Our 2027 Security Industry Trends Survey is now live. Add your insights to the conversion. Take the survey now

When IT Meets the Door: Boring Habits That Fix Scary Risks

Written by

Tim Orr

Conceptual illustration representing responsibility and decision-making in a digital security environment, with two figures separated by light and shadow

By this point in the series, you have met all the key players. Doors, alarms, cameras, and intercoms that all behave like small computers, and live quite happily on your networks. You have also seen why physical security belongs in your technology world, and how its data can support comfort, safety, and space planning.

In this part, we will look at something less glamorous but far more powerful. Not new features or shiny gadgets, but the steady cyber hygiene and IT governance habits that quietly prevent small problems turning into big incidents.

If you are a CIO or IT leader, this is your home turf. The trick is simply to apply the same thinking to doors and cameras.

No drama, no silver bullets. Just calm routines that make attackers bored and building managers happy.

 

Key takeaways

  • Most physical security incidents start with basic, preventable gaps
  • The same IT hygiene habits you already use apply directly to security devices
  • Governing identity, patching, and network segmentation closes the biggest risks
  • A simple quarterly health check keeps risk low without a big project

 

The usual suspects

When modern physical security goes wrong, it is rarely because of clever new tricks or sophisticated attacks. Most incidents usually start with the same issues that IT teams have been dealing with for decades, including:

  • Devices on the network that nobody knew were still connected
  • Old software that has not been updated for years
  • Shared admin accounts with simple or default passwords
  • Equipment sitting on flat networks with a clear path into important systems
  • Remote access for vendors that nobody really manages
  • No clear plan for what happens if a key server or controller fails

Part three is simply us rolling our sleeves up and addressing this list properly.

The good news is that you already know how to handle most of this. The habits below come straight from standard IT security hygiene checklists. We are simply extending them to physical security devices and your access control system.

Let us walk through the main habits, grouped in the way a CIO would normally think.

See what you have

Good governance starts with visibility. Before you can patch, segment, or recover anything, you need a clear picture of every device that is actually out there.

Habit 1: keep a living inventory

In part one, we talked about listing physical security devices. Now it is time to make that list work harder.

Start with a simple question: if you had to point to every controller, camera, and recorder on a map right now, could you do it with confidence?

A reliable asset list for physical security should include:

  • Every access control controller, intruder alarm panel, camera, recorder, and server
  • Where it physically lives: which site and room or cabinet
  • Where it logically lives: which IP range and network segment or VLAN
  • Which version of firmware or software it is running
  • Who is responsible for it: both a technical owner and a business owner

You do not need a complex system to start. A shared spreadsheet is fine. What matters is that it behaves like any other CMDB or asset register entry, with a named owner and a habit of updating it whenever something changes.

From a CIO point of view, this is the foundation. Without a basic inventory, you cannot do sensible work on patching, network segmentation, remote access security, or disaster recovery and backup.

Control who can touch it and how

Once you know what you have, the next job is controlling who can reach it and how. The habits below apply the same identity, patching, and network disciplines you already use across IT to your physical security devices.

Habit 2: connect operators to your identity provider

The people who operate Command Centre, manage cardholders, or review CCTV hold powerful privileges. They can create credentials, unlock doors, silence alarms, or retrieve video that may later be used as evidence. Treat those logins with the same respect as your finance or HR systems.

From an IT security point of view, this is classic identity and access management. Look for ways to:

  • Move away from shared local admin accounts to named individual accounts
  • Link operator accounts to your central identity provider, such as Active Directory, Entra ID, or another IAM platform
  • Use single sign-on so that joiners, movers, and leavers are handled consistently

In practice that means:

  • Asking your security integrator or vendor what options exist to connect Command Centre to your identity provider
  • Reducing the number of local passwords inside the security system
  • Making sure operator activity appears in the same kind of logs and reports as other privileged accounts

The goal is simple. Fewer local secrets to manage, more use of your central identity and access management system, and a clear audit trail if something odd happens.

Habit 3: bring devices into your patching and change rhythm

Controllers, panels, and recorders run software like everything else. That software ages, bugs are found, and security fixes are released.

The pattern you already use elsewhere applies here too:

  • Track which versions you are running, using your asset list
  • Subscribe to vendor or integrator bulletins so you hear about updates
  • Plan regular maintenance windows to apply patches

Treat these updates as part of your normal IT governance and change process, not as one-off jobs done in a hurry when something breaks. Make sure security controllers and recorders appear in your standard patching and change calendar, not in a separate informal list.

You do not have to chase every minor release instantly. You do have to know which versions you are running and whether any are unsupported or contain known security issues. This defines the line between “reasonably managed risk” and “legacy system quietly waiting to appear in an incident report”.

Habit 4: put security devices on the right network segments

If controllers and security camera systems sit on the same flat network as finance or payroll systems, you have just increased the prize for anyone who breaks in.

Network segmentation is already a familiar idea. Apply it here too.

Work with your network team to:

  • Place controllers, recorders, and cameras on their own network segment or VLAN
  • Use firewall rules to only allow them to talk to Command Centre servers and a few support services, such as time servers
  • Block any direct path from these devices to critical business systems
  • Monitor that segment for unexpected traffic patterns

The aim is not perfection; it is to ensure that if a device is compromised, it sits in a segmented network with limited options, not on a fast lane into your core systems.

Habit 5: tidy up remote access for vendors and staff

Remote access is both incredibly useful and a common source of trouble. Security vendors often need to connect into systems for support. Your own staff might look after sites from a central operations centre or from home.

From a governance point of view, vendor remote access should follow the same rules as your own remote support tools: time-limited access, strong authentication, and full logging.

Strong remote access security habits here include:

  • Making sure all connections come through your approved remote access tools, not through ad hoc ports opened on firewalls
  • Requiring multi factor authentication for any remote access to Command Centre, recorders, or supporting servers
  • Turning vendor access on only when needed, and removing old accounts and VPN profiles when contracts end
  • Logging remote sessions, so you can see who connected, when, and from where

Third-party vendor access into physical security systems should look and feel like third-party access into any other critical system. Familiar patterns, familiar controls, and no surprises when an audit or incident review happens.

Recover calmly when it breaks

No system stays healthy forever, so it pays to plan for the bad day in advance. These habits make sure that when something fails, you can bring it back quickly and calmly instead of improvising under pressure.

Habit 6: back up configurations and test restores

Your access control system, CCTV platforms, and related tools contain rules about who can go where and when. Losing these configurations is more than just losing convenience.

You may lose your ability to operate safely.

Treat the configuration of your physical security systems as critical data:

  • Make regular backups of Command Centre databases and configuration
  • Capture controller and device configuration where possible
  • Store copies of backups in a safe location that is not just the same server

Test restores regularly by:

  • Choosing a non-critical system or a lab environment
  • Restoring configuration to a spare device or test server
  • Recording what worked, what failed, and how long it took

Include the access control database and key video systems in your disaster recovery and backup plans alongside ERP and HR. The question to ask is simple: if this server failed on a Monday morning, how long before we could safely run the building again?

Habit 7: write simple runbooks for bad days

On a bad day, people do not want a novel. They want a one-page guide that says “do this, then this”.

Create short runbooks for common “bad day” scenarios, such as:

  • Command Centre server offline
  • Major site losing network connectivity
  • A controller cabinet damaged by water or fire
  • A site where nobody can badge in

Each runbook should include:

  • Who is in charge of the response
  • Who to call in IT, security vendors, and facilities
  • Where key diagrams, passwords, and backup locations are stored
  • The order of actions to take, and when to escalate

Practice these in tabletop exercises the same way you practice incident response for cyber-attacks.

Fold these short guides into your wider incident response and disaster recovery plans so that physical security is not missing from the playbook when you practice.

Habit 8: set clear standards for new projects

Instead of rebuilding from scratch every time a new building or project appears, create simple standards. These may include:

  • A one-page “physical security design standard for IT” that covers asset lists, network segmentation, and remote access
  • A checklist that new projects must complete before handover, including identity provider integration, patch levels, and backup configuration
  • A short description of what “good” looks like for access control and CCTV from an IT governance point of view

Then agree how these standards fit into your existing governance. Maybe they live in your architecture review, your security policies, or your IT service catalogue.

The goal is that the next project team does not invent its own approach in a hurry. They start on the path you have already cleared.

A simple recurring health check

If you want to turn this into a regular habit, pick one site this quarter and run through this list.

Refresh the asset list

  • Export or print the current list of controllers, panels, cameras, and recorders
  • Walk one building with a technician or integrator and mark what has changed
  • Update versions, locations, and owners

Review accounts and access

  • List all operator accounts in Command Centre and related systems
  • Remove any that belong to people who have left or changed roles
  • Check which ones are linked to your identity provider and single sign-on, and plan to reduce local logins

Plan one update window

  • Identify a device or server that is behind on patches
  • Agree a maintenance window with operations and facilities
  • Apply updates and record any impact or lessons

Check network placement

  • Confirm which network segments your security devices use
  • Note any places where they can reach more than they should
  • Log a task with your network team to tighten firewall rules where needed

Test one restore

  • Choose a non-critical system and restore its configuration to a spare device or lab environment
  • Record how long it took and what had to be fixed
  • Update your runbook with anything you learned

None of these steps will win prizes at a technology conference, but they will close the small gaps that most attackers look for and give you a calmer life.

Repeat this on a different site each quarter and you have an ongoing physical security health check without needing a big project or a terrifying audit.

What comes next

You now have three pieces of the puzzle:

  • Why physical security belongs in your world
  • How its data can support comfort, safety, and business decisions
  • The habits that keep everything under control

In the next parts of the series, we will dig into specific topics that CIOs and IT leaders are being asked about more often:

  • How to integrate access control and CCTV with other systems without creating new risks
  • How to use security data for safety and compliance, including muster lists and capacity rules
  • How to approach cloud access control, mobile credentials, and remote management without losing sleep

The aim remains the same: physical security that fits comfortably inside your existing IT governance, keeps risk low, and lets you have clear, confident conversations with security and property teams without everyone wanting to hide under the desk.

What if security is capable of so much more?

By challenging what's possible, Gallagher empowers businesses to be more connected with their people, their goals, and their potential.

Unlock More


Do you have a question?

Let us put you in contact with one of our team members.

CONTACT US


Want to hear more from Gallagher?

Get the latest Gallagher news, updates, and event information delivered straight to your inbox.

SUBSCRIBE

Stay up to date with Gallagher

Get the latest Gallagher news, updates, and event information delivered straight to your inbox.