Physical security · The built environment

Where does security truly exist within an organisation?

Security is often viewed as a function, a department, or a specialist discipline. But what if it is something more?

Security is a thread, not just a discipline.

Organisations are strengthened not by isolated controls, but by the connections between the disciplines that shape them. Like the strands of a web, every decision influences the whole. When security is woven through those disciplines, it becomes part of how an organisation thinks, decides and succeeds.

This website explores what happens when organisations stop treating security as a function and start weaving it through every discipline. If these ideas resonate, then welcome to the conversation.

A point of view

Better decisions begin with better ways of seeing.

Security exists wherever organisational decisions are made. It runs through strategy, governance, operations, procurement, facilities, resilience and countless everyday choices. It influences them all, yet belongs exclusively to none of them.

Most of the writing shared here sits one layer beneath hardware, standards and compliance. It explores the thinking behind security: how decisions are made, the assumptions that shape them, and whether those decisions remain sound when tested over time.

Because security is rarely won or lost at the moment of an incident. More often, it is shaped long before, by the quality of the decisions that came before it.

Featured writing

The hidden fifth D

Deter, detect, delay, deny. Four ingredients, no recipe. The argument that decision is the fifth D, the one that binds the other four into a strategy.

Intelligence isn't just a rear-view mirror telling us what has already happened, it's a forward-looking guide to what should happen next.
Take something with you
You can't count the attacks that never happened. Success often looks like nothing at all. But failure is visible, costly, and judged in hindsight.
From Beyond the Checkbox
Where the writing comes from

The executive years

I spent years as a security executive across Africa, one of the hardest schools in the profession. There were decisions made less than 60 kilometres from a war zone, kidnappings, internal fraud, civil unrest, and the challenge of rebuilding programmes from whatever could be saved after failure. Those experiences shaped my judgement, but they are not what I value most.

I value the opportunity to have built high-performing teams, developed future leaders, worked in organisations recognised for their culture, and solved problems for which there were no established answers. Looking back, those years taught me that security is ultimately about people. Technology changes, threats evolve, but good judgement, trust and leadership endure.

The consulting years

Consulting broadened my perspective in ways I had not anticipated. Today my work spans giga projects in the Middle East, major developments in England, and clients across Europe and North America. The projects are remarkable, but it has been the clients and the people I work alongside who have had the greatest influence on my thinking.

As a security executive, experience was often enough to guide difficult decisions. Consulting demanded something more. Experience still matters, but it must be supported by evidence, aligned with recognised standards and tested against the thinking of other experienced practitioners. Working alongside colleagues who help shape global practice has challenged my assumptions as much as it has confirmed them. They continue to sharpen my technical understanding, strengthen the way I justify my recommendations, and remind me that expertise is never finished.

The projects themselves are confidential, so I rarely write about them directly. Instead, I write about the principles that emerge across projects, organisations and countries. They are the ideas that continue to shape my thinking and the reason this website exists.

The person behind the thinking

Practitioner first, strategist second. The long version is on the about page.

Writing

Lenses, not lectures.

Each piece here tries to leave you with a different way of seeing a familiar problem, not just another answer. The current series looks at how decisions in physical security are actually made.

The decision-making series
About

Who am I?

I wrote that question in a journal in 2003. I still cannot fully answer it.

Perhaps that is because we spend our lives becoming. You can leave home, spend decades crossing continents, and return bearing the same name, yet be an entirely different person.

Adriaan Bosch

I have travelled to 72 countries and worked across Africa, Europe, North America and Asia. Along the way I have been a student, a farmer, a soldier, a storyteller, a photographer, a guard, a guide, a loner and a father. I have known the despair of war and the privilege of protecting endangered wildlife.

Yet none of those things is who I am.

The road taught me something simpler: each of us is utterly unique, yet we hope, fear and dream in much the same way. That understanding has become the foundation of both my life and my work.

I try to leave the world a little better than I received it.

The work

There is rarely a day I do not learn something new.

I am fortunate to work in an industry that allows me to live my passions. It challenges me with some of the world’s most complex projects and takes me to places I never imagined I would see.

What I learn, I share. I have no intention of taking it to my grave. That is why this site exists.

I am equally fortunate as a leader. I have the privilege of helping young graduates grow, working alongside exceptional people, and continuing to learn from mentors who have shaped my own journey.

The record

I am a physical security strategist in the built environment. I spent years as a security executive across Africa and now advise on some of the world’s most ambitious giga projects.

IFSEC recognised me as one of the world’s most influential security executives. The full record lives on LinkedIn. This page is the person.

Everything I have experienced has led me to one conviction.

The security industry does not have a technology problem. It has a decision-making problem.

That is what I write about.

The operating principle

Security is a thread, not simply a discipline. It does not exist as a department that stands apart from the organisation. It runs through governance, strategy, operations, procurement and facilities because it is inseparable from the decisions people make and the way they behave. It belongs to all of them, even though it owns none of them.

Security owns its advice: the analysis, the design and the recommendations that follow. It never owns the risk.

The risk owner decides what is acceptable, weighs the cost and accepts what remains. Removing a security requirement is not a quiet cost saving. It is a conscious decision to accept additional risk, and it should be treated as such.

Contact

If something here made you pause, I'd like to hear about it.

For conversations about security, decisions, or the writing.

Prefer another route? Message me on LinkedIn or browse my security links.

← Back to writing

Heuristics in Strategic Security Decisions: The Problem Isn't Starting There, It's Stopping There

Part three of the decision-making series · First published May 2025

In security strategy, we all start from what we know. A leader with a background in manned guarding is likely to lean toward personnel-based solutions. Someone from a technical systems background might default to surveillance and intruder detection systems. These approaches aren't wrong, in fact, they often reflect real-world experience and delivery confidence. The problem isn't starting there. It's stopping there.

I often find, working with a wide variety of clients and diverse projects, that there is no single approach that is universally applicable. Although many fall into the trap of duplicating a process that has worked for them in the past, context always matters. What worked in one environment may fail in another. This is especially true in physical security, where each location, threat profile, and stakeholder landscape brings its own complexities. Strategic decisions made by default, rather than by design, often result in solutions that are well-executed but misaligned.

As consultants or in-house strategists, we are often brought in to close a gap the stakeholders know exists but can't always define. Working in a consultancy role, the challenge is that clients will often try to shape our contribution around what they already understand. In doing so, they risk reconstructing the same problem, just with new packaging. Our job isn't just to deliver a solution; it's to help reframe the problem. That's why building mutual awareness into the process is so critical.

To approach this problem, start with the following steps:

  • Name the dynamic early: "Here's what I bring. Here's what I might miss."
  • Use structured inquiry: stakeholder mapping, threat framing, and non-technical scenario walkthroughs.
  • Encourage the client to reflect on their own defaults, and be open about your own.

The solution isn't to abandon heuristics, it's to formalise them, challenge them, and situate them in context. Strategic thinking starts with self-awareness: knowing your default approach, and then asking if that's what the problem really needs. It means creating the space to test ideas beyond habit and anchoring decisions in relevance, not routine.

To formalise and elevate strategic thinking, security leaders should incorporate a decision framework that includes heuristic awareness checkpoints. These checkpoints help ensure that decisions are driven by fit-for-purpose logic, not just familiarity. Here's how that can be structured:

Problem framing

  • What is the core challenge we are solving?
  • Are we addressing a symptom or the root cause of a broader issue?
  • Is this a tactical problem or a strategic one?

Contextual analysis

  • What makes this environment, threat, or population unique?
  • How do variables like life safety, business continuity, and public perception influence the stakes?
  • What constraints (legal, spatial, social) shape the feasible options?

Option diversification

  • What solutions exist outside my personal or organisational default toolbox?
  • Who from other disciplines (technical, behavioural, architectural, environmental) should inform the strategy?
  • Are we considering layered, integrated approaches rather than single-point fixes?

Bias audit

  • Why am I drawn to this solution? Is it because it worked before, or because it fits this context?
  • What alternatives did I dismiss too early, and why?
  • Have we challenged our initial assumptions through inquiry or feedback?

Decision rationale

  • Can I clearly articulate why this option is the right fit for this specific challenge?
  • Can others evaluate, understand, and defend this decision under scrutiny?
  • Are we documenting our rationale to support institutional learning?

Lastly, it's vital to recognise that no single consultant or strategist can embody every skill, perspective, or lived experience. The goal is not to create a "super consultant" but to build strategic teams with diverse skill sets, viewpoints, and even neurodiverse cognitive approaches. Diversity in thinking helps mitigate blind spots, challenge echo chambers, and introduce alternative problem-solving models that wouldn't arise from one mind alone.

The most resilient strategies are rarely the product of a single genius, they emerge from well-framed decisions made by collective intelligence that respects complexity, interrogates assumptions, and balances intuition with structure.

In practice this is what it might look like:

  • Framing problems in capability-neutral terms ("We need awareness of X" instead of "We need CCTV on X").
  • Asking, "What would this look like if we couldn't use our usual approach?"
  • Bringing in parallel disciplines to pressure-test your logic.

Heuristics are not the enemy. In fact, they often contain the seeds of good decisions. But without reflection, they can just as easily become shortcuts to stagnation. Strategic leadership in security doesn't require knowing every answer. It requires having a process that keeps us from stopping too soon, and helping others do the same.

← Back to writing

Beyond the Checkbox: Strategic Thinking in Compliance-Driven Security Decisions

Part four of the decision-making series · First published July 2025

Compliance is often seen as black and white, but in practice, it's anything but.

Compliance-driven decision-making is often misunderstood as being simple or binary, "comply or don't." In reality, compliance is layered, jurisdictional, and deeply context-sensitive. In physical security, where decisions must stand up not only to operational tests but also board-level scrutiny or legal review, relying purely on checklists or minimum standards is rarely sufficient.

From government mandates and national security regulations, to sector-specific practices, and even internal corporate protocols, compliance influences every layer of security strategy. But where do you start? What do you need to comply with? And more importantly, how do you ensure your decisions are justifiable, transparent, and strategically sound?

This article shares insights from working across complex physical security environments to explore a more strategic view of compliance. Rather than seeing it as a constraint, we explore how compliance can function as a foundation for clearer, more defensible decision-making, when it's framed correctly.

1. Understanding the compliance landscape

There's no single source of truth when it comes to compliance in security. You're usually navigating a mix of laws, internal policies, and sector guidance, all with a different intent and often pulling in different directions. To make good decisions, it's critical to understand these layers and how they interact. Here are the big categories you're likely to encounter:

Legal or regulatory obligations. These come from national authorities or local jurisdictions and must be met for a facility to operate legally. They may include technical specifications, procedural requirements, or approvals from relevant ministries or government bodies. These are non-negotiable, and failure to comply can carry legal or financial consequences.

Industry-recognised standards. These are often developed by professional bodies or international organisations and define good practice within specific sectors. While not always legally binding, they are widely accepted as the benchmark for safe and effective design.

Internal organisational standards. These reflect a company's own policies and are sometimes more demanding than external requirements. They may include global security frameworks, internal performance thresholds, or design expectations shaped by corporate values such as sustainability, resilience, or stakeholder accountability.

Voluntary best-practice frameworks. These are often maintained by independent third parties and offer certifications, accreditations, or design principles. While optional, they can bring reputational benefits, support insurance or investor requirements, and serve as useful tools when navigating complex or contested design environments.

Understanding compliance, then, is not about simply checking off boxes. It's about recognising that different standards apply in different ways, and the real challenge is knowing how to balance, prioritise, and defend your choices within this layered environment. The point here isn't to memorise every standard. It's to recognise that compliance sits within a system, and that system needs to be navigated, not blindly implemented.

2. A strategic approach to compliance

Being compliant doesn't mean you're secure.

In my experience, one of the biggest challenges in physical security consulting is assisting decision-makers in understanding that it's not just about being compliant, but understanding how compliance supports the organisation's goals. When approached strategically, compliance becomes a tool to clarify priorities, protect resources, and demonstrate accountability.

This is especially true in physical security, where compliance does not automatically equate to effective protection. For example, a standard focused on delay resistance may pass a technical test, but that same barrier may be ineffective against an adversary using coercion or social engineering as a tactic. Compliance alone won't create a holistic solution. You still need to understand your threat and apply the correct mix of systems, processes and procedures that mitigate it.

Strategic compliance also means recognising that misalignment has consequences:

  • Overemphasising technical compliance can undermine public usability or safety. (There is always a tradeoff.)
  • Ignoring local mandates in favour of corporate preferences can result in legal exposure.
  • Blindly following outdated internal policies can fail to address new risks altogether.

When facing a compliance requirement, whether internal or external, it's not enough to ask "Are we compliant?" The real question is: "Does compliance support our objective, and is it sufficient?"

To move from checkbox thinking to strategic clarity, consider these questions as part of a layered framework:

1. Clarify the requirement. Is this requirement mandatory (legal, regulatory, or internal)? What is its core intent, and does it match our actual risk context? Does it apply fully to this site, asset, or operation, or only in part?

2. Assess coverage and gaps. What risks or operational factors are not addressed by this requirement? Are there known threat types or business sensitivities it overlooks? Does it conflict with any other obligations (e.g., life safety, public access)?

3. Select supporting frameworks (if needed). Is there a voluntary standard that meaningfully fills those gaps? Why are we choosing this specific framework, reputation, technical merit, stakeholder expectation? Are we adopting it in full or only in part, and what's our rationale either way?

4. Conduct a cost-benefit review. Does this approach justify the investment in terms of security, safety, or business value? What impact will it have on usability, operations, or public perception? Is there a simpler or more adaptable way to achieve the same outcome?

5. Document and defend. Can we clearly explain why we chose this path, in this context, at this time? Have we captured gaps, trade-offs, and the reasoning behind voluntary standards used? Have we set a review trigger to revisit this as the context changes?

This framework doesn't slow down decision-making, it supports it. It ensures that compliance isn't just followed, but understood, applied with intent, and used to strengthen strategic outcomes. Used this way compliance becomes a reference point, not a finish line. It can help prioritise investment, align teams, and provide justification. But only if you stay curious about what's behind it, and how it fits your specific risk picture.

3. Simplifying complexity with a decision framework

Compliance is a snapshot in time.

What passes today might fall short tomorrow. Threats shift. Laws change. New priorities emerge.

One thing I've seen time and again: the decisions that get questioned later are usually the ones that weren't clearly recorded at the time. It's not that the wrong choice was made, it's that no one can explain why it made sense then.

That's why I often encourage teams to treat compliance decisions not just as technical tasks, but as strategic steps worth documenting. It doesn't need to be complicated, but it does need to be deliberate. Here's a simple framework I use to help structure and record decisions. It's not rigid, it's a tool to support better thinking and clearer conversations.

1. Map the compliance landscape. What rules apply here? Start by listing the relevant laws, regulations, internal standards, and voluntary guidelines. Be honest about which are mandatory and where there's room for interpretation. Record a short summary of each requirement, its source, and how you're applying it.

2. Understand the context and the threat. What makes this situation unique? Asset type, public use, known risks, these shape how compliance should be applied. Record the site context, user dynamics, threat profile, and key assumptions.

3. Define the strategic intent. What are we actually trying to achieve? Is the goal deterrence, life safety, business continuity? Get clarity first. Write a one-line statement of intent. It keeps everything grounded.

4. Evaluate the trade-offs. Where are the tensions? Sometimes compliance clashes with safety, usability, or operations. Make that tension visible. Record what options were considered, and why you chose the path you did.

5. Justify and capture the decision. Why did this make sense at the time? You're not just protecting a site, you're protecting your reasoning. Use a format that includes: Context, Objective, Options, Rationale, Review date.

And keep in mind: this isn't a one-time exercise, build in review cycles. Make documentation part of your process. That's how you keep decisions defensible, not just compliant.

4. The role of internal standards and governance

Governance doesn't exist to slow things down. It exists to make decisions deliberate, explainable, and repeatable.

Too often, internal standards are either outdated, overly rigid, or forgotten. But when they're done right, they become one of the most useful tools for making consistent, confident decisions, especially when you're navigating multiple influences like compliance, risk, and operations.

What makes internal standards valuable isn't how detailed they are. It's that they reflect your organisation's intent. They define what "good" looks like for you, and help people make better calls when things aren't black and white.

When structured and maintained well, they deliver clarity (define what "good" looks like for your organisation), consistency (reduce project-by-project variation), speed (avoid rethinking basic elements each time), and accountability (support defensible, traceable decision-making). But they have to be alive, not static. Assign ownership. Update them when the landscape shifts. And always make sure they support decision-making, not just control it.

So how do you influence governance without authority? Internal governance is often shaped at a level where security may not have a formal seat. In many organisations, strategic decisions are driven by finance, operations, or legal, while security remains a support function. Yet even without direct authority, security professionals can shape governance. Influence isn't just about position, it's about framing, timing, and contribution. Here's what I've seen work in practice:

1. Align with existing business priorities. Position security standards as enablers, not barriers. Frame them around business outcomes, reduced liability, operational continuity, or protecting reputational assets. The more clearly security supports their goals, the more welcome your input will be.

2. Offer decision-ready inputs. Don't wait for an invitation to contribute, bring something to the table. Draft templates, propose baseline measures, or structure guidance that others can easily adopt or adapt. It's easier to influence governance when you provide something useful, not just raise concerns.

3. Collaborate across functions. Build informal alliances with facilities, safety, compliance, and risk. Governance often evolves through consensus and shared needs. The more cross-functional the support, the more staying power your contributions will have.

4. Promote review cycles. Internal standards shouldn't be static. Recommend clear ownership, scheduled reviews, and practical update triggers (e.g., after incidents or regulatory changes). This keeps standards relevant, and reinforces your role as a forward-thinking contributor.

5. Build for real use. Avoid complexity for complexity's sake. Good standards should guide, not constrain. Use plain language. Focus on actions and principles. And make sure what you're proposing is usable by the people who have to apply it.

Internal governance isn't just about control, it's about creating a shared language for better decisions. And while you may not always have a seat at the top table, you can still shape the conversation. Often, the most effective influence comes not from authority, but from clarity, initiative, and relevance.

5. Closing reflections

This is the fourth piece in a bigger conversation about how decisions in physical security are made. We've looked at risk (and its limits), strategy (and its importance), heuristics (and their influence), and now compliance (and how to use it wisely).

Each one plays a role. But none of them are enough on their own. Compliance gives you legitimacy, but not always security. Strategy gives you alignment, but needs realism. Heuristics give you speed, but risk bias. And risk gives you focus, but can't predict the future.

Pull them together with the right frameworks, and you create something better: defensible decisions that make sense at the time, hold up under scrutiny, and serve the people they're meant to protect.

You can't count the attacks that never happened, the lives quietly protected, or the costs quietly avoided. Success often looks like nothing at all. But failure? That's visible, costly, and judged in hindsight.

That's why security decision-making isn't about getting it perfect, it's about making it justifiable, proportional, and context-aware, for the environment, for the moment, and for the duty we carry.

← Back to writing

The Hidden Fifth D

Part five of the decision-making series

Physical security is usually explained through the four Ds: deter, detect, delay, and deny. They describe the actions and controls that shape defences, but they leave out something vital: how leaders decide which actions to take, when, and why. At the centre of it all lies Decision, strategic choices guided by intelligence and vision.

Think of it like baking. The four Ds are the ingredients: essential, but not enough on their own. Without a recipe to guide how they're combined, in what order, and for what purpose, the result won't hold together. Decision is that recipe, the framework that binds the ingredients into something coherent and effective.

The penny dropped for me while reading Decision Advantage by Jennifer E. Sims, a leading scholar and former senior U.S. intelligence official. In her work, Sims defines decision advantage as the use of intelligence to create a competitive edge in diplomacy and conflict. Applied to physical security, this means converting intelligence into strategic choices that shape the environment before threats materialise.

Great strategists like Sun Tzu remind us that victory is shaped long before the first move is made. In the same way, this article argues that decision must be recognised as the hidden fifth D, the element that gives meaning and direction to the others. As Jennifer Sims points out, intelligence isn't just about collecting information; it's about shaping choices in ways that create real advantage.

Seen through this lens, decision is the recipe that binds the four Ds (deter, detect, delay, and deny) into a coherent, forward-looking posture. The four Ds remain vital, but they are tactical by nature, focused on execution rather than intent. What they miss is the pivotal moment of choice. Every deterrent we design, every detection system we deploy, every barrier we build, every denial measure we enforce, all of them flow from earlier decisions.

If those decisions aren't grounded in sound intelligence and foresight, the four Ds risk becoming fragmented, reactive, or misaligned with broader goals. But when decision is placed at the centre, the four Ds stop being isolated controls and start working together as a strategy.

In previous articles, I have examined the foundations of decision-making. Here, I want to build on that work by exploring the idea of decision advantage, transforming intelligence from a support function into a strategic lever that unifies the four D's into a resilient, forward-looking security capability.

"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu

Why decision must be explicit

Intelligence on its own doesn't change anything if it just sits there. It only becomes powerful when leaders turn it into action through clear decisions: setting priorities, directing resources, and creating real effects. As Jennifer Sims puts it, intelligence is information for competition, its purpose is to shape outcomes and help us navigate uncertainty.

That means intelligence can't just be a passive input or another report on the desk. It has to be an active lever, guiding which risks to accept, which to eliminate, and which to shape before they ever materialise. When intelligence is tied directly to decision, it stops being background noise and becomes strategy.

Strategy always comes before tactics. As Sun Tzu reminds us, the real victory is secured long before the first move is made. In practice, this means that the choices leaders make (what to deter, what to detect, where delay will matter, and what must be denied) set the stage for everything that follows.

The world we operate in is full of uncertainty. Threats shift, evolve, and often appear where we least expect them. That's why decision advantage matters: it allows organisations to learn faster, adapt their posture, and stay one step ahead while adversaries are still catching up. In this sense, intelligence isn't just a rear-view mirror telling us what has already happened, it's a forward-looking guide to what should happen next.

When intelligence is tied directly to decision, it becomes a living cycle: decisions drive outcomes, outcomes generate data, and that data sharpens the next decision. This feedback loop turns security from a static checklist into a dynamic system of learning, foresight, and adaptation.