Choosing a Security Consultant

On August 20, the Australian Government released the publication Australia’s Strategy for Protecting Crowded Places from Terrorism 2017. This document has, among other things, provided much needed guidance on the selection of security consultants.

It states:

Professional and qualified security consultants play an important role in undertaking full security risk assessments of crowded places and recommending appropriate protective security measures (Box 3).

Looking at these considerations:

Security Licence

The licensing requirements for security consultants varies considerably between the states and territories and a licence in one state or territory is not valid in another.

The following table shows some of the differences. These are just for the individual licences – companies have more variances.

The most rigid licensing requirements are in ACT, NSW and WA. In the other states and territories either no licence is required or no qualifications are required to obtain a licence. However, the inconsistency in the qualification requirements to obtain a license opens up a loophole when mutual recognition laws between the states are applied. For example, a Registered Security Adviser in Victoria (who is not required to be qualified and can apply for a licence without ever been physically seen by the licensing authority) can simply apply for mutual recognition and obtain a full licence in any other state without having any qualifications.

Having a licence in any state or territory is therefore no guarantee that the consultant holds qualifications in security.

Education, qualifications, skills, and experience

So, what education, qualifications, skills, and experience should a security consultant hold?

The absolute minimum qualification is generally considered to be a Certificate IV in Security and Risk Management (although a Diploma is more common). This provides a very basic understanding of the security risk assessment processes but does not touch on any technical subjects. It’s enough to get a licence in some states but it doesn’t let the consultant speak with authority on any technical matters.

The Australian Government Security Construction and Equipment Committee Security Zone Consultant Scheme Policy (2013) includes the following minimum education and experience requirements for any security consultant wishing to apply for SCEC endorsement which will permit them to advise on and certify high security government security systems. It could be reasonably inferred therefore that this is what they expect security consultants to have as a minimum.

Once accepted into the SCEC Endorsed Security Zone Consultant program, candidates are given several days training and an examination at the conclusion.

ASIS International has a different qualification and experience requirement for the granting of their CPP (Certified Protection Professional) accreditation. The eligibility requirements to apply are:

  • Nine years of security work experience, with at least three of those years in responsible charge of a security function; or
  • A bachelor’s degree or higher and seven years of security work experience, with at least three of those years in responsible charge of a security function.

Applicants are then required to sit an examination.

Referee reports

Referee reports need to be relevant to the project that a security consultant is being considered for. How well a consultant carried out a security risk assessment for one client is no indication of how well they can design a CCTV system for another.

Security clearance (where required)

Security clearances are given at the following levels in Australia:

Most security consultants will hold at least a Baseline security clearance. If they don’t have this then it isn’t necessarily a problem, but you would want to establish why they haven’t obtained one. A security clearance picks up a lot more than a simple police check.

Professional association and affiliations

Some of the associations and affiliations that are relevant to individual consultants in Australia include:

  • ASIS (American but common in Australia)
  • Association of Investigators and Security Professionals
  • Australian Institute of Professional Investigators
  • Australian Standards
  • Engineers Australia (Membership enables exemption from some SA security agent licence requirements)
  • Security Providers Association of Australia Limited
  • Victorian Security Institute (VSI)

Previous experience conducting security reviews

When looking at this, look for how they previously assessed the risks and how the recommended risk mitigation measures realistically addressed these risks.

The following is from an earlier blog of ours:

If you ask two security consultants to provide a security risk assessment of your premises, then most likely you will receive two different results. A main cause of this is that it is common for security risk assessors to take the approach of identifying risks as being simply extreme, high, medium or low. This is done by assessing the likelihood of a risk as rare through to certain and rating the consequences as insignificant through to catastrophic.  This approach provides a quick result but the results will vary between individuals.

A significant problem with this approach is that any risk with a catastrophic potential consequence is invariably rated as being an extreme or high risk no matter how unlikely the risk is. An example of this is the risk of terrorism.  This risk is often rated as the highest risk to a site, even if it is inconceivable that this risk would occur. The other obvious problem is that different risk assessors will view the likelihood of risks occurring differently, so the level of risk the assessment says that you are exposed to will depend on who carried out the assessment. This is a particular problem if the client has a number of properties that they need assessed.

Another approach, and one that we use in our consultancy practice, is to quantify the risks as far as possible. Instead of rating the risk of burglary, for example, as being medium or high, this approach looks at the local crime statistics and identifies the number of times per annum that the client can expect a burglary attempt. The method then looks at the security measures, either that are in place or proposed, and through a standard spreadsheet, identifies the likelihood of an attempted burglary succeeding. This then provides the number of expected successful burglaries per annum. All the potential consequences of burglary are then applied to this risk, e.g. value of losses, property damage, interruption to operations etc. to determine a consequence value. From all this data, a relative risk score is provided through a spreadsheet. As consequences will vary between clients and the attractiveness to a burglar vary also, spreadsheets need to be developed for each type of client. In this approach, using standardised spreadsheets, different risk assessors will provide identical results.

Ability to effectively undertake the security review (subject matter knowledge)

Satisfying this requirement is linked to the consultant’s qualifications and experience. For example, if a consultant is recommending the implementation of vehicle bollards, are they suggesting a particular brand or are they citing which elements of local and international standards need to be met.

Impartiality of advice (consider any commercial affiliations)

An independent security and risk consultants will not provide any insurance, guards, equipment, installation services, training, employment services or any other item that may be a recommendation in their reports.

Integrity and impartiality in their recommendations is critical and they must have a policy in place that refuses acceptance of any benefit from any supplier.

Published professional work

As the phrase goes “Publish or Perish”. The government has listed this as a consideration in assessing a security consultant, so consultants should be able to provide a list of their professional publications.

Other considerations

There are a number of other considerations that the Australian Government hasn’t mentioned:

  • Professional indemnity insurance ($10 million is the accepted norm).
  • Public liability insurance ($20 million).
  • Quality Assurance (Do they have a system compliant to  ISO 9001?).
  • Safety Management (Do they have a system compliant to  AS4801 ?).
  • Are they Australian Government Security Construction and Equipment Committee (SCEC) Endorsed?


Simon Walker

Author: Simon Walker

Simon established Connley Walker Pty Ltd in 1996. He is a Fellow of Engineers Australia, a Registered Building Practitioner, a Member of the Australian Institute of Project Management, a Registered International Professional Engineer, a Registered APEC Engineer, and an SCEC Endorsed Security Zone Consultant. He is the author of the books Operational risk management: Controlling opportunities and threats, 2001 ISBN 0957907400 and Hospital and Health Care Security in Australia, 2009 ISBN 978-0-9579074-1-6.