What Security Can Learn From the Military
Why Mission Critical Means More Than Important
The phrase “mission critical” is used so often in business that it has almost become part of the background noise.
- Mission critical infrastructure.
- Mission critical systems.
- Mission critical operations.
- Mission critical assets.
We hear it in boardrooms, project meetings and procurement discussions. Yet despite its widespread use, few people stop to consider where the term originated or what it was originally intended to convey.
The concept of mission critical security shares many similarities with military planning, where success is measured by outcomes rather than the resources deployed.
The phrase comes from the military, where the concept of a mission is central to everything. Every operation, whether it is a combat deployment, a humanitarian relief effort or a training exercise, starts with a clearly defined objective. Success is measured by whether that objective is achieved.
That may sound obvious, but it creates a very different way of thinking.
Military organisations do not define success by the amount of equipment they possess. They do not declare an operation successful because aircraft were available, vehicles were deployed or radios functioned correctly. Those things matter, but they are not the objective. They are capabilities that contribute towards achieving the objective.
The mission is always the point.
This distinction is important because it forces planners to focus on outcomes rather than resources. Every decision, every investment and every capability is assessed against a single question:
Does it help achieve the mission?
If the answer is yes, it has value. If the answer is no, its relevance quickly comes into question.
The Difference Between Capabilities and Outcomes
Outside the military, organisations often find this more difficult.
Businesses naturally gravitate towards things that can be measured. Budgets can be measured. Projects can be measured. Equipment can be counted. Systems can be installed and commissioned. Dashboards can be populated with statistics and reports can be presented to boards and stakeholders.
These activities provide reassurance because they create visible evidence of progress.
However, progress and outcomes are not always the same thing.
Most senior leaders have experienced projects that were delivered on time, within budget and exactly to specification, only to discover months later that the original problem still existed.
The project was successful.
The outcome was not.
This is where the military mindset becomes particularly relevant.
Military planning is relentless in its focus on outcomes because the consequences of failure can be severe. Success is not judged by what was deployed. Success is judged by what was achieved.
The distinction matters because focusing on activity can create the illusion of effectiveness. An organisation can be incredibly busy without becoming any more capable. It can spend money without reducing risk. It can implement systems without solving the problem they were intended to address.
The military has long understood that capabilities are important, but capabilities alone do not guarantee success.
Why Security Often Focuses on Measures Rather Than Objectives
Perhaps the same principle should be applied more widely in physical security.
Many security discussions begin with measures rather than outcomes.
- Should we deploy CCTV?
- Do we need perimeter intrusion detection?
- What security rating do we need?
These are all perfectly valid questions. Yet they are questions about capabilities rather than objectives.
The more important discussion often comes before any of them.
- What are we trying to achieve?
- Are we trying to prevent unauthorised access?
- Protect critical infrastructure?
- Safeguard people?
- Reduce theft?
- Maintain operational continuity?
- Delay an attacker long enough for a response to be initiated?
Without understanding the outcome, it becomes difficult to determine whether the measures selected are appropriate, proportionate or effective.
This is a theme we explored previously in our article Security is a System, Not a Product. Security measures only become valuable when they contribute towards a clearly defined objective.
Understanding the Adversary and the Changing Threat Landscape
This is where the military concept of mission critical becomes particularly valuable.
When military planners describe something as mission critical, they are not simply saying it is important. They are identifying something that is essential to achieving the objective. If it fails, the mission itself may fail.
The same principle can be applied to security.
The objective comes first.
The capabilities exist to support it.
However, defining the objective also means understanding the threat.
Military planners do not define success in isolation. They define it in the context of the adversary, the environment and the consequences of failure.
Physical security should be no different.
This is becoming increasingly important as the threat landscape evolves. Not all adversaries share the same objectives.
- A criminal may seek to gain access, steal and leave quickly.
- A terrorist may seek access to cause harm, disruption or fear.
- An activist group may seek visibility, publicity and prolonged occupation of a site to generate media attention and advance a cause.
Whilst the objective of protecting an asset may remain the same, the desired security outcome can be very different depending on the nature of the threat.
Understanding the adversary’s objective is therefore just as important as understanding your own.
After all, a criminal who wants to get in and out quickly creates a very different challenge to an activist whose objective is to remain on site long enough to create a news story.
One seeks speed. The other seeks time.
That changes the relationship between detection, delay and response.
- It changes the importance of visibility.
- It changes the consequences of failure.
- And it changes what success looks like.
Only once the objective, threat and consequences are understood can the appropriate capabilities be selected.
Mission Outcomes and Physical Security
- The outcome is protecting people.
- The outcome is maintaining operations.
- The outcome is safeguarding critical assets.
- The outcome is reducing risk to an acceptable level.
- The outcome is ensuring resilience when things do not go to plan.
The distinction may appear subtle, but it changes the entire conversation.
Instead of starting with products, organisations start with objectives.
Instead of focusing on what they can install, they focus on what they are trying to achieve.
Instead of measuring activity, they measure effectiveness.
The security measures themselves become part of the solution rather than the definition of success.
- A fence is not the outcome.
- A camera is not the outcome.
- An access control system is not the outcome.
They are capabilities that support the outcome.
The Most Important Lesson Security Can Learn from the Military
At Zaun, we believe this shift in thinking is important.
Security measures matter, but they only have value when they contribute to a clearly defined outcome.
Just as military planners begin with the mission, security professionals should begin with the objective.
Before discussing specifications, ratings or technologies, first define what success looks like.
- Understand the threat.
- Understand the consequences.
- Understand the outcome you are trying to achieve.
Only then should the discussion move to the capabilities required to deliver it.
Perhaps that is the most valuable lesson security can learn from the military.
Because mission critical security is not about the systems you deploy.
It is about the outcome you cannot afford to lose.
