How to Build a Security Strategy That Actually Works

Permacrisis—a prolonged era of overlapping disruptions, accelerated decision-making, and constantly heightened risk—is leading to burnout among security staffs and making it impossible to judge what is a true emergency. Here’s what to do about it.

Key Highlights

  • Organizations face overlapping crises such as global instability, cyber incidents, and social unrest, creating a 'permacrisis' environment that demands structured security strategies.
  • Security teams should develop clear frameworks, including incident severity tiers and role-based escalation paths, to restore clarity and reduce decision fatigue.
  • Aligning security initiatives with business objectives and framing them as resilience efforts helps secure executive buy-in and demonstrates value beyond simple activity metrics.
  • Integrating security into business continuity planning across prevention, management, response, and recovery phases ensures organizational resilience during ongoing disruptions.
  • Measuring meaningful outcomes related to risk, impact, and reputation is crucial for demonstrating security program effectiveness to leadership.

From global instability to local crime trends, cyber incidents, social unrest, and more, organizations are experiencing a multitude of overlapping disruptions. Security teams without a plan to manage these disruptions are at risk of decision fatigue and burnout from the constant pressure, according to GMR Security Consulting Group CEO Mary Gates, who refers to today’s security environment as a state of “permacrisis”—the domino effect of nonstop crises with no recovery time.

“Reactive posture now becomes the norm,” Gates said. “You have difficulty distinguishing between signal—real risk—and the noise, because there’s constant pressure. Then you have increased scrutiny from executives during every incident because there are so many of them. Security is no longer episodic—it’s persistent risk management under times of uncertainty.”

Today, security management requires critical action from leaders, Gates said. This includes:

  • Prioritizing certain risks
  • Establishing clear incident severity tiers so everyone understands what’s routine, elevated, and critical
  • Defining decision thresholds that are tied to business impact, not just fear
  • Having clear playbooks to ensure consistent response that’s not based in emotion
  • Designing escalation paths that are role-based, not personality-based

“We have to have clear frameworks to restore clarity,” Gates explained.

How to Prioritize What Matters Most

Building that clear framework starts with understanding that not everything is a true emergency. The security plan needs to align with business objectives, explained Sean Ahrens, security market group leader for Affiliated Engineers, Inc.

“When you meet with the C-suite, you need to have that plan developed: this is the roadmap, this is what I’m thinking, and this is what I’m going to need for monies,” Ahrens said. He also suggests framing the program as resilience, not just security.

“Resilience conveys maturity, you’re going to get money back from this, you’re proactive,” Ahrens added. “What does security convey to you? ‘I don’t do anything until something happens.’ That’s the difference. It’s a psychological change. Resilience is important to the business.”

Executive alignment is key to the success of your program, Gates said, and it requires a risk-based security and resilience strategy tied to what the organization cares about. Buy-in also requires measurable outcomes, not just simple activity metrics. Executives think in terms of risk, impact, and reputation, so you can frame your conversations and reporting around those concepts—for example, illustrating how your security decisions support brand trust or regulatory confidence.

“You can measure how many things did I respond to, but is that really important? You want your measurable outcomes to be meaningful,” Gates said. “I hear a lot of times, how many alarms did we respond to, or how many camera events did we respond to? That’s good data, but did it mean something? Does it mean something to your executives? Make sure what you’re measuring is important to the people who are receiving that data.”

Building a Better Security Program

Security isn’t just about stopping something bad from happening—it’s about keeping the larger organization operating, Gates said. Security should be part of business continuity and recovery planning, not a separate function, and it needs to account for four phases: prevention, management, response, and recovery.

Prevention: This phase involves looking at metrics and understanding risks to see where your program is weak and respond accordingly, Ahrens said. “With metrics, we can say, ‘We had a significant number of medical issues here. How do we support that? Let me get my staff trained on CPR and AEDs, or let’s look at some debriefs and understand what that medical exposure is,’” he said. “It’s thinking about those things in the organization and building out programs on the prevention side.”

Management: “The management side is about being there when something happens—being able to deal with workplace violence or a crisis and having the connections and resources to manage that incident,” Ahrens said.

Response: This step may involve knowing how to talk to law enforcement or working with your organization’s public information officer for any immediate post-incident needs, Ahrens said.

Recovery: Plan ahead for the aftermath of incidents as much as you can. Know how you’ll protect critical business functions and assets. “Defined recovery objectives for facilities and operations should be considered as part of business continuity,” Gates said. “Too often, when people think about business continuity, they get hung up on IT—but it’s not just that. You’ve got to have people, you’ve got to have facilities, and you’ve got to have the safety and security of the people who are going to staff those locations… All of those things need to be part of security’s planning with facilities, IT, and HR, in order to make arrangements and coordinate how to bring your people back into work, bring your facilities back to a recovery state, and bring your operations back online.”

About the Author

Janelle Penny

Editor-in-Chief at BUILDINGS

Janelle Penny has been with BUILDINGS since 2010. She is a two-time FOLIO: Eddie award winner who aims to deliver practical, actionable content for building owners and facilities professionals.
