Thinking a lot about all the amazing conversations I had this weekend at #Shmoocon, and there’s one thing that kept coming up in some of them that I’d actually like to push back against publicly.

I keep hearing variants on “it’s my job to make people paranoid,” and “it’s my job to scare users so they don’t make mistakes,” and I can’t keep letting this ideology go unchallenged.

Maybe that really IS in your job description... but I think about poorly how fear and intimidation work as educational devices in other contexts, and don’t think security is any different.

Instead of trying to lay down the law and put the fear of God into users, we need to be working with them to empower them to make more secure choices. Instead of shaming them for their mistakes, we need to help them recover and do better next time.

As security practitioners, we are far better served by building a culture of blameless postmortems and keeping open lines of communication with our users so they actually come to us when they have a problem.

Every pair of friendly eyes we have on our systems is an additional monitoring and alert system, and blaming and shaming users does us a disservice as security professionals.

Maybe this won’t resonate with some of you, and that’s okay... but I’m a security engineer, and my job is to empower users to be a first line of defense, instead of antagonizing them into becoming an abstraction layer. I have enough adversaries without adding users to my list.

(tl;dr if you maintain a good enough relationship with your users, they can collectively work as a sophisticated detection engineering tool, custom tailored to your shared environment. Stop abusing your users.)