"If you think a weakness can be turned into a strength, I hate to tell you this, but that's another weakness."
Deep Thoughts by Jack Handey
This post has been percolating for a few weeks now. Part of it was triggered as I read Taleb's The Black Swan, part of it was triggered by attending the ISSA International Conference a few weeks ago and hearing the same old quips, and part of it was triggered this morning by reading stories about yesterday's DARPA cybersecurity conference.
The challenge of this whole post is going to be keeping a coherent thread, so let me spell it out up front: If "securing networks" is your goal, then I hate to tell you, but you've already failed. A strictly threat-centric approach to infosec is the failed approach we've been using for decades, and it's not going to solve any problems. The real problem is that we've lost sight of what is really important (assets!), and are not constructing our environments, defenses, etc., in a manner that is optimized toward protecting those things. More on this later.