Hiring a security consultancy is not like hiring a law firm or an accountant. There is no universal licensing body, no single professional standard and no shortage of firms that present well in a proposal but lack the depth to deliver once the engagement starts. For organisations commissioning their first risk assessment — or replacing a provider that under-delivered — the selection process itself is a risk-management exercise.
This guide is written for the people who sign off on these engagements: general counsels, CSOs, COOs and board members evaluating a corporate security and risk management consulting firm for the first time or reconsidering their current provider. It sets out the criteria that matter, the questions to ask and the red flags to avoid.
Why the Selection Decision Matters More Than You Think
A risk assessment is only as good as the team that conducts it. A poorly scoped or superficially executed assessment does not just waste the fee — it creates a false sense of security. Leadership believes the risks are understood and managed when in fact they are neither. The consequences surface later, often after an incident that the assessment should have identified.
Conversely, a well-chosen consultancy delivers compounding value: the initial assessment builds a risk baseline, the recommendations create a funded security roadmap, and the relationship provides ongoing access to expertise that most organisations cannot justify hiring full-time. The selection decision determines which of these outcomes you get.
Seven Criteria for Evaluating a Security Consulting Firm
Practitioner Experience, Not Just Firm Reputation
The firm's brand is less important than the individuals who will lead your engagement. Ask who the lead consultant will be, review their biography, and confirm their direct experience in your industry, region and risk profile. The best firms field senior practitioners with 15–30 years of operational experience in military, intelligence, law enforcement or corporate security. If the proposal names a senior partner but the work will be done by junior analysts, that is a red flag.
Geographic Coverage and Regional Expertise
For multinational organisations, the consultancy must have genuine operational presence — or vetted local partners — in the regions where you operate. A firm strong in North America but with no presence in Southeast Asia, the Middle East or sub-Saharan Africa will struggle to deliver an international security and risk management consulting engagement that covers your full footprint. Ask for case examples in your specific geographies.
Methodology and Frameworks
A credible firm will articulate a clear, repeatable methodology — not a vague promise to "assess your risks." Look for explicit references to ISO 31000, ASIS ESRM, the ASIS General Security Risk Assessment (GSRA) guideline or equivalent frameworks. Ask how they score likelihood and impact (and for the written scale definitions every consultant works from), how they calibrate across sites, and how they ensure consistency when multiple consultants are deployed simultaneously. A firm that cannot show you its scoring scale before the engagement will not be able to defend its risk rankings after it.
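To make the consistency question concrete, here is an added illustration (not code from the page or from any framework it cites) of what a defensible scoring scheme has to contain: written anchors for each ordinal value, a fixed rule for turning likelihood and impact into a rank, and a check that flags a consultant whose scores drift from the shared scale. The 5-point scales, the 1-25 banding, the drift tolerance and the sample entries are all assumptions constructed for the example; ISO 31000 and the ASIS guidelines do not prescribe them.

```python
"""Toy risk-scoring, prioritisation and cross-consultant calibration check.

Added illustration: the 5-point scales, the 1-25 product banding and the drift
check are assumptions for this example, not a scheme prescribed by ISO 31000 or
the ASIS guidelines. All sample data is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

# Written anchors for each ordinal value. A credible methodology hands every
# consultant the same anchors; the wording here is illustrative only.
LIKELIHOOD_ANCHORS = {
    1: "Rare: not expected within 10 years",
    2: "Unlikely: plausible once in 5-10 years",
    3: "Possible: plausible once in 1-5 years",
    4: "Likely: expected at least once a year",
    5: "Almost certain: expected several times a year",
}
IMPACT_ANCHORS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}


@dataclass(frozen=True)
class RiskEntry:
    site: str
    consultant: str
    threat: str
    likelihood: int  # 1-5, per LIKELIHOOD_ANCHORS
    impact: int      # 1-5, per IMPACT_ANCHORS

    def __post_init__(self) -> None:
        # Reject anything outside the anchored scales instead of silently scoring it.
        if self.likelihood not in LIKELIHOOD_ANCHORS or self.impact not in IMPACT_ANCHORS:
            raise ValueError(f"{self.site}/{self.threat}: scores must be 1-5")

    def score(self) -> int:
        """Likelihood x impact, giving a 1-25 product."""
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed banding of the 1-25 product into treatment tiers."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritised_register(entries):
    """Highest score first; ties broken by impact, then site and threat so the order is stable."""
    return sorted(entries, key=lambda e: (-e.score(), -e.impact, e.site, e.threat))


def rating_counts(entries) -> Counter:
    """Headline numbers for an executive summary: how many risks sit in each tier."""
    return Counter(rating(e.score()) for e in entries)


def consultant_drift(entries) -> dict:
    """Mean likelihood deviation of each consultant from the cross-site mean for the
    same threat. Sites legitimately differ, but a consultant who sits above or below
    peers on every threat has drifted from the shared anchors."""
    by_threat = defaultdict(list)
    for e in entries:
        by_threat[e.threat].append(e.likelihood)
    threat_mean = {t: mean(v) for t, v in by_threat.items()}
    deviations = defaultdict(list)
    for e in entries:
        deviations[e.consultant].append(e.likelihood - threat_mean[e.threat])
    return {c: mean(d) for c, d in deviations.items()}


def calibration_flags(entries, tolerance: float = 1.0):
    """Consultants whose mean drift exceeds `tolerance` scale points; the engagement
    lead should re-moderate their entries before the register is issued."""
    return sorted(c for c, d in consultant_drift(entries).items() if abs(d) > tolerance)


# Constructed sample: three sites, three consultants, the same three threats.
# Cy scores every likelihood one to two points above the other two consultants.
SAMPLE = [
    RiskEntry("Site A", "Ana", "Forced entry after hours", 2, 4),
    RiskEntry("Site A", "Ana", "Tailgating at main entrance", 3, 2),
    RiskEntry("Site A", "Ana", "Insider theft of inventory", 3, 3),
    RiskEntry("Site B", "Ben", "Forced entry after hours", 2, 4),
    RiskEntry("Site B", "Ben", "Tailgating at main entrance", 4, 2),
    RiskEntry("Site B", "Ben", "Insider theft of inventory", 3, 3),
    RiskEntry("Site C", "Cy", "Forced entry after hours", 4, 4),
    RiskEntry("Site C", "Cy", "Tailgating at main entrance", 5, 2),
    RiskEntry("Site C", "Cy", "Insider theft of inventory", 5, 3),
]

if __name__ == "__main__":
    for e in prioritised_register(SAMPLE):
        print(f"{rating(e.score()):8} {e.score():2}  {e.site}  {e.threat}")
    print("Tier counts:", dict(rating_counts(SAMPLE)))
    print("Re-moderate:", calibration_flags(SAMPLE))
```

Run as-is, the register puts Site C at the top with two Critical entries, and the drift check flags Cy alone: every one of Cy's likelihood scores sits above the cross-site mean for the same threat, which is the signature of a consultant reading the scale differently rather than of a genuinely riskier site. The useful question for the RFP is not whether a firm uses exactly this scheme, but whether it can show you its own anchors, banding and moderation step in the same level of detail.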
Independence and Vendor Neutrality
Some consultancies are affiliated with security technology vendors or guard-force providers. This creates a conflict of interest: the assessment may steer recommendations toward the products or services the firm sells. Look for firms that are vendor-neutral and whose revenue model is fee-for-service consulting, not product resale.
Confidentiality and Data Handling
Security assessments produce highly sensitive information — your vulnerabilities, your gaps, your incident history. The consultancy must have robust confidentiality protocols: NDAs before any data is shared, encrypted communications, secure document storage, and clear data-retention and destruction policies. Ask who on the consultancy's side will have access to your findings and how that access is limited to the engagement team. For engagements involving HNWIs or family offices, the firm should have prior experience providing private investigation services to high net worth individuals and understand the heightened discretion required.
Deliverable Quality
Ask to see a redacted sample report. The deliverable should be structured, clearly written for a non-security audience, and include a prioritised risk register, a recommendation register with cost and timeline estimates, and an executive summary suitable for board presentation. If the sample report is a generic template with boilerplate language, expect the same from your engagement.
Post-Assessment Support
The best consultancies do not disappear after the report is delivered. They offer implementation support, periodic reassessment, retainer-based advisory access and training. Ask what post-assessment support is included in the fee and what is available on a retainer basis. A firm that builds a long-term relationship has a stake in the quality of its initial recommendations.
Ten Questions to Include in Your RFP
- Who will lead the engagement, and what is their direct experience in our industry and region?
- What methodology and risk-scoring framework do you use?
- How do you ensure consistency across multi-site, multi-country assessments?
- Are you independent of security technology vendors and guard-force providers?
- Can you provide a redacted sample report?
- What are your data-handling, encryption and document-destruction protocols?
- How do you structure pricing — fixed fee, day rate or retainer?
- What post-assessment support is included, and what is available on retainer?
- Can you provide three client references in our sector and geography?
- What professional certifications do your consultants hold (ASIS CPP, PSP and PCI; CISSP)?
Red Flags to Watch For
- Proposals led by sales staff rather than practitioners. If the person pitching is not the person delivering, ask why.
- Hourly-only pricing with no scope cap. Open-ended billing incentivises slow delivery and scope creep.
- Templated reports. If the sample report could apply to any organisation in any industry, the assessment will be equally generic.
- No site visits proposed. Any firm that offers a "desk-based assessment" as the primary deliverable for a physical security engagement is cutting corners.
- Reluctance to name the lead consultant. This usually means the engagement will be staffed with whoever is available, not whoever is qualified.
- Upselling products. If the firm sells CCTV, access control or guard services, their recommendations may not be objective.
Pricing Models Compared
| Model | Advantages | Risks |
|---|---|---|
| Fixed fee | Budget certainty; incentivises efficient delivery | May encourage scope-trimming if the fee is too low |
| Day rate | Flexibility for complex or evolving scope | No cost cap; incentivises slow delivery |
| Retainer + project | Ongoing access; builds relationship; better long-term value | Higher total spend; requires trust in the provider |
For most first-time engagements, a fixed-fee model with a clearly defined scope of work is the safest option. Once a relationship is established, a retainer model often delivers better value because it provides ongoing access to the same senior consultants who conducted the initial assessment.
How to Structure a Trial Engagement
If you are uncertain about a firm, start with a bounded engagement: a single-site risk assessment or a desktop threat analysis for one region. This allows you to evaluate the team's expertise, communication style, deliverable quality and responsiveness before committing to a larger programme. A confident firm will welcome this approach; a firm that insists on a multi-year contract before demonstrating capability is telling you something.
Frequently Asked Questions
How do I evaluate a security consulting firm?
Evaluate on seven criteria: practitioner experience, geographic coverage, methodology, independence, confidentiality protocols, deliverable quality and post-assessment support. Request references, a redacted sample report and the biography of the lead consultant.
How much does a corporate security consultancy cost?
A single-site assessment typically costs USD 15,000–50,000. Multi-site programmes range from USD 75,000 to USD 250,000 or more. Retainer-based advisory access typically starts at USD 3,000–8,000 per month.
Should I choose a global or boutique firm?
It depends on your footprint. A multinational with operations in 20 countries needs a firm with genuine global reach. A single-country organisation may get better value from a boutique with deep local expertise. The key is the seniority and relevance of the individuals assigned to your engagement, not the size of the firm.
References
- ISO 31000:2018 — Risk Management Guidelines. iso.org
- ASIS International — ESRM Guideline. asisonline.org
- ASIS International — Board-Certified Practitioners (CPP, PSP, PCI). asisonline.org
- NIST Cybersecurity Framework 2.0. nist.gov
- Security Management Magazine — ASIS International. asisonline.org