In this episode, our GCCR co-leader Dave Stainback is joined by Andrew Hoch to discuss how organisations should approach physical security in today's evolving risk environment.
Release date: May 2026
David Stainback: Hello, everyone, and welcome to the Emerge Stronger Through Disruption podcast series. I'm Dave Stainback, co-leader of PwC's Global Center for Crisis and Resilience, GCCR for short, and I'm coming to you today from our office in Atlanta, Georgia. The aim of this podcast series is to explore the challenges facing businesses in this environment of constant crisis and change, and really discuss how successful business leaders can emerge stronger through disruption.
Before we dive into today's conversation, if you're enjoying Emerge Stronger Through Disruption podcast series, please subscribe wherever you get your podcasts and consider leaving a like or a comment. Hearing from you all helps us know that we're connecting, and it also helps us reach more people. So thanks so much for your support.
Today, we're discussing physical security and emergency preparedness. Joining me to explore this topic is Andrew Hoch, a director on our PwC US team with extensive law enforcement and corporate security background. Welcome, Andrew.
Andrew Hoch: Thanks, Dave. I'm excited to be here.
David Stainback: All right. So Andrew, unfortunately, we only need to see the news headlines to know that incidents that put employees and critical assets at risk are happening everywhere.
Whether it's an active shooter incident or a natural disaster or violence of war that we're seeing around the world, forcing organisations really of all sizes to address physical security is an important topic today.
Andrew Hoch: I couldn't agree more, Dave. In my conversation with executives, it's apparent that there's heightened focus on making sure their organisations are proactive in preparing for potential emergencies in the workplace as employees travel to corporate events and at executive residences.
You know, we've assisted hundreds of organisations with their physical security and emergency planning, and there's a wide spectrum of capability out there. There are large organisations that have significant internal capabilities and security operation centers built out within the organisation. There are small family offices and private businesses that don't have much at all, and then there's everything else in the middle ground.
Every organisation is gonna have its own unique flavor, but the principles for physical security remain the same for all. And I would argue that many large organisations have just as much risk as those with less capabilities. Because while they have large teams, they're often siloed and don't have formalised policies and procedures or sufficient interaction with other resilience functions such as crisis management, business continuity, and cybersecurity.
So there's work to be done across all types of organisations.
David Stainback: Yeah. And I think that's a great tee up for some of the stuff we're gonna try to get to today, and so let's get started. At the macro level, Andrew, how should organisations be thinking about their physical security programmes given today's risk environment?
Andrew Hoch: Yeah, Dave, that's a great point. First, I'll say that effective security often starts with understanding the risks. Organisations should make intentional decisions about what they are protecting and the threats they face, as well as potential impact of failure. The focus is on prioritisation and making informed trade-offs.
Secondly, organisations should take a layered approach and apply that pragmatically. And what do I mean by a layered approach? Thinking about having actions in place for deterrence, detection, delay, and response. And the controls put in place should be usable and aligned to those risks. So the key themes are pragmatic, risk-based and layered security that protects people wherever they are.
So take, for instance, Dave, a scenario of unauthorised access in a multi-tenant office. Let's say an individual gains access by tailgating into a shared office building. He or she uses shared elevators and stairwells to move between the floors. They enter in a tenant space through a propped door. They move unnoticed to an open office environment, and they reach a critical asset, say a server room, an MDF room, an executive office, or a boardroom.
This example highlights a few important points. First, security failures happen at entry, not just at the perimeter. Secondly, human behavior, as in not challenging the tailgating, is a primary vulnerability. Thirdly, modern office designs often reduce natural barriers and increase exposure. And lastly, the lack of role-based zoning and delay controls allows unrestricted movement.
To protect against this risk, security must control movement and behavior, not just access.
David Stainback: Yeah, so that's a really helpful example, and, you know, it helps bring to life the types of things that we know are happening in organisations around the world on a daily basis, and that physical security professionals are really trying to thwart.
One thing that I heard you kinda mention is that organisations can't protect against every possible scenario, so taking a risk-based approach to physical security makes sense. Based on my experience when I talk with executives, they often try to jump immediately to a discussion of tools and technology, which I know is important.
Can you talk a little bit about how tools fit into this? Should that be the first question, or is there really more to it?
Andrew Hoch: Yeah, that's a good point, Dave. So security tools are certainly important, especially for large, geographically dispersed and complex organisations. But fundamentally, security is a practical, behavior-driven capability that, when honed, enhances safety, resilience, and readiness.
David Stainback: Okay, I thought that might be your perspective. Can we go a little deeper on that?
Andrew Hoch: Sure. It's a combination of human controls, cultural alignment, effective governance, training, and communication. So let's start with the human behavior. It's one of a physical security programme’s control layers. Many physical security failures are driven by human behavior rather than technical gaps, such as not questioning the tailgater or leaving the doors propped open.
Rather than employees being seen as a vulnerability, they should be positioned as a critical frontline control layer. For human behavior to be a control layer, security programmes need to align with corporate culture. Controls that conflict with how people work are often bypassed, thus reducing effectiveness.
Security controls that create too much friction can lead to employee pushback. That pushback leads to workarounds, and the workarounds create risk. The net is, if controls do not align with behavior, they will likely be bypassed.
From a governance perspective, there should be clear ownership and coordination. Without clear ownership, controls degrade over time. Security responsibilities are often split across multiple functions, and inconsistent interpretation and enforcement weaken security.
Examples of governance gaps that we see in practice include things such as, first, an unclear owner of the access control standards. Secondly, we often see unclear ownership of incident communication. And lastly, Dave, limited accountability for enforcement. And all of these lead to a weakened security posture.
And the last piece is training and communication. Training should be based on real-world decisions and repetition, and effective communication is critical during and before incidents occur. People need to know what to do, when to act, and how to respond. They rely on what they have practiced, not what they have read. Effective programmes use scenario-based in-person and recurring training, and that results in better decisions under pressure and more consistent behavior.
There's a good example related to mass communication tools. They're essential during incidents, evacuations, and disruptions to guide behavior in real time. They reduce confusion and align responses. However, they only work if the employees trust them and understand how to action the information, and that directly ties back to governance, training, and behavior.
The key takeaway here is security fails when behaviors are misaligned with governance, and it's unclear, and people are not trained to act appropriately.
David Stainback: Yeah, I think those are all really critical points and appreciate you outlining that for our listeners.
I want to switch gears just a little bit and talk for a moment about physical security outside of the workplace. You know, I think a lot of what you just walked through was very much focused on the internal workplace, having the right governance, culture, controls, et cetera. But can you share your thoughts on how this works outside the workplace? I think the lines between work and personal time and personal space have changed drastically over the last fifteen years.
Andrew Hoch: Couldn't agree more with you, Dave. And more and more, we're seeing organisations apply security principles to residences and corporate travel, which really reinforces that holistic duty of care approach towards employees by an organisation.
I think a great example of that is, for instance, an organisation has an office or a facility in a city in which civil unrest erupts. Does that organisation have the ability to gather intelligence on an emerging situation, assess the impact, and communicate quickly to its affected employees with safety protocols or instructions such as working from home and return to work?
This example highlights that security requires a repeatable capability, not just an ad hoc reaction. Organisations should monitor, assess, decide, and communicate with an understanding that timing and clarity of communication directly affect employee safety. When an employee is traveling to a certain region, there should be pre-travel awareness briefings and an understanding of the risks and clear escalation paths back to the organisation.
There's a need for planning and coordination when employees are at conferences, meetings, and other external venues. And more often, organisations are including some sort of residential security in their programmes, providing targeted protection for their high-risk individuals, not applied broadly across all employees, but done focused on visibility-driven and proportional risks.
So security extends beyond buildings. It's broadly about duty of care for an organisation's employees.
David Stainback: Yeah, that is super helpful, and I think that is the reality of the world we're living in today. And it's interesting, as you were going through that, I heard a lot around the programme and making sure that that's in place.
But it also does harken back to the need for potential tools and technology because a lot of what you walked through was data and awareness and knowing where your employees or your executives are at any given point in time and having the right line and the right data to be able to protect them wherever they might be in the world.
So really great points. The next thing I want to kind of shift to is that physical security and emergency planning are clearly important components of an organisation's resilience, and frankly, were probably one of the first that were ever built. But as such, it's really critical today that physical security becomes integrated with the other parts of the broader resilience programme.
In too many cases, and perhaps because these were often built before some of the other resilience capabilities were developed, we see that physical security programmes are siloed from the other aspects of resilience. I think it's important to recognise that and then proactively begin to address it, making sure that it becomes integrated, like you said earlier, with broader crisis management, business continuity, ITDR, and the other resilience programmes that you have under an overall umbrella or governance structure of resilience.
Andrew Hoch: Dave, I couldn't agree more. Some of the physical security teams that we work with feel siloed from their organisations as opposed to truly integrated into the business. They often recognise the need to address that, but it takes progressive leadership at the organisational level to do so. Dave, here's one more quick example.
As you know, physical security is becoming a critical part of data center resilience. Yet we consistently see that data center physical security assessments and standards are often owned and completed by IT security and not the physical security team. That's a classic example of a gap in the physical security programme due to the lack of integration and coordination across the organisation.
David Stainback: I agree.
That is a perfect example. And frankly, it's a great teaser for the more in-depth conversation that I know you and I are gonna have as a follow-up to this on data center physical security specifically that we're gonna bring you all in an upcoming episode of this podcast. So we've covered a lot of ground here today, and so I think this is a great place to wrap up.
Andrew, I want to thank you. Really, really appreciate your insights and look forward to our next conversation around data center security. To our listeners, thank you for tuning in. In upcoming episodes of Emerge Stronger Through Disruption, we'll continue to tackle the topics that keep business leaders up at night.
We'd love to hear ideas from you about topics you'd like us to address. So please get in touch with Andrew and me via LinkedIn. In the meantime, remember to subscribe to Emerge Stronger wherever you get your podcasts. Until next time, stay resilient and prepared for whatever challenges come your way.
VO: Copyright 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only and should not be used as a substitute for consultation with professional advisors.