As part of a series exploring cybersecurity and its impact on consumers, marketers, and marketing (see here for Part 1, Part 2, Part 3, and Part 4), I talked with Holly Rollo, the CMO of RSA, a Dell Technologies business. RSA solutions enable customers worldwide to deliver business-driven security strategies. The following focuses on marketing’s role in cybersecurity.
Whitler: In general, do marketers play a role in managing data security? If yes, what do they do? If not, why not? Should marketers play a role in managing data security? If yes, what role should that be?
Rollo: I don’t think we do and it’s a big mistake.
Here’s the situation in a nutshell. Marketing as a function is spending the most money on technology according to 2016 research by IDG; more money than finance, engineering, sales and HR. This is a result of recent technology innovations that have allowed marketers to take advantage of data science to drive ROI and deliver higher-quality results for Sales. Many of those innovations have been delivered by companies who understand that marketing traditionally doesn’t get a lot of IT support, so many if not most of these are delivered as web-based or web-enabled applications. But we aren’t buying one application; we are connecting together say ten of these tools when we go through a new web launch for example. There’s a huge amount of pressure to go fast and we don’t always get the IT support we need, so we outsource, get parts from the company’s shared services, or create shadow IT.
So, there is lots of spending and tools being put together, using mostly cloud and some form of outsourced IT. Meanwhile, the IT security organization is busy protecting the enterprise’s core infrastructure. These teams are working really hard, but only 27% of enterprises say they actively monitor cloud-based infrastructure as part of their security strategy based on our research. And they absolutely can’t monitor and protect systems or applications they don’t know exist. So, who is looking at the security strategy for all of these marketing assets that we just spent all this money to acquire? Yes, security-conscious IT organizations will help us through a security audit for each vendor, but we are connecting the tools together with APIs and the connections are what is concerning. Remember, at some point, all that connects to CRM and ERP, so the modern marketing infrastructure with that marketing automation forms page, it’s a front door to sensitive information.
Realizing this, we as marketing leaders need to do all that we can to be more security-aware and partner with our CIOs and CSOs to be sure we have end-to-end security strategies for our infrastructure.
Whitler: Is this optimal or should marketers be involved?
Rollo: The cornerstone of modern marketing is technology and data. In addition to being security-conscientious employees, marketers can have access to highly confidential information, making them potential targets.
However, there is a bigger concern that marketing poses. Given the increased utilization of applications and services, marketing controls a number of technology decisions, whether it be solutions that are hosted in the cloud or purchased through third-party providers. Marketers need to proactively bring IT and the security teams together (if they are in separate groups) to manage data security more than ever.
Marketing functions generally create and/or utilize large sets of data, and therefore must understand best practices around data use and security. As a simple example, a marketing program could be designed to collect personal information such as email addresses, addresses, phone numbers, etc. A more complex example is a marketing program designed to collect preferences, purchasing history, and propensity attributes as a prospect or customer engages digitally over time. Beyond regulatory requirements, data use policies, or opt-in permissions, there is a whole strategy that must be considered when adopting new technologies or transforming marketing infrastructure and operations to a modern marketing model.
Whitler: How, then, can marketers do a better job of getting involved in cyber security decisions?
Rollo: First, we as marketing leaders and CMOs need to take the time to understand what’s going on in cybersecurity, what this means for our marketing infrastructure, and what we require. We need to understand the risks to our tools and internalize the burden we carry because of the information we collect and use and its potential as a target.
This isn’t going away. The recent DNC hack was reported to have started with a vulnerability in a technology platform used for fundraising, social networking, and organizing campaigns—basically, the hack came through marketing-related technology solutions. There is a trend happening where more intrusions are coming through a company’s marketing and social applications and it appears to be growing according to reported data.
Second, when considering new technologies, the marketing department should be sure that vendors pass security audits that IT security can feel good about. In recent years, this has proven a frustrating process because there are so many marketing technology start-ups that are trying to sell great solutions, but haven’t thought through how they intend to demonstrate security to the marketing people they are trying to sell to. And while Marketing wants to move fast, sometimes these audits seem to take forever to complete.
Third, Marketing must have an IT security business partner that can be held accountable, and this often presents a huge challenge. In smaller companies, say under $1B in revenue, there aren’t enough resources to go around, and often marketing has to hire its own technologist or outsource it. In larger companies it can be difficult to get dedicated IT support overall, let alone security support, particularly in industries where marketing isn’t seen as a priority. I’ve implemented a handful of modern marketing infrastructures and I do know we can be a modest bunch. I’m not sure we fully communicate to the organization the technical depth of what we are actually implementing and the detail of the data that we have on hand. In an effort to get to the results, coupled with people’s attention span on such detail, we probably don’t do a good enough job insisting that we get the IT and IT security help we need. I think IT security would say that they are ultimately responsible, but we need to advocate for the support we need to ensure they own it.