Physical security is also important

I went to see a potential client yesterday to pitch my company's security wares.  I drove up to the very expansive facility, all the time fully expecting a pretty strong physical security presence since this was a large manufacturing facility.  But alas, I was wrong.  As I pulled up to the security guard shack, the guard inside raised the gate arm and simply waved me through.  Well, to say the least, I was a little confused.  Was this guy serious?  But I couldn't just drive in and go because I didn't know where the person I was going to meet was located, and i was waiting on my sales person to arrive.  So I parked on the side of the street and walked into the guard shack to ask some questions.  It was right about then that the evil social engineer in me decided to kick in.

I took one look at the guard and realized that he was maybe 20 years old.  He was about as green as Kermit, and he was ripe for getting jacked with.  I really didn't do much, but I just had to see what this guy's experience was.  When he started talking, he said that I looked like a guy that had just left the facility, and he thought I was coming back in, so he waved me through.  So an honest mistake, but not exactly security conscious.  I started asking him his name, asking how long he had been with the company (about 2 months - yep, green), yada, yada.  Basically I was getting in his confidence, and that took all of about 5 seconds.  I started saying that my sales person was coming up and I would get her all signed in for him since he was so busy.    He thanked me for that.  I could have brought the devil in with me and he would have been OK with it.  Which was funny because I saw this sign in his shack:

BTW: My phone was set to make a "click" sound when I take a picture, so I waited until he was turned the other way and then coughed loudly when I took the picture (and I complained about a sinus infection after the cough, which is actually true).

When my sales person arrived, he pretty much just let her go since she was with me.  I did ask him if he wanted to check her car or anything (we went to a place last week where they did search her car a bit).  He laughed and said no.  I finally left the guy alone when people started trying to leave the facility (there is some high dollar stuff leaving there, and I didn't want to get the guy into trouble). 

But the whole time I was having "fun" with this guy, I was really taking what I was doing very seriously.  I really wanted the person I was going to see to know the extent of the issue.  Turns out that this was a known issue at the facility, because when I let the potential client know about the situation, he laughed and said he knew about the problems with their physical security.  He didn't have any control over the situation, so he really couldn't do much, but I could tell that there was concern about the risk to the organization.

To be fair, it is very possible that the powers-that-be at the company didn't really perceive a phyical security breach to be a huge risk, and so they didn't invest much in protecting against one.  If so, that is fine.  But if that was the case, why have a guard at all?  Why spend any money since the physcial security was not effective at all?  Why have that sign up there that says to be strict?  One answer: security theater.