Social Media: A Cautionary Tale

Wednesday – May 5, 2010

Michael Gotta, Principal Analyst, [email protected], mikeg.typepad.com

Alice Wang, Director, [email protected]

www.burtongroup.com

All Contents © 2010 Burton Group. All rights reserved.

Social Media: A Cautionary Tale - O'Reilly Media, assets.en.oreilly.com/1/event/37/Social Media_ A...



[Figure labels: 3000 friends; 100 fan pages; 50 groups; Following 325; Followers 915; Has Own Channel; Blogs Daily]

Social tools enable employee self-expression

Benefits of Social Tools

Social tools are often associated with “Enterprise 2.0” and CRM strategies

• Benefits expected from social media
  • Connect people internally and externally (e.g., expertise location)
  • Build community across different function areas (e.g., best practices)
  • Improve external relationships and “brand” reputation
  • Break down organizational barriers and information silos
  • Promote broader participation in innovation (ideation) efforts
  • Address generational shifts (e.g., aging workforce)
  • Meet technology expectations of younger workers
  • Support strategic talent and learning initiatives


At times, we want to control what is revealed

Risks of Social Tools

Social tools generally lack management capabilities that help support identity, security, privacy, and compliance needs

• Risks associated with social media
  • Poor support for policy-based management
  • Inability to support identity assurance needs
  • Inadequate access controls at granular levels
  • Privacy concerns (such as racial and diversity profiling)
  • Compliance demands
  • E-Discovery and data retention
  • Data loss prevention
  • Increased risk due to correlation / social engineering capabilities


photo by *smiling pug*: http://www.flickr.com/photos/bugbunnybambam/2171798309

Saying “no” is not the answer

Listen to people

Construct use case scenarios from those stories

Identify points where risks can be mitigated

Use Case #1: Social Claims

Source: Booz Allen Hamilton

Use Case #1: Social Claims

Enterprise Identity

Trusted Identity Sources: HRMS, Directory, Other Systems-of-Record

Source: Booz Allen Hamilton

Use Case #1: Social Claims

Internal Social Identity

Personal Claims

Source: Booz Allen Hamilton

A single profile? Multiple profiles? Federated profiles?

Professional Support Group

Outreach Network

Community Of Practice

Internal “Facebook Site”

Use Case #2: Profile Proliferation

Women Returning To Work After Extended Leave

Professional Exchange of Best Practices

Diversity Community

Activity streams reveal conversation and community actions

Use Case #3: Over-Sharing

Jane Doe: Joined Community: “Women Supporting Women”

John Doe: “Working on a big M&A deal, need to work late tonight… stay tuned!”

Fred Smith: &#%^%$* we just lost the Company ABC account…

Jane Doe: Joined Community: “Diversity Appreciation Community”

Betty Smith: @Bob Jones That patient ID number is 123456789

Bob Jones: @SamJ I’ve changed the access controls so you can get into the workspace

“Women Supporting Women”

“Diversity Appreciation Community”

Automatic posting of community actions

Activity streams & “Enterprise Twitter” messages

Use Case #4: Connected Identities

External social data can be “plugged into” social network sites, e-mail clients, and other application contexts

Personal Claims

Is it me? How much is being shared? Under what controls?

Use Case #4: Connected Identities

Unification of an employee’s work and non-work social structures

“The Work Me”

“The Citizen Me”

Profile Groups Contacts

Profile Status Message Activities Photos

Profile Following / Followers “Tweets”

Enterprise Identity + Enterprise “Social Identity”

My politics My groups My music My friends

Regulatory policies can define use/non-use of capabilities

• Identity (brand and individual)
• Content
• Communications
• Collaboration
• Connections
• Applications
• Notifications
• 3rd parties
• Correspondence, recordkeeping, and supervision requirements

Use Case #5: Oversight: Approved Use

Source: http://twitter.com/bofa_help

Ad-hoc business use can cause enterprise risk

Use Case #5: Oversight: Personal Use

Use Case #6: Deciphering Relationships

HRMS Directory Other Systems-of-Record

Trusted Identity Sources

Role Management Applications

Business Process Management (BPM) Systems Enterprise Portals

Role Sources

Authentication, Authorization, Provisioning, RBAC, etc.

Enterprise Roles

My Roles

• IT Architect
• SME on “ABC”
• Approver for access to “XYZ”
• Certified on “123”

Social Roles

Use Case #6: Deciphering Relationships

“Answer Person” “Wiki Gardener” “Idea Person” “News Filter”

Social Role Attributes

Social Data Aggregation & Correlation

Social Network Analysis

Use Case #6: Deciphering Relationships

Social analytics

• Assess, correlate, and visualize relationship structures
• Within the enterprise, discovery of latent connections most valuable
• Evolution of tool capabilities can discover too much information on organizational structures, activities, and relationships

Source: Telligent

Needs to figure out how to help a company deal with export / import regulations in country XYZ

Has dealt with import / export problems in country XYZ for years in past job role

Node 8 To Node 10 To Node 14 To Node 15

Members Of Investigation Unit

Identify Control Points To Mitigate Risks

A mix of strategies and tactics to produce results

• People
  • Effective policies
  • Balanced privacy considerations (enterprise and employee)
  • Adequate training
  • Visible enforcement
  • Relevant social feedback
• Process
  • Assessing social media risks
  • Handling social information
  • Delivering social applications
• Technology
  • Support for access control and entitlement management
  • Effective monitoring, auditing, and logging

Awareness & Management Of Risks

Use Case concerns relevant to identity and security teams

• Profiles And Profiling
  • Credibility of profile and social claims
  • Possible bias against employees by co-workers based on race, diversity, affiliation information made open and transparent via social media tools
• Information Security
  • Intellectual property, compliance, e-Discovery, monitoring…
  • Aggregation / correlation capabilities
  • Data management and data integration (profiles, roles, etc.)
• Privacy
  • Adherence to regulatory statutes, level of employee controls, possible stalking situations (hostile workplace)
• Social Network Analysis
  • Makes relationships visible that perhaps should not (“connecting the dots”)
  • May lead to “befriend / defraud” situations, social engineering

Recommendations

Moving forward with social media and social networking efforts

• Social media and social networking are strategic initiatives that are here to stay – saying “no” is not the right approach
• A decision-making framework and governance model is an essential component of any strategy
• Policies and procedures need to focus on the human element and avoid technology as a panacea
• Identity and security objectives need to be viewed on the same level as desires for openness and transparency
• IT teams that should be viewed as key stakeholders in social media and social networking strategies include:
  • Groups responsible for collaboration and community efforts
  • Identity management and security groups
  • Information management and data analysis groups


Q&A
