
Physical Security: The Overlooked Foundation of Modern Cyber Resilience

by Tim Rawlins

15 April 2026

The relationship between physical security and cyber security has never been more critical. Yet, across many organisations, these disciplines remain structurally and culturally separated.

The result is predictable: threat actors exploit the gaps.

I joined a recent webinar and live conference discussion with Verkada, a leading cloud-managed physical security business. In a session titled “The Role of Physical Security in Cyber Defence”, I examined the convergence of physical and cyber security and explained why leaders must now treat physical security as a core digital risk, not just a peripheral concern handled by the facilities or estates team.

A simple truth sits at the heart of this challenge: attackers do not respect organisational boundaries. They look for weaknesses between teams, processes, and technologies. Those physical weaknesses often provide the most direct route into digital systems. True resilience, therefore, depends on integrated controls across the physical, cyber, and human domains.

Governance, not technology, defines resilience

Many organisations still assume that strong firewalls, encryption, and monitoring tools are sufficient to protect critical assets. In practice, vulnerabilities usually arise not because of weak technology but because of fragmented governance. Facilities teams deploy physical controls, IT departments manage digital systems, security teams set policy, and risk teams monitor frameworks, each working professionally but not always cohesively.

In my experience, it is within these governance gaps that most failures occur. Leading organisations that we are working with address this by adopting converged governance models, ensuring that physical, cyber, and human risks sit within a single coherent framework. This approach is now essential for a well-run organisation. Without it, directors cannot meet their accountability obligations or demonstrate the level of operational resilience that regulators increasingly expect.

Design and commissioning: The hidden weaknesses

One of the most common failings we see arises during the design and commissioning of new buildings, physical systems, and operational technology. Physical systems are frequently delivered in a functional state but not a secure one. In several assessments we have undertaken, access control, CCTV and building management systems were commissioned without appropriate security hardening and were sometimes connected directly to corporate networks with default credentials and open remote access.

Nothing about this was unusual from the supplier's perspective; yet it created a direct and unnecessary vulnerability. Secure-by-design principles must be applied from the outset, long before a system goes live. The CSO, CISO and operational security teams need to be involved early, not presented with a completed system days before operational launch and asked to approve it. This shift in process is essential if organisations are to close those longstanding gaps between physical infrastructure and digital assurance.

The insider threat

While external cyber actors capture headlines, significant risk still originates from insiders. Malicious, coerced or simply careless, insiders possess legitimate access and situational familiarity that external attackers lack. Modern threat actors increasingly recruit or manipulate individuals within organisations to facilitate access to systems, buildings or data. We know that criminal gangs have placed low-paid and contract staff into organisations to deliver that insider advantage, and have tried to recruit even high-profile journalists to gain access to what would have been an attractive target.

This reality reinforces the need for robust identity, access, and personnel security, with clear ownership and monitoring, as well as leadership engagement in culture, behavioural insight, and workforce assurance to manage human risks. Your organisation's recruitment process, vetting, and ongoing cultural and behavioural insights are integral to your cyber resilience, not peripheral to it.

Hybrid and cloud environments increase complexity

The shift towards hybrid and cloud-based environments is transforming how physical security systems operate. Cloud services powered by effective AI and analytics can enhance scale and responsiveness, but they also introduce a new attack surface that must be carefully governed. Hybrid models offer significant resilience advantages, particularly when connectivity is disrupted, but only if identity management, segmentation, and system architecture are properly designed, tested, and implemented.

We often work with organisations on the assumption that outages, whether accidental or malicious, will occur. Our exercises stress-test whether the organisation can survive and thrive in the event of a breach. Maintaining local capability while leveraging cloud-based intelligence is increasingly becoming the model of choice for organisations seeking both flexibility and assurance. Of course, it can pose sovereign challenges when examining the hosting of that cloud infrastructure, but with the right guardrails in place, many of the challenges can be overcome.

The board's role: Demand demonstrable integration

Boards now face increasing scrutiny over the adequacy of their organisation's security and resilience. Regulators are placing greater emphasis on operational resilience, continuity, and the integration of cyber-physical controls. For directors, the question is no longer whether investments in physical security are justified, but how physical controls contribute to overall risk reduction and business continuity, and how they can be evidenced as doing so.


“Decisions the board make must be framed in terms of regulatory expectation, operational impact, and reputational protection. The consequences of a physical compromise leading to a digital intrusion can be significant, financially, operationally, and personally, given the strengthening of accountability from regulations like NIS2 across multiple jurisdictions.”

Gerry Gallivan, Enterprise Account Executive, Verkada

The emerging threat landscape: Beyond financially motivated crime

An area attracting growing attention is ‘grey zone’ activity: low-level physical disruption driven by geopolitical state actors but carried out through criminal or proxy groups. This activity sits below the threshold of armed conflict but is designed to impose both operational and psychological impact for political ends.

Warehouses, logistics hubs, and critical infrastructure have all been targeted in recent incidents across Europe. This blending of motives demands refreshed approaches to threat monitoring and preparedness. Organisations need to consider geopolitical intent, supply chain fragility and cross-border vulnerabilities when assessing physical security.

Exercises reveal the truth

No control, policy or technology can substitute for realistic exercises. Organisations that carry out regular, scenario-based rehearsals, including physical tests (especially out of hours) approached with an attacker's mindset, identify issues that audits miss. In my experience, real resilience is measured by the speed and coherence of responses under pressure, not by a system's performance on paper or the complexity of its playbooks.

The most resilient organisations practice continuously, test assumptions rigorously and ensure that both physical and digital responders have the information, authority and training they need to act decisively.

Conclusion

Cyber resilience cannot be achieved solely through digital controls. Physical security, human behaviour, technology integration, and operational governance must now be treated as a single system.

Organisations that fail to adapt will continue to see attackers exploiting structural weaknesses that should have been addressed years ago. Those that embrace convergence, secure-by-design principles and realistic, threat-intelligence-informed exercising will be best placed to withstand disruption, protect their people, and safeguard their operations.

If you would like to explore any of these themes further or discuss how organisations can structure an integrated resilience model, I would be pleased to continue the conversation.

Tim Rawlins

Senior Advisor, NCC Group

Tim is a Director and Senior Advisor at NCC Group, with a long career in security, risk and resilience positions across the public and private sectors. With experience as an Operations Director in the private sector and as Chief Security Officer (CSO) for a global bank, he has twice served as NCC Group’s own CSO.

Tim currently leads on crisis management training for executives, regularly running Gold Team exercises for clients, and then supports organisations facing real incidents. With a focus on strategy, stakeholder management and communications, Tim also works closely with our Digital Forensics and Incident Response (DFIR) team during major incidents to ensure that our clients are able to survive and thrive.

He frequently contributes to our public affairs and public relations activities as a speaker, and briefs analysts, journalists, and senior officials to support our wider activities.
