Why CMOs should be paying more attention to cybersecurity
- 06 July, 2016 09:48
There aren’t many marketers who would rate their ongoing interest and involvement in their company’s cybersecurity defences as ‘high’.
But for Carilu Dietrich, San Francisco-based head of corporate marketing for Australian-born collaboration software maker, Atlassian, checking in on the status of its ‘severity 1’ support tickets is part and parcel of the job. And it is not just Atlassian she is worried about.
“First and foremost, we worry about the impact of cyber incursion on our customers - their data, their privacy, their content, their source code, their reputation with their customers,” Dietrich says. “Our collaboration software is such a central part of the way our customers do business, and we have a huge responsibility to protect them and their data.
“We take that responsibility very seriously, and work hard to maintain and grow their trust. We are constantly on high alert, modelling, monitoring and responding to security threats of all types.”
Keeping track of incidents allows Dietrich and her team to understand how customers might be affected, and how Atlassian can be proactive, transparent and helpful with communications and resolution plans. And unusually for a marketer, this also means she has a great partnership with the company’s security group.
“They have their specialist skills, and we have ours – both are needed for us to protect and inform our customers in the best way possible,” Dietrich says.
Branded with security consciousness
It is a situation that is relatively commonplace among marketers within technology firms – particularly those whose companies play a role in either hosting or securing their customers’ data. But step beyond the realms of the IT industry, and it’s rare cybersecurity gets a mention within marketing circles.
Unless something goes wrong, of course.
High-profile cyberattacks, such as those launched against Sony, Ashley Madison and Target in the US, shone a light on the connections between cybersecurity and marketing, particularly with regard to the potential damage to brand value.
While marketers often discuss brand safety in terms of not wanting their brands to appear in publications or websites that might lead to negative associations, surprisingly little attention is given to ensuring brands are not the victims of bad actors from the darker corners of the Internet.
Partner in cybersecurity at PwC, Richard Bergman, frequently talks to company boards and senior executives about the connection between brand, reputation, trust and cybersecurity.
“I don’t think companies are taking their existing brand’s value and connecting that to cybersecurity and how it could be impacted,” Bergman says. “Boards, senior execs and marketing are still struggling to understand how to manage ‘cyber’ as a risk, and they are not quite treating it as a whole-of-enterprise risk or something that can have a significant impact to their brand.”
The data, however, tells him they should. Research by PwC shows that, of all the cybersecurity incidents that took place globally in the last 12 months, 22 per cent of companies experienced an impact to their brand or reputation, 17 per cent lost customers, and 10 per cent of companies wound up in some form of lawsuit or litigation.
The lack of engagement of marketers is a phenomenon also noted by Peter Ruchatz, CMO for data backup and availability specialists, Veeam. He says other marketers rarely participate in conversations relating to cybersecurity or the general availability of data and systems.
“Especially in not-so IT or technology focused companies – they look at me and think ‘what are you talking about?’” he says. “But we are in transition right now, and very soon marketers will realise their products and services are delivered mainly through software. And when the service is out, or the data is not available, they are out of business.
“Few companies make the connection to overall brand experience and impact that this might have. But if you really want to be responsible for the brand experience as the CMO, you cannot just wait until something happens.”
Why CMOs should make IT and security incidents a priority
The key reason for the disconnect may be cultural in nature. Marketing functions have traditionally been removed from the IT function, where cybersecurity tends to reside. However, the rise of digital marketing has brought the two groups much closer together, even if the languages spoken by each are not yet common.
These language barriers are much lower at a company like Atlassian, where Dietrich says security and marketing teams work together to actively and transparently alert customers to issues, and work to have customers adopt secure practices.
Just because a company does not live in the technology sector does not mean it is safe from attack, however, as was demonstrated with Target. Dietrich cautions cybersecurity has the potential to damage companies in all industries by undermining the ability of marketers to build brand affinity, customer loyalty and sales.
“Handling security incidents should be top of mind for every CMO,” she says. “It's a huge legal, PR, social media and customer trust risk – and an opportunity to earn trust if you do it right.
“Top marketers should all have an active interest in helping brainstorm potential threats and being prepared to protect and respond. Many companies already do this as part of their crisis communications planning with PR teams. They should seek to learn what real threats concern their security group, identify if there are proactive ways they can protect their customers through communications, and have plans in place to act quickly should the worst happen.
“Developing relationships with the security team, identifying first responders from marketing and other groups, and identifying a crisis communications external agency before you need them are all good places to start. You don't want to build all those relationships at 2am in the heat of a disaster.”
The concept of having an incident response team that includes marketing and public relations executives in prominent roles is gaining favour, especially as the attack against Target actually generated more damage from the company’s messy response than from the hack itself.
Bergman says brands are advised to think about their response to a hack in a similar way to how they might handle a product recall.
“If it is done badly it will erode customer loyalty and trust faster than the incident itself,” Bergman says. “It is not about the loss of customer records or the financial damage, how you react and respond to it, and how the general population sees you react and respond to that, has a bigger impact on your brand than the actual incident.”
He cautions many brands may have no choice about taking cybersecurity more seriously, should the Australian Government introduce proposed legislation for mandatory reporting of cyber breaches.
For many, that means a lot of work has yet to commence. Ruchatz recommends one of the first steps for marketers should be to engage in a dialogue with IT to negotiate service-level agreements for security and availability. This should be a two-way conversation, with IT explaining which systems are critical to customers and marketing, and marketing explaining which data is most critical for its operation and sensitive to its customers.
This also means marketers understanding what the recovery options are from a breach, in terms of how often backups are taken and how quickly they can be restored.
“Right now, most companies haven’t really cared for this in a way that they have a reliable service-level agreement or even something they could promise to their end customers, so they try to avoid that topic and exclude it from the marketing message,” Ruchatz says.
Getting the support of the board
Another path of action is to raise the topic of cybersecurity and brand damage at higher levels in the organisation. Chief executive officer at the Australian Information Security Association (AISA), Arno Brok, says cybersecurity is an issue that should come from the top of the organisation down.
“It is not an IT problem,” he says. “The IT guys will do their best, but at the end of the day they have limited resources and limited capabilities.
“The business has to drive it. If the CEO, CFO and the whole board actually understand cyber risk, and they understand that they have to have a plan in place, it should be a business driver to do better security. People should think much more from a business sense, rather than ‘what happens if we get breached?’
“They should be asking how can they make their business more secure, and then attract more business as a side effect.”
The value of taking a greater interest in cybersecurity is not just defensive, either. As more organisations seek to gain access to customer data, Bergman says it’s likely customers will become more interested not just in how that data is being used, but how it is being protected.
“There is a real opportunity for companies, and particularly digital and online companies, if they can be trusted from a cyber point of view then that will help them win market share,” Bergman says. “But I don’t think anyone has made that part of their core strategy.”