Brandon01/12/2021, 6:07 PM
Brandon01/13/2021, 12:03 AM
is only defined as users knowing what any tool that could potentially collect sensitive information does and displays an audit to them. I think most users would get irked if they had to review every tool that does this. OSquery/EDR/AV/HR/IT tools... this would create lots of friction. Also, I feel the following statement by the author is not based on facts but a bias driven opinion.
I think most users will say that they know the security/it/hr team collects information (although they may say they don't know what) and that it is part of the job. I believe users should assume
But what about the most common case, when end-users answer "no?"
. I do like the transparency piece where if a user wants to know more then they should visit the team's office hours or just ping them.
I think most users will say that they know the security/it/hr team collects informationYes, I agree with this. But this was not the question I posed is, Do you know if your organization looks at your web browser history? Most people cannot answer that question correctly. This is not bias but fact. There are no prominently distributed tools that enable user-accessible audit logs of how the security tools are used. I am a major advocate for this.
I believe users should assumeAssuming positive intent is a good thing, I agree users should not assume their security team is out to abuse the power they have. But simply assuming positive intent is not a system that provides any accountability for the security team. This is why we advocate for allowing users to understand how and when tools are being used by the security team. This doesn't mean their permission is required for each action. But it does mean they can pull the audit log anytime they wish to look at it.
I do like the transparency piece where if a user wants to know more then they should visit the team's office hours or just ping themThis is a good start but the key to making this work is not gating the transparency to those who have the courage to ask a member of the security team. Making someone ask the team, "can you show me what queries you ran on my device this month?" to get that information is going to result in people not asking. The key to is give them this info on-demand. There are a minority of organizations out there looking for tools like this. But my mission is to educate end-users to demand this visibility of their security teams. I think it's the key to building a much healthier relationship between end-users, IT, and security.