[Background: see issues with low quality RFPs / security consultant deliverables.]
An end user asked today for advice on picking a security consultant. While there are some obvious ones (ask peers, check references, etc.), I wanted to highlight some factors that are less commonly cited. All of these presume the end user is asking the consultant:
- What's the consultant's speciality? Physical security / security management are very broad fields - someone who is an expert in one area may be way below average in another area. It's very hard for an individual to be exceptional in multiple areas within security; there's just too much to know. So if someone's practice seems focused in video surveillance, be careful about trusting them in, for example, access control.
- What products has s/he specified in their last 10 projects? A lot of consultants simply default to a few favored manufacturers.
- Demand they NOT cut and paste specifications: At the very least, this will weed out obviously crappy consultants, who pick a few favorite products and chop up the manufacturer's AE specifications. Note: this is a very common and bad practice.
- What engagements do they perform for manufacturers? I was surprised how many big name consultants actually do significant work for manufacturers. Of course, they'll assure you there is no influence but when you are making tens of thousands from a manufacturer, it tends to influence you, even if it's just that they are a lot more familiar and comfortable with them.
- Experience vs Current Technology: Ideally, you want someone with a lot of experience and who is up to date on the newest technologies. However, some 'veterans' are a decade behind the times and will continue to push antiquated technology (e.g., New RFP, 10 Years Out of Date). While it's good to be cautious about bleeding edge technology (and most consultants are - high risk, low reward), specifying technology even a few years out of date likely reduces performance significantly.
- Do they go on Manufacturer 'Edu-vacational' Events? Manufacturers entice consultants with paid luxury events that mix some education and a lot of drinking, eating and entertainment. Ask your consultant point blank what events they go to and if they ever participate in such events.
- If it's a video surveillance project, do they read IPVM? :) Seriously, though, if they are not familiar with IPVM at this point, it may mean they are behind the times or missing a lot of critical information.
- There is a list of security consultants at the IAPSC. While I certainly cannot vouch for all, we do know some who are quite knowledgeable and trustworthy.
Again, the above assumes an end user is asking a consultant who is more knowledgeable about security systems than they are. If you know specific trends or technologies, quiz the consultant about this (e.g. for video ask them about WDR, slow shutter, and other fundamental areas we cover in our tutorials, and compare their answers to ours).