Social Media Policy

Do companies need Social Media Policies?

I’ve wondered at times why the company I work for doesn’t have a policy specific to social media. In the absence of such a policy, I chose to make sure my blog follows other corporate rules. Additionally, for any rants related to work, I either make them generic or make sure the opinion wouldn’t be a surprise were management to read it.

While I’m not ultra-paranoid about security, I have tried (unsuccessfully) to keep my full name disassociated from this blog. Some might worry that an attacker researching the company could discover what we use for antivirus, firewall, IDS, etc.

What is the goal of the social media policy?   The goal of some social media policies seems to be to keep people from using social media.   I just can’t agree with this.   If I were blogging with full name and company name, it would help grow my personal brand, and that benefits the company.  

Many of the policies that people say should be in a social media policy should already be in other policies.  

“You shouldn’t be speaking on behalf of the company.” This is already in policy. The only change for social media is to designate that you are not an official company contact; where you are an official contact, that needs to be noted as well.

“You shouldn’t be tweeting/blogging/facebooking about that confidential contract.” Hey, no kidding. That should already be covered in policy and doesn’t really need to be in a redundant policy.

Michael Hyatt has some good points in his post about why your company doesn’t need a social media policy.   Shouldn’t companies be encouraging the use of social media?    Check that out and the comments there for some deeper discussion.

Where I work, I’ve seen a couple of drafts of a new social media policy. I’m not happy. It must be similar to the first draft Michael Hyatt received from his lawyers. There are two things that I find particularly galling. There is a prohibition on recommending any current or former employees on a social media site. I’m not entirely sure what problem they are trying to solve. For many today, social media is a primary vehicle for the job search. If you don’t have a searchable brand, then you don’t exist. This is like saying don’t buy resume card stock. There isn’t a policy I am aware of forbidding me from recommending a co-worker. I believe management is restricted to reporting time of service.

The second potential policy change is more problematic for this blog. Before blogging about any vendor, I need management to get the approval of that vendor. So if Symantec releases an update and hoses my machines, I can’t warn people about that update without getting approval. I don’t think they’ve thought this through. Can I at least complain about the cafeteria provider Eurest without getting approval?

Hopefully this gets fixed, because otherwise, to stay in compliance with this policy, I will have to sell the blog to my friend Raul. Ignore any similar posting style between Raul’s Infosec Blog and my own posts.