100 Brains: Security's Christofer Hoff speaks out about social media and online safety
Q. Tell me about how you got started in social, from blogging to using Twitter and other social networks. What made you want to more broadly engage with the security community?
A. I started blogging when I was a CISO in 2003 in an attempt to try and share some of the innovative things my team and I were doing and solicit feedback from others who would otherwise I would not be able to reach. To be frank, a lot of the motivation came from a selfish need to quickly gather feedback on technology or approaches to things we were experimenting with. Much of my initial blogging was also an extension of older school forums and mailing lists that evolved into more community-focused efforts.
I have never been one to shy away from contention, provocative topics or back down (which is not the same thing as changing my mind!) because someone else blogs or tweets "louder." Further, while others treat online personas as sacred cows, I'll engage with anyone and I don't say anything online I wouldn't say to someone's face. This, combined with a rather warped sense of humor, the ability to rhyme and the lucky timing of coming up at the same time as our industry's biggest "rock stars," thrust me into some interesting situations.
I was further inspired in terms of community outreach and expanding my use of social media by Alan Shimel. He urged me to step up my blogging as a way of inspiring discussion, debate and dialogue in the security community.
In terms of other social elements such as Twitter and Facebook, they are more like extensions of my personal self; I keep my blog more clinical and career-related whilst Twitter is a smorgasbord where anything goes. A big, non-stop, hysterical smorgasbord. Don't tell anyone, but I actually maintain about 10 different twitter identities and about 5-6 blogs. Some of them are quite visible, others not.
Q. You've mentioned that Twitter had a role in your joining the #58 Fortune 500 company. Tell me about how this happened and how social relates to your daily activities at work.
A. I decided to leave my security strategy job and put up a blog post announcing that I was for hire. Since I wasn't particularly busy as I was enjoying some time off, I stepped up the effort on Twitter. I got a tsunami of responses and ultimately got a tweet and then a call from one of my followers. He became my boss. The funny part is that I was a thorn in the side of many of the companies who offered me employment. Being honest, opinionated, steadfast, technically-solid and a reasonably good guesser using these platforms caused quite a shock when I discovered who -- and at what level -- people were reading my blog and following my rambles. I don't take for granted the reach a tweet or blog might have. Sometimes that's a good thing, sometimes not.
In terms of how Twitter and my blog are related to my daily job, it's part instant messenger, part pulpit, part PA system, part outreach and generally "social." I don't use either to really "talk" about my direct employer, but rather those things that I am focusing on and how that affects the industry in general. I also don't shy away from relaying what I feel in the terms I feel most appropriate for expression.
One funny job-related issue occurred when my CTO (@padmasree), who has over 1 million followers, jokingly tweeted that she was concerned because I hadn't tweeted in three hours. The @'s and retweets that flooded my Tweetdeck caused it to crash constantly. Sometimes too much is too much.
Q. Beyond your day job, you've been using social to promote your HacKid conference. Please tell me about this conference, what it means to you, and how social is playing a part.
A. When I came up with the idea for HacKid it was a bit of an experiment. What better way to fast fail than to use twitter to crowd source an off-the cuff reaction to an idea? That's what I did. When the feedback came back immediately positive -- and in such numbers -- I used it to organize volunteers, solicit sponsors and advertise. In conjunction with the HacKid web presence, I used Twitter almost exclusively for advertising. It was a fantastic success and now we're looking to figure out how we're going to replicate and scale it to the other 10+ locations that are being suggested. You can follow @HacKidCon for more information.
Q. What do you think is the most important part of the online security community? In other words, do you think the community has yet been able to accomplish what it could?
A. The most important part of the online community is the ability to give a voice to those who might otherwise not have one -- especially those operators who are heads-down and not exposed to mainstream press, the conference circuit or others in their field. What's missing? A way of more concretely binding the virtual/social network with those in "real" realm. Being good human beings is still a priority in my book. Being there for people in real life, shaking their hands, grabbing a beer or sitting down to actually talk -- all very important things. Social media doesn't -- and shouldn't -- replace those things.
Q. What do you think is the biggest mistake that less-than-savvy internet users make?
A. Trusting in the fact that someone else -- or some technology -- will save them and that the impact a seemingly innocent but bad decision will reap no outcome for which they have no accountability.
Q. Those who know you online and offline know that you are a dedicated father. How do you feel about kids joining social networks, and what additional safety measures would you like social networks to take?
A. I have three young girls. In one way or another, they are all online; from GMail to Facebook to Webkinz. I think it's important to educate them, help guide them and be there for them when they have questions. They need to know that if they feel something is odd they can approach me and I will give them my perspective and guidance. In my opinion it's better for them to gain experience with assistance before they leave the nest. Go ahead, ask my 6 year old to share her passwords...I dare you.
Providing kids with good education and helping them understand what they should do if something goes wrong -- without retribution -- is extremely important.
In terms of safety measures the providers can take? It's a slippery slope. We're dealing with a generational issue where over-sharing is normal and collaboration and uncensored expression is not the exception, it's the rule. Balancing civil liberties, freedom of expression, and community/networking along with the need to keep kids safe, not exposed to inappropriate materials and people and allow them to control their privacy is a difficult proposition for providers. This isn't an attempt to make excuses for poor practices on the part of providers, but we've helped create this monster -- they take a mile for every inch we're willing to Tweet about. When we push back, they respond.
Q. Do you think it's possible to provide enough education so that users make smarter online decisions, or is it the usual case of security that it's not convenient so people prefer to be oblivious?
A. Yes, but that doesn't obviate risk and won't stop people from being owned. Further, accountability is an issue. When nothing particularly bad happens, behavior doesn't change. It's not about being oblivious, either. We've all just become numb so much of what we preach as "common sense" simply gets in the way of usability and becomes white noise in the background.
Education only goes so far, but when accountability is missing, education gives way to utility and people make bad decisions. My Latin is very rusty, but I'd make a T-Shirt that says "Security is painful. Trust is delicate. Compromise is inevitable." Yes, I know I'm full of sunshine, rainbows and unicorns...
Q. You're also active in Brazilian Jiu-Jitsu. Have you used social at all to raise awareness of this sport, or even help local athletes?
A. Constantly. There is an enormous community in BJJ and MMA, especially in the security community. My friend (and fellow blogger/Tweep) Jeremiah Grossman and I are known for our love of those sports. We use Twitter/blogging to organize grappling sessions at various security conferences when we are in town together and we generally look to help promote local fighters and venues when we can. We're also known to provide realtime commentary during UFC MMA matches, much to the chagrin of others.
Speaking of Jeremiah, it was his blogging about BJJ that got me into the art.
Q. Finally, if there's one thing you'd like ZDNet readers to know about you, your passions, your initiatives, what would it be?
A. There are so many things I'm passionate about and so many things I'm involved in at all levels. The one thing I'd suggest best sums up my answer to your question is that
I think it's incredibly important to be passionate about SOMETHING and share your love of that thing with others. Sharing means giving back, it means communicating, it means outreach -- and not just online, either.
