
Blogging With Security

Common sense - and a mind for what's fit for public consumption - should be your guideposts

I just finished an excellent book by renowned technical journalist Paul Gillin called The New Influencers. He lays out in great detail, and nice brevity (an easy 218 pages), why a company can’t afford not to blog, and how to blog correctly. You need to know about blogs, and this book is a great way to start.

Part of the problem for us in security is his well-founded recommendation that the blog be relatively untouched, reflecting the honest opinions and views of the author. It's our job to help make sure the company's intellectual property and secrets remain secure and unpublicized. With competitive fortunes often dependent on being first to market, not to mention SEC rules on disclosure, we have to walk a fine line to protect the company and still create the candid dialog a good blog requires.

The Importance of Blogging
As Paul eloquently points out in his book, blogging has become critical to many companies in the post-Internet age. It humanizes the firm, creates a dialog between executives and customers, and provides a firewall against other bloggers who take the company to task. Generally the most exposed companies in this new connected world are those that can't control their image and have that image sullied by professional and amateur bloggers, some of whom have stature that exceeds many legitimate journalists but often do not adequately verify their sources.

Microsoft is a company that lost control of its image through traditional marketing means, but it is slowly building it back with one of the most successful, and controversial, blogging efforts in the segment. Apple, which has a very solid marketing-based image, often loses control because others blog for them.

While CEOs generally don't blog for good reason, Sun's CEO does, and I think we can argue that it has done a lot to improve Sun's image.

In the end, I firmly believe companies have no choice but to allow blogging. But to do so without some protection would be foolhardy and could destroy a company’s competitiveness and/or create an embarrassing enforcement action, possibly resulting in significant fines, executive terminations, and sanctions.

Blogging Issues
People are people and often forget that things they can talk about at work aren't to be discussed outside. Back when I was at IBM, we had clear rules that were regularly communicated about what not to talk about in public places: unannounced new products, internal financials, internal politics, rumors about acquisitions, and internal disagreements.

Why? Because you could never tell who was listening and reporters often hung out at places IBM employees frequented to get inside stories. That still goes on, by the way -- Microsoft in particular has several reporters that virtually live on campus looking for little tidbits that they can publish about a company that's known to leak badly.

Sometimes it's hard not to get excited, angry, or just forget where you are. Company bloggers pressed for time who have to post their daily/semi-daily entry may not always remember it's an external communication. We’ve all seen (or been) employees who get really upset about a review or management action, and blast out a global email reflecting their views. Think of this behavior on a blog: it could be devastating to both the employee (who is likely to be fired and unemployable) and the company.

Once posted and linked to, this stuff tends to get a half-life all its own, even if the original is pulled off the Web. It is always better to prevent the problem than to try to correct it after the fact.

Securing the Company Blog
Radio stations have a similar problem. A DJ or guest can say something unthinking that can result in major problems for the station. Many use a delay to ensure they can bleep the offending word or comment before it goes out on the air. We just saw what happens when that doesn't work with Don Imus' comments on a women's basketball team. (See What Imus Can Teach IT.)

I believe company blogs should be edited for grammar and spelling because they reflect on the company. Part of this edit should be a review of content, not to wordsmith it -- that's a quick way to kill a blog -- but to make sure it adheres to company policies. This is tough to do with the CEO, who clearly has the authority to say anything, but raising the question could prevent an unintentional mistake. And the goal is to prevent errors, not to change the blog.

This suggests that security be involved in setting and enforcing the blog policy but should not be involved in the actual editing. The whole point is to allow a slight delay to ensure the blog is what the employee -- and the company -- intend it to be and that mistakes don't get out. Security policy is not about changing the tone or legitimate message of the blog.

Keep It in Perspective
People who have difficulty controlling their tempers or who otherwise don't show good judgment should not be let out in public. But, while you can advise, it will always be the responsibility of line management to make the choice of who blogs and what they blog about. This isn’t to say you can’t make suggestions, nor that if you foresee a problem you shouldn’t try to keep it from happening. But if you get carried away, you could destroy the very reason the blog is being done in the first place. That could have material consequences for your company’s success and your own.

In the end, blogging, like any tool, has huge benefits that are not without risks. It's our job to help and make sure our companies just see the benefits.

— Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading.
