Monday, November 23, 2009

The Last Person on Earth who Should Own a Social Media Policy

I read a blog post by "CIO in Training" Anjuan Simmons that tries to make the case for the CIO to own the corporate social media policy. It's been a while since I have so vehemently disagreed with something I read online. All I can hear in my head is John McEnroe screaming "You can't possibly be serious!"

Simmons makes his case with three arguments:
  • The CIO Holds the Keys to the Kingdom
  • The CIO is the Best Monitor
  • The CIO can play Angel's Advocate
Let's take a look at each of those and why I think the CIO is the wrong owner of the social media policy.

The CIO Holds the Keys to the Kingdom
This is the same argument we used as kids. Why do I get to make the rules during the neighborhood game of football? Because it's my ball, that's why. Simmons argues thusly:
If an employee accidently unleashes a virus onto the corporate network by using Facebook at work, who do you think will be contacted to resolve the problem? It won't be PR or marketing.
If the virus impacts systems that touch customers or the public does Simmons really think that the CIO will be doing the press conference? Or writing talking points for managers? Or responding to calls from reporters? The CEO won't be asking the CIO what the key message should be. With this logic, imagine all the company's janitor will be in charge of since he unclogs the toilet.

Let's remember, it was the IT geniuses at Amazon who created a system for the company's Kindle product that allowed anyone to photocopy a book, upload it and sell it to people. When the owners of George Orwell's copyrights for 1984 objected to a blatant infringement on their rights, Amazon deleted the offending books from people's Kindle devices without notifying them. Funny, but I didn't see the CIO anywhere near that crisis.

The CIO is the Best Monitor
This is really a derivative of Simmons "my toys, my rules" argument. He writes:
Since most of that content is done on corporate networks, CIOs have access to tools (many of which are probably already in place) to track social media behavior.
Personal use of social media while at work is one part of a social media policy. How the company will use social media to listen to, talk with, connect to, collaborate with and energize employees, customers, stakeholders, investors are critical parts of the policy about which Simmons is silent.

Again, just because you have the tools, doesn't mean you get to make the rules.

The CIO can Play Angel's Advocate
What Simmons argues here is that the CIO can be the grand arbiter of the binary choice of outright ban on social media use or social media free-for-all.
Instead of knee jerk reactions, CIOs can come up with structured yet flexible policy guidelines that allow employees to enjoy the fun of social meda while protecting the company's strategic assets.
So, the computer geeks (or head computer geek, in this case) get to determine how much "fun" I can have at work with social media? This is nowhere NEAR the point of a social media policy. The point of a corporate social media policy is to set the strategy that aligns social media use so that the company can reach its goals. Goals like sell more stuff or deliver better service.

So, who should own the corporate social media policy? My vote is for the head of the PR or Communications function. Great social media use comes from great content and communicators are content creators. The CIO may the Lord of the Hardware, but great content comes not from hardware, but from people.

If the CIO doesn't like that, they can pack up their TCP/IP and go home.

Bill Salvin


  1. I began reading this post preparing to hate it. Afterall, I am a CIO that developed my organization's social media poilcy (and posted it on my blog). But, your logic is sound. The social media policy is not about the technology.

    That isn't to say that CIO's should not own the policy. IT should be somebody that actually understands social media. Often that is not the CIO, but it can be. This CIO had a blog long before most heard the term. I started using twitter long before it was popular. I have spent a long time understnading where the world is going now that facebook is this hyper-personalized persistent feed connecting the majority of Americans.

    These are my credentials, not that I employ the guy that configures the web filtering software.

  2. Communicators are content creators? Are you kidding me? So, the person reading the teleprompter on my local new wrote those stories?

    PR, is not the content creator. They are the content homoginizer. Afterall, someone shouldn't communicate directly to a customer. They might actually say something.

    People turn to social media for genuine communications from genuine people. The people that have the information that they seek. Social media should be a safe harbor from corporate branding messages. People want specific messages from real people, not the corporate voice.

    A good soical media policy doesn't establish the PR department as the sole users of social media. It turns all of the employees into online representatives of the organization (warts and all) to answer customer questions about services that PR does not understand.

    So, now that I have fired back I propose a truce. In my organization the social media policy was developed by a team including PR (whom I love), me (the CIO), HR and other people passionate about the topic. The goal of the policy was to give employees guidelines so they don't embarass themselves or malign the organization.

  3. Candidcio-Thanks for your comment. It sounds as though you came to your social media policy from the right place... that it's not just about the technology. It could be the CIO is the most appropriate person to be the policy owner... as long as they understand that it's more than the hardware. And that they understand that the technological risks posed by social media are not the show-stoppers they are often made out to be. And yes, it does help that you own the web filtering software.

    Thanks for reading. I really appreciate you taking the time to comment.

    Bill Salvin

  4. Will-I appreciate your response. What you describe sounds to me how things should be... a team effort with each member contributing their expertise in a passionate way toward a common goal. PR never should be the sole users of social media, I agree with that completely.

    One of the challenges companies face (from my experience) is a CIO outlining the eight ways the company could be harmed (technologically) by social media instead of focusing their efforts on the one way that will solve the eight problems and lead to success.
    From your post it sounds like you're the kind of CIO that gets what social media can do for the organization and how each department can contribute.

    So now, a truce... works for me. More time to move the social media ball down the field.

    I appreciate your thoughts and for taking the time to read.

    Bill Salvin

  5. Reading the commentary from this blog made me feel better. I am a CIO in public schools and the challenge I see is getting out of the "head-geek" profile. The very point of the CIO is to bridge across the organization, not be the IT top dog. From the first days when the CIO executive position was proposed by Synott and Gruber (1981), this has been a difficult concept. My role is not to be the IT manager with a fancy name. My job is to be the member of the executive team that knows IT AND the rest of the organization's mission to facilitate effective technology use in every phase of the game. And as such, it does make sense for me to assume the responsibility for the social networking policy... no other executive on the cabinet has the skills to deal with it.

    Where I think the problem lies here is "ownership." You obviously wrote this with the feeling that IT owns your technology, not you. I think of this as the "tenant" model of IT where the IT department controls your technology and the CIO is the landlord... nobody likes the landlord.

    I seek an ownership model in my district where people feel like they own the technology and the IT department is the service provider. So, following that line of thinking, every teacher in my district has the override credentials for the Internet filter. Every school has open wifi that will service any IP device that comes in the door so Principals can decide if they want to buy some extra tech on their own. And every high school welcomes student-owned technology like laptops, iPods and Smartphones so kids don't have to disconnect when they come to school.

    The effective CIO must break free of the geek profile. My job isn't about TCP/IP and it's not about "users"

    It's about people.

  6. Dan-Thanks for taking the time to comment. What I like about your description about technology in schools is that it comes from an enabling point of view. You do things to make it easy for people to use the technology on their terms.

    Sadly, this isn't the case with a lot of CIOs and their minions at large organizations. I do feel that IT feels it owns the technology because they are the ones always telling people "no". If I can't customize my work space including putting 3rd party apps onto my machine (Like TweetDeck, etc) then I don't own the technology. I have a several clients whose default position is "we'll never get that thru IT." In those cases, IT will find itself protecting an asset of diminishing value.

    The people with whom you work are lucky you have the views you do because I bet you make their jobs easier. Thanks again for reading and for the comment.

  7. As I've read through social media policies for news organizations, nonprofits, public companies and government institutions, I'm always struck by how different industries and stakeholders react.

    Now that I'm in DC, I'm watching federal agencies work through who, where, why and how to communicate. In each case, when CIOs are involved, a strong business case for social media used is required, along with an risk assessment for that engagement.

    You write that that the dangers aren't the showstoppers they're made out to be. I'm not so sure. Security is the Achilles Heel of Web 2.0. Collaboration tools behind the firewall are one thing. Web applications that provide a vector for malware and phishing are another.

    As I read through your post, Bill, I hear your communications DNA loud and clear here. As an editor, I have a great deal of empathy for that perspective. I want to be able to use the best tools that help me do my job with a minimum amount of friction. And I genuinely do find I can collaborate better with many distributed colleagues across my organization than I did, says, in 1999 with email, IM & a static intranet.

    There's another two parties who should be involved in forming that social media policy: compliance officers and security officers, assuming the executives have decided that the latter are a critical business asset.

    When accounts are hacked or a data breach occurs, the CEO will be looking for accountability, with respect to whether the risk for using a give platform securely was addressed and balanced with potential business gains. As I understand the CIO's role - and Dan articulates this well above - it's to leverage technology to accomplish business goals.

    If the organization's bottom line improves by allowing unfettered access to Facebook and Twitter to every employee -- think Zappos -- off to the races. What about a hospital, law or accounting firm or consultancy? What about a financial firm, where records management rules apply, or a brokerage, where FINRA matters?

    This is not to say that social media could not be employed in each use case, but that it would probably make sense to incorporate its use into existing data management and security policies. That, in turn, probably means involving a CIO, since storage, networking and compliance are his budget items.

    Should the CIO *own* the social media policy? I'm not sure. But I do know that he or she is likely to be held accountable for any increased risk to the business if something goes awry.

  8. Alexander-Great comment...I appreciate you adding to the discussion. I particularly like your point about different organizations approaching social media in different ways. That is as it should be. Since every company is unique, the social media policy has to be tailored to fit.

    I'm in complete agreement with making sure all the people who have a hand in bringing the social media policy to life have to participate from day one.

    As for security being the show stopper, I'm still in the camp that these aren't showstoppers, just problems to overcome. I wonder what the expectation of the CIO (and the CEO) when it comes to social media. How much risk is acceptable?

    There's a whole bit of employee training that has to go on. People make the content, people make the hardware work right and people will be ones that misuse or hack into the system.

    Not sure any system will be foolproof since we still seem to be on humans 1.0. Thanks again for reading and for joining in.

  9. Bill, I think we're all missing the point here. The "owner" of any policy is the CEO. For Social Media, the CEO is the owner, the CIO is the enabler, the PR/PA people are the coaches, teachers, mentors to those employees who decide to engage in the social media sphere, as well as the scouts, surveyors, trail-blazers looking for opportunities and discussions about the company and its products. It is a community enterprise, is it not?

  10. Jack-Very well put. Social Media is a community enterprise. The organizations that collaborate best on non-social media endeavors are the organizations that will do best in Social Media. Thanks for reading.

  11. Bill

    Your post is such an inspiration! As the head of internal communications for one of the biggest companies in Switzerland me and my folks had to fight against the head of e-media and the IT dept. The IT guys eventually agreed to introduce social media for internal use under protest. But during the first year they tried to charge everyone who wanted to run a blog $6000 per year for this (technically extremely challenging...) service. They thought they could kill internal dialogue before it would even take off. Too bad they did not succeed with their tactics. Symmetrical two-way communication via the intranet plays now an important role in shaping corporate culture. And yes, the $6000 bills have all been waived.

  12. Pascal-Thank you so much for taking the time to read and for your gracious comment. I'm thrilled that you were able to find success with your social media efforts despite road blocks put in your way. Good for you.

  13. After many years of bad experiences working with obstinate IT people, I'm inclined to agree with you, Bill. For example, when I was writing and designing publications for a large metropolitan hospital system, the IT department "investigated" me and reported to HR that they'd found pornographic photos on my computer. Those photos -- clearly labeled in files -- were for a bilingual brochure on breastfeeding, that had been requested by the head of Obstetrics. (Thank God I wasn't working on any projects for Gynecology or Urology!)
    Time and again, I've encountered techies who understand hardware and software, but don't have a clue about company goals, and can't communicate with people. Many don't even want to communicate, and prefer to remain holed up behind locked doors in a "secure" environment. They can't even tell a co-worker how to fix a simple computer problem without regurgitating a stream of confusing IT jargon.
    As a corporate communications director, I NEED a good IT partner to handle the technical aspects of our social media policy. But we should work together. Just as I would not presume to understand how to do his job, he (or the CEO) shouldn't assume that, because he knows how to use a keyboard, he can "do PR." It takes both of us to create, implement, and maintain a successful social media strategy. Neither one should "own" it.

  14. I didn't realize that such a great conversation had been started from my article. Of course, I agree with many of the people who raised points that supported my article.

    Bill, I think you "so vehemently disagreed" due to either bad experiences you've had with CIOs or based on stereotypes. A truly effective CIO operates as both the owner of a company's technology strategy and liaison to the business. They do not simply try to lock out new technologies like social media. On the contrary, they should look for ways to use social media to support the organization's business strategy.

    I do admit that there are many CIOs that do not fit this model, and I can see why you would be concerned about social media falling into their hands. However, I wrote the article on the assumption that the CIO was an effective one. That, unfortunately, is not the case across the board.

  15. Anjuan-
    Thank you so much for writing your original post and for commenting here. This is a great discussion to have.

    All the best,