Choosing a Security Consultant

On August 20, the Australian Government released the publication Australia’s Strategy for Protecting Crowded Places from Terrorism 2017. This document has, among other things, provided much-needed guidance on the selection of security consultants.

It states:

Professional and qualified security consultants play an important role in undertaking full security risk assessments of crowded places and recommending appropriate protective security measures (Box 3).

Looking at these considerations:

Security Licence

The licensing requirements for security consultants vary considerably between the states and territories, and a licence in one state or territory is not valid in another.

The following table shows some of the differences. These are just for the individual licences – companies have more variances.

The most rigid licensing requirements are in ACT, NSW and WA. In the other states and territories either no licence is required or no qualifications are required to obtain a licence. However, the inconsistency in the qualification requirements to obtain a licence opens up a loophole when mutual recognition laws between the states are applied. For example, a Registered Security Adviser in Victoria (who is not required to be qualified and can apply for a licence without ever being physically seen by the licensing authority) can simply apply for mutual recognition and obtain a full licence in any other state without having any qualifications.

Having a licence in any state or territory is therefore no guarantee that the consultant holds qualifications in security.

Education, qualifications, skills, and experience

So, what education, qualifications, skills, and experience should a security consultant hold?

The absolute minimum qualification is generally considered to be a Certificate IV in Security and Risk Management (although a Diploma is more common). This provides a very basic understanding of the security risk assessment processes but does not touch on any technical subjects. It’s enough to get a licence in some states but it doesn’t let the consultant speak with authority on any technical matters.

The Australian Government Security Construction and Equipment Committee Security Zone Consultant Scheme Policy (2013) includes the following minimum education and experience requirements for any security consultant wishing to apply for SCEC endorsement, which will permit them to advise on and certify high security government security systems. It could therefore be reasonably inferred that this is what they expect security consultants to have as a minimum.

Once accepted into the SCEC Endorsed Security Zone Consultant program, candidates are given several days' training and an examination at the conclusion.

ASIS International has a different qualification and experience requirement for the granting of their CPP (Certified Protection Professional) accreditation. The eligibility requirements to apply are:

  • Nine years of security work experience, with at least three of those years in responsible charge of a security function; or
  • A bachelor’s degree or higher and seven years of security work experience, with at least three of those years in responsible charge of a security function.

Applicants are then required to sit an examination.

Referee reports

Referee reports need to be relevant to the project that a security consultant is being considered for. How well a consultant carried out a security risk assessment for one client is no indication of how well they can design a CCTV system for another.

Security clearance (where required)

Security clearances are given at the following levels in Australia:

Most security consultants will hold at least a Baseline security clearance. If they don’t have this then it isn’t necessarily a problem, but you would want to establish why they haven’t obtained one. A security clearance picks up a lot more than a simple police check.

Professional association and affiliations

Some of the associations and affiliations that are relevant to individual consultants in Australia include:

  • ASIS (American but common in Australia)
  • Association of Investigators and Security Professionals
  • Australian Institute of Professional Investigators
  • Australian Standards
  • Engineers Australia (Membership enables exemption from some SA security agent licence requirements)
  • Security Providers Association of Australia Limited
  • Victorian Security Institute (VSI)

Previous experience conducting security reviews

When looking at this, look for how they previously assessed the risks and how the recommended risk mitigation measures realistically addressed these risks.

The following is from an earlier blog of ours:

If you ask two security consultants to provide a security risk assessment of your premises, then most likely you will receive two different results. A main cause of this is that it is common for security risk assessors to take the approach of identifying risks as being simply extreme, high, medium or low. This is done by assessing the likelihood of a risk as rare through to certain and rating the consequences as insignificant through to catastrophic. This approach provides a quick result but the results will vary between individuals.

A significant problem with this approach is that any risk with a catastrophic potential consequence is invariably rated as being an extreme or high risk no matter how unlikely the risk is. An example of this is the risk of terrorism. This risk is often rated as the highest risk to a site, even if it is inconceivable that this risk would occur. The other obvious problem is that different risk assessors will view the likelihood of risks occurring differently, so the level of risk the assessment says that you are exposed to will depend on who carried out the assessment. This is a particular problem if the client has a number of properties that they need assessed.

Another approach, and one that we use in our consultancy practice, is to quantify the risks as far as possible. Instead of rating the risk of burglary, for example, as being medium or high, this approach looks at the local crime statistics and identifies the number of times per annum that the client can expect a burglary attempt. The method then looks at the security measures, either in place or proposed, and, through a standard spreadsheet, identifies the likelihood of an attempted burglary succeeding. This then provides the number of expected successful burglaries per annum. All the potential consequences of burglary are then applied to this risk, e.g. value of losses, property damage, interruption to operations etc., to determine a consequence value. From all this data, a relative risk score is provided through a spreadsheet. As consequences will vary between clients, and the attractiveness to a burglar varies also, spreadsheets need to be developed for each type of client. In this approach, using standardised spreadsheets, different risk assessors will provide identical results.
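The contrast described above, as an added Python example that is not the authors' spreadsheet: a qualitative matrix whose rating shifts with the assessor's choice of likelihood word, beside a quantified calculation that returns the same figure for the same inputs. The matrix layout, the assumption that security measures act independently, and every figure are constructed for illustration.

```python
# Added illustration; matrix, formula and all figures are constructed assumptions.
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
# One row per likelihood, one letter per consequence column (a typical 5x5 layout).
MATRIX = {"rare": "LLMHH", "unlikely": "LLMHE", "possible": "LMHEE",
          "likely": "MHHEE", "certain": "HHEEE"}
LABEL = {"L": "low", "M": "medium", "H": "high", "E": "extreme"}


def matrix_rating(likelihood, consequence):
    """Qualitative rating: depends on the assessor's choice of likelihood word."""
    return LABEL[MATRIX[likelihood][CONSEQUENCE.index(consequence)]]


def success_probability(stop_rates):
    """Chance an attempt defeats every measure, assuming measures act independently."""
    p = 1.0
    for rate in stop_rates.values():
        p *= 1.0 - rate
    return p


def expected_annual_loss(attempts_per_year, stop_rates, consequences):
    """Expected successful events per annum times the summed consequence value."""
    successes = attempts_per_year * success_probability(stop_rates)
    return successes * sum(consequences.values())


def rank_by_expected_loss(risks):
    """Relative ranking of risks, highest expected annual loss first."""
    scored = {name: expected_annual_loss(**r) for name, r in risks.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample site: figures are placeholders, not real crime statistics.
SAMPLE_RISKS = {
    "burglary": {
        "attempts_per_year": 4.0,
        "stop_rates": {"fence": 0.5, "monitored alarm": 0.5, "door hardware": 0.5},
        "consequences": {"losses": 20_000, "damage": 5_000, "interruption": 15_000},
    },
    "terrorism": {
        "attempts_per_year": 0.0001,
        "stop_rates": {},
        "consequences": {"all consequences": 50_000_000},
    },
}

if __name__ == "__main__":
    print(matrix_rating("unlikely", "major"), matrix_rating("possible", "major"))
    print(matrix_rating("rare", "catastrophic"))
    for name, loss in rank_by_expected_loss(SAMPLE_RISKS):
        print(f"{name}: {loss:,.0f} per annum")
```

Two assessors who differ only on "unlikely" versus "possible" get different matrix ratings for the same site, while the quantified ranking changes only when the recorded inputs change.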

Ability to effectively undertake the security review (subject matter knowledge)

Satisfying this requirement is linked to the consultant’s qualifications and experience. For example, if a consultant is recommending the implementation of vehicle bollards, are they suggesting a particular brand or are they citing which elements of local and international standards need to be met?

Impartiality of advice (consider any commercial affiliations)

An independent security and risk consultant will not provide any insurance, guards, equipment, installation services, training, employment services or any other item that may be a recommendation in their reports.

Integrity and impartiality in their recommendations are critical, and they must have a policy in place that refuses acceptance of any benefit from any supplier.

Published professional work

As the phrase goes, “Publish or Perish”. The government has listed this as a consideration in assessing a security consultant, so consultants should be able to provide a list of their professional publications.

Other considerations

There are a number of other considerations that the Australian Government hasn’t mentioned:

  • Professional indemnity insurance ($10 million is the accepted norm).
  • Public liability insurance ($20 million).
  • Quality Assurance (Do they have a system compliant with ISO 9001?).
  • Safety Management (Do they have a system compliant with AS4801?).
  • Are they Australian Government Security Construction and Equipment Committee (SCEC) Endorsed?


Are Australian airports secure?

Recent events in Australia have brought our airport security into the spotlight. When we compare our airport security with other countries, it becomes evident that there is much room for improvement at home.

The most striking difference between security at Australian airports and those in many overseas countries is that in Australia we have only one weapons screening barrier, and it is well inside the airport. This is a serious deficiency for a number of reasons.

Firstly, when there is no screening at the entry to the airport, only travellers are screened; visitors are not. Anyone can enter the airport with a weapon or explosive device and mix with the crowds of people in arrivals, departures or in the busy retail areas. The area of biggest risk in an Australian airport is a terrorist attack in an area where large numbers of people gather, and this is most likely in the departures hall. The recent advice of the Australian Government to arrive early at the airport has significantly increased the attractiveness of this area to terrorists, as the number of people present at any time has greatly increased. In 2011, suicide bombers attacked Domodedovo International Airport near Moscow, resulting in 37 deaths and 173 injuries. At the time, they were not screening visitors to the airport; now they are.

Secondly, the weapons screening is a single point of failure. A number of factors could combine to allow a weapon to pass through the screening point, such as staff distraction, corruption, failure to follow procedures, or equipment underperforming. This year, a man in Texas was sentenced to three years in prison for bribing a security guard on five occasions in order to smuggle drugs through passenger security screening at SFO. This single point of screening is very rare in many countries. Most overseas airports have screening at the entry to the building (at some, all luggage is opened and inspected at the entry) and again at the passenger departures entry. Some go further and have screening at the departure gate lounges. It is also usual for screening to occur at international flight transfer points. In doing so, the single point of failure is removed.

Full body scanners are deployed at the screening points at major airports in Australia. These, however, are usually only used to screen a sample of passengers. Where these are deployed at overseas airports, all passengers are screened.

The security of baggage handling for departing flights in Australia is also of concern. I personally have had four suitcases forced open, damaged and have had items stolen from them at one particular airport. In one instance, this was reported to the Federal Police but no response was received. This is understandable as their website states that “The AFP carefully considers all reports of Commonwealth crimes, however we do not have the resources to investigate every reported crime.” It’s reasonable to assume therefore that people engaged in petty crime on Commonwealth property such as interfering with baggage at airports know this and have no fear of being caught.

Of course, there are many places in the world where airport security is far worse than Australia, but we can do much better.