Sometimes you do an interview and then everything changes. I interviewed Twitter’s new Chief Information Security Officer Rinki Sethi very late in December, mostly about her personal experience as a CISO. Since then, of course, Donald Trump’s Twitter account was suspended, and much has changed. Sethi’s comments are relevant to this, as well as current challenges to public conversation. But if you’re wondering why we didn’t discuss that specific topic, that is the reason why. It’s also important to note that Twitter’s Safety Team makes decisions on suspensions, not Sethi.
“Information security” sounds horrifically boring. If only reality conformed to expectations and it stayed that way.
Unfortunately, it probably never will be again.
As a culture, society, and planet, we are now in the age of infowars. Nations are hacking corporations and each other to gain economic, political, and military advantage. Countries are also spoofing each other’s citizens online and influencing their public conversations via social media: inserting ideas, memes, biased information, and outright falsehoods. Public interest groups, isolated individuals, and loosely-affiliated politically-focused groups are doing the same. The result is a confused, chaotic — potentially post-truth — meta-reality in our digital national consciousness. That chaos can boil over into rage and violence, as we saw on January 6 at the U.S. Capitol building.
Twitter is a major target in these new reality-warping wars of ideas. Twitter is also a prime target for doxxing political opponents — and for hacking to dox dissidents.
In other words, not the easiest gig for a chief information security officer.
And yet it’s one that Rinki Sethi, formerly of Palo Alto Networks, Rubrik, and IBM, chose for a reason.
“I interviewed at Twitter at a very interesting time, right before the election when Twitter was in the spotlight,” Sethi told me in a recent TechFirst podcast conversation with her and Frank Sargent of Info-Tech Research Group. “And actually that’s what drew me to Twitter, was just their mission around protecting the public conversation. And it was such an important time, and it still continues to be, around making sure that the public is getting the right information, the information that they want, they need, and that it’s accurate.”
That it’s accurate, of course, is the kicker.
The SolarWinds hacks exposing much of the U.S. government and more than 80% of Fortune 500 businesses put an exclamation point on big tech’s risk — and the risk that big tech poses. Then the suspension of Donald Trump’s Twitter account threw an atom bomb on everything, particularly when Facebook, Apple, Google, Shopify, and other tech companies followed Twitter’s lead.
Essentially, Twitter decided that Trump’s history of sharing information about the election which was debunked by government and election officials, many of them Republican, and his calls for action by his supporters, rose to the level of shouting “Fire” in a theatre.
All of that, of course, happened after our conversation.
But information security — or at least an attempt to ensure accurate information has a chance to emerge in our public digital conversations — is clearly more relevant than ever. As MIT Media Lab found, it takes “true claims about six times as long as false claims to reach 1,500 people, with false political claims traveling even faster than false claims about other topics.”
Or as Mark Twain is rumored to have put it, “a lie can travel halfway around the world before the truth puts on its shoes.” (That statement is an example of itself; there is no evidence that Mark Twain actually spoke or wrote it.)
Today, it’s not the case that digital failures only impact virtual and ephemeral spaces. Unfortunately, our information security vulnerabilities aren’t just about the digital realm, says Info-Tech’s Frank Sargent. They’ve infiltrated the physical world.
“Physical safety has been drawn right in, kicking and screaming,” he told me.
That’s true in an industrial sense: control systems for water, power, transportation, or other systems. It’s also increasingly true in a social and political sense.
Which, for Sethi, was a critical factor in deciding to take the CISO role at Twitter.
“Twitter’s mission of protecting the public conversation is exactly where I wanted to be,” she told me. “And some of the choices they had made, how they were leading best practices in this space, I thought were very core and aligned to my values, and I couldn’t think of a better challenge to go and take on, so that’s why I chose Twitter.”
Which doesn’t mean everyone’s aligned with the choices Twitter makes around protecting public conversation. Global leaders such as Germany’s Angela Merkel called Trump’s Twitter suspension problematic, and Poland has begun drafting legislation that would bar social platforms from banning people who do not specifically break national laws.
On the flip side, many wondered why it took so long.
All of which is unlikely to have made Sethi’s first quarter as Twitter CISO an easy one. Which, being in security, she’s probably used to.
“Security’s always playing catch-up,” she says. “It’s rare that you’re in front of the problem and you’re designing right from the beginning. And if you’re not, then you’re constantly playing catch up.”
That might not just be the case in managing hacking and technical risk. It’s likely also the case in the interplay between free speech and platform rules, or free speech and conversational health.
One good thing: if Twitter’s going to be the focus of the infowars, the company does at least have a CISO who can communicate.
“The CISO’s role has morphed and changed … you used to see two camps of CISOs,” Rinki says. “One that were really technical, more like architects, and then another that was very business savvy, really good at communications. And I think those are merging together, and it’s really important for CISOs to communicate really well across their different stakeholders and partners in a company, such that it’s not that back office job and it’s in the forefront on a day-to-day basis.”
That forefront might be a very challenging place to be over the next year. And, given the fracturing of our public discourse and lack of agreement about basic aspects of reality … perhaps almost impossible.
Perhaps Sargent’s comments on information security and risk are appropriate here.
“It’s just understanding risk,” Sargent told me. “Worry about what you can, and do something about those things that you can, and [don’t] worry about things that you can’t.”