A lot of ICT security musings don’t take into account that before being “ICT”, security is first “security”. This means that in designing a strategy, the “security architect” should know the basic meaning of the word: preventing threats and, if the worst happens, terminating the threat as fast and ruthlessly as possible.
Often this is not possible in ICT security because the attacker is largely unknown and safe from any direct counteraction, thus leaving “passive” security as the only option for the victim (apart from the legal consequences of an “offensive security” approach).
Nevertheless, the active-defender mindset should always be on, even in the case of a purely passive approach.
But what is the “active-defender mindset” all about?
Well, an answer can come from the psychological military training methods used to teach how to kill the enemy, described in a very pragmatic book, On Killing by Dave Grossman.
To end a threat the defender must accept the possibility of doing so by killing the enemy. This means that in case of attack, the mindset should be “surviving” rather than “fighting”.
A “fighting” attitude is good for sport (there are rules, you step into the ring at peak condition, a referee can stop the match, etc.) while a “surviving” mindset saves your life because it makes you ready for whatever the attacker is throwing at you, and fast in ending the attack in a definitive way.
Sounds brutal? Maybe, but this is how “dirty” situations are dealt with.
So, if you are in the ICT Security business, think of your strategy in terms of “surviving” rather than “fighting”.
You will rarely face a situation where a definitive solution is needed, but you will be ready for the Big One nevertheless.
And, remember, when something very bad happens, nobody will credit you for having “fought” bravely.
They will all blame you for having lost.