On 2 July, 1863, the Union Army was battered, outnumbered and on the brink of collapse. Two days into the Battle of Gettysburg – the bloodiest fight of the American Civil War – Confederate forces had pushed deep into Pennsylvania and were threatening to break the Union line. In a last-ditch move, the Union left flank fell back to a rocky outcrop called Little Round Top.
Whoever held that hill would control the high ground – and with it, the outcome of the battle.
As the originator of Zero Trust security, I’ve spent years showing organisations that cyber-defence is less about piling up controls and more about owning the decisive ground. You don’t guard every inch of Pennsylvania. You take the hill that breaks the enemy’s plan, to give you the best opportunity to win the battle.
In cyber terms, that hill is what we call the “protect surface”: the data, applications, assets and services that truly determine whether you win or lose. It’s the thing you need to build, take hold of and not give up to the enemy.
We know how Gettysburg played out. Colonel Joshua Chamberlain and the 20th Maine scrambled up Little Round Top and threw together a defence. When they ran out of ammunition, they fixed bayonets and charged downhill. The surprise attack shattered the Confederate advance, won the day for the Union Army and turned the tide of the Civil War.
I see echoes of this every day on the digital battlefield, because cybersecurity is about knowing your environment, using it to your advantage and forcing the adversary to fight on your terms.
Zero Trust is often misunderstood as a technology or a single product. It’s not. It’s a holistic security model built on five key steps: defining what you’re trying to protect; mapping transaction flows; architecting a Zero Trust network; creating policy; and continuously monitoring and maintaining it.
Understanding the terrain – visualising how data moves and where it’s most at risk – is essential to every one of these steps. Without that visibility, you can’t define what you’re protecting, enforce effective controls or measure progress. The battle for resilience is won not just with strong defences, but with smart ones.
Terrain still wins wars
At a recent LinkedIn Live event, I spoke with Navy SEAL-turned-entrepreneur Clint Bruce and retired Major General Viet Luong, the first Vietnam-born soldier to be promoted to the rank of general in the US Army.
Clint Bruce introduced a powerful distinction that applies as much to cybersecurity as it does to the battlefield: the difference between influence terrain and impact terrain.
Influence terrain is everything you worry about but can’t control: the weather, distant hills, the size of the enemy’s reinforcements. In the cyberworld, it’s your external threat landscape: nation-state actors, zero-day vulnerabilities, economic conditions, geopolitical unrest. These are real threats, but you can’t shape them directly.
Impact terrain is the ground you can act on. It’s the bridges, roads and high ground you can seize, defend or deny to the enemy. In cybersecurity terms, it’s your internal environment: your networks, your workloads, your data. This is the terrain where your decisions matter, where you can enforce policy, contain lateral movement and make it harder for an attacker to manoeuvre.
Our job isn’t to defend every square inch of the network. It’s to control the terrain that matters most. In cybersecurity, that hill is your protect surface: the small, well-defined set of assets that matter most. It could be your payment systems, your patient records, your proprietary algorithms – whatever would cause operational, financial or reputational damage if compromised.
Why maps work: From Union defences to cybersecurity
A map forces clarity. It reveals blind spots. It shows where the gaps are – and where the enemy will go. The cybersecurity equivalent of a field map is the security graph. It’s a real-time visualisation of how workloads communicate, where users go and which services are exposed. It’s not just a list of IPs. It’s your operational reality rendered intelligible.
Clint Bruce put it well: “The best weapon is a map. Because when you have a map, the worst you’ll ever be is wrong – not lost.” Wrong can be fixed. Lost is fatal.
Defending the protect surface
Major General Luong reminded us that terrain isn’t just physical – it’s human, moral, informational, and, in today’s world, digital. In every mission, he said, you identify your decisive terrain – the hill you’re willing to die on because it determines who wins.
To do that, you need to know exactly what your protect surface is, where it lives, how it’s accessed and who depends on it. Then you chart it, segment it, and control it. Because in Zero Trust, the protect surface isn’t just what you’re defending – it’s the ground you must never lose.
Zero Trust doesn’t succeed just because it stops breaches. It succeeds because it also contains them. That containment is possible only when you master your terrain.
It’s like Chamberlain seeing that Little Round Top was undefended. You don’t win by being everywhere. You win by seeing better and moving smarter. You win by holding the high ground.
