Don’t allow it, don’t worry, it’s a fad that will soon go away . . . . NOT!

I admit it.  I was one of the security professionals that stuck my head in the sand.

As I take great pride in not sticking my head in the sand, I have to wonder which part of my exposed body stood out most to Generation Y people who quietly smiled inside when I would say “don’t allow it, don’t worry, it’s a fad that will soon go away.”

Just last night I spent about forty-five minutes of a two-hour talk on the subject of Facebook.  While driving home from the occasion, I reflected on the history of Social Media in community banking and felt maybe I should use this as an opportunity to update Dan’s New Leaf.

Facebook was launched in 2004, and by the time my daughter Dani went to college in 2007, every new student at Indiana University was signing up for Facebook as part of their orientation.   As nervous parents watching our daughter grow up, I didn’t think much about Facebook then.  I figured it was just a fad.

But within a couple of months I had a Facebook account, only because my demands for Dani to send us pictures regularly (after all, we bought her a shiny new digital camera for her graduation present) were met with “how about I post them on Facebook.”  Being one who didn’t like tying up e-mail with heavy attachments, I enjoyed the ability to download pictures from Dani’s college experience.  I always remember my first wall post, which went something like “the only reason I’m here is so I can get pictures from Dani’s college experience.”

I’m not writing about this to brag that hey, I was on Facebook way back in 2007.  Instead, I’m writing to say that even though I had the ABILITY to see the power of Facebook, my ATTITUDE still caused a standard reaction when clients would ask about it:  “Don’t allow it, don’t worry, it’s a fad that will soon go away.”  Unfortunately I held that position until 2009, when I realized not only is social media NOT going away, but the risks to banks aren’t as much in their own Facebook sites, which can be controlled, but moreover the risk is in the way bank employees use their own social media tools WHILE AT HOME.

And even that belief was wrong.  At least in 2007, social media use was predominantly still at home.  But by 2009 the use of social media became a mobile thing-to-do with our shiny new smart phones.  This compounded the risk even more, as bank employees could now tweet their disgruntlement with that last rude customer, in real time, from the teller line.

I look back now and wonder why I didn’t see this coming.  By 2008 I had signed up for LinkedIn and created the Infotex page primarily because my geek friends and clients were demanding that I do so.  At first I would send a message back saying “I’m not really into social networking, do I have to?”  But when the people inviting me to be their connection on LinkedIn were my clients, I could no longer resist.

And as a LinkedIn user, I saw the risks right there.  I saw people being endorsed by middle managers from the same bank that fired them.  I connected to a head-hunter who then went after my own employees.  I saw the ability for us to leverage social media in our own pretext calling on Clients.  All this is why I started saying “don’t allow it, don’t worry, it’s a fad that will soon go away.”  I wrote an article for a trade magazine (that will go unnamed in 2008.)  The magazine was interested at first, but when I raised issues about people using LinkedIn at work to network and find jobs somewhere else, the publisher understandably got cold feet, worrying that the article would be too controversial.   The words of the publisher (I just dug out the email to confirm) were “this article could put us in an awkward position with our readership.”

In 2009 I audited a bank that had a Facebook page and though I was relishing the opportunity to slam them with a list of deficiencies they had actually done a GREAT job of leveraging the technology.  They made the page exude their community-ness.  They used Youtube to show you how to perform various tasks in their on-line banking account.    They had even taken our customer awareness training PowerPoint to the next level, and offered security tips to their customers via social media.

I did a complete 180.

At least I admitted my short-sighted stupidity.  And at least I have a stellar team that can turn on a dime like me.  We set up two infotex twitter accounts (vigilize and infotexnow), our infotex Facebook page, our my.infotex.com blog (which is where this article originates), etc.  We created a “design probe social media kit” and had an attorney review the templates and boilerplates in it.  From that process we published our Social Media Policy Set and have received many kudos and accolades because of it.  We even created a guidelines document for management team members, which is now in the policy set, as well as a tools page that will help you find decent social media management tools. Though we were late to recognize the power of Social Media, so was most of the other professionals in our field, and we were at least quick to act once we pulled our head out of the sand.

But that was still 2009.

It wasn’t until 2010 that the usage of Social Media EXPLODED.  In 2010 Facebook became phenomena not only for young people, but also for grandparents and adults like me.  In 2010, my Facebook visits went from maybe one per month to one per week to one per day to where it is now, which is about half as often as I check email.

We all know the benefits of Facebook.  We can keep up with our family and friends without having to spend a lot of time doing it.

And interestingly, clients who said to leave Social Media out of my user-level Security Awareness Training in early 2010 are asking me to focus on it just a year later.  Where in March 2010 I would typically dedicate about five minutes of my talk to the dangers of social media, now my presentations include around 45 minutes of slides about checking privacy settings on social media, the Kevin Bacon game and why friends-of-friends is really public, and why you would probably get fired if you yelled something negative about the bank in a crowded restaurant.

Banks are now using social media . . . . primarily Facebook for now . . . as an excellent marketing tool to build loyalty, solve customer problems, advertise events, brand themselves, teach customers how to change their ATM pin, provide customer awareness training, and just have a regular good time.  Bank employees are cautioned not to advertise loan rates by answering simple questions, to refrain from putting anything about the bank that you wouldn’t put in a normal resume, and remember that anything they post on their own accounts could get them in trouble with the bank.

So I admitted it.  I got it off my chest.  I’m not proud of my stance on social media, but I’m past it as well.   And as far as downloading pictures of Dani’s college experience?  Why bother, when I can always log onto Facebook to see them!

And as I plod through time as an Information Systems Auditor, I now wonder what other new technologies are resulting in: “Don’t allow it, don’t worry about it, it’s a fad that will soon go away?”

————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”