What Is the True Cost of Your Weakest Control?
Organizations will spend hundreds of thousands of dollars securing a warehouse. Access control systems. Video surveillance. Physical barriers. Layered defenses designed to protect millions in inventory. On paper, it looks like a hardened environment. A well-controlled facility. A “secure” operation. And then we place a $10/hour guard at the gate and call it risk management.
Let’s stop pretending this is a technology problem. It’s not. It’s a control design failure.
If I were looking to compromise that environment, I’m not starting with the cameras or the fence. I’m starting with the human control sitting in the guard shack. Because that’s the only control in the entire system that can be influenced in real time. Not bypassed. Not broken. Influenced.
And influence is cheaper than intrusion.
You don’t need sophisticated tooling. You don’t need zero-days. You need a conversation, a little social engineering, and one very simple question: “How would you like to make $1,000 for doing absolutely nothing?”
At that moment, your entire security architecture collapses into a single decision made by someone earning $10 an hour.
This is where most GRC programs get it wrong. We obsess over control coverage, not control integrity. We document controls as if their existence equals effectiveness. We test whether the gate exists, whether the camera records, whether the policy is written. But we rarely ask whether the control can withstand pressure—financial, social, or operational.
Because that’s uncomfortable.
It forces us to confront a reality most organizations would rather ignore: risk doesn’t break at the technical layer. It breaks at the human layer, where incentives, pressure, and opportunity intersect.
Now let’s talk economics, because this is where the conversation usually changes.
If you pay your guard $10/hour, you’re effectively telling them that the responsibility of protecting millions of dollars in assets is worth less than an entry-level warehouse role. You’re also creating an environment where a single $1,000 cash offer is worth roughly two and a half weeks of gross wages, and more than that once taxes come out. That’s not a security model. That’s a vulnerability with a uniform.
Increase that wage to align with the lowest operational roles inside the warehouse—say $15/hour—and something subtle but important changes. You haven’t eliminated risk. But you’ve increased the cost of compromise. You’ve introduced friction into the attack path. You’ve made the “easy option” just a little harder.
That’s what good control design actually does. It doesn’t eliminate risk. It makes exploitation more difficult, less predictable, and more expensive.
Will a $15/hour guard still take the money? Maybe. But now the decision carries more weight. The job is harder to replace. The perceived value of the role increases. And, more importantly, so does the individual’s attachment to it.
GRC, at its core, is about understanding these trade-offs. Not just documenting controls, but designing them in a way that reflects how people actually behave under pressure.
Because here’s the real question no dashboard is going to answer for you:
If someone walked up to your “strongest control” tomorrow and applied the right amount of pressure… would it hold?
Or would it open the gate?
#GRC #RiskManagement #OperationalResilience #EnterpriseRiskManagement #ThirdPartyRisk #CyberSecurity #PhysicalSecurity #InsiderRisk #SecurityLeadership #ControlDesign #RiskLeadership #BusinessRisk