Campaign management systems vendors are realizing a simple truth: They have to support multiple channels, particularly e-mail and the Web. Over the next 12 months, about 75 percent of CMS vendors are expected to begin offering e-mail support (.7 probability) and 25 percent will offer personalized Web capability (.7 probability). This bodes well for clients looking to be able to synchronize their campaigns across channels other than direct mail. However, in firms’ exuberance to adopt these upgraded solutions, there is a looming danger that firms must be aware of lax security.
CMS vendors have always had surprisingly poor security in their products, considering that they are working with the most valuable asset the firm has: customer data. CMS vendors reluctantly adopted security systems over the past several years, and this was usually only to support private vs. public queries and adding support for work-group structure.
In many cases, the product relies only on the underlying security of the RDBMS or the operating system, adding little more to safeguard the information. For many firms, this was sufficient. The customer data was often difficult for nonauthorized users to access, and there was no easy way for someone outside the organization to access it. This was fortunate, as these marketing databases often contain credit-card information, social security numbers and other personal data, which could easily be used against the customer.
But the presence of the Web channel changes all of that. With the Web, people outside the organization now have a portal to customer information. Think about the implication of a malicious hacker tapping into the customer database and duplicating a large amount of detailed customer data. The scenario of the hacker corrupting customer data is also a possibility. No CMS offering coming to market over the next year could stop even a beginning hacker, and it is highly unlikely that any will be able to stop a good hacker over the next four years (.8 probability). There are three reasons for this.
First, the CMS vendors just aren’t used to their product having customer access. This is a complete different direction for them. While it will also have ramifications of the user interface, performance, and functionality of the product, it will most glaringly impact the area of user security.
Secondly, since CMS vendors tend to have weak security, it is going to take a long time to understand how to fix this. This problem is more then just adding passwords. This is about an industry coming up to speed on what is state of the art in compromising computers. And, it is about embedding personal protection schemes and not just relying on the underlying security of others.
Lastly, security is hard to demo and sell. Increasingly CMS vendors need sizzle to distinguish themselves in what is becoming a more generic product offering. As such, security isn’t a high priority because it is not more than a check box on the RFP right now, and it doesn’t show well on sales calls. Only firms requiring this capability in product offerings will cause the industry to pay attention.
Because of this, firms need to do three things. First, do not deploy any CMS solution to the Web channel until adequate security has been incorporated. Second, firms need to begin asking for detailed documentation of security features in CMS solutions. It is unlikely that any vendor will be able to answer this request well over the next 12 months, but it will force their development people to begin working on it. And third, firms need to think seriously about their data scheme for online access and ensure that they have in place the policies and procedures to safeguard customer information.
It is highly likely that we will see a highly publicized incident involving the compromising of customer data via a Web site in the next 12 to 18 months. Such an incident will set back the efforts of many firms to use their Web sites effectively.
