Physical Security Consulting: What Actually Moves the Needle
So a guy walks into a warehouse, points at a camera, and says "that's not pointed at anything useful." That guy charged $4,200 for the visit. And honestly? He was right. Welcome to the strange, occasionally infuriating, frequently misunderstood world of physical security consulting — where the most valuable thing in the room is often a clipboard and a brutally honest pair of eyes.
Here's the thing nobody tells you up front: most security problems aren't gear problems. They're decision problems. A facility with a hundred cameras can be less secure than one with twelve, if the twelve are pointed at the right doors and somebody actually watches them. Consulting, done well, fixes the decisions. The gear comes later.
Let's get into what good consulting actually looks like, what it costs, when you need it, and how to tell if the person you hired knows what they're doing — or just owns a clipboard.
What Physical Security Consulting Really Is
Strip away the jargon and physical security consulting is one job: figuring out how a real attacker (or a thief, or an angry ex-employee, or a curious teenager with too much time) would actually compromise your site — and then telling you how to make that harder.
That's it. That's the gig.
It's not selling you cameras. It's not installing card readers. It's not pitching you the latest cloud platform with a slick app. A consultant who shows up with a product brochure in hand is not consulting — they're selling. There's nothing wrong with selling, but you should know which one you're paying for.
Real consulting includes:
- A site walk where the consultant tries to find ways IN, not ways to charge you
- A threat model that's specific to YOUR business (a jewelry store and a logistics yard are not the same problem)
- A gap analysis comparing what you have versus what the threat model demands
- A prioritized roadmap that says "fix this first, then this, then this" — with budget realism baked in
- Vendor-neutral recommendations (or at least vendor-honest ones)
What it isn't: a 90-page PDF full of stock photos and the phrase "best-in-class." If your deliverable looks like it was generated by a template that's been used 400 times, you got templated.
The Three Questions Every Good Consultant Asks First

Before anyone measures a doorway or counts cameras, a competent consultant will ask three things. If they skip these, walk.
- What are you actually trying to protect? People, inventory, data, brand, continuity of operations — these all lead to different solutions. "Everything" is not an answer.
- What does a bad day look like for you? Not in vague terms. Specifically. Theft at 2am? An employee assault? A vendor who shouldn't have been let in the back door? Your bad day shapes the entire plan.
- What's your operational reality? A 24/7 distribution center has different needs than a Monday-to-Friday office. A small team that already wears six hats can't suddenly add "monitor 40 cameras" to the list.
Notice that none of these questions are about technology. The tech conversation comes later — usually a lot later than people expect. I've seen consulting engagements where the answer was "you don't need new cameras, you need to lock the side door at night." Total project cost: a $14 hasp.
The Risk Assessment — Where Most Money Gets Saved or Wasted
The single most useful deliverable in physical security consulting is a real risk assessment. Not the checkbox kind. The kind where someone walks your property at the times your bad day would happen, looks at the things you've stopped seeing because you walk past them every day, and writes down what they find.
A proper assessment hits four buckets:
People. Who's coming and going. How are visitors handled. Who has keys, fobs, codes — and who used to have them but technically still does because nobody collected them when Steve quit in 2021.
Process. What happens when an alarm goes off at 11pm. Who calls who. Does the night manager know the camera angles. Is there a written procedure or just tribal knowledge that walks out the door with every retirement.
Physical layout. Doors, fences, lighting, sightlines, blind spots, parking lots, loading docks, the dumpster area (always the dumpster area — it's the most ignored part of every facility and the most often used entry point in actual incidents).
Technology. Cameras, access control, intercoms, alarms, monitoring. This bucket gets all the attention and is usually the least important of the four. The Cybersecurity and Infrastructure Security Agency has solid free guidance on layered physical security that mirrors this thinking — defense in depth, not defense in shiny gadgets.
A good consultant will produce a heat map of your actual risk, not a list of products. If the deliverable has more SKUs than findings, something's off.
Where Technology Finally Enters the Conversation

Okay. We've done the boring (read: actually important) work. Now we can talk about gear. But even here, the consulting mindset matters more than the product list.
Access Control
Most facilities are running access control systems that were installed two presidencies ago. They technically work. They also technically can't tell you who entered the building at 3am last Thursday, because the audit log was full and started overwriting itself in 2019.
Modern access control isn't about fancier badges. It's about visibility, revocation speed, and integration. When somebody leaves, can you kill their access in 30 seconds from a phone? When a contractor needs a one-day pass, can you issue it without making someone drive to the office? A consultant should be evaluating your access control setup against those operational questions, not against a feature checklist.
Cameras
Camera projects fail for one of two reasons: too few cameras pointed at things that matter, or too many cameras pointed at things that don't. There's almost never a middle ground in the wild.
A camera plan should answer: at this exact spot, what question is this camera answering? "Who came through this door?" is a question. "General awareness of the parking lot" is not — it's a wish, and it's why so many incidents end with grainy footage of a hoodie.
This is also where AI has changed the math in a real way. Modern systems can flag a person loitering at a loading dock at 2am without anyone watching the screen. If you want the non-marketing version of what that actually does, here's a plain-English breakdown of AI security systems — worth reading before any consultant pitches you the word "AI" with a straight face.
Intercom and Visitor Management
An intercom security system is one of the most underrated pieces of the puzzle, especially for facilities with controlled lobbies, loading bays, or after-hours deliveries. The question isn't "do we have an intercom" — it's "when someone presses the button, does the right person get the call, can they see who's there, and can they unlock the door without walking down a hallway?" If the answer to any of those is no, that's a finding.
Monitoring
Cameras nobody watches are evidence collection, not security. That's fine, if that's what you bought them for. But if you THOUGHT you bought deterrence and detection, and what you actually got is a hard drive full of crimes-after-the-fact, that's a consulting gap.
A consultant should help you decide: self-monitor, contract monitor, AI-assisted monitor, hybrid. Each has a real cost and a real benefit. None is universally right.
What a Real Engagement Looks Like, Start to Finish
People always ask "what does the process actually look like?" Fair question. Here's roughly how it goes when it's done right:
Week 1 — Scoping call. Consultant asks the three questions above. You explain your operation. They ask for floor plans, current asset lists, incident history, insurance requirements. If your incident history is "we don't really track that," congratulations, you have your first finding.
Week 2 — Site visits. Plural. Daytime AND after hours, because your facility behaves differently at 6pm than at 10am. A consultant who only visits during business hours is doing half the job.
Week 3 — Stakeholder interviews. Talking to the night manager, the receptionist, the loading dock lead, the IT director, and yes — the cleaning crew, because the cleaning crew sees everything and tells nobody.
Week 4 — Draft report. Findings, risk ratings, recommendations, rough costs, suggested sequencing.
Week 5 — Review session. You push back. They defend or revise. The final report should reflect both your operational reality and their professional judgment.
Week 6 onward — Implementation oversight (optional but recommended). A consultant who hands you a report and disappears has delivered about 60% of the value. The other 40% is keeping integrators honest when the install starts.
Total spend for a thorough mid-size engagement: usually somewhere between $8,000 and $40,000, depending on facility count and complexity. Sounds like a lot until you compare it to the cost of buying the wrong system — which typically costs 10x that, followed by a slow march to ripping it back out three years later.
Red Flags When Hiring a Consultant

Some warning signs, in no particular order:
- They give you a product recommendation before they've done a site walk. This is selling with extra steps.
- They can't name a manufacturer they DON'T like. Everyone has opinions. A consultant with no opinions has no experience.
- Their report is 80% boilerplate. You can tell — the font changes when they get to the part they actually wrote about you.
- They won't share references from facilities like yours.
- They quote a flat fee with no scope. Either they're guessing, or they're going to find a way to make the work fit the fee. Neither helps you.
- They use the word "synergy" unironically. Run.
Independent certifications help. Look for credentials like the Physical Security Professional designation from ASIS International — it's not a magic stamp, but it tells you the person has had to actually study this stuff and pass a real exam.
The Pilot Question
Almost every modern engagement ends with the same conversation: "okay, we agree on the plan — do we do the whole thing at once, or pilot a piece first?"
Almost always, pilot first. A pilot does three things. It validates the consultant's recommendations in the real world. It builds internal champions among the people who'll actually use the system. And it gives you data to renegotiate pricing on the full rollout, because vendors price differently when they see you're serious. Here's a longer take on running an AI security pilot the right way if you want to see how that plays out in practice.
The only time to skip the pilot is when the risk is acute and immediate — recent break-ins, an active threat, a regulatory deadline. In those cases, speed beats elegance.
Where Consulting Ends and Operations Begin

Here's the unglamorous truth: the best security plan in the world dies in the first 90 days if nobody owns it operationally. Consultants design the system. Somebody on your team has to live in it.
Before any engagement wraps, somebody internal needs to own:
- Daily verification (alarms armed, cameras online, access logs reviewed at some sane interval)
- Quarterly access list reviews (the Steve problem from earlier)
- Annual revisit of the threat model (your business changes; your security should too)
- Incident debriefs (every incident, even the small ones — patterns matter)
If you don't have someone to assign these to, that's a finding the consultant should raise before signing off. Sometimes the answer is hiring. Sometimes it's outsourcing to a managed service. But "nobody" is not an answer that ends well.
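One way to run the quarterly access list review from the list above, as an added example that is not part of the original article: it reconciles an HR roster against the access control system's credential list and badge log to surface the "Steve problem". The CSV column names and every sample row are constructed assumptions, not any vendor's export format.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports (not real data). Column names are assumptions;
# map them to whatever your HR system and access control panel export.
HR_ROSTER = """employee_id,name,status,last_day
1001,Dana Ortiz,active,
1002,Steve Hall,terminated,2021-06-30
1003,Priya Nair,terminated,2024-03-15
"""
CREDENTIALS = """credential_id,employee_id,type,enabled
F-17,1001,fob,yes
F-22,1002,fob,yes
K-03,1003,key,no
F-40,,fob,yes
"""
BADGE_EVENTS = """timestamp,credential_id,door
2024-05-02T03:04:00,F-22,Side door
2024-05-02T08:15:00,F-17,Lobby
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_access(hr_csv, cred_csv, events_csv):
    """Return (kind, credential_id, detail) findings for one access review."""
    staff = {r["employee_id"]: r for r in _rows(hr_csv)}
    creds = {r["credential_id"]: r for r in _rows(cred_csv)}
    findings = []
    for cid, cred in creds.items():
        if cred["enabled"] != "yes":
            continue  # already revoked, nothing to fix
        person = staff.get(cred["employee_id"])
        if person is None:
            findings.append(("unowned", cid, "enabled credential with no owner on the HR roster"))
        elif person["status"] != "active":
            findings.append(("stale", cid, f"{person['name']} left {person['last_day']}, still enabled"))
    for ev in _rows(events_csv):
        cred = creds.get(ev["credential_id"])
        person = staff.get(cred["employee_id"]) if cred else None
        if person and person["last_day"]:  # badge use dated after the holder's last day
            if datetime.fromisoformat(ev["timestamp"]).date() > date.fromisoformat(person["last_day"]):
                findings.append(("used_after_exit", ev["credential_id"], f"{ev['door']} at {ev['timestamp']}"))
    return findings

if __name__ == "__main__":
    for kind, cid, detail in review_access(HR_ROSTER, CREDENTIALS, BADGE_EVENTS):
        print(f"{kind:16} {cid:5} {detail}")
```

A "used_after_exit" finding is the one to escalate first, since it means a credential that should have been collected was actually presented at a door.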
What Good Looks Like, Six Months Later
You'll know consulting worked if, six months after the engagement:
- Your team can describe the security plan in plain English without reading from a binder
- Incident response has names attached, not just steps
- You've removed at least one thing you used to do that wasn't actually helping
- You spent less than your original budget assumption, because the consultant saved you from buying things you didn't need
- The next time something weird happens at 2am, you find out about it in real time, not in the morning
If none of those things are true, the engagement didn't take. And it's worth asking why — usually it's because implementation got rushed, or because the operational ownership piece never landed.
FAQ
How much does physical security consulting actually cost?
For a single facility, expect $5,000 to $15,000 for a thorough risk assessment and roadmap. Multi-site or complex environments (logistics, healthcare, critical infrastructure) typically run $20,000 to $60,000+. Hourly rates for senior consultants generally land between $200 and $400. Beware of anyone significantly under that band — they're either inexperienced or planning to make the difference back on product margins.
How is a consultant different from an integrator?
A consultant designs the plan and is paid for their judgment, ideally without product margin in the mix. An integrator installs and maintains the systems. The conflict of interest matters: if the same company designs AND installs, they have a financial reason to recommend more equipment. Some firms do both honestly, but you should know which hat is on at any given moment and how they're paid for each.
Do small businesses really need a security consultant?
Not always — but the threshold is lower than people think. If you handle valuable inventory, see public foot traffic, employ more than about 20 people, or have had any incident in the last two years, a consultant pays for themselves quickly. For very small operations, even a half-day paid walkthrough ($1,500-$3,000) can surface 80% of the meaningful issues without a full engagement.
What's the difference between a security audit and a risk assessment?
An audit checks whether you're doing what you said you'd do — comparing current state to a written policy or standard. A risk assessment is broader: it asks whether the policy itself is right for the actual threats you face. You can pass an audit and still be wildly insecure if the underlying assumptions are wrong. Most facilities need a risk assessment first, then audits going forward.
How often should we revisit our physical security plan?
Annually at minimum, and any time something material changes — a new facility, a major staffing change, a merger, a new product line, a recent incident, or a shift in the surrounding neighborhood. Threat models drift. A plan that fit your business three years ago might be solving the wrong problem today.
Will a consultant work with the systems we already have?
A good one will. Rip-and-replace recommendations should be a last resort, not a starting position. Most facilities have some equipment that's still useful, some that needs reconfiguration, and some that's genuinely past its life. A consultant who recommends scrapping everything on day one is either right (rare) or selling something (common).
Can one consultant cover both physical and cyber security?
Some can — the disciplines overlap more every year, especially as cameras, access control, and intercoms all live on the network. But true dual-domain expertise is rare. More commonly, you'll want a physical security lead who coordinates with your IT or cybersecurity team on the network-side concerns. Be skeptical of anyone claiming deep expertise in both unless they can show specific credentials in each.
What deliverables should we expect at the end of an engagement?
At minimum: a written risk assessment, a prioritized findings list with severity ratings, a recommended roadmap with rough budget ranges, and a presentation to your leadership team. Better engagements also include vendor-neutral specifications you can put out to bid, sample policies and procedures, and an implementation oversight option. If the deliverable is just a PDF and an invoice, you got the budget version.

