Three Speeches on Cybersecurity by Dan Geer

Therefore, let me give my core prediction for advanced persistent threat: In a world of rising interdependence, APT will not be about the big-ass machines; it will about the little.  It will not go against devices with a hostname and a console; it will go against the ones you didn't even know about.  It will not be something you can fix for any of the usual senses of the English word "fix;" it will be avoidable only by damping dependence.  It cannot and will not be damped by a laying on of supply chain regulations.  You are Gulliver; they are the Lilliputians. My personal definition of a state of security is “The absence of unmitigatable surprise.”  My personal choice for the pinnacle goal of security engineering is “No silent failure.”  You, for all values of “you,” need not adopt those, but I rather imagine you will find that in an Internet of More Things Than You Can Imagine an ounce of prevention will be worth way, way more than a pound of cure.  We have very little time left -- the low-end machines of four years from now are already being deployed.  As Omar Khayam put it a thousand years ago,

The Moving Finger writes: and, having writ, Moves on: nor all thy Piety nor Wit Shall lure it back to cancel half a Line, Nor all thy Tears wash out a Word of it.

There is never enough time. . . .