How Safe Is Social Media? (Opinion)

Don't make 'bear shaving' your security policy for Web 2.0.

September 29, 2009

In the classic movie thriller Marathon Man, the character played by actor Dustin Hoffman gets tortured by an evil dentist, who keeps asking, "Is it safe?" Hoffman doesn't know how to answer so he utters almost anything to get the bad guy, played by Laurence Olivier, to stop drilling his teeth. I'm reminded of this scene when someone asks me, "Is it safe to use social media sites?" Of course, there's no simple answer because it's one of those "it depends" kind of questions.

Facebook, Twitter and other Web 2.0 technologies have driven a profound cultural shift in our society. While the Internet culture grew from those people who evolved the technology and other early adopters, social media has become mainstream and virtually every individual, business and organization is using it to create public value. Government organizations across the board find themselves in the midst of this upheaval, trying to determine, "Is it safe?"

In the early days of the Internet, I remember government organizations and businesses telling employees they couldn't use it for "personal" business. I always thought it profoundly naive to give a person a computer with Internet access and then prohibit Web usage.

Seth Godin, who covers marketing, wrote an interesting blog on "bear shaving," which he defined as the efforts people go through to avoid addressing the real cause of problems. He used an example of a Japanese public service announcement that showed a girl shaving a bear to deal with the problem of global warming. The point here is that we should be preparing our employees to use Web 2.0 technologies safely rather than forbidding them the brilliance of user-generated content. That's de-evolutionary!

Clear policy on acceptable use by employees and technologies that provide new levels of protection to the infrastructure are the more appropriate direction. While you can't combat all threats to your IT environment, you can mitigate the danger.

The most important thing any organization can do is establish social media boundaries by developing specific policies about what will be tolerated. This is nothing new. We've been conducting user security awareness for years on the appropriate use of technology.

Web 2.0 is just the next iteration of technology, and it continues to be important for employees to understand the dangers of malicious code, data leakage and identity theft that come with social media.


Video: California CISO Mark Weatherford discusses social networks and other security challenges.

Anyone who thinks social media and Web 2.0 technologies are just a fad isn't paying attention. It's a profound trend, and we must be proactive in finding solutions not only to the existing security issues, but also to the new, unforeseen ones.

Marcus Sachs, executive director of national security policy at telecom giant Verizon, noted that "when Napster made headlines over 10 years ago, the music and movie industry fought peer-to-peer [P2P] technology with lawsuits instead of recognizing the coming cultural transformation and adopting P2P as a natural evolution. Instead of 'owning the channel,' they let the technology get ahead of them."

Today social networking is redefining how people communicate in ways that just a couple of years ago were impossible. As security professionals, we need to remember the lessons of P2P and determine how to securely "own the channel" and be on the side of helping revolutionize the use of Web 2.0 technologies.

The challenge for government is to begin instilling employee discipline in social media communications that heads off potential problems. Across the country, federal, state and local governments are rushing to give the public more of what it wants: information. Web 2.0 technologies are how they are doing it. If security guys become the "Grinch Who Stole Facebook," we'll be doing our profession a disservice and find ourselves increasingly marginalized by the business and end up on the outside looking in.



Mark Weatherford Contributing Writer

Mark Weatherford is the former chief information security officer of California. Weatherford now serves as vice president and chief security officer for the North American Electric Reliability Corp., an organization whose mission is to ensure the reliability of the bulk power system of North America.