There is another side to the issue of user authorization. Sometimes, a user is authorized to do something organizationally, but the technical controls refuse to allow them to do it. Obviously, this is often because we can't make programs that do everything, but too often, we also decide to limit what a program can do for the sake of security. Security, as we know, is not a one-size-fits-all process, and there are deep problems when we decide very early what security is. This decision is the other side of the Authorized User problem.
Welp, I guess I'm starting a blog today. I want to talk about how we secure systems today, but I don't want to talk about computers; I want to talk about organizations as systems. One of the things that I think haunts infosec is our insistence that technical solutions, computers, and similar automation are the solution to security. I think this is because it's easy to measure, and there's a belief that it's reliable. But today I want to talk about what I see as the core gap in that system.
Because we can't just secure computers