"First, our focus on security is on the infrastructure itself. So it is all about how you protect the network, the device, and the application that is riding on the server"
About this Quote
Security starts with the substrate. John W. Thompson, long-time cybersecurity leader and former Symantec CEO, is drawing a boundary around what must be hardened first: the network that carries traffic, the devices that run code, and the applications that execute on servers. The message is practical and operational. Before chasing sophisticated threats or abstract frameworks, get the plumbing right.
That priority reflects the enterprise reality of his era and remains relevant today. Networks must be segmented, monitored, and resilient, because a flat, noisy network is an attacker’s freeway. Devices must be configured, patched, and observed, because compromised endpoints become launchpads. Applications must be built and deployed with discipline, because vulnerabilities in the stack are invitations to lateral movement. If those foundations are weak, later layers like data governance, identity controls, or AI-driven analytics rest on sand.
The phrasing also implies a layered model. Each layer depends on the one beneath it. A hardened server with a misconfigured application is still a risk; a perfectly coded app on an unpatched OS is equally fragile. Defense in depth is not a slogan but a dependency chain, where controls reinforce each other: firewalls and microsegmentation at the network, EDR and least privilege at the endpoint, secure coding and runtime protections at the application.
Modern shifts to cloud, containers, and zero trust expand rather than negate the point. The infrastructure may be virtual, shared, and ephemeral, but it still demands protection: VPC design, workload isolation, image hygiene, supply chain verification, and strong identity as the new perimeter. The shared-responsibility model simply changes who owns which part of the stack, not whether it must be secured.
Thompson’s focus is a prioritization strategy as much as a technical one. Start with what everything else depends on. When the bedrock of network, device, and application is sound, higher-order policies actually hold, incident response has room to work, and the business can innovate without courting catastrophe.
That priority reflects the enterprise reality of his era and remains relevant today. Networks must be segmented, monitored, and resilient, because a flat, noisy network is an attacker’s freeway. Devices must be configured, patched, and observed, because compromised endpoints become launchpads. Applications must be built and deployed with discipline, because vulnerabilities in the stack are invitations to lateral movement. If those foundations are weak, later layers like data governance, identity controls, or AI-driven analytics rest on sand.
The phrasing also implies a layered model. Each layer depends on the one beneath it. A hardened server with a misconfigured application is still a risk; a perfectly coded app on an unpatched OS is equally fragile. Defense in depth is not a slogan but a dependency chain, where controls reinforce each other: firewalls and microsegmentation at the network, EDR and least privilege at the endpoint, secure coding and runtime protections at the application.
Modern shifts to cloud, containers, and zero trust expand rather than negate the point. The infrastructure may be virtual, shared, and ephemeral, but it still demands protection: VPC design, workload isolation, image hygiene, supply chain verification, and strong identity as the new perimeter. The shared-responsibility model simply changes who owns which part of the stack, not whether it must be secured.
Thompson’s focus is a prioritization strategy as much as a technical one. Start with what everything else depends on. When the bedrock of network, device, and application is sound, higher-order policies actually hold, incident response has room to work, and the business can innovate without courting catastrophe.
Quote Details
| Topic | Privacy & Cybersecurity |
|---|
More Quotes by John
Add to List
