
The Technophilia Trap: Why Principles Matter More Than Tools in Security Programs & Strategies


There is an interesting – albeit circuitous – parallel I keep thinking about: how America’s private security industry propagates technology today mirrors how the U.S. approached espionage during the Cold War.

During the Cold War, we approached spying in line with our culture – technophilic, and deeply tied to the incentives and feedback loop of market demands. The Soviets, on the other hand, primarily relied on good spy-work (tradecraft). Interestingly, while the U.S. was ultimately victorious in that extended geopolitical rivalry, the “East Bloc won the spy wars” because of its focus on people – not technology. As security professionals, this pattern should give us pause.

The Current State of Security, and How Most Organizations Approach It

In the case of private security today, everyone from tech companies and private schools to corporate security managers and ethno-religious nonprofits has invested in some form of technology to support their organizations: they have purchased cameras with advanced analytics, open-source intelligence collection and analysis platforms or services, artificial intelligence-enabled weapons detection scanners, and the list goes on.

Of course, nonprofits are not in a war with a powerful geopolitical adversary. Neither are schools. Nor tech companies, for that matter. Many of these organizations are wildly successful enterprises, and most of them never experience a life-changing tragedy because of a security or intelligence failure. However, when they do, in my experience it is because of the errors, oversights, misjudgments, and honest mistakes that people make – not because of a manufacturer’s defect or a failure of the organization’s security equipment to function properly.

To help reinforce my point, a 2017 Government Accountability Office review of physical security failures at the National Institute of Standards and Technology (NIST) found that breaches resulted from organizational structure problems, inadequate procedures, and poor training – not equipment malfunction. GAO investigators achieved 100% success in 15 unauthorized access attempts using “very basic espionage techniques.” Again, it was not the technology that failed, it was the people and organizational processes.

Security Technology as Mechanism, Not Solution

Systematic attribution of security failures to human versus technology causes is well-developed in cybersecurity but remains underdeveloped for physical security. While government audits document that physical security breaches stem primarily from organizational and human failures rather than equipment malfunction, no centralized databases or meta-analyses aggregate these findings. Because of this, organizational security strategy must synthesize the domain-adjacent evidence and case-specific physical security investigations, and rely on foundational security principles.

Specific technologies designed to ameliorate security problems – advanced cameras, lockdown devices, or weapons detection software, for example – are mechanisms that enable a desired safety and security end-state; they are pieces of a puzzle that do not automatically connect. Focusing on (and purchasing) technology over focusing on the people who must leverage that technology, or the processes which enable that security technology to connect with the broader program, is to miss the forest for the trees.

At no point in time – and the recent tragedy near NFL headquarters is a perfect example of this – has weapons detection software installed on a camera self-animated and physically stopped someone from causing harm to other people. And at no point in time has a door ajar alert automatically dispatched staff to respond to a security breach. 

Technology enables organizational security programs. It does not, however, execute, integrate, or sustain them.

What Principles-First Organizational Security Strategy Actually Looks Like

The U.S. Army’s Army Doctrinal Publication (ADP) 3-37 Protection identifies five foundational security (protection) principles that transcend technology and tactics:

  • Comprehensive: All-inclusive approach using complementary and reinforcing protection tasks and systems.
  • Integrated: Vertical and horizontal coordination across echelons, domains, and unified action partners.
  • Layered: Deliberately arrayed capabilities to provide depth through multiple overlapping defenses.
  • Redundant: Secondary or auxiliary protection measures for critical capabilities, areas, and information.
  • Enduring: Ability to prevent or mitigate detection and threat effects over extended periods.

These are not just abstractions – they are functional principles that structure security architecture decisions regardless of the available technology. These security principles apply whether you are protecting a military base, corporate campus, private residence, church, or synagogue. The implementation of these principles will vary, and contextual application must shift from facility to facility and operation to operation, but the principles remain stable.

Consider “layered” security: In physical protection, this means multiple perimeter barriers, access control zones, and monitoring systems. In cybersecurity, it manifests as defense in depth – perimeter firewalls, endpoint protection, network segmentation, application security. In protective intelligence, it means compartmentalization, internet protocol (IP) address obfuscation, and cover accounts. In all of these cases there are different instantiations but the same underlying principle: no single point of failure should compromise the entire system.

Contrast this with the approach taken by NIST SP 800-171r3, which, as opposed to overarching principles, provides operational security requirements derived from control baselines:

  • Physical Access Authorizations.
  • Monitoring Physical Access.
  • Access Control for Transmission, etc.

While these requirements are vital, they are nonetheless requirements, not principles. Requirements tell you what to do. Principles explain why and guide you when the requirements don’t perfectly fit your context. 

Similarly, the 2021 edition of the Interagency Security Committee’s Risk Management Process provides exactly what the title implies: a process and countermeasure-driven approach to security and risk management. This includes:

  • Structured methodology.
  • Facility security levels.
  • Baseline security countermeasures. 

Again, these processes are essential, but they are nonetheless processes and not principles.

To be candid, I am somewhat disconcerted by the fact that one cannot easily find academic or government publications that identify security program principles beyond the ADP referenced above, which explicitly titles a section “principles of protection.” This gap reveals something about how we think (or fail to think) about security program architecture.

Why This Matters for Stewards of Organizational Security Programs & Strategies

Principles provide the framework technology and actions must fit within – technology changes; principles remain stable. An organization that understands it needs comprehensive, integrated, layered, redundant, and enduring protection can evaluate any proposed technology or procedure, and indeed the program itself, against those criteria. A principle-driven strategic approach to security would require one to ask:

  • Does this camera system integrate with our access control? 
  • Is this policy feasible, and does it create redundancy for critical security functions? 
  • Will this approach endure through leadership transitions and budget cycles?
  • What are the critical requirements that enable our organization’s mission?
  • Which of those are most vulnerable to disruption? 

Without principles, organizations can end up pursuing expensive security technology that sounds great but doesn’t serve strategic coherence. It’s like buying premium vitamins when you’re malnourished – wrong priority entirely.

Finally, it is important to recognize that our cultural bias toward the tangible over the abstract is not inherently wrong. Historian Kristie Macrakis demonstrates in her analysis of Cold War espionage that this technophilic tendency drove remarkable innovation – even as it created blind spots in operational tradecraft. But in security, as in Cold War espionage, it can create unnecessary vulnerabilities. This is why, at Convoy Group, we emphasize the value of people, processes, and culture-oriented security solutions over simplistic technological fixes. For sure, cameras are a key component of office security hardening, but they matter little if no one monitors the feeds.