Over the years, I’ve been asked to participate in surveys from security peers where the primary objective was to determine how many full time staff (aka FTE’s, proprietary, or In-House resources) vs. contractors we have. One specific request was from a security director of a fortune 500 company who invited me to participate in an all-day benchmarking session to discuss proprietary FTE staffing models. The company had just reorganized and his new VP questioned their current security staffing model. I think the security director regretted inviting me because I told him he was way overstaffed with FTE’s and could effectively run his business with less FTE’s and more contractors.
Many security directors come from the government with military or law enforcement backgrounds. They are used to having FTE staffing and only used contractors on a limited basis. I know a few security directors that pride themselves on having large FTE staff because they feel the more FTE employees they have, the more power they hold. There are some biases, whether conscious or unconscious, towards contractors. I’ve heard from some of my FTE staff in my early years in the corporate arena that contractors needed to have limited decision making authority and only FTE’s could drive strategic programs. I disagreed because I knew that talent is talent no matter the employment status of someone. I’ve seen in the physical security industry where contractors are treated poorly by FTE’s and I definitely would not tolerate that in my organization. Part of the problem resides in some contracting companies that treat their staff like commodities that are easily expendable, so the result is having poorly trained, uninspired, unengaged, and unhappy contractors. This is where a security director may argue that having FTE staff is required over contractors because of a higher retention rate and morale. There’s a trend in Silicon Valley where traditional contracting roles such as man-guarding are being converted to FTE’s. I don’t want to debate anyone’s reasoning for doing this but I can only speculate if their companies ever have a bad quarter and need to cut costs, there’s a high likelihood that the FTE man-guarding will be at the top of the list to cut.
I have built a strong contracting model in my organization as getting FTE resources is very difficult to obtain; however getting dollars for contracting is much easier. I recall about 14 years ago when I was a new manager some of my FTE staff warned me not to bring in higher level contractors to help with our strategic direction. They felt only FTE’s were capable of making key strategic decisions. I guess being new to corporate security, I wanted a second opinion and brought in strategic consultants to help validate what I was being told. I’ve learned that there are good contractors that are committed to delivering to their client’s objectives, and I’ve also had bad experiences. Years ago I hired a consultant for a risk assessment project who later covertly pitched my CSO why he (the contractor) needed to run the operations organization as the director. I think this is where security managers are leery of security consulting contractors not looking out for their client’s best interest.
My advice is to check the references of security contractors/consultants and get feedback on the tangible results they delivered. Another example I have is from a very well-known consultant that I considered bringing on for a strategic project. He told me that he had done a large project for the IT department in my company. He dropped a few names from my company that hired him, one being a very high level VP whom he probably thought I wouldn’t reach out to. I reached out to the VP, and he said never heard of the guy and never did a project with him. When I confronted the consultant with my findings, he changed his original statement that he had subbed for another consultant doing the work. I quickly found out that wasn’t true either. Needless to say not only did he not get my business, I continue question his veracity and reputation when I see him posting blogs and articles about being a security authority.
Part of the problem of the security contracting world is the actual contractors or companies themselves. It’s really no different than hiring a construction contractor where you’ll find really good ones, middle-of-the-road ones, and very bad ones.
Once I find a security contractor that delivers on what they say they will do, and are strategic partners that are truthful and transparent whether the message is good, bad, or indifferent, I stick with them for the long term and have built a very successful, world-class security organization with their help.
In conclusion, don’t be afraid to leverage contractors as long as you do your own due diligence in checking their body of work, references, and holding them accountable when you bring them on. You won’t be disappointed and will likely build a long-term strategic partnership that will make your organization better and stronger.
*Disclaimer: The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of Microsoft.