The Onion by John Sephton

OK, I hear you think, but this onion is going to help me go through the basics of physical security of any building that you may be in charge of as a security manager, or working at as a security officer. 

Now, if you take this onion and look at the layers, this can be used to describe the layers that are needed when observing your new site. It is a process you should go through when you are deciding what layers are needed and what is missing or where the short falls are. The parts we will look at are the outer layer, middle layers and last but not least the core layer.

This article is not going to go in to the nth degree of physical security, just give you an idea of what you can look out for when you are starting on a site.

Outer layer – Black Line

This layer is your first defense to threats outside the building or organisation you are assigned to protect. The outer layer, marked with the black line on the onion, is the first thing you pay attention to when you come to a site and the first thing you are reviewing when you are protecting a site.

What to look out for

This layer encompasses the gates, fences, hedges, walls, chain link fences, the beginning of the next property which could overarch or be close to your site. Quickly just to touch on the overarching or close proximity scenario, this could be a fire safety issue should the neighbouring building catch fire and it could affect your building, so working together with any security teams would be beneficial.

In the stock picture below, you will see an example of the outer layer or the perimeter. This building has vehicle mitigation bollards to stop vehicles ramming the fence, the fence is sat on a brick wall which gives it an additional resilience to any vehicles.  The weakness of a brick wall is that you cannot see anything put behind it from the security hut in the picture.  External patrolling of this building should be incorporated into the duties of the security team to ensure anything suspicious is reported.

The fence is in place to ensure people or vehicles cannot easily get on to the premises and are forced to go to the main entrance point. Another weakness of this picture is that vehicles are allowed to park next to the fence and building which could make the place vulnerable to a VBIED (vehicle borne improvised explosive device). Due to space limitations, architectural design like this sometimes cannot be helped but you can put it on your risk assessment as a point of interest and see if anything can be done to minimize the risk of unauthorised parking.

When doing security checks of your building or site it is very important to make note of the condition of any security feature you may have in place on the boundaries and equally important to recommend any you do not have.

The importance of performing external checks of buildings is in my opinion more important than internal patrols, due to the uncontrolled nature of activities outside.

Picture courtesy of – Alamy

To recap

  1. Check external gates, fences, parking areas, padlocks, lights, bollards and any dark spots.
  2. Make sure you report any defects to management immediately and document them in the daily occurrence book and report.
  3. If there is suspicious activity then call the police and make them aware of potential hostile reconnaissance. 

Middle Layer

As we move to the orange and green lines of the onion, this reflects the position between the perimeter of the site to the building, also known as the approach. The important thing to remember here is that some buildings especially in cities, will not have a fence and would immediately start here. But they may have some form of HVM (Hostile Vehicle Mitigation) this could be planters, bollards etc. you can count this as your perimeter.

In this layer there are two examples, the first example is a nice shiny building in the city and a data center.

What to look for:

If we concentrate on the shiny building for a moment this would be the reception area and loading bay areas. Within this layer you would expect to find access control barriers, CCTV, uniformed officers, receptionists and occasionally meet and greeters. These areas are really important as it is the barrier between an intruder and the assets you are trying to protect.

Trained uniform officers who are familiar with their surroundings, are very effective if they follow the HOT principle:

  • Has an item been deliberately concealed or Hidden? A vigilant security officer will know if something isn’t right for the area and with training in how to deal with various issues, is a great deterrent. 
  • Is it Obviously suspicious? Does it seem odd or out of place? Are wires, batteries or liquid containers visible?
  • Is it Typical for the location? Does its presence seem reasonable?

Where data centres are concerned the perimeter, which will have extensive access control, CCTV and intercoms, is then followed by an empty void of land and most definitely a well-lit pathway which is monitored by CCTV and possibly some movement sensors, connected to a centralised CCTV room. Trained security staff are then tasked to monitor any suspicious people or packages before they reach the core layer or server centres and challenge anybody who has breached the perimeter.

                                                     Void between the perimeter and the core layer

Core Layer

This is your critical function zone and the area you are trying to ultimately protect. Take the Tower of London below, you will see it has a perimeter, a void and the tower where the crown jewels are kept.  (sic.)

If anybody breeches the other layers, the core layer will have additional security in the form of further access control methods, card entry, CCTV, officers and restricted access zones. Great housekeeping on the access control will be important here and it is one of the first things you should check when starting on a site. Restricted access area needs to be monitored and department heads agreeing lists of people who have access, should be done weekly or in less sensitive buildings monthly. 

Further to this, in the core area where the company has its critical business functions and what you are hired to protect, it is important to take the outer layers of the onion seriously so the external threat actors cannot get to the core and will be deterred long before this point. Your job as a security officer, although it can be mundane, is a critically important one, especially as it is an integral part of the risk management process on the site.


  1. Make sure your patrol route counts, if there isn’t a patrolling system then install one and ensure the patrols are hitting vulnerable areas
  2. Report any defects to management within the perimeter area and potential threats
  3. Make sure your access control is monitored on a weekly/monthly basis and any denied swipes are investigated, this may be a first try to see how security reacts to an attempt at an unauthorised access.
  4. Get department heads to agree access to individuals and update you when somebody leaves.
  5. Speak to people in your area to deter intruders, they may be trying hostile reconnaissance and do not give any information away pertaining to security and its team. Always act professionally and escalate it to a supervisor or manager. If you believe it is a hostile reconnaissance act inform the police.
  6. Treat your site like a layer of an onion and seek to make improvements to the security starting from the outside in. There is the insider threat, but for now we are looking at physical security.
  7. Report anything out of the ordinary to your management team and do your reports.

John Sephton MSyI

Credits: Stock Photo – Warsaw, Poland. April, 2018. External view of Polish Security Printing Works

John Sephton Bsc (hons), MSyI, M.ISRM

John is a friend of The Professional Security Officer magazine and works hard to improve standards across the industry as a writer, mentor and in his role as a Board Director of The Security Institute. Recognised for his efforts he has risen through the ranks at Axis Security, and is currently an Account Director