Security Should Steer the Enterprise Social Networking Bandwagon

What should IT and physical security folks do when their user base suddenly embraces a popular but potentially insecure technological phenomenon?

Just a few weeks ago, the mini-blogging service Twitter seemed a wee bit silly--its often inane tweets, or posts, gently satirized in comic strips and on late-night shows. (A typical Tweet: "I'm writing a blog entry now!")

Then came the news here in Houston that Shell and Chevron will add Twitter to their line-up of mass notification services, particularly for use during hurricane season. Earlier this week, Dell, the computer manufacturer, announced it has sold $3 million in merchandise via Twitter. And today's print editions of The New York Times carry a story explaining how the U.S. State Department asked Twitter to hold off on routine network maintenance so that Iranians could continue "tweeting" about the results of elections in that country.

Suddenly Twitter seems less a novelty and more a technology likely to become ubiquitous, at least among folks who leave their BlackBerries and iPhones on their bedstands so they can check them before they've even thrown the covers back. What does this mean, if anything, for enterprise security?


Steer the bandwagon

Comments on LinkedIn's Mass Notification and IT Security Professionals groups indicate there's some head-scratching going on about the significance of Twitter, Facebook and other social networking services. Most of the conversations center on the potential security hazards of the services. What if security personnel instead looked at how they might be able to use these to their advantage?

The risks shouldn't be ignored, of course. None of these services is designed for transmitting secret messages--they are as open as possible. Yet the security community's questions brought to mind something former Citigroup CISO and security consultant Pam Fusco once told me: security can't just say "no" all the time.

Fusco said if security--physical or logical--wants to be seen as an enterprise asset, it needs to talk to business users, find out why they are using a particular device or technology, understand what need it's meeting for them. Then security needs to design strategies around that use case. That way business sees security as a partner, not an obstacle.

Tell 'em what to Tweet

Why shouldn't it work the other way, too? Why not make Twitter, Facebook, YouTube users, etc., your allies, extra sets of eyes and ears?

The notorious Virginia Tech shooting showed that people will text in an emergency. Embrace that fact, set up security Twitter accounts, and teach the users to send the kinds of messages that will be useful to emergency responders. Demonstrate the language needed to clearly convey location, health status/needs, unknown persons, suspicious behavior, imminent threat from human or natural causes, etc.

That may require preparation in some enterprises, such as clear floor maps: how many office users could easily say where their cubicle sits amongst a warren of other cubes? Turning social networking to your advantage should also include education about what information shouldn't be posted or exchanged via less secure devices and services. IT and physical security can brainstorm these issues together.

Embracing today's social networking technology may also require a perspective shift. Generational communication issues are real: Younger users are extremely comfortable with texting, tweeting and portable devices--and those preferences are heading into the enterprise. Security can either engage in a futile fight with these, or figure out how to make them an ally. The latter course seems the best way to fully understand the technologies, secure them where necessary and exploit their capabilities.

Questions to ponder: Who in your enterprise is tweeting and why? Have any business groups created Facebook communities? Could IT set up an intranet-based site at which users could share security questions and concerns?

