Shaping Tomorrow’s Security Today 2: Joe Sullivan, Chief Security Officer of Facebook

Enrique Salem’s presentation continues with Facebook’s Chief Security Officer Joe Sullivan stepping in to discuss how digital natives are impacting business and analyze problems of the so-called ‘lockdown’ approach to securing the workplace.

Openness of today’s enterprises makes them vulnerable

But now we’re getting to what’s going to be difficult. Yesterday’s enterprises tried to be more locked down. Today’s enterprises are more open, more distributed and less secure than they need to be. And I think many of you are frustrated by how much complexity has been introduced. But this new world is one where we don’t control the devices. With the expanded use of the public and private cloud, we don’t know where our data necessarily resides. With the increasing use of virtualization, it’s not always clear where a specific workload is being run. So the digital native generation brings into sharp focus 3 questions:

1. How do we manage online identities when our employees maintain dozens of them?

2. How do we protect information when the workforce shares information freely and isn’t that concerned about its security?

3. How do we keep track of a substantially higher volume of online activity?

The challenge of combining mobility with compliance

If we can’t answer these questions, it will be a barrier to the new world of business. It won’t work. We’ll be held back by the threats we already can see today. Of course, there are some benefits to this new workplace. We’ve already seen how mobile devices and virtual desktops can enhance IT productivity. However, this starts to further stretch the already conflicting requirements on the security professional. We’re being required to offer more services and mobility, and access, while at the same time dealing with more requirements around governance and compliance, not to say all the other things we have to do from an IT perspective.

What I’d like to do at this point is I’d like to bring up a guest and say a little bit more about this topic; someone who deals with the digital native generation every day. He has a very good perspective on the future of business, and he has got a clear view of how this world is really changing. So please help me welcome Joe Sullivan, the Chief Security Officer of Facebook.

Enrique: Alright, Joe deals with digital natives every day, and you’ve told me some great stories. So how do you think digital natives are going to impact business?

Joe: I think they are already impacting business every day. First, working at Facebook, we have to design our product for those digital natives. And so that means we have to understand what they want. And they want something different. We talked a little bit about how, when Facebook launched our new messaging product last year, we actually had to design it differently. We looked at how our teenagers communicate. You mentioned that the inbox is not something they look at, and we needed to get rid of the “Subject” line. When you think about that as a company, the idea that we’re going to change e-mail and take away the “Subject” line – that’s a hard thing to do. But we did it and no one noticed, because it made communication better.

Enrique: So, here’s the topic, obviously, that this group is very interested in, because if we believe that digital natives are working in the way that our own employees are starting to work, how do digital natives, in your perspective, think about security?

Joe: In terms of security for us, the digital immigrants, I could say we grew up in the Wild West of the Internet. We learned about carrying our own guns, about hiring guards when we’re on the stagecoach, about ducking when there’s a shootout in a bank. But I think the Internet’s changed, and I think expectations of the community have changed. I think at a service like Facebook we’re expected to build security into our product; we’ll be judged if we don’t. And so we need to work with companies like Symantec to bring a secure experience to everyone who uses our service.

Enrique: When you think about this notion of trying to drive a new security model, what do you think the implications are going to be in the future as these folks get into the workforce?

Joe: Well, like you said, we’re seeing much more integrated experiences across devices, we’re seeing a lot more mobile. One of the guys on my team has a great interview question for new candidates. When people show up and sit down, he asks: “Use this whiteboard and draw the Internet for me”. And people respond to that question very differently. As a technical information security professional, you would draw the Internet very differently than I would as someone with a legal background. But if you take a digital immigrant and ask them to draw the Internet, it’s very different than a digital native. I wonder if in 20 years we’ll even use the term “Internet”, because we’ll be so connected all the time. So we’re seeing this dramatic evolution in definitions and expectations, and we’ve got to figure out how do we secure that identity as it moves from the mobile device to your Bluetooth in your car, to your office in a single stream of interaction.

Enrique: Makes sense. Now, before I let you go, you told me a great story the other day. You and I were talking about a local elementary school who had tried to control the whole school from being able to use chat and collaborate online; and you told me how the fourth-graders got around it.

Joe: Sure. This is a neat story. There’s a school district that thought: “We’ve got to keep these fourth-graders away from having a private chat that we’re not supervising or moderating”. Well, the kids were using a collaborative document tool, and it turns out that the default on the document tool is that there’s chat inside the document. So the kids were creating a doc called “Conversation”, and then they would all go home, and they were sitting at their computers at home telling their parents: “Yeah, I’m working on my research report”. But they were all inside the same doc having a conversation, sponsored by their school district.

Enrique: I think it really brings home the point that we’re talking about, which is: the way they work – we can’t stop it. It’s going to drive real change. You’ve given us some great examples of how this next generation thinks, and we need to figure out how to collaborate and work with them. So, fantastic, Joe, thank you very much. Ladies and gentlemen, Joe Sullivan, thank you!

Lockdown approach

So, as you just heard from Joe, the workplace is going to continue to change, and we need to find a way to protect identities, information and the interactions between the two of them. And we all know that there is potentially one simple approach we call “lockdown”, locking sites and blocking ports, and saying: “no personal devices”, “no mobiles allowed”. Some companies have certainly tried to go this way. But there’s a couple of big problems with this lockdown approach. First is, it slows down creativity and problem solving; your employees today are trying to use these great resources to generate solutions; they have vast networks and resources that they can use to find answers. So this notion of the lockdown environment closes off lots of these great resources. I believe that the next generation workplace will need to be wired for social, because your employees will be more productive in what we’re calling the social enterprise. We have to make sure that we take advantage of their unique perspective and make sure that we provide the tools to enable further collaboration.

The second problem with lockdown is that it’s not fault-proof. People are finding workarounds today. Your employees are storing company files in places like Dropbox because it’s quicker and easier; or they’re consulting Twitter to figure out how to solve a business problem.

One comment

  1. Samrin says:

    Please Mr Joe Sullivan help me because one guy bothered me in Facebook and he made face Facebook with my name and with my picture.
