Since the internet was created users have been using it for connecting to other people. From the very beginning, with dialup bulletin boards, people have sought ways to connect with friends or strangers across the country and around the world.
The motivations behind today's social media are nothing new. It's simply been a process making connecting easier, thereby getting more and more of the population connected. 25 years ago the only folks connecting online were highly technical.
Today grandparents and young children have Facebook accounts.
Considering the momentum in our culture to be more connected to more people, it's no surprise that corporations have to deal with social media in the workplace. Employees spend much of their lives connected to their social networks.
Combine that with the reality that our employees are more and more becoming knowledge workers, and more and more reliant on technology, and our workforce does not expect their social networking to end when they punch in for the day.
Employees see ways to integrate social media into their jobs, and they want to take advantage of that.
Enter the Enterprise Information Security team. It's our job to protect the data and infrastructure of our company. It's our responsibility to assess risk to our systems, and implement countermeasures to keep the risk down to an acceptable level.
Connectivity is the enemy of security. The most secure system in the world is the one to which nobody and nothing can connect. As we start adding more connections we start adding vulnerabilities.
Yet, the holy grail of social networking is the ultimate nightmare of security; complete connectivity between everyone brings unlimited communication and exploitation abilities.
Often this conflict will turn information security into a roadblock. The potential for InfoSec to become an opponent of progress is real and harmful. Organizations do not flourish when they maintain the status quo.
When a new technology hits the market, the innovators at an organization are usually among the first adopters. They want that cool smartphone, software, or other do-hickey, and they want it now.
Information Security is tasked with performing immediate assessments on unproven technologies. Is the data on that phone sufficiently protected? Is that new laptop OS going to cause issues in our environment?
Social media is going through this wringer right now. The business wants to be plugged in.
There are some legitimate reasons for this (HR performing recruiting and background checks, Marketing connecting with potential clients, all professionals keeping tabs on what's going on in their field), and there are some serious risks as well (potential data loss through inappropriate posting, hacker attacks via social engineering, or malware).
The solution is not to simply rubber stamp whatever new technology trend comes along. We have a responsibility to ensure our infrastructure is kept safe, and just rubber stamping new technologies is a poor execution of our duties.
The most important step is to consider new technology requests with an open mind. Work collaboratively with the business to accomplish goals. Rather than asking, "Is this thing secure?" ask the question, "How can we meet this business need?"
By asking the "how" question we start a collaborative process, putting our wits to work to solve the issue, rather than using our authority to quash innovation.
Social media is a polarizing force. InfoSec teams see it as an unnecessary risk to corporate systems. Organizational innovators see it as a new opportunity to connect with customers and learn about forces shaping their market.
Business leaders need to decide what is right for their organization. Are the benefits outweighed by the risks? These are the questions the business leaders must address.
We in information security exist as a tool to educate the business leaders on what the risks are. A disconnect occurs when we start creating policies on how business will be done.
The conflict between InfoSec and social media is not going to go away. As our society grows more connected the issue will be highlighted all the more. But just as social media will not go away, neither will the need to secure our data and systems.
The winning organization is the one that can find the balance between encouraging their employees to connect in meaningful ways and preventing data loss through those ways.
Each time a new technology is introduced to our environments it is going to bring along with it unknown risks and vulnerabilities. The way we handle that uncertainty is what defines us.
Cross-posted from Enterprise InfoSec Blog from Robb Reck.