Chapter 57: Magazine Shoot

My work may seem like a lot of fun at the expense of a client, but it obviously has to have a point. The end result of an assessment is to improve security, and during the assessment, I am there to find the baseline lowest security awareness.

Let me explain that a little.

I hope you can see that a company where I can enter, remove items, and leave without security intercepting me has a worse security posture than one that, say, prevents me from removing an item or accessing a specific area. Security posture is your readiness to prevent a security breach, whether digital or physical.

My job on site is not just to get in. It is to find the lowest point of that security posture. What is the least effort required to perform the action expected? That is, what can I get away with? It is not just a question of getting in, because time is always on the attacker's side.

I have been doing this for almost three decades, and I have a 100% success rate at gaining access. Does that mean I am the world's best? No, it means I strategically pick my opportunity to take advantage of security issues, and that can require some time to do. As a result, the attack I perform will not always work. The other disadvantage of gaining access is that the client only learns about a single flaw: say, one window that was a weak point that day, or one time a gate was left ajar too long. It does not give them an overall holistic view of their security.

To understand a client's security ...
