MUSEUM SECURITY NETWORK

hiring a consultant:

This article is provided for your use by:

Steven R. Keller and Associates, Inc.
Security Consultants
1939 Algonquin Ave.
Deltona, FL 32725
Tel. (904) 789-6740
FAX (904) 532-5969

You may use this material for your own use, but please retain this header, and the copyright notice.
Copyright 1988 by Steven R. Keller and Associates, Inc. All Rights Reserved.

CLEARING UP CLOUDY SKIES

by Steven R. Keller, CCP

Security managers with an unusually heavy workload or highly
specialized problem may sometimes find themselves in need of help from a
consultant. Too often, though, the consultant is hired by the security
manager's boss because the manager failed to ask for help until conditions
attracted the attention of someone outside the security operation.
Although the grapevine says a security consultant is called into an
organization to solve a problem after it has gotten out of hand, professional
security consultants often engage in preventive consulting. They provide a
valuable second opinion to clients long before a crisis strikes. Security
managers for most major corporations recognize that a consultant is one of many
tools they can use without fear of criticism for not being able to handle the
job themselves. In fact, the use of management, technical, marketing, and
financial consultants in industry and business in general has become so common
as to be unremarkable. When you hire a full-time employee, you are locked into
the skills of that employee unless you slowly, and sometimes at great expense,
develop additional skills. The advantage of hiring a security consultant is
that you can hire as many as you need in order to buy the skills your special
project requires.

The concept of preventive consulting doesn't mean, of course, that a
consultant should not be called in during a crisis. Consultants can often
provide a fresh, objective opinion as well as valuable problem-solving
expertise when it is most needed. However, too many security managers call in
outside advice when they are doing something right rather than after something
has gone wrong. Either way, it is important to find the right consultant to
manage your project properly and to ensure you receive the quality of service
you expect. After all, anyone can call himself a security consultant, and
hiring a consultant who is not qualified to do the job can be a costly mistake.

What is a Security Consultant?

The International Association of Professional Security Consultants
currently defines a professional security consultant who is a member of the
association as an independent, nonproduct-affiliated consultant who engages in
security management consultation and preventive, training, technical, or
forensic consultation on matters involving security. It is widely felt that,
to be as effective as possible, a security consultant should work in more than
one of these areas. A management consultant who fails to keep up with security
technology or a forensic consultant who spends all of his time testifying in
court may lose touch with the industry and its trends. I recall meeting with a
very high-priced consultant from a prestigious firm-- a firm of about 3,000
employees who provided consultation in many disciplines to governments and
businesses. We began talking about electronic security, and the subject came
up of an electronic access control keypad with numbers that scramble after each
use. To my surprise, this consultant had never heard of the product. He asked
me how to get information on the device, and I told him it is usually
advertised in "Security Management" and "Security" magazines. His reply was,
"What magazines? How do I get a copy of them?" Obviously this security
consultant was not in touch with the security industry and was not a member of
the leading professional association in the field.

Can a security consultant be a generalist? Clearly, the answer is no.
While there are many similarities among the needs of certain businesses and
industries, each type of company does have its own specialized needs and
requires a consultant who understands them. Knowledge of a particular
industry's infrastructure and how companies in that industry function is
important. Many consultants declare a specialization in one or more types of
security such as museum or university security, access system design and
specification, or expert testimony. Some specialize in security training and
manual or policy preparation for all industries.
I once read an article in which a consultant specializing in
counterintelligence work stated that specialization is not as important as it
might seem. When asked if he felt he was qualified to be a museum security
consultant, he said the thought process needed to solve problems in a museum is
the same as the thought process needed to solve counterintelligence problems.
Therefore, he felt he was qualified.
This view is obviously based on an incorrect assumption. While it may
be true that the thought process is the same, there are major differences
between the detection of spies and the protection of art. Consider the trouble
we would be in if the CIA was run by a committee of museum security
consultants. On the other hand, the special knowledge in the museum security
field is considerable. Few industries hang their assets on the wall with no
barrier between them and the visitor. And the unique conservation requirements
and aesthetic considerations in a museum setting prohibit the use of "normal"
alarm devices and installation methods. Without knowing the ways museums
record and document their collections, a consultant wouldn't stand a chance of
preventing internal theft by manipulation of these records.
To some degree, a person who has been in security long enough is
exposed to many fields. A museum consultant who has served as security
director of a major museum knows something about food service operations,
retail operations, cash security, accounting procedures, access control, parcel
control, physical security, and electronic security because a large modern
museum, like a hospital or hotel, has all of these elements. This knowledge
may enable such a consultant to work in many environments, but it cannot
qualify him to work in all.
Many security practitioners cut their teeth on several different
industries. They may start in banking, move to manufacturing, then on to make
a name for themselves in still another field. Likewise, consultants can have
several specialties. No person, however, is qualified to consult in every
aspect of security. For a consultant to accept a project in a field for which
he or she is not qualified would be not only an ethical breach but might
constitute malpractice. Unfortunately for the consumer of consulting services,
many security consultants do not feel this way. Their "know-it-all" attitude
has led to catastrophes, such as improper design of major alarm systems by
electrical engineers or architects who consider themselves proficient in
security.

To expand their capabilities, security consultants may have specialists
on staff or available as subcontractors. Very large projects, such as a
comprehensive survey for a Fortune 500 firm, often require a security
consultant to bring in associates. An auditor may contribute to one phase of
the project, an alarm system designer to another phase, and a locksmith to
still another. Larger firms might have staff members with these skills, but
normally security consultants have a contingent of experts they can call on as
needed. While it might not be as impressive to use an associate as it is to
have a large staff of experts, it is usually just as effective and is generally
more economical.

Which Consultant Should You Hire?

What questions should you ask a potential consultant? First, find out
if he or she is selling anything other than his or her own time and advice.
You want your consultant to be independent and not affiliated with a product or
service. If your consultant is not independent, you should know about his
relationship and understand that it may result in a conflict of interest. The
IAPSC will not admit for membership any person affiliated with a product or
service. The exception to this is that members may sell books they have
published or engage in training or academic activities.
Why is this distinction so important? Besides the obvious financial
conflict of interest that might occur when a consultant represents a product,
you run the risk of limiting the solutions to your problem. An independent
security consultant should approach every assignment objectively. More
important, he should take a holistic approach to solving problems. For
example, a consultant may survey your facility and find you need to bolster
access control. Since this can be accomplished by several methods, he might
recommend adding some new alarms, placing additional security officers at
strategic locations, and improving hardware. But if the "consultant" is also a
salesman for the local contract guard agency, he may attempt to solve the
problem using only security officers. While this may or may not be a good
solution, it certainly appears to be a conflict of interest.
In another example, your consultant is a dealer for a local alarm
company. She fails to recognize the importance of additional security officer
and recommends only additional electronics. An employee is assaulted on her
way to the parking lot at night and the electronics detect the attack, but the
staffing level does not permit prompt response. The employee sues, stating
that had you taken a more holistic approach to security, she might have been
safer. The court weighs the expertise of the "expert consultant" you brought
in to define your needs, sees the apparent conflict-- which may or may not be
real-- and rules against you because you failed to evaluate the entire problem
objectively. While I know of no case of this type going before the courts, it
certainly is possible.
Ask whether your consultant has a specialty. Are you trying to catch
spies with a museum consultant or survey a hospital with a consultant whose
primary expertise is in investigating or auditing? Many private investigators
and polygraph examiners call themselves security consultants, but their
specialty is in investigation and detection of deception when you may need a
specialist in surveying or auditing.
Ask if your consultant is full-time. Too often, investigators and
polygraph examiners call themselves security consultants to supplement their
incomes. While these are important and noble professions, you may want to know
if your consultant is a full-time consultant and, if so, whether he or she is
engaged in any other activities. Having served for nearly eight years as a
part-time consultant while holding a responsible job as a security manager, I
must defend the competence of part-timers. But your job may require the status
of a full-time consultant or time commitments, staff, and associates that a
part-timer can't provide.
What are the qualifications of your consultant? Who ordained him or
her an expert? How many years has the consultant been in the business? How
many successful projects of this type has he or she concluded? Will the
consultant provide references or are previous clients all confidential? What
practical experience does the consultant have? Has he or she ever been a
security manager? What is your consultant's educational background?
Experience, they say, is the best teacher, and so it goes for consulting. But
academic credentials say something about a person's ability to communicate and
evaluate. While a lack of formal education is no more a mark of failure than a
Ph.D. is an indication of success, you should make sure the consultant's
background qualifies him for your project. Is the consultant a Certified
Protection Professional? Is he or she a member of the American Society for
Industrial Security? Of the IAPSC? While lack of membership in either of
these organizations does not signal a lack of credentials, participation
indicates that the prospective consultant at least professes to observe the
code of ethics and to meet the minimum standards for affiliation with the
groups. The IAPSC subjects its applicants to a background check that, while
not infallible, is some assurance that the applicant is not a felon and that he
or she otherwise meets the requirements for membership, including the
requirements for specified levels of education and experience.
As industry trends change, codes of ethics must change as well. For
instance, the IAPSC has implemented a code of ethics for forensic consultants
(expert witnesses) because some unethical consultants have become little more
than "gunslingers," testifying in civil cases for whatever side pays the
highest fee. As a member of both the ASIS Ethical Practices Committee and the
IAPSC, I can assure you that both groups enforce their codes of ethics and
invite consumers of security consulting services to report unethical behavior.
When selecting a security consultant, it is essential that you fully
understand the project you want completed. Does it involve physical security
work, management consulting, training, electronic system design, litigation
avoidance, evaluation of depositions? It is only after you have thoroughly
defined the requirements of the job that you can select the consulting firm to
complete the work. If the project is not confidential and you can freely
discuss it with other managers in your organization, you can call upon them to
help you define the scope of the problem. For example, if the project involves
detailed auditing and accounting problems, the comptroller can advise you on
the skills and requirements your consultant should have-- or have within his or
her circle of associates-- in order to complete the job successfully.
Consultants generally do not advertise extensively, but most are listed
in industry directories such as the *Bell Atlantic Buyers Guide*, *Security
Letter Sourcebook*, "Security" magazine annual buyers' guide, and others. Some
directories list all consultants in one category, while others list
independent, nonproduct-affiliated consultants separately. The IAPSC
publishes a free annual directory of members with a complete biography and
listing of specialties for each member. The IAPSC also operates a free
referral service for consumers of consulting services. Another excellent
source of qualified consultants is colleagues in your industry who have used a
consultant and are pleased with the relationship.
The IAPSC estimates there are approximately 250 independent,
nonproduct-affiliated consulting firms in North America, whose consultants meet
or exceed its membership standards, and approximately 500 other independent
security consultants. The number of product-affiliated consultants is in the
thousands.
To date, there is no valid certification program for security
consultants, and a CPP or degree in a specialized field such as law or
electrical engineering is the best measure of proficiency. The diverse nature
of security consulting makes it unlikely that any valid certification program
will be developed in the near future, so the consumer should be wary of anyone
claiming to be a certified security consultant.
What if your boss selects a consultant without your involvement?
Obviously, this is not a desirable situation. The security manager should be
consulted during the selection process. To avoid being excluded from that
process, select a consultant as you select your doctor-- before you need one.
Establish a relationship before you have a problem, and you will probably never
find yourself in the position where your boss has selected a consultant for
you.

Working with Your Consultant

After you have identified a consultant you want to work with, what do
you do? Start with a thorough background check or at least check his or her
references to assure yourself the individual is both competent and trustworthy.
After all, you are about to convey the deepest secrets of your organization to
this person and his or her associates.
Interview the consultant as you would an assistant. For major
projects, it is common to invite the consultant-- at your expense-- to your
office to introduce him or her to the project. This interview allows you to
evaluate the consultant more closely and allows the consultant to assess the
scope of your problem. If the consultant is a member of the IAPSC, he or she
will be compelled by the codes of conduct and ethics to tell you if his or her
firm or circle of associates is not able to perform the work in a capable and
professional manner. If that is the case, the consultant may refer you to
another consultant, and if the consultant abides by the IAPSC's code of ethics,
he or she will not accept a referral fee.
Discuss the project, fees, and expenses with the consultant in advance.
Get the full details. How much does the consultant charge? How is work
billed? Is there an hourly, daily, or weekly rate? Will the consultant quote
a "not-to-exceed" figure? Who pays expenses? Will the consultant travel first
class, stay in a five-star hotel, and eat only the best milk-fed veal, or are
there limitations placed on expenses? How is travel time billed? Are you
billed portal to portal? Who buys airline tickets? Who pays expenses if
meetings are changed, airports are snowed in, or the consultant is stranded in
a hotel due to flight delays? What receipts or proof of expenses are required?
The more details you iron out in advance, the fewer surprises there will be
later.
Expect to treat a consultant, for purposes of travel expenses and
comforts, at a level equal to your own or that of the chief administrative or
financial officer of your company. After all, the consultant is an expert in
his or her field-- probably the president of his or her own company-- who is
being called in because of special knowledge and skill. If the vice president
flies first class, your consultant should be expected to fly first class. If
the vice president flies coach, you may be reasonable in expecting the
consultant to fly coach. But remember, when you insist on travel arrangements
that take the consultant into a suburban airport rather than a major airport or
that result in connecting rather than direct flights, you may be achieving
false economy. You will probably be billed for travel time, including time the
consultant spends in a taxi or an airport lounge.
Look at the question of expense and fees sensibly. If the consultant
flies from Chicago to Boston in the morning to attend a 1:00 p.m. meeting, then
flies back to Chicago on a 6:30 p.m. flight, arriving home at midnight, he or
she may be entitled to fly first class. After all, the consultant is saving
you hotel and breakfast expenses and is enduring a physically difficult
schedule to accommodate your needs.
Fees vary from consultant to consultant and project to project. While
some industry directories include sample hourly fees, these may vary
drastically. When seeking a comparison of fees and expenses, the best approach
is to prepare a bid proposal outline, stating exactly what you want a
consultant to do for you, and ask interested consultants to provide a proposal
that addresses your concerns. In this way, all consultants you approach will
be quoting a fee on the same project scope.
When evaluating proposals, it is important to know a low hourly fee may
not necessarily be an advantage, unless the consultant assures you the project
will not exceed a given number of hours. Some consultants cost less but take
more time. Some cost more but, due to their experience, can resolve problems
more quickly.
If you want to eliminate any possibility of misunderstanding between
you and your consultant, regarding the scope of services or fees, spell out
your expectations in a contract. Some consultants prefer to prepare a proposal
for your review and signature. If this document is not clear, leaves questions
unanswered, or fails to tell you what you will get for your money, request that
it be modified.
What should you get for your money? That, of course, depends on the
project. A preliminary evaluation might be required before a consultant can
give you a formal proposal. Too many clients want a price quotation, but don't
want to pay for the consultant to visit their facilities. You can't get an
estimate on the repair of your toaster without paying for it, so you can't
expect a consultant to fly across the country to visit your site without
compensation. Some consultants will perform a preliminary visit at a reduced
rate, but they will, justifiably, not solve your problems during that visit.
Others expect a higher fee, and will freely discuss apparent solutions.
Some reputable consultants include in the consulting contract what you
will not get as well as what you will receive. Be sure you are in full
agreement about expectations. If you want a written report, ask for a written
report. If you want an oral report, specify an oral report. Your consultant
may advise you on the type of report he or she feels you should receive. For
example, if the consultant is performing a litigation avoidance survey, he or
she may suggest that you not request a written report, which might be
subpoenaed at a later date and used against you. Whatever you decide, be sure
you and the consultant agree. Perhaps the greatest area of disagreement
between consultant and client is the quality of product to be delivered, and
the product is usually the report.
If your problem requires specialized equipment such as an improved
alarm system, agree in advance whether the consultant should recommend specific
products. Some consultants won't-- or can't-- make recommendations. Decide
whether you want a basic concept report, a conceptual layout, or specifications
and bid documents. Some consultants consider it unethical to specify products
or equipment by name, but there is nothing in the code of ethics of any
security, fire protection, electrical engineering, or architectural association
to prevent this. In fact, it is difficult to serve a client without providing
occasional product cut sheets recommending specific products. An ethical
consultant will do so without a conflict of interest and, while he or she might
have a product preference, can generally recommend "equals."
If you want the consultant to visit your site and make a formal
presentation of his or her report, spell this out. If you want the consultant
to do the work and not delegate it to an employee or associate, or if you have
a time limitation on delivery of the report, specify these things. You have a
right to know if the consultant has other major projects in progress that
detract from his or her ability to meet your needs. And, if you pay your
consultant a regular retainer, you have a right to expect priority service.
Since the consultant will be gathering considerable information about
your organization, including its vulnerabilities, you should consider limiting
the amount or type of material he or she is allowed to retain. That material
should remain confidential, and the consultant should be restrained by contract
from making his or her findings or any details of your project public. If the
consultant is permitted to retain notes and copies of your report, blueprints,
or other materials, specify that they be maintained in a secure manner. There
are serious legal issues regarding whether you can compel a consultant to turn
over to you all notes and materials stemming from your project. If you
contractually obligate your consultant to do so, you deny him the opportunity
to defend himself in a future error and omission lawsuit and, therefore, you
may lose your right to bring such a suit.
When a consultant embarks on a complex assignment, he or she may
encounter problems that must be resolved but were not anticipated. You have a
right to expect the consultant to provide you with answers to your questions or
solutions to your problems, but you must understand that these unforeseen
problems will require a flexibility of contract and budget. Agree in advance
on a means of approving additional work that might result from the project. An
ethical and experienced consultant should be able and willing to point out the
types of problems that might arise and expand the scope of the project and the
project budget. You should require, however, that the consultant keep you
informed of additional costs as they arise so there are no surprises when the
bill comes.
When your consultant arrives for work, make every effort to make his or
her time productive. If possible, provide an office with a phone and necessary
supplies. Introduce the consultant to the staff and clerical support persons
who can facilitate his or her efforts. Time is money, and you are the one
picking up the tab.
If your consultant needs access to information before conclusions can
be drawn, ascertain whether you can provide that information in a concise
format. For example, if you are asking your consultant to audit your manpower
and determine whether you need additional security personnel, provide all
necessary information regarding the number of current personnel, sick days
used, vacation days used, length of vacation provided for each position, and
vacation accrued by staff. Your secretary can assemble that data much less
expensively than a consultant can. Don't give the easy work to your consultant!
During and after your project, you are entitled to access to your
consultant. While the consultant is not required to report findings or share
information until the final report is made, you can expect interim reports to
ensure that the work is on target. Agree in advance how much the consultant
will charge for follow-up phone consultations after the project is concluded.
Many consultants include a reasonable amount of follow-up consultation in the
project, while others bill for each phone call. In any case, you cannot expect
your consultant to incur phone expenses or to spend any great amount of time on
your behalf without compensation. This is why you may wish to consider a
retainer.
The most successful relationships with consultants exist in
organizations where the consultant is invited in to reassess or reevaluate
conditions periodically. When a problem occurs, a new consultant will not be
able to come in and react immediately to your needs. He or she must be
familiar with your facility and its unique situation. Interim and follow-up
visits need not be costly, and they should be seen as an investment in the
future. In return, you will receive an investment in commitment from your
consultant.
Your security consultant should be viewed as an objective member of
your team who, by virtue of his distance from your day-to-day situation, can
provide you with valuable input and support in your efforts. He is a highly
qualified specialist who, contrary to popular belief, works very hard for his
money. While your hourly wage may be lower than his, your insurance,
hospitalization, and other valuable benefits-- including an office telephone,
copier, and other necessities-- are paid for. A good consultant has nothing to
sell but time and experience. The consultant earns his or her wage through
hard work and spends many hours in airport waiting rooms. Good consultants
have paid their dues with years of hard work. If properly utilized, they can
be of great value and can possibly save you far more than the cost of their
fees.
The burden is on you to seek out the qualified professional who can
meet your needs. Just Remember, in services, as in products, you get what you
pay for.

About the Author: Steven Keller, CPP, is senior consultant with Steven R. Keller and Associates, Inc., the leading security consulting firm specializing exclusively in museums, special collections, cultural and historic properties. The firm provides security surveys, value engineering studies, security, access control and CCTV system design and specifications, pre-theft and post-theft strategic planning, and other management and technical systems consulting. His clients include the National Gallery of Art, the Smithsonian Institution, the San Francisco Museum of Modern Art, the Seattle Art Museum, the Philadelphia Museum of Art, Harvard University, Yale University, Stanford University, the Mansions of Newport, the Hearst Castle, Mount Vernon, the Library of Congress, and about 200 other museums, libraries, cultural and historic properties. He formerly served as executive director of the International Association of Professional Security Consultants. He has been a member of ASIS since 1979 and serves on the Society's Standing Committee on Museum, Library, and Archive Security. He is a past chairman of that group's subcommittee on professional practices and a member of the ASIS Ethical Standards Committee.