What ten years building houses taught me about security architecture
I ran interior design and remodeling companies for about a decade before I switched into security. I thought I was leaving one career behind for another, completely separate one. I was wrong. Almost everything I now do in security architecture, I first did with drywall and permits.
Load-bearing walls and critical paths
First thing you learn on a job site: not all walls are the same. Take down the wrong one and the second floor lands on you. Take down the right one and the kitchen opens up beautifully.
Security architecture has the same asymmetry. Most controls are cosmetic; a few are load-bearing. The auth system, the secret management story, the data classification boundary, the audit trail. Move those without a plan and the whole thing collapses. Move the rest however you want.
The mistake new architects make is the same one new general contractors make: treating every wall as equally precious. Wanting to preserve everything, slowing every change. That’s how you end up with a six-month remodel for a kitchen, or a six-month sign-off for a feature flag.
Permits and compliance
I had a love-hate relationship with the city permit office. I needed them to sign off on my work; they needed to make sure I wasn’t cutting corners that would hurt someone later. Compliance audits are the same dynamic with different fluorescent lights.
The thing that took me too long to learn in both fields: the auditor isn’t the enemy, the rework is. If you submit clean drawings the first time, the inspection is a 15-minute walkthrough. If you submit garbage and try to bluff it, you get red-tagged and have to redo two weeks of finished work.
Security teams that treat SOC 2 auditors as adversaries get the construction equivalent of red tags: weeks of pulling cabinets back out to fix the wiring you should have done right the first time.
Contractors who lie about timelines
In construction, every subcontractor’s timeline is a fiction. The framer says three days, takes seven. The electrician says next Tuesday, shows up the following Friday. The drywall guys say they’ll be done by lunch, they’re still texturing at 9pm.
You learn to add buffer. You learn to verify in person. You learn that “I’ll get to it” means “I will never get to it.” You learn to make the next subcontractor’s milestone depend on the previous one’s actual finish, not their promised finish.
This is exactly how to manage vendor security questionnaires, third-party pentests, and any SLA-bound work in security. Trust nothing, verify in person, and chain the dependencies on real artifacts, not promises. The vendor who tells you they fixed the finding hasn’t fixed the finding until you’ve seen the proof.
Blueprints and threat models
I always sketched a remodel before I started. Sometimes badly. Sometimes the sketch was just a napkin with arrows. But the sketch existed, and you’d consult it when a question came up about where the new outlet went.
Threat models are the same thing. They don’t need to be beautiful. They don’t need to be a 40-page document with formal STRIDE categorization. They need to exist somewhere you can point at when a question comes up. “Where does customer data leave our network?” Find the arrow on the napkin.
The teams that don’t have any threat model are the teams that find out at 2am during an incident that they have no idea where customer data leaves their network.
Walking the site
Construction has a discipline that security mostly doesn’t: walking the site. At least once a week, every active job, the GC walks every room. Not because something is broken. Because that’s how you catch things before they become broken.
Security teams that only look at dashboards miss the equivalent of that hairline crack in the foundation. The thing nobody flagged because no alert was wired for it. You catch it by walking through your environment with no agenda except seeing what’s actually there.
I block an hour every two weeks for this. No tickets, no agenda. Just opening tools I haven’t opened in a while, reading recent activity, clicking around. It catches the things that don’t trip any rule.
The thing that doesn’t transfer
One thing about construction does not map to security: the work shows. When you remodel a kitchen, at the end there is a kitchen. People walk into it and react. The labor is visible, the value is obvious.
Security architecture is the opposite. Done well, the work is invisible. Nothing breaks, nobody notices, the auditor says “ok, looks fine,” the org keeps shipping. You don’t get the cathartic “look at this beautiful kitchen” moment. You get a quiet quarter and a renewal of trust.
That asymmetry is the hardest thing to internalize when switching from a trade where craft is visible to one where craft is mostly invisible. Got my drywall in, can see it on the wall. Designed our IAM, never see it. Both took the same kind of thinking, only one shows.