Is there a way that enterprises can allow social networking securely, or are sites like Facebook and Twitter simply too risky for enterprise consumption? Security experts Bruce Schneier and Marcus Ranum discuss.
Read the full transcript from this video below:
Schneier-Ranum face-off, part 2: Enterprise social networking
Bruce Schneier: That's a silly question. There's no such thing as too insecure for business. Businesses go into the deepest Africa and mine diamonds. They'll go to places where there's no law and do business. It's risk versus reward, not too risky for business. Business is risk. Companies that manage risk better, do better.
The question to ask, whether it's social networking or anything, is what are the costs and what are the benefits. There are lots of ways that companies can use social networking: putting a website up on Facebook, cleverly twittering cool things about your product, which maybe somebody follows, or just trolling the network looking for people chatting about you. There are lots of ways to use social networking sites that don't affect your corporate security at all.
Then, there are other ways that people use social networking, as virtual water coolers, around the office, or collaborative tools. There again, you look at the costs and you look at the trade-offs. Lots of times, yes, it's perfectly fine, and you could set up, sort of, a closed network inside a larger social network.
No, I don't think it's a mistake. I think it's a perfectly reasonable thing, and it's something you're going to do more of because more and more of your employees have gone through adolescence on Facebook. They've learned how to interact with their friends, and colleagues, and teachers, on Facebook. They come to work and they say, "No, no, you've got to attend meetings, not go on Facebook." It's going to be like you're asking them to speak Esperanto. They won't be able to do it.
So, we're going to be stuck integrating all of this bleeding-edge cool stuff into our corporate networks, like it or not. Yes, there will be security problems and, yes, it will be annoying, but it's going to be the smart business thing to do.
Marcus Ranum: The problem is picking out the usefulness from the hype. There is a profound difference between wanting something and needing something. When we're talking about making a business justification for technology, managers need to look at that and they need to be honest with themselves and the people who are dealing with it.
I'm a former software engineer. I actually have a really good idea of what software engineers need. I used to have a tremendous amount of fun when my programmers would come and say, "Well, we need a bigger file server for this or that." No, you don't. I know exactly what you need because I used to do it, and if I could do it on what you've got, you can do it with what you've got.
I think that a tremendous amount of information is being placed at risk for what are reasons that can only be described as frivolous. So, here's one thing to think about with all of this. When someone in your org chart comes along and says, "We want to do this thing that may increase our risk and there's a business reason for it," get them to say what the business advantage of doing that is going to be. Oh, it's going to drive $2 million a year in sales? Oh, it's going to get us 600 new customers? And say, "And the best thing to do, is we're going to have an after-action review on this project in a year and see how much business the Facebook project drove."
Bruce Schneier: It's easy to see the exact line of generation gap. Above it are the people who think Twitter is a complete waste of time, and below are the people who cannot possibly live without it. There seems to be no middle ground. I can't fathom anybody using it. So, I really think this is the generation gap.
I remember reading a story, about a month ago, about an engineer who's working at a company, and he does what everybody else does when they have problems and questions, and they go on the Internet to try to solve them. He is going on to some newsgroup or chat room or bulletin board, and asking some technical question. I do it all the time. Lots of people do it all the time.
He, unfortunately, in doing it, you can argue with it or not, but the company claimed he released confidential information, and he was fired over it. That's going to happen more and more, because more and more younger people are used to asking tech questions, not on the phone of their colleagues, but in semi-public or public places. In the generation gap, the older generation gets it right, but the younger generation is correct that it's not going to destroy the world.
I think we're going to see some major changes in the next decade, in how we all use IT and how corporations use IT. It's going to be more social networking and more openness and more things that we think are completely ridiculous.