The 2015 Reddit Revolt and How Information Security Could Have Prevented It

Tue Jul 07 2015 14:05:06 GMT-0400 (EDT)

Most everyone on the Internet knows of Reddit. Maybe a few of you know about the Reddit Revolt that unfolded over the long holiday weekend. It was covered by NPR, Bloomberg, Wired, The Wall Street Journal, CNN, and others. Here's an excerpt from Wired's article:

Moderators have all but shut down more than 265 subreddits to protest the termination of Victoria Taylor, the site’s director of talent. She managed the site’s wildly popular “Ask Me Anything” interviews that have included celebrities ranging from President Obama to a guy with two penises.

Articles and commentary about the incident are covering the lack of control that Reddit's management has over their community, or how Ellen Pao (Reddit's CEO) has spent the weekend back-peddling, or how Reddit is going to address the problems in the future. All the commentary and coverage is overlooking a critical part of the story - what happened (or didn't happen) before Reddit revolted.

Anyone who knows of Reddit will concur that it's greatest asset is the community - it's users. Without the users, Reddit wouldn't have any content, wouldn't have anyone to advertise to, wouldn't have a need for any servers. So you would think that Reddit's management team would beg, borrow, and steal to protect that asset. What is most glaring about this situation is that Reddit's management team didn't have an accurate picture of what the business needed to protect.

A comprehensive Information Security program includes policies for protecting critical business assets - data, systems, and people. Reddit likely knows how to protect the first two, but fell short on that last one. Protecting people isn't just putting locks on doors and cameras in the parking lots - it's understanding their role in the organization and how the business would be impacted if that role changed.

Specifically, Reddit's management didn't know how important Victoria Taylor's role was to supporting the company's most critical asset, until she was terminated and the asset revolted. With a comprehensive Information Security program, Reddit's management team would have identified Victoria as a critical business asset. They would have understood her role in the team, how she contributed to the success of the organization and how her work supported Reddit's critical assets.

Sometimes it's called a 'Bus Factor' - what would happen to the company if a particular person got hit by a bus. Reddit's management team found out - the hard way - that Victoria's Bus Factor was quite high.

Obviously, there are many factors and events that led up to the revolt, but the triggering event (Victoria being terminated) could have been planned for if Reddit had identified her has a critical business asset earlier.