When I think about cybersecurity, I picture it like building and protecting a secure, thriving city. You don’t start with the streetlights or the guard patrols—you start with the fundamental principles, then the ground the city stands on, then build upward, layer by layer, until it’s a living environment that’s both functional and safe. We begin with the very bedrock (the CIA Triad), then move to the foundation (the network) and gradually upward to endpoints, users, and data. On top of that, we layer continuous operations, governance, and strategic frameworks. This ensures everything is connected.
Here’s my ground-up view of how it all fits together.
The Bedrock: The CIA Triad
Before you start building the city, you need to establish its core principles. The CIA Triad is the bedrock of cybersecurity, representing the three fundamental goals of any security program. Every control and operation you put in place should be in service of these three goals:
- Confidentiality: This is about keeping secrets safe. It’s the assurance that only authorized people can access sensitive information. In our city, this is like making sure confidential documents are in locked safes, accessible only to those with the right keys.
- Integrity: This ensures that data remains trustworthy and has not been tampered with. It’s the guarantee that information is accurate and reliable. In the city, this is like having a notarized deed for a building—you know the information hasn’t been changed without authorization.
- Availability: This ensures that systems and data are accessible to authorized users whenever they need them. It’s the assurance that your city’s infrastructure—like the roads, power grid, and water supply—remains operational and usable for its citizens at all times.
These three principles guide every decision we make in securing the city. They define what we are ultimately protecting and why.
```mermaid
mindmap
  root((CIA Triad))
    Confidentiality
    Integrity
    Availability
```
1. The Foundation: Networks
In modern IT, the network is the foundation. Without it, devices can’t connect or communicate, and it is also the path an attacker has to cross to reach them. Think of the network as the land a city is built on—its perimeter defines the city’s boundaries. It’s the first point of contact for anything external trying to enter an organization’s infrastructure, making network security a critical first line of defense. The network acts as the city’s main gate, while the devices and systems within it (such as laptops, desktops, and servers) are the buildings and structures inside.
Key security elements here include:
- Firewalls and next-gen firewalls
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Network segmentation and VLANs
- VPNs and secure tunneling for remote access
- Proxies for controlled traffic flow
The goal here is to create a secure perimeter and internal structure for everything else to live inside. Inside the network you’ll find endpoints and servers; the data that resides on those endpoints and servers; and the users who access that data.
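To make the "secure perimeter and internal structure" idea concrete, here is an added example (not code from the post) of how a segmentation policy is evaluated: rules are ordered, the first match wins, and any flow no rule allows is dropped. The VLAN ranges, rule set, and the `shadowed_rules` audit helper are assumptions constructed for illustration.

```python
"""Ordered, default-deny firewall policy evaluator.

Added example (not from the post). The VLAN ranges, rules and
first-match semantics are assumptions chosen to illustrate segmentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port
    comment: str

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )


# Constructed segmentation policy for three VLANs (hypothetical ranges):
#   10.10.0.0/24 user workstations, 10.20.0.0/24 servers, 10.30.0.0/24 management.
POLICY: List[Rule] = [
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "tcp", 443, "users -> web tier"),
    Rule("deny", "10.10.0.0/24", "10.30.0.0/24", "any", None, "users never reach management VLAN"),
    Rule("allow", "10.30.0.0/24", "10.20.0.0/24", "tcp", 22, "jump hosts -> servers over SSH"),
    Rule("allow", "10.10.0.0/24", "10.20.0.5/32", "tcp", 3128, "users -> outbound proxy"),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow. The first matching rule wins; a flow
    that matches nothing is denied, which is the secure default."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.comment
    return "deny", "default deny (no matching rule)"


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Audit helper: a rule is shadowed when an earlier rule already covers a
    superset of its traffic, so it can never fire (either redundant or, worse,
    a deny that a broad earlier allow silently disables)."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            covers = (
                ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                and earlier.proto in ("any", later.proto)
                and earlier.dport in (None, later.dport)
            )
            if covers:
                shadowed.append(later.comment)
                break
    return shadowed


if __name__ == "__main__":
    for flow in [("10.10.0.15", "10.20.0.8", "tcp", 443),
                 ("10.10.0.15", "10.30.0.2", "tcp", 22),
                 ("10.10.0.15", "10.20.0.8", "tcp", 22)]:
        print(flow, "->", evaluate(POLICY, *flow))
    print("shadowed:", shadowed_rules(POLICY))
```

The third flow (a workstation trying SSH to a server) is denied even though no rule mentions it; that is the point of a default-deny perimeter. Running `shadowed_rules` on a policy that places a broad allow above a narrow deny reports the deny as unreachable.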
2. The Structures: Endpoints & Servers
Once you have the network, you put systems inside it: laptops, desktops, servers, and other devices. These are the “buildings” in your city. If the network perimeter is bypassed, these are the next targets. Hardening these devices reduces the entry points available to attackers.
Core protections (the building codes):
- Antivirus / Endpoint Protection Platforms (EPP)
- Endpoint Detection & Response (EDR)
- Patch Management (OS, firmware, applications)
- Secure Configuration Baselines
- Application whitelisting/blacklisting
These controls (which can be found in the NIST 800-53 security control catalog or the CIS Critical Security Controls) are like the building codes for your city’s structures.
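The whitelisting/blacklisting bullet above hides an important design choice: an allowlist denies by default, a denylist allows by default. The following added example (not code from the post) decides whether a binary may execute from its SHA-256 hash under both models; the "binaries" are constructed byte strings, and the list contents are assumptions.

```python
"""Application allowlisting versus denylisting, decided by file hash.

Added example (not from the post). Both lists and the "binaries" are
constructed byte strings; a real allowlist holds hashes of installed executables.
"""
import hashlib
from typing import Dict, Set, Tuple


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed approved binaries: hash -> friendly name.
APPROVED_EDITOR = b"approved-editor-build-1"
APPROVED_BROWSER = b"approved-browser-build-1"
ALLOWLIST: Dict[str, str] = {
    sha256_hex(APPROVED_EDITOR): "editor",
    sha256_hex(APPROVED_BROWSER): "browser",
}

# Constructed known-bad sample.
KNOWN_BAD = b"known-malicious-dropper"
DENYLIST: Set[str] = {sha256_hex(KNOWN_BAD)}


def allowlist_decision(content: bytes) -> Tuple[str, str]:
    """Deny by default: only hashes explicitly approved may execute."""
    digest = sha256_hex(content)
    if digest in ALLOWLIST:
        return "allow", ALLOWLIST[digest]
    return "deny", "hash not on allowlist"


def denylist_decision(content: bytes) -> Tuple[str, str]:
    """Allow by default: only hashes already known to be bad are stopped."""
    digest = sha256_hex(content)
    if digest in DENYLIST:
        return "deny", "hash on denylist"
    return "allow", "not known bad"


def compare(content: bytes) -> Dict[str, str]:
    """Show what each model does with the same file."""
    return {"allowlist": allowlist_decision(content)[0],
            "denylist": denylist_decision(content)[0]}


if __name__ == "__main__":
    tampered = APPROVED_EDITOR + b"!"   # one extra byte: a modified copy of the approved editor
    for label, sample in [("approved editor", APPROVED_EDITOR),
                          ("tampered editor", tampered),
                          ("known dropper", KNOWN_BAD),
                          ("never-seen tool", b"brand-new-unknown-tool")]:
        print(f"{label:16} {compare(sample)}")
```

The tampered editor and the never-seen tool are where the two models part ways: the denylist lets both run because nobody has catalogued them yet, while the allowlist blocks both because neither hash was ever approved.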
3. The Valuables: Data
The valuables are the data the organization stores and processes. It sits on those endpoints and servers and moves across your network. Ultimately, what we are protecting is information. Encryption (both at rest and in transit) ensures that even if data is stolen, it remains unusable without the keys. Data Loss Prevention (DLP) monitors for and blocks unauthorized transfers of sensitive information. Protecting data means protecting the very reason cyber attackers come knocking.
Core protections:
- Encryption (at rest & in transit)
- Data Loss Prevention (DLP)
- Backups with tested recovery plans
- Classification & handling policies
```mermaid
flowchart LR
    A[Data at Rest] -->|Encrypt| B[Protected]
    C[Data in Transit] -->|Encrypt| B
```
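As an added example of the DLP control described above (not code from the post), here is a small outbound-content check that blocks a message carrying a payment card number or a US SSN. The patterns, the Luhn check (used so that an order number that merely looks like a card does not trigger a false positive), and the sample text are all constructed for illustration.

```python
"""Outbound DLP check: detect and block messages carrying card numbers or SSNs.

Added example (not from the post). Patterns, sample text and the
block/allow policy are constructed for illustration; a production DLP
engine would also inspect attachments and honour classification labels.
"""
import re
from typing import List, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout NNN-NN-NNNN


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers and other digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself is safe to log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for each sensitive token found in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def dlp_decision(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Block the transfer if anything sensitive is present, otherwise allow it."""
    findings = find_sensitive(text)
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
    for msg in ["Order 1234 5678 9012 3456 shipped today",
                "Charge 4111 1111 1111 1111 and SSN 123-45-6789"]:
        print(dlp_decision(msg))
```

The first message passes because its 16-digit run fails the Luhn check; the second is blocked and the logged findings expose only the last four digits.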
4. The People: Users
Every environment has people who need access—employees, contractors, and partners. These users access the systems and data residing within the network. Since humans are often the weakest link, controls here are vital. They ensure people become part of the defense, not just a liability.
Core protections:
- Multi-Factor Authentication (MFA)
- Role-Based Access Control (RBAC)
- Least privilege principles
- Security awareness training
5. The City Maps: Asset & Inventory Management
This is a key turning point. The previous sections built a functional city: the network landscape, the devices (endpoints and servers) deployed within it, the data residing on those devices, and finally the users who access that data.
The upcoming sections pivot to the operations that keep the network and everything in it safe. But you can’t secure what you don’t know exists, which is why asset and inventory management comes first. Maintaining a real-time, accurate inventory of all network devices, endpoints, software, and data is crucial. Think of this as drawing a detailed map of your city before you can plan its security. Once we have the map and know what is in our environment, we can look at which operations and codes to follow to secure it.
6. Ongoing Upkeep: Vulnerability Management
Once you have a map of your assets, you can secure them. Think of this as city maintenance, repairing cracks before they become disasters. Every system has weaknesses; vulnerability management is the ongoing process of continuously scanning for, prioritizing, and remediating them before attackers exploit them. The process is cyclical: identify vulnerabilities, assess risk, patch or mitigate, and verify. It’s the routine maintenance that keeps the city strong.
Core process:
- Identify vulnerabilities via scanners (e.g., Nessus, Qualys, Tenable)
- Prioritize based on severity & business impact
- Remediate with patches or compensating controls
- Verify fixes were successful
- Report to stakeholders for visibility
```mermaid
flowchart TD
    A[Identify Vulnerabilities] --> B[Prioritize]
    B --> C[Remediate]
    C --> D[Verify Fix]
    D --> A
```
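The two preceding sections, the asset map and the vulnerability cycle, meet in practice when scanner output is ranked against the inventory. The following added example (not code from the post) prioritizes constructed scan findings by severity and business impact, flags findings on hosts the inventory does not know about, and only marks a fix verified once a rescan no longer reports it. The risk formula (CVSS weighted by asset criticality and an internet-exposure multiplier), the hostnames, and the check names are assumptions for illustration.

```python
"""Inventory-aware vulnerability prioritisation with a verification step.

Added example (not from the post). The inventory, scanner findings and the
risk formula (CVSS x asset criticality x exposure multiplier) are constructed
to illustrate the identify -> prioritize -> remediate -> verify loop.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: int        # 1 (low) to 5 (business critical), from the inventory
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    check: str              # scanner check name (constructed)
    cvss: float


# Constructed inventory: this is the "city map".
INVENTORY: Dict[str, Asset] = {a.hostname: a for a in [
    Asset("web-01", criticality=4, internet_exposed=True),
    Asset("db-01", criticality=5, internet_exposed=False),
    Asset("hr-laptop-17", criticality=2, internet_exposed=False),
]}

# Constructed scan results, including a host the inventory has never heard of.
SCAN: List[Finding] = [
    Finding("web-01", "Deprecated TLS 1.0 enabled", 7.5),
    Finding("db-01", "Unpatched database engine", 9.8),
    Finding("hr-laptop-17", "Outdated browser", 8.8),
    Finding("printer-42", "Default credentials", 9.8),
]


def risk_score(finding: Finding, asset: Asset) -> float:
    """Assumed formula: severity weighted by how much the business depends on
    the asset and whether it faces the internet."""
    exposure = 1.5 if asset.internet_exposed else 1.0
    return round(finding.cvss * asset.criticality * exposure, 1)


def prioritize(findings: List[Finding], inventory: Dict[str, Asset]) -> Tuple[List[Tuple[Finding, float]], List[Finding]]:
    """Rank findings on known assets; findings on unknown hosts are returned
    separately, because an asset you did not know about cannot be scored or owned yet."""
    unknown = [f for f in findings if f.hostname not in inventory]
    scored = [(f, risk_score(f, inventory[f.hostname])) for f in findings if f.hostname in inventory]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored, unknown


def verify(previous: List[Finding], rescan: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """A fix only counts once a rescan no longer reports it. Returns (closed, still_open)."""
    open_keys = {(f.hostname, f.check) for f in rescan}
    closed = [f for f in previous if (f.hostname, f.check) not in open_keys]
    still_open = [f for f in previous if (f.hostname, f.check) in open_keys]
    return closed, still_open


if __name__ == "__main__":
    ranked, unknown = prioritize(SCAN, INVENTORY)
    for finding, score in ranked:
        print(f"{score:5.1f}  {finding.hostname:14} {finding.check}")
    print("unknown hosts to add to the inventory:", [f.hostname for f in unknown])
    # Simulated rescan after patching the database engine only.
    closed, still_open = verify(SCAN, [SCAN[0], SCAN[2], SCAN[3]])
    print("verified fixed:", [f.check for f in closed])
```

Note that the two 9.8-scored findings end up in very different places: the database engine tops the list, while the printer with default credentials cannot be ranked at all until someone adds it to the inventory, which is exactly why the map comes before the maintenance.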
7. The Locks and Keys: Identity & Access Management (IAM)
IAM ensures only the right people have the right access at the right time—and that access is revoked when it’s no longer needed. This system is what gives the proper keys to the right people to access the appropriate ‘buildings’.
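The user controls listed under section 4 (MFA, RBAC, least privilege) and the IAM promise above (right access, right time, revoked when no longer needed) fit in one small policy engine. The following added example (not code from the post) grants roles from a fixed catalogue, lets a contractor grant expire on its own, requires MFA for sensitive permissions, and lists lapsed grants for an access review. The roles, permission names such as `hr-records:write`, the users, and the 30-day window are constructed assumptions.

```python
"""Role-based access with least privilege, expiring grants and MFA step-up.

Added example (not from the post). Roles, permissions, users and the 30-day
contractor window are constructed; permission names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Role catalogue: each role carries only the permissions the job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr-analyst": {"hr-records:read"},
    "hr-admin": {"hr-records:read", "hr-records:write"},
    "contractor-web": {"web-tier:deploy"},
}

# Permissions that additionally require a fresh MFA check (step-up authentication).
MFA_REQUIRED: Set[str] = {"hr-records:write", "web-tier:deploy"}

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time


def day(offset: int) -> datetime:
    """Convenience: T0 plus a number of days."""
    return T0 + timedelta(days=offset)


@dataclass
class Grant:
    role: str
    expires_at: Optional[datetime]   # None = standing access (still subject to review)

    def active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


class AccessPolicy:
    def __init__(self) -> None:
        self._grants: Dict[str, List[Grant]] = {}

    def grant(self, user: str, role: str, now: datetime, ttl: Optional[timedelta] = None) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}: grants must come from the catalogue")
        self._grants.setdefault(user, []).append(Grant(role, now + ttl if ttl else None))

    def revoke(self, user: str, role: str) -> None:
        self._grants[user] = [g for g in self._grants.get(user, []) if g.role != role]

    def effective_permissions(self, user: str, now: datetime) -> Set[str]:
        perms: Set[str] = set()
        for g in self._grants.get(user, []):
            if g.active(now):
                perms |= ROLE_PERMISSIONS[g.role]
        return perms

    def is_allowed(self, user: str, permission: str, now: datetime, mfa_verified: bool = False) -> bool:
        """Deny by default: unknown users, expired grants and missing MFA all fail closed."""
        if permission not in self.effective_permissions(user, now):
            return False
        if permission in MFA_REQUIRED and not mfa_verified:
            return False
        return True

    def expired_grants(self, now: datetime) -> List[str]:
        """Access-review helper: 'user:role' grants that have lapsed and should be cleaned up."""
        return [f"{u}:{g.role}" for u, gs in self._grants.items() for g in gs if not g.active(now)]


def demo_policy() -> AccessPolicy:
    """Constructed users: a permanent analyst, an HR admin and a 30-day contractor."""
    policy = AccessPolicy()
    policy.grant("alice", "hr-analyst", T0)
    policy.grant("carol", "hr-admin", T0)
    policy.grant("bob", "contractor-web", T0, ttl=timedelta(days=30))
    return policy


if __name__ == "__main__":
    p = demo_policy()
    print("alice read:", p.is_allowed("alice", "hr-records:read", day(1)))
    print("carol write, no MFA:", p.is_allowed("carol", "hr-records:write", day(1)))
    print("bob deploy day 31:", p.is_allowed("bob", "web-tier:deploy", day(31), mfa_verified=True))
    print("to review:", p.expired_grants(day(31)))
```

Because `is_allowed` only ever returns `True` when a grant is active and any required MFA is present, everything else (an unknown user, a revoked or expired role, a missing second factor) falls through to a denial without special-casing.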
8. The Guards: Security Operations Center (SOC)
Even with strong defenses, threats still emerge. The SOC acts as the ‘watchtower’ of the city—monitoring logs, alerts, and events across the environment. SOC analysts detect anomalies, triage alerts, and coordinate responses, keeping the defense active 24/7.
Key SOC functions:
- Log collection & analysis (SIEM tools like Splunk, Wazuh)
- Alert triage & escalation
- Continuous network and endpoint monitoring
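As an added example of the log analysis a SOC performs (not code from the post, and not tied to any particular SIEM), here is a detection rule that parses authentication log lines and raises an alert when one source address produces five or more failed logins inside a two-minute window. The log lines, the simplified sshd-style format, the threshold, and the window are constructed for illustration.

```python
"""Failed-login burst detection over constructed auth log lines.

Added example (not from the post). The log format is a simplified sshd
style, the addresses come from documentation ranges, and threshold and
window values are assumptions a SOC would tune to its environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: a burst from 203.0.113.7 and normal activity from 198.51.100.9.
SAMPLE_LOG = """
2024-05-01T10:00:01 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:08 sshd[4123]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:15 sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:22 sshd[4127]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
2024-05-01T10:00:31 sshd[4129]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T10:00:40 sshd[4131]: Failed password for root from 203.0.113.7 port 51027 ssh2
2024-05-01T10:03:00 sshd[4140]: Failed password for alice from 198.51.100.9 port 40110 ssh2
2024-05-01T10:03:30 sshd[4142]: Accepted password for alice from 198.51.100.9 port 40111 ssh2
2024-05-01T10:20:00 sshd[4150]: Failed password for alice from 198.51.100.9 port 40112 ssh2
""".strip().splitlines()


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source ip) for a failed login, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect_bruteforce(lines: List[str], threshold: int = 5, window_seconds: int = 120) -> List[Dict]:
    """Sliding window per source ip: alert the first time `threshold` failures
    land within `window_seconds`. One alert per source keeps the queue readable."""
    window = timedelta(seconds=window_seconds)
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            by_ip[parsed[2]].append(parsed)

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "ip": ip,
                    "count": end - start + 1,
                    "users": sorted({u for _, u, _ in events[start:end + 1]}),
                    "first": events[start][0].isoformat(),
                    "last": events[end][0].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single user with one failure, a successful login, and another failure seventeen minutes later never trips the rule, while the burst against `root` and `admin` is reported with the targeted usernames and the time span, which is what an analyst needs to triage it.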
9. The Detectives: Threat Hunting
While the SOC reacts to alerts, threat hunters proactively search for attackers who may already be inside but are staying hidden. This is the difference between waiting for a burglar alarm to go off and actively checking every building for signs of intrusion.
10. The Firefighters: Incident Response (IR)
When something does go wrong, and it will, the IR team provides the structured way to contain the incident, eradicate its root cause, and recover. Following frameworks like NIST 800-61 ensures we prepare for, detect, respond to, and learn from incidents.
Incident Response cycle:
- Preparation (plans, playbooks, tooling)
- Detection & Analysis
- Containment (stop the spread)
- Eradication (remove the threat)
- Recovery (restore services/data)
- Lessons Learned (improve for next time)
```mermaid
sequenceDiagram
    participant P as Preparation
    participant D as Detection & Analysis
    participant C as Containment
    participant E as Eradication
    participant R as Recovery
    participant L as Lessons Learned
    P->>D: Plans, playbooks, tools
    D->>C: Incident found
    C->>E: Stop spread
    E->>R: Remove threat
    R->>L: Restore, review
```
11. The Building Codes: Security Frameworks & Governance
Some of these “codes” have been mentioned in the earlier sections. Once the physical and operational layers are set, frameworks give you the rules and standards for keeping it all secure over time. Think of these as the building codes for your city, which dictate how all the structures and systems must be built and maintained to ensure long-term safety and resilience. They provide a structured approach to managing cybersecurity risk, ensuring that all parts of the system are designed to work together securely.
Frameworks:
- NIST Cybersecurity Framework (CSF): A high-level strategy for managing and reducing cybersecurity risk using the core functions of Identify, Protect, Detect, Respond, and Recover.
- NIST Risk Management Framework (RMF): A detailed, per-system process for integrating security into a system’s life cycle from start to finish.
- NIST 800-61: Computer Security Incident Handling: A guide that serves as the playbook for preparing for and recovering from cybersecurity incidents.
- NIST 800-53: Security and Privacy Controls: A comprehensive catalog of security and privacy controls that act as the fundamental building blocks of a secure system.
- CIS Critical Security Controls: A prioritized set of best practices that offer a simplified approach to essential cyber hygiene and threat protection (a smaller list of controls than NIST 800-53).
- ISO 27001: An international standard that provides a systematic approach to managing sensitive company information.
In addition to frameworks, organizations must also comply with Regulations & Standards specific to their industry.
- HIPAA: A U.S. law that protects sensitive patient data (PHI), with HITRUST being a related framework for demonstrating compliance.
- PCI DSS: A mandatory standard that sets requirements for any organization that handles credit card data.
- GDPR: An EU law that gives individuals control over their personal data and imposes strict data processing requirements on any organization that handles EU citizen data.
These frameworks and regulations ensure security is a strategic part of the organization’s operations, not just an ad-hoc collection of tools.
12. The Renovation Cycle: Continuous Improvement
Security isn’t static. Threats evolve, technology changes, and businesses grow. A mature program continuously measures itself, learns from incidents, and improves controls across every layer.
Final Thought
This structure, from the network foundation to governance and continuous improvement, gives you a clear, holistic mental model of cybersecurity. Each section plays a distinct but connected role. Like building a secure city, success comes from understanding how the layers interlock: resilience comes not from any single tool, but from the combined structure of all the layers, built from the ground up.
Tags: Cybersecurity, Frameworks, NIST, CIS Controls