It is a common perception that marketing is generally at odds with security and privacy. Although these are broad generalizations with plenty of excluded nuances and exceptions, marketing is seen as thriving on data—the more, the better. Conversely, security and privacy view the accumulation of large volumes of data as a potential risk to the individuals whose data are being processed (e.g., if the information is inappropriately leaked) or to the organization processing the data (because of the potential regulatory and reputational impact of data leaks).
However, there is a happy common ground. Done correctly, the implementation of appropriate privacy practices, as codified in ISACA’s privacy certification programs for example, actually supports effective marketing and drives measurable improvements in bottom line results. In a well-known example, the Dutch public broadcaster Nederlandse Publieke Omroep saw its digital ad revenue increase by more than 60% after eliminating tracking cookies outright from its website.1 The notion that better privacy protection hampers targeting or sales can use some refinement.
Done correctly, the implementation of appropriate privacy practices…actually supports effective marketing and drives measurable improvements in bottom line results.
Such refinement starts with marketing, security and privacy teams working collaboratively. This means there should be close cooperation at every step of the way for all major initiatives on all sides, to mutual benefit.
Interestingly, privacy regulations, starting with the EU General Data Protection Regulation (GDPR), have placed a heavy emphasis on organizations doing precisely what marketing teams thrive on: understanding the organization’s stakeholders and understanding, in depth, the data being processed. In this sense, security and privacy teams can engage in constructive, mutually beneficial conversations with their marketing counterparts in 3 key areas:
- Know the audience—Security and privacy leaders will likely encounter 2 different types of marketing leaders: those who are painfully aware of the data dilemma and those who are so focused on pushing for near-term results that they are unaware of bad data privacy practices lurking around the corner. As a security and privacy professional, the engagements with each will differ, for example:
- Responsible marketing leaders are acutely aware of their data problems and spend a great deal of their time scrubbing bad, inaccurate data. In fact, nearly 1 out of every 5 marketers report privacy compliance as their main concern across marketing channels, especially as regulation continues to evolve across regions.2 When approaching these types of marketing teams and starting the conversation, security and privacy leaders need to remember that marketers are not necessarily privacy experts and are likely managing these concerns in what little spare time they may have. Offering to partner through ongoing meetings or problem-solving brainstorms will be of most help to this audience, who are actively looking for ways to tackle each individual problem in front of them.
- By the same token, 4 out of 5 marketers are not reporting any privacy concerns, despite the fact that consumers are increasingly pushing for stricter protection.3 These marketers are often focused on meeting near-term goals and, therefore, anything beyond their daily roles and efforts to meet their metrics feels like someone else’s problem. Security and privacy leaders should approach these marketing teams in a way that recognizes the business goals they are up against and the resources (or lack thereof) available to them so as not to overwhelm them. In this instance, security and privacy leaders need to become educators on the cost of not addressing the problem and the additional long-term barriers to marketing goals should customer data protection be compromised.
- Know the data—There are countless vendors that offer data management through customer relationship management (CRM) platforms, yet many of these solutions just scratch the surface. Why? CRMs were not designed to be individually tailored or personalized to be truly actionable for marketing employees. They were designed with business-level reporting in mind. This has created a proliferation of add-on tools and services to existing CRMs, with some marketers still using Excel spreadsheets to manage their data. How marketers remediate data issues will depend on how many different systems and hands the data pass through. As it happens, data mapping is a fundamental requirement of new privacy laws, so gaining a deep understanding of the data being processed benefits both the marketing and security and privacy teams.
- Unify under a common mission—Unethical behaviors, especially around how data are sourced and leveraged, have no place in today’s socially conscious world. Organizations across the globe are often knowingly (and sometimes unknowingly) operating unethical sales and marketing practices. This can happen either first-hand or by the vendors with whom the organizations have relationships. These practices can create long-term damage to brand reputation and future growth. For the security and privacy professional, partnering with marketing and unifying around a core mission of supporting ethical marketing is not only the right thing to do, it is also a way to help the organization achieve a key competitive differentiator that will fuel growth and create lasting impact for customers. How many security and privacy initiatives can be said to do that? Conversely, when the security team wants to drive an effective security awareness campaign (a key need to keep data safe), it is likely that the marketing team can help develop the best messaging.
Marketing and security and privacy teams must no longer be squarely positioned at opposite ends of the organizational spectrum. Coming together to help marketing access, clean and protect the data that flow through its department keeps the organization secure, eliminates crisis-fueled meetings and positions it to win in an increasingly privacy-focused marketplace.
Endnotes
1 Edelman, G.; “Can Killing Cookies Save Journalism?” Wired, 5 August 2020
2 Marketing Evolution, “Tackling Data Privacy Issues in a Data-Driven Marketing World,” 9 June 2021
3 Ibid.
Alain Marcuse, CISA, CDPSE
Serves as chief information security officer for Validity, Inc., and oversees all strategic and operational aspects of data privacy, compliance and security for the organization. Marcuse brings more than 30 years of experience in information security, data privacy and global 24×7 IT infrastructure operations to Validity. He has led high-growth global IT, security and privacy teams in organizations based in the Americas and Europe. Prior to joining Validity, Marcuse led RSM’s cybersecurity consulting practice in New England, USA, and its US data privacy practice.