I didn't see any mention of a DMZ. What percentage of his company's servers are hardened in the way he describes? What about his users' desktops? There's got to be some point at which one declares that the "administrator" of a computer (an individual user with a laptop, even) must be protected from himself.
What I liked about his argument was that he was actively thinking about threats instead of applying a heuristic of "it's ok -- we have a firewall." With all this said (and asked), I'm no security expert.
What I liked about his argument was that he was actively thinking about threats instead of applying a heuristic of "it's ok -- we have a firewall." With all this said (and asked), I'm no security expert.