In April 2009, employees of a Domino's Pizza store posted videos on YouTube of staff performing offensive and possibly illegal actions with ingredients and implements used in the preparation of pizzas and other foods, write Andrew Walls, research director, and Brian Prentice, research vice president, at Gartner.
Although Domino's Pizza did not initially characterise the negative impact as very large, the organisation monitored the popularity of the videos on YouTube, which exceeded 1 million viewings within 24 hours.
Approximately 48 hours after the videos were posted, the CEO of Domino's Pizza released a video on YouTube condemning the actions of the staff in the videos and assuring the public of the company's commitment to safeguarding customer well-being. The employees involved in the videos were fired and faced criminal charges.
The lesson is that corporate reputation and confidentiality are being affected by public social software environments. Reputation monitoring typically falls to marketing and PR teams. However, responding to damaging content can require capabilities in internal and external security investigations that are rarely found in these teams.
In many organisations, the required investigative support processes are already available through a defined computer emergency response team (CERT) or computer security incident response team (CSIRT) function. Security teams should leverage the investment in CERT processes and engage with the PR departments to develop relationships and procedures to escalate investigations without impeding the responsiveness and flexibility of the reputation management process. This approach avoids duplication of effort and enhances the consistency of investigations.
Three crucial measures
Often, investigations are not automatically escalated when critical event criteria are met. Preparation, planning and co-ordination are required to ensure the security team can provide appropriate support to the PR/marketing team when that support is required. There are three critical steps in developing close co-ordination between PR and security:
First, develop relationships. Security is sometimes perceived as an obstacle to business innovation. The security team must seek out and build positive relationships with the staff who use social media monitors. Although this process can be kicked off through a formal meeting, effective relationships require frequent, informal interaction.
Second, determine the scope of monitoring. Various individuals and teams within the business may be managing formal and informal monitoring tools and services. The spread of social media use means that any employee, customer or friendly stranger can be a source of alerts concerning the corporate reputation. Ideally, the security team stays aware of the principal users of monitors within the company and relies on the PR organisation to collect, collate, analyse and escalate the disparate inputs from staff, service providers and the public.
Third, redefine processes. Modern communication teams have formal processes to manage PR opportunities and threats. In some cases, social-software-related issues will be easily accommodated in these systems. However, where new relationships and monitor dynamics are identified, they must be embedded into revised communication processes. If you are using, or intend to acquire, an incident or case management system for security investigations, then provide PR, marketing and other social media monitors with access to the software to facilitate communication concerning the escalation of incidents.
The optimal approach to managing social media monitoring and incident response combines the efforts and capabilities of the PR, HR and information security teams.
Gartner analysts will explore information security issues at the Gartner Information Security Summit 2009, 21-22 September at the Royal Lancaster hotel, London.