Encyphir Risk Management

How to Hire a Security Consultant

Craig Biggs, Founder & CEO
July 22, 2024

Table of contents

  • Define What You Need First
  • What Credentials and Background to Look For
  • Questions to Ask Before Engaging
  • How Engagements Are Typically Structured
  • Red Flags to Watch For
  • Understanding the Difference Between a Consultant and a Vendor
  • Matching the Consultant to the Problem Type
  • Budgeting Realistically and Avoiding False Economy
  • Working Effectively With Your Consultant

Categories

Security Consulting, Risk Management

Hiring a security consultant differs from hiring most other professional services. The stakes are high. You are asking someone to find the vulnerabilities in your organization and recommend how to address them. The market is also crowded with people who use the title without the credentials or experience to back it up. Knowing what to look for, what questions to ask, and how to structure an engagement will help you select the right firm and get full value from the relationship.

Define What You Need First

Security consulting covers a wide range of services, including:

  • Physical security assessments
  • Threat assessments for specific individuals or situations
  • Enterprise risk management program development
  • Workplace violence prevention planning
  • Executive protection consulting

Before you reach out to firms, define as specifically as possible what you are trying to accomplish.

Are you concerned about a specific threat, such as an identified individual, a recent incident, or a pattern of behavior? Do you need a comprehensive review of your organization's security posture? Are you trying to build or update your formal security program? Is there a regulatory or legal driver, such as compliance with California's SB 553 workplace violence prevention requirements, a duty of care obligation, or a board-level mandate? The clearer you are about the objective, the better you can evaluate whether a given consultant is the right fit.

What Credentials and Background to Look For

Relevant operational experience. The most important credential for a physical security or threat assessment consultant is not a certificate. It is direct operational experience in security-relevant roles. Former law enforcement officers, intelligence professionals, military veterans with security backgrounds, and government security professionals bring real-world threat experience that no classroom can replicate.

Professional certifications. ASIS International offers several recognized certifications relevant to security consulting: the Certified Protection Professional (CPP), the Physical Security Professional (PSP), and the Professional Certified Investigator (PCI). Threat assessment specialists may hold credentials from the Association of Threat Assessment Professionals (ATAP). These credentials show a commitment to professional standards and a baseline of formal knowledge.

Sector experience. Security consulting for a school district differs from security consulting for a hedge fund or a manufacturing facility. Look for consultants who have worked with organizations similar to yours. They will understand the specific threat environment, regulatory requirements, and operational constraints you face.

Licensure. In many states, security consulting involving certain activities, including investigations, requires professional licensure. Verify that the consultant or firm holds applicable licenses in your state.

Questions to Ask Before Engaging

Before signing an engagement agreement, ask:

  1. What is your background, and what specific experience is most relevant to this engagement?
  2. What certifications do you hold, and are you licensed in our state for this type of work?
  3. Have you worked with organizations like ours? Can you provide references?
  4. What does your methodology look like for this type of assessment?
  5. What will the deliverable look like, including report format, level of detail, and executive summary?
  6. How do you prioritize recommendations? Will you tell us what is most important, or will you give us an undifferentiated list?
  7. What is your fee structure, and what is included?
  8. Will you personally do the work, or will it be delegated to junior staff?

That last question matters more than it might seem. Some firms sell engagements on the strength of senior principals and deliver the work through junior consultants with less experience. Understand who will actually conduct the assessment and prepare the report.

How Engagements Are Typically Structured

Security consulting engagements generally follow a consistent structure:

Scoping conversation. The consultant learns about your organization, your specific concerns, and your objectives. This is also your chance to assess the consultant's understanding and communication style.

Proposal. The consultant provides a written proposal describing the scope of work, methodology, deliverables, timeline, and fees. Review this carefully. The proposal defines what you are getting.

Assessment phase. The consultant conducts the assessment: site visits, document review, interviews with key personnel, and threat or vulnerability analysis.

Reporting. The consultant prepares and delivers the report. It typically includes an executive summary, detailed findings, and prioritized recommendations.

Debrief. The consultant walks through the findings with leadership or the relevant team, answers questions, and provides guidance on next steps.

Some engagements also include an implementation support phase, where the consultant helps put recommendations into action.

Red Flags to Watch For

  • Consultants who skip the scoping conversation and go straight to a proposal
  • Generic proposals with no specifics about your organization
  • Firms that cannot provide relevant references
  • Fee structures that are unclear or shift after engagement begins
  • Reports that read like checklists with no prioritization or analysis

Understanding the Difference Between a Consultant and a Vendor

Organizations often confuse a security consultant with a security vendor, and the mistake is costly. A vendor sells a product or service, whether that is a camera system, an access control platform, guard services, or alarm monitoring. A consultant, properly engaged, is independent of those product decisions. They are paid to give you objective advice about what you actually need.

When the same firm recommending upgrades also sells and installs the hardware, the incentive structure is compromised by design. You should not assume bad faith. But you should recognize that objectivity is difficult when the recommendation directly drives the recommender's revenue. For significant security investments, particularly capital expenditures that run into five or six figures, separate the assessment from the implementation. Hire an independent consultant to define the requirements. Then solicit competitive bids from integrators and vendors against that specification. This approach routinely saves organizations more than the cost of the consulting engagement itself, and it produces a system that reflects your needs rather than a vendor's inventory.

Law firms handling premises liability or negligent security matters run into a related distinction. Expert witnesses and consulting experts must be genuinely independent, and their opinions must survive cross-examination. Our law firm clients engage us specifically because our work product stands up to review and is not entangled with product sales.

Matching the Consultant to the Problem Type

Security consulting is not a single discipline. The consultant who excels at designing a corporate campus perimeter may have limited experience with behavioral threat assessment. The behavioral threat assessor may not be the right choice for evaluating a data center's physical controls. Be honest about the actual problem before you shop for a provider.

If your concern is a specific person who has made threats, exhibited concerning behavior, or been terminated under difficult circumstances, you need someone trained in threat assessment methodology, not someone whose expertise is lock hardware. If you are a school district responding to parent concerns after an incident in another district, you need a consultant who understands the school environment, applicable state laws, and the governance dynamics of school boards. Our security consulting practice is structured around the recognition that different problems require different specialists. We will tell you when a matter falls outside our core competencies.

Some engagements also blur into investigative work. A threat assessment may require a background investigation on the subject. A workplace violence concern may require surveillance to establish whether a terminated employee is actually approaching the facility. An executive protection planning engagement may begin with due diligence on an adversary or a contested business relationship. Firms that hold investigative licensure in addition to security consulting credentials can move across these boundaries within a single engagement, rather than requiring you to coordinate multiple vendors.

Budgeting Realistically and Avoiding False Economy

Organizations routinely underestimate what a credible security consulting engagement costs. They just as routinely overestimate what a cheap one will deliver. A thorough physical security assessment of a mid-sized facility, including site visits, stakeholder interviews, documentation review, and a written report with prioritized recommendations, typically requires between forty and one hundred consultant hours. A behavioral threat assessment on an identified subject of concern may involve background research, interviews, collateral contact, and formal written findings that will be relied upon in personnel or legal decisions.

When a proposal comes in dramatically below market, ask why. The usual answer is one of three things:

  • The scope is narrower than you understood
  • The work is being delegated to junior staff without adequate supervision
  • The report will be a template with your organization's name inserted

None of those outcomes will serve you if something goes wrong and your response has to withstand review from a plaintiff's attorney, a regulator, a reporter, or a board of directors asking why more was not done.

The honest way to budget is to start with the decision the report will support. If the report will justify a multi-million-dollar capital investment, defend the organization against a duty of care claim, or inform a personnel action with significant legal exposure, the consulting fee is a small fraction of what is at stake. If the report is a routine compliance exercise with no material downstream consequences, a lighter-touch engagement may be appropriate. Match the rigor to the stakes.

Working Effectively With Your Consultant

Hiring the right consultant is only the first step. The quality of the engagement depends heavily on how your organization participates in it. Designate a single point of contact with enough authority to coordinate access, schedule interviews, and resolve questions quickly. Assessments stall when the consultant has to chase multiple stakeholders for basic information or wait weeks for a site visit to be approved.

Be candid about history. Consultants are more useful when they know about:

  • The terminated employee who made threats three years ago
  • The executive going through a contested divorce
  • The active litigation involving a former vendor
  • The incident that leadership prefers not to discuss

These facts shape the threat environment whether they are disclosed or not. Withholding them does not make them disappear; it just makes the assessment less accurate. Everything shared in a properly structured engagement is covered by professional confidentiality. Where counsel retains the consultant and directs the engagement for the purpose of providing legal advice, the work product may also be protected under attorney work product and privilege doctrines; that protection depends on how the engagement is structured, so involve counsel before the work begins if it matters to you.

Plan for what happens after the report. A common pattern is for organizations to commission an assessment, accept the report, and then fail to implement the recommendations because no one owns the follow-through. Before the engagement begins, identify who will be responsible for acting on findings and how progress will be tracked. Many of our corporate engagements pair the assessment with follow-on work such as policy development, training programs for managers and security staff, or scheduled reassessments to verify implementation. The organizations that get the most value from consulting treat the report as the beginning of the work, not the end of it.

Our security consulting team includes former law enforcement and government security professionals who conduct assessments with operational rigor and deliver findings that are practical, prioritized, and actionable. Corporate clients often combine the engagement with our training programs on workplace violence, de-escalation, and emergency response, so the assessment's recommendations get implemented with real capability. Schedule a consultation to discuss your organization's needs.