Security isn’t just about keeping bad people out

Responsible risk management should assume breaches are inevitable and while effort must be put towards securing boundaries efforts should also be directed to ensuring proper authentication (AuthN) and appropriate authorization (AuthZ) within the system(s).

Trust must be extended to employees and authorized parties but stakeholders in a system should regularly review access to ensure that subjects’ access to resources is valid for business purposes.  

This review cannot ensure appropriate use of information, as Capital One recently found, but it is a responsible step that must be taken.

Automated auditing of systems and well-crafted and tested processes for responding to customers’ feedback about fraudulent use must also be in place.  A final piece of the maturity of a system’s security is the education in order to create a culture of business that’s responsive to the industry in which the business works, creative in efforts to generate value while remaining cognizant of risks and effectively engaged in managing those risks down to the level that the business finds acceptable.