Social Media – C-Levels Tricked and Trapped

During various conversations at the dmexco 2012 in cologne I realized that Social Media Risk Management already hit the boardroom but almost nobody is aware of it. So was I!

The reason why I believe that social media already reached the boardroom is so simple and so complex at the same time.

Almost everybody knows that you need to be active on social media. As social networks and social media is constantly gaining more and more power it is the ultimate source to solve a couple of challenges companies and their C-Levels experience:

Marketing Efficiency

Who wants to spend millions for marketing campaigns some really enthusiastic and creative brains build without giving you the tools to find out how effective your campaign is.

War for Talents

New employees are the lifeblood of every professional services firm. Attracting the right people and retaining them is key. But how do you do that? Go social! Young people leaving university and school have an incredibly huge social media competence and define themselves different than people like I did at their age. During interviews with potential candidates for our firm I had to realize that the questions I am asked are different than 10 years ago. People ask for BYOD, Smartphones, Work Life Balance Concepts, Mobility Concepts and much more. Most of the time they already used social media to inform themselves about my company. They even do not use our website, but they use facebook and twitter. So going social is not optional! It’s mandatory and therefore it’s a boardroom issue. The C-Suite usually approves this “HR stuff”.


Is customer relationship management an application to plugin to you ERP system or buy a monumental application that stores all your client data. I believe we will see distributed CRM systems in the future. These are the Facebook profiles, twitter lists and Xing / linked in groups which are the data marts for future CRM systems. Right now most of the professional people, being active on social networks, maintain not only private but also business contact lists and support sales and delivery through these channels. It became more viral than most of the non social networking C-Levels believe. In the end it means that you need to rely on those people acting in social networks and facilitate sales and generate leeds. In most of the companies (especially the professional services firms)  this is done unintentionally and the leaderships are overwhelmed by the “new” opportunities that arise.

What is the conclusion

You might ask yourself or me why a blogger about security and risk management writes something about CRM and war for talents and what this has to do with Social Media Risk Management.

As I already said it is simple but also complex. Everybody accepts that social media is in important factor in people’s life and business matters. We design campaigns for our businesses.  We sometime try to enforce social media policies. But do we really think that there is a difference between private and professional social media? We think so but it’s not! People have to disclose which company they are working for or they should not write one word about this company and stay private.

When asking people about their profiles on social network sites like facebook I very often get the answer:

Uuuh good question, but I am prepared for this! I arranged this in a propper way: facebook is used privately and linkedin is used in the professional part of my life!

Sounds reasonable but reality looks different. If you look at those facebook profiles you see that people disclose their company name and their position in the firm. This is the moment when a private account is not private any more. In Germany there was a law suite about where the judges came up and said that the use of a company name and maybe writing that you want to get (business contacts) is sufficient to assume you are not a privateer and that you have to behave professional.

Following this argumentation the C-Levels need to be in control over what their employees do just in case a third party cannot find out ad hoc if a person is a private or a professional person when looking at posts or their profiles.

C-Levels need to have an overview, who is acting as an employee of their company (even when knowing it). And last but not least it means that C-Levels have to enforce and monitor the use of policies in these open spaces. Right now I believe that boardroom members do not realize that they have to extend their control to social media or tell their people that they may not act on behalf of the firm and have to stay strictly private.

But who wants this? Nobody! You would loose the viral effect of social networks!

I know that this is a provocating statement but I absolutely believe what I wrote. Any comments are highly appreciated.

Collateral Damage of Cyberwarfare is Unpredictable – Security 2.0

During the last quarter of this year I had a lot of talks with CISOs and CIOs from major European companies about the impact of cyber warfare on their organizations.

Most of them refused even thinking about the impact of cyber warfare, which I can absolutely understand since most of them are not working in the defense industry and thinking about warfare is nothing we like to do. Nevertheless I feel that everybody should be encouraged to think about this topic and what it means to civil organizations in general.

Remember the latest press releases about Stuxnet, Duqu and Flame. What was / is the difference between cyber warfare and traditional war concepts.


Artwork found on jewlicious

The main difference – and that is what makes it so important to me – is that collateral damages can never be linked directly to the armed conflict. In traditional warfare concepts you will always be able to see the collateral damage caused by a bomb. You will see it on TV. You will see it in the press. You will hear it on the radio.

With cyber arms no one really knows who fired the gun – remember distributed attacks – and who is the target. Companies or organizations experience that they are hit by a serious attack but never know if they have been really the target. They just feel like it.

But what does that mean to civil organizations and companies?The situation regarding cyber attacks is heating up. We increasingly see serious attacks which are linked to those three “governmental” viruses (Stuxnet, Doqu, Flame) or experience malicious code like the trojan code built by the German government, called the “Staatstrojaner”. After Stuxnet we saw a huge number of organizations that had security incidents linked to Stuxnet which underpins the opinion that the company might experience a collateral damage without even knowing that it is the result of a (cyber) armed conflict. One nationstate might attack the other using cyber arms turning off the light in small and medium businesses in other, not in this conflict involved, countries, disturb operations in hospitals and so forth.

In the future companies need to built their own “cyber shield” to protect themselves against this kind of “advanced persistent threat”. In case of Stuxnet, Duqu and others we can learn that these intelligent pieces of code have been distributed in a way where traditional concepts like IDSes, IPSes and firewalls have been useless. Distribution was done using eMails, USB sticks, removable media and other very simple vehicles. They did not cross traditional company borders.

The conclusion is: Perimeter security does not work anymore and companies need to rely on safeguards they will have to put around individual assets. We arrived at the absolute need to create asset based security mechanisms instead of big walls! This is another reason why I believe: We reached security 2.0! We need to change the way we are doing security. I absolutely know that I do not meet everyone’s opinion of this serious topic but nevertheless I encourage you to discuss it with me and discuss what you feel what security should look like in the future. Maybe I am wrong. Convince me if I am wrong!

Cloud Computing – Security versus Industrialization

Some of you asked me to write more about Cloud Computing and issues related to this topic from the security and forensics space.

I would like to share some experiences that I made during the last year mainly from (Public) cloud projects where my team and I discussed security issues with business owners but also with security experts. Sometimes I am really worried about what I see and hear.

The Mystery of Cloud Computing Hardware

I can’t resist to write this paragraph because it was so surprising to me. In one of the project kick offs an experienced penetration tester of major German security firm said:

“Hm – the stuff I saw in the presentation was ordinary IT – I am missing the cloud technology!”

I found this comment a little bit bizarre because it shows that there is not yet a common understanding of what Cloud Computing is.

According to the NIST definition it is not a hardware or software model. It is a service delivery approach for IT services. The conclusion must be: Never expect to see a hardware register or a software register that tells you “This is a Cloud”.

Key criteria to name a service a cloud service are:

  • On demand self service
  • Broad network access
  • Ressource pooling
  • Rapid elasticity
  • Metered service

Taylormade Public Clouds for each Client – lessons learnt about cloud strategy

Just in case a security advisor tells you:

Let me take a look at the cloud offering of provider XYZ and I’ll tell you what you need to change to be secure.

What is wrong about this statement? From my perspective this approach helps you to leave your path of industrialization and helps you to move back to IT manufacturing. I know that this is sarcastic thinking but the reason why I believe that you are a on a path of industrialization is that you are thinking about a highly automated delivery approach for IT when thinking about Cloud Computing. In case that you will tell your provider

  • “Implement this control”
  • “Create that report”
  • “Change authorizations in this way”
  • “Move my data to a single datastore”
  • “Do not host any other clients in the same environment you are using for me”

you are loosing the efficiency of a cloud service that is usually designed to run without paying attention to individual needs.

If you want to have your own resources you are stepping back to traditional service delivery concepts which are called “IT Outsourcing”.

Let me clarify my thoughts: It is the right idea to test your suppliers and find out whether they are able to deliver the level of security you need. But it is the wrong idea to start negotiating what they need to change to meet your expectation. The only moment when I feel that this is acceptable is the moment when your requirements would be accepted as general requirements to be implemented for each cloud user.

The consequence of negotiating hardware and software architecture as well as the delivery model and individualizations of a service model would be one of the following or even both in combination:

  1. Service Quality would remain the same like the contracted while other clients will benefit from continuous improvement processes.
  2. Cost model for the service will be higher than for the “standard service” due to individualizations.

I think you would not want to experience this.

Just in case that you experience breach of regulations you might want to discuss this with a cloud provider because complying with regulations is mandatory and not optional and is in the interest of the provider.


I want to summarize some basic Do’s and Dont’s when negotiating cloud service contracts:

  • Never change the delivery model – Do not try to change the IT architecture
  • Always test the service if it meets your requirements
  • Check for compliance
  • Never change the reporting format

I know that it attracts a huge number of consulting firms that tell you to negotiate changes with cloud providers to meet your expectations. Resist!

If you are talking about your own custom made cloud you can do whatever you want – but not with a public cloud service!