Field Notes · Analysis · 26 May 2026

Power Asymmetry as Attack Surface

Rob Pinna Global Synthesis · Structural Risk · CTI

A pattern across well-documented breaches and across less-documented territories.

Marriott acquired a network and removed the people who could read it. MGM built a helpdesk operated by people who could not refuse the calls the policy was designed to refuse. Target drew a security boundary that did not include the contractors who held the keys to the back door. Booking.com built a trust architecture in which no actor in the chain could verify the actor next to them. DarkHotel found the place where every link in the business travel chain had already conceded the territory. Across the Maghreb, infrastructure is administered by people whose names appear on no contract, in scans that return clean because the methodology was built for a different geography, on devices sold for the price of a meal.

These cases are expressions of the same structural feature. Organisations and territories distribute power according to internal logic, which means they also distribute attention according to internal logic. The distribution of attention is the map of the security perimeter, and that map is rarely drawn by the people who would draw it differently.

Security work that addresses controls without addressing the asymmetries that produced the controls reproduces the same blind spots in stronger form. A helpdesk with new verification procedures is a helpdesk where the same call will still succeed if it sounds important enough. A vendor portal with MFA is a vendor portal whose vendors are still treated as facilities. A network with EDR on every endpoint is a network whose institutional knowledge has been reduced to documentation no one has time to read. A scan that reports low exposure in a CGNAT region is a scan that returned only what its tools could see.

The technical layer is observable, measurable, and addressable, and it is where most of the work goes. The layer below decides whether it holds.

That layer is read the same way a network is read: by people who have spent enough time inside it, whether the structure of an organisation or the texture of a place, to know which patterns are normal and which are not.

The organisations and the analyses that get this right tend to share one feature: they do not separate the people who design the controls from the people who live inside them.

Note

This post is a synthesis. It introduces no new factual claims and relies entirely on the case material established in the preceding posts in this series. Each case reference is a shorthand for material sourced and documented in its own post.