Another problem with LPM, however, is that it is not always simple to decide who should have access to certain applications or areas.
"In an ideal world, the employee's job description, system privileges, and available applications all match," Goerlich said. "The person has the right tools and right permissions to complete a well-defined business process."
"The real world is messy. Employees often have flexible job descriptions. The applications require more privileges than the business process requires," he said. "[That means] trade-offs to ensure people can do their jobs, which invariably means elevating the privileges on the system to a point where the necessary applications function. But no further."
Mark Austin, cofounder and CTO of Avecto, argued in a recent blog post that any worthwhile LPM system has to take into account both security and the user experience. "A poor user experience will inevitably lead to unhappy users and rejection of the solution, regardless of whether it makes the endpoint more secure," he wrote.
Beyond that, experts have varying views on whether more security training is worth the effort. Bob Rudis, who does security training seminars, describes himself as "a fairly outspoken advocate of awareness programs."
"Awareness is a strategic component of a full security program," he said. "It is not enough just to train employees and it's also not enough just to talk to them once about security awareness. It must be a continuous part of the ecosystem and culture in an organization."
Lieberman is less enthused about the effectiveness of training. "In some types of organizations, security awareness is like writing on water," he said. "The U.S. government is an example."
"If you have a dollar in your pocket I would tell you to spend it on data loss detection, not on fancy access management tools," he said.
That doesn't mean he thinks employees should be given a pass, however. "I would not waste time on security awareness training, but I would have the top management lead by example and make it clear that abuse of the company acceptable-use policy will lead to immediate termination without severance," Lieberman said.
"Like [ex-Intel chairman and CEO] Andy Grove once said, 'a little fear in the workplace is not a bad thing.'"