Posts Tagged Web filtering

FINRA 11-39: Applause, Missing Pieces, and Users

In the week that “retweeted” was officially added to the Oxford English Dictionary, after only two years of use, FINRA beats the retweet and issues new guidelines on social media, just 18 months after 10-06 hit our doorsteps, and “So, what do you read into 11-39?” is the question on the tip of everyone’s tongue.

As expected, a few points are clarified; the latest guidance has become more prescriptive in some areas and less so in others.  (Puzzled looks abound, I’m sure.)  If you’d rather hear more about this than continue reading, please join me on a webinar Wednesday, August 31st at 10am EST and I’ll explain.

I’ll start with the missing pieces of 11-39

What’s missing is the specific reference to individual social networking sites (I bet that’s not what you were expecting).  And for this, I applaud FINRA.  Examples were given in 10-06 – Facebook was mentioned twice (OK, three times if you look at the endnotes), Twitter four times, and LinkedIn just the once.   Interesting that, in the conversations I’ve had with wealth management firms and wire houses, it’s LinkedIn that is the network of choice.

Why my applause though?  Good job, FINRA, I say, because you’ve recognized that this world moves very quickly.  Three months ago, YouTube was the fastest growing social network.  Then it was Google+.  And now, as Google+’s new member growth falls by 30% a day to 700,000, we’re not sure anymore.  That said, LinkedIn has added 20 million new profiles since its IPO in May and now boasts 120 million profiles.  Equally, since January 1, 2011, we’ve tracked 938 changes across Facebook, LinkedIn, and Twitter (yes, really!).

Good job, FINRA, because you’ve recognized that loyalty in our social world is somewhat limited.  And, that just because Facebook, LinkedIn, and Twitter are today’s Holy Trinity of social, it doesn’t necessarily mean that they will be tomorrow.

What else is good?

It’s also good to see clarification on business versus personal commentary. This reinforces what we’ve been saying for some time, that “the regulator is interested in the communications related to the business and when the individual is representing the business.” The advice we have been giving since January 2010 is NOT to go against the Facebook rules (for instance) and set up two profiles, but to take advantage of Facebook giving you the ability to set up a profile for personal use and a page for professional use. Contrary to a lot of public opinion, you CAN do this: as a businessperson, you can set up a specific page for your business use (drop me a note if you want step-by-step instructions).  The SEC itself has stated that the content of an electronic communication determines whether it should be preserved, just like the FSA out of the UK does.  It doesn’t matter about the modality.

I do believe that, as an industry, we are perhaps being somewhat short-sighted by thinking that you can absolutely separate  personal from business communications in the social world.  I think the lines will continue to blur (increasingly so) as we become more accustomed to social.  I do believe we’ll see more guidance on this as time goes on.

What else is new? 

A proposed social media site must be approved in the “form in which it will be launched.”  FINRA is talking here about the launch of new social media sites.  So, if you’re launching a new design, a new Twitter feed, for instance, then the graphics that you’re using, the imagery, and the actual site – the “wireframes” in design parlance – need to be part of the approvals process.  Third Party Data Feeds are referenced also.  FINRA reminds us that the firm is responsible for checking the proficiency of the vendor of the data and its ability to provide accurate data – and it must regularly review for red flags.

Don’t Delete!

In reaction perhaps to the number of new companies popping up purporting to control and manage social media, FINRA specifically calls out technology that automatically erases or deletes content, stating that this precludes the ability of the firm to retain the communications in compliance with its obligations under SEA Rule 17a-4. Yet further into the 11-39 guidelines, FINRA details more about the deletion of inappropriate third-party content.

It’s clear that a record of communications that doesn’t contain the full record is no record at all.  However, I do hold to the fact that some content simply has to be deleted.  I can’t control the 750 million other Facebook users out there (heck, I can’t even control what my little brother says on Facebook), and not all of those users have the same filtering mechanism that I have when it comes to content.  I’ve deleted some friends and banned others because their language would offend my Mother, who to me, is my ultimate Facebook controller.  In a corporate environment, I certainly don’t want the Actiance brand associated with profanity, racism, or a host of other comments, that we automatically delete through the use of our Urban Dictionary.

But we do record the fact that they were made.  We also record the fact that they were deleted.  We also record what the page looks like before and after the delete.  Belt and braces.  It might not be on the social network anymore, but it’s in the archive.

Mobile IS mainstream, and network barriers have crumbled.

And, it’s clear to see that the growth of mobile is having an impact; 250 million of the 750 million active Facebook users use the site through a mobile device – and on mobile, they’re twice as active.  It’s clear that firms are concerned about mobile, rightly so, but equally, that FINRA is being sensible about how firms operate and how they do business.  And, not all of us use devices that are firm-owned to post content and collaborate on social networks.  That’s the way the world is changing.  It’s one of the biggest challenges of today’s CIO:  the personally owned device (whatever that might be – iPhone, BlackBerry, Droid, iPad, Tablet, Netbook).  FINRA reminds us that it’s the communications, not the device, that is important.

The Users, the pesky Users…

FINRA gives an even bigger call-out about training and education.  Human beings, I’m convinced, were put on earth to create chaos.  And in a social world, we can do this very quickly and very easily.  (I should at this point, before our CEO, @Kambwani, sees this, reference that this quote is mine and mine alone.)  But equally, you don’t just give 20,000 financial advisors access to LinkedIn and expect that they know what to do.  In a lot of instances, there is a generational gap; injecting social into the DNA of individuals doesn’t happen overnight.  FINRA is dead right in saying that training is important, that certification is important.  And that means regular training, not just a one-off, because people forget when they’re on a social network.  They forget who they’re connected to, and who might see their content.

We are, after all, as human beings, ultimately fallible.  And we have technology in every other area of our business lives to protect us: anti-spam and security in the email world to stop us sending our bank account details to Nigeria or our intimate personal details to hackers, Web filtering in the Web world to stop us playing online poker all day, and maybe even Actiance to limit our usage of Farmville to a mere 30 minutes a day.  In other words, we use technology to protect us against technology.  And it goes without saying that we use technology to protect us from malware infection (our very own @jaeho9kim wrote about this recently right here on this blog), from ourselves, and from malicious intent.

I think I’ve rattled on quite long enough now, so I’ll leave you with this final set of questions.  Did 11-39 answer your questions?  Did it raise more?  What do you think it didn’t cover?  Tune in next week for our webinar – and for thoughts that I’ve gathered recently, when I got together with 60 Financial Services Marketing, Compliance, and IT professionals and asked them what they thought FINRA should issue in terms of guidance.


NCIS vs. The Network

Recently, Chief of Naval Operations, Admiral Gary Roughead commented that the Navy is ‘irreversibly’ committed to engaging in social media.  Junior officers are now maintaining their own blogs and Facebook pages to form online communities and to communicate on behalf of the department.

Adm. Roughead is clearly a realist and knows that blocking social media altogether is not only a wasted opportunity but also an entirely futile effort.

The epic rise and adoption of Facebook, Twitter, and other social networks and their integration into mobile computing, BlackBerry, or I mean, smartphone (we don’t get paid a royalty for every time we mention a particular ‘fruit’, by the way) makes connecting with friends and loved ones super easy, regardless of timezone or war zone.

Of course, the trouble with social networks is that you are essentially communicating on an unsecured line.  Social networks, by their very nature of encircling you with your twenty closest friends and 200 nearest acquaintances, enable oversharing.  Who’s to judge what is sensitive information?

Across the pond, the United Kingdom’s Ministry of Defence is taking this threat so seriously that it has debuted slick videos with an educational message – that spilling the beans on the likes of Twitter and Facebook could land you and your dearest in a situation that only Jack Bauer could appreciate.

If you think sifting through the copious amounts of real-time chatter generated by hundreds of thousands of military personnel via social media channels seems more stressful than sitting through an episode of “24,” then happily, I’m glad to say this challenge can be met by the technology available to us today.  Bauer, you can stand down now.



Keep It Simple, Stupid

We’ve all heard this saying before and it’s easy to get lost in the bewildering array of communications channels available to us. There’s the usual email, instant messaging networks (Yahoo!, Google Talk), peer-to-peer networks (Skype), enterprise IM applications (IBM Sametime, Microsoft Lync/OCS), and social networks (Facebook, Twitter). And these are just the big boys. There are literally thousands of IM, P2P, and social networks, in addition to those listed above.

To give you an idea of the bevy of tools out there, the US Department of Agriculture (USDA) uses over 21 different email systems, but they’ve recently decided to award Microsoft a contract to provide cloud-based email, Web conferencing, IM, and collaboration solutions. Similarly, the US General Services Administration (GSA) awarded an email contract to Google. What this goes to show is that messaging in large organizations (in this case, it’s the government) is starting to move to the cloud as companies look for ways to streamline their messaging systems, improve efficiency, and cut costs.

What with all these communications options available to end users, it’s all too common for folks to use Facebook, Yahoo!, or Skype while they’re at work on company-issued computers. Oftentimes, individuals use a combination of Web 2.0 (think Facebook or Skype) and enterprise (think Microsoft Communicator or Cisco Jabber) applications. The problem with doing so is that it opens up new vectors for malware to invade the corporate network. In other words, there are far more avenues for evil to infiltrate the corporate network these days than ever before.

Thankfully, platforms like Actiance Vantage make it easier to manage the proliferation of communications tools within the enterprise. From blocking virus attacks to managing file transfers to logging and archiving of all IM activities, Vantage provides end-to-end security and compliance coverage for an organization’s unified communications.

We can all learn a lesson from the government contracts cited above. Long ridiculed for being the poster child of bureaucracy and antiquated computer systems, it must be saying something to have two large agencies moving their communications applications to the cloud. Looks like the US government has taken heed of that old KISS principle after all.


Why China’s Web Filtering Plan Won’t Work

As you’ve no doubt already heard, China recently announced plans mandating that all new computers sold in that country – including imported PCs – be delivered with pre-installed and pre-configured Web filtering technology beginning July 1, 2009.

 

China’s foreign ministry spokesman defends the software, branded Green Dam-Youth Escort, claiming it’s “aimed at blocking and filtering some unhealthy content, including pornography and violence” in an effort to protect children.

 

Putting aside the obvious discussions of censorship versus freedom of information, there’s a fatal flaw in China’s plan. Maybe we shouldn’t tell them this, but Web filtering software alone doesn’t block people from visiting Web sites and/or accessing Web applications.

 

Surprised? While the Internet used to be primarily about transmitting and accessing fairly static information via HTTP, FTP and e-mail, it’s now dominated by Web 2.0 applications such as instant messaging, P2P, VoIP and social networking sites. Savvy Internet users already use tools like anonymizers to mask their browsing habits. Real-time communications and Web 2.0 applications are highly evasive, specifically designed to get around Web filtering, firewalls and other traditional security solutions using a variety of techniques like port crawling, tunneling, onion routing, etc. After all, their goal is to grow their communities and ensure users have the full experience.

 

From what I’ve read, neither China nor the media has considered or addressed this. I’m certainly not in favor of China blocking access — yes, FaceTime helps organizations control employee Web browsing and use of Web 2.0 applications, where visiting certain sites or using certain applications may be inappropriate in the workplace, put the company at risk or impact productivity — but the Web sites you choose to visit and applications you use at home are for you to decide and parents to control.

 

The backlash over China’s censorship plans is widespread, including nearly 20 trade groups representing technology companies calling on the Chinese government to reconsider the mandate, contending that it “raises significant questions of security, privacy, system reliability, the free flow of information and user choice.” There’s also the California company that claims the mandated Internet filtering software contains stolen programming code. Other articles say the Chinese government has already backed down, retreating on its controversial new web filtering plan, saying the software can be uninstalled or switched off.

 

It’s not clear yet how all of this will play out, but you have to ask, if China’s mandate won’t be effective, why do it at all?


Peace, love and free URL filtering



Every self-respecting marketing person would dress up like a hippie for the sake of a marketing promotion, right? Well, Sarah Carter and I would, anyway.

 

You see, here at FaceTime, we’re all about peace, love and free URL filtering. Okay, yes, it’s a promotion we’ve been running for the past couple of months, but we really do feel the love when it comes to helping our customers manage their budgets by eliminating URL filtering renewal fees. Rumor has it there will be a group of protesters at the RSA Conference next week speaking out against those fees so be sure to stop by the FaceTime booth #2339 and check it out. And don’t forget to wear your tie dye.

 

Seriously, all this commotion and protesting, but we really don’t have anything against URL filtering. Everyone needs URL filtering, it’s just that it’s not enough when it comes to managing the New Internet. A much more granular level of application control is required when it comes to securing and managing Web 2.0 including social networking, multimedia, virtual worlds, VoIP … and the list goes on.

 

So we’ve been having a lot of fun with our No URL Filtering Fees promotion in our Larissa and Sarah Show episodes. NetworkWorld even called our YouTube videos quirky. We’ll take that as a compliment.

 

Peace out. 

 


Finding the Application Needle in the Traffic Haystack

It seems as soon as a new technology is adopted into mainstream business, a whole host of support technologies soon follow to fill in the gaps and solve the new issues that are created. Consider the enormity of the anti-virus market that was created after the ILoveYou Virus hit in 2000, and the addition of URL filtering to enterprise IT’s checklist of “must-haves” following the adoption of the Web browser.

 

The good news is that browser-based traffic is now monitored and managed in most organizations. So, what’s the next new technology? Always one step ahead, employees have turned to other real-time applications including social networking platforms, IM, peer-to-peer file sharing, Web 2.0 VoIP and conferencing applications. And the next new technology solution? Application filtering.

 

This week, FaceTime announced that we’ll begin licensing our application inspection and classification technology, called ACE (Application Control Engine), to other network security vendors. This same technology is at the core of our Unified Security Gateway product, detecting and classifying more than 1,400 Web 2.0 and real-time communications applications and more than 50,000 social networking widgets – a number that grows daily.

 

This is the new frontier for Web security, as Sarah Perez points out in her analysis of how Web applications fly under IT’s radar,

 

“… when users become their own I.T. department, they’re unknowingly introducing inherent risks into the previously hardened network infrastructure. Just because a web app is easy to operate, that doesn’t make it safe and secure for enterprise use. As users upload and share sensitive files through these unapproved backchannels or have business-related conversations through web-based IM chatrooms, they might not only be putting their company’s data at risk, they could also be breaking various compliance laws as well.”

 

Sarah’s analysis is spot on. She goes on to point out that

 

“If FaceTime’s ACE or other similar technologies become a mainstay in the enterprise I.T. toolkit, the explosion of Web 2.0 for business use, a trend typically called Enterprise 2.0, may be dealt quite a blow. The only Enterprise 2.0 apps that will succeed given that scenario will be the ones that worked with the I.T. admins from the very beginning to assure them of their safety. The apps reliant on a slew of the company’s rule-breaking users for adoption, however, will be out of luck. Perhaps being sneaky may not have been a great business model after all.”

 

From our conversations with IT managers and through our annual study of usage trends, end user attitudes and IT impact, it’s clear that the number of unsanctioned applications on enterprise networks is exploding because the nature of the workforce is changing. In fact, one in three employees say they feel they have the right to download whatever applications they need to do their jobs, regardless of policy. And interestingly, one in three IT respondents believe that written policies are ineffective methods for controlling end-user downloading of applications.

 

Given not only the sheer number of Web 2.0 applications but their obvious increased rate of adoption in business, I believe we’ll eventually see application filtering become standard, and most likely even more important than URL filtering is today.


What does Tom Brady have to do with employee productivity?


At the beginning of the season, Tom Brady was a top fantasy football league (FFL) draft pick. The guy can move his team downfield and put up points for an FFL team. But this all came to an “oh-my-god-you’ve-got-to-be-kidding” stop on Sunday when he went down with a year-ending knee injury in the first regular season game.  

 

Now what?  For millions of FFL managers the season is in jeopardy – not to mention serious bragging rights. Next step? Join the conversation and start thinking about a replacement for your QB position – even if it means doing it during “work hours.”

 

And, this is precisely why you should care – not you the football fan, but you the IT fan. Your employees are in the conversation.  Some are less concerned about their jobs and much more interested in solving their QB problem, and they’re using Web 2.0 tools to do it.

 

As I said a few months back in a post about March Madness, scenarios like this occur in organizations every day. And when employers block or put limits on what their employees can do, does it really solve the problem? For example, being overly aggressive with Web filtering controls can drive employees to install anonymizers designed to circumvent URL filtering. 

 

An estimated 19 million people in North America play fantasy football according to the Fantasy Sports Trade Association.  In the past 48 hours, more than 2500 Twitter messages (or “tweets”) were sent out regarding Tom Brady and his injury. In the same 48-hour period, nearly 800 individual blog posts were made referencing Tom Brady. Facebook has 225 fantasy sports applications available to its subscribers and over 500 groups alone for fantasy sports. There are countless others available on sports sites, Yahoo and other Web properties.

 

A recent study referenced by NBCSports suggested that fantasy football could result in as much as $500 million of lost productivity per week.  I think we’d all agree that employees are capable of wasting time in several ways.  Talking on the phone to friends and smoke breaks are two that come to mind, so I’m not suggesting that if you lock down fantasy sports you’ve solved your productivity issues.

 

In my opinion, online fantasy sports don’t cost American businesses a dime. In today’s work environment, some amount of personal, online activity is acceptable. However, IT professionals need to maintain visibility so they can make decisions about what should be controlled and to what level it should be controlled. 

 

Is it time for HR to call an audible? After all, it’s not just a network or security issue any more. It’s a business issue and an employee morale issue – and I wonder if HR may have to help re-write the playbook?


What exactly are “work hours?”

At 3 pm today, I was in my office working on my expense reports. A colleague here at FaceTime popped his head in and said “you do your expense reports during work hours?”

 

What exactly are work hours?

 

For professional workers, there is no such thing any more. That’s pretty clear to me, as I get ready to post this around 9 pm. Joe McKendrick over at the FastForward blog thinks so too.  The lines between work and personal life continue to blur. Expense reports, employee reviews, press releases, product plans… they all need to get done, and it doesn’t really matter when you work on them. My guess is that if employers started saying “your work hours are 8 to 5” there would be a lot less work accomplished. No one at FaceTime would ever attempt to define my work hours, for this very reason.

 



In contrast, though, my neighbor told me recently that the NCAA Web site was blocked by his employer during March Madness – so he called in sick on a Thursday to watch a day of college basketball from home since he couldn’t get to it while at work.

 

Scenarios like this play out in companies all over the world every day. And when employers block or put limits on what their employees can do, does it really solve the problem?  Or create a bigger one?

 

We’ve seen time and time again that users will continue to do what they need and want to do.  Take something as simple as setting email size restrictions – users will find a workaround, either using their personal Web mail or a file transfer via IM. Are you better off with that outcome?

 

According to Wordtracker, over the last 100 days there were a little over 20 Google/Web searches related to “block facebook.”  Presumably a combination of IT Managers, parents and educators are looking for information about how to restrict access to social networking. 

 

But contrast that with the 359 searches by users looking to “unblock facebook.”  In total, more than 10,000 searches were made in the same period related to unblocking websites, social networking sites, using anonymizers, proxies and other related searches. 

 

We’re always socializing. We’re always working.  And users will always look for the workaround when they are cut off from either.

 
