Three security professionals went fishing: a manufacturer, an integrator, and a consultant. To be continued…
Sounds like a funny joke in the making, right? When it comes to security management of a corporation or organization, though, there really aren’t any good jokes. The organization is faced with the reality of managing budgets and resources to appropriately mitigate the constant risks that push to undermine the goals, obligations and mere existence of that organization. While the importance of the security team and its operations is obvious to anyone who thinks very long about it, there is an ongoing challenge to validate costs and show that security is a business enabler. The security manager spends part of his time overseeing the security operations, and possibly the majority of his time lobbying management for the resources the team needs to carry out its responsibilities. Right about now you are asking, “What does that have to do with consultants?” The relevance is: the consultant is to security operations what security operations is to the organization. The consultant is a security enabler.
The best way to think about a consultant is as an Owner’s Representative. A true consultant does not pursue the agenda of any specific product or solution, but assists the organization to identify its true condition and evaluate the best way forward in the interest of the organization’s goals and objectives. The consultant is a “truth teller”, in that they will help the organization see its actual condition, and not be influenced by what the organization believes itself to be, or by what an outside party has convinced it of. The consultant receives no benefit from presenting anything other than what is in the best interest of the client. Now, as with any profession, there can be those who seek to promote their own cause through “busy work”, but the respected, seasoned consultant understands that approach is short-lived.
So, you may ask, what about the manufacturers and integrators? Why can’t an organization simply rely on their input, along with internal security staff, to accomplish the desired results? I do not in any way want to disparage relationships with manufacturers and integrators. The consultant cannot do that work or provide the products. The manufacturers and integrators, however, can only offer the products and services they provide, in order to promote their own business model. They may be able to provide some level of evaluation and recommendations to the end-user, but those will always be in step with their own products, as they should. Where there are existing, effective relationships between owner, integrator and manufacturer, there is still value in a non-biased third party acting as consultant, whose primary objective is to ensure the organization’s best interests are incorporated in all security efforts. Whether for internal interests or for regulatory audits and assessments, a consultant will provide effective, realistic evaluations and reports on the overall health and fit of an organization’s security practices, systems and technologies. When considering new opportunities for technologies and solutions, the consultant is going to help the organization define its objectives, identify the best solution, justify that direction and support the client through the implementation process.
Aside from the security systems discussion, the consultant also provides value to the organization through evaluation and support of operational developments. In a typical security risk management program, there is never an opportunity to pause. Today, security risks are more prevalent and continue becoming more advanced. So must the mitigation efforts of the organization. A consultant will provide value to the organization through evaluation and recommendation of best practices to continually develop and advance the position of the security program. The biggest challenge to any security team is finding the time to step outside of its daily activities for self-evaluation and development. Even if it does, it is so immersed in its existing condition that it is impossible to see some of the simplest opportunities. Possibly most important, the consultant will assist the security team in building credibility and value throughout the organization and with upper management. The truly effective security program is one that has support and engagement across the entire organization and from top to bottom, a benefit that is nearly impossible for a security team to accomplish on its own. Most of all, protecting the integrity of the organization by helping to establish a first-rate security program is priceless.
And more than likely, another benefit of the consultant is that everyone will sleep better.
The security manufacturer, integrator and consultant who went fishing took their clients, caught lots of fish and had a great time! No joke!