Social Media Policies: Leading Without Bleeding

As I continue to discuss government 2.0 with peers across the globe, I am happy to report that progress is being made! Specifically, I have noticed that the content of the dialog is changing.  For most of the past year, when I was asked to do a presentation on 2.0 for conferences or webinars, the vast majority of conference organizers asked me to focused on the “what” and the “why” of Web 2.0 in government:

“Please explain Twitter, tell me how to set up a blog,” etc.  I was happy to oblige because in order to understand the value offered by these toolsets, you have to have at least a basic knowledge of their general purpose and capabilities.

But in the last few months, I’ve noticed that the focus has shifted to the bigger picture of governance.  Now the conference/webinar organizers are saying “Okay, everybody gets it – Facebook has some viability for us in government.  But how do you control it? Who manages it? Who can post?” Last week, I participated (remotely via SecondLife) as a guest speaker at a conference organized by the Florida Institute in Government. The conference was focused on the challenges of social media in government. When planning the content of my presentation, the organizer asked me to focus specifically on policy development.  How did we work through the process here in Roanoke County? What were the essential components?  How did I “sell” the value of it to my administration and elected officials? And she was dead-on with this line of thinking: the session ran long with questions from the audience, the majority of which were focused on policy versus the specifics of a given technology. Next week, I am scheduled to speak (remotely via videoconference) to a Public Adminsitration graduate class at Syracuse University. Throughout the planning the content for the session, the professor has asked me to focus on “New media policies in the public sector…hoping that you could walk us through your county’s strategy, main elements, how you came up with the different elements, what potential implementation problems might be and adoption constraints that you might have encountered (security, cultural issues, identity management, public record creation, records management, etc.).”  She asked me to participate not just because of my MuniGov affiliation, but because I am just one example of how government are putting their money where their mouth is…not just talking the 2.0 talk but walking the walk.

Collectively, we’ve moved beyond the “what” and the “why” of govt 2.0 and into the stickier realm of “how”. I call it stickier because how we do this stuff – the controls, the process, the procedures – are a sign that we’ve moved beyond the R&D and into the acceptable use realm.  This means accountability, stakeholders and policies that have to be created and <gulp> approved.

macgyver1

Your Social Media Policy can do it all, just like my man Macgyver!

However, social media policies should not be feared.  Believe it or not, they are not that difficult to construct. I’ll grant you that although it can be an arduous process to get them fully vetted, when they are done, they can be used as a shield, a megaphone and a flashlight! They’re like the MacGyver of policies.

Now, my humble apologies here dear reader, but I am afraid that I won’t be able to tell you exactly how your policy should look.  There are too many variables involved (i.e. state laws, political climate, organizational size and culture, etc.) to develop a foolproof checklist for every organization.  However, I have discovered some common elements that seem to be inherent in the successful social media/2.0 policies that I’ve seen in government organizations. Here are a few tips to help you get started:

  • If you are still in the “justification” mode, don’t start with a policy.  You need to do some controlled experiments and test the waters first.  Policy development before establishing value will be a death knell for 2.0 in your organization.  Start with some hands-on value development.  (See my earlier post “Incorporating Web2.0 in Your Organization Part 1 – MIX IT UP! ” for some suggestions on how to do this).
  • Once you are ready to start on a policy, be sure to think high level. Do not focus your policy on specific technologies or procedures.  One of the biggest values of 2.0 is its nimbleness.  If you tie a document with the weight that a policy holds to a specific tool, you will never be able to keep up with the technology times.  Yes, Youtube might be ideal for your organization now, but you might find something more effective in the future.  Use your policy as a general “big picture” guide to the sanctioned use of 2.0 in general – leave the specifics of use to a separate procedure.  For example, here in Roanoke County we do not mention Twitter at all in our policy.  Yet we have separate procedures that dictate the details like background images, whom we will “Follow”, and our avatar design requirements. Keep it high-level – avoid acronyms, specific technology names or processes used for only a single purpose. Make your policy flexible.  It is not intended to be an engraved headstone but rather a dry-erase board. Expect – heck, plan ahead – to make changes to it on at least an annual basis to keep up with the times and the “organizational acceptance” of it all.
  • From the beginning of policy development, you need to involve your organization’s key players.  At a minimum, every policy should govern a workflow process that includes public information/marketing, information technology and legal counsel.  These are the three legs of the 2.0 stool that have to be rock solid for it all to truly work.  Anything new you want to implement on a permanent basis should be approved by these departments.  I know that my colleagues have at times considered me (IT) to be a bottleneck. But IT, like the others mentioned above are here to support and protect you and your organization from harm. So my advice is to get them on board early.  It may take some gentle cattle-prodding to get them to focus on it. Provide them with information.  Answer their questions promptly.  And I have found that providing doughnuts and/or cookies at meetings often helps to grease the skids as well!
  • The policy itself is simply a document.  Don’t let it sit on a shelf in a dusty binder.  Exercise the policy by developing a cross-departmental workgroup to keep things moving along.  Start with the three legs mentioned above, but add representatives from your departments that have a direct connection to your citizens (Libraries, Parks and Recreation, Public Safety, Human Resources, etc.)  There are typically folks within these departments that get this stuff, that want to be operating in this space.  A policy, coupled with this workgroup will ensure a balance of governance and innovation within your organization…a true key to success and longevity for your govt 2.0 efforts.
  • Next, dress that policy up and take it out on the town!  Don’t let your policy get bored.  Use it as tool of advocacy. By promoting a social media plan that is backed up with the quintessential “big guns” of policy approval, you’ve got a much better chance of making things work across your organization.  The policy is the firm foundation from which you can launch a comprehensive communications plan.  Use it to help you tell your organization, your elected officials and your constituents that “this stuff is here, we are using it (the right way) and it is a good thing!”

I hope these thoughts above give you a jumpstart on your own policy development.  Below are a few examples of social media policies for government organizations that may help even more.  By no means is this a comprehensive list of governments that have policies in place. This is just a sampling to show you that organizations engaged in social media come in all shapes and sizes. Please feel free to shoot me a message and let me know if I’ve missed one you’ve found particularly helpful.

Arlington County, VA Social Media Policy and Guidelines

Arvada, CO Social Media Policy

Chandler AZ Social Media/Social Networking Administrative Regulation

Fairfax County, VA Social Media Policy

Hampton, VA Social Media Policy

Roanoke County, VA Social Media Policy

Suwanee, GA Social Media Policy

State of Delaware Social Media Policy

State of Utah Social Media Guidelines

Virtually Yours,

Greever

Can’t We All Just Get Along?

I had planned this week to get back to my suggestions regarding the make-up of your internal Web2.0 group, but a few colleagues brought something to my attention that I thought might be more timely.  Most of the articles I have been following over the last few months have been on the potential value and the practice of using Web2.0 as a business tool.  Most of these articles vaguely reference the “security concerns” brought about by Web2.0 technologies, but they fail to provide guidance or cite any specific dangers.  So, the vague threat of potential malware embedded in Web2.0 apps doesn’t hold much water with me.  Everything we do in IT has this potential.  That’s exactly why you have an Information Security program. However, this week I read an article from Sarah Perez, Your Web 2.0 App is a Security Threat,  that subtly raises the other IT fear regarding Web 2.0 technologies – namely that misuse of Web2.0 technologies can endanger the confidentiality of your corporate data and information as well as pose a threat to legal compliance. The article itself is a broad review of a new product called ACE, which is designed to make it easier for IT to shut down rogue Web2.0 applications.  The point Sarah raises regarding the potential dangers of rogue web apps is dead-on in its concern.  Under-the-radar apps can pose a serious threat to your infrastructure and they must be monitored and controlled. 

mole.jpgHowever, although I appreciate the value of a tool like ACE, I think it is futile to consider such a tool to be the solution as to how we as IT managers can “control” Web2.0.  Due to its very nature, you cannot shut down Web2.0.  Trying to isolate and filter “Web 2.0 technologies” is like trying to nail Jello to a tree.  Sure, you’ll be able to pinpoint whatever the hot technologies of today are, but tomorrow three more will spring up to replace it.  As Chesterfield County CIO Barry Condrey pointed out in his feedback to the article, you will be forever chasing your tail in a futile “whack-a-mole” syndrome.  You will be much more successful in your security efforts if you engage your user population in a give-and-take dialog to help you find a middle ground that everyone can live with and then implement the technologies that support the mutually-agreeable approach.

NOTE TO THE READER: Feel free to skip the next paragraph of introspective and perhaps self-indulgent  “How I Got Here” detail.  Although germane, it isn’t required in order to get to the point of this post.

It wasn’t until I got to the executive level of technology management that I truly began to appreciate the necessity, value and process of maintaining balanced technology service delivery.  Most of us who are focused in one area of technology service get very, very good at it.  You thrive on technical challenges and you typically work in a world of black and white answers.  When I was in that stage of my career, I frequently had run-ins with customers who liked to toss their “flies” into my technology miracle cure-all ointment, or at least that’s how I saw it.  Although I was (almost) always patient and I tried to remain customer-service oriented with them, I was frequently vexed.  I felt that they were just being difficult (and wrong) because they didn’t have enough to do or because they were just uninformed.  So I got frustrated with them because I couldn’t focus on the “right” solution immediately and they got frustrated with me because I was trying to categorize or jump to conclusions about their needs. (As an aside, here’s a big “I’m Sorry” shout-out to all of you former customer co-workers who might come across this in your net travels.) Over time and with experience, and moving up through the ranks, my technology and business knowledge became much wider and more shallow.  Multiple discipline multi-tasking and business management skills became the order of the day. It became much easier for me to truly appreciate and honestly value the business user needs.  No longer was I focused on the technical solution…now it was more about focusing on just the solution.  (Is that a collective “duh” I hear from those you who have been at the exec level for a long time?)

chameleon.jpgFor those of us who are in the IT field, we must be constantly vigilant lest we fall into the rut of getting wrapped up in the technology for the sake of technology.  Advocating, marketing and even proselytizing for technology as an enabler should be a big part of our job focus.  But don’t let the tail wag the dog.  We need to be one of those funky chameleons with one eye towards our users (business needs) and one eye towards our infrastructure (technology capability and requirements).  I often think of my role as that of a sales engineer – I need to know my tech stuff, I need to know what my customers need and I need to know how to put those things together. 

As I have said in previous posts, Web2.0 at its core is not about technology.  Technology is merely the method used to redefine the way an organization communicates and collaborates with its customers.  Likewise, technologies such as ACE are also enablers in terms of focusing that Web2.0 adoption into secure and reliable channels.  But they are not the sole savior, nor should they be. The answer is to rely first on well-crafted policy that balances the need for security of information and systems with the business needs of your users.  I spoke to Sarah offline and although we may take different paths to get there, we share the goal of having an organization that runs technology in a safe and controlled manner to the benefit of all internal and external customers.  Here in Roanoke County, we use a product similar to ACE to filter web applications because I don’t want any covert apps popping up in the departments either, whether they are business legit or not.  But before we install a technology solution, we need to get a strong, flexible and reasonable policy and practice in place to govern the use of Web2.0 in the enterprise.  This policy cannot be solely a product of the IT department.  We’ve got to have the conversation with all the stakeholders at the table in order for something of this magnitude to be effective.  Everyone involved needs to approach the issue with an open mind and stay focused on the ultimate goal of improving the organization.  IT folks must be willing to refrain from assumptions and be flexible on some of the traditionally locked-down areas and practices. Business users must be willing to adhere to the tenants of the policy and abide by the security and technology that must remain intact in order to preserve the security of an organization’s resources. 

Once you have the global policy in place and the details have been communicated to the organization, then you can fire up an application like ACE, provided it can be modified and customized to meet the current and evolving needs of your organization.  By then, everyone should be on board with the technologies adopted and not finding ways around the policy.  Violators should be disciplined accordingly because of the potential danger to technology resource integrity and the privacy and security of your corporate information.  I’d also recommend periodic reviews of the policy to ensure that it remains in line with the changing needs of the organization and the new Web2.0 technologies that spring up on a regular basis.  This follow-up will provide business users with a conduit to raise issues regarding the policy and security technologies and it will hopefully curtail attempts at circumventing policy direction.

Don’t get me wrong – I know this not going to be a simple process.  You may experience wailing and a great gnashing of teeth, but the end result will pay off in dividends for all involved.  As a former boss told me early on in our working together – “the best solution is not often the easiest”.

Virtually Yours,
Greever