
From ‘Send Me the Video’ to Governance: How Privacy Makes Security Systems Defensible


In most modern organizations, physical security systems are simultaneously a prevention tool and a continuous data factory. Video surveillance cameras, access control systems, credentials, biometrics, video analytics, and monitoring platforms constantly generate records.

In intensive operations—industrial plants, distribution centers, logistics yards, and transportation routes—this data production is not limited to simply observing incidents. It becomes evidence used to resolve discrepancies, reconstruct events, and support decision-making.

Conversations about these systems almost always begin with technical aspects—coverage, resolution, storage, maintenance, system availability, and monitoring response times. But the real risk usually appears somewhere else: when the use of information lacks clear rules. Installing cameras or expanding control points may be relatively simple. The real challenge is sustaining, over time, a framework where everyone understands how the system can and cannot be used; who is authorized to use it and for what purpose; and how each access, query, or export is recorded.

At the heart of this challenge is the distinction between operating and governing.

Operating means keeping the system running—ensuring availability, stability, and responsiveness when needed.

Governance is different. It means ensuring that the same system is used with a clearly defined purpose, with defensible limits, with traceability, and with consistency. When the governance component is missing, even a robust platform becomes fragile—not because of the equipment itself, but because of the risky habits that gradually normalize around it.

When the Problem Is Not the Incident but How We Use the System

A typical scenario helps illustrate this dynamic. During a loading or unloading operation at a distribution center, for example, a discrepancy appears at the dock. It might involve missing products, a damaged pallet, or a difference between shipping documentation and what was actually received or dispatched. At that moment, operational pressure is high. Trucks are waiting their turn, routes cannot be delayed, and delivery commitments must be met.

For that reason, the reaction is usually immediate. Someone from operations approaches or calls the security department and asks it to review the dock cameras to understand what happened.

The first request from operations is straightforward: “I need to see the dock video.”

Then another request appears: “Check the angle from the exterior camera as well.”

Shortly afterward, a clearer instruction follows: “This may escalate into an internal review—save all the material.”

Within minutes, the video surveillance system stops being merely a monitoring tool and becomes the primary source for reconstructing an incident. This is precisely the moment when the situation changes. It is no longer simply about watching images—it’s now about managing who can access those images, for what purpose, and how that access is documented.

Almost without realizing it, security moves from investigating a fact to administering something more sensitive. Its responsibility becomes ensuring who accesses what, for what reason, and how security will be able to justify that access later if someone questions it.

If security takes the informal route at that moment—exporting the video without leaving a record, granting broad access based on trust, or retaining footage indefinitely “just in case”—it may indeed solve the urgency of the day. But it also begins loading the system with accumulating risks. Security loses control of evidence, weakens the credibility of both the system and the team, and creates the perception that information is used according to convenience.

In an operational environment, that perception is costly. People report less, friction with Human Resources and Legal increases, and internal support for the security function becomes harder to sustain.

In this context, governance is not a theoretical debate: it is now part of operational control. It is not an obstacle but the rule of the game that prevents information from being used conveniently, without clarity, or beyond what is necessary.

Privacy Debt: What Accumulates When Systems Grow Without Clear Rules

Over time, when the system grows but governance does not evolve alongside it, privacy debt begins to appear. It encompasses practices created to solve problems quickly but that gradually accumulate exposure. Privacy debt rarely presents itself as major errors—rather, it normalizes in daily operations.

It begins with a shared account to cover shifts, with permissions left open “in case someone needs them.” Video exports are performed quickly because “it’s urgent,” or recordings are retained indefinitely because no one defined a clear retention policy. Requests also begin arriving through calls or messaging apps without formal documentation, and the system starts being used for purposes different from the ones that originally justified its installation.

The real risk of these decisions is not only regulatory or reputational: It is operational and cultural. When rules become ambiguous, the system stops feeling neutral. It starts being perceived as a tool that is used depending on the moment, the person requesting it, or the relationship between departments. That perception erodes legitimacy. And when legitimacy weakens, security loses traction even when its technical assessment is correct, because doubts arise about the criteria used to manage information.

In one multisite operation, for example, the video surveillance system was deployed before a formal corporate security function existed. At the time, access was granted directly to human resources, administration, and operational managers through the digital video management platform so they could oversee personnel activity across different locations. Over time, this access remained unchanged.

What initially appeared to be efficient gradually shifted the video system’s purpose. Footage was used not only for security incident review but also to verify attendance, monitor employee behaviors, and support internal decision-making—often without consistent criteria or traceability. When a sensitive case was later challenged, the organization could not demonstrate who accessed the footage, under what authority, or how it had been used.

To restore control, access was centralized under the security functions, permissions were redefined based on roles, and a simple request-and-authorization process was implemented for all video retrieval. These measures helped to reestablish traceability and return the system to a neutral, defensible role.

The above use case provides a valuable learning opportunity for other security practitioners who are considering introducing more technology at their sites. Before taking that step, practitioners should pause and ask six concrete governance questions:

  1. What is the purpose of each system?
  2. Which uses are legitimate and which are not?
  3. Who can access the system and under which roles?
  4. How long is information retained?
  5. How can I demonstrate who consulted or exported evidence?
  6. What mechanism exists to act if misuse is detected?

These questions are simple, but they often spell the difference between a powerful system and a defensible system.

Five Governance Decisions That Limit Risk

Governance, however, does not mean adding bureaucracy. It means there is a process in place to facilitate clear decision-making that allows surveillance and access control systems to operate consistently and defensibly—even when operations demand quick responses.

Here are five governance measures that could help prevent your video surveillance system from becoming a liability.

  1. Purpose by zone (and limits of use). Define why the system exists in each environment—such as perimeter, loading dock, warehouse, or office areas. When the purpose is explicit, the limits are also clear, preventing the creative use of cameras or access logs.
  2. Proportional design focused on critical points. More cameras do not necessarily mean better security. Prioritize useful coverage—correct framing, configuration, and quality—to capture relevant events without creating unnecessary exposure or operational noise.
  3. Automated, auditable retention and deletion. Indefinite retention often occurs simply because no one defined anything else. Establish reasonable retention periods and extend them only when a documented incident requires it. Automatic and auditable deletion becomes essential.
  4. Role-based access that equals greater traceability. Access is granted by function—monitoring, formal investigation, or system administration—and every query records who accessed what, when, and why. Avoid shared accounts and review permissions periodically.
  5. Formal request workflow and separation of functions. Replace “send me the video” with simple requests that include authorization, logging, and controlled delivery of evidence. Security preserves and documents the evidence, while Human Resources and Legal manage disciplinary or legal processes.

When these decisions are clearly defined, the system stops depending on improvisation and begins operating as a reliable tool for the entire organization.

What Makes It Sustainable: Consistency, Not Rigidity

The most common objection to governance is that adding rules slows down operations. But the opposite is usually true. What actually slows operations down is improvisation, because every case ends up being handled differently and each department makes requests in its own way.

Improvisation may create a sense of speed in the moment, but it becomes costly later when evidence is questioned, friction between departments emerges, and confidence in the system—and in those who operate it—erodes.

Consistent governance does not mean making work rigid or bureaucratic. It means that everyday situations have a clear and repeatable response path. People know what happens when video is requested, who authorizes it, how it is delivered, and what gets recorded. And when it becomes necessary to deviate from the rule, that exception should be explainable and documentable, and it should not be allowed to become routine.

Consistency can be maintained through simple controls: periodic access reviews, light sampling audits of system logs, monitoring of exceptions, and basic analysis of unusual access patterns.

Translating Governance into the Language of the Business

Governance becomes sustainable only when it can be explained in terms the business understands. Do not present it as compliance. Instead, pitch it as control and continuity.  

There are simple indicators that security practitioners can use to facilitate this conversation:

  • The percentage of access rights reviewed and adjusted on time
  • The number of shared accounts eliminated
  • Whether retention policies are being followed as defined
  • How many exceptions were authorized and why
  • How many misuse cases were detected and closed with corrective actions

In addition, provide information on something very practical: how long it takes the organization to respond to a legitimate request with complete, well-delivered evidence, and—when applicable—with a proper chain of custody.

When those metrics are part of the discussion, the conversation changes. It is no longer about believing the security leader or trusting the system. It becomes about demonstrating both that the system is controlled and that its continued use is defensible.

A video surveillance system does not become defensible because of its technology, but because of how it is used. The moment video stops being used for simple monitoring and becomes evidence, the organization is no longer playing an operational game—it is playing a credibility game. That is where governance stops being a concept and becomes a true control mechanism.

Privacy properly understood is not an obstacle: It is a principle that organizes the system. It allows security practitioners to define purpose, reduce unnecessary exposure, sustain decisions, and prevent the system from being perceived as a tool used for convenience. When access, retention, traceability, and evidence delivery follow a clear path, the outcome is not just information being protected: It’s also the legitimacy of security as a business function.

Germán Sánchez Beltrán, PhD, PCI, is chief security officer at Embotelladora AGA del Centro in Mexico. He specializes in security governance, operational risk management, and intelligence-led decision-making. Beltrán has worked with private companies and public institutions across Mexico, Spain, and other Latin American countries to develop intelligence capabilities and security management systems. He was a speaker at the ASIS LATAM Conference 2024 in Costa Rica.

http://www.asisonline.org/security-management-magazine/articles/2026/06/privacy-in-security-systems/governance/