Damon Cortesi's blog

Musings of an entrepreneur.

Dear Twitter, Please Hire a CSO


Dear Twitter, I urge you to please hire a CSO. A Chief Security Officer. Somebody to lead the charge and organize a security team around what is arguably one of the biggest things to happen to social media in the past 10 years. A security team to balance the risk of being completely open with our lives, happily geo-tagging our way to a billion-dollar valuation of Twitter.com. A security team to realize that we are quickly losing any privacy we have had by opting in to the great and amazing features that you’re releasing on a daily, if not weekly, basis. A security team to protect us from our own poor choices.

There’s a story on TechCrunch that Twitter was hacked tonight by the Iranian Cyber Army. Regardless of whether this is true or not, Twitter desperately needs an individual in their organization to guide them on security as they carve the path in both social media and the openness and revealing of privacy on the web. From spam to meter-precision geo-location, you are failing in this respect.

Over the course of the past year, I’ve alerted Twitter to a number of different security incidents. From cross-site scripting to server misconfigurations to a simple heads-up about other security issues I’ve seen randomly crop up. The problem is, the same issues continue to crop up on a regular basis. Sadly, for a company with $150 million dollars invested at a $1 billion valuation and over 100 employees, they have no Chief Security Officer. And I’m not even sure they have dedicated security engineers. Just rockstar developers.

To Ev Williams, CEO of Twitter. And Dick Costolo, COO of Twitter. I beg of you. Make the investment in security before it’s too late. Twitter needs to be aware and proactive about security if it is to continue in the way that you dream of. Security is not something that can be solved as easily as bringing in a firm to do a two-week assessment and calling it good. It’s a culture that has to be built from the inside that permeates not only to those responsible for systems and code, but also to those that are simply part of the company in any way, shape or fashion.

While no organization is ever completely secure, it is critical at your stage that you start building security from within the organization, instead of having it beat upon you from painful experiences. This is a lesson that it took Microsoft many years and millions of dollars to learn and one that you (Twitter) should proactively attack.

Please. I understand you’re building some awesome business intelligence and some advertising that we’re just really going to love. But realize that you are changing the way we share data on the Internet. And not only do you need to be the leader in social media and openness, you need to be the leader in social media privacy and security.