(30th April 2020) By Roland Cloutier, TikTok Chief Information Security Officer
As someone who has spent my entire adult life working on the industry's most challenging security issues, it is great to see that the broader community is now taking these issues as seriously as those of us who work on them every day. People are asking tough questions of internet companies – and that’s a good thing.
Since its creation, TikTok has been focused on protecting our users and building out an outstanding security team. However, we fully appreciate that the work of securing a global community of users is never done. We must constantly strive to do better and evolve to meet the next set of challenges.
That means looking both backwards and forwards.
Looking backwards means re-evaluating security practices that may have made sense when the platform was smaller, but which may no longer work at our current scale. Companies get into trouble when they assume that systems, technologies, policies, and practices that were sufficient at one point in time will work forever. That’s rarely the case. Companies change, threats change, and security practices must adapt or risk falling behind.
Looking forward means trying to anticipate where the security needs of our community are going. That isn’t easy. Six months ago, nobody could have predicted that #thankyouNHS would be one of our most popular hashtags today, or that people would be coming to TikTok not just for playful videos, but also for public health information from health organisations, local government departments and politicians. My team is laser-focused on building out our advanced security infrastructure, designing relevant programs, and engaging with the broader industry to further develop our capabilities, and lead as our sector continues to evolve and change.
With those goals in mind, in the weeks since I began, my team and I have been undertaking a broad review of TikTok’s security, our infrastructure and practices, testing current practices and actively seeking to anticipate what we will need in the future. As I begin my work at TikTok, I am excited for the new challenge and appreciate how much everyone on the team has made it clear that security is a top priority for the company.
Let me take this chance to highlight a few areas where we are going to focus:
- We are engaged with the world's leading cyber security firms to accelerate our work advancing and validating our adherence to globally recognized security control standards like NIST CSF, ISO 27001 and SOC2.
- Transparency is the foundation of our next generation security programs underway here at TikTok, as we continue to work hard to earn our community's trust. Our Cyber Defense, Security Assurance, and Data Protection programs will be front and centre in our new Transparency Center in LA.
- Similar to industry peers, we will continue to drive our goal of limiting the number of employees who have access to user data and the scenarios where data access is enabled. Although we already have controls in place to protect user data, we will continue to focus on adding new technologies and programs focused on global data residency, data movement, and data storage access protections worldwide. Our goal is to minimise data access across regions so that, for example, employees in the APAC region, including China, would have very minimal access to user data from the EU and US.
In the same way that I hope we all continue to wash our hands thoroughly long after the COVID-19 crisis has ended, so too will we continue to advance the protection and privacy of your data. That’s how together we can take some important lessons from this terrible crisis and use them to build a better, more secure future for us all.