Ask McConnell, Get Solutions – August 2024

Originally published on LinkedIn · August 2024.

What I Observed This Month

I visited an organization this month where a uniformed security officer was discussing active assailant response protocols — in detail — with a customer who had stopped to ask a general question. The conversation covered response procedures, shelter-in-place locations, and lockdown triggers. In a lobby. Audible to anyone nearby.

This is a confidentiality failure, not a training failure. The officer was knowledgeable. The problem was that the organization had not established a clear standard for what information is appropriate to share in public spaces. That standard needs to come from leadership, in writing, with reinforcement.

Responsible Vulnerability Disclosure in Physical Security

Cybersecurity has developed a reasonably mature model for responsible vulnerability disclosure — a researcher finds a flaw, notifies the vendor privately, allows a remediation window, then discloses publicly. Physical security has no equivalent standard. When a consultant finds a critical physical vulnerability during an assessment, there is no formalized protocol for how that finding moves from assessor to owner to resolution.

This matters because physical vulnerabilities — an unlocked server room, an unmonitored entrance, a guard post that is routinely abandoned — are as exploitable as software flaws. We need a physical security equivalent of responsible disclosure. This is a conversation the industry should be having.

Leadership vs. Supervision

Security management often conflates supervision with leadership. Supervision is transactional: assign tasks, monitor completion, correct errors. Leadership is relational: understand the person, develop the capability, set the context for why the work matters.

My framing: connect to the humans, not just to the business. The business case for security is important. But the people who show up every day, make the decisions, take the risks, and respond when things go wrong — they need leaders who see them as people, not as headcount. Security leaders who understand this build better teams and retain better talent.

M&A Security

My M&A Security newsletter is running alongside this general newsletter now. If you work in private equity, venture capital, investment banking, or corporate development, the M&A newsletter is the one to subscribe to.

A theme I returned to this month: integration capacity. Organizations underestimate how much bandwidth real security integration requires. The acquirer has existing operations. The acquisition adds a second set of systems, people, locations, and processes — all of which need security review, reconciliation, and often redesign. Cultural conflicts — different security philosophies, different risk tolerances, different policies — can derail integration as effectively as technical mismatches. Transaction size and pacing determine how much runway you have to do this right. Most organizations give themselves far less than they need.

Insider Threats: Including Your Own Security Team

Security personnel are not immune to becoming insider threats. They have access. They know the systems. They know the procedures. When an organization’s security team is not subject to the same background check refresh cycles, ethical standards enforcement, and monitoring protocols as other high-trust roles, it creates a gap that bad actors — or simply compromised individuals — can exploit.

Background checks are not a one-time event. Updated checks at defined intervals, combined with clear ethical standards and a culture where concerns can be raised without retaliation, are the controls that address this risk.

Physical Security Findings in the Field

I continue to find buildings with minimal physical controls — unlocked utility spaces, unmonitored secondary entrances, credential systems that have not been audited since the prior tenant. When I document these findings, the question of who gets the report and what happens next is not always clear. Organizations need a defined vulnerability reporting mechanism and a defined remediation ownership process. Finding the problem is step one. Closing it is the actual work.

On Metrics

Activity-based statistics are not security metrics. “We responded to 847 incidents last quarter” is a count. A metric connects a measurement to an outcome: what percentage of incidents were detected within defined time parameters, what was the trend, what drove the change? Measurable security requires defined baselines, defined targets, and honest reporting — including when the numbers do not show progress.
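As an added illustration of the count-versus-metric distinction (example code written for this page, not from the newsletter; the incident records and the five-minute detection target are constructed assumptions), the snippet turns raw incident timestamps into the kind of outcome metric described above: the share of incidents detected within the defined window, per quarter, with the quarter-over-quarter trend.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical, not from the newsletter):
# (incident id, time the event began, time the security team detected it).
SAMPLE_INCIDENTS = [
    ("INC-001", "2024-04-02T09:00", "2024-04-02T09:04"),
    ("INC-002", "2024-05-10T14:30", "2024-05-10T14:33"),
    ("INC-003", "2024-05-21T22:15", "2024-05-21T22:15"),
    ("INC-004", "2024-06-15T11:00", "2024-06-15T11:20"),
    ("INC-005", "2024-07-03T08:00", "2024-07-03T08:02"),
    ("INC-006", "2024-07-19T16:45", "2024-07-19T17:10"),
    ("INC-007", "2024-08-07T13:00", "2024-08-07T13:05"),
    ("INC-008", "2024-08-28T02:30", "2024-08-28T03:15"),
    ("INC-009", "2024-09-12T10:00", "2024-09-12T10:12"),
]

# Assumed baseline: an incident counts as "detected on time" within 5 minutes.
DETECTION_TARGET = timedelta(minutes=5)


def quarter_of(ts: datetime) -> str:
    """Label a timestamp with its calendar quarter, e.g. '2024-Q3'."""
    return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"


def detection_rate_by_quarter(incidents, target=DETECTION_TARGET):
    """Per quarter: raw count (the 'statistic') and the percentage detected
    within the target window (the 'metric'). Rejects impossible records."""
    buckets = {}
    for inc_id, started, detected in incidents:
        t0 = datetime.fromisoformat(started)
        t1 = datetime.fromisoformat(detected)
        if t1 < t0:
            raise ValueError(f"{inc_id}: detection time precedes start time")
        b = buckets.setdefault(quarter_of(t0), {"count": 0, "within_target": 0})
        b["count"] += 1
        if t1 - t0 <= target:
            b["within_target"] += 1
    for b in buckets.values():
        b["pct_within_target"] = round(100.0 * b["within_target"] / b["count"], 1)
    return dict(sorted(buckets.items()))


def trend(rates):
    """Quarter-over-quarter change in percentage points (positive = improving)."""
    quarters = list(rates)
    return {q2: rates[q2]["pct_within_target"] - rates[q1]["pct_within_target"]
            for q1, q2 in zip(quarters, quarters[1:])}


if __name__ == "__main__":
    rates = detection_rate_by_quarter(SAMPLE_INCIDENTS)
    for q, b in rates.items():
        print(q, b)          # Q3 has more incidents than Q2 but a worse metric
    print("trend:", trend(rates))
```

With this data the incident count rises from four to five while the detection metric falls from 75% to 40%, which is exactly the signal a bare count would hide.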
