What Bluesky and Twitter use tells us about cybersecurity people (spoiler: nothing great)
I will begin by sharing another excellent Teen Vogue article offering advice for young people who are worried about the political landscape.
Then I will ask us to consider where similar advice is coming from in the cybersecurity education space, and indeed if we even have ENOUGH people who WANT to offer it. Have we shared similar information at work, so that coworkers worried about themselves or loved ones can prepare for... whatever... is coming down the line? Or is that too “political” and we'd better stick to phishing?
I ask the challenging question as I have been more disappointed in cybersecurity people than any other sector over the past two years or more. Why? Because their continued use of Twitter, refusal to prioritise digital literacy over phishing, etc. has potentially had an impact on public education. I am not suggesting everything could be different, but I am asking us to question if we could have done more? As the people who are PAID to think about risk, threat and digital harm.
I am not advocating for a mass move to another social media app. I do think that Bluesky is a nicer user experience, and there is plenty of journalism around that already. My concern always has been that we continue to make social media public infrastructure. And the Twitter issue shows how badly that can go.
Your source of truth should be your website. I am passionate about this for public sector organisations such as weather, or education or power or libraries. Nike or Starbucks can do fun meme content on social media and increase sales or create a good brand image. Or not. But they still drive people to the website or app for sales.
I work with a lot of schools who are struggling to build community and trust with families as they can’t get the coveted “engagement” via newsletter, socials or emails. And part of this, in my opinion, is due to the overuse of social media. In telling parents/carers to “follow us on insta/facebook/twitter” you drive them NOT to your trusted website, but to splinter groups, fake groups and many people end up a long way from the intended page. Hearing gossip, mis- and disinformation. As an example, I have parents in my own circle who have no idea what day school starts or what to bring for events, because they rely entirely on the unofficial Facebook group, not the school website. That’s anecdotal, but it is a truth seen in listening sessions I have run for schools.
Cybersecurity people had an opportunity years ago, when Musk took over, to help organisations move away from socials. To help people look for truth in the way they used to use a book or speak to an expert. Instead, people kept posting there, often spreading mis- and disinformation themselves, instead of showing they had discernment and could evaluate sources.
Twitter became more and more toxic, brand posts showed up between adult content and racist images. But we celebrated infosec newsletters that were promoted on Twitter, big accounts on cybersecurity paying for subscriptions or doing “Lives”. All these interactions, monetised or not, clearly helping Musk and nation state actors to make money. It was truly bemusing to see people say they were anti-Putin, or say they were “natsec experts” while actively supporting an app used for disinformation. All for what? Clicks and likes?
The move to Bluesky isn’t ethical for them, it is simply because they as attention-seeking grifters can get the likes and shares that they crave again. Most aren’t even abandoning Twitter, they remain posting there to “fight”. Even though history shows many of us who know them, that they won’t fight any discrimination or harm, they will laugh and go along with it. Because they don’t care about securing anything or anyone. Just attention and money. Which is exactly how hate content makes money: clicks, ad revenue etc. An advert only needs someone to watch it for 2-4 seconds to “count” for monetisation. Think on that. Starving hate of attention does work. That is the appeal of Bluesky for now as the established user experience is to block and not engage. We will see if this continues, but again, we can exist without social media. Please don’t make it your single source of truth or income.
My point is that cybersecurity and the entire GRC function should have been instrumental over the last few years in moving brands and comms infrastructure OFF of ANY social media. Socials can be huge fun, but they aren’t used by everyone and when things go bad, they can be used very efficiently for harm. It is best not to direct the public consistently to any source of information that requires an account and that is owned by a private interest. This is basic risk surely?
The move of U.K. organisations from Twitter following the summer unrest shows how reactive the approach is. How many cybersecurity teams, complaining of never being heard or given budget, lost a golden opportunity to show insight by not flagging Twitter as a risk in 2022? Or even early 2023? If you want credibility, you have to scan the horizon, not ring the bell because an iceberg is suddenly there.
The worst part is that the move off Twitter has been led by Marketing and Comms teams, not Cyber or Risk teams. Explain that one to me. It is just incredible that so few people in a risk and threat function did not recognise Twitter as a risk. And it was VERY clear, after all the events of 2016 and 2021, that social media would be used again for harm.
In conclusion, I am sad that we have focussed so much on phish smish vish, and continued to enable a toxic app, instead of doing critical work on digital literacy. Now the work is also digital self defence. And not just in the USA. What a mess. Did it have to be like this and what can we do now, locally, to mitigate? Let us think on that and do more so that we don’t let anyone down. And maybe we could stop giving opportunities to people just because of social media following? Some of the best people are not posting anywhere, they are quietly doing the work. Support that as a culture. That’s your security culture.