Why physical security needs a bigger role

As uptime becomes ever more critical, Rob Middaugh, President, Hana Security Services, explains why physical security should be treated as a core part of operational resilience, not just a front-desk function.

Data centres have quietly become some of the most critical pieces of infrastructure in modern society. As AI adoption accelerates and digital services underpin much of what we depend on, the importance of uptime has moved from a business metric to a broader operational necessity.

For data centre operators, availability is everything. But while enormous attention is given to redundancy, cooling systems, power resilience, and network architecture, physical security is often reduced to a checkbox: guards at the gate, access control badges, CCTV on the perimeter.

That mindset is increasingly difficult to justify.

Physical security is not a static function. It is a layered system designed to protect continuity of operations. In a data centre environment, where even brief interruptions can have wider consequences, security should be understood as part of the operational ecosystem itself.

Start with what’s truly critical

Effective security design does not start with cameras or guards. It starts with clarity. The first and most important question leaders should ask is simple: what, specifically, is most critical to continuous operations?

Rank them.

The server rooms?
Primary power feeds?
Backup generators?
Cooling systems?
Network connectivity?
On-site personnel?

Unlike a retail site or office building, where a power outage is disruptive but temporary, data centre operators recognise that loss of power can halt operations almost immediately. Backup systems mitigate risk, but they are also potential points of vulnerability and should be protected accordingly.

Effective security planning begins by defining these critical assets and designing layered protection around them.

The visible and not-so-visible rings of layered security

A well-designed facility uses concentric rings of protection. Some forms of protection are visible: perimeter fencing, hardened gates, ballistic walls, CCTV, intrusion detection systems, and on-site officers. These provide deterrence. They signal that the site is not a soft target. If a hostile actor sees alert personnel, active patrols, and robust infrastructure, that may influence their assessment of the site.

But some of the most important rings of security cannot be seen. Access protocols, compartmentalised privileges, biometric authentication, surveillance detection training, and response coordination procedures provide the structure behind the visible measures. They are also the parts of the system an adversary cannot easily observe or plan around.

The best way to defeat an attack is to see it coming

Consider this: before any attack, whether sophisticated or opportunistic, there is observation.

Adversaries assess defences. They study patterns: shift changes, patrol routes, access procedures, and blind spots.

The officer stationed at the gate may be well placed to detect that pre-operational surveillance, if they are trained to do so.

Surveillance detection training teaches personnel what to look for: individuals lingering without purpose, vehicles returning repeatedly, or subtle behavioural cues that suggest reconnaissance. On their own, these observations may seem insignificant. But when documented and centralised, patterns can emerge.

Most of the time, such observations lead nowhere. But when they do matter, early detection can be the difference between prevention and response.

Not all guard forces are equal

Data centre operators have options when selecting security providers, but not all guard forces deliver the same capability.

For critical sites, the selection criteria should go beyond cost and headcount.

Key considerations include:

Experience: Personnel with military, law enforcement, or critical infrastructure backgrounds may have a stronger grounding in layered protection and threat assessment.
Training depth: Competency-based training in surveillance detection, emergency response, access control, and escalation procedures.
Management infrastructure: Systems to catalogue incident reports, correlate historical data, and refine threat assessments over time.
Professional standards: Alert, disciplined personnel who project competence. Appearance and posture can influence deterrence more than many realise. A disengaged or poorly presented officer may signal vulnerability.

More importantly, sustained performance requires investment: ongoing training, cohesive team culture, and leadership oversight that reinforces standards consistently.

Security is a result

One of the most important points for data centre leaders is this: security is not a product you install. It is the outcome of decisions made at every stage, from site selection and architectural design to SOP development, technology integration, and personnel training.

Break any link in that chain and the result weakens:

A poorly designed layout creates blind spots
Unclear procedures create confusion under stress
Undertrained officers fail to recognise warning signs
Weak integration between technology and personnel slows response

Security failures rarely occur because of a single dramatic oversight. More often, they happen because small compromises accumulate until the system no longer performs as intended.

In aviation, accident investigators often trace incidents back through a chain of decisions. Each individual error may seem minor, but together they produce serious consequences.

Security operates in much the same way.

Security is a strategic conversation, not a checkbox

For executives and boards overseeing data centre development, the most important step is to elevate security from an operational afterthought to a strategic design conversation.

Ask: