Security Culture: TikTok CISO says this trend is here to stay
Infosec Inspire talks to some of the big guns of our industry to reveal many important aspects of cybersecurity that we can all benefit from. Infosec recently spoke with the global chief security officer of ByteDance and TikTok, Roland Cloutier; Roland has a long and distinguished career working in information security and risk management. Throughout the discussion, Roland gave us an insight into a critical aspect of modern cybersecurity, building a culture of security.
With the phased inclusion of the Cybersecurity Maturity Model Certification (CMMC) program into government tenders by 2026, Roland's insights into security education and awareness can help SME contractors to meet the five levels of CMMC compliance. TikTok is one of the most popular social media platforms for dances, comedy skits, and even security culture.
What makes security tick at TikTok?
Roland was brought into TikTok as an information security expert to build the company's security program. As one of the most scalable technologies and fastest-growing companies globally, this was an essential task. TikTok is only three years old yet supports over one billion active monthly users (MAUs). The mass, cross-country use of the platform requires an "always-on" view of security and privacy risk.
The security ecosystem that TikTok operates is vast, including users across many countries, a large partner ecosystem and business associates in privacy and legal, product delivery, media, etc. This massive endeavor means that the security process must be streamlined and highly efficient. This calls for a new approach, scaling defenses and creating specialist hubs of excellence in security.
Roland works on the scaling of the defenses of TikTok and calls upon the services of experts to review tasks and validate these defenses. The company currently has around 250 open positions to fill in this area, giving an insight into the vast remit of TikTok's security mission.
TikTok is aligning security with its trust and safety hubs by building regional hubs and fusion centers in the US, Europe, and Asia. These are also integrated with centers of excellence for practitioners in 19 different disciplines across the globe.
Building TikTok's culture of security
"Security is everybody's responsibility" — Roland Cloutier, TikTok CSO
Infosec asked Roland about the culture of security that is now an inherent aspect of life at TikTok. He told us that at TikTok, everyone is intrinsically connected to the practice of security: "it doesn't matter if you're in content development, creator management, or security, everybody in TikTok is involved in maintaining a secure environment, our employees truly are our first line of defense".
Roland told Infosec that to create and maintain a culture of security, the mission message must be simple: "they (employees) are here to protect the last sunniest corner of the internet" (as TikTok has become known). Roland and his team train employees to understand how to achieve this, which imbues a sense of security into every action; the result is a culture of security.
How TikTok educates its employees in security
TikTok is unique in that it can use its own platform's videos internally to educate employees on cyber security. Roland told Infosec that "we use TikTok videos and TikTok tips videos internally about cyber security to be cyber smart." TikTok's internal training videos are part of a wider emphasis on consistent education in the company. TikTok uses the concept of 'command groups' that come together to form a larger command group. These groups are augmented with external specialists who help train the internal groups.
In October, TikTok used these videos as part of its internal security awareness program during cybersecurity awareness month. Roland explained that "TikTok has a cool series called Mission Possible" that is designed specifically to train employees around security awareness topics. Mission Possible uses practitioners and specialists to design security-specific exercises that educate employees; one example is the security feud competition that pits employees against each other to help people understand the complexities of social engineering.
A continuous program of security awareness
"TikTok uses the adage, if you see something, say something." — Roland Cloutier, TikTok CSO
Providing avenues of communication between employees and security is essential to ensure a continued culture of security and protection.
Providing easy access to experts and security personnel ensures that TikTok's people remain committed to security. Roland told Infosec that "people are the foundation of our organization." "Security needs more than cyber security experts within the global security organization. Security needs security expertise intrinsic to the business".
To achieve this, Roland and his team at TikTok share their expertise beyond their own areas to ensure that security knowledge is part of everyday life at the organization. As Roland states, "I think everybody benefits from a more secure business, and a more secure platform, it creates a more secure world. So, I think the more we do in this education training and openness and transparency into our world; it helps everyone."
How TikTok educates its user base on security matters
"We're giving them (end users) new tools in-product to protect their accounts. And we're also giving training." — Roland Cloutier, TikTok CSO
The one billion MAUs on the TikTok platform place the company in an influential position regarding end-user security education. Roland told us that "TikTok has a responsibility, as the people who use TikTok entrust their data to us. We take that duty extremely seriously, so we invest in our people, process, technologies, and partnerships."
The size of the platform and the amount of content it handles means that the threat landscape that Roland and his team must deal with is expansive and evolving. He told us that "we update our defenses every day to defend against people with malicious intent. And we're building state-of-the-art cyber incident monitoring programs and investigative capabilities, integrated between cyber, digital crimes and our trust in services organization, using the fusion centers mentioned earlier."
End-user education is a key part of keeping the threat landscape under control. Roland told Infosec that TikTok empowers end users by giving them the tools to make smart decisions about their privacy and security.
Using initiatives such as TikTok's "Be Cyber Smart," in partnership with entities like the National Cybersecurity Alliance and others, helps to keep end users on top of evolving cyber-threats.
Five lessons from Roland Cloutier for SMEs implementing CMMC
Be transparent: "first, be transparent." Explain to your employees and users how your system works. Explain why certain behaviors lead to poor security and how this can impact their job or the future of the company.
Be educational: educate the entire organization on the values and the opportunities of cybersecurity and how it helps in the market. This also benefits the company as it helps get to market faster by ensuring a competitive edge.
Use security to differentiate your business: talk to security leaders directly and think about security as a differentiator. Use concepts such as "converge security" to bring multiple disciplines together. This can be an excellent way to educate a business about how risk impacts the organization.
Create effective processes: align processes with business objectives and don't create processes just as a tick box exercise for regulatory reasons.
Integrate the business and the people into everything you do: Roland told us that as a former boy scout, he knows that you should always be prepared: "perform table talk exercises, crisis response drills, scenario training, start with your top five, go to the top 10 bad things that can happen to your company, go to the top 20. And remember, it's not just about a cyberattack or DDoS attack or what have you. Maybe it's a catastrophic incident. Maybe it's a physical security incident that impacts your people, such as a hurricane or a tsunami." Above all, involve all the people across your business, from the C-suite to HR to legal partners to procurement. Bringing everyone together to make decisions creates an integrated capability across the company to tackle modern cyber threats.
Sources:
- Becoming a Global Chief Security Executive Officer, Roland Cloutier
- Infosec interview with Roland Cloutier, Wistia
- Infosec CMMC eBook, Infosec