Social Media: Lightning Storm

Monday, December 03, 2012

Joel Harding

94ae16c30d35ee7345f3235dfb11113c

When Social Media first emerged into the mainstream, many in industry and government restricted their employees from participating.   In many meetings I heard seniors exclaim: ‘Sure they will reveal proprietary information’.  ‘Surely they will reveal classified or sensitive information’.  ‘Surely they will reveal troop movements’.  ‘Surely they will…’

I worked for one company who wanted desperately to get information out quickly to all their stakeholders. The problem was the company was mired in an old-school unhealthy aversion to any risk. Their mind-set was risk avoidance, whereas almost the entire industry has transitioned to risk mitigation. That company is doomed to fail unless it embraces a 21st century mindset.

Facebook, Twitter, blogs, email, SMS/texting, websites, the list goes on and on and on…  these are means of communication.  In the United States this is all protected by the First Amendment, it’s called Freedom of Speech.

If I am a US soldier and I have an opinion different from that of the administration, I have the Constitutional right to voice, or in this case, write my opinion and share it freely.

…and then you have ‘Surely they will…’

Education.  It boils down to the education of leaders and the education of anyone and everyone voicing an opinion.  Many, if not most people in the military and the defense industry tend to have a Republican lean.  Many, if not most, in the educational, media and unionized industry tend to have a Democrat inclination.  I cannot count the times I have heard political discussions, usually centered towards one politician or another, or I have received email touting the strength of one party or another.  These same people then want to restrict speech of individuals, saying ‘Sure they will…’

These people lack the education on how to not discuss sensitive topics.  These people lack the education on how discussions of professional topics, counter to one’s opinion, is healthy and promotes democracy.  These people lack the education on how one person’s personal opinion can differ from their organization’s goals or path and yet professionally they will appear totally aligned with their organization.

Just recently I read an article by John McGreavy in Information Week:  The Problem with Social Collaboration on IT Projects.  In the article it is discussed how one might “socialize” a project.  It starts with discussions at the senior level, thinking of the company first. After necking down the choices, a wider group is included, asking for pros, cons and possible alternatives.  Then the idea is opened up to yet larger group…  at each level further refinement occurs.  This is top-down leadership with healthy input from subordinates and stakeholders.  All through social media.

I have a very good friend who I have defended to all those around me.  He is the #2 guy at a local organization.  He and I have commiserated in the past that his boss is a poor leader.  I used to joke that if you would look up the definition of a bad leader, the #1 guy’s picture would appear.  In the past year or two, there has been a hurricane of controversy surrounding the #1 guy, but my friend appeared loyal throughout.  My friend epitomizes the definition of someone who can separate his personal and professional opinions.  That is the same compartmentalization needed to have a blog.

Admiral James G. Stavridis is a perfect example of a prolific social media user who Tweets prolifically and encourages the same of his subordinates.  I follow him on Twitter, he follows me and I believe we’re friends on Facebook.

Then there is the case of professional blogs.  Ugh.  The taste in my mouth when it comes to professional blogs has never been good.  Usually one gets a junior staffer to write the blog as a word document, then the document is staffed and then forwarded to the leader for approval.  If the paper was finished by 10 am and staffed, by the end of the day the leader might see it and, after editing the stuffings out of it, it comes back ‘approved’.  Then it is published in the blog and usually is about as dynamic as a day old sandwich.  By this time it is inconsequential, old hat and a total waste of electrons.

A good professional blog is barely possible if the writer is not empowered to write and publish quickly.  The writer must know the organization’s opinion, a quick phone call can usually tell the writer that, and if the writer has a differing opinion, it might be well phrased as “others believe that…”.

It would be even better if a leader were to have a blog in their own name.  There is nothing better than to have someone in charge share the big picture with the reader, then cite some of the points which are important and which influence his or her opinion.  It is important, to reassure the reader, that conflicting points and opinions should also be reflected.  Good leaders can do this, bad leaders have a difficult time.

As I expressed in Social Media Security 101, one must be vigilant for any information which would give competitors and possible adversaries any advantage.

What am I missing?

Cross-posted from To Inform is to Influence

Possibly Related Articles:
10081
Privacy
Information Security
Risk Management Social Media Communications Policies and Procedures
Post Rating I Like this!
35d93e1eda881f6e3dde4e87428a975e
Michael Johnson Couldn't agree more. In fact, I'd say a heavily restrictive ban, especially without the education and awareness, would even increase the risks of sensitive information getting out. Employees and personnel will eventually post stuff without an understanding of what information's deemed sensitive and why. It's inevitable.

The government and military here in the UK recognise this - if an employee is a soldier, it's guaranteed that person would identify him/herself as such on blogs and social networks at some point. It's inevitable. Here, anything is fair game, except for a few very specific restrictions, things that might give adversaries/threats a piece in a much larger puzzle, and the underlying reasons are explained reasonably well. For example:
http://www.blogs.mod.uk/onlinesecurity/
Other departments provide advice and online security risk assessments for employees, which can be applied to both personal and work lives.

Similar principles should apply to any security awareness programme - it has to be relevant to the individual and his/her personal life to be effective.
1354606114
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.