Why Security Leaders Are Rethinking Program Management

Part 2 of 3 in our series on Anticipate. Adapt. Secure. The Holtium methodology for physical security risk assessment, governance, and diligence readiness.

The three pillars defined:

  • Physical Security Risk Assessment is the baseline: the work that names what the business protects, what threatens it, and where exposure sits in dollar terms, run before an incident forces the answer. 

  • Governance is the structural layer built before controls are installed: the security program management infrastructure (risk register, controls inventory, policy library, and roadmap) that the security leader walks into rather than reconstructs. 

  • Diligence Readiness is a risk function prepared to pass outside scrutiny from an auditor, acquirer, investor, regulator, or major customer at the moment it is asked, not after the scramble.  

Across fast-growing tech, the workforce math changed in 2025 and 2026. Amazon cut 30,000 corporate roles across two rounds while AWS grew at its fastest pace in years. Salesforce eliminated more than 4,000 customer support positions after AI took over 30 to 50 percent of that workload. Coinbase cut 14 percent of its workforce in May 2026, citing AI acceleration as the driver. The framing was consistent across every announcement: this is not cost-cutting, it is a redesign of how work gets done.

This is the operating environment for fast-growing tech right now: fewer people, higher output expectations, AI embedded in every workflow. Most functions have been redesigned around AI and leaner teams. One discipline has not. Security program management, the function that produces the risk register, the controls inventory, the policy library, and the roadmap that ties them together, still runs on the assumption that each piece requires a dedicated hire. That assumption made sense when those tasks demanded weeks of manual research, niche expertise, and document production by specialists. It no longer does.

The work that used to take weeks of specialist time now ships from a single engagement. Every other function has already moved in that direction. Security program management has not, even as the rest of the business increasingly needs to treat security as a strategic function. That gap is no longer abstract.

Tech makes the pattern visible because the layoffs make headlines. The same shift is playing out at banks integrating after acquisitions, at hospitals merging back-office operations, at manufacturers running leaner finance and compliance teams. The security leader at each of these feels it the same way: more responsibility, less help, and a hiring plan that keeps getting pushed. 


The Gap Has a Cost That Compounds 

The security leader at a fast-growing tech company is already operating lean. Physical security responsibility typically lands on someone who also carries workplace services, facilities, and employee experience, with a headcount request that has been deferred once or twice already. In this environment, the plan to fix security program management by eventually hiring a dedicated program manager is not just slow. It is structurally fragile.

Every month that passes without a documented risk register, a controls inventory, and a policy library is a month in which the organization’s exposure grows undocumented and unmitigated. New offices open. Vendors change. Headcount increases. The complexity of the program compounds while the structure for managing it stays the same. And when the hire does arrive, approved after two budget cycles and six months of recruiting, they inherit nothing: no baseline, no methodology, no documented rationale for any of the decisions made before them. They spend the first year reconstructing what should already exist. Meanwhile, the organization has been exposed the entire time, and no one has been able to put a number on it.

The reconstruction is harder than it sounds. Cybersecurity has decades of frameworks like NIST CSF, ISO 27001, and SOC 2, so a new cyber leader inherits a baseline and a shared vocabulary. Physical security has no widely adopted equivalent. Every program gets rebuilt from the leader's individual experience, and the methodology resets with each hire.

Most companies defer building that foundation until an incident makes it the only thing the board wants to talk about. There is a different way to run this. Build the governance frame first (risk register, controls library, policy suite, roadmap), and the security leader inherits a foundation rather than reconstructing one. This holds whether the leader is already in seat or still being hired. The work belongs to the program, not to a single person. We call this approach Anticipate. Adapt. Secure.

One Engagement, Multiple Disciplines 

Building all of this from scratch requires capabilities that are rarely housed in a single hire. Risk quantification draws on actuarial and financial modeling. Policy writing is a distinct skill from risk analysis. Program management is a discipline of its own.

The traditional answer was to hire several people, or to engage multiple specialist consultants. Neither option is accessible at the stage when most fast-growing tech companies actually need this infrastructure: before they have the headcount budget to justify it, and before an incident forces the question.

The Holtium model is designed to deliver all of this from a single engagement and a unified platform. One relationship brings the risk analyst, the policy writer, and the program manager, working from the same system of record, against the same roadmap. The output is not a report. It is a functioning program: a live risk register with dollar values attached, a controls library mapped to specific risks and locations, a document library ready to tailor and publish, and an action plan with milestones.

Risk gets reported in dollars, not heat maps, because a dollar figure is something a CFO can weigh against the cost of a control. The work that used to require three separate hires comes from one organization in one run.

For the security leader managing physical security alongside workplace services, facilities, and a dozen other responsibilities, this matters in a specific way: the documentation, the quantification, and the roadmapping are not added to their plate. They are produced as part of the engagement. The leader's job becomes deciding what risks to accept, what controls to fund, what trade-offs are right for the business, not writing the policies and assembling the registers themselves. 


Built for the Way Fast-Growing Tech Actually Works 

Holtium is building Physical Risk Governance: the operating layer for physical risk that cyber has had for a decade. The Anticipate. Adapt. Secure. methodology delivers the governance frame before the operator: a security program management structure the current leader can run with AI-augmented support, and that any future hire inherits fully intact. The risk register exists. The controls are documented. The policies are drafted. The security program does not reset when the org chart changes. 

As we have explored in our piece on security as a partner for growth, physical security delivers the most value when it is built as a continuous operating capability, not a project that starts over each time a role turns over. Done this way, security program management is not a hire deferred until the next budget cycle: it is the operating layer already running. Request a scoping call to see what that structure looks like for your organization.
