NATIONAL HARBOR, Md. – According to a Gartner Inc. social media security expert, banning Facebook, and other social networking services like LinkedIn and Twitter, is an exercise in futility. To boot, securing social media in the enterprise is not a responsibility that should fall to information security teams.
Tuesday at Gartner's Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control or even block its use is akin to monitoring employees' home phone calls and rifling through their postal mail.
"All this message traffic is not in your infrastructure," Walls said. "It all takes place out there in the cloud," plus it can be accessed from anywhere, and users' privacy settings can make monitoring nearly impossible. "At the root of it is staff productivity, and security isn't responsible for monitoring and managing the productivity of the organization."
Some believe social media represents a growing platform for malware distribution, but Walls countered that argument, noting that antimalware vendors he's spoken with say social networks are being victimized by the same malware plaguing email and websites. "So if I'm going to block social media on the basis of malware distribution," Walls asked hypothetically, "why not block email?"
Walls said the most viable strategy for managing social media is a governance policy that clearly defines what an enterprise wishes to control and what behaviors are expected. Ultimately, he said, it's a communications policy, which can be enforced by security teams, but must be defined by other business groups like marketing, communications, public relations or the CEO's office.
"Clarify the ownership of the risk," Walls said. "You might manage it, but you're doing so on behalf of someone else. Define the deliverables, metrics … define current usage patterns."
As the workforce evolves, Walls said, organizations will come to realize the value of hiring someone who possesses a vast social network; when there's a problem to be solved, for instance, that person will have his or her own knowledge plus the knowledge of that social network at his or her disposal.
"What we're going to see going forward," Walls said, "is that the most valuable people doing the most valuable things for an organization are going to be the ones who demand social media the most."
Walls said security managers may even find themselves in politically tenuous positions if they try to tell their business managers that social media exposes the organization to too much risk when most employees use it in their personal lives without incident.
"It's a dangerous proposition," he said. "It suggests to the manager that either you're incompetent and can't protect us, or you don't want to support it and have a hidden agenda."
Walls strongly encouraged all organizations to monitor social media for discussions involving their brand and business activities. He cautioned against being blindsided, mentioning last year's Domino's Pizza video prank, when employees of the pizza chain posted a video online showing them violating various health codes.
"If you're not monitoring these networks, then you don't know what your exposure is, and you'll be blindsided," Walls said. "Be ready for help from strangers … increasingly the big incidents we have to deal with will be detected by customers and others, so be listening and be prepared to receive help from outsiders."
An attendee who works on the security team for a large enterprise in the auto industry said his organization has been engaged in outward-facing social networking for some time, and has prepared an internal policy on social media with the help of the company's general counsel.
"We're going to let employees talk [on social networks]," said the attendee, who declined to give his name. "But what we need to do is make sure that if employees are talking about engineering problems, that they're only sharing enough information to solve the problem, not tell outsiders what we're coming out with next year."
He disagreed with Walls, who said employee training wasn't necessarily worth the effort. "I think awareness is key; people want to know how to protect themselves."
Walls said about 75% of the Gartner clients he spoke with last year had policies in place to block social media use, but this year that number dropped to about 60%.
"Companies that have a blocking policy are essentially just buying time to integrate more integrated, granular control of social media," Walls said. "You know that block is going to crumble eventually. When it does, you need to have a plan. Use the time you've got now to get ready for that."