The concept of “defense in depth” gets thrown around a lot in cybersecurity, to the point that it is gospel for many practitioners.
But this concept is broken and even dangerous when applied in industry, in a civilian blue team security context.
Defense in depth is a military concept. One of the core pillars of the idea of defense in depth is the ability to counterattack.
Let me repeat that: defense in depth includes the ability to counterattack.
But as civilian defenders we are forbidden from attacking anyone, ever, for any reason. No exceptions. Period. The law forbids it.
So we arrange our defenses in a three-layer Swiss cheese model against 0-days and mutter about unknown unknowns and insist that we are applying defense in depth.
We are not.
It is dangerous to even call this defense in depth.
Layered defense, perhaps.
And this is not a pedantic difference. Defense in depth means you can shoot back. Layered defense means you have a shield wall, but no swords or spears, and the enemy can attack you over and over and over again with little to no consequence whatsoever.
All metaphors break down under close examination; they are intended to inspire, not to serve as a roadmap. And I’m self-aware enough that I don’t want to be that guy who criticizes metaphors for being imperfect (when all metaphors are imperfect).
But all the same I think this is a striking and important difference that civilian defenders need to be conscious of. If you’re working in the military for the US Cyber Command—fine. You literally can fire back.
But relying overmuch on the metaphor of “defense in depth” in a civilian context can lead us astray, and give us a false sense of comfort where none exists.
What’s the moral of this story? Like always, don’t take metaphors as gospel, solve the real world problems in front of you, and think for yourself.