Marketing technologists: Here are eight steps to boost your info security

SapientNitro CTO Sheldon Monteiro summarizes his MarTech 2016 presentation on this evergreen topic.

Like centaurs, marketing technologists are merged creatures — part marketing, part IT.

As such, says Chief Technology Officer Sheldon Monteiro of digital marketing agency SapientNitro, they are central figures in helping marketing merge its needs with the requirements of information security.

Monteiro, along with Publicis Groupe Chief Information Security Officer (CISO) Thom Langford, presented at our recent MarTech 2016 conference eight steps toward information security for enterprise-based marketing technologists. We caught up with Monteiro to get a little more background on the recommendations.

To begin with, marketing technologists’ skillset clearly needs some upgrading. In a study of about 300 marketing technologists’ skills and attitudes that SapientNitro did in 2014 with Scott Brinker, program chair of the MarTech conference, the weakest of ten self-assessed job skills was “information security/firewalls/encryption/data recovery.”

And it’s an upgrading that has no small amount of urgency attached, given the cost and growth of security lapses.

According to a 2015 study by the Ponemon Institute, for instance, the average cost of a data breach is $3.79 million. Cryptography Research notes that “the number of new digital security threats has increased 10,000-fold in the last 12 years.”

Botnets, pharming, phishing, worms, spam, spoofing, spyware, viruses. The list of threats is only growing longer, so Monteiro and Langford recommend that marketing technologists settle in for a cultural change. Here are their eight recommendations:

  • Embrace a security culture
    Staff should be provided with ongoing policies, discussions, and workflows that maintain and highlight security, helping security-consciousness become second nature. People should immediately know, for instance, not to re-use their username and password for multiple logins, a bad practice because one lost username/password pair then opens many doors.
  • Get to know your CISO (Chief Information Security Officer)
    Do you know the person who’s in charge of enterprise-wide security issues? If not, it’s a good idea to become a regular acquaintance.
  • Get your team assessed
    A 2015 National Security Agency study reported that more than 40 percent of security threats to enterprises came from non-malicious insiders, with the balance from malicious insiders, hackers, nation-states, or cybercriminals. Non-malicious users, for instance, lose data by losing thumb drives. Monteiro points out that the assessment should cover a range of issues, starting with whether individuals’ access to data is accompanied by the right controls. You assess for security just as you assess for functional needs, he noted. As a starting point, teams and practices should be assessed according to the best practices of the Open Web Application Security Project (OWASP).
  • Educate on the basics
    The assessment should uncover specific areas where staff needs education, such as knowing not to click on anything they’re uncertain about in emails or on the web.
  • Architect, build and test for security
    The development team needs to embed security practices and standards into its processes. Regularly test your systems for vulnerabilities, for example with Metasploit, a security-testing (and sometimes security-exploiting) software tool.
  • Leverage security from the start
    Monteiro discounted the common idea that “you can have security or functionality or usability, but not all three.” In fact, he said, “if you bring in security from the start, you won’t have to make tradeoffs.” Tradeoffs happen when you wait, he said.
  • Partner with Legal, HR, Procurement, and 3rd parties
    Companies need to understand the level of security for each software product they use, which admittedly can be a daunting task: martech alone has nearly 4000 vendors in Scott Brinker’s newest Landscape, for instance. When necessary, bring in third parties to help you “kick the tires.”
  • Incident management
    It’s not if there will be security incidents, but when. To prepare, have things in place for the incident. Monteiro noted that it takes the average large enterprise 223 days simply to find out they’ve been compromised. When the incident happens, he said, enterprises should immediately address their security gaps, maintain their brand integrity by honestly presenting the facts and owning up to issues, and be prepared to manage their shareholders.

Opinions expressed in this article are those of the guest author and not necessarily MarTech. Staff authors are listed here.


About the author

Barry Levine
Contributor
Barry Levine covers marketing technology for Third Door Media. Previously, he covered this space as a Senior Writer for VentureBeat, and he has written about these and other tech subjects for such publications as CMSWire and NewsFactor. He founded and led the web site/unit at PBS station Thirteen/WNET; worked as an online Senior Producer/writer for Viacom; created a successful interactive game, PLAY IT BY EAR: The First CD Game; founded and led an independent film showcase, CENTER SCREEN, based at Harvard and M.I.T.; and served over five years as a consultant to the M.I.T. Media Lab. You can find him at LinkedIn, and on Twitter at xBarryLevine.
