Security execs are insecure about Twitter

Rob Whiteley

On Friday we wrapped up a very successful Security Forum. I’m very pleased at how well the theme — navigating the new security & risk reality — resonated with the two hundred security execs that joined us in lovely San Diego.

For those who attended, let me send out a big THANK YOU. I know it’s a lot to take two days out of your schedule and, as always, we appreciate your attendance. And remember, you can head to the link above to get all of the presentations.

But now we must return to work and start implementing all of the insight we discussed. To help, I thought I’d take an opportunity to summarize this year’s top three takeaways, in no particular order.

Takeaway 1: Giant squids are the stuff of horror movies, and stand-up comedy. For those of you following along, you’ll know I struggled with whether I should incorporate the recent squid invasion of San Diego in my opening remarks. I did — and it went over well. I shall live to host another event.

Takeaway 2: It’s critical for security execs to master a shift in ownership. Ok, the first takeaway isn’t of much help, but I couldn’t help myself. So this one is for real. The entire event was organized around three shifts in the security and risk management landscape: 1) a shift in business expectations; 2) a shift in data ownership; and 3) a shift in security architecture. The shift in ownership proved to be the most critical. Why? Because a new generation of outsourcing and the consumerization of IT are taking control away from IT. Cloud computing gives IT the flexibility to tactically outsource IT services. At the same time, the enterprise workforce is demanding more flexibility, and employees sporting consumer-grade gear are eroding traditional security controls. As a result, today’s organizations no longer fully control where their data lives, who handles it, or which devices touch it.

This leads me to . . .

Takeaway 3: Security execs hate Twitter. I’m not joking. This year’s audience was most excited when two speakers — Marcus Ranum and Hord Tipton — denounced the use of Twitter. On day one, there was loud, thunderous applause when Marcus mentioned that he is adamantly against Twitter. This was repeated on day two when Hord mentioned he, too, didn’t see the value in Twitter. Ironically, I was tweeting during both talks (search for #FSF09 if you’re interested in my observations), but I digress.

In all honesty, this makes perfect sense. Twitter is scary. There is the chance that intellectual property could be leaked; that users could click on malware links disguised behind shortened URLs, which hide the real destination until the click; or that your company could be liable for inappropriate comments tweeted from a corporate device. On top of that, there is the misconception that Twitter is just filled with nonsensical observations like, “The line is long at Starbucks right now.”

But I was still a bit shocked by the audience reaction. It’s very clear to me that we’re at an inflection point in information security. What we called a “shift in ownership” will be the challenge of all CISOs heading into 2010. It’s no longer sufficient — and definitely not necessary — to denounce the use of social media. Security has to find a way to let enterprises securely embrace consumer hardware and software. Stay tuned for more research and blog posts, but in the meantime I’d love to hear your thoughts. Can security execs continue to simply prohibit apps like Twitter?

Let me know. Oh, and feel free to email me. I know you won’t tweet me your thoughts. (But just in case, it’s rwhiteley0.)

Comments

re: Security execs are insecure about Twitter

Sage wisdom on Twitter. You are 100% correct that security is at a crossroads. CISOs who continue to act as the "business prevention department" will be replaced by those who embrace emerging technologies that make modern business processes secure without impacting productivity. Old solutions, such as static acceptable use policies and draconian, binary controls (allow/disallow technology) are next to worthless in today's world.

re: Security execs are insecure about Twitter

Great example of a Twitter gaffe in the news this week... Replace Kanye West with ANY international leader and we could have had a real problem on our hands ;) http://www.politico.com/blogs/michaelcalderone/0909/ABCs_Moran_tweeted_OTR_Obama_swipe_at_Kanye.html?showall

re: Security execs are insecure about Twitter

IMHO this kind of contrary remark is classic Ranum and nothing more. If an attack is simple enough to leverage a service like Twitter, it can leverage practically anything. If you are concerned about attacks that rely on short URLs, your problem is with short URLs, not Twitter. Short URLs predate most social networks in general, never mind Twitter in particular.

re: Security execs are insecure about Twitter

Whatever can be communicated/distributed within 140 characters can be equally dispersed via a pile of other applications/services/ports/protocols. I would agree that short URLs pose a risk; this is unrelated to Twitter. Twitter & Social Networking are not the root cause of the data leakage; people are. Covert channels & command channels can be implemented in just about every application out there.