Leaked Democratic Party email exposed a simple fact: People gossip. But in today’s cybersecurity environment, leaders would do well to recognize that a bigger crowd can listen.
At this point, you may be so tired of hearing about emails that you’ve decided to stop using it—smoke signals, telegraphs, semaphore flags, whatever unhackable communications method works. Considering the proliferation of hacks, that may not be the worst idea, actually.
Consider the latest high-profile incident. Last week the Democratic National Convention was thrown off-message before it began by Wikileaks’ release of a trove of internal emails from Democratic National Committee staffers. Among the most attention-grabbing disclosures were exchanges that criticized then-presidential candidate Sen. Bernie Sanders and seemed to subvert his campaign (thus questioning the DNC’s official impartiality). A PR person talked about encouraging the press to describe the Sanders campaign as “a mess”; in another exchange, staffers spitballed the possibility of attacking Sanders on religious grounds. Perhaps most damningly, DNC chair Debbie Wasserman Schultz (who resigned after the incident) dismissed one conversation by saying flatly, “He isn’t going to be president.”
I’m not interested in revisiting the Democratic presidential primary process in particular, or even discussing politics in general. I bring up the DNC email kerfuffle because it’s exhibit A in the vulnerabilities that all organizations have when it comes to cybersecurity—which in turn is a reminder that all leaders’ communications ought to be conducted with the expectation that they might be made public.
”If you don’t want that kind of limitation, you shouldn’t be working for an organization that depends on its reputation for its life.”
This notion gets formulated in a variety of ways: The one I grew up with is “never write anything down that you wouldn’t want to see on the front page of the New York Times.” In the association space, I’m reminded of a moment when I was sitting in on a 2011 roundtable of association legal pros, and attorney Paula Cozzi Goedert delivered a harsh message about social media and communications in general. “I think the bigger problem is really staff and volunteers getting onto blogs, often late at night, on a topic they are passionate about, and using hyperbole and using humor perhaps in a way that ultimately reflects poorly on the organization they are representing, even if it’s not on the topic in which the association focuses,” she said. “I tell my clients to tell their staff that ‘the badge is always on.’ If you don’t want that kind of limitation, you shouldn’t be working for an organization that depends on its reputation for its life.”
The badge is always on. At the time, I thought Goedert was being overly demanding—back then, it seemed like an uphill climb just to get an association executive to pronounce “blog” correctly. But I’ve come to see her point, not just in terms of the public-facing online statements she was discussing but the private ones as well. Because there’s plenty of evidence that the private stuff gets made public too, from the frat-house emails of Snapchat’s CEO to the sniping that defined the leaked emails from within Sony Pictures.
Perhaps the most troubling element of such leaks is that while there might often be a comprehensible cause for the hackers’ motivations, at other times the rationale is no rationale at all, or a bizarre one. You’ll recall that the proximate cause of the Sony Pictures hack reportedly was North Korea’s concern over how it was portrayed in a low-priority comedy, The Interview, that would’ve vanished from the public consciousness in a week if Dear Leader had left well enough alone. (As it was, The Interview all but vaporized in two weeks.)
The experience left Sony Pictures chastened, CEO Michael Lynton told a conference last December: Employees “are a bit more moderate in the way that they are expressing themselves,” he says. “A lot of things…should be kept in a phone conversation.” That makes good sense—we can worry about phone hacking another day, and it’s probably more practical than giving up on email entirely, though it’s not unheard-of among CEOs.
But if the badge is always on, then what we’re talking about is not so much concern about statements getting disclosed—it’s about how people conduct themselves so that when statements do get disclosed, there’s nothing to be concerned about. I’m not so pollyannaish as to believe that association leaders won’t talk about their volunteer leaders, staffers, and members, and that sometimes that talk will be unflattering. And I don’t think it’s healthy to operate in a state of constant paranoia. But the hacks and revelations should be a reminder that in a public-facing job, your conduct is public more often and in more ways than you might assume.
What do you do to establish your organization’s tone when it comes to email and other online activity? Share your experiences in the comments.