The Victorian Auditor-General’s Office (VAGO) published an independent assurance report to the Victorian Parliament regarding physical security of government facilities and accommodation (2019). The audit focused on physical security as it relates to protective security, which also includes information and personnel security. It is a report that deserves attention and reflection by people with management responsibilities for government facilities and accommodation in other States and Territories.

The report describes the overarching concern, ‘The risk comes from individuals or groups who, for a variety of reasons—some malicious—will seek to threaten staff, attack systems and processes, or damage or steal property. Unauthorised access to government buildings could put staff health and safety at risk and cause significant disruption to public sector services’.

The report’s conclusion included an observation that ‘The security infrastructure at the facilities we examined was adequate, but its effectiveness as a deterrent to unauthorised access was undermined by human error, enabled by a weak security culture. This weak security culture among government staff is a significant and present risk that must be urgently addressed’.

This observation is consistent with the physical security vulnerability reviews that we have conducted on many government, commercial and educational workplaces across the country.

Whereas government agencies are expected to develop a security culture, commercial and educational organisations are less likely to put any effort into it. Questions like ‘what should our security culture look like?’ or ‘what is our security culture?’ are rarely asked. Commercial and educational organisations rely heavily on security infrastructure and security personnel, which are essential but insufficient.

One of the salient findings in the report states ‘Victoria’s current security governance arrangements are not fully effective’. The hard reality is that many public and most private organisations fail to have their security governance framework properly developed or objectively assessed. Ineffective security governance typically becomes obvious after a serious security incident and during court cases where it is alleged the employer or property owner failed in their duty of care in relation to security.

Irrespective of your type of organisation, security risk management needs to be a governance imperative. This includes, among other requirements, ensuring that security risk management is embedded in enterprise risk management and that security capability is fully appreciated in business continuity planning. In terms of due diligence, only independent audits by subject matter experts should determine the integrity of security risk management.

The report is available on the VAGO website, and the embedded YouTube presentation of the report (less than 6 minutes) is worth viewing.

Although (much) older, the audits on Australian Government physical security by the Australian National Audit Office raise many issues that remain relevant today. The audit reports are great reading for motivated security managers and students of security; just type in ‘security’ at