Does Facebook even need a CSO?

On August 1, Facebook’s chief security officer (CSO), Alex Stamos, posted that he’s leaving on August 17. “We are not naming a new CSO,” emailed company spokesperson Andrew Flick. Instead, Flick continues, “We embedded our security engineers, analysts, investigators and other specialists in our product and engineering teams.” In other words, in less than two weeks, no central point person will own security. “The senior leaders of those teams will be responsible for keeping Facebook and people’s information secure,” he explains.

Unlike other industries, where companies with similar products face the same security issues, social media doesn’t really have any best-practice guidelines for data protection. For starters, the industry is too small. According to Pew Research Center, only eight platforms are used by at least 20 percent of the country. Even those don’t work with the same types of data: YouTube and Facebook top the list, and while Facebook streams videos, the two collect and store radically different files and information.

“The spread of risk and concern and extremes inside of social media varies significantly,” according to Michael Coates, a former Twitter chief information security officer (CISO) who left in April. “The requirements and expectations that could be on a Twitter or a Facebook would differ greatly from a Pinterest or a Snapchat,” he says.

That’s why when you ask Coates’ opinion on Facebook’s recent decision to get rid of its chief security officer role, he’s hesitant to judge: “We can’t conjecture on what specifically is happening at Facebook,” he says, but adds he’s always concerned to see companies “move from a structure that has a centralized security leader to a distributive model.”