Security budgets gravitate toward things you can buy — appliances, licences, a logo for the rack. One of the most effective controls is none of those. It is segmentation, and it is mostly a matter of deciding where the walls go and having the discipline to build them.
A flat network is one bad day from a breach
On a flat network, a single compromised laptop can reach the database, the backups, and the building's door controllers alike. The attacker's first foothold becomes a free run of the estate. Most of the damage in a serious incident is not the initial intrusion — it is the lateral movement that a flat network quietly permits.
Segment by blast radius
Good segmentation is drawn around consequence, not org chart. Group systems by what it would cost for them to fall together, and put a boundary between groups that should never trust each other by default. A practical first pass usually separates:
- Crown-jewel data stores from everything that merely reads them
- User and office networks from production systems
- Operational technology and building systems from general IT
- Third-party and vendor access from your own internal traffic
The firewall is a boundary, not a building
A firewall earns its keep enforcing the boundaries you have actually designed. Bought without a segmentation plan, it becomes an expensive bump in a flat network — a single perimeter wall around a building with no internal doors. The appliance is the easy part; the boundaries are the work.
You can defer the next security purchase. You cannot defer deciding what should be allowed to talk to what — and once that is decided, you have already done the expensive part for free.
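The "first pass" grouping above, and the rule that the decision is about what may talk to what, can be written down as a default-deny allow list and checked mechanically. This is an added illustration, not code from the original post: the zone CIDRs, ports and observed flows are constructed sample values, and the zone names are the author's four groupings turned into labels.

```python
"""Zone-based, default-deny allow list for the segmentation sketch above (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple

# Zones drawn by blast radius. CIDRs are constructed sample values, not real ones.
ZONES = {
    "office":   ip_network("10.10.0.0/16"),    # user and office networks
    "prod-app": ip_network("10.20.0.0/24"),    # production systems that read the data
    "prod-db":  ip_network("10.20.1.0/24"),    # crown-jewel data stores
    "backups":  ip_network("10.20.2.0/24"),
    "ot":       ip_network("192.168.50.0/24"), # building systems, door controllers
    "vendor":   ip_network("172.16.99.0/24"),  # third-party access
}

Rule = Tuple[str, str, int]  # (source zone, destination zone, destination port)

# The explicit allow list. Any cross-zone flow not listed here is denied.
ALLOWED: Set[Rule] = {
    ("office", "prod-app", 443),   # staff use the application, not the database
    ("prod-app", "prod-db", 5432), # only the app tier reads the crown jewels
    ("prod-db", "backups", 22),    # backups are pushed, never pulled by office hosts
    ("vendor", "prod-app", 443),   # vendor support reaches the app only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def is_allowed(flow: Flow) -> bool:
    """Default-deny across zones; traffic that stays inside one zone is left alone."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return False  # an address outside every zone is a mapping gap, so deny it
    if src == dst:
        return True
    return (src, dst, flow.port) in ALLOWED

def blocked_flows(flows: Iterable[Flow]) -> List[Flow]:
    """Flows a segmented network would stop: the lateral movement a flat one permits."""
    return [f for f in flows if not is_allowed(f)]

def audit_crown_jewels(rules: Set[Rule], jewel: str = "prod-db", reader: str = "prod-app") -> Set[Rule]:
    """Rules that let anything other than the designated reader reach the crown-jewel zone."""
    return {r for r in rules if r[1] == jewel and r[0] != reader}
```

Feeding `blocked_flows` a day's worth of exported flow records before the boundaries go in shows which existing paths the new policy would cut, which is the list to review with system owners.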