I talk about defense in depth quite a lot in various blogs and other writing, so my ears twitched when I came across a couple of fairly recent short articles today on the topic:

O'Donnell's point is that hackers hate layered defenses because they have to squander resources breaking through them, though he expands on the topic with some specific suggestions in a further article here.

Ritchey, on the other hand, argues that defense-in-depth implementations fail because they often represent after-the-fact, reactive strategy rather than “baked-in” security. And indeed, it makes sense to design your castle from the ground up before you build it, rather than adding extra walls after you've been attacked.

However, these two viewpoints aren't really contradictory. Defense in depth isn't the opposite of agility or adaptability: forward thinking is itself one of the primary layers of a multilayered defense. A moat-and-wall approach continues to work pretty well against archers and scaling ladders, but the real trick is to be thinking about other, more proactive measures against less-conventional attacks, before a battery of those new-fangled trebuchets or cannons appears on the other side of your drawbridge.

Hat tip to Ron Gula and Anton Chuvakin, who tweeted/retweeted pointers to some of these articles.