Strong Foundations: What Structural Engineers Can Teach Security Leaders

Last April, John awoke from a dead sleep at 2:21 AM. Like everyone else in Taiwan, he had received an alert on his cellphone from the Taiwanese government. There was an earthquake.

John turned the alert off and went back to sleep.

Why? Because Taiwan is known for its earthquake preparedness. His confidence in that moment came from knowing that the high-rise hotel was purpose-built to survive an earthquake like the one happening that night.

The Taiwanese people expect earthquakes to happen and build accordingly. They know that if a building’s foundation is weak, the whole thing collapses.

This is why we both say that cybersecurity is the structural engineering of the digital age. Just as civil engineers design buildings to withstand earthquakes, hurricanes, and daily wear-and-tear, cybersecurity must be designed to support and protect digital businesses.

Taking a structural engineering mindset

Brian knows this well. Before he entered the cybersecurity field, he worked as a civil engineer.  

He sees the same principles apply in cybersecurity. Civil engineers don’t guess. They follow codes, test materials, and reinforce weak spots. Cybersecurity should work the same way.

The problem is that many companies take shortcuts. They rely on patchwork security — like duct tape and bubble gum holding things together. It works until it doesn’t.

And when it fails, the whole system crumbles. That’s why we see massive breaches over and over again.

It’s not bad luck. It’s bad engineering.

The “Swiss Cheese” problem

In civil engineering, the Swiss Cheese Model is used to explain failure.

Think of slices of Swiss cheese stacked on top of each other. Each slice has holes. But as long as the holes don’t line up, problems get blocked.

When they do line up? Disaster.

Cybersecurity has the same issue. A single weak point — a misconfigured firewall, an unpatched server, an employee clicking a phishing link — can let attackers slip through.

Companies need multiple layers of protection, just like strong buildings have multiple reinforcements. But most don’t. They hope for the best and act shocked when the worst happens.

Zero Trust is a key part of cybersecurity’s structural integrity

Zero Trust is an important component of cybersecurity, but it’s not the whole structure. It’s a key framework within a broader architectural approach.

Here’s how cybersecurity as structural engineering applies:

  • Load-bearing walls are microsegmentation: If one part of a building collapses, you don’t want the whole thing to go down. Microsegmentation isolates attacks so they can’t spread.
  • Building codes are least-privilege access: Nobody gets into restricted areas without permission. Least-privilege access ensures users only get what they need and nothing more.
  • Inspections and maintenance are continuous monitoring: Just as civil engineers regularly inspect bridges and roadways, cybersecurity teams must constantly monitor network traffic for threats.
  • Strong foundations are identity and authentication: The strongest building is useless if anyone can waltz in. Identity verification helps keep intruders out.

Build cybersecurity like lives depend on it — because they do

In civil engineering, there’s a legal and ethical responsibility to build safe structures. If a bridge collapses due to negligence, someone is held accountable.

Cybersecurity should have the same standard. A weak security foundation puts lives, businesses, and economies at risk.

Structural engineering exists to make buildings safe. In the same way, cybersecurity makes it safe to use digital systems.

This principle of accountability and safety is not new. It dates all the way back to Hammurabi’s Code, one of the earliest sets of laws, which held builders responsible for the integrity of their structures.

Hope and unsupported assumptions aren’t a strategy; planning is. It’s time we start treating cybersecurity like the engineering challenge it truly is.

John Kindervag & Brian Pitta

Chief Evangelist & Vice President, Solutions Architecture
