When I first started exploring cybersecurity, I quickly realised it is not just about hacking or firewalls. It is a whole discipline built on frameworks, principles, and formal models that define how we think about protecting information. This post captures the core concepts I encountered early on — the ones that gave me the mental scaffolding to understand everything else.
Security Threats — What Are We Actually Protecting Against?
Before you can defend anything, you need to understand the threat landscape. Threats come in many forms: malware, ransomware, insider threats, social engineering, zero-days, DDoS attacks, and supply chain compromises. What they all have in common is that they target one or more of three fundamental properties of information — and that is where the CIA Triad comes in.
The CIA Triad
The CIA Triad is the foundation of information security. Every control, policy, and design decision ultimately maps back to one of its three pillars:
- Confidentiality — only authorised parties can access the information. Encryption, access controls, and need-to-know policies protect confidentiality.
- Integrity — information is accurate and has not been tampered with. Hashing, digital signatures, and change controls protect integrity.
- Availability — information and systems are accessible when needed. Redundancy, backups, and DDoS protection preserve availability.
A ransomware attack, for example, can hit all three, but not in the way people often assume. Encrypting your files in place is not by itself a confidentiality breach; the confidentiality loss comes when the crew exfiltrates data before encrypting it (now standard in double-extortion campaigns). The in-place encryption and the deletion of backups alter data outside any legitimate change process (integrity), and the encrypted systems can no longer serve their users (availability). Understanding which pillar an attack actually targets helps you choose the right countermeasure: offline, tested backups restore availability and integrity, but only data-exfiltration controls address the confidentiality half.
GRC — Governance, Risk, and Compliance
GRC is the organisational side of cybersecurity. It ties together the policies, processes, and standards that keep a business legally compliant and strategically protected.
- Governance — who is responsible for security decisions? Policies, roles, and accountability structures.
- Risk Management — identifying, assessing, and prioritising threats. Risk = Likelihood × Impact. Controls are chosen to reduce risk to an acceptable level.
- Compliance — meeting legal, regulatory, and contractual requirements. These come from different sources: GDPR is a law, PCI DSS is an industry standard imposed by the card brands, ISO 27001 is a certifiable management-system standard, and NIST publishes frameworks and control catalogues (the Cybersecurity Framework, SP 800-53). Which of them an organisation must align with depends on its sector, jurisdiction, and contracts.
GRC might sound dry compared to hands-on hacking, but it is where security strategy lives. A vulnerability found in a pentest only gets fixed if the governance structure supports it.
Certifications — Mapping the Landscape
Cybersecurity has a rich certification ecosystem. Early on, understanding which cert fits which career path matters:
- CompTIA Security+ — entry-level, vendor neutral, covers core security concepts including CIA, threats, and GRC basics.
- CEH (Certified Ethical Hacker) — focused on offensive techniques, great for aspiring pentesters.
- CISSP — senior-level, management and architecture focused, covers security models in depth.
- OSCP (Offensive Security Certified Professional) — highly practical, the gold standard for penetration testers.
- ISO 27001 Lead Auditor / Implementer — for those leaning toward GRC and compliance roles.
Security Models — Biba, Bell-LaPadula, and Clark-Wilson
Security models are formal frameworks that define rules for how information can flow within a system. They were developed to give rigorous, provable guarantees — especially for government and military systems. Understanding them reveals the theoretical roots of access control.
Bell-LaPadula — Protecting Confidentiality
Developed in the 1970s for the US Department of Defense, Bell-LaPadula focuses entirely on confidentiality. Subjects (users, processes) and objects (files, messages) carry security labels, and the two core mandatory rules compare those labels:
- No Read Up (Simple Security Property) — a subject cannot read an object whose label is higher than the subject's clearance.
- No Write Down (Star Property, written *-property) — a subject cannot write to an object whose label is lower than the subject's, which stops a process that has read secrets from copying them into a less-protected file.
Think of it as: you can read what you're cleared for, you can write upward, but secrets never flow down. Note that the model says nothing about integrity: a low-cleared subject writing "up" is allowed even though it is blindly modifying data it cannot read, which is exactly the gap Biba was designed to close.
Biba — Protecting Integrity
Biba is the integrity-focused mirror image of Bell-LaPadula: labels now express how trustworthy data is rather than how secret it is. The rules of its strict integrity policy (Biba also defined looser low-water-mark variants) are:
- No Write Up — a subject cannot write to a higher integrity level (preventing low-quality data corrupting trusted data).
- No Read Down — a subject cannot read from a lower integrity level (preventing contamination by untrusted data).
Biba is relevant anywhere data quality matters — financial systems, healthcare records, audit logs.
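Both models reduce to a label comparison, so a small reference monitor makes the rules concrete. The following is an added example, not code from the original post: it implements a dominance check over a lattice of levels plus categories (need-to-know compartments, which the rules above only hint at), then enforces the Bell-LaPadula and Biba rules as mirror images of each other. The level names, category names, and integrity ranking are assumptions chosen for illustration.

```python
"""Tiny reference monitor for Bell-LaPadula and Biba over a label lattice.

Added example; level names, categories and the integrity ranking are assumed
values for illustration, not taken from any real system.
"""
from dataclasses import dataclass

# Assumed rankings. Secrecy levels order confidentiality labels; integrity
# levels order how trustworthy data is. Both are just "higher number wins".
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    rank: int                    # position in the level ordering
    categories: frozenset        # need-to-know compartments, e.g. {"NUCLEAR"}

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of categories.

        Two labels with different category sets can be incomparable; then
        neither dominates the other and every mandatory access is denied.
        """
        return self.rank >= other.rank and self.categories >= other.categories


def label(level: str, ranking: dict, *categories: str) -> Label:
    """Build a Label from a level name in the given ranking plus categories."""
    return Label(ranking[level], frozenset(categories))


def blp_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula: no read up, no write down (confidentiality)."""
    if action == "read":          # Simple Security Property
        return subject.dominates(obj)
    if action == "write":         # *-property: target must dominate the subject
        return obj.dominates(subject)
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Label, obj: Label, action: str) -> bool:
    """Biba strict integrity: no read down, no write up (the exact dual)."""
    if action == "read":          # Simple Integrity Property
        return obj.dominates(subject)
    if action == "write":         # *-Integrity Property
        return subject.dominates(obj)
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    analyst = label("SECRET", SECRECY, "NUCLEAR")
    for name, obj, action in [
        ("CONFIDENTIAL report", label("CONFIDENTIAL", SECRECY), "read"),
        ("TOP_SECRET/NUCLEAR file", label("TOP_SECRET", SECRECY, "NUCLEAR"), "read"),
        ("SECRET/CRYPTO file (incomparable)", label("SECRET", SECRECY, "CRYPTO"), "read"),
        ("UNCLASSIFIED share", label("UNCLASSIFIED", SECRECY), "write"),
        ("TOP_SECRET/NUCLEAR,CRYPTO drop box", label("TOP_SECRET", SECRECY, "NUCLEAR", "CRYPTO"), "write"),
    ]:
        print(f"BLP  {action:5} {name:38} -> {blp_allows(analyst, obj, action)}")

    app = label("USER", INTEGRITY)
    for name, obj, action in [
        ("downloaded file (UNTRUSTED)", label("UNTRUSTED", INTEGRITY), "read"),
        ("system config (SYSTEM)", label("SYSTEM", INTEGRITY), "read"),
        ("system config (SYSTEM)", label("SYSTEM", INTEGRITY), "write"),
    ]:
        print(f"Biba {action:5} {name:38} -> {biba_allows(app, obj, action)}")
```

The incomparable case is the one worth noticing: a SECRET/NUCLEAR analyst is denied a SECRET/CRYPTO file even though the levels match, because the category check is part of the lattice. Real systems (SELinux MLS, for example) add a discretionary layer and trusted subjects on top of these mandatory rules, but the mandatory decision is exactly this comparison.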
Clark-Wilson — Commercial Integrity
Clark-Wilson was designed for commercial environments where Biba's strict lattice model is impractical. Instead of labelling data, it constrains how data may change: protected data (constrained data items, CDIs) may only be modified by certified transformation procedures (TPs), each user is bound to the TPs they may run through access triples of the form (user, TP, CDI), and integrity verification procedures (IVPs) check that the data is in a valid state. Two ideas do most of the work:
- Well-Formed Transactions — data can only be modified through controlled, auditable procedures; a direct edit that bypasses the certified TP is not permitted.
- Separation of Duties — no single person can complete a sensitive transaction alone (e.g., a payment requires both a requester and a separate approver).
Clark-Wilson is the model behind the controls in many financial and ERP systems. It is the principle behind dual approval for large transfers, and it is also why those systems keep an audit log of every transaction rather than only of the final balance.
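To show how those pieces fit together, here is an added example (not code from the original post) of a minimal Clark-Wilson style enforcement layer for the dual-approval payment described above. The ledger is the CDI, the two transfer functions are the only certified TPs, access triples decide who may run which TP, the IVP checks that money is conserved, and the approval TP enforces separation of duties by refusing to let the requester approve their own transfer. Account names, user names, and amounts are assumptions for illustration.

```python
"""Minimal Clark-Wilson enforcement for a dual-approval payment.

Added example; users, accounts and amounts are constructed sample data.
"""
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when a request would violate the model's rules."""


@dataclass
class Ledger:
    """The constrained data item (CDI): balances plus transfers awaiting approval."""
    balances: dict
    pending: dict = field(default_factory=dict)  # tid -> (src, dst, amount, requester)
    log: list = field(default_factory=list)      # audit trail of every TP run


def ivp(ledger: Ledger, expected_total: int) -> bool:
    """Integrity verification procedure: money is conserved and nothing is overdrawn."""
    return (sum(ledger.balances.values()) == expected_total
            and all(v >= 0 for v in ledger.balances.values()))


# Transformation procedures (TPs): the only code allowed to change the CDI.
def request_transfer(ledger, user, tid, src, dst, amount):
    """Well-formed transaction, step 1: record a transfer for later approval."""
    if amount <= 0 or src not in ledger.balances or dst not in ledger.balances:
        raise IntegrityError("malformed transfer")
    if tid in ledger.pending:
        raise IntegrityError("duplicate transfer id")
    if ledger.balances[src] < amount:
        raise IntegrityError("insufficient funds")
    ledger.pending[tid] = (src, dst, amount, user)


def approve_transfer(ledger, user, tid):
    """Well-formed transaction, step 2: move the money, enforcing separation of duties."""
    if tid not in ledger.pending:
        raise IntegrityError("unknown transfer")
    src, dst, amount, requester = ledger.pending[tid]
    if requester == user:
        raise IntegrityError("separation of duties: requester may not approve own transfer")
    if ledger.balances[src] < amount:          # funds may have moved since the request
        raise IntegrityError("insufficient funds at approval")
    del ledger.pending[tid]
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


# Certified TPs and the access triples (user, TP, CDI) binding users to them.
TPS = {"request_transfer": request_transfer, "approve_transfer": approve_transfer}
ACCESS_TRIPLES = {
    ("alice", "request_transfer", "ledger"),
    ("bob", "approve_transfer", "ledger"),
    ("carol", "request_transfer", "ledger"),   # carol holds both triples, so SoD
    ("carol", "approve_transfer", "ledger"),   # must be enforced per transaction
}


def run_tp(ledger: Ledger, user: str, tp_name: str, *args) -> None:
    """Reference monitor: only certified TPs, only by users holding a triple, always logged."""
    if tp_name not in TPS:
        raise IntegrityError(f"{tp_name} is not a certified TP")
    if (user, tp_name, "ledger") not in ACCESS_TRIPLES:
        raise IntegrityError(f"{user} is not certified to run {tp_name}")
    TPS[tp_name](ledger, user, *args)
    ledger.log.append((user, tp_name, args))


def denied(ledger: Ledger, user: str, tp_name: str, *args) -> bool:
    """Return True when run_tp rejects the call; convenient for demonstrations."""
    try:
        run_tp(ledger, user, tp_name, *args)
    except IntegrityError as exc:
        print(f"denied  {user:6} {tp_name:17} {args}: {exc}")
        return True
    print(f"allowed {user:6} {tp_name:17} {args}")
    return False


if __name__ == "__main__":
    led = Ledger({"ops": 1000, "vendor": 0})
    denied(led, "alice", "request_transfer", "t1", "ops", "vendor", 300)
    denied(led, "alice", "approve_transfer", "t1")      # no triple for approve
    denied(led, "carol", "request_transfer", "t2", "ops", "vendor", 100)
    denied(led, "carol", "approve_transfer", "t2")      # has the triple, fails SoD
    denied(led, "bob", "approve_transfer", "t1")        # separate approver: allowed
    print(led.balances, "IVP ok:", ivp(led, 1000))
```

Carol's case is the point of the example: holding both triples is not enough, because separation of duties is checked against the specific transaction, not just the role. The IVP is deliberately simple (total money is constant) so that any mutation bypassing the TPs, such as editing the balances dict directly, is caught the next time it runs.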
Why This Foundation Matters
These concepts — CIA, GRC, security models — are not just theory for exams. They are the lens through which every real-world security decision is made. When I started seeing attacks and defences through this framework, the whole field started to make sense in a deeper way. This is the vision that keeps me motivated to keep going.