Bruce Schneier has written a good commentary in Wired Magazine about the security mindset. I have talked about hiring information security people in the past, and how I believe the most important skill-set is not any specific technical attribute, but rather how the person thinks. A good security person thinks about the world differently. Just as many engineers grew up taking things apart to understand how they work, good security people often grow up thinking about how to make things perform in ways they were not intended to (or breaking them altogether). They easily see the flaws in everyday items and how to exploit them.
As Bruce writes, they are now attempting to teach this way of thinking at the University of Washington. I think this is a great idea. If this way of thinking becomes more common for graduates, the products they design and build once in the workforce will be much easier for us all to protect and rely on. It’s the difference between bolting on security as an after thought versus building it in as part of the product in the first place.
