The Castle Walls Are Gone


When I was a kid, I built forts.

Not blanket forts. I mean serious defensive structures. My bedroom closet became a bunker. My backyard became a kingdom. I’d stack pillows at the doorway, position toy soldiers at strategic chokepoints, and declare my territory safe from imaginary invaders.

The logic was simple: Control the walls. Control the entrance. You control safety.

This is how we protected companies for forty years.

The Old Map

In the early days of corporate IT, security worked like a medieval castle.

Your data lived on servers. Those servers sat in a room. That room was inside a building. The building had locks. The network had a firewall.

One boundary. One moat. One gate.

If your employees stayed inside the walls and your firewall stayed active, you were reasonably protected. Attackers had to find a way through that gate to reach you. Security teams focused on building taller walls, deeper moats, and more sophisticated gates.

It worked. For a while.

I remember consulting with a manufacturing company in the early 2000s. Their security posture could be drawn on a napkin. Data center here. Firewall there. Users inside. Threats outside. Simple. Defensible. Clear lines between “us” and “them.”

The CEO could point to the server room door and say, with genuine confidence, “Our customer data is in there.”

Today, that same CEO couldn’t tell you where his customer data is if his company depended on it. Because it’s everywhere. And nowhere he controls.

The Walls Came Down

Here’s what happened.

Business needed speed. Competition demanded agility. Customers expected convenience. And the answer to all of it was the same: outsource.

Why run your own email servers when Google can do it better? Why manage your own customer database when Salesforce handles millions? Why build internal tools when a SaaS vendor has the perfect solution at $10 per user per month?

So we signed contracts. We clicked “Accept” on terms of service. We granted API access. We connected systems to systems to systems.

Every decision made perfect business sense.

And every decision knocked another brick out of the castle wall.

The move to cloud wasn’t a single event. It was a thousand small decisions across thousands of organizations. Each one felt trivial. Each one felt necessary. Each one opened another door that didn’t exist before.

Your HR records moved to a cloud platform. Your accounting moved to another. Your CRM to a third. Your internal communications to a fourth. Your file storage to a fifth.

By the time anyone noticed, the castle had become a city with roads leading everywhere.

Research tells us the average mid-sized company now uses over 130 different software applications. Larger enterprises? Over 350. Every single one is a vendor. Every single one has some access to your data or your systems or both.

That firewall you spent millions on? It’s protecting an empty castle. Your crown jewels left years ago. They’re scattered across other people’s kingdoms now, connected by highways you don’t control.

What Actually Happened to Target

Let me tell you about a retail company that learned this the hard way.

It was 2013. Black Friday was approaching. A major retailer had just finished one of the largest security investments in their industry. Sophisticated firewalls. 24/7 monitoring teams. Advanced intrusion detection systems. Everything a modern enterprise was supposed to have.

Their castle walls were world-class.

But they also needed their HVAC systems managed. Climate control in 1,800 stores is complex business. So they hired a small contractor in Pennsylvania to help manage heating and ventilation systems remotely.

The contractor needed network access to do their job.

Here’s what security professionals call “the blast radius.” A small heating company with fewer than 150 employees wasn’t a cybersecurity firm. They were mechanics who happened to need network credentials. Their email security wasn’t sophisticated. Their password practices were… normal.

When attackers sent them a phishing email, someone clicked.

The criminals didn’t attack the retail giant directly. They didn’t try to breach those expensive firewalls. They walked through a door that nobody was guarding, because nobody thought a vendor’s vendor could become a superhighway into the castle.

Within weeks, credit card data from 40 million customers was compromised. The breach cost hundreds of millions of dollars. Executives lost their jobs. The company’s reputation took years to recover.

The castle’s main gate was impenetrable. The side entrance nobody remembered existed was wide open.

This wasn’t a failure of the security team. It was a failure of the model. You can’t protect a castle that doesn’t exist anymore.

The Mayor Problem

Here’s the part that keeps me up at night when I work with executives.

Most business leaders still think like Lords of the Castle.

They ask questions like: “Is our firewall configured correctly?” They review their internal IT team’s performance. They wonder if they should hire another security analyst.

These aren’t bad questions. They’re just incomplete questions. They’re questions for a world that ended twenty years ago.

You’re not the Lord of the Castle anymore.

You’re the Mayor of an open city.

Think about what that actually means. A castle lord controls the walls. A mayor controls… well, a mayor governs. A mayor doesn’t own the buildings. A mayor doesn’t control who moves in or out. A mayor builds relationships, creates standards, enforces regulations, and hopes that the citizens and businesses choosing to operate in the city maintain the quality that keeps everyone safe.

Your vendors are citizens of your city. You didn’t build their houses. You don’t control their security practices. But their problems become your problems the moment an attacker realizes that the path through their network leads directly to your data.

When a CEO asks me, “How secure is my company?” I have to ask a question back: “How secure are your vendors?”

Most of the time, there’s silence.

The New Reality

Your security perimeter isn’t your firewall anymore.

Your security perimeter is your vendors’ weakest password.

Your CRM vendor’s security practices determine whether your customer list stays private. Your payroll provider’s defenses determine whether your employees’ social security numbers remain protected. Your cloud storage vendor’s incident response determines how quickly you’d even know if your intellectual property was stolen.

This isn’t fear-mongering. It’s arithmetic.

If each of your vendors has a 2% chance of suffering a breach in any given year, independently of the others, and you have 150 vendors, your odds of experiencing at least one vendor-related incident are above 95%.

This is the principle of attack surface expansion. By the time you reach roughly 230 vendors, the mathematical probability of a third-party incident effectively reaches 99%. The math doesn’t care how good your internal controls are. The math cares about how many doors exist.
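To check that arithmetic against your own vendor list, here is an added example (not part of the original article) that reproduces the figures above and extends them to vendors with different breach rates. It assumes breaches are independent events; the tier names, counts and rates in the portfolio are constructed for illustration.

```python
import math

def p_at_least_one(breach_probs):
    """P(at least one vendor breached in a year), assuming each vendor's
    breach is an independent event with the given annual probability."""
    if any(p >= 1.0 for p in breach_probs):
        return 1.0
    # Sum logs of the "no breach" probabilities so long lists stay accurate.
    log_none = sum(math.log1p(-p) for p in breach_probs)
    return -math.expm1(log_none)

def vendors_needed(p, target):
    """Smallest vendor count where P(at least one breach) >= target,
    when every vendor has the same annual breach probability p."""
    return math.ceil(math.log1p(-target) / math.log1p(-p))

def portfolio_risk(tiers):
    """tiers maps a tier name to (vendor_count, annual_breach_probability)."""
    probs = [p for count, p in tiers.values() for _ in range(count)]
    return p_at_least_one(probs)

# The article's uniform case: 2% per vendor per year.
UNIFORM_150 = p_at_least_one([0.02] * 150)
N_FOR_95 = vendors_needed(0.02, 0.95)
N_FOR_99 = vendors_needed(0.02, 0.99)

# Constructed portfolio; counts and rates are illustrative assumptions.
TIERS = {
    "critical data processors": (10, 0.01),
    "business SaaS": (90, 0.02),
    "small contractors": (50, 0.05),
}
# Same portfolio with the small-contractor tier cut from 50 vendors to 10.
TRIMMED = {**TIERS, "small contractors": (10, 0.05)}

if __name__ == "__main__":
    print(f"150 vendors at 2%: {UNIFORM_150:.1%}")
    print(f"Vendors needed for 95%: {N_FOR_95}, for 99%: {N_FOR_99}")
    print(f"Tiered portfolio (150 vendors): {portfolio_risk(TIERS):.1%}")
    print(f"Trimmed portfolio (110 vendors): {portfolio_risk(TRIMMED):.1%}")
```

Removing forty of the riskiest vendors in the constructed portfolio still leaves the yearly odds of a third-party incident above 90%, which is why the count of doors dominates the result.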

Every door needs guards. Every door needs monitoring. Every door is a potential failure point.

And right now, you’re trying to guard 150 doors with a security program designed for one.

What the Lord Needs to Become

The shift from castle to city requires a fundamental change in how we think about protection.

The old model asked: What walls do we need to build?

The new model asks: What relationships do we need to govern?

That’s not a subtle distinction. It changes everything about how security programs should be structured, what skills security teams need, and what questions leadership should be asking.

In the coming pieces on this publication, I’m going to walk you through what this new governance looks like. How to think about your vendor ecosystem as a system rather than a collection of contracts. How to identify which doors matter most. How to have conversations with vendors that actually reveal their security posture. How to build resilience when you can’t control the source of risk.

But before any of that becomes useful, you have to accept the fundamental truth.

The castle walls are gone.

You cannot rebuild them. You cannot wish them back. You cannot hire enough guards to pretend the old model still works.

Your data lives outside your control now. Your security depends on partners you didn’t choose, software you didn’t build, and practices you can’t verify.

The question isn’t whether to accept this reality. The question is what you’re going to do about it.

A Question to Sit With

Before you close this piece, I want you to think about something.

If I asked you right now to list every external company that has access to your customer data, could you do it? Not your IT team. You.

If I asked you how many of those companies have ever shown you evidence of their security practices, would the answer be “most of them” or “almost none of them”?

If I told you that one of those vendors would be breached in the next twelve months, would you know which one to worry about?

These aren’t hypothetical questions for someone else’s organization. These are your questions now.

The Lord of the Castle could delegate security to the guards. The Mayor of the City can’t delegate governance to anyone.

The terrain has changed.

The question is whether your leadership has changed with it.


Julio Bandeira de Melo is the author of The Heart of Influence, the first book in The Legacy Builder Series. With over twenty years of leadership experience, he writes about character-driven leadership and the invisible work of becoming.