CISOs urged to revisit outright ban on social media
By Matthew DeBarros, SearchSecurity.com | 2010-04-30
Recent studies suggest that the use of social media in the enterprise has increased at a rate CISOs can no longer afford to ignore.
Results of a recent survey conducted by Cambridge, Mass.-based Forrester Research Inc. indicated that the adoption of social media in enterprises has doubled in the past year from 11% in 2008 to 22% in 2009, said Khalid Kark, vice president and principal analyst at Forrester. Kark predicted that the numbers will continue to climb.
"There is adoption of social media going on, and it is getting slightly more acceptable to use some of the social media sites at work," Kark said. "The rate of this change is very significant. We're not talking about a 5% or 20% increase; we're talking about this total doubling in one year."
The Forrester report, "Twelve Recommendations For Your 2010 Information Security Strategy," explains how taking a careful and measured approach toward planning an information security strategy in 2010 could help address skyrocketing social networking use and insulate enterprises against the threats they pose.
Tony Spinelli, chief security officer at Atlanta-based credit information firm Equifax Inc., leads a social media committee consisting of the company's sales, marketing, IT and security staff. Spinelli said the company has taken a holistic approach by dealing with social media in an open forum. The goal has been to use social media as a tool to connect with customers and at the same time protect against data leakage.
"We've tried to be balanced and put safeguards in place to ensure data protection when employees are visiting social media sites," Spinelli said.
The expanded use of social media within organizations may be causing some CISOs to rethink the way they protect sensitive data, including intellectual property. Kark said he talked to one CISO who likened the increase of social media usage to a "freight train coming, and we have to figure out what our defenses are going to be, or else we're going to be crushed."
That line of thinking doesn't bode well at organizations like Equifax, where company marketing teams are finding success targeting specific users on social networking sites. If there is a business use, CISOs must rethink how to deploy defenses to mitigate the increased risk while addressing the needs of the sales and marketing teams.
"If you allow social media in your environment without any defenses or controls, then yes, that is going to increase your risk," Kark said. "There's a fine balance at play here."
A change in data ownership
Kark breaks down his recommendations into three subsets: change in technology, change in business expectations, and change in (security data) ownership. IT teams can no longer say they "own" data, especially with the increased use of outsourcing operations to third parties, Kark said. He added that security operations are also being outsourced and organizations need to set expectations to ensure data is being properly protected.
"If you rely on the outsourcer to build your security," Kark said, "they're going to do the bare minimum, because they're there to make money."
Kark said that security professionals need to take a more proactive approach and roll with the rapid pace of technology changes.
Involving employees in security decisions, as Equifax has, can help reduce risks. A security-savvy employee can often detect a threat before most security systems, Kark added, so organizations should utilize humans as their first line of defense, devise a security strategy that best suits their needs, and embrace new technologies that can provide a secure work environment.
"Security needs to adjust to the realities of the business and when they do there are three core areas that you need to focus on in terms of protecting: the people, the process, the technology," Kark said.
It has taken CISOs time to wake up and address the rising use of social media in the workplace, said security expert Lenny Zeltser, who leads the consulting practice at Savvis and is a faculty member at the SANS Institute. Zeltser said that at first CISOs were in the "denial stage" when faced with the security risks social media sites posed, but more CISOs have since made it to the "acceptance stage."
"I would like to see more open access within organizations," Zeltser said, "but this can only happen if companies invest in proper monitoring tools, and train their employees in how to properly use them."