'HOW SECURE IS YOUR MARKETING TRANSFORMATION' RSA CMO Cybersecurity SURVEY


  1. BUSINESS-DRIVEN SECURITY™ SOLUTIONS. RSA CMO CYBERSECURITY SURVEY: HOW SECURE IS YOUR MARKETING TRANSFORMATION?
  2. INTRODUCTION

     Modern marketing transformation in the age of cyber risk.

     Under pressure to show ROI and drive pipeline, marketing is modernizing its engines and adopting new platforms and tools at an incredible pace—choosing from an unprecedented array of martech innovations. It’s well reported that in the next few years, marketing will spend more on technology than IT does—putting marketing’s digital transformation in the same tier as yesterday’s large, high-priority ERP and CRM implementations.

     The demands of a successful modern marketing strategy—speed, precision and accuracy—depend increasingly on cloud-based applications that are easy to deploy and use, often with no assistance from IT. Traditionally underserved by IT, marketing has been resourceful in developing “shadow IT,” along with a network of third-party providers that can implement and integrate these new tools. The result: If you’re leading a digital transformation in marketing, you’re effectively in the business of IT.

     Today, there are more than 4,500 vendors in the martech space, half of them less than two years old. Most are cloud-based services, and many are not fully tested for security. Even if a cloud-based marketing application passes an initial security audit, ongoing build-out and integration with other systems can open up new vulnerabilities, which in turn expose the business to risk. Furthermore, this virtual marketing infrastructure—being built outside of IT’s purview with an increasingly complex set of tools—isn’t being monitored end to end for vulnerabilities or intrusions.

     As marketers make greater use of digital assets, services, and big data to append, score, analyze and target customers and prospects, they must also be accountable for ensuring a strategy for monitoring and protecting that data on a daily basis.

     When the new EU General Data Protection Regulation (GDPR) comes into play in 2018, fines for violating data protection laws will increase tenfold for any company doing business in Europe—regardless of where it’s headquartered. Before this happens, marketing must have greater visibility into how its data is managed, identify risks involved in handling and protecting customer data, and develop a safe data plan.

     In short, security isn’t an IT problem, it’s a business problem—and it’s one that marketing needs to pay attention to. In an attempt to map the depth and breadth of security issues related to the modernization of marketing, a new RSA survey evaluates how—and how well—today’s IT and marketing teams are working together to ensure that they aren’t inadvertently opening up their organizations to the growing risks that come with a changing cyber threat landscape.
  3. EXECUTIVE SUMMARY

     Marketing needs a deeper understanding of cybersecurity risks associated with digital transformation.

     RSA surveyed over 300 marketing and IT professionals with headquarters in North America. The primary objectives of the CMO Cybersecurity Survey are to gain an understanding of 1) how both functions think about security in the context of a digital transformation and 2) how well IT and marketing teams collaborate to ensure that proper security measures are taken when modernizing their marketing engines and adopting new marketing tools.

     KEY FINDINGS
     • Marketing organizations don’t fully understand the business and cybersecurity risks associated with the digital transformation of modern marketing.
     • Marketing departments may unknowingly be putting their organizations at risk during digital infrastructure transformation.
     • Considerable discrepancies exist between marketing and IT respondents’ perceptions of collaboration and effectiveness during transformation.
     • Marketing is largely unaware of security protocols and crisis communication plans in the event of a security incident.
  4. KEY FINDING #1

     Marketing organizations don’t fully understand the business and cybersecurity risks associated with the digital transformation of modern marketing.

     DATA INSIGHTS
     Marketing is significantly less concerned than IT about the potential for the marketing function to expose the organization to a security incident.
     • IT respondents are significantly more likely than marketing respondents to be highly concerned with internal and external cyber threats.
     • IT respondents are most likely to claim that between one and ten security incidents occurred in the last year, and to attribute an average of 45% of such occurrences to the marketing function.
     • Marketing respondents are most likely not to know how many such incidents affected their organizations in the last year, and to believe that the number of incidents attributed to marketing is much lower.
     • Marketing staff is not paying enough attention to marketing’s potential impact on cybersecurity; only 10% of marketing respondents say they are concerned with this impact.
     • Of 12 major departments reviewed, IT ranked the marketing department most likely to cause a cyber incident.

     [Chart: Concern that marketing is exposing the organization to cyber risk (IT vs. marketing respondents)]
     [Chart: Percentage of incidents in past 12 months attributable to marketing (IT vs. marketing respondents)]
  5. KEY FINDING #1 (CONTINUED)

     DATA INSIGHTS
     Marketing teams may not have a good understanding of the sensitivity of the data they work with.
     • IT respondents are significantly more likely to believe that marketing staff work with a wide array of sensitive information, while marketing respondents report a smaller range of data types.
     • IT respondents are most likely to say that their companies have access to 10,000 or more customer-related records, and that a breach of 20–29% of those would create a major issue.
     • Marketing respondents are most likely not to know how many customer-related records the company has, or at what threshold a records breach would become a major issue.

     [Chart: Number of security incidents in last 12 months (IT vs. marketing respondents)]
     [Chart: Number of customer-related records (IT vs. marketing respondents)]
     [Chart: When do number of records breached become an issue? As a percentage of total records (IT vs. marketing respondents)]
  6. KEY FINDING #1 (CONTINUED)

     RECOMMENDATIONS
     • CMOs, CISOs, CIOs and marketing leadership should discuss marketing’s digital transformation initiatives, identify potential business risks, and collaborate on strategies for decreasing cybersecurity vulnerability.
     • Marketing leaders should actively educate their teams on the state of cyber threats, fostering a “built for security” mentality along with the move to modern marketing infrastructures.
     • Marketing teams should accurately classify the data they collect, collect only what is needed, and properly secure different types of data.
     • As marketing creates customer journeys, marketing staff should keep in mind data access and data governance processes related to the company’s industry.

     [Chart: When do number of records breached become an issue? As a percentage of total records (IT vs. marketing respondents)]
  7. KEY FINDING #2

     Marketing departments may unknowingly be putting their organizations at risk during digital transformation.

     DATA INSIGHTS
     Marketing’s use of “shadow IT” and third-party services, without IT oversight, could increase cybersecurity risk.
     • Both marketing and IT respondents overwhelmingly agree that marketing knowingly uses workarounds to avoid IT policies and procedures.
     • IT respondents rank marketing as the function most likely to cause a cyber incident due to shadow IT.
     • IT shows higher confidence in marketing staff’s understanding of, and compliance with, IT security policies, protocols and procedures to minimize cyber threats—while marketing’s confidence in its own understanding and compliance is much lower.
     • Though native security is considered routine by most software evaluation standards, when asked about its importance when selecting and considering third-party marketing services, only 26% of marketing respondents saw it as very or extremely influential in selecting a vendor.

     [Chart: Use of shadow IT in marketing (IT vs. marketing respondents)]
     [Chart: Marketing’s understanding of IT security protocols (IT vs. marketing respondents)]
  8. KEY FINDING #2 (CONTINUED)

     RECOMMENDATIONS
     • Marketing and IT security teams should proactively discuss potential business impacts and cybersecurity risks associated with digital transformation initiatives, especially if outsourcing or cloud-based services are used.
     • When evaluating third-party vendors, marketing should understand what security best practices those vendors should be following.
     • Marketing should work with IT and security teams to clarify what certifications may be required, what standards vendors need to follow and who vendors need to work with for security or operational issues.
     • Marketing should work in partnership with IT to understand the integration/data exchange requirements between internal and external applications, along with any vulnerability points.
     • Marketing should develop a plan for how the entire marketing technology stack will be tested and monitored on a continuous basis.
     • Marketing should determine how user access will be managed and authenticated most effectively.

     [Chart: “Built for security” as being influential on marketing’s decision to purchase third-party applications or services]
  9. KEY FINDING #3

     Considerable discrepancies exist between marketing and IT respondents’ perceptions of collaboration and effectiveness during a digital transformation.

     DATA INSIGHTS
     • IT respondents indicate that meetings and reviews occur between the two groups; however, marketing respondents are less likely to be aware of such interactions.
     • IT respondents indicate that the two groups are likely to collaborate at least quarterly; marketing respondents are significantly less likely to know the frequency of such collaboration.
     • IT respondents are significantly more likely than marketing respondents to rate collaboration between IT and marketing as very or extremely effective.

     RECOMMENDATIONS
     • IT and marketing leadership should form a more effective and collaborative working relationship—not just to combat cyber threats, but to keep marketing staff engaged throughout the process.
     • For all major digital transformation milestones, both marketing and IT security teams should ensure a full security review, including vulnerability testing.
     • Marketing and IT should create a strategy for monitoring the marketing infrastructure for possible intrusions, and apply the same security approach to this hybrid or cloud environment as they do across their core infrastructure.

     [Chart: Frequency of collaboration (IT vs. marketing respondents)]
     [Chart: Collaboration effectiveness (IT vs. marketing respondents)]
  10. KEY FINDING #4

     Marketing is largely unaware of security protocols and crisis communication plans.

     DATA INSIGHTS
     • IT respondents are significantly more confident than marketing respondents that their companies have both protocols and crisis communications plans in place in the event of a security incident.
     • Marketing respondents are significantly less likely to know about crisis management protocols and communication plans—despite the likelihood of marketing being involved in crisis response.
     • Marketing staff’s lack of knowledge about the extent of cybersecurity crisis communication plans is even more pronounced in companies with less than $1 billion in revenue.

     RECOMMENDATIONS
     • Marketing should collaborate more closely with IT to understand its role in the event of a security incident.
     • Marketing could offer to take the lead on developing a cybersecurity crisis communication plan in cooperation with the IT security team.
     • Marketing leaders, particularly in small and medium-sized companies that may be in a hyper-growth stage, pre-IPO or seeking investors, should pay particular attention to developing a security strategy. These same companies should develop clear customer and media communications strategies in the event of a breach, which may carry with it potentially devastating consequences.
     • CMOs should lead executive-level discussion about brand protection in the event of a breach.

     [Chart: Readiness to handle a marketing security incident (protocols and crisis communications plan; IT vs. marketing respondents)]
     [Chart: Readiness to handle a marketing security incident, segmented by company size (protocols and crisis communication plan; <$1B vs. $1B+)]
  11. STEPS YOU CAN TAKE TODAY

     • Increase your cyber awareness and understanding of the business risks associated with your transformation: Get—and stay—smart about cybersecurity. Actively seek to understand more about how your innovations may unintentionally cause vulnerabilities for your company or organization.
     • Take accountability for the security of your martech: If you’re spending a large portion of your budget on marketing technology, and using third parties or shadow IT to help you implement and manage that technology, you are in the business of IT security. Help company leadership understand that this isn’t a technology problem, it’s a business problem. Don’t allow marketing to leave security behind in an effort to move more quickly.
     • Make security a key decision factor when choosing vendors: Require that your vendors go through security audits if they aren’t already, and make security one of your top decision factors. Ask as many questions as possible about their ability to protect and defend your data, and any possible entry points into your environment. Remember, almost half of martech vendors are less than two years old, so it’s prudent to make sure their tools and applications are well tested.
     • Partner with IT on a roadmap and monitoring strategy: Build marketing infrastructures with security in mind, partnering directly with IT security teams to build an implementation roadmap and plan for how your tools are tested and monitored on a regular basis. Resource constraints or lack of diligence won’t matter if an intrusion isn’t properly contained.
     • Determine the best approach for managing user access across systems: Work with IT to determine the best approach for protecting user and privileged accounts with a solid identity assurance and authentication strategy.
     • Advocate for a breach communication plan: A crisis communication plan should be in place and practiced regularly. A breach communication plan forces discussion about disclosure policies, gains alignment on definitions and communications protocols for crisis communications, and clearly assigns responsibilities.
  12. SURVEY METHODOLOGY & SAMPLE SIZE

     METHODOLOGY
     This survey was conducted using an online quantitative instrument from January through March 2017. RSA partnered with a third-party research organization to execute the survey and administer it to IT and marketing staff. While the majority of survey questions were the same for both respondent groups, each group was also presented with a small block of questions about which groups have the potential to cause cyber incidents.

     SAMPLE
     In total, 303 qualified individuals responded to the survey: 171 IT respondents and 132 marketing respondents. Due to survey logic, sample sizes vary across questions.

     RESPONDENT DEMOGRAPHICS
     • Primarily managers, directors and C-level executives
     • Representing organizations with at least 10,000 employees
     • Representing international and national organizations with headquarters in North America
     • Representing a wide range of industries, including manufacturing, finance/banking, computers, professional services, telecommunications, retail, healthcare, internet, construction, advertising, transportation and utilities

     [Chart: Participants’ role]
     [Chart: Participants’ primary industry]
     [Chart: Where company does business]
  13. ABOUT RSA

     RSA offers business-driven security solutions that uniquely link business context with security incidents to help organizations manage risk and protect what matters most. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive in an uncertain, high-risk world. For more information, go to rsa.com.

     © 2017 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA, 05/17, RSA CMO Security Survey. Dell Inc. or its subsidiaries believe the information in this document is accurate as of its publication date. The information is subject to change without notice.
