
CISO, Meet CMO. CMO, Meet CISO.

I know, I know. This title sounds more like the start of a bad dating app than the title of a blog post, but these two seemingly different functions have much more in common than they think they do. Or they should.

by Betsy J. Walker

February 28th, 2018


Having these unlikely coworkers work closely together and understand each other’s roles is crucial to your organization’s security. I’ve read many research and thought leadership articles discussing the “digital partnership” of the CMO and CIO relationship, especially with the rise of marketing technology and tools. In fact, Gartner even predicted that CMOs will soon spend more on technology than CIOs will. While this partnership is important, I would argue that the CMO and CISO relationship is just as important, if not more so.

Marketers are your company’s lead generators and brand protectors. They usually know company news before anyone else and they help create the internal and external image of the company. They are also one of your company’s greatest vulnerabilities. Marketing has access to data – lots and lots of data from both external and internal systems. They have Admin access to all your organization’s social media platforms, such as LinkedIn, Facebook, Vimeo (to name just a few), and they are likely the only department accessing, updating, and managing those systems. Marketing also has access to your corporate websites, marketing automation software, customer portals, and your CRM tool that contains your customer data, sales data, and in some cases, customer contracts. In fact, most marketing departments have so many different logins and passwords to systems that they struggle to manage these credentials in a way that would make any CISO proud (that is, not written down in a notebook or on a yellow post-it on their desk).

A commonly overlooked area in marketing departments is their use of multiple third-party relationships. Marketing teams, in small and large organizations alike, are using more and more vendors to help them do their jobs. PR teams, graphic designers, digital marketing agencies, SEO experts, website developers, and videographers are just a few of the third-party relationships that marketing teams rely on. Many times, these vendors need Admin access to external and internal systems to do their jobs properly. This creates a big concern for CISOs. Last year, Deep Root Analytics, a marketing agency that helps with targeted television advertising and a vendor to the Republican National Committee (RNC), was identified as the source of the breach that compromised 200 million personal voter records. The vendor had more than a terabyte of data stored on an AWS cloud server without the protection of a password. Anyone with the URL could find and access this personal voter data.

Marketing teams work with large data sets every day. Many times, multiple vendors have access to these files, and the data gets passed back and forth in many different formats and from many different applications, making this a nightmare for a CISO. However, this should also be a nightmare for a CMO. CMOs cannot afford to let a data breach occur within their department and should be working together with their CISO to ensure that security policies regarding passwords, systems access, and vendor access are put in place and are followed by all marketing team members.

Some recommendations? CISOs, get to know your marketing department today. Know what technologies they use and know what third parties have access to those technologies. CMOs, make sure you understand your company’s security policies and that your department is following them. Work together with your CISO to maintain an up-to-date list of marketing vendors and ensure that each vendor is properly assessed and continuously monitored to help reduce risk to your organization.

On a personal note, I treat security very seriously in my department. I also have a great relationship with my CISO. I would encourage every marketer to do the same.
