by TheChaplain 60 days ago
> ... the problem with security measures that cause too much friction is that users tend to disable them in order to get on with their work. To fulfill its security purposes, a good trust system needs to stay out of your way.

I wish this was understood clearly by more security engineers, but, alas...


At my work, when our IT sec org tightens the screws harder and harder, people just have to get "creative" to do their job effectively. For us this meant that some of my coworkers started using their own machines to write code, making the whole setup much more unsafe and prone to breaches.

But I definitely feel there's a huge missing part in our setup and a lack of accountability in the IT sec org when it comes to not hurting productivity unnecessarily. They can just keep putting up barriers without any real consideration of the impact and side effects they may have.

It’s blame shifting. If the security people are allowed to make it impossible to work without breaking the rules, they’ve successfully moved all blame for anything that goes wrong away from themselves. “Oh, you turned your computer on? Well, the security guidelines clearly state that’s not allowed, so that’s your fault.”
"If you're able to do your job, InfoSec isn't doing theirs."

I've worked with some great sec orgs that get this and I'm sure everyone reading this in that role is one of those, but understand there are some that are not.

There are some who, for example, are not given ANY agency whatsoever and have to accept every alert from tool-du-jour as some malicious moustache-twirling evilness from the developer. (And they say AI should be taking over _development_ jobs...)

This is how I felt about macOS for my workflow. It was like living in a house where every room autolocks every time you leave the room, great for security but horrible if you need to move from room to room constantly.
Well, but if there's a chance of random attackers walking around your house then the autolocking kinda makes sense (assuming a realistic timeout on it).