Marketers often focus on cybersecurity best practices after there is an incident, though experts say that needs to change to improve a company's chances of surviving a cyberattack.
Marketing departments are not considered vital cogs when it comes to securing a company's digital assets—that is, until something happens. Then marketing teams get busy, as they're the ones who explain what happened and relay the company's position going forward to affected customers and the media.
"It is time for marketers to become educated in the threat landscape, understand how to respond to threats, and take a leadership role in communicating to customers," writes Norman Guadagno, senior VP of marketing and chief evangelist at Carbonite, in his Medium article Marketers, You Will Be Hacked. "Just as we embraced the language of big data and analytics to reinvent marketing, we must now embrace the language of cyber-security—and maybe invent new language—to reinvent how we communicate to increasingly wary customers."
What marketers should do now—before a cybersecurity incident
Guadagno believes marketers need to be more involved before a cybersecurity incident. They should understand:
- What data the business controls;
- Where the data is stored;
- The relative value of the data; and
- Ways in which a cybersecurity incident can occur.
In order to achieve this kind of involvement, Guadagno suggests, "They (CMOs) have to form tight partnerships with the CFO, CSO, and CSIO so they can be seen as knowledgeable, valuable partners."
Sam Bocetta, a now-retired security analyst with the Department of Defense who has 30 years of experience, agrees with Guadagno. In his Marketing Land article, Cybersecurity for marketers: Teamwork is key to protect data, he writes:
"Marketing teams should regularly reevaluate how they approach cybersecurity—especially during a merger and acquisition—and work in tandem, not separately, with the IT department."
Why marketing departments are cybersecurity targets
Because of what they do, marketing departments are potential cybersecurity risks themselves, and digital bad actors are well aware of it. "Since marketers are more closely connected to networking on social media, they share a lot of close-to-home data," writes Bocetta. "It can turn into a simple endeavor for cybercriminals looking to social specialist their way inside an organization."
According to Bocetta, attackers employ social engineering to get marketers and their assistants to open or click on fake solicitations, sent by email or other messaging applications, with the intent to infect the victim's digital device with malware. It's a common ploy, but marketing departments are particularly prone to spearphishing, since it's their job to check out what may appear to be a business lead.
Bocetta points out additional areas where marketing teams need to be cautious:
- When working with outside vendors and software programs that require the exchange of delicate and confidential company information;
- When installing new marketing tools, marketing personnel need to collaborate with members of the IT department, in particular, those responsible for cybersecurity, to ensure company and customer information remains secure; and
- During each new merger or acquisition, as either can create or expose new vulnerabilities.
Marketing pros should help, not hinder, cybersecurity efforts
"Marketers can resign themselves to being targets or risk factors, or they can become champions of the CISO's office," suggests Juliette Rizkallah, CMO at SailPoint, in the Forbes article The Role Of Marketing In Cybersecurity. "Creating a culture of cybersecurity in an organization requires the talent of a marketing department that, campaign after campaign, will reiterate the importance of security training, good password hygiene, physical security enforcement, social engineering awareness and so on."
As one might think, teaming up the CISO and CMO seems odd. But Rizkallah's employer, SailPoint, provides on-premise and cloud-based identity-management software, which would suggest that everyone, including marketing personnel, needs to be focused on cybersecurity.
"Our marketers pride themselves on avoiding social-engineering traps and complying with security-technology council rules," adds Rizkallah. "The marketing employees are the best megaphones a CISO can find to recruit more champions or—as we call them at SailPoint—'security heroes' in the organization."
A commitment to the company's cybersecurity stance
Guadagno, Bocetta, Rizkallah, and others are concerned that too many marketing departments are not committed to doing their share to improve their company's cybersecurity stance.
"Marketing and advertising teams should regularly reevaluate how they approach cybersecurity—especially during a merger and acquisition—and to work in tandem, not separately, with the IT department," concludes Bocetta. "Security programs and processes should be woven into everything that digital marketers do, making them genuine stewards of information-security best practices."