Re: Not fully convinced
I agree the process should be automated as much as possible. However, the article highlights that security is often an eggshell with nothing behind the shell. Breach the shell, or already be behind the shell (insider), and you can do a tremendous amount of damage.
Security best practices include a layered defense with strict limits on user permissions including admins, user training, and white-hat attacks. Layered defense assumes the outer defenses will be breached and there are more defenses set up behind the crust. Standard military defense doctrine is "defense in depth". Users need training to identify phishing attacks - in person, phone, fax, and email - and how to respond. Also, they need training about basic physical and electronic security - do not assume they know. Irregular, unannounced white-hat attacks will help identify weaknesses to be fixed.