Security Culture: TikTok CISO says this trend is here to stay
Infosec Inspire talks to some of the big guns of our industry to reveal many important aspects of cybersecurity that we can all benefit from. Infosec recently spoke with the global chief security officer of ByteDance and TikTok, Roland Cloutier; Roland has a long and distinguished career working in information security and risk management. Throughout the discussion, Roland gave us an insight into a critical aspect of modern cybersecurity, building a culture of security.
With the phased inclusion of the Cybersecurity Maturity Model Certification (CMMC) program into government tenders by 2026, Roland's insights into security education and awareness can help SME contractors to meet the five levels of CMMC compliance. TikTok is one of the most popular social media platforms for dances, comedy skits, and even security culture.
Should you pay the ransom?
What makes security tick at TikTok?
Roland was brought into TikTok as an information security expert to build the company's security program. As one of the most scalable technologies and fastest-growing companies globally, this was an essential task. TikTok is only three years old yet supports over one billion active monthly users (MAUs). The mass, cross-country use of the platform requires an "always-on" view of security and privacy risk.
The security ecosystem that TikTok operates is vast, including users across many countries, a large partner ecosystem and business associates in privacy and legal, product delivery, media, etc. This massive endeavor means that the security process must be streamlined and highly efficient. This calls for a new approach, scaling defenses and creating specialist hubs of excellence in security.
Roland works on the scaling of the defenses of TikTok and calls upon the services of experts to review tasks and validate these defenses. The company currently has around 250 open positions to fill in this area, giving an insight into the vast remit of TikTok's security mission.
TikTok is creating an alignment with their trust and safety hubs by creating regional hubs and fusion centers in the US, Europe, and Asia. They are also integrated with the centers of excellence of practitioners in 19 different disciplines across the globe.
Building TikTok's culture of security
"Security is everybody's responsibility" — Roland Cloutier, TikTok CSO
Infosec asked Roland about the culture of security that is now an inherent aspect of life at TikTok. He told us that at TikTok, everyone is intrinsically connected to the practice of security "it doesn't matter if you're in content development, creator management, or security, everybody in TikTok is involved in maintaining a secure environment, our employees truly are our first line of defense".
Roland told Infosec that to create and maintain a culture of security, the mission message must be simple, "they (employees) are here to protect the last sunniest corner of the internet (as TikTok has become known as)." Roland and his team train employees to understand how to achieve this. In doing so, this imbues a sense of security into every action; the result is a culture of security.
How TikTok educates TikTok employees in security
TikTok is unique as it can use its video games internally to educate employees on cyber security. Roland told Infosec that "we use TikTok videos and TikTok tips videos internally about cyber security to be cyber smart ."TikTok's internal training videos are part of a wider emphasis on consistent education in the company. TikTok uses the concept of 'command groups' that come together to form a larger command group. These groups are augmented with external specialists that help train internal groups.
In October, TikTok used these videos as part of its internal security awareness program during cybersecurity awareness month. Roland explained that "TikTok has a cool series called Mission Possible" that is designed specifically to train employees around security awareness topics. Mission Possible uses practitioners and specialists to design security-specific exercises that educate employees; one example is the security feud competition that pits employees against each other to help people understand the complexities of social engineering.
A continuous program of security awareness
"TikTok uses the adage, if you see something, say something." — Roland Cloutier, TikTok CSO
Providing avenues of communication between employees and security are essential to ensure a continued culture of security and protection.
Providing easy access to experts and security personnel ensures that TikTok's people remain committed to security. Roland told Infosec that "people are the foundation of our organization." "Security needs more than cyber security experts within the global security organization. Security needs security expertise intrinsic to the business".
To achieve this Roland and his team at TikTok share their expertise beyond their areas to ensure that security knowledge is part of everyday life at the organization. As Roland states, "I think everybody benefits from a more secure business, and a more secure platform, it creates a more secure world. So, I think the more we do in this education training and openness and transparency into our world; it helps everyone."
How TikTok educates its user base on security matters
"We're giving them (end users) new tools in-product to protect their accounts. And we're also giving training.” — Roland Cloutier, TikTok CSO
The one billion MAU's on the TikTok platform places the company in an influential position regarding end-user security education. Roland told us that "TikTok has a responsibility, as the people who use TikTok entrust their data to us. We take that duty extremely seriously, so we invest in our people, process, technologies, and partnerships."
The size of the platform and the amount of content it handles means that the threat landscape that Roland and his team must deal with is expansive and evolving. He told us that "we update our defenses every day to defend against people with malicious intent. And we're building state-of-the-art cyber incident monitoring programs and investigative capabilities, integrated between cyber, digital crimes and our trust in services organization, using the fusion centers mentioned earlier."
End-user education is a key part of keeping the threat landscape under control. Roland told Infosec that TikTok empowers end users by giving them the tools to make smart decisions about their privacy and security.
Using initiatives such as TikTok's "Be Cyber Smart," in partnership with entities like the National Cybersecurity Alliance and others, helps to keep end users on top of evolving cyber-threats.
Phishing simulations & training
Five lessons from Roland Cloutier for SMEs implementing CMMC
Be transparent: "first, be transparent." Explain to your employees and users how your system works. Explain why certain behaviors lead to poor security and how this can impact their job or the future of the company.
Be educational: educate the entire organization on the values and the opportunities of cybersecurity and how it helps in the market. This also benefits the company as it helps get to market faster by ensuring a competitive edge.
Use security to differentiate your business: talk to security leaders directly think about security as a differentiator. Use concepts such as "converge security" to bring multiple disciplines together. This can be an excellent way to educate a business about how risk impacts the organization.
Create effective processes: align processes with business objectives and don't create processes just as a tick box exercise for regulatory reasons.
Integrate the business and the people into everything you do: Roland told us that as a former boy scout, he knows that you should always be prepared: "perform table talk exercises, crisis response drills, scenario training, start with your top five, go to the top 10 bad things that can happen to your company, go to the top 20. And remember, it's not just about a cyberattack or DDoS attack or what have you. Maybe it's a catastrophic incident. Maybe it's a physical security incident that impacts your people, such as a hurricane or a tsunami." Above all, involve all the people across your business from C-suite to HR to legal partners to procurement. Bringing all the people together to make decisions will create a company's integrated capability to tackle modern cyber threats.
Sources:
- Becoming a Global Chief Security Executive Officer, Roland Cloutier
- Infosec interview with Roland Cloutier, Wistia
- Infosec CMMC eBook, Infosec
In this Series
- Security Culture: TikTok CISO says this trend is here to stay
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization