Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

Social Networking for CISOs

by Richard Archdeacon, Strategy & Technology

 

According to Wikipedia there are currently around 200 social networking sites in existence around the world, the largest of which are Facebook and Twitter. The use of any of these sites by employees is a challenge for the CISO, but an enlightened approach is the key.

 

How should CISOs deal with the inevitable growth of social media? The first thing NOT to do is react without thinking. In other words, don’t automatically assume that all social media are a bad thing. Don’t assume that their use during working hours is a bad thing. Do not assume either that social media are the domain only of those under 25, that they may grow out of them, or that they will disappear.

 

For example, Facebook’s user base in the UK is around 30 million - pretty much half the population. In 2010, Mark Zuckerberg, Facebook’s founder and CEO, said it was “almost a guarantee” that the site would hit one billion users. There’s no reason to doubt him, even allowing for some slowdown of membership in recent months. And even if Facebook was to disappear tomorrow, you can be sure that something else would take its place - Google+ perhaps?

 

Therefore social media, as the name suggests, are embedded in our wider society. Further, some CISOs will be aware that within their own organisations there are departments actively looking for ways to exploit social media for advanced marketing and customer relationship purposes.

 

Often these initiatives will be undertaken without recourse to the CISO’s office or the information security team. That’s a challenge - but let’s return to that later.

 

Let’s deal with the fundamental challenges of social media use in the enterprise. Often the knee-jerk reaction is to go into lockdown mode and block all usage on corporate networks. This is the default option for organisations which believe that employees hog bandwidth and waste time on Facebook and other sites.

 

But because of the effects of consumerisation (the CIO’s and CISO’s other challenging techno-social trend), employees will simply spend just as much time accessing social networks on their own devices via 3G networks, outside the corporate network and its controls. So the blocking route is ultimately fruitless.

 

And we have moved on from the Facebook “panic” of 2007 - the year that Facebook really caught on across the world. There were dire warnings about the cost to industry from employees “wasting time” on Facebook - figures of £130m being lost by UK industry each day were bandied about in the media. However, like the figures calculated for the effects of strikes, extreme weather and transport failures, they are hard to prove and highly questionable.

 

There may well be some cost from unregulated social network usage, but now it seems a more mature approach to social media is emerging. The problem with blaming lost productivity on social networks - and by extension web browsing - is that it assumes that employees previously spent all their working hours actually working and not chatting, making tea, smoking outside, reading newspapers or engaging in other “non-productive” activities.

 

According to research from the Australian technology and communications researchers Datacurve, fears over productivity loss from social media usage are exaggerated and not borne out by reality.

 

The report, which looked at social media and web usage in Australian enterprises, states that: “Social media’s polarising effect on managers and their workplace policy will continue to persist in light of increasing efforts by enterprises to harness social networks for marketing and customer relationship purposes, while simultaneously trapped by the perception that social networking during work-time is a monumental threat to workplace productivity.” Very true.

 

It continues: “The hype about thousands of hours lost in productivity due to a social media addiction or pathology is not supported by the evidence. Spread out across a 20-day working month, Facebook will be accessed (on average) every second day, at approximately nine minutes per session. In the case of MySpace and Twitter, engagement is even less of an issue in the context of workplace productivity. Compared with entrenched behaviours like smoke breaks and coffee runs, social media behaviour is a very distant third in terms of employee ‘distractions’.”

 

The report concluded that the negative connotations associated with the use of social media had been overblown, but that there was still a disconnect within some organisations which had a public-facing endorsement of social media yet still restricted usage by their own staff.

 

So there are two challenges for the CISO: first, a change of fixed mindsets to accept social network use by employees within the enterprise based on a TRUST model. Second, ensuring that the CISO’s department is engaged at fundamental points with the Marketing, Communications and HR teams to ensure safe and risk-assessed usage of social media within the business, for both personal and enterprise business usage.

 

This will entail a reworking of Acceptable Use Policies to embrace social media, taking full account of the above findings. On an ongoing basis it will mean full integration with marketing teams and other C-level teams so that social media campaigns are conducted for business benefit while minimising risk.

 

The paramount concerns must be that business-critical data and information are not exposed on social media, and that employees do not bring the organisation into disrepute or fall foul of the law or compliance regulations through their social media usage.

 

Finally, remember the big lesson of consumerisation: empowering employees with their own devices makes them happier. Trusting them with social media will have the same effect.

About the Author
  • A business-first senior executive, with over 20 years of hands-on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without their knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicious code in the wild. From these beginnings I have investigated all aspects of security to provide a holistic approach to security as a business enabler, and I am currently advising organisations on the suitability of the cloud to their needs.