I’ve had some recent conversations that lead me to believe there may be some misunderstanding of the term defense in depth. Some practitioners may propose that this is a simple architecture that translates into a specific finite set of products and architectures. In a note I wrote last year (which is currently being updated) I used the term to bolster the support that our clients (for example a security manager, engineer or architect) may need to be able to increase their security capabilities (see Best Practices for Mitigating Advanced Persistent Threats). When some practitioners hear this term (especially those that are senior) they cringe and sometimes have the reaction or believe that its “old school” philosophy. I disagree. I’m saddened when I hear that some security practitioners seem to have abandoned this concept, in fact I feel it may need to be expanded.
- Defense In Depth – Implement preventative controls as much as possible/affordable.
Should we expand the terms used to be (DDR):
- Defend In Depth – Implement preventative controls as much as possible/affordable.
- Detect In Depth – Implement detective controls as a final “last straw” approach.
- Respond in Depth – Respond as quickly as possible to avoid the negative effects of security control failures.
Should practitioners expand their thinking and this new strategic approach to their security programs?
What are your own thoughts?
Read Complimentary Relevant Research
Five Golden Rules for Creating Effective Security Policy
Policy writing is a risk communication exercise that is frequently performed by people who lack the skills needed to create good security...
View Relevant Webinars
Fundamental Principles of Software Asset Management
Whether you've got too much software or not enough, uncontrolled software costs are a drain on your IT department, consuming resources...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.