Minimum access - maximum benefit

It is true that we need to have the access necessary to do our job -- not more.

I have always believed in having minimal access for cyber security professionals (including myself). This includes physical access. I believe that companies should minimally trust positions, not people. This should only allow cyber security people to have the access needed to be effective in their positions -- not more.

In a system of compensating controls, I have many times asked for my access to be reduced. While I am trusted in my positions, I shouldn't be. It is my position that should have limited trust, thus limiting the trust of the person in it.

I find the person who is most trustworthy is the person who seeks to have the least trust placed in them. They see the possibility of themselves not being in the position in the future. They care about the future of the organization.

In my training, first as an accountant, the professor mentioned most fraud happens with the bookkeeper. They are often entrusted and liked within an organization. Unfortunately, a few of them have misused that trust to forge signatures on checks made out to themselves. They have also managed to hide the transaction by giving a false description in the books. While one can personally like their bookkeeper, they should not trust the bookkeeper position. There should be compensating controls for the disbursement of funds.

Back to cyber security: give and seek minimal access. Give and seek maximum organizational benefit.



