Why IT Shouldn't Own Physical Security: A Risk-Based Perspective


Recently, Verkada—a major player in cloud-based surveillance and access control—asserted that IT departments should own physical security. While this claim might resonate with buyers of cloud-native technologies, it reflects a narrow understanding of what physical security truly entails. Verkada appears to conflate physical security with just two of its components: cloud-connected cameras and badge readers. That’s a fraction of the equation.


There’s growing momentum around this line of thinking, especially in large enterprises seeking efficiency through convergence. But handing over physical security to IT, while neat on an org chart, is fundamentally flawed. It misrepresents physical security as a technology stack, when in reality it is an operational discipline—one grounded in risk management, behavioral intelligence, emergency response, and architectural design.


Physical security is not about who manages the software—it's about who understands the threats, the operational risks, and the real-world consequences of a failed control. In this post, we’ll explore why ownership should stay with physical security professionals, how IT and security can work together without undermining one another, and what a truly converged governance model looks like.


Different Domains, Different Expertise


At first glance, it might seem logical to fold physical security under IT—after all, both deal with access control, threat detection, and risk mitigation. But that assumption breaks down quickly when you examine how fundamentally different these domains are. Each operates with its own methodologies, technical toolsets, regulatory expectations, and professional competencies. Treating them as interchangeable not only undermines effectiveness, it introduces new blind spots that increase organizational risk.


Information Security teams are deeply versed in protecting data through the lens of the CIA triad—Confidentiality, Integrity, and Availability. Their work revolves around digital systems: firewalls, endpoint protection, identity and access management (IAM), encryption, SIEM platforms, zero trust architectures, and continuous monitoring. Certifications like CISSP, CEH, and OSCP reflect deep technical and theoretical knowledge of cyber risks.


Physical Security professionals, in contrast, work in the tangible world—designing and managing protections for facilities, people, and physical assets. Their responsibilities range from site assessments and access control engineering to surveillance design, guard force coordination, and emergency response protocols. They use tools like CAD for space planning, VMS (Video Management Systems) for surveillance integration, and PSIM (Physical Security Information Management) platforms for real-time situational awareness. Their professional qualifications—such as the ASIS CPP (Certified Protection Professional) or PSP (Physical Security Professional)—emphasize operational planning, risk assessments, and security architecture based on threat context.


Consider the security requirements of a high-value area like a data center. A network security engineer may know how to protect the data once it’s on the servers, but securing the physical environment requires a very different skill set: zoning spaces by risk level, designing multi-factor access control paths (badge + PIN + biometrics), integrating video analytics, preventing piggybacking, ensuring UPS systems and emergency lighting meet code, and accounting for both human behavior and emergency egress scenarios.


In environments like pharmaceutical manufacturing, critical infrastructure, or sensitive research labs, these considerations are not secondary—they are primary. Risk assessments involve not just digital vulnerabilities, but blast radius modeling, insider threat planning, HVAC security (e.g., to prevent airborne contaminants), and fail-closed mechanisms on secure doors.


Merging IT and physical security under one department often results in prioritizing one domain’s risks over the other’s. The skills required to build a secure server architecture are not the same as those needed to plan secure building entry routes, construct defensible perimeters, or manage emergency evacuation logistics. Both areas are essential—but they demand separate disciplines and leadership to be executed correctly.


Risk Management Requires a Unified View—Not a Single Owner


Effective risk management isn’t about choosing which department gets to “own” security—it’s about ensuring the right expertise is applied to the right risks, and that collaboration is structured, deliberate, and sustained. The moment one function is given unilateral control over a multidimensional risk domain, critical elements are either deprioritized or misunderstood. This is especially true in environments where both physical and cyber threats must be managed concurrently.


While centralizing ownership under IT might simplify budget lines or reporting structures, it fractures situational awareness. The reality is that most meaningful risks today—whether insider threats, workplace violence, or business continuity failures—span both physical and digital dimensions. That’s why a unified governance model, not a centralized ownership model, is key.


In high-performing organizations, risk management is treated as a shared strategic function with strong cross-disciplinary collaboration. Physical security, IT, HR, compliance, legal, and facilities management each bring specific domain expertise that contributes to a complete risk picture. Risk decisions—like whether to elevate threat levels, initiate a lockdown, or revoke access—require input from multiple angles to ensure effective mitigation without unintended operational consequences.


For example, an employee under investigation for misconduct might still have active badge access and VPN credentials. If only the IT team is monitoring the digital realm, they may miss after-hours access attempts to sensitive areas. Conversely, if physical security isn’t looped into HR concerns, they may fail to adjust patrol patterns or restrict floor access. The result is a fragmented response that leaves open pathways for exploitation.


What’s needed is structured, joint risk oversight:


  • Integrated Risk Committees that meet regularly to assess emerging threats, prioritize mitigation strategies, and align resources. These groups must include senior representation from both physical and cyber domains, with authority to drive action.

  • Cross-Domain Risk Registers that document threats across vectors—physical, cyber, and human—with assigned owners, mitigation plans, and timelines.

  • Unified Incident Response Playbooks that detail how physical and digital teams coordinate in the event of a security breach, workplace incident, or disaster recovery event.


This governance model ensures that no single team acts in isolation. Instead of one department “owning” security, organizations should establish a collaborative framework that respects the unique strengths of each discipline and holds them collectively accountable to the enterprise.


Ultimately, security is not a function—it’s a capability. And capabilities thrive when expertise is distributed, not when it’s siloed under convenience-driven hierarchies.


Operational Blind Spots


When physical security is relegated to IT ownership, gaps begin to form—not because IT teams are negligent, but because they’re not trained to see certain risks. Their expertise is tuned to digital threat detection: anomaly scoring, patch management, DDoS mitigation, and log correlation. Meanwhile, physical security challenges are often subtle, analog, and situationally dynamic—requiring a completely different mindset and toolkit.


The most common blind spots stem from real-world human behavior and environmental factors. These include:


  • Tailgating and Piggybacking: One of the most pervasive threats in physical security, tailgating occurs when unauthorized individuals follow legitimate badgeholders through secure doors. IT-led teams may install badge readers and call it done—without considering anti-tailgating solutions like turnstiles, mantraps, or optical sensors. They also rarely account for training employees to recognize and interrupt such behavior.

  • Badge Mismanagement: IT teams may provision access via Active Directory integrations, but often fail to enforce least privilege principles in physical systems. Temporary badges remain active indefinitely. Contractors retain access months after departure. Visitors are given credentials without an expiration timestamp or proper tracking. This leads to uncontrolled exposure.

  • Unsecured High-Risk Zones: Without thorough physical risk assessments, IT-owned access systems may provide uniform controls across a facility, missing the need to tier access by threat level. For instance, a supply closet might have the same access requirements as a high-value prototype lab or executive suite. That’s not just inefficient—it’s dangerous.

  • Inadequate Response Planning: Many facilities have electronic access controls but lack trained response personnel, escalation protocols, or incident management workflows. Who responds when a forced door alarm goes off? What if a badged individual gains access during off-hours with no accompanying camera coverage or security presence? These questions often remain unanswered in IT-led environments.

  • No Physical Security Maintenance Lifecycle: Unlike endpoint protection or cloud infrastructure—which are regularly patched and audited—physical security components are often “set it and forget it.” Cameras go down for months. Door contacts corrode. Magnetic locks fail open. Without a preventive maintenance program and regular testing, the system gradually degrades—and no one notices until it’s too late.


These gaps can’t be closed through IT automation or policy updates alone. They require field operations, scenario walkthroughs, and staff training. Physical security must be treated as a living, breathing layer of the risk ecosystem—one that includes human behavior, environmental change, and adversarial testing.


Organizations must prioritize:


  • Regular physical security assessments (quarterly or bi-annually)

  • Employee training to identify and report anomalies

  • Badge audit programs with automatic expiration and periodic review

  • Manual testing of alarms, locks, sensors, and emergency systems

  • Integrated metrics that track physical security effectiveness (e.g., door propping incidents, response times, credential anomalies)
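The badge audit described above (time-bound credentials without an expiration, contractors who keep access after their engagement ends, badges that sit unused) can be expressed as a policy check over the access control system's credential export joined to an HR feed. The following is an added example, not code from the original post or from any vendor's product; the record layout, the 90-day dormancy threshold and the sample badges are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Badge:
    badge_id: str
    holder: str
    kind: str                      # "employee", "contractor", "temporary" or "visitor"
    active: bool
    issued_on: date
    expires_on: Optional[date]     # None means the badge never expires
    last_used_on: Optional[date]   # None means never swiped
    hr_end_date: Optional[date]    # from the HR feed; None while the engagement is current


DORMANT_DAYS = 90            # assumed policy: unused this long means the badge needs review
TODAY = date(2025, 6, 1)     # fixed "today" so the sample audit is reproducible

# Constructed sample records (hypothetical; not from the original post).
SAMPLE_BADGES = [
    Badge("B-1001", "Alice", "employee",   True,  date(2023, 1, 10), None,               date(2025, 5, 30), None),
    Badge("B-2001", "Bob",   "contractor", True,  date(2024, 9, 1),  date(2025, 12, 31), date(2025, 2, 1),  date(2025, 3, 15)),
    Badge("B-3001", "Carol", "temporary",  True,  date(2025, 5, 20), None,               date(2025, 5, 31), None),
    Badge("B-4001", "Dan",   "visitor",    True,  date(2025, 4, 1),  date(2025, 4, 1),   date(2025, 4, 1),  None),
    Badge("B-5001", "Eve",   "employee",   False, date(2022, 3, 3),  None,               date(2024, 1, 5),  date(2024, 1, 5)),
]


def audit_badges(badges: List[Badge], today: date) -> List[Tuple[str, str, str]]:
    """Return (badge_id, action, reason) for every active badge that violates the
    policy: time-bound badges must carry an expiration, access must not outlive its
    expiration or the HR end date, and long-unused badges must be reviewed."""
    findings = []
    for b in badges:
        if not b.active:
            continue   # already disabled; nothing to enforce
        if b.kind in ("temporary", "visitor") and b.expires_on is None:
            findings.append((b.badge_id, "review", "time-bound badge issued without an expiration"))
        if b.expires_on is not None and b.expires_on < today:
            findings.append((b.badge_id, "disable", "badge still active past its expiration"))
        if b.hr_end_date is not None and b.hr_end_date < today:
            findings.append((b.badge_id, "disable", "badge still active after HR end date"))
        last_activity = b.last_used_on or b.issued_on
        if (today - last_activity).days > DORMANT_DAYS:
            findings.append((b.badge_id, "review", f"no use in more than {DORMANT_DAYS} days"))
    return findings


def badges_to_disable(findings) -> List[str]:
    """Distinct badge ids whose findings call for immediate deactivation."""
    return sorted({bid for bid, action, _ in findings if action == "disable"})


if __name__ == "__main__":
    results = audit_badges(SAMPLE_BADGES, TODAY)
    for finding in results:
        print(*finding)
    print("disable:", badges_to_disable(results))
```

Run on a schedule (the post suggests quarterly or bi-annual assessments; the check itself is cheap enough to run nightly), the "disable" findings go straight to the access control administrator, while "review" findings become a periodic list for the badge holder's manager.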


When these practices are missing, vulnerabilities multiply—often silently. And when a real incident occurs, organizations realize too late that the controls they assumed were “working fine” haven’t been validated in months or years.


A Better Model: Integrated Governance


Rather than defaulting to consolidation under IT, organizations should shift their mindset toward integrated governance—an approach that unites physical and cyber security efforts under a shared strategic framework, without diluting domain expertise. This isn’t about drawing lines between departments; it’s about building connective tissue between them.


In a mature security posture, governance is not just reactive—it’s anticipatory. It aligns security with enterprise risk management (ERM) functions and ensures that decisions reflect the broader operational, regulatory, and threat landscape. This means involving all key stakeholders in planning, resourcing, and incident response.


Here’s what integrated governance looks like in practice:


Cross-Functional Security Governance Boards: These boards include executive sponsors from IT, physical security, HR, legal, compliance, and operations. Their mandate is to align security initiatives with business priorities, allocate budgets based on threat exposure, and maintain visibility across all domains. This group doesn’t micromanage controls—it steers strategy and ensures accountability.


Unified Risk Taxonomies: Cybersecurity teams often have their own risk language (e.g., data exfiltration, DDoS, APT), while physical security uses terms like hostile surveillance, workplace violence, or perimeter breach. Integrated governance creates a shared taxonomy so that the board, risk managers, and audit functions understand all risks on equal footing—measured by likelihood, impact, and residual exposure.


Integrated Threat Monitoring: Many organizations have a SOC (Security Operations Center) for IT threats, and a GSOC (Global Security Operations Center) for physical incidents. Governance integration means those centers don’t operate in silos. Physical access anomalies, camera alerts, and badge misuse should feed into the same situational awareness platforms as VPN anomalies, logins from odd geographies, or credential stuffing attacks. This allows for correlation, faster detection, and more accurate root cause analysis.


Joint Tabletop Exercises and Drills: A ransomware attack isn’t just an IT problem. It can halt badge systems, disable security cameras, or lock doors controlled by building automation systems. Likewise, a physical event—like a fire, protest, or break-in—can necessitate shutting down IT services or invoking data recovery procedures. Organizations with integrated governance routinely run joint exercises that include both physical and cyber playbooks, with communications templates, command structures, and after-action reviews.


Shared Performance Indicators and Reporting: Governance models must include clear KPIs that reflect performance across domains.


For example:


  • Mean Time to Detect and Respond (MTTD/MTTR) for both physical and digital intrusions

  • Compliance with access review and deprovisioning SLAs

  • Percentage of systems tested in the last quarter (alarms, backups, panic buttons, failover comms)

  • Volume and response time of cross-domain incidents (e.g., a badge used post-termination)
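The cross-domain correlation described under Integrated Threat Monitoring, the "badge used post-termination" KPI above, and the earlier scenario of an employee under investigation using after-hours access can all be written as a small rule set over badge, VPN and HR feeds. What follows is an added example, not code from the original post or from any SOC/GSOC product; the event layouts, the 60-minute window, the 07:00-19:00 business hours and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample feeds (hypothetical; not from the original post).
# Timestamps are in the site's local time so the business-hours check reads naturally.
BADGE_EVENTS = [
    # (timestamp, user, site, door, zone, result)
    ("2025-06-02T08:02:00", "alice", "HQ", "D-12", "controlled", "granted"),
    ("2025-06-02T22:40:00", "bob",   "HQ", "D-31", "restricted", "granted"),
    ("2025-06-03T09:15:00", "carol", "HQ", "D-12", "controlled", "granted"),
    ("2025-06-03T09:20:00", "dave",  "HQ", "D-12", "controlled", "granted"),
    ("2025-06-03T09:21:00", "erin",  "HQ", "D-31", "restricted", "denied"),
]
VPN_EVENTS = [
    # (timestamp, user, source country of the client IP)
    ("2025-06-02T08:30:00", "alice", "US"),
    ("2025-06-03T09:40:00", "dave",  "BR"),
]
HR_TERMINATIONS = {"carol": "2025-05-30T17:00:00"}   # last day, from the HR feed
SITE_COUNTRY = {"HQ": "US"}
WATCHLIST = {"bob"}                      # e.g. subject of an open HR investigation
BUSINESS_HOURS = (7, 19)                 # assumed: 07:00-19:00 local
TRAVEL_WINDOW = timedelta(minutes=60)    # assumed: on-site badge and foreign VPN this close is a conflict


def correlate(badge_events, vpn_events, terminations, watchlist):
    """Return (rule, user, timestamp) alerts that only appear when badge, VPN and HR
    data are examined together rather than in separate consoles."""
    term = {u: datetime.fromisoformat(t) for u, t in terminations.items()}
    vpns = [(datetime.fromisoformat(ts), u, c) for ts, u, c in vpn_events]
    alerts = []
    for ts_s, user, site, door, zone, result in badge_events:
        if result != "granted":
            continue   # denials matter too, but these rules are about successful entry
        ts = datetime.fromisoformat(ts_s)
        # Rule 1: the HR feed says this person has left, yet the badge still opens doors.
        if user in term and ts > term[user]:
            alerts.append(("badge-used-after-termination", user, ts_s))
        # Rule 2: a watchlisted person entering a restricted or secure zone after hours.
        after_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if user in watchlist and zone in ("restricted", "secure") and after_hours:
            alerts.append(("watchlist-after-hours-restricted-access", user, ts_s))
        # Rule 3: badged in at the site while a VPN session from another country is active.
        for vts, vuser, country in vpns:
            if vuser == user and country != SITE_COUNTRY[site] and abs(vts - ts) <= TRAVEL_WINDOW:
                alerts.append(("onsite-badge-vs-remote-vpn", user, ts_s))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, VPN_EVENTS, HR_TERMINATIONS, WATCHLIST):
        print(*alert)
```

None of the three alerts is visible from a single console: the VPN log alone shows a routine login, the badge log alone shows a routine swipe, and the HR feed alone shows a departure. Counting the alerts per rule over a reporting period gives the "volume of cross-domain incidents" KPI directly, and stamping each with the time it was reviewed gives MTTD/MTTR.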


The ultimate goal is to create a system where no risk falls between the cracks. Integrated governance brings everyone to the table, fosters collaboration, and ensures that expertise is applied where it matters—without erasing the distinct competencies each team brings to the equation.


This model doesn’t ask IT to be physical security experts, nor does it ask security officers to become system admins. It builds alignment, not substitution—so that every security function supports the organization as a cohesive risk management engine.


Physical Security Is an Operational Discipline—Not Just a Technology Stack


One of the biggest misconceptions in corporate security is that physical security is simply about devices: badge readers, surveillance cameras, door locks, or turnstiles. But in reality, it’s an end-to-end operational discipline. It involves strategy, planning, threat modeling, design, execution, and ongoing optimization—similar in rigor to enterprise IT, but focused on people, property, and physical processes.


When physical security is owned by teams without operational field experience, it often becomes a collection of underused gadgets—checked off during audits, but poorly integrated into actual risk scenarios. To manage physical security effectively, organizations must embrace it as a specialized function that requires domain knowledge, operational foresight, and continuous adaptation to the evolving threat landscape.


Key pillars of physical security as an operational discipline include:


Risk-Based Facility Zoning and Access Control Architecture


High-performing programs start with zoning—segmenting a facility into security tiers (e.g., public, controlled, restricted, and secure zones). Each zone has its own access policy, entry technology, monitoring level, and operational controls.


  • Public: Lobbies, cafeterias – often supervised but not restricted.

  • Controlled: General employee workspaces – badge access required.

  • Restricted: Server rooms, HR offices – dual authentication and logging.

  • Secure: Executive areas, R&D labs, vaults – biometric or escort-only protocols.


Access control isn’t just about badges—it involves designing workflows around risk. This includes anti-passback policies, time-restricted access, tailgate prevention technology, and integration with HR systems for real-time provisioning and revocation.


CPTED (Crime Prevention Through Environmental Design)


Effective physical security begins with architecture and layout. CPTED principles focus on using design to reduce opportunities for crime and improve incident detectability:


  • Natural Surveillance: Positioning doors, windows, and cameras for optimal visibility.

  • Territorial Reinforcement: Clear boundaries with signage, fencing, or landscape cues.

  • Access Control through Design: Narrowed entrances, layered access points, and barrier placement that influence human movement.

  • Maintenance and Order: Clean, well-kept spaces that communicate control and awareness.


These principles shape how people behave in a space—and can prevent threats before any technology is engaged.


Emergency Preparedness and Incident Response


Physical security professionals design and manage emergency operations plans (EOPs) that cover fire, natural disasters, workplace violence, medical emergencies, and utility failures.


This includes:


  • Role-Specific Emergency Protocols: Defined responsibilities for floor wardens, receptionists, executives, and contracted staff.

  • Building-Wide Notification Systems: Integrated voice and text alerts across zones and devices.

  • Mustering and Headcounts: Real-time accountability post-evacuation.

  • Lockdown/Lockout Procedures: Physical mechanisms and communication for controlling ingress and egress during crises.


These systems are drilled and tested—not just documented—and integrated into broader business continuity and disaster recovery plans.


Integrated Surveillance and Alarm Infrastructure


Cameras and intrusion detection systems are only effective when part of a centralized, actively monitored environment. A mature physical security operation:


  • Connects video analytics to access control systems to detect policy violations (e.g., badge swipe without door open).

  • Uses intelligent alerting to reduce noise and prioritize real threats.

  • Ties all events into a PSIM or GSOC dashboard for real-time decision-making and auditability.
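The "badge swipe without door open" policy violation named above, along with the door-propping incidents listed earlier as a physical security metric, is detected by pairing access-control grants with the door-contact events that should follow them. This is an added example, not code from the original post or from any PSIM/VMS product; the event layout, the 10-second entry window, the 30-second prop limit and the sample stream are assumptions, and request-to-exit events are deliberately left out of the sample, so here every open without a grant is flagged.

```python
from datetime import datetime, timedelta

# Constructed sample stream merged from an access control panel and door contact
# sensors (hypothetical; not from the original post).
EVENTS = [
    # (timestamp, door, event, detail)
    ("2025-06-02T08:00:00", "D-12", "access_granted", "alice"),
    ("2025-06-02T08:00:03", "D-12", "door_open", ""),
    ("2025-06-02T08:00:08", "D-12", "door_closed", ""),
    ("2025-06-02T08:05:00", "D-12", "access_granted", "bob"),   # never followed by door_open
    ("2025-06-02T08:30:00", "D-31", "door_open", ""),            # no grant precedes this
    ("2025-06-02T08:30:04", "D-31", "door_closed", ""),
    ("2025-06-02T09:00:00", "D-12", "access_granted", "carol"),
    ("2025-06-02T09:00:02", "D-12", "door_open", ""),
    ("2025-06-02T09:02:30", "D-12", "door_closed", ""),          # held open for 148 s
]
ENTRY_WINDOW = timedelta(seconds=10)   # assumed: a grant must be followed by door_open within this
PROP_LIMIT = timedelta(seconds=30)     # assumed: open longer than this counts as propped or held


def analyze_door_events(events):
    """Pair each access grant with the door contact that should follow it and return
    (rule, door, detail, timestamp) alerts for grants without entry, opens without a
    grant, and doors held open past the limit."""
    stream = sorted((datetime.fromisoformat(ts), door, ev, detail) for ts, door, ev, detail in events)
    alerts = []
    pending = {}      # door -> (grant time, user) still waiting for a door_open
    open_since = {}   # door -> time the contact reported the door open

    def flag_unmatched(door):
        gts, user = pending.pop(door)
        alerts.append(("swipe-without-entry", door, user, gts.isoformat()))

    for ts, door, ev, detail in stream:
        if ev == "access_granted":
            if door in pending:
                flag_unmatched(door)       # an earlier grant on this door never led to entry
            pending[door] = (ts, detail)
        elif ev == "door_open":
            if door in pending and ts - pending[door][0] <= ENTRY_WINDOW:
                pending.pop(door)          # normal entry: grant, then open within the window
            else:
                if door in pending:
                    flag_unmatched(door)   # the grant is stale; this open is not its entry
                alerts.append(("door-opened-without-grant", door, "", ts.isoformat()))
            open_since[door] = ts
        elif ev == "door_closed" and door in open_since:
            held = ts - open_since.pop(door)
            if held > PROP_LIMIT:
                alerts.append(("door-held-open", door, f"{int(held.total_seconds())}s", ts.isoformat()))
    for door in list(pending):
        flag_unmatched(door)               # grants still unmatched when the stream ends
    return alerts


if __name__ == "__main__":
    for alert in analyze_door_events(EVENTS):
        print(*alert)
```

In a real deployment the "door-opened-without-grant" rule would first subtract request-to-exit and fire-release events, and each alert would carry the nearest camera so the GSOC operator can verify it from footage rather than from the event alone; tallying "door-held-open" alerts per door per month gives the door-propping metric.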


Critical areas are monitored by humans and machines—ensuring no dependency on passive logging or unreviewed footage.


Operational Testing and Continuous Assessment


Just like vulnerability scans and pen tests in IT, physical security must be actively evaluated through:


  • Physical Penetration Testing: Simulated break-ins, tailgating attempts, social engineering campaigns.

  • Routine Maintenance Checks: Validation of locks, sensors, surveillance coverage, alarm testing.

  • Audit Trail Reviews: Who accessed what, when, and why—cross-checked with job roles and alerts.

  • Behavioral Assessments: Are staff following protocols? Are security officers alert and responsive?


Metrics matter—false alarms, response times, unauthorized access attempts, and failed equipment must be tracked and fed into quarterly reviews.


The bottom line: physical security is not just infrastructure—it’s a live operational program that interacts with the organization every day. Treating it like a technology investment misses the point. It demands professional oversight, strategic planning, and continuous hands-on execution.


Closing Thoughts


Security convergence is essential—but convergence doesn’t mean consolidation. It means integrating capabilities while preserving the depth and specialization of each discipline. When organizations assign ownership of physical security to IT, they often do so under the false assumption that efficiency and control are the same thing. But real security is not about control—it’s about clarity, coordination, and competence.


Physical security is an operationally complex domain. It intersects with life safety, workplace culture, infrastructure integrity, compliance, and executive protection. It is not an IT function, and treating it as one can result in fragmented oversight, missed threats, and reduced responsiveness during critical events.


Likewise, IT security operates in a rapidly changing digital threat environment that requires continuous technical education, automation, and incident response precision. Expecting physical security teams to manage digital controls would be just as shortsighted.

The most resilient organizations understand this balance. They create cross-functional security teams, ensure risk ownership is distributed by expertise—not convenience—and align both digital and physical controls to the organization's operational risk profile.


Converged security doesn’t mean blurring roles. It means aligning goals, systems, and responses without sacrificing the specialized knowledge each domain brings. Anything less increases risk—exactly the opposite of what security is supposed to achieve.

© 2025 by Red Cell Security, LLC.
