#core

Brandon

01/12/2021, 6:07 PM
^ I feel like end users should not be aware of the monitoring solution in place, but rather of the consent to monitor that the company provides.
6:09 PM
Products like Kolide should have a way of giving admins toggle switches for the above so they can align that to their company's policy.

Brandon

01/13/2021, 12:03 AM
I think the author inserts a few biases into this. Overall, I do not feel that honest security is only defined as users knowing what any tool that could potentially collect sensitive information does and displaying an audit to them. I think most users would get irked if they had to review every tool that does this. OSquery/EDR/AV/HR/IT tools... this would create lots of friction. Also, I feel the following statement by the author is not based on facts but is a bias-driven opinion.
But what about the most common case, when end-users answer "no?"
I think most users will say that they know the security/IT/HR team collects information (although they may say they don't know what) and that it is part of the job. I believe users should assume positive intent. I do like the transparency piece where, if a user wants to know more, they should visit the team's office hours or just ping them.
terracatta

01/13/2021, 2:37 AM
Full disclosure, I am the author of honest.security.
I think most users will say that they know the security/it/hr team collects information
Yes, I agree with this. But this was not the question I posed. The question was: Do you know if your organization looks at your web browser history? Most people cannot answer that question correctly. This is not bias but fact. There are no prominently distributed tools that enable user-accessible audit logs of how the security tools are used. I am a major advocate for this.
I believe users should assume positive intent
Assuming positive intent is a good thing, I agree users should not assume their security team is out to abuse the power they have. But simply assuming positive intent is not a system that provides any accountability for the security team. This is why we advocate for allowing users to understand how and when tools are being used by the security team. This doesn't mean their permission is required for each action. But it does mean they can pull the audit log anytime they wish to look at it.
I do like the transparency piece where if a user wants to know more then they should visit the team's office hours or just ping them
This is a good start, but the key to making this work is not gating the transparency to those who have the courage to ask a member of the security team. Making someone ask the team, "can you show me what queries you ran on my device this month?" to get that information is going to result in people not asking. The key is to give them this info on-demand. There are a minority of organizations out there looking for tools like this. But my mission is to educate end-users to demand this visibility of their security teams. I think it's the key to building a much healthier relationship between end-users, IT, and security.
3:01 AM
Anyway, I don't expect everyone to agree with me, and I appreciate the feedback.