
Managing the Tension between Web 2.0 and Security Risk – Part One

Submitted by Joshua-Michéle on February 4, 2009 – 11:20 pm

Web 2.0 hinges upon the notion that online users add value through (1) explicit co-creation (think of Dell’s Ideastorm or Threadless), (2) their behavior (think of Amazon’s recommendations, “people like you also bought…”), or (3) the meaning implicit in their actions (think of how Google uses your search behavior to improve each subsequent search result).

Web 2.0 businesses leverage user contribution to build valuable, unique data sets. The more users, the richer the data; the richer the data, the better the resulting good or service.

Security hinges upon the notion that users add risk and new technologies increase vulnerability. Where Web 2.0 puts a premium on open networks and user contribution, our models of security seek to create limits to both.

In many engagements the question comes down to finding a balance between the proponents of Web 2.0 (usually marketing or innovation officers) and the people (usually IT and legal) who are tasked with security. This is a healthy tension.

Here are some questions to ask in order to keep these in balance.
Can we separate mission-critical data from potentially value-added data? Very often large companies make no distinction between data that is usable/sharable and data that is not. For example, Mint.com takes financial information from its users (in aggregate) to help users make wise financial decisions. Meanwhile, financial services companies would not dare to use this data (I know since I suggested it to an FS client years ago), even as an anonymous, aggregated service. Opportunity missed!

Can we gain more benefit from releasing “sacred” data than we get by withholding it? Barack Obama’s campaign decided to give away top secret voter lists to online volunteers to allow them to canvass and make calls directly. See Open Beats Closed on this point.

Can we create guidelines that encourage our employees to join the Social Web without releasing sensitive information? HP, Cisco and Wells Fargo all have constructive (and instructive) policies encouraging employee participation while setting limits to how employees use social media.

In my experience just getting these groups talking (Web 2.0 proponents and the guardians of security) usually resolves the problem. Legal and IT are there for a good reason; it’s just that that “reason” usually doesn’t mean you can’t get your Web 2.0 project going…
