Hacker News
by 001spartan 3162 days ago
That's very true. In many cases, that's even _perfectly fine_. Not every organization needs enough physical security to deter a determined attacker. The ones that do hire people like Sophie (or me), and take the lessons to heart. Even if the organization doesn't make changes to their physical security posture as a result, they know what to be aware of, and they know where their weaknesses are.

A lot of our security--both network and physical--is based on the illusion of security. One of the most important things that penetration testing does is to make organizations aware of the issues, to put the bug in their ear to remind them that security is important, and shouldn't be an afterthought. We see lots of organizations make material improvements to their security as a result of red team exercises. We also see a lot of organizations that don't. It's disheartening when that happens, but I like to think I help make a difference. The next data breach might be mitigated by our recommendations, or even prevented entirely.