The security mindset assumes failure is possible and asks how an opponent would abuse the system. Unlike pure software engineering optimism—ship features, fix bugs later—security engineering designs for malice, misconfiguration, and accident simultaneously. Defenders think in layers: if one control fails, others contain damage. Adversaries think in paths: the cheapest route to valuable data or leverage.

Kerckhoffs's principle (1883), adapted to modern systems, states that security should not rely on secrecy of the design alone; algorithms and protocols may be public while keys remain secret. 'Security through obscurity'—hiding implementation details as the primary defense—fails once attackers reverse engineer or insiders disclose. Open review, responsible disclosure, and patch cadence matter.

Risk management balances likelihood and impact of threats against cost of controls. Perfect security is unattainable; organizations prioritize assets, threat actors, and acceptable residual risk. Documentation—policies, standards, procedures—translates principles into repeatable operations auditors and regulators can assess.

Confidentiality ensures information is accessible only to authorized parties. Breaches expose personal data, trade secrets, and credentials. Controls include encryption, access control lists, need-to-know policies, and data loss prevention monitoring exfiltration channels.

Integrity ensures data and systems are accurate and unaltered except by authorized processes. Tampering can falsify financial records, inject malware, or deface websites. Hash functions, digital signatures, version control, and integrity monitoring detect unauthorized modification.

Availability ensures timely, reliable access to services and data. Denial-of-service attacks, ransomware encryption, and data center outages disrupt operations. Redundancy, backups, capacity planning, and incident response restore service levels defined in business continuity plans.

An asset is anything of value—customer database, domain controller, CEO laptop, brand reputation. Threats are events that may harm assets: phishing, malware, insider theft, natural disaster. Vulnerabilities are weaknesses threats exploit: unpatched CVE, weak password policy, open S3 bucket. Risk combines threat capability, vulnerability exposure, and asset impact.

Controls are safeguards: preventive (firewall), detective (SIEM alert), corrective (restore from backup), compensating (manual approval when automation fails). Defense in depth stacks controls so single failures do not collapse security. Least privilege limits accounts to minimum permissions required.

The attack surface is the sum of entry points—ports, APIs, vendor portals, physical doors. Shrinking surface area through segmentation, disabling unused services, and zero-trust architecture reduces opportunistic compromise.

Security governance assigns roles: board oversight, CISO leadership, system owners accountable for their environments. Risk registers track identified risks, owners, treatments, and residual scores. Third-party risk management evaluates vendors who process data on your behalf.

Frameworks provide common language. The NIST Cybersecurity Framework organizes activities into Identify, Protect, Detect, Respond, and Recover functions. ISO/IEC 27001 specifies an information security management system auditable by certification bodies. COBIT aligns IT with enterprise goals. None replace thinking; they structure repeatable improvement.

Compliance maps controls to legal obligations—sector-specific rules for health, finance, and critical infrastructure. Violations bring fines, contractual breach, and loss of customer trust. Security and compliance overlap but differ: compliant checklists can still be breached if operations drift.

Not every employee becomes a penetration tester, but everyone influences security: developers write safe code, HR guards personnel files, finance resists invoice fraud. Phishing simulations and annual training reduce human error—the dominant factor in many incidents.

Career paths include security operations center analysts, incident responders, architects, GRC (governance, risk, compliance) specialists, and researchers. Certifications such as Security+, CISSP, and OSCP signal baseline knowledge but must pair with hands-on labs and ethical conduct.

Chapter 10 expands compliance, privacy, and careers. Subsequent chapters deepen technical domains introduced here. The foundation is mindset plus CIA: know what you protect, from whom, and how you will detect and recover when controls fail.