Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO
Security Basics · SME Security · CIS Controls · Security Strategy

What Security Actually Is: A Guide for People Who Never Wanted to Learn It (Part 1)

Petr Pospíšil

SME takeaway

Security is your bank account: available, confidential, and the balance does not change on its own.

You do not need an IT background to understand security. You need one picture (the triad), one starting plan (CIS Controls IG1), and the patience to ignore the jargon around both.

You run a company. Or you simply use internet banking. At some point, somebody told you that you “need security.”

What does that actually mean? Cameras? Antivirus? A consultant with a hoodie?

This post is the first part of a short series for people who never wanted to learn security and now have to deal with it anyway. No IT background required. I will use a small or medium company as the example, but big companies follow exactly the same principles - they just have more people arguing about them.

The terminology trap: information security vs cyber security

Before we get anywhere, we have to deal with two terms that are used constantly and confused constantly.

Information security is about protecting any information. Including the contract printed on paper in your drawer, the whiteboard in your meeting room, and the conversation your sales lead has too loudly on the train. Information does not need to live in a computer to need protection - although, let’s be honest, most of it already does.

Cyber security is a subset of information security. It focuses on protecting information technology assets - your laptops, servers, cloud accounts, applications.

Simple, right? Except the moment you zoom out, “cyber” stretches into the security of the whole cyber world: operational technology in factories, satellites, the software in your car. And now we are back in the confusion I wanted to avoid.

So here is my habit, and my recommendation: just say security. Drop the prefix. You remove an unnecessary layer of complexity that mostly exists so specialists can argue about category boundaries. For the rest of this series, security means protecting what matters to your business, wherever it lives.

The triad: the holy grail of security

The first thing you learn when you enter this field is that there is a magical triad. Three properties that, together, define what “secure” means:

  • Confidentiality - only the right people can see the information.
  • Integrity - the information is correct and nobody has tampered with it.
  • Availability - the information is there when you need it.

If you have all three, you are safe. That is the theory.

The problem? Achieving all three at a high level is often very expensive. So in practice you decide which one matters most for each system and focus your money and effort there. A public website cares mostly about availability and integrity. Your payroll data cares a lot about confidentiality.

And of course, the triad did not stay a triad. Over the years it grew extra limbs: non-repudiation (you cannot deny you did something) and authenticity (you are really who you claim to be).

You see the pattern already? Security people love concepts, complications and frameworks. We collect them like stamps.

Your exit ramp

If you got this far and you feel the madness approaching - this is your exit. Leave the article here, and take one picture with you. It is 80% of what you need:

Think about your bank account.

  • You need it available - you can pay anytime, day or night.
  • You need it confidential - nobody finds out how much you actually spend on your hobby. Fellow bikers and car maniacs, you know exactly what I mean.
  • You need it integral - the balance does not change randomly based on the current moon cycle.

That is the triad. That is security. Everything else is implementation detail.

Still here? Good. Let’s talk about how you actually get there.

How do you achieve the triad without going bankrupt?

So you want confidentiality, integrity and availability. But how? It looks complex, difficult, expensive - all of the above.

It does not need to be. What you need is a plan. A high-level plan that is generic enough to give you flexibility, but specific enough that you do not get lost halfway through.

There are several such plans on the market. My favourite is the CIS Critical Security Controls: simple, actionable, and probably the cheapest path to a real security baseline.

The concept behind it is refreshingly honest: from a strategic view, every business is basically the same. Every company has devices, accounts, data, software, and people who click on things. So every company needs the same categories of protection. The only real question is how deep you need to go.

CIS answers that with three Implementation Groups (IGs):

  1. IG1 - the foundation. Basic hygiene every company should have.
  2. IG2 - for companies with more sensitive data and more complexity.
  3. IG3 - for organisations where a breach has serious consequences.

Higher group means more complex, more secure, more expensive. How do you choose? It is not rocket science: you start with IG1. You have to start somewhere, and IG1 is the floor everyone should stand on.

The nice surprise is that IG1 brings genuine business benefits even before you think about attackers. Take asset management - simply knowing what hardware and software you own. It is a pity to lose a few laptops per year just because nobody keeps an inventory. That is not a cyber attack. That is just waste, and the fix happens to be a security control.

If you want to know what a CIS Controls baseline looks like in practice, I describe it on my CIS Controls service page.

Why “strategic”? The generals, explained

I keep saying CIS Controls are a strategic framework. Why that word?

Because there are frameworks that go much deeper - down to the operational and tactical levels. And yes, if you had not noticed: security loves military terminology. Probably for the cool factor.

So here is the picture I want you to keep:

  • Strategic - generals sitting in the bunker, planning the counter-offensive at the level of resources and brigades. The smallest unit they think about is 4,000 soldiers. That is the CIS Critical Controls: long-term direction, priorities, where the resources go. The strategy tells you where to go, not how to get there.
  • Operational - the middle layer: how a particular operation gets executed. Not step by step, more like the modus operandi - tools, tactics, goals, approaches. The best-known example is MITRE ATT&CK, a catalogue of how real attackers actually operate.
  • Tactical - the soldier’s view. How you execute the plan handed down from above, in ultimate detail. Think CIS hardening guidelines: how to configure your server in the most secure way. Click here, set this, disable that.

You see? We love frameworks, we love low-level procedures, and we love the strategic view. Not because we enjoy paperwork - but because security takes years to mature, and just when you get comfortable, a new technology arrives and resets part of the board. Without a strategy, you are just reacting forever.

The bottom line

Remember two things from Part 1. The triad - confidentiality, integrity, availability - is the holy grail of security, and you walk toward it with a strategic framework like the CIS Critical Controls, starting at IG1.

Next time we dig one level deeper, into the operational and tactical layers. You want to be a general? Let’s be generals together.

I work with organisations across Europe on NIS2 compliance, penetration testing, and security strategy. Practical advice, no overselling.