Why Separating Physical and Cyber Governance Risks Enterprise Ruin

Security expert Tim Rawlins explains how corporate silos create critical blind spots that threat actors exploit to bridge physical and digital assets.

The artificial divide between physical and digital protection remains a glaring vulnerability across modern enterprise organizations. In many corporate structures, physical security sits within facilities or estates, while cybersecurity answers directly to IT departments. These teams operate under different reporting lines, use separate jargon and chase conflicting priorities.

According to Tim Rawlins, senior advisor and director at NCC Group, this corporate separation makes it easy for leadership to treat a physical breach as a localized site issue rather than a systemic enterprise risk. Having spent more than 30 years managing global security programs for the British government, Credit Suisse and London's O2 arena, Rawlins is a veteran risk executive. In an exclusive interview with Security Today, he further breaks this down:

"An intruder does not care how an organization labels a vulnerability," Rawlins said. "Threat actors simply seek the path of least resistance."

A poorly secured plant room, an exposed building management system (BMS), a tailgated entry point or a contractor with excessive access permissions can all serve as open doorways into sensitive corporate networks. Until organizations govern physical and digital security under a single risk umbrella, Rawlins warned, they will continue to miss the hybrid attack paths that matter most.

When addressing "grey-zone" activity (low-level, state-sponsored disruptions designed to destabilize a society or economy without triggering a conventional military response), Rawlins argued the strategic effect is deeply psychological and operational. While a small fire, a low-flying drone or suspicious access near a cable route may appear minor in isolation, these acts erode public confidence and distract leadership teams. In many cases, a physical event is intentionally deployed to create tactical cover for a digital network intrusion.

Logistics hubs, ports, transport nodes and critical infrastructure sites have also become high-priority targets. Rawlins explained that these environments are no longer just brick-and-mortar warehouses; they house the connected digital systems that schedule transport, monitor inventory and control environmental conditions. A physical breach can trigger a digital shutdown within minutes, and a digital compromise can stop the physical movement of goods just as quickly.

These blind spots typically occur in "governance seams": the unowned gaps between competent but isolated silos. For example, facilities might install a new smart security camera system, IT might manage the network it sits on and risk teams might handle overall compliance. The failure happens when a system is connected without a proper cyber review, or a supplier is granted broad remote access without oversight. No single team made an error, yet the enterprise is exposed because governance followed an organizational chart rather than real-world system interactions.

This lack of cohesion is precisely why critical building management systems are still commonly commissioned with default factory credentials. Rawlins noted that contractors are typically judged on operational delivery (i.e., whether the camera feeds or climate controls work) rather than secure operation. Default credentials and unsegmented networks make third-party maintenance easier, but they also make cyber compromise effortless. If secure configuration is not baked into the initial procurement and tendering process, convenience will always beat security.

Regarding solutions, Rawlins stated that secure-by-design principles must begin when a project's business case is first being shaped. Security executives must be brought to the table during the concept stage, not the week before handover. Their role is not to veto innovation, but to shape the architecture, access models and resilience testing before procurement choices are locked in. Bringing security in at the final hour is not secure-by-design; it is late-stage damage limitation that drives up costs.

Moving toward a converged governance model requires a mandate from the top. A board must explicitly decide to govern physical, cyber and personnel risk as a single resilience function. Once that mandate is established, organizations should create a joint governance forum, establish a unified risk register and ideally co-locate these teams to break down cultural barriers.

Long-term hardening of these connected physical assets requires a continuous cycle of asset inventory and simulation. Rawlins stated that many companies still lack a reliable, live inventory of every connected device across their estate. He advises security leaders to build an accurate asset view, eliminate default settings, segment networks and aggressively test manual workarounds through realistic scenario rehearsals.

Failing to address these converged risks carries heavy regulatory and financial penalties. From an insurance perspective, underwriters are heavily scrutinizing control environments. Rawlins warned that organizations that cannot demonstrate oversight of connected physical assets face tougher pricing and coverage exclusions. Simultaneously, global regulators are demanding evidence that senior leaders can maintain critical operations through prolonged disruption.

In his final remarks, Rawlins cautioned that security leaders must also keep a close eye on architectural drift. The rapid adoption of cloud-managed cameras, smart sensors and artificial intelligence analytics is expanding the corporate attack surface exponentially. While these technologies improve visibility, they create deep dependencies on third-party suppliers and digital identity. Innovation must be balanced with strict discipline, ensuring governance models evolve at the exact same pace as the technology deployed.
