The gap between security on paper and security in practice

A site that performs well during an annual security review and a site that would withstand a determined, reconnaissance-led intrusion are not necessarily the same thing. In many organisations, there is a significant gap between the two. 

Compliance frameworks ask whether controls exist and operate as designed. An attacker is asking something else entirely: where does this environment become vulnerable under realistic conditions? 

Those are very different questions and they tend to produce very different answers. 

How a real targeting cycle works 

A determined attacker won’t approach a site without preparation. 

Long before any attempt to gain physical access, there is a period of reconnaissance where they spend time to understand how the environment operates, how people behave and where controls are likely to be weakest in practice. Much of that information is publicly available. 

Site imagery, job postings, contractor relationships, social media activity, planning documents and supplier information can all help build a picture of how a site functions day to day. Individually, most of this appears harmless. Aggregated, it can reveal access routes, operational routines, key personnel movements, delivery patterns and where challenge culture is likely to be inconsistent. 

The underlying approach is not new, but what has changed is the speed at which it can now be conducted. Information that previously required weeks of manual collection can now be aggregated and analysed in hours. Publicly available data, combined with accessible tooling, makes it far easier to build a working understanding of a site before anyone physically approaches it. 

From there, access tends to develop incrementally. A contractor relationship may provide familiarity with the environment. A legitimate site visit may provide an opportunity to observe access routines or response behaviour. An unchallenged tailgating opportunity may remove the need for force entirely. Taken in isolation, none of these steps looks particularly significant. Combined, they can create a credible pathway to sensitive areas or critical assets. This is where many conventional reviews can fall short: they evaluate whether controls exist and function as intended, not how those controls hold up when someone is actively attempting to work around them, and that difference matters.

Where the gap sits 

In most environments, the issue is not a lack of security controls. It is that the controls in place are often designed around a different type of threat to the one the organisation is most likely to face. 

Many sites are designed to deal with opportunistic intrusion, theft or casual trespass. That does not necessarily mean the same controls will hold up as well against someone who has spent time understanding the site, its routines and how people work within it. 

Surveillance coverage may meet design requirements while still leaving gaps in how activity is identified, interpreted or responded to operationally. Even technically robust access control can become weakened over time by routine behaviours, contractor movement, familiar workarounds or inconsistent challenge culture. 

None of this is unusual. Physical security must coexist with operational reality and over time, most environments develop habits, routines and accepted behaviours that sit slightly outside the original design intent. 

These are also not necessarily failures in design. In many cases, they reflect the way security is typically developed and assessed, around compliance requirements, governance and practical constraints, rather than how someone would approach the environment if they were deliberately trying to work around the controls. 

Frameworks are useful for establishing consistency and baseline assurance. What they are less effective at assessing is how controls perform during periods of pressure, disruption or against someone actively looking for weaknesses. 

Familiarity also plays a part. 

Teams working within the same environment every day naturally stop noticing certain things over time. Access routes, day-to-day activity, blind spots and operational dependencies become part of the background. Things that stand out immediately to someone seeing the site for the first time often become normalised internally.

That is a common finding in threat-led physical security reviews and something that typical audit activity does not always bring into focus.

Looking at the environment differently 

The value of approaching physical security from an attacker-led perspective is not that it uncovers something nobody else has noticed. It is that it starts from a different question: 

Given who would realistically target this organisation, with what intent and what capability, how does the existing control set perform? 

That change in perspective usually gives a much clearer picture of where controls are effective, where they create reassurance without materially improving resilience and where relatively straightforward changes could significantly improve defensive posture. 

Operational routine, contractor access, familiarity and day-to-day pressure can gradually erode the effectiveness of otherwise well-designed controls. Those issues are rarely identified through conventional audit because the audit is measuring whether the control exists, not whether it continues to function effectively under real world conditions. 

Done properly, the outcome should be practical. Not a long list of theoretical vulnerabilities or generic recommendations, but a clearer understanding of what matters most and where intervention is likely to make a difference. 

Security investment decisions rarely happen in isolation. Budgets are finite, operational priorities compete for attention and the case for change has to stand up commercially as well as operationally. 

A well-executed assessment does not simply identify weaknesses. It helps organisations avoid misdirected spend, challenge assumptions and focus investment where it will materially improve resilience. 

Questions worth asking 

  • When your site was last reviewed, was it assessed against how a motivated actor would realistically approach it or against a framework checklist? 
  • Are the threats your controls were originally designed to address still the threats most relevant to your operating environment today? 
  • How much of your current security posture depends on procedures being followed consistently during busy periods, contractor activity or operational disruption? 
  • If a critical asset were deliberately targeted rather than opportunistically encountered, how confident are you that the existing control set would hold up in practice?
  • What could a capable outsider establish about your people, operations and dependencies using only publicly available information? 

It’s also worth noting that there are no universal answers to these questions. Every organisation, site and threat profile is different, but the process of working through them tends to expose assumptions that routine assurance activity consistently misses.

Most serious incidents are not the result of a single catastrophic failure. They emerge from small, connected weaknesses that appear manageable in isolation but create genuine opportunity when viewed together by someone actively looking for them. 

A control that satisfies a framework requirement and a control that will hold up under pressure are not always the same thing.