IBM Center for Applied Insights

Executive Series

Security Essentials for CIOs
Navigating the risks and rewards of social media

Highlights:
Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise.

Imagine an immense tradeshow floor filled with all of your clients. It’s also teeming with your most promising prospects, along with thousands of talented potential hires. There’s no better place for you to showcase your offerings, your smarts, and what sets you apart. Naturally, your rivals are there too, angling for clients, brainpower and ideas. So there’s plenty of competitive pressure to attend. But, regrettably, there’s a downside. Growing numbers of thieves, industrial spies and other ne’er-do-wells are circulating the same halls. As is so often the case, opportunity comes with its share of risk.

This non-stop global conference, of course, is social media. At IBM, we feel that these digital gatherings provide near limitless opportunity for our employees to make connections, exchange ideas, and innovate. For us, engaging in social media, inside and outside of the company, is a strategic imperative. So is security. We believe the solution is to create a risk-aware culture — one that acknowledges both the value and the risks associated with the digital world. It is important that we engage digitally in a smart and secure way.

Just a few years ago, many companies saw social computing as an outcropping on the periphery of their businesses. Since then, social networks have exploded, with hundreds of millions of people trading ideas and leads, from work, home and on the move. This growth has created enormous value, for everything from recruiting staff to customer service. In a recent Ponemon Institute survey, nearly 70 percent of global respondents said that social media is now very important for achieving their business objectives.¹
Executive Series                                                                                                        Security Intelligence




However, there is still a long way to go between seeing the value and actively engaging. In IBM’s latest CEO Survey of 1709 CEOs around the world, only 16 percent of them are currently participating in social business platforms to connect with customers. Within five years, that will likely grow to 57 percent.² Outperformers in the survey were more likely to identify openness, often characterized by a greater use of social media, as a key influence on their organization.

This growth and attention has created new opportunities for thieves and hackers, and many enterprises are unsure what to do about it. In the Ponemon study, 63 percent of respondents said that social media puts their organization at risk and is a serious security threat. The risk is recognized, but only 29 percent admitted to having the necessary security controls to mitigate that threat. There is still a long way to go.

Nearly 70% of global respondents said that social media is now very important for achieving their business objectives.¹
Source: Ponemon Institute

Because of this growth, in both opportunity and risk, we feel it’s important to share our ideas on how to help build a risk-aware culture for the social world.

Define your social agenda
The first step for every enterprise is to determine where it fits in the social sphere, and what it might gain from social media. Ideally, top executives from every division will meet to explore the possible benefits. Core questions include: Will participation boost brand awareness? Can it improve customer satisfaction? Could we use social media to drive collaboration or crowdsourcing for product innovation? Discussions must also extend to the costs of not engaging. Will the company be hamstrung in responding to public relations issues if it lacks a well-known Twitter account or Facebook page? Will it be at a disadvantage finding and communicating with good recruits if it doesn’t use social media?

Each enterprise will come up with its own answers. Some may conclude that certain functions, perhaps HR, Sales, and Marketing, need to be active on social networks while other functions require a smaller presence or none at all.

Analyze the risks
The next step is an analysis of the risks inherent in each of these initiatives. ISACA has defined five primary social media risks for business.³ They range from the increased threat of viruses and malware to brand hijacking and lack of content control to changing customer expectations to increasing the chances of non-compliance.

One growing trend is for criminals to harvest personal information from social networks, and then to use it to craft personalized phishing attacks. If successful, these can deliver malware, which can quietly steal information, shut down vital operations, or even carry out sabotage.

There are not only external risks, but also risks from employees. What if company secrets are exposed via social media? What would happen to the firm’s reputation if negative photos of employees made their way onto Flickr? What to do if an ugly and false rumor goes viral on Twitter or if a colleague appears to be spilling details from yesterday’s meeting on Facebook?

These risks may be common across enterprises, but the way in which organizations respond will likely be unique to their corporate culture. The important element is to raise these early on in the process, and build appropriate response plans.

Create and communicate your policy
The third step of the process is crucial. It involves communicating the opportunities and risks of the digital world, and providing policies, awareness programs and tools to guide the entire work force. For this, ongoing education and guidance must be built into the fabric of the enterprise’s social media strategy.

At IBM, we began these efforts with our own Intranet. In 2005, IBMers were using an in-house social network known as Connections to exchange everything from algorithms to chili recipes. Then, external blogs and social networks began to take off, and IBM considered the opportunities and challenges of engaging far beyond the corporate firewall. Collaborating on a wiki, IBM employees drew up our Social Computing Guidelines. This initial effort was a starting point and we’ve been evolving it ever since.

Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise. By participating, our employees build what we call Digital Eminence, a reputation for sharing experience and ideas that can boost their professional persona as well as the company’s prestige, while drawing people and business to IBM.

Social Computing Tips for Employees

Like many of today’s emerging technologies, social computing puts employees in the driver’s seat—essentially making them your brand ambassadors. You might want to consider the following tips as you empower your employees to effectively navigate the risks and reap the rewards of social platforms:

• Be authentic. Encourage employees to identify their employer in their profiles, but provide a disclaimer that their opinions remain their own.

• Think before posting. Content and context go hand-in-hand. Confidential or private information isn’t ever appropriate to share in a public context. For example, a tweet about a recently released whitepaper would be fine, but a tweet about confidential company financials would not be.

• Respect others’ rights. You should respect the rights of others, including their privacy and intellectual property rights.

• Be careful with connections. Your employees might receive connection requests from those who are hunting for private company information, so remind them that it’s good to be choosy when considering who to connect with.

• Read the fine print. Social networks have terms of use and privacy policies, and you and your employees should review these closely to confirm that you can live with those terms and policies. Also, social networks may change their terms and policies over time, so you should regularly check them for changes before connecting.

• Admit mistakes. Things move faster than ever in social media, and employee mistakes are likely to happen. A culture where employees are encouraged to admit and quickly correct mistakes can help to avoid any fallout from the inevitable social media faux pas.

Monitor security and measure progress
One word of warning: enterprises must be extremely careful to balance privacy issues and security when it comes to social media use. Gartner recently reported that by 2015, 60 percent of enterprises are expected to actively monitor employees’ social media use for potential security breaches.⁴ It’s important to maintain a secure environment, but companies should also consider doing so in a way that is sensitive to privacy and other concerns.

Once an enterprise delves into social media, it is useful to measure various efforts and to gauge their effectiveness. If human resource professionals are using social networks for recruiting, how do the talent pool and pipeline match up before and after? If developers are collaborating through social media, how much more quickly are products and services getting to market? With the development of new tools and constant flows of data, social media is an ongoing laboratory. The learning never ends.

Join the conversation
To read additional articles, learn more about Security Essentials for CIOs, or share your thoughts with other security leaders, join us at ibm.com/smarter/cai/security.

About the author
Kristin Lovejoy is Vice President of IT Risk, Office of the CIO, IBM. She can be contacted at klovejoy@us.ibm.com.

About IBM Center for Applied Insights
The IBM Center for Applied Insights (ibm.com/smarter/cai/value) introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.

1 Ponemon Institute, “Global Survey on Social Media Risks: Survey of IT & IT Security Practitioners”, September 2011
2 2012 IBM CEO Study, “Leading Through Connections”, http://www-935.ibm.com/services/us/en/c-suite/ceostudy2012/
3 ISACA, “Social Media: Business Benefits and Security, Governance and Assurance Perspectives”, June 2010, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Business-Benefits-and-Security-Governance-and-Assurance-Perspectives.aspx
4 “Gartner Predicts Huge Rise in Monitoring of Employees’ Social Media Use”, PC World, 29 May 2012, http://www.pcworld.com/businesscenter/article/256420/gartner_predicts_huge_rise_in_monitoring_of_employees_social_media_use.html
© Copyright IBM Corporation 2012

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
June 2012
All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml. Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

Please Recycle

WGW03006USEN-00
