
John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Is OpSec An Endangered Species?

by John Pescatore  |  August 5, 2009

Yesterday’s “Twelve Word Tuesday” post (“If humans use a technology, businesses employing humans will contain, not block”) was in reference to reports that the US DoD Strategic Command, in response to security concerns, was reviewing whether and how to allow military use of social networks. This announcement came at about the same time the US DoD Principal Deputy Assistant Secretary of Defense for Public Affairs (or, as his close friends call him, Pdas Dpa) was touting DoD use of social media. The same tension exists at most government agencies, where the Obama administration has put “new media” officers in most Departments’ Public Affairs offices to drive government engagement with citizens through social media, Web 2.0 and the like.

Andrea DiMaio in Gartner’s government practice gave his thoughts here, while Anthony Bradley in our Application Architect group did so here.  Greg Young had previously demonstrated Twitter data leakage here.

There are real security issues. OpSec has been damaged in all kinds of ways as DoD personnel have used social network sites. The DoD defines OpSec as:

“OPSEC is a systematic, proven process to identify, control and protect generally sensitive but unclassified information about a mission, operation or activity, and, thus, denying or mitigating an adversary’s ability to compromise or interrupt that mission, operation or activity. If an adversary has knowledge regarding your capabilities, interests, intentions, plans, or procedures, then he has an opportunity to exploit your vulnerabilities.”

Now on one side people are saying “Just use governance, tell people to behave and they will.” But we know that doesn’t work, never has, never will. The myth of the responsible user is just that: a myth. Speed limit signs don’t work without enforcement.

On the other side, we have the knee-jerk security reaction: “Block it!” But we know that doesn’t work either, never has, never will. We don’t put governors on cars to make sure they never, ever exceed 65 mph. As I said, if human beings use a technology outside of work, businesses that employ human beings will inevitably have to move from block to contain and (sometimes) someday to embrace. Mark Nicolett and I have a research note on making this migration as a way of balancing business demand and security.

People will always exhibit risky behavior unless there is a mixture of policy and controls. Gartner surveys have shown that the vast majority of enterprises filter some Internet access and will need to continue to do so. However, there are ways to limit the damage while still meeting the real business need to use new technologies. That’s what business is all about.
