Part 1 of 3 in our series on Anticipate. Adapt. Secure. The Holtium methodology for physical security risk assessment, governance, and diligence readiness.
The three pillars, defined:
Physical Security Risk Assessment. The baseline that names what the business protects, what threatens it, and where exposure sits, in dollar terms the board can act on. Run before an incident forces the answer.
Governance. The structural decisions made before controls are installed: what risks matter, who owns them, how they’re measured, and what reports to the board. This is the frame the security leader walks into.
Diligence Readiness. A risk function ready to pass outside scrutiny from an auditor, acquirer, investor, regulator, or major customer, at the moment it’s asked, not after the scramble.
Most fast-growing tech companies run their first physical security risk assessment only after something goes wrong: a lobby incident, a package that shouldn't have been signed for, a termination that didn't stay civil. For the first fifty to five hundred employees, physical security lands wherever it happened to fall: the office manager, the facilities vendor, the IT team that installed the badge reader. Nobody owns risk in the building. Nobody is asking what would happen if something went wrong. This is the same structural gap traced in the security risk landscape for smaller and mid-market businesses, and at growth stage it compounds faster than the org chart changes to close it.
For years, the “we need to think about this properly” threshold was IPO, or a campus, or a second country. That has moved substantially. The 2021–2022 U.S. Bureau of Labor Statistics workplace violence data reports 57,610 nonfatal workplace violence cases serious enough to require days away from work, job restriction, or transfer, and 524 workplace homicides in 2022 alone.
Office environments are not exempt from those numbers. Since July 1, 2024, nearly every California employer with ten or more employees has been legally required to maintain a written Workplace Violence Prevention Plan under Senate Bill 553 and California Labor Code §6401.9, with serious-violation penalties up to $25,000 and willful penalties up to $158,000.
The regulatory floor caught up to tech's casual approach to physical space faster than most companies' internal programs did. A forty-person company that grows to 180 in eighteen months now owes a written plan, a hazard assessment, annual training, and documented procedures before a customer, insurer, or enterprise buyer asks whether security is actually managed or just installed.
A physical security risk assessment, done correctly, identifies the assets the business is protecting, the threats specific to its locations and workforce, the controls currently in place, and the residual exposure the business is actually carrying. Carried to this depth, what most companies call a physical security risk assessment becomes a Physical Security Program Assessment: the baseline every subsequent budget, control, and board report measures against.
In practice that means four linked steps:
an inventory of what matters (people, IP, revenue-producing locations, executive leadership);
a threat model grounded in the specific geography, industry, and profile of the company;
a mapping of each control to the risks it actually reduces; and
an exposure statement that names what is still uncovered and what it would cost if it failed.
Across the assessments we run, that last piece is what most growth-stage tech companies never see. The badge reader is installed. The cameras are up. The receptionist has a panic button. But nobody has ever translated that infrastructure into a statement a CFO can read: here is what we protect, here is what we spend, here is what is still unaddressed, and here is what it would cost the business if it went wrong. Without that translation, physical security lives in the operations budget as a fixed cost, unexamined and unjustified.
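As an added illustration of the four steps above, the following is a minimal residual-exposure register for a fictional growth-stage company. This is example code written for this post, not Holtium's methodology or tooling. The quantification rule it uses (expected annual loss = asset value x impact share x annual likelihood, scaled down by the controls that reduce that likelihood), the dataclass names, and every dollar figure and probability are constructed assumptions; the point is the shape of the output, a statement that names what is protected, what is spent, what is still exposed, and which threats no control touches at all.

```python
# Added example for this post: a residual-exposure register that walks the four
# assessment steps (inventory, threat model, control mapping, exposure statement).
# Illustrative code, not Holtium's tooling. The quantification rule and all
# figures below are constructed assumptions for a fictional company.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value_usd: float  # assumed business cost if the asset is fully lost or compromised


@dataclass
class Threat:
    name: str
    asset: str                # Asset.name the threat acts on
    annual_likelihood: float  # assumed probability of occurring in a year, 0..1
    impact_share: float       # assumed share of asset value lost when it occurs, 0..1


@dataclass
class Control:
    name: str
    annual_cost_usd: float
    # threat name -> fraction of that threat's likelihood the control removes
    reduces: dict = field(default_factory=dict)


def residual_register(assets, threats, controls):
    """Step 3: map each control to the threats it reduces; return one row per threat."""
    value = {a.name: a.value_usd for a in assets}
    rows = []
    for t in threats:
        inherent = value[t.asset] * t.impact_share * t.annual_likelihood
        remaining = 1.0
        applied = []
        for c in controls:
            if t.name in c.reduces:
                remaining *= 1.0 - c.reduces[t.name]  # independent reductions compound
                applied.append(c.name)
        rows.append({"threat": t.name, "asset": t.asset, "controls": applied,
                     "inherent_usd": round(inherent, 2),
                     "residual_usd": round(inherent * remaining, 2)})
    return rows


def exposure_statement(assets, threats, controls):
    """Step 4: the numbers a CFO can read, plus the threats no control touches."""
    rows = residual_register(assets, threats, controls)
    return {
        "protected_usd": sum(a.value_usd for a in assets),
        "annual_spend_usd": sum(c.annual_cost_usd for c in controls),
        "inherent_usd": round(sum(r["inherent_usd"] for r in rows), 2),
        "residual_usd": round(sum(r["residual_usd"] for r in rows), 2),
        "uncovered": [r["threat"] for r in rows if not r["controls"]],
    }


# Step 1: inventory (constructed sample values for a fictional company).
SAMPLE_ASSETS = [
    Asset("office_hq", 2_000_000.0),          # single headquarters, ~150 people
    Asset("eng_workstations", 5_000_000.0),   # unencrypted-data and downtime cost
]

# Step 2: threat model specific to this office and workforce (constructed).
SAMPLE_THREATS = [
    Threat("tailgating into the lobby", "office_hq", 0.5, 0.10),
    Threat("hostile former employee on site", "office_hq", 0.1, 0.50),
    Threat("unscreened mail or package delivered to reception", "office_hq", 0.2, 0.25),
    Threat("device theft from the engineering floor", "eng_workstations", 0.3, 0.04),
]

# Controls already installed, with assumed effectiveness against each threat.
SAMPLE_CONTROLS = [
    Control("badge reader at floor doors", 8_000.0,
            {"tailgating into the lobby": 0.4, "device theft from the engineering floor": 0.5}),
    Control("staffed reception with visitor management", 12_000.0,
            {"tailgating into the lobby": 0.5}),
    Control("same-day badge deprovisioning on termination", 3_000.0,
            {"hostile former employee on site": 0.6}),
    Control("reception panic button", 1_500.0,
            {"hostile former employee on site": 0.2}),
]


if __name__ == "__main__":
    s = exposure_statement(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_CONTROLS)
    print(f"Protected:        ${s['protected_usd']:,.0f}")
    print(f"Annual spend:     ${s['annual_spend_usd']:,.0f}")
    print(f"Inherent exposure ${s['inherent_usd']:,.0f}")
    print(f"Residual exposure ${s['residual_usd']:,.0f}")
    print("Uncovered:        " + ", ".join(s["uncovered"]))
```

Run as a script, it prints the four-line statement the paragraph above describes. The useful output in the sample is the last line: the package threat carries the largest residual figure because no installed control maps to it, which is exactly the kind of gap a portfolio of individually justified invoices never surfaces.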
Fast-growing tech companies are optimized to move. The physical footprint is treated as a leasing problem, not a risk problem. Headcount is a recruiting KPI, not a threat surface. Offices open before floorplans are finalized, and the security conversation (to the extent it happens) is bundled into the IT ticket that sets up the space.
Each new location adds a patchwork of controls, and none of them ever gets examined as a portfolio. The budget defends itself one invoice at a time, and the risk picture never consolidates.
The trigger for a physical security risk assessment should not be an incident. It should be the arithmetic of the business: the second office, the hundredth hire, the first customer who asks about duty of care. The companies that wait for an incident are not managing risk; they are underwriting it personally, with the CEO's time and the board's attention when it happens.
The value of a physical security risk assessment is not the PDF it produces. It is the set of decisions it makes possible: where to spend, what to defer, what to escalate to the board, and what to disclose when a customer audit lands. That requires an assessment methodology tied to the business, not the building, and it requires an operating rhythm that keeps the picture current as the footprint grows. It is also why a practical way forward for security in businesses puts governance infrastructure in place before controls. An assessment without a governance system produces a report that gets filed; an assessment inside one produces a program the board can actually evaluate and hold to account.
Holtium is building Physical Risk Governance, the operating layer for physical risk that cyber has had for a decade. Our methodology, Anticipate. Adapt. Secure., produces a Physical Security Program Assessment that delivers the baseline every subsequent budget, control, and board report measures against. Not a PDF. A baseline. The next post in this series asks the question that follows naturally: when do you actually hire the security leader, and what has to be true before you do?