Cybersecurity is Not an IT Issue, It’s a Business Issue

Security Roundtable recently had the opportunity to talk with Zulfikar Ramzan, PhD, CTO, at RSA, after his keynote “AI: Boon Or Boondoggle?” at the recent SXSW event, in Austin. You can watch the session on demand and read along with his slides. Ramzan’s message to CMOs is to engage your CISO and your C-suite if you haven’t done so already and be part of your company’s cybersecurity command. Read on for more.

Security Roundtable: If you were speaking to a group of Fortune 1000 CMOs—assuming that they know very little about cybersecurity and have not been pulled into C-suite conversations on cybersecurity—what are the three most important things you would say to them?

Ramzan:  The first thing to think about is data. The marketing team probably deals with more data than any other function in the enterprise, and it can be quite sensitive data, given the move for brands to deliver personalized experiences to customers. So, you need to understand what data you have, how are you collecting it, how are you storing it, where it is stored, who is protecting the data, how are you sharing it, and who has access to this data. 

Second, think about how you want to engage with the rest of the organization from a cybersecurity perspective. At some point, you have to have this engagement because you are dealing with mission-critical data and you’ve got to have the right level of engagement with your CISO and the entire cybersecurity team at the right level.

The third thing to think about is how you see your CMO role evolving as part of the broader cybersecurity posture of the company.  The reality is that marketing is ultimately responsible for outbound communication regarding what the company is doing. Marketing is the interface between its customers and partners. . . and when a breach or incident does happen—even if it wasn’t marketing related—it is generally the marketing function that has to respond to that incident and explain it externally and internally. If your cybersecurity team is not engaging you in this process upfront, then they are being remiss in their responsibilities. So, be proactive and engage them.

Security Roundtable:  What are some best practices you’ve seen involving CMOs and CISOs coming together as a proactive, incident-ready, collaborative cybersecurity team?

Ramzan:  Good question. . .because it is not a question of if they are going to get hacked, because they will be hacked.  So, first you need a cohesive cybersecurity team to be formed before the inevitable breach happens, and each function clearly knows its role.  So, for me, the common denominator is, “What is the business we are in and what are we trying to achieve?” We are seeing the nature of the security organization changing. Five or ten years ago, CISOs were very focused on threats, they were very technical. For them, they were the “No” person in the organization. This has changed entirely. Frankly, your security people don’t want to be the “No” person. They need to think about what the organization and business units are trying to achieve, and everything has to be articulated in these terms.

The bottom-line is that the business mission will win out over all other issues. So, as the CMO, make sure when you engage your CISO and C-suite that you articulate very clearly the business mission of your department and what you are trying to achieve. What’s key is to engage your CISO to help you solve a business problem, not a security problem. Don’t ask, “Can I do this?”  Instead, say, “Here’s the business problem I’m trying to solve. How would you recommend I solve it, and what are the ramifications?” As my RSA CMO Holly Rollo says: ‘Cybersecurity is not an IT issue. It is a business issue.” When an incident happens, everyone’s neck is on the line.

Secondly, keep track of the applications and martech tools you are using—what data is being sent to these?  How are you and your team connected to or accessing these tools. . .do you have a password?  Who knows this information?  And, are you following good security hygiene practices? In other words, don’t use the same password across all tools. We love to talk about Ocean’s 11 types of security breaches, but, the reality is, most incidents are 7-Eleven smash and grabs, with bad actors breaking in, taking something, and quickly running out. Basic security hygiene can go a long way.

Security Roundtable: Marketers are gathering enormous amounts of personal data about their customers to meet their expectations for highly personalized brand experiences. But, on the flipside, all of this personal information is so attractive to the cyber-criminals. What is your advice about this?

Ramzan: This is a classic business and security conundrum. The business case says that we have to provide the best possible personalized service to our customers. Yet, at the same time, there are risks to collecting the personal data needed to do so. My advice is to take a risk-driven view. Understand what you are trying to achieve from a business standpoint and also understand your security posture. Consider other ways to achieve the same business goal. Figure out how to mitigate your security risk. Make an intelligent risk tradeoff.

Security Roundtable:  What additional advice do you have to build a best-practice cybersecurity environment?

Ramzan:  First, to be a best-practice proactively prepared cybersecurity enterprise, the CEO, C-suite, CISO, and Board need to collaborate on cybersecurity, and you need the right governance model in place. You should also have MBOs in each C-suite leader’s group dealing with cybersecurity metrics to get alignment across the enterprise. The reality is that the CISO faces a tremendous challenge, in that they are often responsible for finding security issues, but rarely do they have the authority to fix them. They don’t own the application, they don’t own the infrastructure, and might not own the budget, yet they have to fix problems in these security-related areas.  CISOs need help too.

Lastly, even with the most aligned C-suite, when a breach occurs, your organization needs to be agile, adaptable, and flexible so that you can move strategically, smart, and fast. No breach can be fully anticipated and fully scripted out. Have the right frameworks in place, have a check list with ‘If-Then’ scenarios, and be prepared to improvise collaboratively.