Security should support, but not manage, Social Media Event Monitoring
Andrew Walls and Brian Prentice write that corporate reputation
and confidentiality are being affected by public social software environments
In April 2009, employees of a Domino's Pizza store posted videos on YouTube of
staff performing offensive and possibly illegal actions with ingredients and
implements used in the preparation of pizzas and other foods. Although Domino's
Pizza did not initially characterize the negative impact as very large, it monitored
the popularity of the videos on YouTube, which exceeded 1 million viewings within
24 hours. Approximately 48 hours after the videos were posted, the CEO of Domino's
Pizza released a video on YouTube condemning the actions of the staff in the
video and assuring the public of its commitment to safeguarding customer well-being.
The staff involved in the videos were fired and faced criminal charges.
The lesson is that corporate reputation and confidentiality are being affected
by public social software environments. Reputation monitoring typically falls
to marketing/PR teams but responding to damaging content can require capabilities
in internal and external security investigations that are rarely found in these
teams.
In many organizations, the required investigative support processes are already
available through a defined computer emergency response team (CERT) or computer
security incident response team (CSIRT) function. Security teams should leverage
the investment in CERT processes and engage with the PR departments to develop
relationships and procedures to escalate investigations without impeding the
responsiveness and flexibility of the reputation management process. This approach
avoids the duplication of effort and enhances the consistency of investigations.
Often, investigations are not automatically escalated when critical event criteria
are met. Preparation, planning and coordination are required to ensure that
the security team can provide appropriate support to the PR/marketing team when
that support is required. There are three critical steps:
First, develop relationships. Security is sometimes perceived as an obstacle
to business innovation. The security team must build positive relationships
with the staff that use social media monitors. Although this process can be
kicked off through a formal meeting, effective relationships require frequent,
informal interaction.
Second, determine the scope of monitoring. Various individuals and teams within
the business may be managing formal and informal monitoring tools and services.
The spread of social media use means that any employee, customer or friendly
stranger can be a source of alerts concerning corporate reputation. Ideally,
the security team stays aware of the principal users of monitors within the
company and relies on the PR organization to collect, collate, analyze and escalate
the disparate inputs from staff, service providers and the public.
Third, redefine processes. Modern communication teams have formal processes
to manage PR opportunities and threats. In some cases, social-software-related
issues will be easily accommodated in these systems. However, where new relationships
and monitor dynamics are identified, they must be embedded into revised communication
processes. If you are using, or intend to acquire, an incident or case management
system for security investigations, provide PR, marketing and other
social media monitors with access to the software to facilitate communication
concerning the escalation of incidents.
The optimal approach to social media monitoring and incident response
combines the efforts and capabilities of the PR, HR and information
security teams.
Andrew Walls is research director, Gartner, and Brian Prentice
is research vice president, Gartner.