
Defense in Depth: An Impractical Strategy for a Cyber World

Businesses and Information Technology Security Professionals have spent a tremendous amount of time, money and resources to deploy a Defense in Depth approach to Information Technology Security. Yet successful attacks against RSA, HB Gary, Booz, Allen and Hamilton, the United States Military, and many others show that Defense in Depth, as practiced, is unsustainable and that the enemy cannot be eliminated permanently. A closer look at how Defense in Depth evolved and how it was made to fit within Information Technology helps in understanding the trends seen today. Knowing that Defense in Depth, as practiced, actually renders the organization more vulnerable is vital to understanding that attitudes and thinking must shift in order to address the risks faced more effectively. Based on examples in this paper, a change is proposed in the current security and risk management models, from the Defense in Depth model to Sustained Cyber-Siege Defense. The implications are significant: there have to be transitions in thinking, as well as in how People, Process and Technology are implemented, to better defend against a never-ending siege by a limitless number and variety of attackers that cannot be eliminated. The suggestions proposed are not so much a drastic change in operations as a change in how defenses are aligned, in achieving vendor collaboration by applying market pressures, and in openly sharing information with each other as well as with federal and state agencies. By more accurately describing the problems, corporations and IT Security Professionals will be better equipped to address the challenges faced together.

33896 (PDF, 2.01MB)

20 Feb 2012
By Prescott Small
All papers are copyrighted

No re-posting of papers is permitted
