The concept is simple, the more obstacles in the way the better. Let me abstract the concept for you…..
…..you put your file in a safe, I crack into the safe.
………you put your file in a safe, and lock the safe in a strong/secure room, I crack the room then the safe.
………..You put the file in the safe, in the room, at the bottom of the ocean, I go elsehere to get a different file!
People often talk to me about controls, and want to know which one is best. The answer typically is either all, none, or both. The more layers you have, the more security you have. But lest we foget the basics, understand the cost of the control vs the cost of the asset through a formal Risk Assessment Process.