Bandler’s Four Pillars of Cybersecurity

My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:

  1. Knowledge and awareness of cybercrime threats, information security, technology, and legal requirements
  2. Protection of computing devices
  3. Protection of data
  4. Protection of networks and safe use of the internet.

The beauty of this conceptual framework is its simplicity and efficiency. It is understandable and accessible to every person, from the newest hire to the head of the organization, and importantly for those without a technical background. That is essential because cybersecurity is for everyone, from the end users to the leaders who make important decisions about information assets. The Four Pillars of Cybersecurity involves focus on these important areas, with continual and cyclical growth and improvement. Let’s review each pillar.

1. Knowledge and awareness

Imaging trying to secure your home without knowledge of how a door operates, or how to engage the lock. Imagine trying to drive a car safely without understanding basic principles of how a car works, rules of the road, or the basic rules of physics that we learn with common sense (e.g. we cannot navigate that curve at 100mph, nor can we survive a crash at that speed).

Every employee needs a degree of knowledge and awareness to make good decisions. The employee’s lack of knowledge might result in a devastating cybercrime. The organization head’s lack of knowledge might result in disastrous decisions regarding information technology and security.

Knowledge and awareness should extend to:

2. Protection of computing devices

Computing devices need to be secured. This includes smartphones, tablets, laptops, desktops, servers, networking devices, and more. This means:

3. Protection of data

Data needs to be protected from data breach, and needs to be available when needed. Certain data breaches could trigger reporting requirements. This means:

4. Protection of networks and safe use of the internet

Data is constantly flowing between our internal devices and through the internet. Key concepts include:

A quick word on other cybersecurity and information security frameworks

There are many cybersecurity frameworks out there, which I will discuss in more detail in a future article. These other frameworks are written by excellent teams of smart people in excellent organizations, but are geared for readers with a high degree of technology and information security knowledge, and for organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most smaller and mid sized organizations to implement. In contrast, my Four Pillars framework is perfect for individuals, small organizations, and many medium sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted. Should an organization using the Four Pillars framework increase in size and maturity to the point where it requires a more complex framework, it is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework, or the CIS Twenty Critical Security Controls.


My Four Pillars of Cybersecurity will serve individuals, small businesses, and most medium sized businesses well. The framework is also conceptually helpful for individuals in larger organizations to help understand basic cybersecurity principles.

This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for anyone in need of a quick summary, including students, clients, and those seeking to learn about and improve their cybersecurity. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

Additional Reading & Learning

This article is also hosted at my website at, where I include links for additional reading, and it may be kept more current and with improved formatting.

Copyright John Bandler, all rights reserved.

Posted 8/18/2021. Updated 9/17/2021.

Attorney, consultant, author, speaker. Cybersecurity, investigations (including of cybercrime), and more. Find me at