
The Onion Effect in security: why penetration resistance isn’t enough

  • Writer: I-Mitigate
  • May 3

For decades, security strategy in many organisations has revolved around a simple principle: keep the threat out. Build strong fences. Lock the doors. Install cameras. Encrypt the servers. The idea being that if you stop the intruder at the perimeter, the rest will take care of itself.


But in today’s threat landscape, rife with insider risks, cyber-physical convergence, and intelligent adversaries, that mindset is not only outdated, it’s dangerous.

The real world is not binary. It isn’t just secure or breached. It’s layered. It’s messy. It’s full of unknowns. And that’s why resilience beats resistance.


Enter: The Onion Effect.


Perimeters are important, but they're not a strategy


The "bulletproof" mindset is common in legacy systems and traditional security cultures. It imagines that a single hardened layer, be it a perimeter fence, firewall, or biometric gate, can stop all threats.


This works until one point fails. And it only takes one.


  • An unlocked side door.

  • A USB stick left unattended.

  • A vendor with elevated system access and no vetting.

  • A fatigued staff member who lets someone “tailgate” through a secure entry.


All it takes is one breach for the bullet to penetrate, and suddenly, your entire business operation is exposed.


This kind of over-reliance on penetration resistance (fortifying the outside) is like hanging your entire business model on a single, brittle point of failure.



The Onion Model, defence in depth for the real world


Unlike the bulletproof mindset, the onion approach builds multiple, overlapping layers of defence, each one able to delay, detect, or deflect threats independently of the others.

This isn’t just about adding more locks or cameras. It’s about designing your business operations with layered resilience at every stage.


Why it’s called the “Onion Effect”


The term “Onion Effect” comes from the structure of an onion itself, built in layers, each wrapping around the next. In security, it represents the concept of defence in depth: a strategy where no single system or barrier is relied upon alone. Instead, multiple security layers (physical, procedural, technical, and human) are stacked to work in tandem.

Just like peeling an onion, an intruder or threat must get through each layer before reaching the core. And if one layer fails? The others remain active, adding friction, delay, and visibility. It’s a model that embraces failure as a possibility, and prepares for it through redundancy, compartmentalisation, and adaptive response.


The Onion Effect has been a cornerstone of security philosophy for decades, but as threats grow more complex and interconnected, the model must evolve. Static layers aren't enough; modern security layers must be dynamic, context-aware, and constantly updated to match the pace of change.


Layering in business reality


Modern organisations must embrace security as a multi-domain system, not a product or line item. Here’s how that breaks down:


1. Physical Layers

  • Secure perimeters, controlled entry points, and spatial design that guides human flow.

  • Inner zones with increasing access restrictions (not all staff need access to everything).

  • Hardened storage or server areas located internally, not at external-facing locations.


2. Digital Layers

  • Firewalls, intrusion detection systems, segmentation of networks.

  • Endpoint protection that doesn’t rely solely on user vigilance.

  • MFA and access logs that flag anomalies, not just grant access.


3. Human Layers

  • Background checks and vetting procedures for staff and vendors.

  • Tiered access control: not everyone needs to see or touch everything.

  • Ongoing training: not once a year, but as part of business rhythm.


4. Procedural Layers

  • Crisis protocols for lockdown, isolation, and communication.

  • Clear escalation paths that don’t rely on one person.

  • Tabletop drills and red team testing that simulate breach scenarios.
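The physical, digital and human layers above can be expressed as independent checks on a single access decision. The following is an added illustration (not I-Mitigate's code or product): nested zones with tiered clearance, a compartmentalisation check that refuses entry to an inner zone when there is no record of entering the enclosing zone (the tailgating case), MFA on the core, and a log that keeps every refusal visible. Zone names, levels and badge holders are constructed for the example.

```python
"""Layered ("onion") access evaluation. Added example; zones and badges are constructed."""
from dataclasses import dataclass, field

ZONES = {"perimeter": 1, "office": 2, "server_room": 3}  # constructed nesting, outer to inner
MFA_REQUIRED_LEVEL = 3                                   # the core demands a second factor


@dataclass
class Badge:
    holder: str
    clearance: int  # highest zone level this badge may enter (tiered access)


@dataclass
class Evaluator:
    present: dict = field(default_factory=dict)  # holder -> deepest zone level entered so far
    log: list = field(default_factory=list)      # every decision, allowed or denied

    def request(self, badge, zone, mfa_ok=False):
        level = ZONES[zone]
        reasons = []
        # Layer 1 (human/procedural): tiered clearance, not everyone needs everything.
        if badge.clearance < level:
            reasons.append("insufficient clearance")
        # Layer 2 (physical compartmentalisation): you cannot be in an inner zone
        # without a recorded entry to the zone that encloses it (catches tailgating).
        if level > 1 and self.present.get(badge.holder, 0) < level - 1:
            reasons.append("no recorded entry to enclosing zone (possible tailgate)")
        # Layer 3 (digital): MFA is mandatory for the innermost zone.
        if level >= MFA_REQUIRED_LEVEL and not mfa_ok:
            reasons.append("mfa required")
        decision = "ALLOW" if not reasons else "DENY"
        self.log.append((badge.holder, zone, decision, tuple(reasons)))
        if decision == "ALLOW":
            self.present[badge.holder] = level
        return decision, reasons

    def anomalies(self):
        """Denied requests are the anomalies the access log should surface."""
        return [entry for entry in self.log if entry[2] == "DENY"]


def walkthrough():
    """Two scenarios: a contractor who tailgates past the perimeter, and a cleared
    engineer who reaches the core only after each layer is satisfied."""
    ev = Evaluator()
    contractor = Badge("contractor", clearance=1)
    engineer = Badge("engineer", clearance=3)
    ev.request(contractor, "office")                  # tailgated in: denied, logged
    ev.request(engineer, "perimeter")
    ev.request(engineer, "office")
    ev.request(engineer, "server_room")               # no MFA: denied
    ev.request(engineer, "server_room", mfa_ok=True)  # all layers satisfied
    return ev
```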


Businesses don’t fail from breach alone; they fail from unpreparedness


Let’s get real: breaches happen. Whether digital or physical, no business is immune. But what separates minor disruption from catastrophic failure is how the organisation responds after the breach begins.


If your business:

  • Depends on a single person to make decisions,

  • Has no plan for internal isolation of a threat,

  • Can’t account for who has access to what,

  • Lacks backup systems when primary controls fail...

...then no bulletproof fence will save you.


Security must be operationalised and modernised. That means designing for current threats, emerging tactics, and human limitations, not simply following what worked five years ago.



Resilience is what keeps you in business


In a corporate context, resilience isn’t just a technical issue; it’s a leadership one.

Executives and operational leaders must stop thinking of security as a “departmental responsibility” and start treating it as a strategic capability. The Onion Effect applies across the entire structure of the business:


  • Board-level decisions on where to store data, outsource logistics, or open new offices must factor security into the ROI.

  • HR procedures must link to threat modelling. Insider risk is real.

  • Facilities management must understand access control, camera placement, and traffic flow, not just janitorial schedules.


It's about agility, not rigidity.


Conclusion: design for the breach, not just the barrier


The bullet looks for one way in. The onion assumes there will be many, and prepares for each one.


Businesses that rely solely on outer defences are playing a high-stakes game with thin margins for error. But those that layer their security, review and update continuously, and build operational depth are the ones that endure, even when the attack comes.

The onion model isn’t outdated. But like any strategy, it must be dynamic. Layered security isn’t something you install once. It’s something you live by, every day.
