On August 1, Facebook’s chief security officer (CSO), Alex Stamos, posted that he’s leaving on August 17. “We are not naming a new CSO,” emailed company spokesperson Andrew Flick. Instead, Flick continues, “We embedded our security engineers, analysts, investigators and other specialists in our product and engineering teams.” In other words, in less than two weeks, no central point person will own security. “The senior leaders of those teams will be responsible for keeping Facebook and people’s information secure,” he explains.
Unlike other industries, where companies with similar products face the same security issues, social media doesn’t really have any data protection best guidelines. For starters, the industry is too small. According to Pew Research Center, only eight platforms are used by at least 20 percent of the country. Even they don’t work with the same types of data: YouTube and Facebook top the list, and while Facebook streams videos, the two collect and store radically different files and information.
“The spread of risk and concern and extremes inside of social media varies significantly,” according to Michael Coates, a former Twitter chief information security officer (CISO) who left in April. “The requirements and expectations that could be on a Twitter or a Facebook would differ greatly from a Pinterest or a Snapchat,” he says.
That’s why when you ask Coates’ opinion on Facebook’s recent decision to get rid of its chief security officer role, he’s hesitant to judge: “We can’t conjecture on what specifically is happening at Facebook,” he says, but adds he’s always concerned to see companies “move from a structure that has a centralized security leader to a distributive model.”
Facebook security: What is at risk
That’s exactly what Facebook has done. “When you move from a structure that has a centralized security leader to a distributive model,” Coates says, there’s a long list of risks. For starters, he explains, “If security is what you do when you have free time, nobody does it; nobody has time.” Then it’s tough to even identify security risks or to get leadership to agree on how to prioritize them against new product features. Finally there’s the security theater of it all.
“There’s definitely a PR perspective of it,” Coates says. Depending on the source, in 2014 and 2015, Facebook either breached or sold user data to British firm Cambridge Analytica, where Russia accessed it to rig the United States’ presidential election, an action CEO Mark Zuckerberg apologized to Congress for on April 11.
On June 5, the company faced data nightmares again, with the New York Times revealing Facebook sold user information to a Chinese firm flagged by U.S. intelligence. Then on August 6, the Wall Street Journal reported that Facebook asked banks for users’ credit card transactions and account balances — an allegation Facebook staunchly denies.
Is this really the best time to eliminate the CSO position?
A seat at the table
As sister publication CIO has reported, not every company needs a CSO. “It’s not a person who needs a seat at the table,” Simple Tire CIO CJ Das said at a CSO event, “The topic needs a seat at the table.” Indeed, Flick says, “We expect to be judged on what we do to protect people’s security, not whether we have someone with a certain title.”
Pinterest and Tumblr don’t have CSOs. Neither they nor Twitter responded to our requests for interview, but Coates says Twitter filled his opening with an interim security leader immediately after he left, announcing plans to hire permanently.
“The creation — and I guess I would say appointment of any leadership role,” Coates notes, “also tells a story to the public, intentional or otherwise. In some regards, a chief security officer is also a central point to inspire confidence that this is something where they’re putting a senior role at the table to tackle this issue.”
That’s why, he says, New York State mandates all financial institutions have a CSO. “Because there is a challenge in security when the work is distributed amongst teams without a central owner, you can lose some of that experience and central visibility that a security organization brings to the table,” Coates explains, “A commitment to a high placed individual shows the company has kind of matured to that level and is thinking of it that way.”
“This is not to say by any means that Facebook is not mature,” he quickly adds. “But those are some of the things that people associate with the presence of a chief security officer.”
Is the traditional CISO role a good fit for social media?
In the end, the decision to do away with the role is Facebook’s. The company is an independent business, after all — not a recognized utility or a federally regulated bank. Some of the problems it’s having might not fit under a traditional security role anyway: Whether Facebook willingly sold data or not, there’s a difference between a sale and a breach. Is it security’s job to police business deals or to make sure users are real?
Normally, no — but by the nature of the beast, social media might be an exception. Coates says, “Given the sample size, it’s hard to say, because there’s only a handful of companies in this space and the security organizational structure at companies varies dramatically across even companies within the same industry.” Depending on each platform’s business structure, he adds, “it’s not uncommon for something like fake news or bots to be within an engineering team.”
“There are traditional elements that we associate with the role, such as IT security and — more these days — application and product security,” but account takeover security, anti-bot considerations, and fake news are relatively new problems, he explains, so “there is no playbook on where they go and it very much depends on how the company wants to tackle it.” Some CSOs, he continues, even oversee “elements of physical security — executive protection, building security, physical perimeter control.” At Facebook, though, those priorities aren’t going anywhere, as chief global security officer Nick Lovrien says, “There are no changes to my role, responsibilities or organizational structure.”
“There are no hard and fast rules between a CISO and a CSO,” Coates says. “The CSO is really a function of what the business wants it to be.” At Facebook, that’s apparently non-existent.