Small Talk with Sam Small: CSO, Chief Security Officer or Chief Social Officer?

Hi, welcome back. This is the second installment of our Small Talk series, highlighting the role of Chief Security Officer (CSO), both in its importance to a company’s success and its evolution over time. In these posts, we’re sitting down with ZeroFox’s very own CSO, Dr. Sam Small. Dr. Small is one of the country’s foremost experts on security operations and intellectual property (IP), and at ZeroFox, he defines, executes, and manages the security strategies for ZeroFox and our customers. Over the course of this series, we’ll be featuring a mix of posts sharing Sam’s ideas, direct interviews, and blogs written by the man himself. If you want to read the first post in this series, you can find it here. Otherwise, let’s dive in.

In our last post, we discussed how the role of Chief Security Officer (CSO) has changed in the past five years and continues to evolve today. With the mass adoption of SaaS products and recent innovations in cybersecurity, IT and security professionals have had to adapt to a multitude of changes in policy, process and technology. With the adoption of each new technology, barriers break down. Salesforce, for instance, is no longer used solely by sales teams; more and more, security concerns have become a part of everyone’s purview and responsibility. Yet, when it comes to social media, organizations are often quick to associate Facebook and Instagram solely with engagement and CMOs rather than security and CSOs.

ZeroFox’s own CSO, Dr. Sam Small, says, however, “an effective Chief Security Officer knows better than to ignore social media.” Why?

Greater engagement means greater threats

As customer and prospect engagement grows on social media, your marketing team expands its usage and reach. However, with each new ad, post, and click, the risk associated with these channels only continues to increase. For example, Cisco’s 2016 Annual Security Report revealed that social media is now the number one source of malware delivery. One contributing factor is that social media users are trusting, at times to a fault. We all know the rules of email (don’t click that link!), but when it comes to social media, the rules aren’t quite as clear. Couple that with the fact that it is in the nature of social media users to share and engage, and the risks facing your employees, customers, and followers are higher than ever.

“Social media platforms have also brought about a renaissance in social engineering attacks, enabling attackers to realize advances in reach and efficacy through automation like never before,” Sam notes. What does that mean for the Chief Security Officer? Put directly, “Your attack surface is larger and your weakest link more accessible than ever.” Social media presents unique risks that marketing teams cannot handle on their own. Combating these risks is critical to protecting your organization, employees, and brand.

Where security and marketing intersect

In the security industry, we talk a lot about protection. Protecting confidential information, locations, employees and more is critical for security teams at organizations of all sizes. However, there’s one crucial form of protection that security teams can often forget, or perhaps naively believe marketing teams can handle on their own: brand protection.

When it comes to brand value, loyalty, and consumer confidence in marketing, perception is reality. Brand protection is a team effort, and human-scale efforts alone will quickly exhaust a marketing team. As Sam puts it, “In the same way that technology is enabling marketers to target and reach demographics more efficiently than ever, Chief Security Officers and security professionals must also enable marketing teams to monitor proactively for (and effectively react to) risk.” Whether reacting to trends in sentiment, potential issues, or strategic opportunities for positive customer engagement and brand management online, marketers and security teams share a common need for situational awareness.

Employees on social: ambassadors or imposters?

Good marketing teams know that employees can be the best promoters. Engagement and promotion tools provide marketing teams with the opportunity to blast new content through their employees’ personal social media channels, expanding their reach and personalizing the promotion itself. However, these new brand ambassadors also bring a heightened security risk that Chief Security Officers cannot ignore. Malicious actors often pose as your employees, whether as customer support representatives or marketing team members, to twist your message and damage your brand. Offering product discounts or technical support, these imposters serve to create distrust between your organization and your real customers. And speaking of customers…

The customer case study you can’t write

CSOs aren’t usually in the market of writing customer testimonials, but when it comes to social media, it’s worthwhile for security team members to pay attention to who’s talking and what they’re saying. We have all seen the viral posts. It starts with a single customer complaint and can escalate quickly into a full-on PR crisis. Take the United Airlines social media crisis in April of 2017. A single tweet containing a video of men dragging a passenger off a United flight sent the internet into outrage. “Facts” of the incident were shared left and right across platforms before United could get a word in; by that time, the damage was done.

Those are the real customers. The truth is that across the social media and digital landscape there are also bad actors pretending to be your customers. Even if you don’t face a major public scandal, impersonators can still be detrimental to your brand. From fake reviews on your Facebook Page to posting slanderous messages tagged at your headquarters, these imposters threaten your customer loyalty, revenue, and overall organizational security. CSOs and other security professionals need to work alongside marketing teams to identify these risks and remediate them towards a common goal.

Chief Social Officer, reporting for duty

In 2018, security is everyone’s responsibility. Threats exist (and continue to grow!) on new and expanding platforms; social media is a prime example. An effective Chief Security Officer needs to recognize social media for what it is: an unavoidable aspect of being a successful modern business, an excellent resource for marketers to promote brand and customer engagement, and a prime source of risk for your security team to monitor. As you evaluate your cybersecurity coverage and your team’s responsibilities, don’t forget to add social media protection to your security stack.

Learn how the ZeroFox Platform can secure and protect your organization’s social and digital presence here.