Adventures in Consultant Due Diligence.
In May 2022, employees of a charitable organization in Omaha, Nebraska were in the middle of a typical workday when they were suddenly faced with their worst workplace nightmare. A masked man armed with a pistol burst into the office and began shooting randomly. Frightened employees observed several victims on the floor covered in blood. In the ensuing panic, some employees jumped from open windows and ran away, others attempted to hide, while several resigned themselves to an imminent violent death. Several 911 calls were made as police and EMS responded to reports of an active shooter incident with mass casualties.
This was not an active shooter situation. This was a drill conducted by an “expert” consultant firing blanks from a pistol and using paid actors covered in fake blood as victims. The leadership team of the organization wanted to conduct active shooter response training but did not know where to turn for an instructor. Their director of security recommended John Channels for the job citing his “fill-in” work in security as his expertise. Channels, 27 years old, was employed as a civilian security officer at a nearby Air Force base. Channels claimed to be the owner of a security firm with extensive experience in such training. Channels told the organization that he would coordinate with local police and that officers would be present during the drill. None of this was true, Channels did not own a company, had no relevant experience, and failed to notify the police of the planned exercise.
According to police reports, after the training, Channels approached traumatized employees, asked them if they wished they had a gun, and handed them a card advertising his gun safety training services.
Channels was subsequently arrested and charged with five counts of making terroristic threats and one weapons count. As it turns out, Channels was already out of jail on bond at the time of the drill after being arrested and charged with sexually assaulting a minor. In that case, prosecutors charged Channels with 12 counts of sexual assault of a child, 10 child pornography-related felonies, and three assault counts in connection with long-term abuse of a 12-year-old girl that continued through the victim’s early teens. The organization conducted no other due diligence checks of Channels and relied solely on the recommendation of their security director.
Unfortunately, this was not an isolated incident. In 2021, staff at a Florida hospital filed suit after a botched active shooter drill where a trainer wearing a mask appeared at a window, made bangs that sounded like gunshots, stormed into the room, told nurses to get on the ground, and demanded drugs. The trainer terrorized staff for at least 10 minutes before announcing it was all just a drill. Meanwhile, other staff called 911 resulting in a massive law enforcement response.
During active-shooter training in 2019, Indiana elementary teachers were told to kneel and face a classroom wall before being shot, execution-style, with plastic pellets. Terrified teachers were screaming during the exercise, which left them with welts and bruises, according to the Indiana State Teachers Association, which testified about the experience to lawmakers.
Granted these are extreme examples but they serve as a stark warning about the perils of failing to do your due diligence when hiring a consultant. Reputable security consultants can bring specialized knowledge, experience, and skills to help organizations tackle specific challenges or achieve their goals. This can be particularly useful for smaller organizations or those that do not have the budget to hire full-time security professionals. Sometimes an organization needs “outside eyes” on a specific problem or project. External consultants can provide an objective perspective on an organization’s security posture, conduct independent assessments, and identify vulnerabilities or gaps that internal teams may have overlooked. However, selecting the right consultant can be daunting, especially in the security sector. Hiring a bad consultant will only waste your time and money.
Organizations should consider some key things when choosing an external consultant.
- Define your needs: Before you start looking for a consultant, it’s essential to understand your organization’s needs. What challenges are you facing? What are your goals? What specific expertise do you need? What problem are you trying to solve and what are your specific expectations regarding deliverables? Having a clear understanding of what you want to achieve will help you identify the right consultant for the job. A good consultant will work with you to help define the problem and set the right goals.
- Look for relevant experience: When selecting a consultant, look for a firm or individual with experience working in your industry or one that specializes in addressing the challenges facing your organization. Professional certifications and credentials show that a prospective consultant has demonstrated a high level of expertise, experience, and knowledge. Through continuing education required to maintain certification a consultant holding such credentials is also committed to keeping up with new trends, research, industry best practices, and applicable laws and regulatory requirements. While credentials and certifications are important beware of “Credential Collectors.” There is a multitude of specialized certifications within the security industry. Is it realistic, practical, or effective to have them all? When evaluating a potential consultant with multiple certifications don’t be afraid to ask how frequently they work within that specific discipline. Is the individual truly an expert in the field with recent experience or are they a good test taker and this certification is just one of many? The whole point of utilizing a consultant is to take advantage of deep subject matter expertise in highly specific areas. Why settle for experience that is a mile wide but only an inch deep?
- Know who you are talking to: When contacting a prospective consultant are you speaking with a sales or business development person or are you connecting with one of the actual subject matter experts who will be working with you?
- How independent is the consultant? What are they selling? Is the consultant providing independent unbiased expertise and advice or are they selling other products their firm offers? Consultants may recommend products to address a vulnerability or gap, “Your facility needs a visitor management program, here are some examples” but beware of firms that exclusively recommend their own products.
- Check references: Don’t just rely on a consultant’s marketing materials or website. Ask for references and samples of work. Due to the sensitive nature of security consulting, some clients prefer to not be identified so be prepared to accept redacted copies of work products. A reputable consultant should be willing and able to describe their prior work without breaching client confidentiality. “We provide services to several large clients including a large multinational corporation with more than 18,000 employees and operations in over 20 countries.”
- Consider cultural fit: A consultant may have the right skills and experience, but if they don’t fit well with your organization’s culture, they may not be effective. Look for someone who shares your values, communicates well with your team, and can work collaboratively with your staff. The security consulting field is a crowded space with many individuals touting extensive law enforcement or military experience. As a retired law enforcement officer and military veteran, I can attest to the value of these experiences, but can your prospective consultant translate and adapt those skills and experiences to your corporate environment?
- Evaluate communication skills: Communication is key to the success of any consulting project. Look for a consultant who is an excellent communicator, both verbally and in writing. They should be able to explain complex concepts clearly and concisely, listen actively, and keep stakeholders informed throughout the project. Review sample written products. Are they full of jargon and raw data or do they provide meaningful analysis and actionable recommendations?
- Review the consultant’s methodology: Understand the consultant’s approach and methodology for conducting security assessments and developing security plans. Make sure their approach aligns with your organization’s goals and values. Do they conform to industry best practices and guidelines articulated by professional associations (ASIS, IAHSS, ATAP)? Do they conform to applicable ANSI National Standards?
- Watch out for “Mission Creep:” You hired the consultant for a specific need. When other needs arise beware of the consultant who says, “Yeah, we do that too.” Before committing to an expanded scope of work make sure the consultant has the required expertise for the new task. Ask for examples of their work on similar projects. Will they do the work or will they subcontract out?
- Watch deadlines and deliverables: Consultants who cannot give a proposed timeline or consistently miss deadlines may be over their heads. How responsive are they during contract negotiations? If they are not responsive during this courtship phase how will they be when the project is underway? Can they deliver what they promise on time? What does their final product look like? Is their work tailored to your organization or is it a recycled off-the-shelf template from prior clients?
Selecting the right external consultant requires careful consideration of a range of factors, from experience and expertise to communication skills and cultural fit. By defining your needs and evaluating potential consultants, you can ensure that you find a partner who can help your organization achieve its goals.