Cybersecurity for CMOs: Bad Bots, Breaches, Phishing… Oh My!

 

Drew Neisser: Hey, it’s Drew. I’m excited that you’re here to listen to another episode of Renegade Marketers Unite. And if this is your first time listening then welcome. This show is brought to you by CMO Huddles, the only marketing community dedicated to inspiring B2B greatness. And that has a logo featuring penguins. Wait, what? Yeah, well, a group of these curious, adaptable and problem-solving birds is called the Huddle. And the B2B marketers and CMO Huddles are all that and more, huddling together to heat up the coldest job in the C suite. And now that CMO Huddles has three membership tiers, we’re ready to inspire B2B Greatness at all levels. To learn more, check out CMOhuddles.com. Now before we get to the episode, here’s a shout out to the professionals at Share Your Genius. We started working with them over a year ago to make this show even better and have been blown away by their strategic and executional prowess. If you’re thinking about starting a podcast or want to turbocharge your current show, be sure to talk to Rachel Downey at shareyourgenius.com and tell her Drew sent you. Okay, let’s get on with today’s episode.

Narrator: Welcome to Renegade Marketers Unite, possibly the best weekly podcast for CMOs and everyone else looking for innovative ways to transform their brand, drive demand, and just plain cut through. Proving that B2B does not mean boring to business. Here’s your host and Chief Marketing Renegade Drew Neisser.

Drew Neisser: Hello, Renegade Marketers. Welcome to Renegade Marketers Unite, the top-rated podcast for B2B CMOs and other marketing-obsessed individuals. You’re about to listen to a recording of CMO Huddles Studio, our live show featuring the CMOs of CMO Huddles, a community that’s sharing, caring, and daring each other to greatness every day of the week. This time we’ve got a conversation on what CMOs need to know about cybersecurity from cybersecurity pros including Huddlers, including Laura MacGregor from CIS, Michael Callahan, who is now the CMO of Salt Security, he was at Akamai, and Dan Lowden, who is now the CMO of Blackbird.AI. At the time of this recording, he was at HUMAN Security. Okay, let’s dive in.

Welcome to CMO Huddles Studio. I’m your host Drew Neisser live from New York City. Welcome to our show focused on the critical intersection of cybersecurity and the role of the Chief Marketing Officer in B2B organizations in this crazy world, where cyber threats continue to pose and will probably always continue to pose significant risks. It is essential for CMOs to understand the intricacies of cybersecurity and its implications for marketing strategies. We have the privilege today of speaking with three esteemed B2B CMOs, who have successfully navigated the realm of cybersecurity, not just for marketers, but for a broad group of companies. Through their insights, experiences, and expertise, we hope to unpack exactly what CMOs need to know about cybersecurity risk and the strategies they need to deploy to keep their company safe. Okay, with that, let’s bring on Dan Lowden the CMO of HUMAN Security.

Hello, Dan, how are you?

Dan Lowden: Hello, Drew. Good to see you.

Drew Neisser: By the way, congrats on HUMAN being named to Time Magazine’s Top 100 Most Influential Companies of 2023. That’s cool.

Dan Lowden: It is thank you so much. What an honor for the company, especially when you have companies like Apple and Microsoft and many other big well known companies on that list. There’s HUMAN Security, the only cybersecurity company on there listed. And we’re very, very thrilled and honored to be a part of it.

Drew Neisser: Just so cool. Alright. Well, let’s talk about first what aspect of cybersecurity that HUMAN addresses.

Dan Lowden: At HUMAN Security we focus on disrupting fraud and abuse from a digital perspective, which can include bot attacks, account takeover, credential stuffing, web scraping, those type of things that can impact a customer experience, right? And we look at 20 trillion interactions per week. We protect over 500 of the Big ecommerce and internet platform companies out there and we disrupt the cybercriminals, we take them out and hopefully, they don’t come back again. In some cases, we take out their operations in some cases, we’ve actually put them in prison.

Drew Neisser: Whenever I hear the word trillion, I have to pause for a moment because that’s a big number. So there’s an example or something that you have done that you can give that will help folks sort of get what it is that you do, particularly for marketers.

Dan Lowden: We protect a lot of ecommerce sites, websites, applications, but we also protect programmatic advertising. Google is one of our biggest customers, we work with a lot of companies. So that’s why there’s just such massive numbers 20 trillion, we’re protecting a large part of the internet, to ensure there’s not fraud to ensure that if someone clicks on an ad, it’s a human, not a bot, and that the brands really get their message and their story in front of real humans who potentially will buy their product, not bots. And that’s a big part of what we do. It protects against all different types of fraud use cases and abuse use cases and, and protects the customer experience for the brand itself. One example, we discovered a very large cybercriminal group that had infected over 1.8 million devices with malware, they were sending 20 billion fake requests a day targeting websites, it was creating havoc throughout the whole ecosystem. And we were able to recognize it, we brought in big partners, we brought in law enforcement, we’re able to take that operation down. And now about eight of the cybercriminals are now in prison serving six to eight-year sentences. So it’s a big, big issue. It’s something that we need to continually fight against. Because the level of sophistication of these cybercriminals is just continuing to grow, we’ve got to go figure out ways to win, because if they keep attacking and keep winning, the incentives are there for them to continue, if we make the risk too high for them, or the consequences too high. That’s how we win. And that’s been our approach. 

Drew Neisser: There’s no doubt it’s going to keep going that the money is so big, but I think the part that always surprises me when we talk about HUMAN is how marketers and marketing simple things like form fills suddenly become an opportunity, and things that almost every website has, and particularly marketers you live and die often by Did you capture that form and that information. And so I’m just again, trying to process and help the folks listening, if a bot fills out that form, where does that end up being a risk.

Dan Lowden: Part of that is it impacts the customer experience, if bots are getting in the way, and customers can’t do what they want to do, that’s not a good thing for the brand. If you have a CAPTCHA in place, that actually creates friction for the end user, and the bots have figured out a way to get around it. That’s not a good thing either. If bots are using real customer data that was stolen from a breach that they acquired a cost the dark web, and they’re using real customer data to fill in that form. And that goes into your database. That’s what we call data contamination. And it’s not given to you by the real human, you don’t have permission to communicate to that real human. But the bot looks like the real human providing that information. Not only does it waste your ad spin and performance, marketing spin, but it also creates compliance, GDPR, and privacy issues. If you’re contacting people who you think reached out to you who never did, it was the bot. So those are the consequences. A lot of CMOs think it’s a small part of the overall percentage of their performance marketing spend, it’s actually in many cases, as high as 5, 10, 20, 30 percent of the traffic filling out these forms is bot, it’s fake. So 20-30 percent of your budget is not going to a human, that’s a big problem. And then when that data flows into your CRM, that really contaminates it. And that’s a huge, huge problem for CMOs. The other thing that’s important is just around social perception, there’s all these different narratives that are out there, and they can be influenced by bots, they can impact brands themselves. So those are things that brands need to look at. There could be positive elements of that, and negative elements of that. And I think those are important things that CMOs need to look at more and more today.

Drew Neisser: As a CMO in the cybersecurity space, I suspect you’re more thinking about this all the time, as opposed to the average CMOs who really actually thinking about how they can drive revenue. What are you worried about? 

Dan Lowden: I mean, I think that’s the key thing, a CMO wants to drive awareness and revenue, if they’re wasting their spend on these fraudulent and cybercriminal activity, that’s going to impact the bottom line. So if they pay attention to that and lean forward and figure out ways and work with companies like the teams here on this call, they can be better at doing their job of driving more revenue, because they’re engaging with real humans and taking fraud out of the equation. To me, that’s what I think about and I think every CMO should think about because it’s a much bigger number than they may think it is.

Drew Neisser: Yeah. And this may be something where they’re thinking I’ve got In a lot of problems, I gotta think about we’ve got ISO. So they’re spending all their time on this. Why do I need to worry? When you say something like, CAPTCHA’s don’t stop the bad guys. I think that’s a wake up call for a lot of CMOs because they probably have CAPTCHA in front of their forms. In fact, today I had to deal with, “find that bus” or “find that bicycle”. Alright, Dan, thank you for that. We’ll be back. But let’s bring on Laura MacGregor, VP of Marketing and Communications at the Center for Internet Security. Hello, Laura. How are you? And where are you?

Laura MacGregor: Thanks for having me, Drew. I’m doing great. And I’m located in the great upstate New York.

Drew Neisser: Alright. Well, so far, we’re very East Coast. Let’s talk about the overview of CIS or Center for Internet Security and what you all do.

Laura MacGregor: CIS is a nonprofit that’s been around for more than 20 years now. We work with a global community to create security best practices. These recommendations are mapped to or referenced by many other security frameworks like NIST, and ISO Well, we’re unique in that our guidance both prioritizes what you should be doing and tells you how to do it, so it can help you comply with some of those other frameworks a little more easily. We also run two Information Sharing and Analysis Centers, or ICEX, one for state and local government and one for election organizations. Together, these provide support for more than 15,000 entities across the US.

Drew Neisser: I feel like we’ve come to the right place here in that this show is about helping marketers become aware and understand and create the priorities through the lens of CIS. What is that intersection of cybersecurity and marketing from your purview?

Laura MacGregor: I’ve certainly learned a lot since I’ve been here, just about personal cybersecurity as well, good password hygiene, and all of those things. Really, cybersecurity is everybody’s responsibility, regardless of where you sit within the organization, because anybody could become victim to a phishing attack, or be that point of entry for a breach. So it’s really the importance of getting everybody involved.

Drew Neisser: I spent about five hours helping my wife untangle and re-secure about 30 different websites and passwords using a tool and lost access to Facebook. And there it was. But let’s talk about marketers and CMOs, we recognize that everybody needs to know, but what are you seeing in terms of marketing in particular? I mean, one of the things that I know is that marketers have a huge tech stack that is forward-facing, those obviously create opportunities for cybercriminals. So where do you look at it when you think about the intersection of marketing and cybersecurity, what’s on your mind?

Laura MacGregor: So there’s a few things you know, that tech stack is a great example, one, making sure that you know who has access to that tech stack, have you worked with consultants or other vendors in the past that had accounts that should no longer have access to your systems have employees moved on that should no longer have access. So having a process in place to remove those and regularly audit so that nobody who shouldn’t have access to your data doesn’t is definitely a good thing. And then while you’re thinking about access, putting into place role-based access controls is important. Not everyone should be an admin in every system, even if they want to be they should really only have the level of access that they need to do their job. And that can help minimize damage. Another thing on the topic of accounts is sharing accounts is never a good idea. Sometimes we tend to do that, depending on the structure of how those come up. But that’s not a great idea. And of course, reusing passwords is also a terrible idea. And same thing goes for using the default password password 123 I was doing a little research earlier, was reading one of our guides on password policies that we produced. And you know, it’s just a matter of seconds or even minutes for them to be able to crack a password that’s seven letters or less.

Drew Neisser: I wonder how many of the folks listening actually have unique passwords for every single login? I do. But I’ve been using Dashlane for like, three, four years. And it takes a discipline to do it. In the first part of this it was auditing. Does the CMO need to have their own security person? Or is this just being in contact with the CSO? And making sure that marketing is on the list and make sure it’s on the agenda.

Laura MacGregor: Yeah, so our chief information security officer calls himself a CISO. So that’s a third way to say that. But you know, I think it depends on who owns that technology. So for company-wide things like a CRM that may have many owners, maybe your CSO or your IT is controlling those permissions, but you likely have some tools that are specific to your team, like social media platforms and things like that maybe Google Analytics that no one else even knows you have, which is another type of problem, I would strongly recommend that you have a process and a policy within your team about who’s responsible for it, making sure that that’s happening on a regular basis in terms of auditing, who has access and ensuring levels of access are appropriate.

Drew Neisser: A few years ago, that data was out that marketing was spending more on IT than IT was spending on IT. Clearly with all the tools and if you’ve got 25 tools in your tech stack, probably only five are shared beyond the department, you are the number one source of vulnerability. And one of the things we’ll talk about later is the impact on brand that a breach can have. Are there any other typical blind spots that you think of that CMOs have when it comes to cybersecurity?

Laura MacGregor: It’s really the access to the system. The other thing can be the rapidly evolving privacy regulation landscape, we all kind of have GDPR down, but there are more seats coming out with legislation every month, Colorado is going into effect on July 1, are you ready? So being able to keep up with that and stay ahead of that is another potential blind spot? 

Drew Neisser: Yeah, the regulatory landscape. And if every state has its own thing, it’s really gonna be a problem. But hopefully there will be a national policy at some point. Alright. Well, that’s great stuff. We’re gonna now welcome Michael Callahan, CMO of Acronis. Hello, Michael, how are you? Nice to have you back on the show.

Michael Callahan: You as well Drew, nice to see you.

Drew Neisser: Where are you today?

Michael Callahan: I live in Dallas. I’m in Dallas, Texas. Today.

Drew Neisser: Let’s talk about Acronis. And where you fit into the world of cybersecurity. 

Michael Callahan: It’s really complex, Dan was talking a little bit about it, Laura was, that there are all kinds of attacks out there, all kinds of threats. And so you end up having a lot of technologies that combat these threats. And it gets really complicated for people. And so our view is to try to remove that complexity, people really want security just to be delivered as a service, kind of like your electricity, right or your water that comes in your house. But to do that, effectively, you’ve got to have a platform that gives people that are providing the service or service providers, a tool that they can use that they can then deliver this security to end users. And that’s our view, that’s where things are going. It’ll be smaller companies or larger companies, but people generally want security delivered to them just as a utility or as a service they can buy.

Drew Neisser: Just making sure I understand it. Because I know having talked to any number of cybersecurity companies, there’s a software component, and then there’s a service component on top of it. And are you talking about the software and the service or are you talking about both?

Michael Callahan: Yeah, a lot of times it gets so complex, there’s something like 2000 or 2500, maybe more security companies? And so how do you make sense of all that? Well, one of the ways is companies will buy security, the software, and then they’ll buy services on top of that, to help deploy it, that will probably also always be somewhere in the mix. Our view is that it’s really more you just think of it as a service. So as a service provider, you go to a customer and say, I can handle all the security for you, you’re just gonna get a bill at the end of the month, tell me what’s important to you? Do you want email security? Do you want network security? Do you want identity security, let’s package it up, you just get a bill, we’ll take care of it for you.

Drew Neisser:  Your customer typically is going to be a security person who says this is going to make my life simpler and easier.

Michael Callahan: It could be the end user, right? Or it could be a service provider that is delivering that to the end user, that could be your customer. But oftentimes in larger companies, the security team acts as an internal service provider or security service provider.

Drew Neisser: Okay, let’s zero in from your standpoint, and what are the cyber threats that you see that CMOs should really be worrying about?

Michael Callahan: I think one of the biggest ones is that a lot of what we do in marketing is email communication, we know that the vast majority of threats come through email. So someone sends something, it’s a phish, you click on a link, you go somewhere else, they’re condensing that you really need to provide your username and password. But because we use that vehicle so much as marketing professionals, we have to be really sensitive and understand to write and communicate in a way that don’t just write descriptively communicate with people. So what you typically see like in a phishing email, it’s not very personal, right? It may be oriented towards you like it says, Hey, Drew, thank you, for your Bank of America customer. We really need your password. But it’s boring. But what we can do as marketing people is communicate like a person would communicate to try to differentiate from potential phishing emails, because it’s easy for us to write in a way that actually looks like a phish. And we need to try to avoid that. 

Drew Neisser: You’re right. I get phishing emails probably every day, a lot of them look like Microsoft, saying, hey, it’s time to change your password. Fortunately, I don’t get any from the banks. Alright, beyond emails. What other threats do you think about when it comes to marketing and what you’re doing as a marketer?

Michael Callahan: One of the things that always concerns me in terms of threats as a marketing person is the tech stack and how critical it is for us to make sure that we apply patches where there are vulnerabilities. I’ll give you an example. And I won’t name the tool. But one of the key tools that we now use, it goes to our security team first to do an evaluation of it. So they make sure, is this secure? Are there any breaches, they’ll look out on what’s called the Dark Web just kind of broadly, are there any zero days. And what that means is that there’s a vulnerability that the vendor of that application isn’t aware of. So people are taking advantage of it. I mean, it’s a zero day vulnerability, there’s no patch for it, you can readily exploit it. So internally, we have any technology that we might use as part of our marketing tech stack, go through a security evaluation to make sure that it’s not vulnerable. Because once you get in, now you have access to everybody’s information, you can do whatever you want, you have their personal information, all kinds of issues for you as a company, but then also for the people that may be in your database.

Drew Neisser: It’s so interesting because I know in conversations in Huddles where we’ve been talking about without naming any brands talking about ABM tools, one of them when it lost it often lost because some cybersecurity person in Europe said it’s not quite getting us the level of compliance that we want. I guess, if you’re a marketer of marketing technologies, this is something you’ve got to address. And it’s funny, we talk about that as just the complication of B2B selling. And this is just another person that you have to enable, if you will.

Michael Callahan: So you mentioned the passwords you were working on with your wife, right? So it used to be years ago, the real concern was, oh, boy, everything’s going virtual. And if you could control that hypervisor, you had access to all those virtual machines, and it was a mess. Some of that you have now with like, what would you attacked? Well, if you’re gonna attack something, maybe a password company is someone that controls all of your passwords. It’s super valuable to the end user because you consolidate it, you don’t have to remember 15, 20, 50 passwords. But if you were able to breach one of those, and so they’ve got to be super diligent. And then internally, we are using that, we have to be pretty diligent too about what the technologies we’re using to make sure there are no vulnerabilities. 

Drew Neisser: Yeah, and you’re just reminding me that I think one of them was in fact, breached. That is just the scariest thought, particularly since it’s so hard to manage all these things. If you do it manually, or use a Google or you create a point of vulnerability somewhere.

Michael Callahan: Yeah, and there’s this line of, is it easy? Is it not easy like your passwords and how far do you go? I think Laura mentioned, you know how quick it is to hack a password. It’s like seven characters. I had a codification the other day, my own personal password was something like 15 or 18 characters, and there was a chance that someone had figured out how to crack it.

Drew Neisser: We do have a question from the audience, which I will bring back in a minute. But before that, it’s time for me to talk about CMO Huddles. Launched in 2020. CMO Huddles is an exclusive community of over 100 highly effective B2B CMOs who share, care, and dare each other to greatness. One CMO described Huddles as a cross between an executive workshop and a therapy session. And given how hard things are getting out there who doesn’t need a little reassurance that they’re not alone. Everything about CMO Huddles is designed to be a force multiplier, helping you to make faster better and more informed decisions. Since no CMO can outwork this crazy job, CMO Huddles is here to help you outsmart it. Alright, well, Laura, Michael, Dan, you’re all Huddlers. I’m just curious. Two things. One, are you on the therapy side or the executive workshop side? And two, if you have a specific example, perhaps of how CMO Huddles has helped you in one way or another,

Laura MacGregor: Yeah Drew, for me it’s really both. It’s being able to commiserate with people who are dealing with the same things in a safe space because we can all relate on a certain level to certain things. And then the vast amount of knowledge that we have within the group and the way that we workshop things and come up with more ideas that we could possibly use in the short term. But it’s great because it gives us a lot of different ways to think about things. 

Drew Neisser: Oh, I love that. Thank you for that. Dan. Michael, any thoughts?

Michael Callahan: One of the things that are expected of us in our roles as CMOs is that we know everything. Everyone comes to us as the expert, we should have an answer and the quickest and wittiest response, and a tagline like on demand. We have to know everything always, in every metric, what I really like about CMO Huddles, we’re able to share in an environment where places where we have questions, we can ask about it and we get other people’s input. In a practical example, this was probably maybe six or nine months ago, Drew, we were on some of the calls. And we were talking about events. We were saying, we’re starting to see people burn out on virtual events. Are you all seeing people travel again or not? And it was a great way to get a perspective from different industries and different groups, but all from CMOs sharing that and saying, yeah, it does look like there’s more of an interest now and appetite for in-person events. And it helps kind of validate some thinking but also gets some other experiences on the table.

Drew Neisser: I love it. Okay, Dan.

Dan Lowden: I mean, it’s a community of marketing leaders, and we learn from best practices and we also learn from what’s failed and everybody’s open to share everything and the communication through the Slack channel. If you ever want to request for different vendors, if you have different thoughts on what you’re looking for, what you need. Others have already solved the problem. That sharing can really help me do my job better. We’re under a lot of pressure to perform and deliver whether it’s leadership from a brand or whether it’s leads that drive revenue, it’s difficult times recessionary times. So, how do we do this? And, how do we do it well? And, how do we do it respectfully so that it resonates with the customers that we’re trying to engage with. And the better we are at that the community benefits from it as well. So it’s been a huge benefit to me personally, as well as for the company that I work for. Glad to be a part of CMO Huddles,

Drew Neisser: Well, I appreciate all three of you sharing. If you’re a B2B CMO, or frankly, now we have a new insider program for number twos, do yourself a favor and check out cmohuddles.com. Okay, so perfect time and segue to the question that came up. This is perfect. No one ever wants to admit a failure. So how can CMOs prepare for messaging a breach attack that avoids looking like the Hudson prayers to victims response? Oh my gosh, great question. Anyone want to tackle that?

Michael Callahan: I’ll take a shot at it. First, I think there are two thoughts on this. The first one is run simulations. But you have to keep this quiet. It has only one person can know that it’s a simulation. So usually your CSO will run it. They’ll say, hey, it looks like we had a breach. And then you’ve assembled a team and how do you communicate and you find out where there’s issues in your process. It’s invaluable to do it and you gotta make sure that it’s secret, when you do it that way, you get the real issues. Second piece on this, though, oftentimes, in this situation, the attorneys get involved. They do that for a good reason. One, because they want to make sure that you’re not increasing your liability. But at the same time, they’re very risk averse in the way that they write often leaves more questions than answers, you have to make sure that you’re balancing the risk with just communicating clearly, I’m sorry, this happened, here’s what we know, we’ll keep you updated on what’s going on kind of thing. resist that urge to just give the responsibility to the legal team and how they read it and think about it as a marketing person. And how do you communicate effectively,

Drew Neisser: Going back to that every CMO needs a crisis playbook, a plan, and that cyber needs to be part of that and that you need it. And I’m curious, Laura, Dan, do you have thoughts on this topic? And do you have a cyber risk plan, God forbid, something happens and your brand is under attack, and you need to have a plan worked out, right, in advance.

Laura MacGregor: We work with our CSO on this, he really takes the lead, but our team plays a big role in this. So, similar to what was just said, in terms of practicing this, tabletop exercises, sometimes planned ones are helpful to running through a simulation of what you would do and seeing where the gaps are in that response plan. And what are you missing? And what do you have to go back and add to later can be important. So we’re a very important partner in that beyond just breaches, but any type of crisis response, we know that we’ll be on the front lines. And so we want to make sure that we’re prepared for that. On the other side of the coin, you know, thinking about preparing for a breach, being transparent and thoughtful in how you communicate is important. But another important thing is thinking about the data you collected to begin with, because now they’re going to find out what you’ve got. And so if there are some fields in there, some things that maybe you weren’t using, it could be a time to think about what you collect. And whether that’s really important. That’s a conversation I’ve been having with our CSO lately is making sure that we can have a reason for every field that we collect and how we use it and why it’s important. Otherwise, we shouldn’t be storing that information.

Drew Neisser: I was thinking about that, and looking at a form was filling out where they were asking about birthday. And I thought, do they really need to know that information? And that’s such a good point. And I think that sometimes we want to as marketers get as much information as we can. So we can be as personal and be like 31 flavors and send you a birthday card for free ice cream on your birthday. But yeah, I don’t know, that’s a really good point about going through the forms, not to mention the fact that most people don’t want to fill out any forms these days. Dan, any more thoughts on this preparation?

Dan Lowden: The crisis playbook, I think is critical. And preparation is critical. Because every company is being attacked in one way shape or form, the more you are prepared for it, know who the core team is that you would work with, and build relationships with them in advance, especially the CSO, the CMO should have a very good relationship with the CSO. Because if there is a breach obviously it impacts customers, it impacts the brand and it could actually take the business down, it should be a top priority for CMOs to be in those conversations, be ready to be proactive, and communicate for those companies that are breached and they don’t communicate. They get hit the hardest from a standpoint of a response by the public and the press. Those who communicate very aggressively and say this is what we know. This is the steps we’re taking, this is our recommended action to you, I think is the right approach. Obviously not getting breached in the first place is critically important. But if you do, take the right steps and be open and share with customers and say hey, we’re gonna do everything we can to help get this in the best place possible.

Drew Neisser: So I’m thinking about the order of this is you got to do everything you can to prevent a breach obviously. That’s number one. And typically the breaches are going to come from an employee clicking on an email. So that’s about training and all sorts of other good things like that, then it’s prepare to be breached, prepare and run that fire drill if you will. The third part is you’ve been breached. And what Dan, you just said is so interesting, because now we know the famous, I mean, there’s target, and there’s some really huge, huge breaches that have happened. And the brand risk obviously, is tainted. I think the temptation might be among some of this, let’s close ranks and not say anything. And I’m curious, Michael, Laura, in your experience, I mean, because now suddenly, you have to go to the CEO. And you have to say, We got to get in front of this crisis by telling everything.

Michael Callahan: I think sometimes it depends on the scale. I’ll give you an example. Like, you never want a breach to happen, of course. But let’s just say you had an employee who had a couple of customer records on their phone, and he left it in a taxi right and someone and they didn’t have passwords and someone had access to it, that’s different than our entire customer database was breached. So you have to scale it and say, how broadly do we communicate this? Because if it is small, and you communicate to everyone, it creates this questioning of, well, what else is there, whatever it, oh my God, like, if you go out, and it’s one record, compared to a million records, the response is almost the same. When it is larger, you do have to communicate it. And you have to say, this is what happened. And here’s what we know. And here’s why. Here’s what we’ve done to fix it and address it and make sure it doesn’t happen again.

Drew Neisser: Fascinating, because this is a one versus 100,000 easy, right? In terms of data breaches. But I wonder where that line is, there will be some people’s voices inside, do we really have to share it, it was only 500 records, or it’s only 1000 records?

Laura MacGregor: Yeah, I think Drew, it goes back to looking at the regulation of the legislation and the area that you’re looking at, because some of those are pretty clear on your responsibility to notify at least the individuals who were impacted by the breach, having your security or legal team weigh in on that to make sure that you’re complying with that is critical.

Drew Neisser: Okay, so somebody may have already made this decision for you. And again, yet another thing that marketers need to understand that the options may be defined for you. 

Michael Callahan: It could be you communicate any breach, but you communicate the size of it, as part of that communication. There was a breach, but understand it was one person’s phone in a cab in Korea. And there were three records on it. But we’re letting you know, so you’re communicating, but you’re sizing it so that people understand just how big of a deal was because if you don’t do that, then people speculate typically, they’ll speculate to the worst.

Dan Lowden: It’s really, really important to have all these steps in place. But this shows the importance of the investment to be proactive to protect the company, the investments that CSOs need to make security teams need to make to protect everything. And that’s really, really hard. Because all the bad guys need is one small place to get in, they can protect a million different holes in a wall. But if they get in through one that can cause a problem. But the more investment, the more proactive approach, the more they are outward-looking, the better off they’re going to be at stopping some type of an attack. And if an attack happens, if they know about as soon as possible, they can react really quickly to minimize the impact to customers and to the brand. And that’s super important as well.

Drew Neisser: It makes sense. I don’t think anybody is going to be able to get away with running a business that involves any data capture that doesn’t have some significant walls of defense, if you don’t have those, you’re even more vulnerable, from a brand standpoint, because you didn’t take the actions or what would be considered some common steps or accepted practices for protecting their data. So I’m curious, are there some stories that you’ve collected that you think would be incidences that CMOs may not quite have thought about or realized that would help them understand the nature of the threat, or how their role in either protecting it or dealing with it?

Michael Callahan: I’ll talk a little bit about phishing again, right, and these threats from phishing, and they become so well crafted, that you fall for it right. And I think CMOs need to be aware of that. I have received text from our CEO that was trapped somewhere and needed me to send him some file, looks totally legitimate. In fact, it was so well done that where he was in the world, it came from that city, we need to be aware of that because as marketing people, we’re communicating through all of these channels. And we have to know that from the end users perspective, we’re just one of 10 different people or companies that are communicating with them. So they’re getting all of this from us. And so we get mixed in with that. So just like I’m gonna get a text from our CEO that says, Can you really send me an Amazon gift card? So I need to bail myself out of jail, that same end-user or I may be getting something else from another company that’s legitimate and we need to be aware of that. We’re in that mix, how do we differentiate? How do we make sure that comes across as communicating and that it’s legitimate?

Drew Neisser: So here’s the chain of events on those texts are typically are often new employees hired, they add the company to their LinkedIn profile, that criminal looks at this new person and the CEO, and then finds the text of the victim and figures it because you can get all everybody’s cell phone. So it’s through LinkedIn and public information. And they probably have it set up. So they’re triggered to get that information. So suddenly, companies need to be thinking about every new hire needs to be educated that they’re not going to get texts from their CEO or boss saying, hey, I need an Amazon gift card. 

Michael Callahan: There’s probably some regulation attached to it. But just part of our own security projects. And I’m sure learn the same thing, every employee has to go through a refresher, well, one, when they’re hired, they go through it. But then every year, or every six months, you have to go through it again to get updated and make sure that you’re aware of the threats.

Drew Neisser: I think that’s the part and particularly with small companies, for example, where you bring on someone and you figure well, everybody else knows about this, this is a marketing show with three CMOs, and we’re talking about this for a number of reasons. One, because you capture data marketer that puts a company at risk and two as the shepherd of the brand, this is probably the biggest risk that is out there for your brand, or one of them certainly, right, a cyber massive data breach can really do damage to a brand.

Dan Lowden: 100%, right, you can do a million things, build the most tremendous, well-respected brand. And one thing like this could take it out and impact it for a long period of time, especially if you don’t handle it the right way. There’s no wall anymore. There’s no barrier that the bad guys can get in and how creative they’ve been. It’s amazing. So another example is we’ve seen banks where a mobile app is created, it looks exactly like the bank, it’s put up on as one of the stores, can be downloadable, and it’s not the bank, it could look exactly like the banks app, people sign into it. And they give them their username and password. And that’s how they get in. There’s so many sophisticated ways the cybercriminals are trying to go and make money. That’s their goal. They’re trying to either disrupt operations maybe to impact stock price, or things like that, or they’re trying to get in and make money, anywhere where there’s an incentive. That’s where a CMO has to look and say, okay, if we’re giving incentives out there, we got to make sure we’re doing it the right way and doing it the secure way that’s going to protect the customer and protect the company. And that’s the biggest recommendation I would give.

Drew Neisser: So in other words, hey, we’re going to come take a trial or do a demo, and we’ll pay you $25 or $50 or $100 for your time. That’s what you’re talking about. Right, Dan. And so suddenly, that’s an example of an offer that’s on the table, that cybercriminals would try to figure out, Oh, I could cash in on that. It comes down to even like streaming services, hey, sign up for the streaming service, and will give you some incentive, they get a lot of people to sign up for it. They use fake accounts, they use real customer data, but they’re able to leverage that incentive and get paid out on that incentive, or that same thing with streaming companies, you know, attacks where somebody’s trying to influence the most popular songs of the week. And they can use bots to go do that and get paid higher out from an advertising perspective, based off of those views. So there’s so many different ways cybercriminals are getting in there, I would just make sure the CMOs are aware of these different types of attacks, and just work with the security team and understand what the company’s doing to try to protect themselves.

Drew Neisser: Laura, did you want to pipe in here on this on stories?

Laura MacGregor: Yeah, you know, I think it really comes back to what Michael was saying earlier about the cybersecurity education for everybody at the organization, not just marketing, although I think, you know, we hold the keys to the kingdom for a lot of the systems and tools where people could get in, but I know at our organization, we do phishing tests. So there are really tempting emails like a barbecue tomorrow, or a cupcake truck outside to try and see how we will pass that and if you fall prey to that you’re getting a little extra cybersecurity education. So just making sure everybody understands their responsibility when it comes to that and how important it is for the company’s reputation.

Drew Neisser: I feel like we’re often in a world of reactive to oh, there’s a texting issue. Okay, now we got to worry about texting. And I’m just curious if we were trying to help people get ahead of this. What recommendations would you have for CMOs to get ahead here?

Dan Lowden: This is what we do from a human perspective, we’re able to stop the attack as it hits a website or hits an app before it gets into the customer journey, the better you can protect the company at the first touchpoint the better you are at protecting the entire company and the customer experience. If you let them get down into the customer journey into the website into the buying and purchasing credit card, and using fake credit cards, they’ve gone really deep, and they’ve caused a lot of problems and a lot of resources. So if you can get them higher up where they first connect with you and stop them right there, you’re definitely going to have a more proactive approach and a better approach of protecting the company.

Drew Neisser: Before I asked Michael, for that response on the thing, it is time to ask the question, what would Ben Franklin say, and he has a remarkably paranoid response here for this one. And I think it’s actually appropriate to the conversation, and he said, the way to be safe is never to be secure. And I think that’s what we’re talking about. It’s like, you can’t rest in this industry, because the bad guys are never resting. Is that fair?

Michael Callahan: Yeah. I mean, if you always want to be paranoid, right, like never to be secure, but this is like, from the beginning of time, there’s always been good against bad guys, it’s never going away. You don’t go to a bank anymore now and say, you know, give me your money, right? Because you can just sit at home and do it and get way more than gold in an actual bank. Do you have to continue to be paranoid? And in us as marketers, I think we have to look at what are we doing? We are just one of many communications people or communication sources that are talking to our end users or our customers. And we have to know that mixed in that is some good guys and some bad guys. And be aware of it. Be aware that you’re writing in a way that is providing value, that it’s not click on this link and give me your password, right, whatever it happens to be, but be aware of how you’re communicating. You’re just one of 15 channels and someone’s getting throughout the day.

Drew Neisser: Alright, we’re gonna wrap up now with some final words of wisdom. We’ll try to bring it all together when it comes to cybersecurity, Laura, first up.

Laura MacGregor: Yeah, one thing I would say it’s not cybersecurity specific, but it’s related the conversation we were just having around, you know, protecting access. And it comes back to following those regulations and legislation. GDPR has been around for a while. Obviously, if there’s some kind of breach, there’s the brand reputation at risk. But with something like GDPR, there’s pretty big financial risk too in terms of penalties that you would have to pay. So making sure that you partner with your security team or your legal team, or consult a professional in this field. If you don’t have those people on staff, if you’re at a start-up, or an organization that doesn’t have that, making sure you understand what your responsibility is, is critical. When GDPR first went into effect in 2018, we were looking to see what everyone else was doing on their website in terms of capturing consent for cookies. And a lot of people just had an accept button. Accept, yes, I accept that you use cookies. But that’s not compliant, you need a way for people to decline, that has to be an option, you have to provide a way for them to opt-out. So you know, really understanding what you’re on the hook for to make sure that you’re protecting the organization is critical. And so you get the support of a team to help you.

Drew Neisser: Yeah, I can just see the startup CMOs going, look, I’m still trying to get product market fit. I’m still trying to figure out what our go-to-market strategy is. Now I got to worry about security, too. You actually do because the minute you start capturing data is the minute you open up the company to vulnerability. Okay, Michael, final words of wisdom.

Michael Callahan: Yeah. So I agree with Laura completely. And I would just add to that, this idea of the marketing tech stack, where are we vulnerable, right, as marketing people, we rely on this. And our job is we want to get information out quickly. We want to communicate with people, we don’t think about the technology at the vulnerability level, but partnering with your CSO if you don’t have a CSO, to do it, pay that 10, 20, $30,000 To have someone externally do some kind of pen testing on it, but something like look at the pennant look at the tech stack and make sure that you’re not unintentionally making yourself at risk.

Drew Neisser: Yeah, it’s interesting because we talked about in Huddles towards the end of 2022. When we are looking to cut budgets, one of the things is do an audit of your Martech stack and figure out what you’re not really using. Well, we didn’t talk about during doing that audit, we didn’t have security risk, because that might be another reason to jettison a piece of technology that you’re not using anyway. Okay, Dan, bring us home final words of wisdom.

Dan Lowden: You bet. I mean, I would tell CMOs to be proactive about it, not like hope it doesn’t happen. Be proactive about it, because you know, something is going to happen and build relationships with your CSO and the security teams understand where potentially the company is vulnerable. And just be ready with the plan if something does happen. And then finally, I would say for CMOs, this is an opportunity as well, if you go look at your performance marketing, and you see a lot of things that don’t make sense, wild movement in number of responses or a lot of fraudulent fake forms and things like that. Look at that. Because if you solve that problem, you can really have a great impact in increasing your conversion rates by making sure you’re engaging with humans, not bots. And I think that’s an opportunity to help drive a lot more revenue and a lot more success for the company. And I would say don’t create friction either the friction part for customers is problematic the bots can get by it and customers can’t. That’s a problem.

Drew Neisser:  Okay, well, thank you, Laura, Michael. Dan, you’re all great sports.

To hear more conversations like this one and submit your own questions while we’re live. Join us on the next CMO Huddles Studio. We stream to my LinkedIn profile that’s Drew Neisser, every other week. 

Show Credits
Renegade Marketers Unite is written and directed by Drew Neisser. Hey, that’s me! This show is produced by Melissa Caffrey, Laura Parkyn, and our B2B podcast partners Share Your Genius. The music is by the amazing Burns Twins and the intro Voice Over is Linda Cornelius. To find the transcripts of all episodes, suggest future guests, or learn more about B2B branding, CMO Huddles, or my CMO coaching service, check out renegade.com. I’m your host, Drew Neisser. And until next time, keep those Renegade thinking caps on and strong!