How to approach corporate security in an increasingly febrile society
March 2026
Warren Buffet famously said “Only
when the tide goes out do you
discover who’s been swimming
naked”. He was talking about the
credit markets, of course, but he
could have been describing the
security setup at any number of
global organizations.
Armstrong Craven recently reviewed the corporate security structures at 10 major businesses across banking, energy and manufacturing. The picture we discovered was one of confusing reporting lines, diminished headcounts and institutionalized complacency.
True, since the tragic assassination of United Health CEO Brian Thompson and the on-site murder of Blackstone executive Wesley LePatner, a number of companies have rushed to review their people and asset protection policies. But knowing you need to run a tighter ship is not the same as knowing what measures to take. The sources we spoke to often disagreed on best practice and sometimes seemed to equivocate on what we consider fairly straightforward questions.
In particular, three points at issue emerged. And with the bird’s-eye view of the market that we gained during our research, we think we’re well placed to suggest some compelling answers to each one.
1. Where should security report up into?
Say the words ‘corporate security’ to a layperson and they probably think of thickset guards in epaulettes. But security is so much more than that. It covers executive protection, travel, investigations, intelligence, cybersecurity and crisis management. Given that broad coverage, the oft-observed reporting line into a Head of Corporate Services (alongside catering, cleaning and reception services) seems very narrow-minded.
So where should security report? Our research identified upward reporting linesinto a wide range of functions including the CEO, Legal, HR, Technology andOperations. The sheer variety of models suggests the market as a whole doesn’t know what good looks like. Of course, each person we spoke to had some sort of rationale for their particular reporting line, but let’s just say some arguments were more compelling than others.
Answer:
Our view is that security should report to the General Counsel.
Firstly, keeping your people and assets safe is a matter of operational risk. In the same way that risk and compliance often report up into Legal, so should security. Secondly, as one source put it, “if anyone gets killed, that very quickly becomes a legal issue”. Dealing with the consequences of security failures – and learning from those failures – is far easier if you have the firm’s best legal minds on the case. Lastly, there is an unavoidable overlap between security and insurance; this means that all documentation referring to minimally required security details needs to be scrutinized by a lawyer.
But perhaps the most persuasive argument is this. Sources who worked within a security team reporting into some function other than Legal usually suggested this was sub-optimal. Those who operated within a Legal-oriented setup usually agreed it worked just fine.
2. Should Cybersecurity be treated as a separate function?
Some companies have corporate security existing as a separate function to cybersecurity. According to this model, the first will report up into Legal, say, while the second sits firmly within the CIO’s office. By contrast, other companies position cybersecurity as a peer-function to corporate security with both reporting into the overall Chief Security Officer (CSO). So which is right?
The argument for keeping them separate is that cyber-risk is an enterprise-wide issue which should be the responsibility of a highly tech-literate senior leader. However, there are functions within traditional corporate security (e.g. threat analysis) which would benefit from close collaboration with cyber professionals; therefore having the disciplines as peer functions is also a persuasive setup.
But perhaps an authoritative answer is only elusive because companies are asking the wrong question.
Answer:
We think a better approach is to ask whether your security team is tech-literate. After all, almost every aspect of security has a tech angle these days. Think of such issues as face recognition, turnstiles, elevators or weapons detection. If you’re not using state-of-the-art technology to explore solutions to all these security challenges, then you’re probably
missing a trick.
And the only way to ensure this mindset is in place is to appoint a Head of Security who is themselves highly schooled in technology. It’s feasible that person might also be a sensible appointment as Head of Cybersecurity, but that’s beside the point.
The key is to ensure (a) the entire function is fully digitized, and (b) if you do keep the two roles separate, they at least work very closely together.
3. Should you outsource and, if so, when?
There is a certain well-known global bank which has spent the last few years drastically reducing its full-time security headcount. The driver appears to have been cost. But now the business is considering a U-turn and ramping up its internal team again. Sources speak of a lack of continuity, inconsistent quality among its contractors and a general sense that some roles simply can’t be effectively delivered by external suppliers.
Then again, we know of a manufacturing firm which reports cost-reductions of up to $10 million per annum via outsourcing various aspects of its security. Is there not a happy mid-point where a business can access those kinds of savings while also avoiding compromising on safety?
Answer:
In short, yes, there is.
Outsourcing security can be sensible or disastrous depending on the context. One role that almost all companies outsource is guarding. It’s cheaper, it allows you to access a huge, qualified talent pool and you can dial resource up or down depending on your needs.
But it’s not a one-size-fits-all solution. A lot of companies choose not to outsource guarding where their headquarters are concerned. Maximizing protection for your CEO and senior leaders means surrounding them with well-paid (probably armed) employees who have some deeper sense of loyalty to the business than a guard-for-hire might have.
Other functions which can and probably should be outsourced are event security, control room monitoring and any technology installation.
Meanwhile, other functions should always be kept in-house. These include executive protection, investigations and crisis management. Of course, the best security leaders will demand high salaries to run these functions, but not having those people in place could end up costing you a whole lot more.
Security has long been the poor relation of the corporate family. Ask someone to name a C-suite role and they’ll get through quite a few job titles before they say ‘Chief Security Officer’. But in these increasingly unstable times, businesses cannot adopt the same blasé attitude to one of the most crucial corporate functions.
Security teams need to be properly staffed, efficiently structured and overseen by proven leaders who have genuine influence in the boardroom. Easier said than done, perhaps, but if you’re looking at reviewing your own security setup, why not get in touch with us first and find out how and why other companies have succeeded or failed.
