We love to use analogies to discuss and illustrate information security concepts. We often see people referring to Sun Tzu's Art of War,  mentioning Army combat strategies and using military terms. Well, have you ever considered that information security mixes concepts from two different things, defense (like the Army protecting the borders and interests of a country) and internal security (law enforcement entities, such as police)? Well, anyone that works for one of those entities knows that they apply different methodologies, techniques, concepts and tools. So, shouldn't we be applying this separation in information security too?Here's the idea to consider: Is it worth (valuable? Efficient?) to organize your information security strategy in two different components, Defense and Internal Security? Defense focusing on external Threats, Internal Security on compliance, policy enforcement, access control? Let me know what you think...