CMOs, cybersecurity and the criticality of customer trust
That’s the sound of Wikileaks.
As the CMO of a large or small business, or as a senior marketing executive, how concerned are you about Wikileaks, Russian hackers, or someone else raiding your company and then publicizing or selling information about your customers for the whole world (and even the media) to see? During the daytime hours, this risk may seem fairly remote, but I bet it creates an uncomfortable level of nameless, formless anxiety late at night.
Now, here’s the second question: what are you doing about it—if anything?
In fact, how exposed is your organization—both to the risk of security breaches themselves and the risk of negative consequences due to sensitive/damaging leaks? What is the Chief Security Officer saying to you and the organization about your level of risk? Are you even talking to one another, or is security too geeky for marketers to focus on? And, just what is your company’s cybersecurity program? Is it robust or is the organization a sitting duck just waiting for hackers to disclose information about thousands or even hundreds of thousands of customers?
We now live and work in a new age where CMOs ignore cybersecurity at their peril. There’s a continuum that gets marketers from their bailiwick—namely, marketing information—to cybersecurity. It goes like this:
- Personalization and e-commerce. In today’s age of very sophisticated websites and ubiquitous mobile platforms, companies have amassed petabytes of information about customers. To delight buyers, companies spend dollars and time personalizing their offers to customers, and are rewarded by knowing what those customers bought and are likely to buy, how much they spent and are likely to spend, what they considered buying and are still watching, and so on.
- Trust. Over time, the personalized buyer/seller relationship builds trust. The buyer trusts the merchant with his or her most personal information, including financial data, bank accounts, and credit cards. As the seller safeguards this information over months and years, and distributes policies about how the information will be used, a trusted relationship (which is often emotionally based) forms between the buyer and seller. (For just a small glimpse of consumer trust issues, see “Consumer adoption of location marketing hinges on trust and value” and “Consumers Give Location Marketing a Resounding Maybe.”)
- A security breach that breaks through cybersecurity. Then, along comes a security breach. It may be that massive amounts of credit card information are stolen (e.g. Target), or private/sensitive/personal health information is hacked (e.g. Anthem Blue Cross Blue Shield) or highly sensitive personnel records are ripped off (e.g. US Office of Personnel Management), or something else. In just a few moments that bond of trust between buyer and seller is ripped to shreds and the customer, feeling victimized, becomes very angry and holds the seller responsible and accountable for everything. But that’s not all—it becomes a very personal, emotional issue to the customer.
This has happened to me, so I’m writing from firsthand experience. I’ve had my credit card information stolen from a merchant, my health records hijacked from an insurance company, and my personnel records ripped off as the spouse of a government worker and a military dependent.
Usually at this point, when the security breach is only hours or a couple of days old, the Chief Security Officer steps in and the risk management staff write an all too often terse, unhelpful letter to the customer warning that a breach has occurred. Typically, that’s all they say. It’s maybe a paragraph at best. Some organizations have figured out how damaging this type of communication is and instead send a thoughtful letter explaining what the risk is, giving hotline information and someone for the customer to call to get questions answered, providing a free subscription to LifeLock and offering anything else they can think of to show empathy and provide real help.
CMOs must take note: in an age of state-sponsored cyber-terror, Wikileaks, and regular run-of-the-mill hackers, it’s vital for marketing to talk with security officers regularly before a security breach has occurred. Yes, these two parts of the organization seemingly talk different languages, but it’s imperative for the two endpoints of the trust continuum to be in constant communication and collaboration. And by all means, avoid those terse letters that are sure to get customers upset even more than they already were before receiving a letter.
Here are some of the steps CMOs and the marketing staff can take:
- Collaborate. In the event of a breach, immediately work with the security and risk office to jointly issue all correspondence to customers.
- Take safeguards. Prior to any breach, or risk of a breach or any thought of a breach, take safeguards that protect customers, starting with never requiring or requesting the customer’s Social Security Number. This is not just a Chief Security Officer responsibility; CMOs have co-equal responsibility. (However, this is easier said than done because some government agencies require SSNs, even though some states have made it illegal to ask for SSNs. For example, Medicare card numbers are the holders’ SSNs, which means that doctors’ offices throughout the country have all their patients’ SSN data. Honestly, this is really stupid.)
- Encrypt customer data. Safeguard all customer data that is stored digitally by encrypting it and then enforcing limited access to that data with strict controls.
- Be proactive. Proactively provide guidance to customers about how they can best protect their information, including encrypting their devices. And issue regular information to customers about privacy policies and safeguards.
- Enforce passwords. Regularly force password changes, including requirements for an 8-12 character combination of special characters, numbers, and letters. Use the same rigor that financial services companies apply, even if you are in a different industry.
- Safeguard hard copy information. Make sure your organization doesn’t require customers to write down highly sensitive information on paper forms, which can be copied or stolen.
The security and risk office has many more guidelines that you should familiarize yourself with and learn.
(By the way, most of these actions are required or strongly encouraged by the new General Data Protection Regulation (GDPR), which applies to any company that does business with EU residents. For more information, see our Executive FAQ and podcast.)
As a marketing exec, the most important thing to know instinctively and intuitively about this topic is that security and risk experts think in terms of cybersecurity, enforcement, and punishment–and they don’t think in terms of customer experiences. While marketing organizations can’t change that cold, hard reality, they can provide a much needed buffer when customers’ trust has been violated, privacy is in tatters and terrified customers are rethinking the whole buyer/seller relationship. That’s why CMOs absolutely, positively must pay attention to security, risk, and cybercrimes.
For more information on this topic, see the Digital Risk Management Institute.