Sector Focus: The Security Strategist

Even sole practitioners are basking in the new attention. "It is a huge opportunity," says William Hawthorne, CPP, a certified security consultant and principal of William A. Hawthorne Associates, Inc., Wayland, MA. And more than just calling, these new clients also are actually listening to him, something that clients often failed to do before — even after paying for his services. "In the past, they wouldn't take our advice. They wouldn't implement our recommendations. Now, they are," he says.

CEOs calling security consultants! Boy, the world sure has changed. Security consultants used to be regarded as the low folks on the consulting totem pole, only a few notches above night watchmen in public esteem. [Full disclosure: This writer worked his way through graduate school as a security guard, getting paid minimum wage to write his dissertation while sitting in the lobby of an empty building.] The image of the security consultant, according to popular stereotype, might be that of a retired cop or military guy, maybe a former FBI or Secret Service agent. Mothers who struggled so their kids could graduate from Harvard with an MBA weren't dreaming of their son, the security consultant. Welcome to "the new era of heightened security," says Marc Bradshaw, president, International Association of Professional Security Consultants (IAPSC), Newport Beach, CA. The IAPSC membership is fielding a flood of requests for everything from building security to threat assessment. "We are seeing an increase in consulting opportunities as all businesses reevaluate their security needs," he adds.

But today's security consultants are looking to do more than just take advantage of the sudden opportunity to boost their revenues; they also want to boost their image. "This has turned into a superb opportunity to educate management, to make people aware, and to share ideas," says John Kennish, a security consultant based in Westport, CT. He adds: "It's a chance for security consultants to impress people and make friends."

The security consulting industry is actually more diverse than the popular image. It consists of four focus areas — administration, security design, equipment, and people — Kennish explains. Administration covers policy, procedures, training, disaster planning, business continuance, and such. Security design focuses on the actual facility, such as an airport or office building, and how it can be designed and built to be more secure. Equipment deals with access control, surveillance, identification systems. People are guards and investigators.

Organizations typically move through the security drill one area at a time, starting with administration, the least expensive and quickest security to implement. Following the Sept. 11 attacks, many security consultants received frantic requests to whip up a disaster recovery plan fast. Y2K aside, top management saw in the most vivid and painful terms what a disaster truly means for a business and its people. "A lot of clients are embarrassed by not having these pieces already," says Brod.

But even before the attacks, pressure was building on companies in this regard. "There is pressure to report disaster recovery plans in annual reports, and having a disaster recovery plan increasingly is part of the due diligence checklist," he continues.

Facility planning, which involves coordination and collaboration with architects and engineering firms, is more costly, "but if it is done right, it will help security and last 50 years," says Kennish. Equipment-based security, too, can be very expensive. The most expensive type of security of all, however, is people.

Security consultants also report being called on to deliver new types of services. "We're now being asked by clients to provide psychological counseling to their employees," notes Brod. These requests are coming not just from companies directly involved in the attacks but from firms that find their workers generally upset, nervous, and distracted. "These companies just need help in getting their people to focus," he continues.

Where security consultants are going to find counseling resources remains an open question. "There are grief counselors out there," Brod insists. Warns Kennish: "You have to be very careful if you get into grief and trauma counseling." The nature of counseling engagements tends to be driven by an immediate crisis rather than an ongoing need.

Another change is management's approach to security expenditures. "I wouldn't say that money is no object, but the cost is not the first thing discussed," says Brod. Adds Hawthorne: "There is a definite willingness to spend more. This is now too big, too important, to debate. They want to mitigate the risk and will spend the money to do it."

This is a far cry from the recent past. Traditionally, management treated security as a cost to be minimized. There was no meaningful ROI to be calculated for security; it was a pure cost center that did nothing to advance the organization's business objectives.

Instead of cost, the driving issue now is speed — how fast the security consultant can get to the client's job — which is straining the consulting firms. "We can handle the demand with a little scrambling, but it is a challenge," Brod concedes. Kennish, however, isn't quite so confident: "It takes weeks of research and writing to complete a disaster recovery plan."

To meet the demand, the security industry is going to have to dig deep for experienced talent, because experience is critical to security consulting. And there is no crash course that can give new security consultants the necessary experience. Raiding the military for talent is out, due to the antiterror war effort. Instead, the industry may have to tap those who have retired, suggests Kennish.

Another problem is the nature of the latest security threats. The majority of security consultants are generalists who focus on one of the four major areas. Today's threats, however, take the form of bioterrorism or involve advanced explosives. Even information system security is facing increasingly sophisticated threats. This requires specialists — PhDs in biology, chemistry, and mathematics. "This is too technical for the average security guy," concedes Kennish.

"I've always worked with specialists, but the demand for them is up," Hawthorne reports. The most frequently called specialists work with biohazards, hazardous materials (HAZMAT), and explosives. Again, these aren't exactly the kinds of specialties any general consultant can pick up on the fly.

In addition, liability claims loom large over the security industry. "Security really is driven by the fear of litigation, not the urge to protect people. If a company hires an unqualified consultant, it could be held liable [in the event of a security failure]. You're actually better off [from a liability standpoint] not doing anything than doing it wrong," says Kennish.

Keeping that caveat in mind, conventional management and IT consulting firms still can benefit from the current demand for security services, but they will need to move carefully. Management consulting firms that do risk assessment, disaster planning, and business continuance planning can certainly pick up some new business. Similarly, IT consulting firms with experience in information systems security and disaster recovery, particularly those that successfully mitigated their clients' Y2K risks, can also benefit from the sudden demand for security. On the other hand, if the firm doesn't have credentials and a track record in security, it may be too late to get into it now.

Whether this newfound security religion actually sticks for the long term is unclear. The current demand is clearly a knee-jerk reaction to the Sept. 11 attacks and naturally so. The unanswered question is how long the heightened interest will last. The answer is, "depends on what happens next," Bradshaw believes. If the immediate fear subsides, then companies are soon likely to return to a more casual approach to security. Should another attack occur, however, the clamor for security will likely be loud and sustained.

The real key to the corporate security commitment may lie with the important stakeholders — customers, employees, and investors. If customers show a preference for doing business with those companies with strong security programs, security suddenly can make a business ROI case. If employees prefer to work at companies that make them feel safe and secure and are more productive in environments perceived as safe and secure, and if investors prefer to put their money into companies with a commitment to security, then increased security will become part of the corporate culture.