Physical penetration testing is often viewed as a technical exercise. It’s about testing locks, doors, alarms, and access control systems. But beneath the surface, these tests often reveal something much more consequential: the culture of the organisation.
At GRC4, we’ve conducted physical penetration tests across some of Australia’s most sensitive facilities. In nearly every case, the true insight isn’t how we got in, it’s why no one stopped us. What the test reveals isn’t just a gap in infrastructure, but a pattern of behaviour that puts the entire security program at risk.
These red flags aren’t about the equipment. They’re about the mindset.
When the Real Problem Isn’t the Fence
Security culture isn’t something you find in a policy manual. It’s revealed through actions, especially when no one thinks they’re being watched. Penetration tests, by design, place pressure on systems and people in unanticipated ways. And the patterns we observe say far more than the technical findings in a report ever could.
Whether it’s a contractor taking a shortcut or a team member hesitating to speak up, these small decisions become leading indicators of a deeper issue. Over time, they shape a culture that is either risk-aware or risk-permissive.
Here are five of the most consistent cultural red flags we encounter during real-world physical penetration tests.
Red Flag 1: “It’s Not My Job to Ask”
The first and most common red flag we see is passive disengagement. Staff see something unusual, such as an unfamiliar person in a restricted area, a suspicious behaviour, an access control anomaly, but they choose not to act. Sometimes it’s hesitation. Sometimes it’s a belief that someone else is responsible. But the result is the same; an opportunity to stop a breach is missed.
When we ask staff afterward why they didn’t intervene, the answers are revealing. They didn’t want to confront someone. They assumed the person had been cleared. They weren’t sure if it was part of a test. These aren’t individual failures, they’re symptoms of a culture where clarity around ownership is lacking. Security becomes someone else’s problem.
In mature organisations, team members know what they’re expected to do and feel empowered to do it. Where that’s missing, even the best systems are compromised by silence.
Red Flag 2: Convenience Overrules Policy
In many environments, we see staff bending rules for convenience. A secure door is propped open for deliveries. A visitor is waved through without a proper check. A swipe card is loaned to a colleague “just for a minute.” The justification is always the same: it saves time.
These behaviours might seem harmless, but they are the cracks through which serious threats slip. In penetration tests, they are the openings we exploit most often. And when these behaviours are routine, it’s rarely due to ignorance. It’s because the culture implicitly allows it.
Security policies are only effective if they’re consistently applied. If the rules change when the office gets busy or when the supervisor isn’t around, they’re not really rules. They’re suggestions.
Red Flag 3: Leadership Is Invisible
In organisations where physical security underperforms, we often find that leadership is missing from the conversation. There is no senior figure actively sponsoring security awareness. There’s no visible accountability for procedural drift and there’s no regular engagement with what’s really happening on the ground.
This absence creates ambiguity. If supervisors don’t reinforce expectations, staff won’t feel the need to uphold them. If executives never reference security, it’s seen as peripheral to core business. Over time, this creates a dangerous gap between what’s documented in the policy and what’s delivered in practice.
In organisations with strong security culture, leadership sets the tone. They ask questions, they challenge assumptions, and they make it clear that physical security is not a “facilities issue”, it’s a strategic priority.
Red Flag 4: Training Stops at Induction
Another red flag is the presence of training that only exists on paper. In many of the facilities we test, security induction is part of onboarding but after that, there’s no reinforcement. No drills. No refreshers. No testing of real-world scenarios.
When we gain access during a penetration test, it’s often because someone didn’t know what to do, or forgot what was expected. That isn’t necessarily a knowledge issue, it’s a maintenance issue.
Security awareness fades quickly without reinforcement. If your last physical security training happened when your staff badge was printed, chances are the procedures haven’t kept up with the threats. And in our experience, when training isn’t embedded into ongoing operations, the behaviour during a test reflects that neglect.
Red Flag 5: Security Success Is Defined by “No Incidents”
The final cultural red flag is perhaps the most dangerous: complacency disguised as success. Organisations often point to a lack of incidents as proof that their security controls are working. But in many cases, that absence of activity reflects an absence of detection.
When penetration tests are successful, it’s often because there are no consequences for failure. Alarms are ignored. Access violations go unreported. Suspicious behaviour is rationalised away. And when leadership relies on this false sense of security, the risk isn’t just hidden, it’s institutionalised.
Resilience is not defined by the absence of incidents. It’s defined by the ability to prevent, detect, and respond to them. A security culture that assumes “everything must be fine” simply because nothing has gone wrong yet is the one most at risk of failure.
Turning Red Flags into Leadership Action
The value of a penetration test isn’t just the breach report, it’s what happens next. Each red flag is an invitation to have more meaningful conversations, about leadership visibility, staff empowerment, operational consistency, and behavioural reinforcement.
For boards and executives, these tests provide a rare window into how security actually functions. They cut through audit reports and policy documents to expose what’s really happening at the frontline.
At GRC4, we use these insights to help leadership teams understand the cultural foundations of security. We don’t just point to the unlocked door, we explain why it was left open, what assumptions made it possible, and what systemic factors must change to ensure it doesn’t happen again.
Final Thought
You can have the best systems in place but if your culture doesn’t support them, they won’t hold.
Physical security failures aren’t just the result of poor infrastructure. They’re the result of misaligned expectations, inconsistent behaviour, and leadership gaps. Penetration testing reveals these patterns not as isolated incidents, but as organisational signals.
At GRC4, we assess more than just your buildings. We assess the behaviours behind them. Because in the end, the greatest threat to your security might not be what’s outside the fence but what’s been normalised inside it.


