July 26, 2008

I don’t know how you spend your weekends, but I seem to need to use the downtime to clean up my email folders. While going through the many security email newsletters I subscribe to, an ad for some sort of blocking device caught my eye with a fairly bold statement:

See how new technology can block Facebook and MySpace once and for all!

There is something vaguely “English as a second language” about the ad, but no matter. What got my attention about this claim was the notion that this message might actually appeal to information security professionals with money who don’t reside in the People’s Republic of China. Is this really a compelling product feature in 2008, or did I stumble upon an industry wannabe who is going to fail miserably?

My career went on the information security offramp some time around 1993. My primary profession as a network architect, helping enterprises integrate their computer networks with mainframes, minicomputers and now the Internet, took a fateful turn. The excitement of being on the Internet quickly turned into the terror of being on same. The IT departments that hired me to install 3270 gateways now were asking me to install firewalls to tame this beast. We had a lot of fun in those early days, but one customer in particular stood out. My main point of contact was an IT administrator with an IQ of about 200. He asked me to set up the firewall with all rules disabled, reasoning that people would let him know what they needed the Internet for and he would best be able to implement a rule set with a “deny all except that which is explicitly permitted” design. Funny enough, people did let him know, to the point that he almost firewalled himself out of a job. As it turned out, this company had some visionaries that were betting the business on the Internet, and taking a few risks was not out of the question.

Which brings me back to 2008. I have an outpost on a few of the popular social networks out there. I am far from a power user; some of my friends certainly have more interesting lives and keep their profiles filled with cool stuff, although many of them seem to Twitter which airport they are in way too much. My kids were early adopters and still use them, but are mostly bored of them and are on to other things. But I get it. I see the power of the serendipitous discoveries, mobilizing the masses and how talented people can leverage social networks for fun, profit and even altruistic causes. Even I have used a social network to conduct real, useful business. I would wager in your business that the top 10% of your employees use social networks more than the bottom 10%. So, are information security professionals really spending their days trying to block Facebook? I really hope not; the risks a social network poses to your business are probably a lot less than the risk of ostracizing the top 10% of your workers. I think even the horror stories of the exploitation of children through social networks are likely way overblown, strictly from a numbers perspective.

The Web 2.0 technology popular social networks use is complex, and does in fact create a target-rich environment for hackers to attack networks. However, the proper formulation of our security strategy should be to make social networking safer and more effective, so an organization can increase its innovation and productivity. That’s risk management. Or, we can marginalize ourselves and party like it’s 1993.

By Jim.Reavis • Articles, Firewall 2.0, Future Forecast
