Building Security for an Open Internet: Why Privacy-First Architecture Matters
January 2025
For twenty years, I've watched the internet evolve from a bastion of open innovation into an increasingly surveilled and centralized ecosystem. As a CISO who cut his teeth on a Commodore 64 in an era when "computers for the masses, not the classes" wasn't just a slogan but a revolutionary promise, I've seen firsthand how the fundamental tension between security and openness shapes our digital world.
Today, as we stand at another inflection point with AI transforming how we interact with technology and privacy becoming a luxury good, we need security leaders who understand that protecting users doesn't require sacrificing the open, innovative spirit that made the internet transformative in the first place.
The False Choice Between Security and Openness
Too often, security conversations start with the premise that openness is inherently insecure. We're told we must choose between transparency and protection, between innovation and safety, between user agency and enterprise control. This is a false choice that has led us down a path where security becomes a justification for surveillance and control rather than a tool for user empowerment.
In my years building security programs at companies like Netlify, HelloSign, and through my advisory work with organizations focused on trust and transparency, I've learned that the most resilient security architectures are often the most open ones. When users understand how their data is protected, when developers can audit the systems they're building on, and when privacy is designed into the foundation rather than bolted on as an afterthought, we create security that scales with human trust rather than against it.
Privacy as Security Architecture
At Netlify, when we eliminated phishing threats by taking our entire workforce passwordless with FIDO2 devices, we didn't just improve security; we improved user experience. Eighty percent adoption in six weeks happened because the solution respected user agency while providing robust protection. This is what privacy-first security looks like: solutions that make users more powerful, not less.
Privacy-first architecture means:
- Data minimization by design – Collecting only what's necessary and retaining only what's valuable
- Transparent governance – Users understanding what happens to their data and having meaningful control
- Distributed trust models – Reducing single points of failure through decentralization
- Open source security – Leveraging community review and transparent implementation
- Default privacy – Making the secure choice the easy choice for both users and developers
The Open Source Security Advantage
Throughout my career, from early days at companies like Qualys to current work with innovative startups, I've seen how open source approaches to security consistently outperform closed, proprietary solutions in both security outcomes and user trust. This isn't ideological; it's practical.
Open source security tools benefit from:
- Community review – Thousands of eyes making bugs shallow
- Rapid response – Vulnerabilities patched within hours, not months
- Transparent algorithms – Users can verify privacy claims rather than trust vendor promises
- Interoperability – Standards that prevent vendor lock-in and enable innovation
- Democratic governance – Security decisions made in the open rather than behind closed boardroom doors
When I advise startups on security architecture, I consistently recommend open source foundations not because they're free, but because they're accountable. The same principles that make open source software more secure make organizations that embrace transparency more trustworthy.
Building for People, Not Companies
The internet was built on the radical idea that information wants to be free and that connecting human knowledge and creativity would benefit everyone. Somewhere along the way, we started building for shareholders rather than users, for surveillance rather than empowerment, for control rather than freedom.
As security leaders, we have a responsibility to remember that our ultimate job isn't protecting corporate assets; it's protecting people. This means:
- Designing security that enhances rather than restricts user agency
- Building systems that are transparent and accountable to the communities they serve
- Prioritizing user privacy even when it's not the most profitable choice
- Creating security awareness programs that educate rather than intimidate
- Advocating for policies that strengthen digital rights
The Path Forward
Building an internet that serves people rather than companies requires security leaders who understand that our role extends beyond traditional risk management. We must be advocates for user privacy, champions of transparency, and architects of systems that distribute power rather than concentrate it.
This isn't just about choosing the right technologies, though open standards, decentralized architectures, and privacy-preserving technologies are crucial. It's about building security cultures that value human dignity, democratic participation, and the radical idea that technology should make people more powerful, not less.
The C64 taught me that computing could be joyful, creative, and empowering. Twenty-plus years later, that same spirit drives my work helping organizations build security programs that protect what matters most: people's ability to create, connect, and thrive in a digital world built for them, not just for the companies that profit from their data.
A Call to Action
We're at a critical moment. The choices we make about privacy, openness, and user agency today will determine whether the next generation inherits an internet that empowers them or exploits them. As security leaders, we have both the responsibility and the opportunity to ensure that security serves human flourishing rather than corporate surveillance.
The future of the internet depends on leaders who understand that the strongest security is built on trust, transparency, and respect for the people we're supposed to protect. Let's build that future, one conversation, one design decision, and one privacy-preserving architecture at a time.
About the Author: Mark Dorsi is a CISO, cybersecurity advisor, and investor helping organizations build secure, scalable systems. With over 20 years of experience, he advocates for privacy-first architecture, open-source security, and building systems that empower users rather than restrict them.