Chief marketing officers are now at a tipping point, where they need to rapidly learn about and operationalize cybersecurity measures. In most cases, this is not a marketing leader’s core competency, so for CMOs to add cybersecurity to their roles, they must somehow become part of the C-suite cybersecurity team and proactively help prepare for the inevitable breach.
Such was the theme of the recent talk given at the South by Southwest (SXSW) Conference, March 9 to 14, in Austin, Texas, by Holly Rollo, SVP, CMO, at RSA. Based on RSA’s 2017 CMO Cybersecurity Survey, ‘How Secure Is Your Marketing Transformation?’, Rollo’s session made it clear that the Internet is inherently insecure, and its original purpose was to be open and accessible by everyone. However, there is no government agency protecting businesses today—organizations are on their own. Rollo told the audience that the proactive planning you do—and the cyber-culture, awareness and capability you build—will put your enterprise in a better position to manage the risk and minimize the business and brand damage.
“As legitimate business people,” said Rollo, “we can only see four percent of the internet, or ‘surface web,’ which is the open network. The remaining 96 percent of the internet—the ‘dark web’—is closed and not easily visible. This 96% of net use is where the majority of cybercrime exists, and it’s big business, totaling $2.1 trillion.”
Rollo continued: “Cybercriminals, or bad actors, are developing digital dossiers on individuals from various sources, creating 360-degree views of people, and they are for sale on the dark web. At the same time, legitimate businesses and brands are building big data CRM files about their customers to deliver the highly personalized brand experiences we all demand today. The more robust these legitimate CRM data bases get, the more valuable they are to cyber criminals.”
Rollo emphasized that marketers have been building their marketing technology stack with blazing speed to increase efficiency and effectiveness and deliver better, personalized customers experiences. According to Scott Brinker’s 2017 assessment of the martech landscape, there are just under 6,000 new marketing tech tools. The typical number of martech applications an enterprise has is 84, and most of these tools are cloud based. Over half of these new martech companies are less than three years old. Though marketers can do amazing things with these tools, such as create highly personalized customer experiences, the new tech platforms create a shadow IT environment that can be a cybersecurity risk for the enterprise.
The reality of cybersecurity is that “complexity is the enemy of security.” The more complex your environment, the less secure it is. So, as the martech stack grows, complexity increases, which decreases security. On average, only 10 percent of marketing departments that adopt these new tools put their vendors through a rigorous security assessment. And, 53 percent of IT departments reported that breaches come from third-party suppliers—a huge risk. CMOs must be aware of this and focus here.
Said Rollo: “To get a better understanding about the CMO’s cybersecurity risk, RSA surveyed over 300 marketing and IT professionals with headquarters in North America. The primary objectives of the survey were to gain an understanding of how both functions think about security in the context of a digital transformation, and how well IT and marketing teams collaborate to ensure that proper security measures are taken when modernizing their marketing engines and adopting new marketing tools.”
The survey’s key findings are eye opening. Here are some of the highlights:
- Marketing organizations don’t fully understand the business and cybersecurity risks associated with the digital transformation of modern marketing.
- Marketing departments might unknowingly be putting their organizations at risk during digital-infrastructure transformation.
- Considerable discrepancies exist between marketing and IT respondents’ perceptions of collaboration and effectiveness during transformation.
- Marketing is largely unaware of security protocols and crisis communication plans in the event of a security incident.
Other highlights from the survey:
- The marketing function has low awareness and understanding of cybersecurity.
- 42% of CMOs are not involved in cybersecurity discussions.
- 37% report having a breach communications plan.
- 75% of IT departments believe that marketing is the most likely cause of a cybersecurity breach.
- 45% of incidents had something to do with martech or the marketing function.
- 73% of IT departments do not monitor cloud applications.
- 74% of marketers said that cybersecurity was not a major priority when selecting a martech vendor.
- The marketing function generally doesn’t know breach protocols, the types of sensitive data they have, and how their infrastructure works.
The business of security
So, what does all of this mean to CMOs? “According to Gartner,” said Rollo, “marketing is spending more money on IT than the technology department, which means marketing is in the business of IT. And if marketing is in the business of IT, we’re now also in the business of security. What this also means is that cybersecurity isn’t a security and IT issue—it’s a business and brand issue that CMOs must be accountable for.”
Rollo went on to point out that the irony is if marketing causes the breach, they are generally the function responsible for repairing brand reputation, trust, revenue, and all of the other things that marketing is generally measured on. “The business implications can be severe,” she said. “CMOs must know the risk they’re putting their organization in through digital transformation.”
In the end, according to Rollo, marketers need to proactively bring IT and the security teams together, if they are in separate groups, to manage data security more than ever. “The modern marketing infrastructure, with all of the cloud-based martech automation we use, is a front door to sensitive information. Marketing leaders must proactively do all that they can to be more security-aware and partner with our CIOs and CISOs to be sure we have end-to-end security strategies for our enterprise infrastructure.”