The corporate security culture is something we absorb gradually through various encounters or interactions with an organization and its people. Specifically regarding the physical aspects of an organization's security culture, hundreds of installation security audits have taught me to open my eyes wide whenever I approach an organization's premises for the first time, starting well before I reach the visitor parking area, guard house, foyer or reception.
Some organizations' buildings are proudly lit up with the company name in neon. Some are simply so large that everyone for miles around knows exactly who they are and has a pretty good idea what they are doing. I used to work for an electricity generating company: most - but not all - of the power stations are landmarks, some would say blots on the landscape.
In contrast, some organizational premises are more discreet, perhaps hard to find without an address and maybe a glance at Google's satellite images (hmmm, now there's a vulnerability).
A few seem to have done their very best to disappear, with no signs, sometimes not even windows. As I write these words, I have in mind a particularly forbidding concrete building in a city commercial area that screams "Sensitive!". Paradoxically, it attempts to be so discreet relative to all the ordinary commercial buildings in the area that it stands out a mile. I'm intrigued, but it's not my business to find out who they are and what they do, nor to point them out, so I'm not going to say any more about them.
That advice quoted above from the NZ PSR is pertinent, especially the emphasis on security culture. In fact, if workers are sufficiently clued-up to be vigilant and responsive, then even a tailgater, a wandering maintenance engineer or a "lost" interviewee allegedly searching for the toilets is likely to catch someone's attention ... at some point. The duration of an intrusion might make a good security metric if it could be measured, although there are many complicating factors, so the data would be noisy. On top of that, the most successful intrusions will never be identified as such, let alone timed!
Those physical installation audits I mentioned are a more reliable and less risky way to generate useful metrics, provided the auditor has sufficient expertise and experience. It's one of many areas where the auditor's independence comes to the fore: a good, vigilant auditor will spot and point out issues that most workers either fail to notice at all, or simply ignore just as they and everyone else always have. Repeated exposure makes them blind to stuff, especially if the prevailing opinion is "It's nothing" or "Don't worry about it: it's not even your responsibility".
We'll be tackling those ignorant and dismissive attitudes head-on in June's NoticeBored module, as we always do. Compared to the cybersecurity topics, it's relatively easy to explain physical security issues, persuading workers to see stuff and react accordingly. Hopefully promoting vigilance, responsiveness and resilience on physical security will have benefits across the board in terms of the corporate security culture overall. It's a good start anyway.