Cyber assurance inherits the strength of the physical world it depends on.
Most compliance frameworks assume that physical security is already solved.
Almost none of them explicitly state it.
That’s the mistake.
In reality, the “cyber” controls we debate — IAM, encryption, segmentation, telemetry — all live on infrastructure you can physically touch. Servers, racks, networks, power, real buildings, real people, real interfaces with the real world.
Above the waterline sits the visible “assurance layer” — compliance, audit, certification, cyber policy, logging, governance.
Below the waterline sits the actual substrate that makes it all real — physical security controls, environmental controls, physics itself.
I’ve spent years in critical infrastructure environments watching organisations invest millions in tools but almost nothing in the physical preconditions that those tools require to hold.
When we ignore the physical dependency chain, we create assurance that is theoretically valid and operationally fragile.
This is why major breaches still begin with physical proximity, social engineering, access misuse, tailgating, contractor compromise, a badge, a door, a terminal.
Physical → Cyber → Compliance.
Most strategies build top down.
Stronger organisations build bottom up.
So if the bottom layers are not secure — nothing above will ever be truly secure.
This is why physical security is not legacy — it is foundational.
It is not about returning to old thinking. It is about grounding modern assurance in reality.
We spend billions perfecting cyber tools… but almost zero time acknowledging the physical world that those tools ultimately rely on.
Physical → Cyber → Compliance.
It’s not legacy — it’s the substrate.

