In the era of entire workforces going remote and a wide variety of tasks being moved online, it seems fair to ask: what else can be transitioned to virtual due to COVID-19? Some activities — think finance, general counsel and human resources — are inherently better adapted than others. But in the corporate security space, where site surveys involve boots on the ground, arguments for online adaptation that work elsewhere tend to fall short. Worse, they expose an organization to unnecessary risk and constitute ineffective security risk management.
It is easy enough to see why physical security surveys are on the chopping block. Sending in-house or contracted personnel around the world, often to higher threat locations amidst evolving travel restrictions, is itself a logistical challenge. It is also an expense. A Bloomberg survey of 45 large global companies from late 2021 found that 84% are planning on spending less on travel post-pandemic. Even U.S. Customs and Border Protection started implementing virtual validations for its Customs-Trade Partnership Against Terrorism (CTPAT) Program during the pandemic, and the agency has indicated these may continue into the future.
Drawing from experience with large Fortune 500 companies conducting dozens of in-person and virtual assessments, there are several reasons why this shift presents dangerous security risks to an organization.
First, virtualization means relying on photographs, cellphone video and camera feeds to understand security operations from afar. In office complexes, manufacturing environments or key supply chain nodes, this often means inherent gaps in visibility for security practitioners. Assessments look at people, processes and technology measures across multiple high-rise floors, acres of factory space or miles of fence line. Not being able to observe these in-person means a survey is categorically incomplete.
Oversights on the ground
Second, virtualizing security surveys means relying on personnel based on the ground. Local security resources often have spent years working at a single site, bringing both benefits and drawbacks. While they may fully understand the security operations picture and know what is supposed to happen, they are often too close to the issues, missing things that a fresh pair of eyes can illuminate. They also tend to rely on personal, relationship-based knowledge over repeatable processes committed to writing.
Reliance on unconfirmed intelligence
Lastly, leveraging local resources in full means relying on these individuals to provide the primary inputs to external audits of their own processes. It’s widely acknowledged in enterprise risk management that no one enjoys being audited, as it can lead to time consuming mitigation measures down the line. But former President Ronald Reagan’s mantra, “Trust, but verify,” reigns supreme here. Otherwise, an organization runs the risk that survey findings are skewed and sometimes outright misleading. You can only accept, mitigate or transfer the risks that you know.
Physical security surveys serve as eyes and ears, proactively ensuring that an organization’s people and assets are sufficiently protected before things go wrong. For this reason, companies should also consider re-categorizing security surveys as essential travel so they fall in line with the lexicon used by many government authorities like the Centers for Disease Control (CDC) and the Department of State.
Of course, there are exceptions to these rules. Travel restrictions and quarantine periods continue to evolve by the day, making some locations inaccessible or unadvisable. The CDC’s list of travel recommendations by destination and the Blavatnik School of Government at the University of Oxford’s Stringency Index are two ways to track the evolving responses of governments around the world. But these cases should be managed as they arise with exceptions granted sparingly, as there are ways to mitigate many of these risks. Given the current state of the pandemic, sending only vaccinated personnel, following CDC guidelines and implementing basic precautions like masking while onsite should fall within the risk tolerance of most organizations in 2022.Now two years in, many security programs in the field have drifted, absent consistent oversight from security teams and ongoing assessment against security standards. Amidst these outlined challenges and cost-cutting measures, organizations should protect recurring onsite physical security surveys to ensure critical vulnerabilities are identified and countermeasures prioritized based on overall risk to the organization.