For my story today on how CIOs are balancing the use of social media at their companies and security concerns (with great difficulty, BTW), I discovered something that all of you probably know. The business is touuuchy about talking about its use of social media, especially when coupled with the word security.
As I mention in the article, a number of CIOs I contacted for the story declined to be interviewed. A couple said their organizations were not into social media, or they were too new to the whole phenomenon to speak knowledgably about useful security tools. Fair enough. More startling was what happened to an IT executive I contacted whose HR and marketing departments are using social media. He used gateway security software from Websense as one line of defense and could talk about why he liked it.
Not so fast.
In the space of a few hours, my five innocuous questions got vetted up and down the executive ranks, from the head of communications to the head of marketing and over to the CIO. The communications department sounded the alarm, arguing that really “very few of our employees have access to social media sites.” That
fiction fact, “coupled with the fact that our own practices and policies are still in the early stages of development,” made the interview request problematic, according to the marketing executive. “I think these would be very difficult questions to navigate.
“And I certainly would avoid Q.5 ….” he said. Moreover he was “not really sure how much information on this topic we want to share externally at this point in time.” Even an industry trade story could get read by “consumer reporters and bloggers,” and thus out to “other media.” An hour later, yet another higher-up sent out the official kibosh: “We do not wish to participate in this interview.”
To be fair, this organization was not the only business to nix the request. (Motorola was not interested, either.) And I understand that CIOs and CISOs may have to avoid publicity when it comes to security measures. But social media? For business purposes? Who knew.
Here, by the way, is the notorious Q5. (OK, it is a little out there.)
5. Even with education programs, there will always be employees who, through maliciousness or laziness, pose a security threat to the business. Whose job is it to police these people? And are CIOs/CISOs and other technically trained people equipped (or should be expected) to deal with the human dimension in security?