Developing the security mindset

What is a mindset? It can be defined as:

  • beliefs that affect somebody’s attitude: a set of beliefs or a way of
    thinking that determine somebody’s behavior and outlook

This might be simplified by saying, “the way you think”. So how do you make yourself think in a way that is security focused?

Mild tangent: It’s true that good cops think like criminals. By this logic, who do good security professionals think like? Like hackers? Like information gatherers, similar to China? This is not good enough. A security professional should be a paragon of security; a cop should think like the criminal, the victim, the landlord of the apartment being robbed, and so on. Simply put, every angle should be covered.

One such person is Bruce Schneier. On the page where Schneier talks about his views on security, he makes statements that a non-security pro would be unlikely to make, such as “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.” (talking about a company that does just that). There is always a weakness, something exploitable. Is the security mindset about finding weaknesses, like a therapist’s arch-nemesis?

A security mindset can always use improvement. How do you create a security mindset? Security pros will look at how something can be broken. So are people with this method of thinking applying it to everything they do? Or is there a “security mode” that is turned on when something that has a weakness appears?

Surely, everyone will have their own approach to security. So what is security to you? I think security is an understanding in full, including its shadow (what is and what isn’t). It is about repairing or using weaknesses. Imagine new ways to look at a problem, different resources to exploit, and you will be closer to finding a better solution. Understanding the way other people think of security will allow you to be a better security guy or gal. But what really is security, and its ‘mindset’?