Cybersecurity, like structural engineering, needs a tried-and-tested set of foundational measures to avoid Swiss Cheese-style problems. Find our more here.

Last April, I awoke from a dead sleep at 2:21am in Taiwan, due to a government emergency alert on my mobile phone. There was an earthquake. I had casually turned the alert off and gone back to sleep.

Why? Because Taiwan is known for its earthquake preparedness. My confidence at that moment came from knowing that the high-rise hotel I was staying in, was purpose-built to survive an earthquake like the one happening that night.

The Taiwanese people expect earthquakes to happen, and build accordingly. They know that if a building’s foundation is weak, the whole thing collapses.

Similarly, cybersecurity is the structural engineering of the digital age. Just as civil engineers design buildings to withstand earthquakes, hurricanes, and daily wear-and-tear, cybersecurity must be designed to support and protect digital businesses.

Structural engineering’s  “Swiss Cheese” model

Civil engineers follow building codes, test materials, and reinforce weak spots: they do not make guesses or take risks. Additionally, structural engineering exists to make buildings safe. In the same way, cybersecurity makes it safe to use digital systems.

This principle of accountability and safety is not new. It dates all the way back to Hammurabi’s Code, one of the earliest sets of laws, which held builders responsible for the integrity of their structures.

Cybersecurity should work the same way, but the issue is that many companies take shortcuts. They rely on patchwork security, like using duct tape and bubble gum to hold things together. Then, when this approach inevitably fails, the whole system crumbles. That is why we see massive breaches over and over again. It is not bad luck — it is bad engineering.

In civil engineering, the Swiss Cheese Model is used to explain failure. Think of slices of Swiss cheese stacked on top of each other. Each slice has holes, but as long as the holes do not line up, problems get blocked. However, when they do line up, disastrous consequences can arise.

Cybersecurity has the same issue. A single weak point — a misconfigured firewall, an unpatched server, or an employee clicking a phishing link — can let attackers slip through.

With today’s interconnected and sprawling systems, an attack on a single point can become an attack on the entire system, disrupting and impacting suppliers, customers, and partners. Therefore, organizations need multiple layers of protection, just like strong buildings have multiple reinforcements.

Instead, many simply hope for the best and act shocked when the worst happens.

Strengthening Cybersecurity’s structural integrity
In cybersecurity, Zero Trust is key framework within a broader architectural approach.

Here is how cybersecurity based on key structural engineering precepts can be applied:

  • Micro-segmentation is the foundation: Just as a strong foundation supports and protects a building, micro-segmentation secures and stabilizes a network. It isolates different segments to prevent unauthorized access and limit the spread of threats, ensuring the integrity and security of the overall system.
  • Building codes are least-privilege access: Nobody gets into restricted areas without permission. Least-privilege access ensures users only get what they need and nothing more.
  • Inspections and maintenance are continuous monitoring: Just as civil engineers regularly inspect bridges and roads, cybersecurity teams must constantly monitor network traffic for threats.
  • Locked doors and badge readers are identity and authentication: The strongest building is useless if anyone can waltz in. Identity verification helps keep intruders out.

In civil engineering, there is a legal and ethical responsibility to build safe structures. If a bridge collapses due to negligence, someone is held accountable. Cybersecurity should have the same standard because a weak security foundation puts lives, businesses, and economies at risk. Hope and unsupported assumptions are not a strategy: planning is.