Parts I and II of this series assessed two realities that US businesses must address:
First, the risk environment has changed. Physical and cyber threats are no longer separate; they increasingly reinforce each other.
Second, many companies are not becoming more resilient, even though they are spending more on security.
This gap between spending and results is not accidental. It is structural. Most businesses still rely on a security model built for a different era: one where physical and cyber risks were separate, predictable, and slow-moving.
That model no longer works.
Today, mid-market companies face many of the same threats as large enterprises, but without comparable leadership structures, governance, expertise, or resources. As long as this imbalance persists, risk levels will remain high and losses will continue to rise, regardless of how many new security products or services companies purchase.
Security professionals have observed this shift for years, and the data now confirms it: physical and cyber risks are increasingly interconnected.
What has changed is how often these risks intersect.
Supply chain attacks are a clear example. Threat actors frequently target smaller vendors because their defenses are weaker. A cyber-attack on a small logistics provider can disrupt physical deliveries, shut down manufacturing operations, or expose sensitive data across an entire industry.
The connection also runs in the opposite direction. Many cyber incidents begin with physical failures: tailgating, stolen credentials, unsecured workstations, shared access badges, or tampered equipment. These breaches often result from basic physical security gaps, not advanced hacking techniques.
For mid-market companies, the lesson is clear: risk can no longer be managed by separating cyber and physical security. Threat actors do not care how responsibilities are divided internally. Defensive strategies that remain siloed are increasingly ineffective.
Insurance markets offer some of the strongest evidence that these risks are structural rather than temporary.
Cyber insurers have tightened underwriting standards significantly in recent years. Organizations without basic controls such as multi-factor authentication, incident response plans, or reliable backups now face higher premiums, reduced coverage, or denial of coverage altogether.
Property insurers are responding to rising theft and violence in similar ways, with higher deductibles and stricter security requirements.
More importantly, underwriters are no longer focused solely on individual security tools or checklist-style compliance. They increasingly assess overall security maturity, including governance, leadership, and accountability.
Companies that cannot demonstrate coordinated oversight of both physical and cyber risks are viewed as higher-risk clients. In practical terms, fragmented security programs make insurance more expensive and harder to obtain.
For many mid-market organizations, maintaining coverage now depends on demonstrating credible leadership, clear ownership, and consistent risk management practices.
Despite these pressures, most companies still approach security as a series of short-term fixes.
Decisions are often driven by immediate triggers such as a failed audit, a security questionnaire from a large customer, or an upcoming insurance renewal, rather than by a structured understanding of business risk.
This creates a familiar paradox. Companies spend more on security each year yet remain vulnerable. They add tools, services, and vendors, but their ability to withstand incidents does not materially improve.
The reasons are consistent across industries:
In short, many companies try to buy security before defining what they actually need. The result is inefficiency and a false sense of protection.
Technology and visible controls (e.g., cameras, guards, guns, and gates) often receive most of the attention and funding. Yet process failures are responsible for many incidents.
Most breaches involve human error, misuse, or social engineering. Phishing attacks, for example, succeed by exploiting behavior, not because of missing software.
Policies and procedures are often dismissed as paperwork. In reality, they function as operational controls. They define expectations, guide decision-making, and shape behavior under pressure.
Examples include:
The value of documentation becomes evident during a crisis. When roles are ill-defined, response slows and risk increases. Organizations with clear, tested procedures recover faster and with less disruption.
Documentation also builds external credibility. Insurers, auditors, and large customers increasingly expect evidence of governance. Effective documentation is not about volume. It is about clarity, consistency, and real-world use.
Most companies cannot afford a large internal security department. The real question is not whether to hire a full-time executive, but how to access senior-level security leadership without senior-level cost.
Any effective solution must begin with centralized accountability. Someone must clearly own security risk across the organization.
To succeed, this role should be shaped by five key considerations:
Security decisions should start with business context, not vendor marketing.
Key questions include:
Effective security leadership translates these questions into priorities. A healthcare organization and a logistics company may face similar threats, but the consequences of failure differ significantly.
Centralized oversight ensures that resources are focused where business impact is greatest.
Fragmented systems create blind spots. When key elements of the security program are spread across departments and tools, no one sees the full picture.
Companies need a way to bring core elements together, including:
This requires intentional design and tools that support coordination rather than duplicate effort.
The difference between effective security management and tool sprawl is purpose.
Most security purchases solve narrow technical problems such as endpoint detection, access control, or video surveillance. Each system operates in its own silo, with its own dashboard and alerts.
What companies need instead is a security management platform: a system of record that coordinates people, processes, and oversight across both physical and cyber domains.
This is fundamentally different from buying another security product:
The platform becomes the operational hub where security work actually happens. Rather than adding another tool, the organization implements the management layer that makes existing controls effective.
A practical test is simple: can a new employee find the current access control policy in under two minutes? Can leadership identify the top three security risks without convening a meeting? If not, the foundational management infrastructure is missing.
Example: security management dashboard providing actionable insights for leadership.
Most companies cannot afford full-time security leadership with deep expertise across both physical and cyber domains. Yet modern security programs demand exactly this breadth.
A practical solution is to engage specialized security expertise in a structured, ongoing relationship that supplements internal capabilities.
Unlike traditional consulting engagements that deliver reports, this model embeds expertise into ongoing initiatives. External specialists help assess risk, interpret regulatory requirements, develop policies, and support implementation of recommendations.
The result is clarity, consistency, and accountability. The organization gains a trusted partner who tracks progress, adjusts priorities, and remains engaged as risks evolve.
No company achieves strong security overnight. Eliminating risk is not the goal; it is impossible. The objective is to align risk management efforts and spending with the organization’s risk appetite.
For mid-market companies, steady improvement is key:
Security maturity is not a pass-or-fail condition. Organizations that treat it as an ongoing process, supported by metrics and regular review, build resilience sustainably.
Mid-market companies are no longer small targets. They are critical links in connected systems and are being targeted accordingly.
Managing physical and cyber security as separate problems is no longer viable. Neither is spending money without leadership and governance.
Buying tools in hope means reacting from fear, adding systems without understanding how they fit, and creating complexity that obscures risk. Buying infrastructure to manage means starting with clear ownership, implementing systems that support decision-making, and building governance that makes tools effective.
The sequence matters. Many companies buy a firewall and then look for someone to manage it. A better approach is to establish who owns risk, equip them with a platform to manage comprehensively, and then make informed decisions about controls.
The path forward does not require business leaders to become security experts. It requires three commitments:
Think about risk across physical and digital domains, and where they intersect.
Assign clear ownership, supported by the right management platform and access to expertise.
Improve steadily based on business impact, not fear.
Organizations that make these changes gain control over their risk. Those that do not will continue to spend more while remaining exposed to the same threats. For most companies, security maturity is no longer a competitive advantage. It is the cost of staying in business.