As EU’s GDPR nears, RSA’s CMO warns of security threats within martech infrastructures
Holly Rollo will be a panelist for the MarTech Boston session, "Digital Marketing and Cybercrime: What Every Marketer Should Know."
Between the multitudes of consumer data now collected daily by marketing organizations around the world and the EU’s coming enforcement of its General Data Protection Regulation (GDPR), cybersecurity has never been more of a priority for CMOs.
As the lead marketer for RSA, Holly Rollo has a unique perspective on cybersecurity issues within the martech community.
“RSA has been around for decades, doing a lot of cybersecurity and advanced threat research,” says Rollo. “I’ve learned a lot about the threat landscape and the lengths bad guys go in order to steal or abuse information.”
After leading marketing for two different cybersecurity software platforms, Holly Rollo was named CMO for RSA in April of last year. At this year’s MarTech Boston Conference, Rollo will be part of a panel discussing digital marketing and cybercrime.
“When I look through this lens, I get really concerned because marketing technologists and marketing leaders that aren’t in the security space don’t have the awareness of what’s going on, and may not fully understand the potential vulnerabilities of the marketing structures as they are setting them up.”
Rollo says she hopes to raise awareness around cybercrime and the threat of data breaches so that the marketing community can be more proactive when it comes to security.
What do you believe is the biggest cybersecurity threat marketers face right now?
Rollo: There’s a false assumption that someone in IT or legal has responsibility for the data, and that’s part of the gap. It’s not so much the type of data as the infrastructure itself having holes in it.
The biggest risk in building that infrastructure is not building it with security in mind, and working around IT in the first place.
There is a new data regulation that is going to be a game-changer starting in May of next year — EU’s General Data Protection Regulation (GDPR). It’s no longer just about getting breached — it’s going to be about breaking the law by not complying with GDPR, and there are significant fines associated with that.
It’s not about the individual vendors or the solutions that are primarily built in the cloud — it’s about how you connect them together and monitor the whole thing end-to-end.
For instance, your cloud servers and applications can be individually safe, and the individual vendors may have good ways for guarding cyberthreats. But the more complex your engine is, and the more tools you add, the more vulnerabilities it can create as the data flows across and between these applications.
The whole thing needs to be monitored and managed as a system, not the individual pieces.
Where are marketers failing when it comes to avoiding data breaches and security issues?
Rollo: When it comes to martech, we’re using a whole bunch of things — we’re using a dozen, two dozen different types of tools. And we go around IT, because traditionally, they’ve stood in the way.
I’m saying “we” generally — I don’t do that at RSA because I understand the threat. IT is totally involved with what I’m doing.
But traditionally, marketing people have learned to fend for themselves. They use outside contractors or they build shadow IT within their organization to help get tools implemented.
Also, sometimes at the end of the quarter, marketing people will get an influx of money to spend. We have a list of the things we want to buy and add to the engine. We want to buy this tool and this service. You get the security team to do an assessment and implement that one thing, but the IT team doesn’t understand the whole thing you’re trying to build. They don’t have the context to help you figure out how it’s going to be managed and monitored after the fact.
I don’t think marketing people generally have been good at communicating how their technology is an infrastructure. We talk about it like they’re just tools, and we don’t effectively communicate or help IT understand how big of an infrastructure we’re building — potentially outside of the walls the security teams may be looking at.
What about the costs of security risks? Is there a way to quantify how much money a data breach could cost a company?
Rollo: We’ve done a piece of research that says breaches are doubling every 15 months.
IT security teams are already overwhelmed with the amount of threats coming into the core enterprise that they monitor, let alone any shadow applications that they may or may not be monitoring. And nobody could quantify the cost of a breach.
If you look at some major breaches two or three years later, they can look back and say, “Actually, this breach cost us $100 million or $200 million.” But, that’s after the fact — you can never understand what the actual consequence is going to be.
In 2018, the GDPR goes into effect. It’s the first regulation of its kind to center around the protection of personal data for any citizen in the European Union.
A lot of companies are confused that it’s only a regulation that’s enforced in the EU, and that’s not actually the case. What the law does, it follows the data.
If you have any personal data that you’ve collected — for example, on a web form for someone to download a white paper from anybody in the EU, and it could only be their first and last name — if that person in some way feels that data fell into the wrong hands, or got shared with someone they didn’t want it to, they could report you as breaking the law.
The fines are up to 4 percent of all global revenues for a company that fails to comply with properly protecting personal data. So that means any company that has any data from any EU citizen needs to comply.
The front door of a company might be the marketing automation form. More companies are capturing hundreds of thousands of names a day from countries all around the world. So the main fault flows through that lead-waterfall, and it is shared across borders wherever those systems and applications are.
That’s where the law goes, protecting any possible way someone could come in and try to steal it, or corrupt it, through vulnerabilities, or access privileges, or an intentional use.
If one piece of personal information is taken, and you’re a billion-dollar company, you can be fined $40 million. That’s what the mistake would cost. Never before has it been that quantifiable.
In light of the GDPR, and the growing need for more in-depth cybersecurity policies, what are your top three recommendations for CMOs?
Rollo: I think it’s critical to partner with your security and IT team so that they understand your long-term vision for your marketing platform. This includes vendor evaluation assessments, and [in] what order you intend to implement these tools.
You also need to talk in IT language: It’s an infrastructure, not a tool. They’re not just tools and applications. And then, building that roadmap together, along with a monitoring strategy.
The tough part is some companies, especially if they’re small, may not have a chief security officer. They might have an IT network person who comes from an orientation of keeping the network up, provisioning laptops and that sort of thing.
Every company’s cybersecurity level of maturity is different, so it’s really important that marketing force the issue around how we are going to monitor all these tools, and making sure security decisions are a key factor when choosing vendors.
The second thing is to increase your overall cyber[security] awareness, and understanding of the business. The marketing people I’ve spoken to recently are starting to get asked questions by legal because of GDPR. Even the legal departments are trying to get a handle on what’s this risk going to mean — it’s not necessarily translating into a major awareness issue.
The third thing, and this is the cruel joke of it all, is a lot of companies don’t even have a breach-readiness plan in place. If a company does get breached or goes through an incident, it’s PR’s job to clean up the mess.
If you talk to a lot of different companies, marketing groups may not have a crisis-communication plan in the event that a breach happens, especially mid-sized companies who think they’ll never get breached.
You may have a plan if something happens to an executive, and you have to manage that. But a breach-communications plan is very different because it’s a reveal. The company is trying to understand what happened, who did it, what they were after, and what the consequences are.
Such a situation can sometimes create multiple news cycles for a company. It’s not a one-time event that can be managed by a traditional crisis-communication plan.
I think that’s an important thing companies need to think about.
If you’re headed to the MarTech Boston Conference, be sure to attend Holly Rollo’s session on Wednesday, October 4. As part of the conference’s technology track, “Digital Marketing and Cybercrime: What Every Marketer Should Know,” the panel will include MarTech Today’s own SVP of Content and Marketing Technology, Michelle Robbins, as moderator.