The Case for a Fractional Director of Security

The problem with an annual audit, all by itself.

An annual audit is a good thing. It tells you where your program stands on a specific day. It surfaces findings. It produces a plan. You close what you can close. And then, for eleven months, you run your organization without the person who wrote the report in the room.

In those eleven months, things drift. Staff turn over. Doors get propped. Policies age. New threats emerge. New programs are added to the facility. The careful work of the audit slowly absorbs into the daily noise until the next audit, when you start over.

The fractional Director of Security model exists to close that gap.

What a fractional director does.

A fDoS engagement is not a retainer for occasional advice. It is a defined, repeatable monthly rhythm that delivers the strategic oversight of a head of security, on a small fraction of the hours and cost.

The monthly rhythm

Every month, a P23 fDoS engagement includes:

• On-site walkthrough with a written findings memo
• Review of incidents, near-misses, and staff observations from the prior month
• Follow-up on the status of open findings and plan items
• Liaison check-ins with monitoring, installers, or other security vendors as needed
• Scheduled brief to the leader or committee responsible for security

The quarterly rhythm

Every quarter:

• Policy review (rotating through policies on a year-long cycle)
• Tabletop exercise with the security team or key staff
• Technology posture check (cameras, alarms, access control)
• Liaison contact with local law enforcement and first responders

The annual rhythm

Every year:

• Full security audit, included in the engagement
• Written annual report with year-over-year comparison
• Strategic planning session with leadership to set priorities for the coming year
• Review of vendor contracts, monitoring agreements, and insurance alignment

The unlimited-access piece sits alongside all of it. Any question during the month, any time, goes to a phone or email address with a human at the other end.

Why small organizations benefit most.

Large enterprises have full-time security staff because their threat profile, asset value, and regulatory environment justify the cost. Small organizations do not have that justification, but their threat profile is not zero. Children’s ministries handle vulnerable populations. Senior living facilities handle medical emergencies and elopement risk. Small nonprofits hold donor trust that is hard to replace.

The fractional model is the right economic fit for organizations in this middle zone. It provides:

• Expertise. A seasoned advisor who has seen dozens of similar facilities, not a generalist who has seen one.
• Continuity. Year-over-year knowledge of the organization, the space, and the people.
• Capacity. A predictable monthly cadence that ensures the work actually gets done.
• Access. A named person to call when something comes up, without the friction of re-explaining the context every time.
• Economy. A monthly retainer that is a small fraction of the cost of full-time staffing.

What a year inside the engagement looks like.

The first month of an fDoS engagement is always an initial full audit. This establishes the baseline. Every month after that builds on it.

By month three, the findings list has been converted into a tracked plan with assigned owners. The organization has a rhythm for reviewing progress.

By month six, the monthly walkthrough has become part of the organization’s culture. Staff know what the advisor is looking for and often bring observations directly to the monthly meeting.

By month nine, the first quarterly tabletop exercise has been run, the policy review cycle is underway, and the vendor relationships have been reviewed.

By month twelve, the annual audit closes the cycle. The year-over-year comparison becomes the most compelling document the organization produces about its own security posture.

By year two, the rate of new findings slows sharply. The program has matured. The advisor is less focused on closing gaps and more focused on stewardship, optimization, and strategic planning.

The Hurricane Ian test, applied to ongoing engagements.

After Hurricane Ian in 2022, we reviewed outcomes across our client base. A clear pattern emerged. Organizations on fDoS engagements at the time of the storm were, on the whole, better prepared, faster to recover, and clearer-eyed about the work that needed to happen in the aftermath.

The reason was not that the fDoS engagements had predicted the storm. It was that the engagements had produced programs with rehearsed protocols, current documentation, established relationships with first responders, and a named advisor available to help run the post-event response.

Preparation is compounding. Ian was a test of the compounding. The organizations that had been running a program for years passed the test. The organizations that had never run one, or who had let an old audit report gather dust, struggled.

The psalm names the two hands of serious stewardship: the Lord’s protection and the watchman’s attention. The fDoS model exists to make sure the watchman is actually awake, month after month, year after year. The rest remains where it always has been.

Who fDoS is not for.

The honest version. fDoS is not the right model for every organization.

• Very large organizations. If you can justify a full-time Director of Security, hire one. The fractional model is designed for organizations smaller than that.
• Organizations that want a one-time fix. If the goal is to close out a single identified concern, a focused audit or a project engagement is more appropriate.
• Organizations not ready to act on findings. The fDoS rhythm surfaces work to do. An organization that is not prepared to close findings will grow frustrated quickly. Better to start with an audit, confirm willingness to act, and then commit to ongoing engagement.
• Organizations whose security concerns are primarily cybersecurity. fDoS at P23 is a physical security practice. Cyber needs a different specialty.

If any of those apply, we will say so in the pre-engagement conversation.

The starting conversation.

For organizations considering whether fDoS is right for them, the starting point is a no-fee conversation. We walk your facility. We listen. We give you an honest read on whether the model is a good fit, and if not, what we would recommend instead.

Most of the churches, daycares, senior living facilities, and nonprofits we work with across Fort Myers, Cape Coral, Naples, and Port Charlotte started with that conversation. Some moved directly into engagement. Some started with a single audit and came back later. Some decided fDoS was not the right fit and we helped them find what was.

• No cost for the initial conversation or walkthrough
• Written proposal with clear scope, cadence, and retainer
• Flat monthly rate, no hidden fees, no meter
• No long-term contract required (most engagements are month-to-month)
• A real person, named, responsible for your engagement

The watchman, made consistent.

A security program is not a report. It is a rhythm. The fDoS model is the rhythm made explicit, made staffed, and made affordable for organizations that would otherwise have to choose between a one-time audit and a full-time hire they cannot justify.

If that rhythm is what your organization has been missing, we would be glad to have the first conversation. No pressure, no meter, no catch. Just a clear, honest look at what you have and whether we are the right ones to help you steward it.