Defence in Depth: Cybersecurity Strategy for the Real World

Why Defence in Depth Cybersecurity Starts with Accepting Breaches

One of the most important shifts an organisation can make is also one of the hardest: accepting that, at some point, something will go wrong. Defence in depth cybersecurity rests on exactly this premise, and it changes how organisations approach protection entirely. In 2025, we onboarded a client who had what he described as an “unwanted visitor,” a ransomware attack exploiting a well-known vulnerability. For those of us in the business of providing these services, this comes as no surprise. We see continuous probing of client networks and cloud services, as threat actors search for that one weakness that opens a route to cause havoc.

Despite advances in technology, tooling, and threat intelligence, cyber incidents continue to happen. They occur not only because systems fail, but because people make mistakes, attackers adapt, and complexity creates gaps that are difficult to see in advance. This was never more evident than when COVID-19 forced businesses into a work-from-home pattern, where attackers exploited temporary weaknesses in defences through a wave of ransomware attacks. Security strategies that assume perfect prevention are fragile by design.

Defence in depth cybersecurity starts from a different, more realistic position. It assumes that a breach will occur and focuses instead on limiting impact, slowing attackers, and protecting what matters most. It is not a reactive mindset, nor is it defeatist. It is a recognition that resilience, not perfection, is the true measure of effective security.

For organisations working with a Managed Service Provider, this approach offers a practical way to connect cybersecurity, governance, and operational continuity into a single, coherent strategy.

A Philosophy with Deep Roots

Defence in depth did not originate in IT. Military strategists developed layered defences to absorb pressure, delay attackers, and protect strategic assets even after outer defences had fallen. A single wall was never considered sufficient protection.

As computing environments evolved, cybersecurity initially adopted a narrow version of this thinking. Early models focused heavily on perimeter defence: firewalls, gateways, and hardened boundaries. That approach made sense when systems were contained and users were largely on-site. It makes far less sense in a world of cloud services, mobile devices, and remote working.

Today, attackers rarely need to “break in.” They log in using stolen credentials, exploit trusted relationships, or take advantage of unpatched systems. This reality has driven modern security thinking towards resilience-based models.

Security thinkers such as Bruce Schneier have long argued that cybersecurity is fundamentally about managing risk, not eliminating it. More recently, the principles behind Zero Trust, associated with John Kindervag, reinforce the same idea: organisations must continually earn trust, and no single control should carry the full burden of protection.

Defence in depth cybersecurity sits comfortably within this philosophy. It is not a framework or a standard, but a way of thinking about security design and governance.

The Castle Analogy: Visualising Layered Security

A medieval castle provides a helpful way to visualise this approach.

Architects and military planners never relied on a single wall for protection. Each layer of a castle served a specific purpose. Moats restricted movement. Outer walls delayed attackers. Towers provided visibility. Inner keeps protected the most valuable assets. Crucially, defenders assumed that outer layers might fall. The goal was to buy time: enough time to detect an attack, organise a response, and protect what mattered most.

Cybersecurity works in much the same way. No single control will hold indefinitely. Instead, each layer exists to slow an attacker’s progress, expose their actions, and reduce the damage they can cause.

For MSPs, this analogy maps directly onto how cybersecurity services should be designed and delivered, not as isolated controls, but as part of an integrated, layered system aligned to business priorities.

Physical Security: The Often-Ignored Foundation

Cybersecurity discussions frequently underestimate physical security, yet it remains foundational. If an attacker gains physical access to systems or devices, many digital controls become irrelevant very quickly.

Physical security encompasses how buildings are accessed, how devices are protected, and how organisations store, move, and dispose of equipment. It also includes visibility, knowing who is on-site and when.

From a defence in depth cybersecurity perspective, physical controls remove easy wins for attackers. They reduce opportunistic risk, help prevent insider threats, and ensure that technical measures are not trivially bypassed.

For an MSP, this layer is about establishing confidence in the basics. It underpins governance, supports compliance obligations, and provides assurance that more advanced controls rest on solid ground. In castle terms, it is the moat and outer wall, unglamorous but essential.

Technical Controls: Layering for Resilience, Not Perfection

Organisations often invest most heavily in technical security, but defence in depth cybersecurity challenges how these investments should be viewed.

Rather than asking whether a particular tool will stop an attack, it asks how controls interact when something fails. Email filtering may reduce phishing, but it will not eliminate it. Attackers may compromise credentials despite strong password policies. Malware may execute despite preventative controls like antivirus protection.

Layered technical security accepts this reality. Identity controls, endpoint protection, network segmentation, monitoring, and secure backups all serve different roles. Each layer slows an attacker, restricts movement, and increases the likelihood that unusual behaviour surfaces before serious damage occurs.
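To make the "how do controls interact when something fails" question concrete, here is an added toy model (not from the original post) in which each layer independently has some chance of stopping an attacker and costs them some hours of effort; it compares a perimeter-only design with the layered stack when the perimeter control has silently failed. The layer names, probabilities and delays are constructed assumptions, and the independence of layers is itself an assumption that real stacks only approximate.

```python
# Added illustration of layered controls; not the page's own material.
# Layer names, stop probabilities and delays are constructed assumptions,
# chosen only to show how the layers interact when one of them fails.
from dataclasses import dataclass
from typing import Iterable, FrozenSet, Tuple

@dataclass(frozen=True)
class Layer:
    name: str
    p_stop: float         # chance this layer blocks or exposes the attacker
    hours_to_pass: float  # attacker effort needed to get past it (time bought)

# Constructed example stack mirroring the layers the text lists.
LAYERS = (
    Layer("email filtering", 0.90, 1.0),
    Layer("identity (MFA)", 0.80, 4.0),
    Layer("endpoint protection", 0.70, 8.0),
    Layer("network segmentation", 0.60, 24.0),
    Layer("monitoring and alerting", 0.75, 0.0),
)

def evaluate(layers: Iterable[Layer], failed: FrozenSet[str] = frozenset()) -> Tuple[float, float]:
    """Return (probability the attacker reaches the protected asset,
    hours of attacker effort before they can do so).

    A layer named in `failed` is treated as broken: it neither stops nor delays.
    Assumes layers fail independently, which real stacks only approximate."""
    p_reach = 1.0
    hours = 0.0
    for layer in layers:
        if layer.name in failed:
            continue
        p_reach *= 1.0 - layer.p_stop
        hours += layer.hours_to_pass
    return p_reach, hours

def compare_on_failure(failed_layer: str) -> dict:
    """Contrast a perimeter-only design (first layer alone) with the full
    layered stack when the named control has silently failed."""
    perimeter_only = (LAYERS[0],)
    return {
        "perimeter_only": evaluate(perimeter_only, frozenset({failed_layer})),
        "layered": evaluate(LAYERS, frozenset({failed_layer})),
    }

if __name__ == "__main__":
    for design, (p, h) in compare_on_failure("email filtering").items():
        print(f"{design:15s} attacker reaches asset with p={p:.4f} after {h:.0f}h")
```

With the perimeter filter broken, the perimeter-only design lets every attacker through immediately, while the layered stack still stops most of them and costs the rest roughly a working week of effort, which is the time the defender has to notice and respond.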

As security researcher Ross Anderson has observed, complex systems fail in unexpected ways. Layering is not redundancy for its own sake; it is a recognition that no single control can carry the full weight of protection.

For MSPs, the value lies not in deploying tools, but in designing, managing, and monitoring them as a system. Effective defence in depth cybersecurity requires visibility across environments, consistent configuration, and a clear ability to respond when signals indicate something is wrong.

This is the inner wall of the castle, not impenetrable, but deliberately difficult to move through unnoticed.

Process and Governance: Where Security Becomes Real

Technology alone does not determine the outcome of a cyber incident. How people and organisations respond under pressure matters just as much.

Process and governance controls define how organisations detect, escalate, and manage incidents. They shape how quickly teams make decisions, how clearly responsibilities are understood, and how well operations continue during disruption.

Defence in depth cybersecurity treats preparation as a core security control. Incident response planning, staff awareness, change management, and recovery testing are not administrative overheads; they are critical defences in their own right.

This aligns closely with the thinking of Nassim Nicholas Taleb, who describes systems that grow stronger through stress. Organisations that rehearse failure, learn from incidents, and refine their processes become more resilient over time.

For MSPs delivering cybersecurity and governance services, this is where strategic value is most clearly demonstrated. Clear policies, tested response plans, meaningful reporting, and alignment with recognised standards all help ensure that security works when it is needed most.

In the castle analogy, this is the garrison, trained, prepared, and able to respond decisively when the alarm is raised.

Buying Time to Protect What Matters

A common misconception is that defence in depth exists to stop attacks completely. In reality, its primary purpose is to buy time.

By slowing attackers down, layered security gives organisations the opportunity to detect suspicious activity, contain incidents, and protect critical systems and data. Gaining that time reduces panic, enables clearer decision-making, and significantly limits the damage an attacker can cause before the organisation responds.

From a business perspective, this is what resilience looks like. It is not the absence of incidents, but the ability to withstand them without catastrophic impact.

MSP-led cybersecurity services play a key role here by providing continuous oversight, coordinated response, and governance structures that keep security aligned to business risk rather than technical noise.

Defence in Depth as a Governance Mindset

This approach naturally supports good governance because it encourages organisations to think in terms of impact and priorities. Rather than applying controls evenly everywhere, it asks what assets matter most and how to protect them accordingly.

This shifts cybersecurity away from fear-driven spending and towards informed, risk-based decision-making. It also reinforces the idea that security is not a one-off project, but an ongoing capability that evolves as the organisation changes.

The NCSC’s guidance on risk management provides a useful reference point for organisations looking to formalise this thinking.

Conclusion: Security Designed for Reality

Defence in depth cybersecurity is not a product or a checklist. It is a way of thinking about security that accepts uncertainty and designs for it.

By assuming that breaches will occur, organisations can focus on what truly matters: limiting impact, protecting critical assets, and maintaining operational continuity. For organisations that understand this philosophy, investment in cybersecurity becomes simpler, more focused, and better aligned with management priorities.

Like the castles of old, effective security is not about building higher walls. It is about layering defences, preparing people, and ensuring that when pressure comes, the organisation holds strong.

Speak with Our Team

Spector IT works with organisations that want a clear, risk-based approach to cybersecurity and governance. To discuss your environment, your priorities, or where defence in depth cybersecurity fits into your strategy, contact us to arrange an initial discussion.
