Let's face it: We design our systems to make it easy for users to access information. And we pay much more attention to simplifying access than to ensuring that only authorized users have it.
But companies are now waking up to the fact that the value of their business is inextricably tied to the information in their core systems. And that information can leak out of core systems in much the same way water can leak out of a water heater with a two-inch hole. That is to say, quickly and in large volumes.
An information security or IT administration employee, therefore, must protect the corporate information jewels while not inhibiting access. IT has always had to balance security with usability, but typically hasn't paid much attention to which authorized users could see what information. Yet, in most organizations, most users (authorized or unauthorized) see far more data than they should.