The partnership between IT and marketing is in its infancy, but now it has to grow up, and fast. Companies have until 2018 to upgrade the digital security of their martech systems, or risk hefty fines in the event of a data breach. This was the conclusion of RSA’s CMO Cybersecurity Report, issued in August of this year.
Driving this urgency is the European Union’s implementation of its General Data Protection Regulation (GDPR), due to go live in 2018. The catch is that the rule attaches to any data gathered in Europe, following it no matter where it goes inside a company, even if the data is stored outside of Europe, noted Holly Rollo, RSA’s CMO.
Now for the bad news. In case of a data breach, the company owning the data only has 72 hours to notify those affected and take steps to mitigate the damage. Failure could result in fines up to 4 percent of a company’s revenue. “It’s the first regulation ever with teeth like that,” Rollo said.
IT and marketing are well-partnered in many companies. It is a natural marriage, as IT has the data that marketing uses to find customers and convert their product interest into sales. Despite this partnership, both departments have different starting points and different views on IT security.
In the RSA poll, cyber risk exposure from marketing was a major concern for IT departments, with 75 percent of respondents flagging this as a major weakness. This worry was only shared by 44 percent of marketing respondents. About three-fourths of IT and marketing respondents recognized that “shadow IT” and other workarounds were an operating reality in their companies.
This is where a systemic vulnerability emerges. Marketing is making the fullest use of cloud-based marketing technology, but adds these “tools” on incrementally as needed, Rollo observed. “They’re adopting a dozen or two dozen tools and patching them all together.” Yet in large companies, seven out of ten IT departments are not looking at this systemically. “IT has a pretty full plate already,” Rollo said.
Budgeting practices aggravate the problem. At the end of the quarter, any extra money could be used to “buy another tool” for marketing, Rollo continued. “No one is talking about it as infrastructure,” she said. “Marketing leaders aren’t considering these things as an area of business risk.”
Companies need to monitor and manage their IT systems with security in mind. Yet making the business case for security is a challenge. “You can’t show the efficacy of security,” Rollo said. “Linking the details of security with a business context is the next step.” A fine equalling four percent of annual revenue will get the attention of executives of a large company. For a medium-sized company with a thinner profit margin, a fine that big could be an existential threat, Rollo noted.
There are only four months to go until 2018. Companies are still getting up to speed on the EU’s GDPR. No one quite understands how this rule will be enforced, Rollo said, or which company will be tagged first as an example to others.
Smaller, high-growth companies need to pay special attention to data security, the report added, as a data breach can be more damaging. Eighty percent of investors will not take a chance on a smaller firm that has suffered a data breach, Rollo noted.
In conclusion, every company should do these five things:
- Stay smart about cyber-security
- Take responsibility for the security of your martech operation
- Make security a key factor when choosing vendors
- Partner with IT on roadmap and monitoring strategy, and
- Be sure to have a breach communication plan in place.
RSA is in the business of providing IT security solutions for large corporations. It periodically issues reports examining various facets of cyber security.