Security recommendations should begin with risk, not with a product catalogue.
Yet in many organisations, security decisions are strongly influenced by the people who sell, install, manage or operate the proposed solution. A guarding provider may recommend more guards. A technology supplier may recommend more cameras, analytics or access-control equipment. An installer may identify weaknesses that conveniently align with what can be supplied. A close-protection provider may see executive movement primarily through the lens of deployment.
These recommendations may be sincere. They may even be useful. But they are not fully independent.
When the same party assesses the problem and benefits from the proposed solution, the organisation should recognise the actual, potential or perceived conflict of interest. It does not mean the advice is wrong. It means the advice should be tested.
Independent security recommendations are important because security decisions often involve cost, liability, operational disruption, reputational exposure and the protection of people. Those decisions should be based on assessed risk, control effectiveness and proportionality — not on the commercial interest of selling a particular service or product.
The Difference Between Advice and Sales
Security providers often have valuable technical and operational knowledge. Guarding companies understand deployment. Technology providers understand systems. Installers understand infrastructure. Close-protection teams understand protective operations. These perspectives can be useful.
But advice and sales are not the same function.
Advice should answer:
- What is the risk?
- What threats are credible?
- Where are the vulnerabilities?
- Are current controls effective?
- What level of treatment is proportionate?
- What should be prioritised?
- What residual risk remains?
Sales usually answers different questions:
- What can we provide?
- What product, service or contract can address the issue?
- How can the client be moved towards implementation?
Both functions may be legitimate. The problem arises when they are blurred.
If an organisation asks a product supplier to assess its risk, the answer may be shaped by product thinking. If it asks a guarding company to assess its risk, the answer may be shaped by manpower thinking. If it asks an installer to review the site, the answer may be shaped by what can be installed.
A risk assessment should not begin with the solution. It should begin with the exposure.
Why Commercial Bias Matters
Commercial bias does not always appear as deliberate manipulation. Often, it is simply the natural result of perspective.
This is why independence, disclosure and traceability of recommendations matter.
People tend to see problems through the tools they know. A technology company may see detection problems. A guarding provider may see supervision or deployment problems. A hardware installer may see perimeter or access-control problems. A consultant with a particular preferred framework may see the problem through that framework.
The risk is that the organisation receives a recommendation that is technically plausible but strategically incomplete.
For example:
- More cameras may be recommended when the actual weakness is poor response.
- More guards may be recommended when the actual weakness is weak procedure and supervision.
- New access-control technology may be recommended when the actual weakness is poor enrolment discipline or tailgating.
- Executive protection may be recommended when the actual need is better movement planning, information control and route variation.
- A new fence may be recommended when the real problem is detection, lighting and response coordination.
In each case, the proposed solution may address part of the issue, but not necessarily the risk system as a whole.
Risk Should Determine the Solution
A structured security assessment should first define the risk problem.
This requires analysis of:
- the operating context;
- asset criticality;
- credible threats;
- vulnerabilities;
- current control effectiveness;
- likely consequences;
- existing response capability;
- operational constraints;
- governance requirements;
- residual vulnerability and residual risk.
Only after that should treatment options be considered.
This sequence matters. If the solution is selected too early, the assessment may become a justification exercise. The organisation may end up buying something that appears sensible but is not proportionate to the actual risk.
Good security recommendations should be traceable back to the assessment findings. A recommendation should explain what threat it addresses, what vulnerability it reduces, how it improves control effectiveness, why it is proportionate, and what residual risk remains after implementation.
Without that logic, recommendations can become a shopping list.
The Problem with Product-Led Security
Product-led security often creates the impression of progress. New equipment is visible. Budgets are spent. Boards and managers can point to tangible improvements. Suppliers can demonstrate capability. The site appears more secure.
But visible improvement is not always risk reduction.
A camera does not reduce risk if it does not detect the relevant event. Analytics do not reduce risk if alerts are unmanaged. Access control does not reduce risk if credentials are poorly controlled. A fence does not reduce risk if it is easily bypassed or not monitored. A control room does not reduce risk if operators are overloaded or poorly trained.
Product-led security becomes especially problematic when technology is used to compensate for weak governance, weak procedures or weak response.
In those cases, the organisation may continue adding controls while the underlying risk remains unresolved.
The Problem with Service-Led Security
The same problem exists with service-led recommendations.
A guarding provider may recommend additional posts, longer hours, more patrols, armed response or specialised units. These may be necessary in some cases. But they should not be assumed before the risk has been assessed.
The question is not simply whether more personnel can be deployed. The question is whether the deployment will reduce the relevant risk.
Security personnel can only be effective when roles, authority, supervision, procedures, communication and response arrangements are clear. More guards do not automatically create better security. In some cases, the problem is not the number of guards but the absence of direction, training, control, oversight or integration.
An independent assessment helps separate a staffing problem from a risk-design problem.
Independent Recommendations and Governance
For boards and executives, independence is not a technical nicety. It is a governance issue.
Security decisions often involve high cost and high consequence. If a serious incident occurs, leadership may be asked why certain controls were approved, why recommendations were accepted, and whether the organisation relied too heavily on interested parties.
Independent recommendations help leadership demonstrate that decisions were based on structured analysis, disclosed assumptions and traceable reasoning rather than supplier preference.
This is especially important where:
- major security expenditure is being considered;
- a provider is recommending additional services;
- technology upgrades are proposed;
- executive protection measures are being debated;
- incidents continue despite existing controls;
- internal assurance is weak;
- governance committees require defensible evidence.
A recommendation is stronger when it can be shown to arise from risk analysis, not from commercial opportunity.
Independence Does Not Mean Ignoring Providers
Independent assessment does not mean excluding service providers, installers or technology specialists from the process.
Their input may be valuable. They may provide technical information, system limitations, response data, maintenance records, incident history, staffing models or operational insight. A good assessment should consider that information.
But the assessor should remain free to evaluate it critically.
Provider input should inform the assessment. It should not control the conclusion.
The final recommendation should belong to the risk analysis, not to the sales process.
Proportionality Matters
One of the most important functions of independent advice is proportionality.
Not every weakness requires a major investment. Not every risk requires the highest level of control. Not every executive movement requires close protection. Not every estate requires more guards. Not every site requires new technology.
Sometimes the correct recommendation is procedural improvement. Sometimes it is better supervision. Sometimes it is control integration. Sometimes it is maintenance discipline. Sometimes it is training. Sometimes it is a technology upgrade. Sometimes it is additional protection. Sometimes it is formal acceptance of residual risk.
The point is that the recommendation should be proportionate to the risk.
Independent assessment helps prevent both under-reaction and over-reaction. It can show where controls are inadequate, but also where proposed measures are excessive, poorly targeted or unlikely to deliver meaningful risk reduction.
The Right Question to Ask
Before accepting any security recommendation, leadership should ask: What assessed risk does this recommendation reduce?
That question should be followed by:
- What threat scenario is being addressed?
- What vulnerability is being reduced?
- How does this improve control effectiveness?
- What consequence is being mitigated?
- Is the recommendation proportionate?
- Is the person recommending it commercially interested in the outcome?
- What residual risk remains if the recommendation is accepted?
These questions do not prevent implementation. They improve it.
They help ensure that security expenditure is directed towards risk reduction rather than appearance, habit or supplier preference.
Conclusion
Security recommendations must be independent because security decisions matter.
They affect people, assets, operations, budgets, governance and reputation. They should not be driven primarily by what a provider sells, installs or manages. They should be driven by credible threat analysis, asset criticality, vulnerability assessment, control effectiveness, consequence and residual risk.
Providers and suppliers can play an important role in implementation. But the decision about what is needed should first be grounded in independent risk assessment.
That is how organisations avoid supplier-led security, disproportionate expenditure and recommendations that treat symptoms rather than risk.
Keown & Associates provides independent security risk assessment and advisory services. The firm does not sell guarding services, hardware, installation contracts or operational security deployments, allowing recommendations to remain focused on assessed risk and defensible decision-making.