
📖 What is Defense in Depth?

A security strategy that uses multiple layers of security controls (physical, technical, and administrative) to protect an asset.

🥋 Sensei Says:

"If the firewall fails, the host-based antivirus should catch it. Layering is safety."

📚 Certification: Certified in Cybersecurity (CC)

🔑 What are the Key Concepts of Defense in Depth?

  • Defense in Depth is not just redundant copies of the *same* control; it layers *different* kinds of controls so that a weakness in one layer is not shared by the next.
  • Use all three control categories together: administrative (policies, training), technical (firewalls, AV, encryption, access control) and physical (locks, guards, cameras). They reinforce one another rather than stacking in a fixed order; an intruder walking into a building meets physical controls first, a remote attacker meets network controls first.
  • A successful attack must bypass *multiple* independent layers, which raises the attacker's cost and gives each layer its own chance to detect and log the attempt.
  • Apply the principle of least privilege within each layer so that a breach of one layer exposes as little as possible.
  • Reassess and update every layer as threats and vulnerabilities change; a static stack of controls decays over time.
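
The Python sketch below is an added illustration, not part of the original glossary entry. It models one request passing through four independent control layers (network allowlist, authentication, least-privilege authorization, input validation) for a hypothetical inventory service; the users, networks and requests are constructed for the example. Every layer records its own decision even when an earlier one has already failed, so a misconfigured firewall (modelled as allow-all) still leaves the attempt blocked and logged by the layers behind it.

```python
"""Added example: evaluating one request against several independent control
layers. Users, networks and requests below are constructed for illustration."""
import hmac
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed policy for a hypothetical internal "inventory" service.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]
USERS = {
    "alice": {"token": "tok-alice-1", "role": "viewer"},   # read-only
    "bob":   {"token": "tok-bob-2",   "role": "admin"},
}
ROLE_PERMS = {"viewer": {"read"}, "admin": {"read", "write", "delete"}}
ITEM_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")  # strict allowlist for item ids


@dataclass
class Request:
    src_ip: str
    user: str
    token: str
    action: str
    item: str


@dataclass
class Verdict:
    allowed: bool
    events: list = field(default_factory=list)  # (layer, passed, detail)


def network_layer(req, firewall_ok=True):
    """Perimeter control. A misconfigured firewall is modelled as allow-all."""
    if not firewall_ok:
        return True, f"{req.src_ip} passed: firewall misconfigured (allow-all)"
    ok = any(ipaddress.ip_address(req.src_ip) in net for net in TRUSTED_NETS)
    return ok, f"{req.src_ip} is {'trusted' if ok else 'untrusted'}"


def authn_layer(req):
    """Identity control: constant-time token comparison against the user store."""
    user = USERS.get(req.user)
    ok = user is not None and hmac.compare_digest(user["token"], req.token)
    return ok, f"user {req.user!r} {'authenticated' if ok else 'rejected'}"


def authz_layer(req):
    """Least privilege: the role may perform only the actions it was granted."""
    role = USERS.get(req.user, {}).get("role")
    ok = req.action in ROLE_PERMS.get(role, set())
    return ok, f"role {role!r} {'may' if ok else 'may not'} {req.action}"


def input_layer(req):
    """Application control: reject anything outside the item-id allowlist."""
    ok = ITEM_ID.fullmatch(req.item) is not None
    return ok, f"item id {req.item!r} {'valid' if ok else 'malformed'}"


def evaluate(req, firewall_ok=True):
    """Run every layer, even after a failure, so each one records its own
    decision: that telemetry is what makes the attempt detectable."""
    checks = [
        ("network", lambda r: network_layer(r, firewall_ok)),
        ("authn", authn_layer),
        ("authz", authz_layer),
        ("input", input_layer),
    ]
    verdict = Verdict(allowed=True)
    for name, check in checks:
        ok, detail = check(req)
        verdict.events.append((name, ok, detail))
        verdict.allowed = verdict.allowed and ok
    return verdict


def blocking_layers(verdict):
    """Names of the layers that independently refused the request."""
    return [name for name, ok, _ in verdict.events if not ok]


if __name__ == "__main__":
    legit = Request("10.1.2.3", "alice", "tok-alice-1", "read", "widget-42")
    # Attacker from outside, reusing alice's stolen token to delete an item
    # with an injection-style item id.
    attack = Request("203.0.113.7", "alice", "tok-alice-1", "delete",
                     "widget-42; rm -rf /")
    for label, v in [("legit", evaluate(legit)),
                     ("attack", evaluate(attack)),
                     ("attack, firewall down", evaluate(attack, firewall_ok=False))]:
        print(f"{label}: allowed={v.allowed} blocked_by={blocking_layers(v)}")
        for name, ok, detail in v.events:
            print(f"  [{name:7}] {'PASS' if ok else 'FAIL'} {detail}")
```

Run as a script to see the three cases. With the firewall working, the attack is refused by the network, authorization and input layers; with the firewall failed open, it is still refused by authorization and input validation, and the network layer's "allow-all" event is itself a signal worth alerting on. Stopping at the first failure would have been cheaper but would have hidden how far the attempt got.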

🎯 How does Defense in Depth appear on the CC Exam?

You may be asked to identify which security controls would best implement a Defense in Depth strategy for a new web application deployment.

A scenario might describe a company experiencing a breach despite having a firewall; expect questions about what *additional* layers were missing.

Expect questions about prioritizing security investments based on a Defense in Depth model – which layer provides the most significant risk reduction?

❓ Frequently Asked Questions

Is Defense in Depth only for large organizations with complex networks?

No, it's scalable. Even a home user can implement Defense in Depth with a strong password, antivirus software, and a locked door. The principle applies universally.


How does Defense in Depth relate to the CIA triad (Confidentiality, Integrity, Availability)?

Each layer of Defense in Depth contributes to protecting one or more aspects of the CIA triad. For example, encryption protects confidentiality, while backups ensure availability.


What's the difference between Defense in Depth and 'security through obscurity'?

Defense in Depth relies on multiple controls that keep working even when the attacker knows exactly what they are. 'Security through obscurity' relies on the attacker not knowing how the system works (hidden ports, secret URLs, undocumented formats); once the secret leaks, the protection is gone. Obscurity can add a little friction on top of real controls, but it is never a substitute for them.


📝 Related Study Guides

Study Guide 8 min read

ISC2 CC Certification Guide: Your Free Entry into Cyber

The ISC2 Certified in Cybersecurity (CC) is a free, entry-level certification designed for beginners. It covers five core domains—Security Principles, BCP/DR, Access Control, Network Security, and Security Operations—via a 100-question exam. It's the ideal starting point for career changers to build a foundation without financial barriers.

Exam Tips 8 min read

ISC2 CC Exam Domains: What You Need to Know to Pass

The ISC2 CC exam consists of five domains: Security Principles; Business Continuity (BC), Disaster Recovery (DR) and Incident Response (IR) Concepts; Access Controls; Network Security; and Security Operations. To pass, you must master the CIA Triad and security governance, while prioritizing high-weight domains through targeted practice and domain-specific analytics.

Comparison 8 min read

CISSP vs CISM: Which Certification Should You Pursue in 2026?

Choose CISSP if you want broad technical security expertise across eight domains, including cryptography, network security, and software development. Choose CISM if you're focused on information security management, governance, and risk management from a leadership perspective. CISSP is ideal for hands-on security architects, while CISM is designed for security managers and directors.
