In

https://twitter.com/alexstamos/status/1103462941632782337

@alexstamos talked about Trustworthy Computing at Microsoft. I don't know anything about FB but having been part of TwC since the beginning, offering up some of our humble lessons about what was important:

- Top level commitment, consistent on voice, holding people accountable, making resources available, and having decision courage that lives the values when the conflicts come up. Bill wrote very few “tidal-wave” memos because he wanted them to count.

- Have experts across engineering, privacy, policy, legal, chartered with fleshing out the new state of the art, the ship/no-ship bar, tracking processes, how accountability is managed, guidance, and tooling

- Be humble in the beginning, communicate progress, be candid on stumbles, and put off any urge to brag about successes for years down the road

- In the beginning, it was important to have a team of experts responsible for an independent view, separate from the product team, so trade-off conversations happen at the right level.

- It’s easy for a team to say “we’ll address it in the next cycle”, but that can be corrosive on the principles. The telegraphing on “we’ll get to it next time” v. “no, we made a commitment, so that’s what we’re doing” from these decisions speaks volumes to the rank and file.

- A serious investment in tooling, guidance, and training that works for engineers. If you’re serious about having engineers do something, their engineering system should reflect that and not come across as some bolt-on. You may not start here, but you need to end up here.

- A note on training for Engineers. Engineers hate being told what to do. Tell them what the problem is, as detailed as you can, so they internalize the issues. They're tackling problems when you're not around, so the right mental model versus a checklist mentality matters.

- We learned a lot from the external research community. I can’t say enough about how vital this global collective of critical and brilliant people were to our progress.

- Even though we had an exec mandate and review of every product, our mental model was to be “the small helpful team”. The attitude of focusing on learning and solving problems v. lording over teams made the difference between teams “managing the problem” v. “managing us”

- On hard problems, ultimately a company places its bet on people not plans. The achievement of vision, takes not only trustworthy computing, but trustworthy people--because to get people to act, you need them to listen first