Working my way through the issues specific to physical security professionals, of course I ran across big-picture organizational issues that should be addressed. For instance, how do you handle staff members in the organization you're protecting who violate INFOSEC rules?
I always assumed INFOSEC concerns would be addressed through the "usual" channels, but it's becoming more clear there's a problem.
Even organizations with robust INFOSEC policies and practices can have trouble when a new avenue pops up that doesn't follow the traditional information paths. The beauty of social networking is how effectively it cuts through tradition - but by doing so, it leaves behind the safeguards designed to secure sensitive info. Having that robust INFOSEC policy in place isn't enough anymore; it's the organizations with robust INFOSEC people that are keeping up in this game.
So, like many things in this field, the situation has pros and cons. The con, of course, is sensitive information being spread out to the world by staff members who don't think before they tweet/update/etc. The pro is, hopefully, a return to support for giving security groups the resources to mold and maintain INFOSEC rather than just audit it.
How well does your organization communicate with staff (or whoever) about INFOSEC on social networking platforms? This could be something that can easily be covered by expanding current programs - or it could need much more.



