Course 2 – Module 1

“So Who Runs This Place?” — Mapping the Entire Cybersecurity Ecosystem

This module asks a simple question: what is the entire security world actually made of?
And it turns out, there’s a map. A proper one. Not a list of buzzwords, but eight domains that tell you who’s responsible for what, where the risks are, and how to keep an entire system (or company) secure from the top down.

They are the eight domains of the CISSP certification from (ISC)², and together they frame everything a security professional should care about.


The Internet Isn’t Just One Big Place

We hear about hackers on the dark web or “leaked PII” without really grasping where all that exists.

  • Surface Web is the part search engines index and where most everyday browsing happens: Google, Instagram, Wikipedia.
  • Deep Web is everything search engines don’t index because it sits behind a login, paywall, or internal network: password-protected platforms, academic databases, company intranets. It is far larger than the surface web and mostly mundane.
  • Dark Web is a small slice of the deep web reachable only through anonymity networks such as Tor. You can’t Google it, and while it has legitimate uses, its anonymity is what attracts criminal markets and leak sites.

Now imagine this messy web holds everything from personal identities to confidential government data. And each data type carries a different level of risk if compromised:

  • A leaked credit card? That’s financial loss.
  • A stolen passport scan? That’s identity theft.
  • A hacked medical system? That’s reputation damage, lawsuits, and in the worst case patient safety and human lives.

PII vs SPII

  • PII (Personally Identifiable Information): Name, email, phone number, stuff that can identify you.
  • SPII (Sensitive PII): health records, financial account numbers, biometrics, government ID numbers. Exposure causes direct, hard-to-reverse harm (you can change a password, not a fingerprint), so it needs stricter controls: encryption, tighter access, masking in logs.

So how do you keep this world in order? You need structure. And that’s where the eight CISSP domains come in, like departments in a highly secure, hyper-functional digital organization.


Domain 1: Security and Risk Management

(The Strategy Office of Cybersecurity)

This is where the rules are written, the ones that answer: how much risk can we live with? What do we protect first? How do we keep the business running when things go south? This domain governs everything from compliance with laws and regulations (GDPR, HIPAA) to risk appetite, the code of ethics, and business continuity planning.

It’s not about fixing tech, it’s about building policies that align security with business goals, and protecting against financial loss, identity breaches, and reputation damage, the three big impacts of risk.

Why It Matters:
This domain ensures that even during a breach, the business can recover, stay compliant, and protect people’s trust.


Domain 2: Asset Security

(The Inventory and Labeling Department)

Once you’ve defined what matters in Domain 1, Domain 2 is about classifying, labeling, and securing it. Data, devices, documents, you name it. This domain ensures assets are handled according to their sensitivity and value across the whole lifecycle, from creation through storage and sharing to destruction.

Why It Matters:
If you don’t know what your crown jewels are or where they live, you can’t protect them. This domain brings order to the chaos.

Domain 1 defines what needs protecting at an organizational level and why, then sets policies.

Domain 2 handles how those specific assets are treated, stored, and labeled on a day-to-day basis.
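To make the PII vs SPII distinction above and Domain 2’s “label it, then handle it accordingly” concrete, here is a small added example (my own code, not from the course) that classifies the fields of a record and applies a handling rule before the record is written to a log. The field names, the three labels, and the redaction rules are assumptions for illustration; the payment-card check is the real Luhn checksum, which is why a 16-digit order number that happens to pass it would also be flagged (the conservative failure mode).

```python
import re

# Classification labels, least to most sensitive. Assumed for this example, not a standard.
PUBLIC, PII, SPII = "PUBLIC", "PII", "SPII"

# Field-name hints: a cheap first pass based on typical app schema names (assumed).
SPII_FIELDS = {"ssn", "passport", "card_number", "diagnosis", "fingerprint"}
PII_FIELDS = {"name", "email", "phone", "address"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")          # US SSN layout


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum used by payment card numbers."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_field(name: str, value: str) -> str:
    """Classify one field: content patterns win over the field name, because
    sensitive data often ends up in fields that were never meant to hold it."""
    key = name.lower()
    raw = value.replace(" ", "").replace("-", "")
    if SSN_RE.match(value) or luhn_valid(raw):
        return SPII
    if key in SPII_FIELDS:
        return SPII
    if key in PII_FIELDS or EMAIL_RE.match(value):
        return PII
    return PUBLIC


def redact(value: str, level: str) -> str:
    """Handling rule per label: SPII is fully masked, PII keeps a short tail so
    support staff can still correlate records, PUBLIC is untouched."""
    if level == SPII:
        return "[REDACTED-SPII]"
    if level == PII:
        tail = value[-3:] if len(value) > 3 else ""
        return "***" + tail
    return value


def classify_record(record: dict) -> dict:
    """Return {field: (label, log-safe value)} for a record."""
    out = {}
    for name, value in record.items():
        level = classify_field(name, str(value))
        out[name] = (level, redact(str(value), level))
    return out


if __name__ == "__main__":
    # Constructed sample record; the card number is the well-known Visa test number.
    sample = {"username": "alice", "email": "alice@example.com",
              "phone": "555-0100", "card_number": "4111 1111 1111 1111"}
    for field, (label, safe) in classify_record(sample).items():
        print(f"{field:12} {label:7} {safe}")
```

The point is the order of operations: classify first, then let the label, not the programmer’s mood, decide how the value is stored, shown, or logged.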


Domain 3: Security Architecture and Engineering

(The Blueprint and Bricks Team)

This is the domain where security is built in, not bolted on. It focuses on the design and internal structure of systems and asks: is layered security (defense in depth, a long-standing design principle that OWASP also lists among its secure design principles) built into the architecture, or does everything hinge on one control that must never fail?

Why It Matters:
This domain turns abstract policies into actual, defensible systems that are hard to break and easy to maintain.


Domain 4: Communication and Network Security

(The Traffic Controller of the Digital Highway)

Now that systems are in place, how do they talk to each other safely? This domain controls how data moves: routers, firewalls, VPNs, TLS, and wireless protections. It ensures traffic is authenticated, authorized, and encrypted.

Why It Matters:
If Domain 3 built the roads, this one manages the intersections and toll booths, making sure bad actors can’t hijack your data mid-transit.


Domain 5: Identity and Access Management (IAM)

(The Doorman Who Checks Every ID)

IAM controls who can do what, where, and when. It’s not just about passwords, it includes multi-factor authentication (MFA), biometrics, role-based access, and privileged access management.

Why It Matters:
This domain ensures that access is intentional, least-privilege, and auditable, which is often the difference between a contained mistake and a major breach.
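An added example (mine, not the course’s) of what “intentional and auditable” looks like in code: a deny-by-default role-based authorizer that records every decision and demands a fresh MFA check before privileged actions. The roles, permissions, and the set of actions that require step-up are constructed for the example, not a real policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permitted "action:resource" pairs. Anything not listed is denied.
# Constructed roles and permissions for illustration only.
ROLE_PERMISSIONS = {
    "viewer":  {"read:report"},
    "analyst": {"read:report", "read:alert", "update:alert"},
    "admin":   {"read:report", "read:alert", "update:alert", "delete:report", "manage:user"},
}


@dataclass
class Principal:
    user: str
    roles: set
    mfa_verified: bool = False     # set by the authentication layer after a recent MFA prompt


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)
    # Actions privileged enough to require step-up MFA (an assumption for this example).
    step_up_actions: set = field(default_factory=lambda: {"delete", "manage"})

    def is_allowed(self, principal: Principal, action: str, resource: str) -> bool:
        """Authorize an action. Every decision, allowed or denied, goes to the audit log."""
        perm = f"{action}:{resource}"
        granted = any(perm in ROLE_PERMISSIONS.get(r, set()) for r in principal.roles)
        reason = "granted by role" if granted else "no role grants permission"
        if granted and action in self.step_up_actions and not principal.mfa_verified:
            granted, reason = False, "step-up MFA required"
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": principal.user,
            "action": perm,
            "decision": "ALLOW" if granted else "DENY",
            "reason": reason,
        })
        return granted

    def denials_for(self, user: str) -> int:
        """Count denied decisions for a user; a spike is either probing or a broken role."""
        return sum(1 for e in self.audit_log
                   if e["user"] == user and e["decision"] == "DENY")


if __name__ == "__main__":
    ac = AccessControl()
    bob = Principal("bob", {"viewer"})
    alice = Principal("alice", {"admin"})
    ac.is_allowed(bob, "read", "report")
    ac.is_allowed(bob, "delete", "report")
    ac.is_allowed(alice, "delete", "report")       # denied: no recent MFA
    alice.mfa_verified = True
    ac.is_allowed(alice, "delete", "report")       # allowed
    for entry in ac.audit_log:
        print(entry["user"], entry["action"], entry["decision"], "-", entry["reason"])
```

Two design choices carry the weight here: an unknown role grants nothing rather than something, and denials are logged just like approvals, because the denied attempts are usually the interesting ones during an investigation.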


Domain 6: Security Assessment and Testing

(The Quality Control Department)

What good are defenses if they’re never tested? This domain manages vulnerability assessments, penetration tests, code reviews, and audit reports. It also ensures continuous monitoring and testing against evolving threats.

Why It Matters:
Without testing, security is just a guess. This domain proves whether controls work before attackers do.


Domain 7: Security Operations

(The Day-to-Day Cyber Response Team)

This is where security comes alive. From incident response, log monitoring, and forensics to SIEM tooling, this domain executes the strategy in real time. It includes playbooks, chain of custody, SOC teams, and alert triage.

Why It Matters:
You can’t prevent everything, but you can detect early and respond fast. This domain keeps the organization’s pulse.
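Detection is the part of Domain 7 that is easiest to show in code, so here is an added example (my own, not from the course) of the kind of rule a SOC would run over authentication logs: flag a source IP that racks up too many failed logins inside a short window, and raise a louder alert if a successful login follows that burst. The log lines are constructed in an sshd-like format, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in an sshd-like format. Not real traffic; the addresses
# are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-05-01T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-05-01T10:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51128 ssh2
2024-05-01T10:00:07 sshd[1201]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:09 sshd[1201]: Accepted password for root from 203.0.113.7 port 51132 ssh2
2024-05-01T10:05:00 sshd[1202]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T10:20:00 sshd[1203]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-05-01T10:20:30 sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line: str):
    """Turn one log line into a dict, or None if it is not an auth event we track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window rule: alert once per IP when `threshold` failures land inside
    `window_seconds`, and again if that IP then logs in successfully."""
    failures = defaultdict(deque)     # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("BRUTE_FORCE", ev["ip"], ev["user"], ev["ts"]))
        elif ev["ip"] in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_brute_force(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:26} ip={ip} user={user}")
```

On the sample, the first host trips the rule on its fifth failure and then produces the higher-severity alert when the password finally works; the second host’s two failures fifteen minutes apart never reach the threshold, which is exactly the difference between a forgotten password and an attack.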


Domain 8: Software Development Security

(The Developer Who Codes with Security in Mind)

This domain trains teams to write secure code, avoid common pitfalls like the OWASP Top 10, and build security into every phase of the software development life cycle (SDLC) rather than testing for it at the end. It also governs version control, code signing, and secure release practices.

Why It Matters:
Many breaches start with an exploitable flaw in application code. This domain ensures the software doesn’t become a soft target.


Risk Management with NIST RMF

This module also introduced NIST’s Risk Management Framework (RMF), described in NIST SP 800-37 Revision 2. Older summaries list six steps, but Revision 2 (2018) added Prepare in front, so the current framework has seven:

  1. Prepare: Get the organization and the system ready: roles, risk strategy, priorities.
  2. Categorize: What kind of system/data are we talking about, and what is the impact if it is compromised?
  3. Select: Choose appropriate security controls.
  4. Implement: Put those controls in place.
  5. Assess: Test the controls.
  6. Authorize: A senior official accepts the residual risk and approves the system for use.
  7. Monitor: Continuously track effectiveness and reassess as the system and threats change.

It’s not linear, it’s ongoing. Like software updates, your security posture should evolve with your threat landscape.


Final Thoughts: This Isn’t Just Tech, It’s Strategy

What stood out in this module wasn’t how many tools I’d need to master; it was how interconnected everything is. Security isn’t one person’s job. It’s a system of specialists working across domains: legal, infrastructure, development, response teams, and executives.

The NIST Risk Management Framework (RMF) also made more sense now. It’s not a one-time checklist; it’s a continuous process that every domain plugs into.


What I’m Taking Forward

  • Understanding the CISSP domains gave me a mental map of cybersecurity: not just what’s possible, but what’s needed.
  • And I finally feel like I’m not just learning random concepts. I’m seeing how the real-world responsibilities of security pros align with these domains and how I can grow into one of them.