The development of physical security can be traced back to the origin of human kind. One tends to think physical security is nothing more than deploying few security guards, installing some cameras and erecting a barbed wire fence. What is worse, in most companies physical security gets managed by administration or facility management. That further makes physical security seem less important.

Then again, with the emergence of information security, physical security got pushed further in the priority of management. But for experienced security campaigners, physical security comes frst. This is because if physical security is not taken care of, all other security controls will fail.

As a CSO, my biggest worry all the time is physical security and not so much information security.

Physical security controls are designed to manage the following types of risks: Risks to life and assets due to natural disasters, terrorist attacks, civil unrest, epidemics and similar threats; Risk of intrusions into campuses, buildings or work areas; Risk of damage, loss or misuse of assets; Risk of legal or regulatory non-compliance; and Governance risks for services provided by third parties and shared facilities owners.

There are around eight types of physical security controls to mitigate the above risks. These are controls to:

• Deter – visible physical security measures installed to induce individuals to seek other less secure targets
• Detect – physical security measures installed to detect unauthorised intrusion
• Delay – physical security measures installed to delay an intruder’s access to a physical asset and provide time for incident assessment and response
• Assess – the process of evaluating the legitimacy of an alarm and the procedural steps required to respond
• Communicate – communication systems utilised to send and receive alarm/ video signals and voice and data information. Also, includes the documented process to communicate detected intrusions
• Respond – the immediate measures taken to assess, interrupt, and/or apprehend an intruder
• Intelligence – measures designed to collect, process, analyse, evaluate and interpret information on potential threats
• Audit – the review and inspection of physical security measures to evaluate effectiveness

The cost of setting up a good security system can be much more than what business can afford in one fnancial year. It is important to prioritise the investment and work on a road map.  

Physical security works best when it is simple and not when we make it complicated. In fact complicated systems increase the level of risk.

Most of tragedies happen as some of these processes are not confgured properly or fail to function properly as they were not continuously tested or the systems and people haven’t gone through enough number of drills to ensure proper operations during such disasters.