June 22, 2026
After Years on Factory Floors, I Realised Most Security Audits Miss This
A behind-the-scenes look at what really happens during a manufacturing security audit, and why most get it wrong.
Luke Appleby
The first thing every Operations Manager says to me is the same:
"Just don't disrupt anything."
It doesn't matter what sector, what size of site, or how sophisticated the operation is: that concern is always there.
And to be honest, they're right to have it.
Because in manufacturing, everything revolves around flow.
Shift patterns, logistics, production targets: one interruption in the wrong place can ripple across an entire day.
So when someone hears the words "security audit", the assumption is simple:
This is going to get in the way.
The Moment That Changed How I See Audits
A few years ago, I was standing on a busy yard at a production facility just outside Leeds.
Forklifts moving. Drivers waiting. Supervisors coordinating handovers.
We were there to carry out a full security assessment.
And as I watched the site operate in real time, something became obvious:
If we couldn't understand this (the movement, the pressure points, the reality of the operation), then anything we recommended afterwards would miss the mark.
That was the moment it clicked.
Security audits don't fail because of poor technology. They fail because they don't understand the business.
The Problem With Traditional Security Thinking
Too often, security has been treated as a separate function.
Something that sits alongside the business, rather than inside it.
The result?
- Systems that look good on paper but don't work in practice
- Processes that create friction on the shop floor
- Investments that protect the wrong things
At its worst, security becomes a cost centre that people tolerate rather than value.
But that's based on a flawed premise.
Because effective security isn't about adding more controls; it's about understanding risk properly.
And risk, in any business, is defined by three simple things:
- What could go wrong
- How likely it is
- And what the impact would be if it did
Miss any one of those, and you're not managing risk; you're guessing.
What Actually Happens When It's Done Properly
When we approach a site, the audit doesn't begin at the gate.
It starts with a conversation.
Not about cameras or fences, but about the business itself.
- How does production actually flow?
- Where are the operational choke points?
- Which assets genuinely matter to continuity?
- Where does the site feel pressure during a normal day?
Because security, when it works, aligns with these answers, not against them.
Only then do we step onto the site.
And when we do, we don't look for "faults".
We look for pathways.
How would a real problem move through this operation?
From perimeter… to access points… to critical areas…
This concept, often referred to as modelling an adversary's path, is fundamental to understanding real exposure, not theoretical gaps.
The Things You Only See in Real Conditions
Some of the most important findings never appear in a specification.
They reveal themselves in the way the site actually operates:
- Blind spots that only exist at peak loading times
- Access systems that don't match shift transitions
- Contractor processes that rely on trust rather than verification
- Workarounds that staff have developed just to keep things moving
None of these are "failures".
They're adaptations.
But they also highlight where risk and reality have drifted apart.
And that's where real value sits.
When Security Starts Adding Value
There's always a moment in every audit where the conversation changes.
It usually isn't during the walkaround.
It happens afterwards, when the findings are linked back to the business.
When a Managing Director sees how a particular vulnerability could:
- Slow production
- Disrupt deliveries
- Or create unplanned downtime
That's when security stops being theoretical.
And starts becoming operational.
Because ultimately, security is not there to eliminate all risk.
No business can afford that.
The goal is to bring risk down to a level that supports the operation, not constrains it.
The Bigger Shift That Needs to Happen
What we're really seeing is a shift in how security is understood.
From:
- "guards, gates, and systems"
To:
- business resilience and continuity
In modern operations, the most effective security functions:
- Work with line management, not around them
- Align with commercial objectives
- Reduce friction, rather than add to it
- And provide clarity for decision-making
In other words, they act as part of the business, not outside it.
Why This Matters More Than Ever
Manufacturing today is under constant pressure.
Margins are tighter. Supply chains are more complex. Expectations are higher.
In that environment, anything that introduces unnecessary friction won't last.
And anything that genuinely improves resilience will stand out.
Security has the potential to do the latter.
But only if it evolves.
A Final Thought
I still hear that same phrase on almost every site:
"Just don't disrupt anything."
And I agree with it.
Completely.
Because the purpose of a security audit isn't to interrupt a business.
It's to understand it well enough to make it stronger without breaking what already works.