At Tuesday's morning keynote of the InfoSec World Conference, TikTok Chief Information Security Officer Roland Cloutier said a key factor in managing TikTok's internal security was his ability to communicate with employees on their own level.
For Cloutier, who only entered the industry after a decade in law enforcement in the 1980s and '90s, that means gearing activities for a workforce that often mirrors TikTok's own product users, rather than expecting employees to engage with him using his native communication style.
"I think any organization should do that. They should look at their demographics in general, and make those changes," he said. Sharing an antiphishing TikTok he filmed, Cloutier added: "I'm a big proponent of TikToks obviously, but whatever works for your organizations in their demographics."
The internal TikTok Cloutier shared while speaking to Cybersecurity Collaborative Executive Director Parham Eftekhari showed him on a boat, fishing, making phishing puns while offering advice about reporting dangerous content. Cloutier said it was a celebration of how his staff sees him - an older figure making "dad jokes."
TikToks are not the only way Cloutier said he conveys messages on the level of a much younger employee base and security staff. He said he has gamified security training with video games and challenges employees with quiz show-styled trainings. All of that, he said, helps rapidly prepare a workforce for increasingly sophisticated adversaries that inevitably target a product experiencing exponential growth (and with it, an exponentially growing threat surface).
Cloutier joined TikTok, the world’s most popular app with some 1 billion downloads annually, at a challenging time. While the app has only existed for a few years, the company came under scrutiny early on in the United States over security and data privacy issues that emerged with the discovery of vulnerabilities within the app, as well as concerns about ties between Chinese parent ByteDance and the Chinese government. In the words of leadership at the time, the addition of Cloutier contributed to the company's "ability to earn the trust of the broader community by delivering world-class security systems, processes and policies."
While Cloutier did not address the earlier challenges faced by TikTok during his keynote, he did emphasize transparency as a key component of any security program.
"We have to deliver trust. We have to ensure that part of our roadmap is showing the world how we're changing; how we're expanding; how we're improving; how we're addressing that new concern," Cloutier said. And as laws or threats evolve, companies need to change their control environments, he added, and communicate those changes to stakeholders. "We want people to understand that we know what we're doing."
"This stuff's coming at speed," Cloutier continued. "You just can't send someone back for their post-grad degree for six months, have them come back and hopefully they're smarter. You have to engage with them, you have to do it in a way that's practical, that gives them the information, but also gives them the skill set."