RSA’s chief marketing officer talks about why marketers are now in the business of IT security and how to minimise risk in the face of digital marketing transformation
Marketers must not only be in the business of IT today, they need to be in the business of IT security.
That’s the view of RSA Security’s CMO, Holly Rollo, who spoke at this week’s Marketo Marketing Nation summit about why marketers need to up the ante on their understanding of cybersecurity in the face of increased marketing technology investment and digital transformation.
RSA’s CMO Digital Transformation Study, which is being released this week, found the marketing function has low awareness and understanding of cybersecurity. Yet marketing is considered the function most likely to cause a security incident, according to 75 per cent of IT departments. The research also found 45 per cent of the incidents IT departments have today had something to do with marketing technology or the marketing function.
“According to Gartner, we’re spending more money on IT than the technology department, which means we’re in the business of IT. And if we’re in the business of IT, we’re in the business of security,” she told attendees.
There are a number of reasons why, Rollo said. Firstly, three-quarters of marketers and IT executives surveyed agreed marketing is knowingly using IT workarounds and shadow IT as they build out their marketing technology systems. In addition, security is not a major decision factor in evaluating vendors for the marketing function, she said. Data sensitivity, impact threshold and protocols are not well understood, either.
Rollo pointed to the startup nature of many of the martech and adtech platforms in the market today, noting half the companies listed on Scott Brinker’s infamous martech lumascape are less than two years old.
RSA’s research also found 42 per cent of CMOs are not involved in cybersecurity discussions, while only 37 per cent report having a breach communications plan.
“What marketing doesn’t know is the protocols in the event of a breach, what types of sensitive data they have, how their infrastructure works, where it is, and who is monitoring it if anyone, and how long it will take to complete their digital transformation,” she said. “The irony is if you cause the breach, you are also responsible for the PR to try and fix it.”
The business implications can be severe. Rollo noted 80 per cent of investors would be discouraged from investing in a hacked company. “You need to know the risk you’re putting your organisation in as you go through digital transformation.”
To help, Rollo provided a checklist of five things marketers can do to minimise their exposure to security risks. The first is to increase their cyber awareness and better understand the risk.
“Understand what’s going on and share what you learn with your peers,” she advised.
Rollo’s second piece of advice is to take accountability for the security of your marketing technology by asking the question of both vendors and third-party suppliers such as integrators and implementers. It’s also important to make security a key decision factor when choosing vendors.
Another big one is to partner with IT on your roadmap and monitoring strategy. “Some companies I talk to from a marketing standpoint will have a three-year plan, and might be doing the website now, progressive profiling and some scoring… but don’t have a plan for next year,” Rollo said. “Wherever you are, make a plan and document it, and share it with IT so they can properly resource it.
“Part of the problem is IT is thinking about their core infrastructure, their network, and also in terms of major implementations like ERP, CRM or HR. When we think of marketing systems, we’re not using that language… we’re saying we’re implementing this scoring tool, for example. But IT needs to understand we’re implementing an entire platform, that it’s going to take three years and could include 45 tools. Then they can resource it properly.
“I’m not convinced that as marketers, we’re asking for help in the right way.”
Rollo’s final piece of advice is to advocate for or create a breach communication plan. “I doubt DNC [Democratic National Committee] thought it was a target,” she said, referencing the party’s exposure to cyberattack in 2015 and 2016. “Any company is a target. You may not be interesting, but you may know someone who is.”