by ukigumo 4145 days ago
Hi, IT Architect with a history of several major financial institutions here.

Defence in depth is a placebo. Separation of concerns, principle of least privilege, honeypots, SIEM, file integrity monitoring, host intrusion detection, IDS/IPS on all your ingress and egress points, WAF, content filtering and a responsive and empowered SOC capable of acting on auditing events will get you half way to not showing up on the front cover of NY Times.

The problem is that it takes money to keep money safe, and too much security is often not secure at all, so putting everything together in a way that doesn't motivate your users to find new and exciting ways to bypass your controls is an art in itself.

Would love to discuss some of these things with you, any chance I can interview you for my blog?


Agreed, there's no silver bullet. However, I don't think spending money to feel better is much of an alternative. It feels to me as if internal process design in security-conscious organizations is probably more important than actual systems design... which could be summarized as knowing when not to take shortcuts. Please do get in touch, I'd be happy to chat. Email in profile.