Social Media: A Cautionary Tale Mike Gotta & Alice Wang #w2e

Mike Gotta – Burton Group
Alice Wang – Burton Group

Social tools enable employee self-expression
Facebook, Twitter, YouTube, blogs, etc.

Benefits of Social Tools
Often associated with Enterprise 2.0 or CRM
  • Benefits expected from social media
  • Connect people internally & externally
  • Build community across different function areas
  • Improve external relationships and “brand” reputation
  • etc.

At times, we want to control what is revealed

Risks of Social Tools
Social tools generally lack management capabilities that help support identity, security, privacy and compliance needs
  • Poor support for policy-based management
  • Inability to support assurance needs
  • Inadequate access to granular levels
  • Privacy
  • Compliance
  • E-Discovery and data retention
  • Data loss prevention
  • Increased risk due to correlation and social engineering capabilities

Saying “No” is not the answer
Survey – listen to people, construct use cases from their stories, identify where risks can be mitigated
Use Case #1: Social Claims
Corporate Facebook style site at Booz Allen Hamilton
Enterprise profile, e.g. Outlook content vs. social profile

Use Case #2: Profile Proliferation
A single profile? Multiple profiles? Federated profiles?

Use Case #3: Over-Sharing
Activity streams reveal conversation and community actions
“Twitter” in the Enterprise where sensitive information might be shared

Use Case #4: Connected Identities
External social data can be “plugged into” social network sites, email and other contexts
Is it me? How much is being shared? Under what controls?

Use Case #5: Oversight – Approved Use
Regulatory policies can define use/non-use of capabilities
Identity (brand/individual), content, communications, collaboration, connections, applications, notifications, etc.
Some regulations can determine how social media should be used
Personal Use
Ad-hoc business use can cause enterprise risk

Use Case #6: Deciphering Relationships
There are social roles as well as defined roles. Social tools are intended to surface a person's participation in the network that sits beyond their “definition” in the Outlook context.
There are ways relationships can be studied such that private connections can be revealed.

Identify Control Point to Mitigate Risks
A mix of strategies and tactics to produce results
  • Effective policies
  • Balanced privacy considerations (enterprise & employee)
  • Adequate training
  • Visible enforcement
  • Relevant social feedback
  • Assessing social media risks
  • Handling social information
  • Delivering social applications
  • Support for access control and entitlement management
  • Effective monitoring, auditing and logging
Awareness & Management of Risks
Use case concerns relevant to identity and security teams
  • Profiles and profiling
  • Credibility of profile and social claims
  • Possible bias against employees by co-workers based on race, diversity or affiliation information made open and transparent via social tools
  • Information security
  • Intellectual property, compliance, e-Discovery

Moving forward with social media and social networking efforts
Social is here to stay, saying “No” isn’t an option
Governance is essential
Policies and procedures need to focus on the human element
Identity and security objectives need to be on the same level as desire for openness
IT teams should be key stakeholders
