The Firewall Is No Longer the Security Boundary
By Michael T. McDonald

Recent reporting from Hudson Rock claims that more than 75,000 Fortinet firewalls may remain compromised despite organisations applying patches intended to address known vulnerabilities. If accurate, the finding is concerning. However, the most interesting aspect of the story is not the vulnerability itself, nor even the number of potentially affected devices.
The more important question is why organisations continue to place so much faith in perimeter security in environments where the perimeter itself has largely disappeared.
The Perimeter Made Sense – Once
To understand the challenge, it is worth remembering that the firewall was one of the defining security innovations of the early internet era. It solved a very real problem. Organisations needed a way to control access between trusted internal networks and an increasingly untrusted external world. Firewalls provided a clear boundary and a practical enforcement point. For the environments they were designed to protect, they worked remarkably well.
The challenge is not that the firewall failed. The challenge is that the environment around it changed.
For decades, cybersecurity was built around a relatively straightforward model. Employees worked inside corporate offices. Applications lived inside company-controlled infrastructure. Data remained within networks organisations could see and manage. The distinction between “inside” and “outside” was generally clear.
Today, organisations operate across cloud platforms, SaaS environments, mobile devices, remote workforces, contractors, APIs, partners, and increasingly AI-driven services. Critical business processes often span systems that sit entirely outside traditional network boundaries. Data moves continuously between environments owned and operated by different organisations.
The distinction between “inside” and “outside” has become increasingly difficult to define.
Yet many organisations still approach security as though defending the edge remains the primary challenge. Firewalls are tangible. They create a visible control point. They provide the reassuring sense that there is a boundary to defend.
Unfortunately, attackers no longer need to respect that boundary.
Patching a Vulnerability Is Not the Same as Removing an Attacker
Incidents such as the Fortinet compromise highlight another reality that security teams have long understood but organisations often struggle to operationalise: patching a vulnerability is not the same thing as removing an attacker.
When a vulnerability is disclosed and patched, organisations naturally focus on closing the technical weakness. What often receives less attention is whether the vulnerability was exploited before remediation occurred. Attackers who establish persistence, harvest credentials, create additional access paths, or move laterally through an environment may remain long after the original flaw has been addressed.
This distinction matters because vulnerability management and incident response answer fundamentally different questions. One asks whether a weakness can still be exploited. The other asks whether an attacker successfully exploited it before it was fixed. Organisations that treat those questions as interchangeable risk developing a dangerous false sense of security.
Closing the Hole Doesn’t Mean You’re Safe
The problem becomes even more pronounced as vulnerability discovery accelerates. Security teams are under increasing pressure to identify, assess, prioritise, and remediate weaknesses faster than ever before. Yet remediation alone cannot determine whether compromise has already occurred. Detection, investigation, validation, and monitoring remain essential components of any meaningful security programme.
This is where the conversation needs to shift.
The Future Is About Control, Not Perimeters
The future of enterprise security is unlikely to be defined by stronger perimeter devices alone. It will be shaped by identity controls, segmentation, telemetry, behavioural monitoring, least-privilege access, and continuous validation. These approaches assume compromise is possible and focus on limiting impact rather than relying on a single defensive boundary to prevent intrusion altogether.
Firewalls remain important infrastructure. They continue to play a valuable role in modern environments. However, they are no longer a sufficient architecture on their own.
The organisations that continue treating perimeter devices as primary security controls are solving a problem that largely belonged to the last generation of computing. The challenge today is not defending the edge. It is operating securely in a world where the edge is everywhere.
About the Author:
Michael McDonald is a CTO and global expert in solution architecture, secure data flows, zero-trust design, privacy-preserving infrastructure, and cross-jurisdictional compliance.