The term “Defense-in-Depth” has been around for a long time and is sometimes difficult to define. The best definition I’ve heard comes from Chris Cochran: “Defense in depth is about more than protecting your perimeter, it’s about adding defenses as you get closer to your critical assets.”
In other words, to have deep defenses against cybersecurity threats, your cybersecurity philosophy cannot rely solely on having the technical pieces, such as Network Intrusion Detection (NID) and Host-based Intrusion Detection (HID), in place; it must also have processes and an incident response framework to complement them. The reverse is also true: an organization can’t just have IT Service Management without the technology to back it up. You have to have both.
There is also a third aspect required for any Defense-in-Depth strategy to be successful: getting buy-in from the people who have to work within these parameters. This can be the most difficult part of the puzzle, and achieving this balance takes real care to get right.
So, how do you get it right?
It is a matter of training and balancing the processes with the technology so that daily tasks can be executed smoothly and efficiently. To find that balance, you need to foster the right culture first: your organization needs to embed cybersecurity into its culture. Ultimately, it doesn’t matter how good your processes and technology implementations are; if there is no buy-in, people will work around your cybersecurity initiatives, creating vulnerabilities.
Solving your cybersecurity challenges must begin with fostering the right culture before doing anything else. Creating and sustaining a solid cybersecurity culture starts with your people, coupled with solid processes and advanced technology.