Security Engineering vs. Targeted Attacks

In a followup blog post on Zalewski’s security engineering rant, Charles Smutz argues that security engineering cannot solve the problem of targeted attacks:

»Lastly, while it technically would be possible to engineer defenses that would be effective, very few people really want to live the resulting vault in fort knox, let alone pay for the construction.«

(SmuSec:
Security Engineering Is Not The Solution to Targeted Attacks)

So what can security engineering do for us—and what can we do if we want to take reasonable precautions against targeted attacks?

P.S.: This new paper by Cormac Herley might be losely related: The Plight of the Targeted Attacker in a World of Scale. I haven’t read it yet.