angry_octet | 5 days ago
But missing in this discussion is a risk and consequence analysis. If the risk is armed attackers, do something that targets that. For physical theft, target that. Likewise IT risks. The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.
Incidentally, the solution to car park access is ALPRs, and the solution to most of the physical security is solid-core doors at the workgroup level with EACS swipe and surveillance cameras there, and at the front desk have face-level 4K video surveillance, with an on-duty guard to resolve issues with access.
handoflixue | 5 days ago
Or the person who wrote the article just wasn't involved in that loop, or otherwise disagreed on what threat models mattered.
angry_octet | 3 days ago
Protecting JIRA auth tokens is quite likely low down the list for IT security. Making sure your workers are not remote North Koreans is indeed a security benefit of secured physical offices with regular on-site work.
But the author did have a deeper point -- visible security theatre gets lots of money and management attention, while meaningful expert-driven changes are mired in bureaucracy.