The point here is that security personnel need to conduct risk assessments regularly, showing up unannounced and finding what we find: a lot of violations of their security procedures, or practices that are contrary to effective access control.
Security and access control need to be aligned with the organization’s business strategy. For example, any public entity must have public access to its facility, whereas a top-secret skunk works operation must carefully scrutinize every person’s entry through several layers of security.