- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - National Harbor, Md. -- Risks associated with employee use of Facebook, Twitter and other social media websites social media shouldn't really be considered the primary responsibility of the IT security department, a Gartner analyst said Tuesday.
There are many risks in social media, including loss of reputation and possible liable suits when employees blab or posts photos and videos about what they shouldn't. There are also risks of malware, identity theft, phishing and privacy breach of sensitive data.
But after posing the question "Is it the job of the security organization to manage those issues?", Gartner analyst Andrew Walls answers that the risks of social networking are tied to individual behavior that takes place outside the infrastructure boundaries of the organization and carries with it issues related to content and freedom of speech.
"People say inappropriate things in these environments, so clearly we have some security problems here," Walls said, speaking on the topic at the Gartner Security & Risk Management Summit 2010. But setting policy guidelines related to the conversations of others from an organizational perspective is not the job of IT security but of business managers, says Walls. "It's a personnel management issue."
Walls said IT security managers are probably making the wrong move when they rush into a business manager's office warning about the dangers of social media and the need to block it. That business manager probably has four e-mail accounts and uses Facebook, and will be wondering why the IT security manager doesn't want to support it.
But the larger issue is that the burden of determining policy should fall to personnel managers, who should be looking at social networking in the same context as they do when it comes to talking to the press, says Walls.
"It all starts with governance. Social media posts are public speech, governed by PR, marketing and human resources, not security," says Walls. He advises extending corporate communication policy to cover not just the press and media, but social networking. He added it may take a corporate lawyer to make sure the policy is in accord with local laws.
In all likelihood, though, it will be the "most valuable people in the organization" who will demand and need social networking the most, Walls argues.
Blocking social networking through policy and technical means such as Web security gateways appears to still be the predominant practice but may be easing. "About 60% of people I talk to block," says Walls. "But a year ago it was 75%."
After that, the question is, can technology play a role in carrying out the corporate policy?
Blocking use of social networking on corporate PCs obviously doesn't prevent anyone from using alterative means, such as home PCs or mobile devices, to go out and make the same outrageous mistakes that could harm the company. So it's necessary, from the company's perspective on social media and employees, to monitor the wide world of social networking, says Walls. "You've got to monitor. Otherwise, how do you know the effect of your policy?"