Picking The Right Security Consultant?

[Background: see issues with low quality RFPs / security consultant deliverables.]

An end user asked today for advice on picking a security consultant. While there are some obvious ones (ask peers, check references, etc.), I wanted to highlight some factors that are less commonly cited. All of these presume the end user is asking the consultant:

  • What's the consultant's speciality? Physical security / security management are very broad fields - someone who is an expert in one area may be way below average in another area. It's very hard for an individual to be exceptional in multiple areas within security; there's just too much to know. So if someone's practice seems focused on video surveillance, be careful about trusting them in, for example, access control.
  • What products has s/he specified in their last 10 projects? A lot of consultants simply default to a few favored manufacturers.
  • Demand they NOT cut and paste specifications: At the very least, this will weed out obviously crappy consultants, who pick a few favorite products and chop up the manufacturer's AE specifications. Note: this is a very common and bad practice.
  • What engagements do they perform for manufacturers? I was surprised how many big name consultants actually do significant work for manufacturers. Of course, they'll assure you there is no influence but when you are making tens of thousands from a manufacturer, it tends to influence you, even if it's just that they are a lot more familiar and comfortable with them.
  • Experience vs Current Technology: Ideally, you want someone with a lot of experience and who is up to date on the newest technologies. However, some 'veterans' are a decade behind the times and will continue to push antiquated technology (e.g., New RFP, 10 Years Out of Date). While it's good to be cautious about bleeding edge technology (and most consultants are - high risk, low reward), specifying technology even a few years out of date likely reduces performance significantly.
  • Do they go on Manufacturer 'Edu-vacational' Events? Manufacturers entice consultants with paid luxury events that mix some education and a lot of drinking, eating and entertainment. Ask your consultant point blank what events they go to and if they ever participate in such events.
  • If it's a video surveillance project, do they read IPVM? :) Seriously, though, if they are not familiar with IPVM at this point, it may mean they are behind the times or missing a lot of critical information.
  • There is a list of security consultants at the IAPSC. While I certainly cannot vouch for all, we do know some who are quite knowledgeable and trustworthy.

Again, the above assumes an end user is asking a consultant who is more knowledgeable about security systems than they are. If you know specific trends or technologies, quiz the consultant about this (e.g. for video ask them about WDR, slow shutter, and other fundamental areas we cover in our tutorials, and compare their answers to ours).

disclaimer: depending on your criteria I'm a security consultant. be happy to provide references on vendors I've bitched out at their edutainment events, which I do attend because the vendors are terrible at communicating information via other venues.

make sure your "consultant" isn't in fact a "manufacturer's representative" who only recommends one set of brands.

agree with the 10-years-behind comment. I see that a lot.

I'd be far more worried about what construction companies and integrators the consultant is cozy with rather than the manufacturers. Consultants seem too well skilled at ignoring the end customer while attending to the construction project's needs.

Rodney, interesting point about relationships with construction companies and integrators. I am curious how often this happens. It appeared to me, from historical interactions, that most consultants could not care less about integrators. That said, I can see the risk.

Really? I know many consultants, architects, and designers who are "independent contractors" for some integrator or integrators. The consultant turns the integrator on to a deal, positions them to be a sole source, and gets 10% off the top. This is very common in the Public Sector, where integrators are doing everything they can to avoid the dreaded RFP. The city doesn't care, because they want to avoid the RFP as well. If you see the recently retired mayor/chief of police/CIO/City Council member backing a certain solution, you can bet that they're a "contractor" as well. I'm sure there are exceptions, but I can't think of any.

It's always smelled kinda' fishy to me.

I am what I term an electronic security technology consultant. I don't see anything wrong with sticking to some trusted brands if those brands suit the application and there are no financial arrangements (or others) between the consultant and manufacturer. In saying that it is important to be constantly reviewing all available brands within your geographic region to ensure you are providing your client with the best technology that falls within their budget.

I have found manufacturers' and distributors' product seminars a good starting point for viewing new technology; they are generally not the food and wine fest they used to be in Australia. Then it is important to speak to other users of the technology, have a look at installed systems (if possible) and speak to the integrators to determine whether the new brand may be worthwhile considering. It is all about providing the best solution for your client within their budget and keeping the risk factor to your business and their business low.

I agree that cut and paste specifications are poor and there are many who still do this. It is one of the reasons I got out of the integrator side of the security industry.

Hi Robert, good feedback. I am curious. How many brands would you say are sufficient? Certainly, no one can be expert in every line and there's real risk in spec'ing something one has no background in. On the other hand, should one regularly stick with 2 brands, 3, 4, 5? And if a consultant is only recommending 2 or 3 brands regularly, how's that different than an integrator? ;)


I have been in the integrator's shoes and you tend to develop a relationship with one or two suppliers who will then generally give you preferential pricing and a higher level of support. In some instances you may be locked into a relationship with a certain supplier due to your employer's purchasing arrangements. This tends to blinker your views to what is available to offer your client. As a consultant you are open to recommending any brand as long as it meets with the performance and pricing criteria of the project. Of course you will recommend a brand you trust, one that offers great service and advice and one that is field tested and proven. This is why I generally stick with 3 or 4 different brands but in no way does this stop me from looking at other options as long as they are proven and well supported locally.

Thanks, Robert, good points.

That does smell extremely fishy. I would assume it's also illegal in many areas, no?

Thank you for the article on “Picking a Security Consultant.” As the president of the International Association of Professional Security Consultants, I appreciated your illumination of our Association’s members. There are many good points in your writing and some I feel could be enhanced with some clarification:

  • In addition to determining what products a consultant has specified, it is also important to understand how the consultant stays up to date on emerging technologies. We regularly acquire and read the specifications of various products (e.g. SMS and VMS) to understand the features and capabilities of the products we may specify. In our opinion it would be more important to ensure that the consultant is knowledgeable to marry the products with the requirements versus just demonstrating that the consultant does not always specify the same products day in and day out. To focus on or try and identify an ideal number of “go to” products is silly. There are at least fifteen access control manufacturers out there and each has a value proposition and differentiators that need to be taken into account by the savvy consultant to match the right product(s) with the right conditions. These variables are different on every project. For example, if you are simply controlling access in one direction through a portal with no special requirements; then there are any number of products that will serve the purpose. When the requirements get more specific (e.g. 64 bit operating environment, mustering, time and attendance auditing, multiple expiration dates on credentials); the pool of qualified products thins very quickly.
  • I am not sure what you mean by most consultants are high risk – low reward.
  • Your point about excessive manufacturers’ training sessions is a good one; and we agree that no consultant should engage in conduct that even creates the appearance of impropriety, it is essential for the consultant to stay abreast of developments in major product and software platforms. Not all of the events are like the cruise you rightfully highlighted some years back and they should not summarily be dismissed; particularly if the consultants are attending multiple manufacturers’ training sessions each year. Further, lunch and learns, newsletters and other A&E program interface are critical tools to demonstrate one is staying current with new developments.
  • The good consultants realize the value in maintaining positive relationships with manufacturers and integrators. To think that those players are somehow less knowledgeable or sophisticated is a huge mistake and can result in adversarial relationships that only hurt the owners of the projects whom we all serve.
  • The one main omission from our perspective would be whether the consultant is truly independent. The major problem in the security business is the consumer is generally not educated or versed in determining their requirements and 95% of the market sales personnel have a conflict of interest in their sales work (which is often inaccurately referred to as consulting). There are pros and cons in using various advisors in the business which include integrators, manufacturers’ reps, architectural and engineering firms and independent consultants. While the integrators and manufacturer reps offer their services for “free”; “free” isn’t always free and the consumer is limited to a solution set which is on that advisor’s sales line card and all other solution sets are excluded. If you ask a guard company for a solution, you are likely to get more guards. A&E firms often lack the technical expertise and figure security is just another low voltage system so it gets shuffled off to an electrical engineer.

There are very few organizations who can afford to have their own in-house experts with no conflict of interest or motivation to oversell a design. All others are left to navigate the complex security purchasing waters in an economy where you are lucky to get one trip to the “capital budgeting” plate every five to ten years and it is more than ever essential to get it right the first time.

Frank Pisciotta, CSC

President, IAPSC

Frank, thanks for the feedback. I did not know you were the President of the IAPSC!

A few points of clarification:

  • In terms of high risk, low reward, my point was that most consultants are risk averse and see bleeding edge technologies as 'high risk, low reward'. By contrast, in my experience, integrators tend to be more daring on pitching new technologies as it can help them win big deals with lots of product sales (not all integrators, but certainly a greater percentage than consultants).
  • It would be great to know if a consultant is knowledgeable in many products. However, it is incredibly hard for an end user to do so. That's why I recommend checking what they specify. If 8 out of their last 10 video projects specified Honeywell (or whomever), I think that's a yellow flag and probably the best someone can do to 'smell' out potential problems without being an expert themself.
  • As for maintaining a 'positive' relationship, I agree. However, one can keep a 'positive' professional relationship while staying independent from undue influence.
  • I think lunch n learns, newsletters, webinars, etc. are far more appropriate than weekend, country club, ski trip, etc. type events.

Great discussion. I would like to add a couple of points.

First, with regards to the risk/reward question, I think that this is a philosophy that varies considerably between consultants and is a question that a client should ask when selecting a consultant. I personally am very conservative when specifying products and rarely am an "early adopter" of any type of technology. I don't like to turn my projects into R&D labs.

On the other hand, there is a very well-known consultant in my market area (Western USA) that loves to specify new and untried products, occasionally even specifying things that don't exist yet, hoping that a manufacturer will rise to the challenge. Each of us has our own following; those that want bleeding edge choose him, and those that want proven and reliable choose me. Neither of us is right or wrong, only different, and clients can choose which of us is the best match for them.

Second, on my projects, I rarely am the sole decision maker on product selection, particularly when choosing major systems such as the VMS or SMS. I typically form a committee that includes representatives from major departments (security, IT, facilities, etc.) within the client's organization. We jointly establish design criteria and then evaluate a selected group of manufacturers that can meet these criteria. This usually includes on-site demos and interviews with the manufacturers. At the end of this process, we determine which products in each category will be included in our specification. I always voice my opinion, but on many occasions, a client committee has selected a product other than the one that I would have recommended. In many cases, the features are nearly identical between products and it just comes down to which user interface the client prefers.