Marketing technologists: Here are eight steps to boost your info security
SapientNitro CTO Sheldon Monteiro summarizes his MarTech 2016 presentation on this evergreen topic.
Like centaurs, marketing technologists are merged creatures — part marketing, part IT.
As such, says Chief Technology Officer Sheldon Monteiro of digital marketing agency SapientNitro, they are central figures in helping marketing merge its needs with the requirements of information security.
Monteiro, along with Publicis Groupe Chief Information Security Officer (CISO) Thom Langford, presented eight steps toward information security for enterprise marketing technologists at our recent MarTech 2016 conference. We caught up with Monteiro to get a little more background on the recommendations.
To begin with, marketing technologists’ skillset clearly needs some upgrading. In a study of about 300 marketing technologists’ skills and attitudes that SapientNitro did in 2014 with Scott Brinker, program chair of the MarTech conference, the weakest of ten self-assessed job skills was “information security/firewalls/encryption/data recovery.”
And it’s an upgrading that has no small amount of urgency attached, given the cost and growth of security lapses.
According to a 2015 study by the Ponemon Institute, for instance, the average cost of a data breach is $3.79 million. Cryptography Research notes that “the number of new digital security threats has increased 10,000-fold in the last 12 years.”
Botnets, pharming, phishing, worms, spam, spoofing, spyware, viruses: the list of threats only grows longer, so Monteiro and Langford recommend that marketing technologists settle in for a cultural change. Here are their eight recommendations:
- Embrace a security culture
Staff should be given ongoing policies, discussions, and workflows that maintain and highlight security, so that security-consciousness becomes second nature. People should know immediately, for instance, not to reuse the same username and password across multiple logins, since one compromised credential then opens many doors.
- Get to know your CISO (Chief Information Security Officer)
Do you know the person who’s in charge of enterprise-wide security issues? If not, it’s a good idea to become a regular acquaintance.
- Get your team assessed
A 2015 National Security Agency study reported that more than 40 percent of security threats to enterprises came from non-malicious insiders, with the balance from malicious insiders, hackers, nation-states, or cybercriminals. Non-malicious users, for instance, lose data by losing thumb drives. Monteiro points out that the assessment should cover a range of issues, starting with whether individuals’ access to data is accompanied by the right controls. You assess for security just as you assess for functional needs, he noted. As a starting point, teams and practices should be assessed against the best practices of the Open Web Application Security Project (OWASP).
- Educate on the basics
The assessment should uncover the specific areas where staff need education, such as knowing not to click on anything they are unsure about in email or on the web.
- Architect, build and test for security
The development team needs to embed security practices and standards into its processes. Test your systems regularly for vulnerabilities, for instance with Metasploit, a security-testing (and sometimes security-exploiting) tool.
- Leverage security from the start
Monteiro discounted the common idea that “you can have security or functionality or usability, but not all three.” In fact, he said, “if you bring in security from the start, you won’t have to make tradeoffs.” Tradeoffs happen when you wait, he said.
- Partner with Legal, HR, Procurement, and 3rd parties
Companies need to understand the level of security of each software product they use, which admittedly can be a daunting task: martech alone has nearly 4,000 vendors in Scott Brinker’s newest Landscape, for instance. When necessary, bring in third parties to help you “kick the tires.”
- Incident management
It’s not a question of whether there will be security incidents, but when. To prepare, have a response plan in place before an incident occurs. Monteiro noted that it takes the average large enterprise 223 days merely to discover that it has been compromised. When an incident happens, he said, enterprises should immediately address their security gaps, maintain their brand integrity by honestly presenting the facts and owning up to the issues, and be prepared to manage their shareholders.