It should come as no surprise, but Alex Hutton said something smart:
controls that work to prevent threat action by lowering the probability of action are extremely under-appreciated.
Everyone is so focused on reducing vulnerability or impact, which are inherently reactive (and a losing fight to boot; review OODA for why), rather than focusing on the various preventative options and applying those which give the best bang-for-buck, which is where we might actually have a chance to make a difference.
Of course, he also said:
Regular readers will note that we believe controls basically give us some value to prevent/detect/respond to loss events. What we haven’t revealed is that obscurity (or other controls that prevent the probability of threat events) is one preventative measure that actually, in our models, seems to have a boatload of value. Yes, boatload is the qualitative label we use
I would like to take this moment to point out that the man who’s using “boatload” as a term of art took issue with me summarizing unacceptable risks as things for which I “turn projects yellow.” ;-)
HAHAHA, thank you for making me smile. It’s been a tough week.
Chandler Howell Says:
You and me both, but at least it’s Friday night.
alex Says: