Security Essentials for CIOs: Navigating the risks and rewards of social media


Engaging in social media allows companies and their employees to access a global community of experts, innovators and potential clients. It also opens the door to new risks. Here are some best practices to build a risk-aware culture for the social world.

Published in: Technology, Business

IBM Center for Applied Insights
Executive Series

Imagine an immense tradeshow floor filled with all of your clients. It’s also teeming with your most promising prospects, along with thousands of talented potential hires. There’s no better place for you to showcase your offerings, your smarts, and what sets you apart. Naturally, your rivals are there too, angling for clients, brainpower and ideas. So there’s plenty of competitive pressure to attend. But, regrettably, there’s a downside. Growing numbers of thieves, industrial spies and other ne’er-do-wells are circulating the same halls. As is so often the case, opportunity comes with its share of risk.

Highlights: Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise.

This non-stop global conference, of course, is social media. At IBM, we feel that these digital gatherings provide near limitless opportunity for our employees to make connections, exchange ideas, and innovate. For us, engaging in social media, inside and outside of the company, is a strategic imperative. So is security. We believe the solution is to create a risk-aware culture — one that acknowledges both the value and the risks associated with the digital world. It is important that we engage digitally in a smart and secure way.

Just a few years ago, many companies saw social computing as an outcropping on the periphery of their businesses. Since then, social networks have exploded, with hundreds of millions of people trading ideas and leads, from work, home and on the move. This growth has created enormous value, for everything from recruiting staff to customer service. In a recent Ponemon Institute survey, nearly 70 percent of global respondents said that social media is now very important for achieving their business objectives.[1]
However, there is still a long way to go between seeing the value and actively engaging. In IBM’s latest CEO Survey of 1709 CEOs around the world, only 16 percent of them are currently participating in social business platforms to connect with customers. Within five years, that will likely grow to 57 percent.[2] Outperformers in the survey were more likely to identify openness, often characterized by a greater use of social media, as a key influence on their organization.

This growth and attention has created new opportunities for thieves and hackers, and many enterprises are unsure what to do about it. In the Ponemon study, 63 percent of respondents said that social media puts their organization at risk and […] serious security threat. The risk is recognized, but only 29 percent admitted to having the necessary security controls to mitigate that threat. There is still a long way to go.

Nearly 70% of global respondents said that social media is now very important for achieving their business objectives.[1]
Source: Ponemon Institute

Because of this growth, in both opportunity and risk, we feel it’s important to share our ideas on how to help build a risk-aware culture for the social world.

Define your social agenda

The first step for every enterprise is to determine where it fits in the social sphere, and what it might gain from social media. Ideally, top executives from every division will meet to explore the possible benefits. Core questions include: Will participation boost brand awareness? Can it improve customer satisfaction? Could we use social media to drive collaboration or crowdsourcing for product innovation? Discussions must also extend to the costs of not engaging. Will the company be hamstrung in responding to public relations issues if it lacks a well-known Twitter account or Facebook page? Will it be at a disadvantage finding and communicating with good recruits if it doesn’t use social media?

Each enterprise will come up with its own answers. Some may conclude that certain functions, perhaps HR, Sales, and Marketing need to be active on social networks while other functions require a smaller presence or none at all.

Analyze the risks

The next step is an analysis of the risks inherent in each of these initiatives. ISACA has defined five primary social media risks for business.[3] They range from the increased threat of viruses and malware to brand hijacking and lack of content control to changing customer expectations to increasing the chances of non-compliance.

One growing trend is for criminals to harvest personal information from social networks, and then to use it to craft personalized phishing attacks. If successful, these can deliver malware, which can quietly steal information, shut down vital operations, or even carry out a […]

There are not only external risks, but also risks from employees as well. What if company secrets are exposed via social media? What would happen to the firm’s reputation if negative photos of employees made their way onto Flickr? What to do if an ugly and false rumor goes viral on Twitter or if a colleague appears to be spilling details from yesterday’s meeting on Facebook?

These risks may be common across enterprises, but the way in which organizations respond will likely be unique to their corporate culture. The important element is to raise these early on in the process, and build appropriate response plans.

Create and communicate your policy

The third step of the process is crucial. It involves communicating the opportunities and risks of the digital world, and providing policies, awareness programs and tools to guide the entire work force. For this, ongoing education and guidance must be built into the fabric of the enterprise’s social media strategy.

At IBM, we began these efforts with our own Intranet. In 2005, IBMers were using an in-house social network known as Connections to exchange everything from algorithms to chili recipes. Then, external blogs and social networks began to take off, and IBM considered the opportunities and challenges of engaging far beyond the corporate firewall. Collaborating on a wiki, IBM employees drew up our Social Computing Guidelines. This initial effort was a starting point and we’ve been evolving it ever since.

Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise. By participating, our employees build what we call Digital Eminence, a reputation for sharing experience and ideas that can boost their professional persona as well as the company’s prestige, while drawing people and business to IBM.

Social Computing Tips for Employees

Like many of today’s emerging technologies, social computing puts employees in the driver’s seat—essentially making them your brand ambassadors. You might want to consider the following tips as you empower your employees to effectively navigate the risks and reap the rewards of social platforms:

• Be authentic. Encourage employees to identify their employer in their profiles, but provide a disclaimer that their opinions remain their own.
• Think before posting. Content and context go hand-in-hand. Confidential or private information isn’t ever appropriate to share in a public context. For example, a tweet about a recently released whitepaper would be fine, but a tweet about confidential company financials would not be.
• Respect others’ rights. You should respect the rights of others, including their privacy and intellectual property rights.
• Be careful with connections. Your employees might receive connection requests from those who are hunting for private company information so remind them that it’s good to be choosy when considering who to connect with.
• Read the fine print. Social networks have terms of use and privacy policies, and you and your employees should review these closely to confirm that you can live with those terms and policies. Also, social networks may change their terms and policies over time, so you should regularly check them for changes before connecting.
• Admit mistakes. Things move faster than ever in social media, and employee mistakes are likely to happen. A culture where employees are encouraged to admit and quickly correct mistakes can help to avoid any fallout from the inevitable social media faux pas.

[…] security and measure progress

One word of warning, enterprises must be extremely careful to balance privacy issues and security when it comes to social media use. Gartner recently reported that by 2015, 60 percent of enterprises are expected to actively monitor employees’ social media use for potential security breaches.[4] It’s important to maintain a secure environment, but companies should consider doing so in a way that is sensitive to privacy and other concerns.

Once an enterprise delves into social media, it is useful to measure various efforts and to gauge their effectiveness. If human resource professionals are using social networks for recruiting, how do the talent pool and pipeline match up before and after? If developers are collaborating through social […], how much more quickly are products and services getting to market? With the development of new tools and constant flows of data, social media is an ongoing laboratory. […] learning never ends.

Join the conversation

To read additional articles, learn more about Security Essentials for CIOs, or share your thoughts with other security leaders join us at

About the author

Kristin Lovejoy is Vice President of IT Risk, Office of the CIO, IBM. She can be contacted at

About IBM Center for Applied Insights

The IBM Center for Applied Insights introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.

References

1. Ponemon Institute, “Global Survey on Social Media Risks: Survey of IT & IT Security Practitioners”, September 2011
2. 2012 IBM CEO Study, “Leading Through Connections”,
3. ISACA, “Social Media: Business Benefits and Security, Governance and Assurance Perspectives”, June 2010, Research/ResearchDeliverables/Pages/Social-Media-Business-Benefits-and-Security-Governance-and-Assurance-Perspectives.aspx
4. “Gartner Predicts Huge Rise in Monitoring of Employees’ Social Media Use”, PC World, 29 May 2012, gartner_predicts_huge_rise_in_monitoring_of_employees_social_media_use.html
© Copyright IBM Corporation 2012

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
June 2012
All Rights Reserved

IBM, the IBM logo and are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

Please Recycle

WGW03006USEN-00