Facebook As Biggest Security Threat

Yes, I know: "another Network World article", you say. Yes, because lately they have been calling trends fairly accurately. Read on.
The article outlines a Sophos survey of businesses that ranks Facebook as the biggest social-networking threat (named by 60% of those surveyed) simply because it has become the biggest social network, followed by MySpace at 18% and Twitter at 17%. I tend to agree with that reasoning, but I think the threat is limited on a couple of levels. In more tightly controlled environments, such as the financial industry, we have seen much broader deployment of Websense, which keeps employees off such sites either through category filtering or through an outright white list that blocks everything not explicitly approved. So the 60% of businesses naming Facebook are probably not aware that a filtering appliance or a properly configured proxy server "almost completely" eliminates this threat, which is the scarier finding. I won't get into how most CIOs are warmed-over MBAs and aloof.
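The difference between the two proxy approaches mentioned above (category filtering of known sites versus a white list that denies by default) is easiest to see on a handful of URLs. The following is an added example, not code from the original post or from any filtering product; the host names, the "business" allow list, and the sample URLs are constructed for illustration.

```python
"""Added example: block-list versus allow-list URL filtering, as a proxy
or filtering appliance would decide it. All lists and sample URLs below
are constructed for illustration, not taken from any real deployment."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed block-list: the three networks named in the survey.
SOCIAL_BLOCKLIST = {"facebook.com", "myspace.com", "twitter.com"}

# Constructed allow-list for a locked-down desktop: business sites only,
# everything else is denied by default.
BUSINESS_ALLOWLIST = {"intranet.example", "bloomberg.com", "sec.gov"}


def host_matches(host: str, domains: set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Matching is done on label boundaries, so 'facebook.com.attacker.example'
    is NOT treated as facebook.com and 'notfacebook.com' is NOT matched
    by 'facebook.com'. A naive substring check gets both of these wrong.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def blocklist_decision(url: str) -> str:
    """Category filtering: deny only what is on the list, allow the rest."""
    host = urlsplit(url).hostname or ""
    return "deny" if host_matches(host, SOCIAL_BLOCKLIST) else "allow"


def allowlist_decision(url: str) -> str:
    """White list: allow only what is on the list, deny the rest."""
    host = urlsplit(url).hostname or ""
    return "allow" if host_matches(host, BUSINESS_ALLOWLIST) else "deny"


# Constructed sample requests.
SAMPLE_URLS = [
    "http://www.facebook.com/home.php",            # denied by both
    "https://m.facebook.com/",                     # subdomain: denied by both
    "http://fb.me/abc",                            # short link: slips past the block-list
    "http://apps.facebook.com.attacker.example/",  # look-alike host: not on the block-list
    "http://intranet.example/timesheet",           # allowed by both
    "https://www.sec.gov/edgar",                   # allowed by both
    "http://some-new-social-site.example/",        # unknown site: block-list allows, allow-list denies
]


def compare(urls: list[str] = SAMPLE_URLS) -> dict[str, tuple[str, str]]:
    """Map each URL to (block-list decision, allow-list decision)."""
    return {u: (blocklist_decision(u), allowlist_decision(u)) for u in urls}


if __name__ == "__main__":
    for url, (block, allow) in compare().items():
        print(f"block-list: {block:5}  allow-list: {allow:5}  {url}")
```

The block-list keeps employees off the three named sites but passes the short-link domain, the look-alike host and any network that did not exist when the list was written; the allow-list denies all of them without knowing they exist, which is why a white-listing proxy comes so much closer to eliminating the threat than category filtering does.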
The article's next point concerns the new privacy settings within Facebook, which it suggests will lead users to share more information because the site now feels more secure as a web application. Yes and no. Yes, because I can see Joe the End User moving to Facebook, keeping the default settings, and boasting about his move to a more secure social site. But no, because I think Facebook, and the Facebook community in general, did a good job of communicating the security and privacy changes.
Not that the paper-pushers are going to disappear, since we will always need policies and guidelines, but the future of security will rest on three fundamental skills: the ability to monitor and analyze the health of your environment (log analysis, metrics, and overall analytics), the ability to prevent bad configuration and bad code from reaching production (configuration management and code review), and the ability to train end users and keep them informed. On the last point I give Facebook credit for how it handled its most recent security and privacy change.
The state of code review and configuration management in IT and development organizations is almost depressing every time I review this area. I cannot count how many times I have seen a sign-off on a code release knowing full well that the person signing knows nothing about the program or the code, much less its potential impact on the surrounding systems.
