Defence in Depth Is Not a Bundle You Can Buy

Hello, Mauven here.

There is a sentence that quietly undoes a great deal of small-business security spending, and it is worth saying plainly. A collection of controls is not Defence in Depth.

Many business owners are confident they already have layered protection, because they bought three things: a firewall, an endpoint protection product, and a backup product. Three boxes. Three invoices. The salesperson nodded. The job felt done.

It is not done. Those three products might be the beginning of Defence in Depth. They might also be three expensive single points of failure sitting next to each other, none of them watched, none of them tested, none of them owned. The difference is not visible from the invoice. It is only visible when something breaks.

What the NCSC Actually Says

The National Cyber Security Centre describes Defence in Depth as using multiple, overlapping security measures so that the failure of any single measure does not lead to compromise. The phrase that deserves your attention is single points of failure.

This is the part that gets lost in the sales conversation. The goal is not to accumulate products. The goal is to remove the situations where one thing going wrong takes down everything. One exposed system. One weak identity. One forgotten admin account. One unpatched device. One trusted supplier. One backup console with too much power.

Attackers do not browse your purchase history. They look for the single weak point that lets them in, and then the absence of a second layer that would have slowed them down. The number of security products you own is irrelevant to them. The number of single points of failure is everything.

The Difference Between a Control and a Layer

Here is the distinction that the round table on this week’s podcast kept returning to. A product you bought is a control. A control only becomes a layer when four things are true.

It is configured for your environment, not left on its factory defaults. It is monitored, so that someone would actually notice if it failed or was bypassed. It is tested, so that you have evidence it works rather than a hope that it does. And it is owned, so that when it needs a decision, there is a named person who makes that decision.

A control without an owner degrades. A control without monitoring becomes blind. A control without testing becomes belief. Strip those away and your three products are not three layers. They are shelfware with a support contract.

This is not theoretical. The recent Fortinet FortiCloud single sign-on authentication bypass flaws, exploited over the turn of this year, were a textbook single point of failure. A device trusted by design, sitting at the edge, with an authentication path that could be walked straight past. Businesses that had only that one layer, with no monitoring of admin activity behind it, had no second line to catch the intrusion. Businesses with identity controls, segmentation, and log review had somewhere for the attack to get stuck.

The Ten Layers Worth Knowing

You do not need to memorise a framework. But it helps to know roughly what the layers are, so you can spot which ones you are missing. Graham set these out on the episode.

Physical access. Network. Endpoint. Identity. Applications. Data. Backups. People. Monitoring. Governance.

And running through all of them, ownership. Without ownership, layers become theatre.

You will notice that only a few of those are things you buy from a vendor. Most are things you do, decide, or document. Identity is mostly configuration and discipline. People is training and culture. Governance is decision rights. Monitoring is the unglamorous habit of actually looking at the logs. The reason Defence in Depth resists being sold as a bundle is that most of it cannot be shipped in a box.

Why the Confidence Outruns the Evidence

The Cyber Security Breaches Survey 2025/2026, published by the Department for Science, Innovation and Technology, found that only 24% of UK businesses reported having the full set of five Cyber Essentials technical controls. Just 5% hold the certification, up from 3% the year before.

Read that against how many businesses would tell you, confidently, that their security is mature. The gap between the confidence and the controls is the gap attackers live in. If three-quarters of businesses do not have the basic five controls in place, then “we have a strong firewall brand” is not a security posture. It is a brand preference.

How to Turn This Into a Competitive Advantage

Understanding the difference between a control and a layer is itself a differentiator.

You buy better. Once you know that a product only counts when it is configured, monitored, tested, and owned, you stop paying for shelfware. Your security budget goes further because you are buying outcomes, not reassurance.

You answer the procurement question properly. When a larger client asks how you protect their data, “we have multiple layers and here is who owns each one” is a stronger answer than a list of product names. It signals maturity that auditors and insurers reward.

You spot a weak provider faster. A provider who sells you a bundle and calls it Defence in Depth is telling you how they think. A provider who maps your single points of failure is telling you they understand the actual goal.

How to Sell This to Your Board

Three points that translate the technical into the financial.

Layers are about avoided cost, not added spend. Each layer exists to stop one failure becoming a business-ending event. The Breaches Survey 2025/2026 found the share of breaches causing lost revenue or share value has more than doubled, from 2% to 5%. Layers are what keep an incident in the cheap column.

Most of the missing layers are nearly free. Removing old users, enforcing multi-factor authentication, restricting admin access, and reviewing logs cost time, not large capital. The board is not being asked to approve a six-figure platform. It is being asked to approve discipline.

Ownership is a governance decision the board cannot delegate away. You can outsource the task of running a control. You cannot outsource the responsibility for whether the business survives a failure. That distinction belongs in the boardroom, not the server room.

What This Means for Your Business

  1. List your single points of failure, not your products. Walk through the ten layers and mark where one failure would have no backstop. That list is your priority order.

  2. Apply the four-part test to every control you pay for. Is it configured, monitored, tested, and owned? Any “no” is a layer that is not really there.

  3. Assign an owner to each layer. Even in a 20-person firm, every layer needs a named person and a review date, or it quietly degrades.

  4. Start with identity and segmentation. These are the cheapest, highest-value layers, and the ones most likely to catch an edge-device failure like the Fortinet one. Read our breakdown of why stolen credentials are now the default attack route.

  5. Ask your provider to map advisory to asset to action. When a vendor flaw is announced, can they tell you which of your devices is affected and what they did? If not, that mapping is a layer you are missing.

Defence in Depth is not a product you can purchase. It is a way of removing the single points of failure that let one bad day become a catastrophe. The boxes can help. But the layers are built, not bought.

Sources

  • NCSC: Cyber security design principles
  • NCSC: Cyber Essentials overview
  • GOV.UK (DSIT): Cyber Security Breaches Survey 2025/2026
  • Fortinet PSIRT: FortiCloud SSO login authentication bypass (FG-IR-25-647)
  • CISA: Known Exploited Vulnerabilities catalogue
