One of the topics I cover in regular training sessions is Defence in Depth.
Defence in Depth is a cybersecurity strategy that uses multiple layers of security controls throughout an organisation’s environment. The idea is that if one security control fails or is bypassed, other controls remain in place to prevent, detect, or limit an attack.
Rather than relying on a single protective measure, defence in depth assumes that breaches can, and will, occur, and therefore implements overlapping safeguards at different levels.
Defence in Depth Key Principle:
Think of a castle:
- A moat protects the outer perimeter.
- High walls provide another barrier.
- Guards patrol the grounds.
- Locked doors protect individual buildings.
- The keep houses the vault.
- Vaults secure the most valuable assets.

https://commons.wikimedia.org/w/index.php?curid=32007084
An attacker would need to overcome several obstacles before reaching the target, all the while under fire from the garrison, which acts as a dynamic defence on top of the static ones.
Cybersecurity applies the same concept by protecting systems, networks, applications, data, and users with multiple layers of security.
Typical layers of Defence in Depth in cyber security
1. Physical Security – Protects hardware and facilities from unauthorised access.
Examples:
- Secure server rooms
- Access control cards
- CCTV monitoring
- Security guards
- Visitor management systems
2. Perimeter Security – Controls traffic entering and leaving the organisation’s network
Examples:
- Firewalls
- Web Application Firewalls (WAFs)
- DDoS protection services
- Secure email gateways
Scenario: A firewall blocks unauthorised incoming connections from the internet.
3. Network Security – Protects internal network communications.
Examples:
- Network segmentation
- VLANs
- Intrusion Detection Systems (IDS)
- Intrusion Prevention Systems (IPS)
- Network monitoring
Scenario: If malware infects a user’s workstation, network segmentation prevents it from spreading to critical servers.
4. Endpoint Security – Protects devices such as laptops, desktops, and mobile phones.
Examples:
- Antivirus software
- Endpoint Detection and Response (EDR)
- Device encryption
- Patch management
- Application whitelisting
Scenario: An employee accidentally downloads malware, but EDR detects and isolates the device before further damage occurs.
5. Identity and Access Management (IAM) – Ensures users only have access to what they need.
Examples:
- Multi-Factor Authentication (MFA)
- Strong password policies
- Single Sign-On (SSO)
- Role-Based Access Control (RBAC)
- Privileged Access Management (PAM)
Scenario: An attacker steals a user’s password but cannot log in because MFA is required. (Phishing-resistant MFA, such as FIDO2 security keys or passkeys, also closes the gap where an attacker relays a one-time code in real time.)
6. Application Security – Protects software and web applications.
Examples:
- Secure coding practices
- Vulnerability scanning
- Penetration testing
- Code reviews
- API security controls
Scenario: Parameterised queries, backed by input validation, prevent a SQL injection attack against a web application. Validation on its own is a useful extra layer, but the parameterised query is the control that actually removes the vulnerability.
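As an added example (not code from the original article), here is the Application Security scenario in working Python: a lookup built by string concatenation that a classic tautology payload abuses, followed by two overlapping controls, an allow-list validator and a parameterised query, stacked so that either one alone stops the injection. The in-memory SQLite table, the user names and the payload are constructed for illustration.

```python
"""Added example: SQL injection against a naive query, then two layers of
defence (an allow-list validator and a parameterised query) stacked so that
either one alone stops the attack. Uses an in-memory SQLite database with
constructed sample data; not code from the original article."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with a few accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Layer 0 (the bug): string concatenation. The attacker's input is
    spliced straight into the SQL text and is interpreted as code."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Assumed username policy: lower-case letter, then up to 31 [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(username: str) -> str:
    """Layer 1: allow-list input validation. Quotes, spaces and comment
    markers never reach the query. Raises ValueError on anything else."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Layer 2: a parameterised query. The driver sends the value separately
    from the SQL text, so it is never parsed as SQL even if layer 1 is
    bypassed or forgotten on some other code path."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    """Both layers together: validation rejects the obvious, parameterisation
    makes whatever gets through harmless."""
    return lookup_parameterised(conn, validate_username(username))


def demo() -> dict:
    """Run the same payload through each layer and collect the outcomes."""
    conn = build_db()
    payload = "x' OR '1'='1"  # classic tautology payload
    results = {
        "vulnerable": lookup_vulnerable(conn, payload),        # every row
        "parameterised": lookup_parameterised(conn, payload),  # no rows
        "defended_validation_rejects": False,
    }
    try:
        lookup_defended(conn, payload)
    except ValueError:
        results["defended_validation_rejects"] = True
    results["defended_legit"] = lookup_defended(conn, "bob")  # normal use still works
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the vulnerable lookup returns all three rows, the parameterised lookup returns none, and the defended lookup rejects the payload before it reaches the database while still serving a legitimate username. That is the layering the article describes: the validator is cheap and fails early, but it is only as good as its regex, so the parameterised query sits behind it.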
7. Data Security – Protects sensitive information.
Examples:
- Data encryption
- Data Loss Prevention (DLP)
- Backup systems
- Data classification
- Access controls
Scenario: A stolen laptop contains encrypted data, making the information inaccessible to the thief (provided the device was powered off or locked, so the encryption key was not sitting in memory).
8. Monitoring and Incident Response – Detects and responds to security incidents.
Examples:
- Security Information and Event Management (SIEM)
- Security Operations Centres (SOC)
- Threat intelligence feeds
- Incident response plans
- Log analysis
Scenario: Unusual login activity triggers an alert, allowing security staff to investigate before the attacker can go any further.
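To make the Monitoring scenario concrete, here is an added example (not from the original article, and not any particular SIEM's rule language) of two simple detections run over constructed login events: a successful login that follows a burst of failures from the same source, and a login from a country the user has never successfully logged in from before. The log format, IP addresses, countries, threshold and window are all assumptions made for the example.

```python
"""Added example: two 'unusual login' detections over constructed log events.
(a) brute force: a success preceded by >= FAILURE_THRESHOLD failures from the
    same (user, source IP) within a sliding WINDOW;
(b) new country: a success from a country not in the user's success history.
The log lines, thresholds and format are assumptions, not the article's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: "timestamp user src_ip country outcome"
SAMPLE_LOG = """\
2026-06-10T08:00:01Z alice 203.0.113.10 GB success
2026-06-10T08:05:12Z bob 198.51.100.7 GB success
2026-06-10T09:10:00Z alice 192.0.2.44 RU failure
2026-06-10T09:10:03Z alice 192.0.2.44 RU failure
2026-06-10T09:10:05Z alice 192.0.2.44 RU failure
2026-06-10T09:10:08Z alice 192.0.2.44 RU failure
2026-06-10T09:10:11Z alice 192.0.2.44 RU failure
2026-06-10T09:10:15Z alice 192.0.2.44 RU success
2026-06-10T10:30:00Z bob 198.51.100.7 GB success
"""

FAILURE_THRESHOLD = 5          # assumed: this many failures before a success is suspicious
WINDOW = timedelta(minutes=5)  # assumed: sliding window over which failures are counted


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, user, ip, country, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": country,
        "outcome": outcome,
    }


def detect(log_text: str) -> list:
    """Return alert strings in the order the triggering events are seen."""
    alerts = []
    recent_failures = defaultdict(deque)  # (user, ip) -> failure timestamps in window
    seen_countries = defaultdict(set)     # user -> countries with a prior success

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["user"], ev["ip"])
        q = recent_failures[key]

        # Age out failures that fell outside the sliding window.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()

        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            continue

        # From here on the event is a successful login.
        if len(q) >= FAILURE_THRESHOLD:
            alerts.append(
                f"brute-force: {ev['user']} from {ev['ip']} "
                f"succeeded after {len(q)} failures"
            )
        history = seen_countries[ev["user"]]
        # A user's very first success sets the baseline and is not alerted on.
        if history and ev["country"] not in history:
            alerts.append(
                f"new-country: {ev['user']} logged in from {ev['country']} "
                f"(seen before: {sorted(history)})"
            )
        history.add(ev["country"])
        q.clear()  # a success resets the failure count for this source

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the RU burst against alice raises both alerts (five failures then a success from an IP and a country she has never used), while bob's routine logins raise nothing. Both rules are deliberately simple; in production you would tune the threshold and window, build the country baseline per user over a longer history, and correlate with other sources, but a sliding window of failures plus a per-user baseline is what most "unusual login" alerts reduce to.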
All of the above approaches and concepts are typically governed by various regulations, frameworks, guidance, and best practice recommendations.
Most organisations will primarily be governed by regulation (think GDPR, financial regulation, human rights law, medical regulation, health and safety, etc.), which forms the basis of anything they do or implement. In many cases these mandatory laws are further augmented by sector-specific regulations and compliance rules.
So, for example, the financial sector is affected by PCI-DSS (the Payment Card Industry Data Security Standard), DORA (the EU Digital Operational Resilience Act), and GLBA (the US Gramm-Leach-Bliley Act), whereas those involved in the manufacture and supply of consumer digital devices now have to comply with the EU Cyber Resilience Act or, in the UK, the Cyber Security and Resilience Act. Those in the critical infrastructure space (e.g. telecoms, transport, power) have the NIS directives to comply with. It all gets very complex.
Once these laws and regulations are covered, the company draws up its own policies and procedures, sets them out, and trains its staff on them. These policies then drive the corporate communications, the technologies implemented, and the ongoing maintenance of it all.
This is where the Swiss cheese analogy (James Reason’s Swiss cheese model of accident causation) comes in.

No matter how well written a piece of regulation is, it will not fit every instance; likewise, procedures will not cover every scenario, training will miss key elements of what we should do, messages can be (and often are) mis-communicated, technology is not one-size-fits-all and needs to be tailored and tweaked to fit, and maintenance schedules are regularly missed.
These become holes in the layers of our defences, just like the holes in the cheese.
Individually, these holes are in most cases not something to be overly worried about, but if they align, a hazard that should have been stopped at one of the layers may pass through the hole in each slice and manifest as an incident.
Many years ago (2000), renowned cryptographer and cyber security expert Bruce Schneier wrote a book called Secrets and Lies. In it he popularised the idea of “People, Process, and Technology”: that organisations should have a management model which balances their resources, workflows, and tools.

Schneier’s model was a rework of an earlier concept produced by Harold J. Leavitt, an organisational psychologist, whose model came to be known as Leavitt’s Diamond.
This model specifies four important variables to assess within an organisation: people, process (Leavitt’s original term was “task”), structure, and technology:
- Human variables refer to the people who implement the tasks that are relevant to the organization’s goals.
- Process variables refer to activities that employees are expected to perform in order to deliver products and services.
- Structure variables refer to any structure (organizational chart, communication norm, work process, etc.) that employees are expected to follow within the organization.
- Technological variables refer to all tools, machines, and equipment that support employees’ tasks.

Regardless of model, the principles stay the same: organisations should carefully manage their processes alongside the people who work with them and the technologies they use to do so.
When these elements have holes in them, an incident is just a matter of time, which is why it is a constant battle to keep reviewing the guidance we follow, the processes we create, the training we deliver, the communications we transmit, the technologies we deploy and use, and the maintenance schedules we adopt.
Add to all of the above the ever-changing world of IT, and the emergence of AI as a tool (for attackers and defenders alike) to identify holes we never even realised were there, and it becomes quite easy to understand why so many organisations suffer successful cyber attacks.
Earlier this month (June 2nd), cyber security firm Depthfirst used an in-house AI agent to identify 21 zero-days in a single product, FFmpeg. FFmpeg is an open-source suite of libraries and tools used to record, convert, stream, and edit digital audio and video; it is the workhorse behind sites such as YouTube and Netflix, among others.
Anthropic, the company behind the Claude family of AI models, recently announced that one of its models is so effective at identifying vulnerabilities that it will not be publicly released as a standalone product, as it is deemed too dangerous.
Claude Mythos will instead be rolled out in phases, each with different, managed capabilities.
- Initial phase (April 2026): Mythos was strictly limited to a select group of organisations, security researchers, and enterprise partners (via Google Cloud’s Vertex AI) to test its capabilities in a controlled environment. Released under the title Project Glasswing, it brought together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world’s most critical software.
- Interim mitigation (April/May 2026): Anthropic released alternative, less risky models (such as Claude Opus 4.7 and Opus 4.8) to give cyber security professionals time to patch flaws.
- Public release (present): Anthropic announced swift progress on cyber safeguards and said it expected to bring these highly advanced models to the general public and wider customer base soon. Claude Mythos Fable 5 was released to the general public on 9th June.
Final Thoughts
Cyber security is an ever-changing world, one which often changes overnight. Regulations, policies, procedures, and training simply cannot keep up with this rapid pace of change. Professionals need to keep abreast of the latest events in this space all the time, which often leads to information overload and, in some cases, misinformation and conflicting advice.
The more we learn about and understand the technologies we use and the threats posed against them, the more we can do to ensure the holes in those slices of cheese never line up in the way that lets a hazard become an incident. It is not an easy task.