This volume features a guest contribution from David Webb of Valkyrie, a boutique security and investigations firm based in Belgrave Square. Valkyrie’s work spans physical and personal security, cyber resilience, technical surveillance countermeasures and complex investigations for individuals, corporates and government bodies.
David’s piece takes a lesson from the modern battlefield, that advantage now flows to whoever sees first, and applies it to the security of businesses, family offices and private households. His argument is that risk is no longer defined by the strength of a perimeter but by visibility, and that hostile actors exploit the joins between physical, digital and reputational exposure rather than any single point of defence. It is a discipline adjacent to our own, and the argument runs parallel to ours. A short Pavesen Perspective follows at the close.
The Battlefield Lesson for Modern Security
War has always accelerated change. Technologies, tactics and behaviours that begin in conflict rarely stay there. They move into politics, business, crime, protest, espionage and everyday life. The battlefield is often where societies first see the future under pressure.
One of the clearest lessons from recent conflicts is not simply that drones are dangerous or artificial intelligence is advancing. It is that advantage is being redistributed. Smaller, less-resourced actors can now observe, disrupt and impose cost on much larger opponents. A target that can be seen, mapped or anticipated can still be vulnerable.
That lesson matters far beyond war. The same reality now shapes how organisations and individuals should think about security.
For businesses, family offices, high-profile individuals and private households, risk is no longer defined only by the strength of a perimeter, the quality of a system or the resources available to defend it. Those things still matter, but they are no longer the whole picture. Risk is increasingly shaped by visibility. Information, access, routine and technology now interact in ways that can expose even well-protected people and organisations.
The modern threat actor does not always need to break through a front door, defeat a firewall or confront a security team. They may only need to understand the target better than the target understands itself.
In security terms, this is reconnaissance. It may be physical, digital, technical, social or commercial. The method varies, but the purpose is the same: to identify weakness, timing, access or leverage.
That understanding can be built quietly and cheaply. Public information, social media, corporate filings, planning documents, leaked data, staff profiles, photographs, property records, commercial datasets, travel patterns and routine observation can all help create a picture. None of it may look sensitive in isolation. Combined, it can reveal movement, habits, relationships, access points, pressure points and moments of weakness.
The issue is no longer only what someone chooses to publish. It is what can be collected, combined and interpreted. A photograph, address, company filing, staff profile, breach record or location reference may say little on its own. Assembled together, those fragments can become intelligence.
Once a person or organisation becomes visible in the wrong way, risk can take many forms. A criminal may identify when a property is empty. A fraudster may impersonate a trusted adviser. A drone may be used to observe a residence, office, event or sensitive site. A cyber incident may create physical risk. A private matter may become reputationally damaging within minutes.
The important point is not the individual tool. It is the connection between tools.
Digital exposure can create physical vulnerability. Physical routines can create cyber opportunity. A staff process can become an intelligence source. A personal device can become an investigative concern. A minor privacy gap can become a reputational issue. A contractor, assistant, driver or household employee can become part of the security picture because trust, access and information now sit at the centre of modern risk.
The Risk Sits in the Gaps
This is where traditional security thinking can fall short. It often treats threats as separate categories: physical security, cyber security, privacy, investigations, technical surveillance, reputation and crisis management. In reality, hostile actors do not work within those categories. They exploit the joins between them.
The risk sits in the gaps.
A residence may be physically secure but digitally exposed. A company may have strong cyber controls but weak arrangements around executive travel, visitors or personal routines. A family office may protect financial information while overlooking the visibility created by staff, suppliers, vehicles, property data or social media.
Trusted access is also part of the picture. Staff, suppliers, contractors, advisers and household employees may be legitimate and well-intentioned, but the information and access around them still need to be understood and managed. Security is not about assuming bad intent. It is about recognising that access, knowledge and routine can create exposure if they are not properly governed.
This is the real battlefield lesson for modern security. The side that sees first, understands fastest and adapts quickest can impose disproportionate cost. In civilian life, that cost may be disruption, financial loss, legal exposure, personal harm, reputational damage or the loss of control over a private situation.
Technology has widened the gap because it has lowered the barrier to entry. Reconnaissance no longer always requires prolonged physical surveillance. Fraud no longer needs to look crude. Harassment can be coordinated at speed. Disinformation can spread before facts are established. Artificial intelligence can increase the speed, scale and plausibility of targeting, impersonation and manipulation.
That does not mean every organisation or individual should become alarmed or over-secured. The answer is not paranoia, nor is it simply more equipment. More technology can help, but only if it is properly understood, configured and integrated. Poorly managed systems can create as much exposure as they remove.
Disciplined Clarity
The better response is disciplined clarity.
What can be seen? What can be inferred? Who has access? Which routines are fixed? Which systems are critical? What information is public? What can be assembled from commercial or open sources? Which people hold trust, knowledge or influence? What happens if a private issue becomes public, or a digital incident creates a physical concern?
These questions matter because many serious incidents do not begin with a dramatic breach. They begin with ordinary exposure that has not been noticed, tested or joined together.
Security therefore has to become more integrated. Physical protection, cyber resilience, digital forensics, technical surveillance counter-measures, open-source intelligence, investigations, protective security and crisis response should not be treated as separate disciplines. They are different ways of understanding how people, information, places, systems and routines can be used against a target.
For businesses, this means looking beyond networks and premises to include leadership exposure, supplier access, travel patterns and reputational impact. For private clients and family offices, it means understanding how online visibility, household access, staff processes, technical privacy and incident response connect.
The advantage increasingly belongs to those who can see the pattern early, make decisions quickly and adapt before the situation escalates. That requires awareness, coordination and a realistic understanding of how risk develops.
That is where resilience is built.
The battlefield lesson is not that businesses, families or senior individuals should think like military units. It is that the balance of risk has changed. Smaller actors can now create larger consequences. Cheap tools can generate expensive disruption. Visibility can become vulnerability. And the old separation between digital, physical and reputational risk is increasingly artificial.
Those best placed to manage this environment will not be the ones who rely on a single system, supplier or assumption. They will be the ones who understand their exposure as a whole and act before an incident reveals the gaps for them.
Modern security is no longer just about keeping threats out. It is about understanding how threats find you in the first place.
The view from where we sit
David’s central observation, that the risk sits in the gaps between disciplines, is one we recognise from the other side of the table. Where Valkyrie closes the physical, technical and investigative gaps, the one we work in is reputational.
David notes that a private matter can become reputationally damaging within minutes. That sentence is where our work begins. The same visibility that exposes a routine or an access point also builds the picture that an AI model, a journalist or a counterparty will later assemble about who someone is. Most of that picture is constructed quietly, from fragments that look harmless alone, long before anyone is aware it exists.
The parallel to David’s argument is exact. Reputation is rarely lost in a single dramatic breach. It accumulates from ordinary exposure that was never noticed, tested or joined together, a stray filing, an outdated allegation, a search result that hardens into perceived fact. By the time it surfaces as a problem, the work of shaping it has already been done by everyone except its subject.
So the question David puts to physical security, we put to reputation: what can be seen, what can be inferred, and who is assembling it. The most effective response is the same in both fields. It is rarely dramatic. It is found in reducing unnecessary visibility, closing small gaps early, and ensuring someone is watching the whole picture before an incident reveals it for you.