Bruce Schneier, contributor to Wired Magazine, recently wrote about the security mindset in an article entitled: "Inside the twisted mind of a security professional." I really do recommend you read the whole thing - it contains very practical advice about security - computer and otherwise. But by all means, do please come back, eventually, because I think I have a good inverse point.
Schneier's article explains the always-looking-for-loopholes "security mindset."
Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it….
This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems. …
The designers are so busy making these systems work that they don't stop to notice how they might fail or be made to fail, and then how those failures might be exploited.
The only point on which I disagree with Schneier is that most people don't have a security mindset. Ultimately, I believe that they do - and this is not cynicism - because we, as human beings, are wired to fear the risk of a big loss. Perhaps we don't go about thinking of how to beat other people's systems, evaluating other people for weaknesses, and constantly planning escape routes, but I think we do think about how we protect our own property and family.
According to Schneier, that's not enough, and I agree with him. He's right in saying that thinking about how things can be made to fail is too often limited to the mind of the security professional. But, inversely, thinking about how things can be made to work is too often limited to the mind of the engineering professional.
Indeed, engineers see things differently as well. Instead of seeing things for what they are, they see things as they could be. Engineers are the people who make things and make things better. Geeky, to be sure, but they're the guys and gals who overclock home computers and build old computers into Beowulf clusters. They're the guys who compared torque and horsepower on automobiles during the 1970s and now compare fuel efficiency and aerodynamics on automobiles today. Hell, even in gaming, from D&D to Monopoly to World of Warcraft to poker - engineers look for the maximum benefit at the minimum cost.
This isn't just a mindset, this is a culture. And I may be wrong - and I don't say this to disparage the network security guys. But I don't think a mindset that consists of finding the breaking point and tearing things down can create as much of a vibrant culture as exists among engineers and those who think like engineers. You can't build through destruction.
But again, the human mind is geared towards risk, which is why, as a topic of discussion, and especially on the Internet, network security (protection from failure) is more of a hot topic than network performance (improvement from the status quo).
Network monitoring can be done for preventative purposes, certainly. If a router goes down, you want to fix it as soon as possible, and reducing the mean time to repair is always a worthwhile goal. And if that's all that IT did with network monitoring products like ours, that's good - but what we really like to see is people taking the information for new ideas about how to organize the network based on the application response times they're getting.
Or put another way, the same paintbrush that protects the house with a coat of paint can create the next Mona Lisa. It just requires thinking about creating.