Defense-In-Depth Thinking
One of my dad's favorite expressions was "belts and suspenders", or in other words, you can't go wrong with a backup. "Belts and suspenders" is defense-in-depth thinking: using redundant means to address each control (technical, physical, and administrative). However, redundancy is not cheap.
One CISO I know keeps an Excel sheet with a list of the 98 NIST controls. He keeps notes on each control, along with a list of capabilities or technology and/or outstanding issues for each control. When he is evaluating software, he will sometimes pull up the Excel sheet to remind himself of all the needs, even the ones that are not on fire.
When buyers understand their needs in terms of all their physical, technical, and administrative controls, they can look at cybersecurity solutions holistically and identify innovative ways to leverage those solutions to address other controls. When solution providers and security buyers use defense-in-depth thinking, they can together find innovative ways to make the most of every dollar spent on security.