In April 2009, employees of a Domino's Pizza store
posted videos on YouTube of staff performing offensive and possibly
illegal actions with ingredients and implements used in the
preparation of pizzas and other foods, write
Andrew Walls, research director, and
Brian Prentice, research vice president, at
Gartner.
Although Domino's Pizza did not initially characterise the
negative impact as very large, the organisation monitored the
popularity of the videos on YouTube, which exceeded 1 million
viewings within 24 hours.
Approximately 48 hours after the videos were posted, the CEO of
Domino's Pizza released a video on YouTube condemning the actions
of the staff in the video and assuring the public of its commitment
to safeguarding customer well-being. The employees involved in the
videos were fired and faced criminal charges.
The lesson is that corporate reputation and confidentiality are
being affected by public social software environments. Reputation
monitoring typically falls to marketing and PR teams. However,
responding to damaging content can require capabilities in internal
and external security investigations that are rarely found in these
teams.
In many organisations, the required investigative support
processes are already available through a defined computer
emergency response team (CERT) or computer security incident
response team (CSIRT) function. Security teams should leverage the
investment in CERT processes and engage with the PR departments to
develop relationships and procedures to escalate investigations
without impeding the responsiveness and flexibility of the
reputation management process. This approach avoids duplication of
effort and enhances the consistency of investigations.
Three crucial measures
Often, investigations are not automatically escalated when
critical event criteria are met. Preparation, planning and
co-ordination are required to ensure the security team can provide
appropriate support to the PR/marketing team when that support is
required. There are three critical steps in developing close
co-ordination between PR and security:
First, develop relationships. Security is sometimes perceived as
an obstacle to business innovation. The security team must seek out
and build positive relationships with the staff that use social
media monitors. Although this process can be kicked off through a
formal meeting, effective relationships require frequent, informal
interaction.
Second, determine the scope of monitoring. Various individuals
and teams within the business may be managing formal and informal
monitoring tools and services. The spread of social media use means
that any employee, customer or friendly stranger can be a source of
alerts concerning the corporate reputation. Ideally, the security
team stays aware of the principal users of monitors within the
company and relies on the PR organisation to collect, collate,
analyse and escalate the disparate inputs from staff, service
providers and the public.
Third, redefine processes. Modern communication teams have
formal processes to manage PR opportunities and threats. In some
cases, social-software-related issues will be easily accommodated
in these systems. However, where new relationships and monitor
dynamics are identified, they must be embedded into revised
communication processes. If you are using, or intend to acquire, an
incident or case management system for security investigations,
then provide PR, marketing and other social media monitors with
access to the software to facilitate communication concerning the
escalation of incidents.
The optimal approach to social media monitoring and incident
response combines the efforts and capabilities of the PR, HR and
information security teams.
Gartner analysts will explore information security issues at the
Gartner
Information Security Summit 2009, 21-22 September at the Royal
Lancaster hotel, London.