Shadow IT: Marketing and IT at the security crossroads

Data safeguarding is no longer just a concern for IT departments, says Holly Rollo. There are very real business risks that marketers must pay attention to, especially those using and choosing their own software solutions outside the remit of IT.

RSA-Holly-Rollo-2017In many companies, the IT department no longer controls technology. Instead, other departments are taking things into their own hands, giving rise to what’s known as ‘shadow
IT’.

Marketing, which has become increasingly central to business operations as the spearhead for everything to do with the customer, is one of the biggest users of shadow IT.

Modern marketers have become both data scientists and technology architects, oftentimes we must do this on our own, building shadow IT outside the walls our IT and security teams work hard to protect.

Although shadow IT has its benefits, including cost, fast platform roll-out, and tools users want, the rise of this technology in the marketing department is a cause for concern. As
shadow IT projects are implemented – and they could be CRM systems, web management or the latest martech software – it’s often done without much consideration for customer
data and the associated security needed to protect that critical information.

The reason for this lack of security is that marketing and IT have very different priorities.

IT wants everything controlled, locked down, and under its purview. Marketers want tools they can use, and they don’t want to jump through hoops or be forced to use outmoded
software.

They also want to do things fast, and without the typical restraints that a formal IT project puts in place.

New survey data from IT advisory company Gartner shows that martech spending fell by 15% in 2017, as CMOs pull back on previous high spending commitments amid concerns
over marketing’s capability to acquire and manage technology effectively. Martech continues to account for a significant proportion of CMO’s spending power, with 22% of the total marketing expense budget allocated to technology.

However, this is a significant drop year-over-year, as last year’s survey reported that 27% of marketing budget was allocated to martech.

Partly fuelling the rise of marketing technology power is the growth in software as a service (SaaS). This type of software is cloud-based, paid for by subscription and delivered using
mobile apps and web browsers. A great example of this is Salesforce and its CRM platform.

Using SaaS means that the marketing department can control the budget, often using a corporate credit card to pay for it, and they can control the roll out. It’s often as simple as
getting a login and pointing a browser toward the relevant site.

Where this causes problems is in areas like password management, and the security of the SaaS provider. Poor password management and poor security can lead to data breaches,
such as the landmark Yahoo! data breach of 2013 that impacted three billion user accounts, and knocked an estimated $US350 million off Yahoo’s sale price to telco Verizon.

More recently, the Equifax breach in the US saw the personal details of 143 million people exposed to hackers. This led to a management overhaul, and the company’s stock price
took a major hit, to say nothing of its reputation with consumers.

Perhaps more important than stock price – at least to marketers – is the fact that consumers won’t do business with a company that has had a data breach. A survey by Ponemon found that one-third of Australian consumers would not do business with a company that had experienced a data breach. The research found that on the day a data breach is announced, affected companies experience a customer churn rate of around 7%.

For marketers investing in IT, this is a significant development, and is made more so by the fact that in February 2018, mandatory data breach notification laws will take effect in
Australia. Under the law, any organisation subject to the Privacy Act will have to notify the Office of the Australian Information Commissioner, and the general public, as soon as they are aware of a breach.

The Information Commissioner can also levy fines for data breaches, although this is not a mandatory part of the law. Customer data is our treasure, but it comes with the responsibility of safeguarding said data from fraud, breaches or malicious intent the best we can, or risk putting our brand reputations and customer confidence at risk.

This all adds up to a situation where marketers must become a little more like IT departments.

Data safeguarding is no longer an IT problem or security problem, it is a very real business risk that marketing must pay attention to. If marketers don’t put security first when modernising technology, they are putting their business at risk.

When rolling out software and devices, information security is paramount, as are the security practices associated with access control and the location of where the data is stored. What’s needed is a more flexible working arrangement between IT and marketing, where both departments can bring skills to bear that lead to a better outcome for marketers, customers and for the company.

Without cooperation, the likelihood of a data breach grows. Marketers need to take the security message to heart, because unless they do, companies will take a hit from hackers,
undoing the work that marketers have done to build a positive business reputation, driving customers to take their business elsewhere. Through cooperation, both marketing and IT
can do what they do best, with secure, outstanding results for customers.

 

Holly Rollo is CMO at RSA.

 

 

Image copyright: waraphot © 123RF