Defence in depth: one of the most fundamental and important of military concepts. Whether it's the movement of an infantry section or an entire division, the commanders always retain a portion of their force ready to move up and to support the advancing units.
In the case of castles, the principle is taken to the extreme. Outer walls are defended by strongpoint towers, themselves capable of being defended floor by floor. Within the castle, there are inner and outer walls; barbicans and killing zones; and an inner keep to act as the ultimate, last-ditch defensive position.
Even the coming of gunpowder and cannon didn't do much to remove the need for castle defences. Outer walls were surrounded by deep ditches and traps for the attacking infantry; carefully placed mounds were used to deflect cannon balls; and the surrounding hills, from which an attacker could otherwise have fired their cannon, were themselves topped by smaller fortified positions.
The castle builders understood the principle of defence in depth and it was the fundamental notion behind all of their constructions.
A similar notion has been introduced for the physical security of many establishments, with CCTV, guards, screens, vaults and time-locked safes. Physically, banks and armoured cars are protected to a remarkable degree.
Why then has the philosophy been so difficult to introduce into information security?
Partly, this is because information security is always seen as an "add-on" to a basic design; and partly it's to do with the nature of the measures themselves.
All of the most crucial elements of information security are designed to keep an attacker outside the outermost wall. Firewalls and passwords, smartcards and biometrics: all are intended to make sure that only those who should be on the inside are allowed to be there.
Yet the majority of security problems are caused by those who are already inside that wall. Employees, contractors, partners: these are the people we trust the most, and these are the people who do the most damage. Our defences are like Minstrel chocolates: a hard shell around a soft inner core.
We need to adopt a greater depth of information security, with measures for preventing, detecting and (perhaps most importantly) deterring intruders from proceeding deeper into the information "castle".
Each and every server should be considered a "strongpoint", with its own lines of defence and monitoring; each portion of the network should be firewalled and screened from every other; and intrusion detection systems should monitor everyone who acts on the network.
Some of the supposedly most trusted networks in the UK's Critical National Infrastructure, the finance, transport and utilities networks on which we depend, are not protected from internal abuse.
Correcting this will take time, money and dedication, but the result will be a secure infrastructure and a secure nation. It still might not be completely safe from information warfare and cyber-terrorism, but it will at least be able to provide a plausible defence.
Do you agree?