Everyone from Deloitte to Ad Age to Forbes and many more are talking about why CMOs should care about cybersecurity and become more involved in the overall strategy. That makes sense as security moves beyond the purview of IT and becomes more of a board-level issue.
Having seen cybersecurity from publicly-traded company and venture-backed perspectives, I wanted to share some hints and tips with my fellow marketing leaders.
While some recommend CMOs become cybersecurity experts, laying out extensive process around it, that’s just beyond the capability and simple time demands of most of you. So where should you start?
4 Key Focus Areas for CMOs
One of the best articles I’ve seen to date, from CMO magazine in Australia, lays out 4 key things on which to focus:
- Give attention in advance to the possible customer impact of breaches.
- Think about your own brand value impacts from cybersecurity incidents.
- See a more secure business as a way to attract more customers.
- Develop relationships and a common language with your security team.
Of the above, the first three are really mindset approaches that you’ll likely be able to get your arms around by giving the required time and attention with your own team, other customer-facing organizations, and your executive leadership team.
Number four is likely the most critical to getting a handle on your cybersecurity strategy. But you’ll likely need to do some homework. It’s no different than when you take your first trip to someplace like Italy – it helps to read up a bit in advance.
Cybersecurity 101 for CMOs
Fortunately, there are some “Rosetta Stone” guides before you go on your excursion if you’ve never been to Cyber-Milan before, all well-reviewed on Amazon:
- Cybersecurity: The Ultimate Beginners Guide is only 42 pages and really a good place to start for the time-crunched– it lays out a quick foundation on cybersecurity.
- A more detailed (and longer) good intro: Cybersecurity for Beginners.
- The Cybersecurity to English Dictionary is a companion book to either of the above– a terminology guide for cybersecurity.
So once you have your basic “language” structure down with an idea of some of the very basic concepts and terms of cybersecurity, you’ll want to get comfortable with the culture and some of the more common phrases before diving in.
I’d suggest you start with what is currently top of mind for most cybersecurity practitioners and executives – cloud security. According to Cybersecurity Insider’s 2018 Cloud Security Survey, 90% of security pros are concerned about cloud security, way up vs. 2017. In fact, 62% say their biggest threat is misconfigured cloud services.
For simplicity, when we’re talking about public cloud (Infrastructure as a Service) where your engineers have built the apps that your company delivers to your customers, we’re generally talking about Amazon Web Services, or AWS. They’re the 800 pound gorilla, as, Synergy Research Group states – they’re in a league of their own.
But why is cloud security such a big concern when Amazon (like Microsoft, Google, and the other major cloud service providers), spends hundreds of millions of dollars on security and has thousands of security experts around the globe working 24/7 to keep their cloud safe? (And they’re very good at it.)
It starts with what Amazon calls the Shared Responsibility Model. As shown below, AWS is responsible for the security “of” the cloud, and your company as an AWS customer is responsible for security “in” the cloud. As you can see, there’s a lot to be concerned about “in” the cloud- and it has to be managed differently than the legacy security approaches of the data center, virtual-machine world that predominated even a couple of years ago.
Now, many of you, particularly technology startups like CloudPassage, are cloud native, so have always had a cloud-based security approach. Yet, the scale and speed at which anyone in your company can consume services for free or by swiping a credit card massively expands what is called the “attack surface”. And, the speed at which AWS releases new services to your dev teams is staggering, making it difficult for your security teams to keep up. (For example, AWS released almost 500 new services and features in just one recent quarter.)
To learn more about the basics of Cloud Security, I highly recommend grabbing a free 7 day trial to Cloud Academy and taking their fine video course on AWS Security Fundamentals. It’s just over an hour and is awesome for beginners. (If you want a sub-101 level course to start with check out their course What Is Cloud Computing?)
Ok, at this point, you may feel good about some language skills, and know some key Cyber-Italian phrases. So, it’s time to take your new knowledge down to the local Italian restaurant (you know the real authentic one where the Nonna is in the back making the meatballs). You can do it by setting up an AWS account and using an honest to goodness cloud security tool on an AWS cloud storage service. (It’s easier than it sounds – some of the least technical folks on my Growth team gave this a whirl and found it easier than they thought as well as educational. Trust me, if you can handle Google Analytics and Marketo this will be a breeze.)
How to set up an AWS Account
- Open your own free AWS account.
- Set up an Simple Storage (S3) bucket (like Dropbox or Box on steroids) and upload some files into it.
- Go to cloudpassage.com/freetrial. Follow the prompts to set up your AWS account in our product Halo Cloud Secure.
- See your risks and threats on the Cloud Secure dashboard.
- Pat yourself on the back.
That’s it. You’ve gone beyond passing the annual pain-in-the-rear security training (yes, even here at a security company we moan about having to do that and our CISO has to stay after us to get it done).
Now you still know 99% less than your cybersecurity team, but they’ll appreciate all the questions and insight you now have, and the effort you put in to understanding their world – which is a profoundly difficult one to live in by the way. In any case, I hope this gives you a better idea about why CMOs should care about cybersecurity, as it is now everyone’s responsibility, from the top down.
I would love to hear from you what you’re doing to keep on top of cybersecurity issues – and how your discussions with your cybersecurity partners are going – it would make a great follow up post in the near future. You can reach me at firstname.lastname@example.org.
In the meantime, I’d invite you take a look at the 2018 Cloud Security Report mentioned above. It’s a great read, packed with visuals and stats on overall cloud adoption and vendor trends that you’ll find intriguing.