Defense in Depth: An Impractical Strategy for a Cyber-World

Businesses and Information Technology Security Professionals have spent a tremendous amount of time, money and resources to deploy a Defense in Depth approach to Information Technology Security. Yet successful attacks against RSA, HB Gary, Booz, Allen & Hamilton, the United States Military, and many others are examples of how Defense in Depth, as practiced, is unsustainable and the examples show that the enemy cannot be eliminated permanently. A closer look at how Defense in Depth evolved and how it was made to fit within Information Technology is important to help better understand the trends seen today. Knowing that Defense in Depth, as practiced, actually renders the organization more vulnerable is vital to understanding that there must be a shift in attitudes and thinking to better address the risks faced in a more effective manner. Based on examples in this paper, a change is proposed in the current security and risk management models from the Defense in Depth model to Sustained Cyber-Siege Defense. The implications for this are significant in that there have to be transitions in thinking as well as how People, Process and Technology are implemented to better defend against a never ending siege by a limitless number and variety of attackers that cannot be eliminated. The suggestions proposed are not a drastic change in operations as much as how defenses area aligned, achieve vendor collaboration by applying market pressures and openly sharing information with each other as well as with federal and state agencies. By more accurately describing the problems, corporations and IT Security Professionals will be better equipped to address the challenges faced together.