There is a really good article on the security mindset from Bruce Schneier. His basic tenet is that instead of just thinking of how to get things working (yes, I’m guilty of this too), we should be thinking of how to get things to break, so that the things we build are more secure and less prone to failing.

Today I had lunch with IBM’s Chief Privacy Officer. As Bruce talks about the security mindset, I was educated today on the privacy mindset. Some good base principles were developed by the OECD. To give a simple example, a well-intentioned employee built a widget for intranet web pages that would track who visited, so you could see who visited your pages. The widget would display this not only to the page owner, but to anyone else who visited the page. The privacy mindset should ask questions like: “Did you tell me you were going to collect this personal information? Did I as a user give you permission to collect this personal information? Is this personal information protected? Do I want all my fellow employees knowing which intranet web sites I visit?” I suspect these are questions that did not get asked by the well-intentioned widget author. But I think the lessons from Bruce and the CPO are mind-widening (especially for engineers), grounded in reality, inherently valuable, and necessary.