How Marketers Can Help Protect Their Firms From A Cybersecurity Attack

This article is more than 6 years old.

As part of a series exploring cybersecurity and its impact on consumers, marketers, and marketing (see here for Part 1, Part 2, Part 3, Part 4, and Part 5), I talked with Holly Rollo, the CMO of RSA, a Dell Technologies business. RSA solutions enable customers worldwide to deliver business-driven security strategies. The following focuses on how marketers can help protect their firms from a cybersecurity attack.

Kimberly Whitler: In prior articles, we’ve talked about what cybersecurity is, the degree of threat firms face from an attack, who manages it, and why CEOs/CMOs should care. Let’s assume you’ve convinced firm leaders. What steps can a CMO take to help protect customer data?

Holly Rollo: The basis of a modern marketing engine revolves around a web platform and the supporting systems, marketing/customer databases, automation, operations, analytics tools and connections to CRM, ERP, and a whole host of other systems. There are bells and whistles galore that can be used to capture, score, manage, nurture, clean, append, correlate, analyze, and connect customer and prospect data for the purpose of promoting, selling, enabling selling, syndicating, replicating, or socially promoting anything you can imagine.

We must build our modern marketing infrastructures with security in mind, partnering directly with the CIO or CSO on it. It is important that we drive a conversation about how the IT security teams can better protect the marketing infrastructure and respond in the event of a breach. We must also insist that vendors go through security audits and that we ask as many questions as we can about their ability to protect and defend our data and any possible entry points into our environment that can affect other parts of the business.

There is an incredible learning opportunity right before a new website is pushed live, when all of these tools are put together for the first time, to partner with IT to run a breach scenario in the test environment and see what happens. How does the marketing organization respond, how does IT respond, where are the gaps in response, how long did it take, who was involved, how was it handled? This is a time when marketing can also act as a change agent for better security practices and SLAs overall as it relates to response.

Whitler: Any additional ideas for marketers who want to get more involved in cyber security?

Rollo: Certainly marketing already helps in managing sensitive internal communications, but they can also offer security teams messaging and internal delivery mechanisms for security awareness programs. Again, outside of very large companies where security or IT may have their own dedicated communications function, more and more I’m seeing this fall on marketing’s plate. This is an excellent way marketing can step in as a positive change agent.

As another example, marketing is on the front lines of communications when a breach happens. Therefore, I would strongly recommend having a crisis communication plan put in place as soon as humanly possible. If 75% of organizations think they are exposed to cyber risk, that means there’s a good chance that you’ll need to use that plan. There is nothing worse for a company than to be trying to figure out how to communicate a data breach while it is happening. Preparing for and managing a breach must be part of a company’s security strategy.

Firms should conduct a risk assessment to identify scenarios that would require communications with all stakeholders. Other essential elements of a crisis communications plan are the need to coordinate the release of information and the consistency of message. Preparation can take many forms such as tabletop exercises or simulations. The important part is to engage someone with the experience to help designate roles and responsibilities and ensure the breach will be handled well.

Again, large companies typically have this as a dedicated function around crisis communication, but private, mid-sized or smaller businesses or entities may not have this as a role, nor have they engaged a crisis communication agency to help them create a plan.

Whitler: Do all breaches require a crisis communications effort?

Rollo: What’s important is that there is a breach response plan and in that plan there is a communication component. First, know your disclosure policy (well, first, do you have one, and do people understand it?), build for the worst-case scenario, and then work backwards from there. It’s important for the entire executive team to understand what gets disclosed to whom, what constitutes or gates disclosures, how it is communicated, who communicates it, who are the spokespeople for which aspects of the communication, how are customers contacted, and what the internal messages are.

Also, reputational harm can be caused by compromises that aren’t actually real. Here’s a hypothetical scenario. A hot new IPO creates the latest home IoT gadget, and they are going into the Christmas season. At the same time a hacker goes into a forum and brags to a closed group that the device can be hacked. Someone else posts on a different forum and a newspaper picks it up and a news cycle begins. The company, which doesn’t have a Chief Security Officer or a sophisticated security program, denies it can be hacked and gives some technical reasons why, which hackers love to take as challenges. Hacker forums go nuts and hackers try to compromise the device, with some claiming success. The mainstream media doesn’t know the technical hairs being split on whether it’s a hack or not. Legal advises that no one says anything so rumors aren’t managed. Customer service gets flooded with calls; stock goes down, sales stall…all during the holiday season and closing out Q4…and there may have never actually been an intrusion.

This kind of story is why EVERY company should think through breach scenarios and at least create a communication plan. News cycles don’t wait for investigation and fact finding, so have a game plan.

Whitler: To summarize, how might marketing involvement change the firm’s data security management or management of a data breach?

Rollo:

As responsible marketing leaders, we MUST play a role in cybersecurity.

1. We all need to get and stay smart on cybersecurity and understand what the risk is in our marketing infrastructure.

2. We must build our modern marketing infrastructures with security in mind, partnering directly with the CIO or CSO on it. It is that important. Drive a conversation about how the IT security teams can better protect the marketing infrastructure and respond in the event of a breach.

3. We must insist that marketing vendors go through security audits and that we ask as many questions as we can about their ability to protect and defend our data and any possible entry points into our environment that can affect other parts of the business.

4. If your company doesn’t have one, build a crisis communication plan for a breach whether or not it’s considered your job. If you need a motivator to get people behind it (or just an adrenaline rush), stage a breach exercise for an offline version of your website in partnership with your CIO and see what happens. In building your plan, force a discussion about disclosure policies and get straight about the definitions and protocol for communication.

5. We need to help our leadership team understand this isn’t a technology problem, it’s a business problem. We can help our business by taking the lead to communicate internally to employees about the risks of cyber threats and help IT educate everyone on keeping credentials safe and hacking tactics so everyone can be smarter.

Join the Discussion: @KimWhitler and @HollyRollo