Explain defense in depth and how it differs from relying on a single strong control.
Short answer
Defense in depth layers multiple, diverse, and independent controls across people, process, and technology so that the failure of any one control does not result in compromise. It assumes every control will eventually fail and uses redundancy and variety to slow, detect, and contain an attacker.
Defense in depth is a strategic principle that runs through the entire CISSP body of knowledge. Interviewers ask it to see whether you design systems that survive the failure of any single safeguard.
The core idea
Defense in depth (also called layered security) places multiple, overlapping controls between an attacker and an asset. Its founding assumption is humbling but realistic: every control will eventually fail — a firewall is misconfigured, a credential is phished, a patch is missed. By layering independent defenses, the failure of one does not hand the attacker the prize; the next layer slows, detects, or stops them.
Layers across the stack
Strong layering spans people, process, and technology, not just network gear:
- Administrative — policies, security awareness training, separation of duties.
- Technical — firewalls, segmentation, MFA, endpoint protection, encryption, logging.
- Physical — locks, badges, cameras, mantraps.
A database might sit behind network segmentation, then identity and MFA, then least-privilege authorization, then encryption at rest, then monitoring and DLP — each a different type of control.
Diversity, not just quantity
Layering matters most when the controls are diverse and independent. Ten identical firewalls share the same flaw; a single exploit defeats all of them. Using different vendors, control types, and detection methods means one bypass technique does not cascade. This variety also buys time to detect and respond, which is the strategic payoff.
Relationship to zero trust
Modern zero-trust architectures are an evolution of this thinking: rather than trusting anything inside a perimeter, they enforce verification at every layer continuously — defense in depth taken to its logical conclusion.
What interviewers look for
That you treat it as a strategy built on the assumption of inevitable control failure, that you describe diverse layers across administrative, technical, and physical domains, and that you stress diversity over sheer quantity — ideally connecting it to least privilege and zero trust.
Likely follow-ups
- How does defense in depth relate to the zero-trust model?
- Why does diversity of controls matter, not just quantity?
- How would you layer controls to protect a sensitive database?