2. RSA CMO CYBERSECURITY SURVEY
INTRODUCTION
Modern marketing transformation in the age of
cyber risk.
Under pressure to show ROI and drive pipeline, marketing is
modernizing its engines and adopting new platforms and tools at an
incredible pace—choosing from an unprecedented array of martech
innovations. It’s well reported that in the next few years, marketing
will spend more on technology than IT does—putting marketing’s
digital transformation in the same tier as yesterday’s large, high-
priority ERP and CRM implementations.
The demands of a successful modern marketing strategy—speed,
precision and accuracy—depend increasingly on cloud-based applications
that are easy to deploy and use, often with no assistance from IT.
Traditionally underserved by IT, marketing has been resourceful in
developing “shadow IT,” along with a network of third-party providers
that can implement and integrate these new tools.
The result: If you’re leading a digital transformation
in marketing, you’re effectively in the business of IT.
Today, there are more than 4,500 vendors in the martech space, half
of them less than two years old. Most are cloud-based services, and
many are not fully tested for security. Even if a cloud-based marketing
application passes an initial security audit, ongoing build-out and
integration with other systems can open up new vulnerabilities, which
in turn expose the business to risk. Furthermore, this virtual marketing
infrastructure—being built outside of IT’s purview with an increasingly
complex set of tools—isn’t being monitored end to end for vulnerabilities
or intrusions.
As marketers make greater use of digital assets, services, and big data to
append, score, analyze and target customers and prospects, they must
also be accountable for ensuring a strategy for monitoring and protecting
that data on a daily basis. When the new EU General Data Protection
Regulation (GDPR) comes into play in 2018, fines for violating data
protection laws will increase tenfold for any company doing business in
Europe—regardless of where it’s headquartered. Before this happens,
marketing must have greater visibility into how its data is managed,
identify risks involved in handling and protecting customer data, and
develop a safe data plan.
In short, security isn’t an IT problem, it’s a business
problem—and it’s one that marketing needs to pay
attention to.
In an attempt to map the depth and breadth of security issues related to
the modernization of marketing, a new RSA survey evaluates how—and
how well—today’s IT and marketing teams are working together to ensure
that they aren’t inadvertently opening up their organizations to the
growing risks that come with a changing cyber threat landscape.
Marketing needs a deeper understanding
of cybersecurity risks associated with digital
transformation.
RSA surveyed over 300 marketing and IT professionals with headquarters
in North America. The primary objectives of the CMO Cybersecurity
Survey are to gain an understanding of 1) how both functions think about
security in the context of a digital transformation and 2) how well IT and
marketing teams collaborate to ensure that proper security measures
are taken when modernizing their marketing engines and adopting new
marketing tools.
EXECUTIVE SUMMARY
KEY FINDINGS
■■ Marketing organizations don’t fully understand the business and
cybersecurity risks associated with the digital transformation of
modern marketing.
■■ Marketing departments may unknowingly be putting their
organizations at risk during digital infrastructure transformation.
■■ Considerable discrepancies exist between marketing and IT
respondents’ perceptions of collaboration and effectiveness
during transformation.
■■ Marketing is largely unaware of security protocols and crisis
communication plans in the event of a security incident.
Marketing organizations don’t fully understand the
business and cybersecurity risks associated with the
digital transformation of modern marketing.
DATA INSIGHTS
Marketing is significantly less concerned than IT about the potential for
the marketing function to expose the organization to a security incident.
■■ IT respondents are significantly more likely than marketing
respondents to be highly concerned with internal and external
cyber threats.
■■ IT respondents are most likely to claim that between one and ten
security incidents occurred in the last year, and to attribute an average
of 45% of such occurrences to the marketing function.
■■ Marketing respondents are most likely not to know how many such
incidents affected their organizations in the last year, and to believe
that the number of incidents attributed to marketing is much lower.
■■ Marketing staff is not paying enough attention to marketing’s potential
impact on cybersecurity; only 10% of marketing respondents say they
are concerned with this impact.
■■ Of 12 major departments reviewed, IT ranked the marketing
department most likely to cause a cyber incident.
[Figures: Key Finding #1. "Concern that marketing is exposing the organization to cyber risk" (Marketing vs. IT; moderately to extremely concerned vs. not at all to slightly concerned) and "Percentage of incidents in past 12 months attributable to marketing" (Marketing vs. IT; 25% or less, 26–50%, 51–75%, 76–100%, with averages).]
DATA INSIGHTS
Marketing teams may not have a good understanding of the sensitivity of
the data they work with.
■■ IT respondents are significantly more likely to believe that marketing
staff work with a wide array of sensitive information, while marketing
respondents report a smaller range of data types.
■■ IT respondents are most likely to say that their companies have access
to 10,000 or more customer-related records, and that a breach of
20–29% of those would create a major issue.
■■ Marketing respondents are most likely not to know how many
customer-related records the company has, or at what threshold a
records breach would become a major issue.
[Figures: Key Finding #1 (continued). Panel titles: "Number of security incidents in last 12 months"; "Number of customer-related records"; "When do number of records breached become an issue? As a percentage of total records". A further chart compares IT and marketing responses across data types: enterprise data; personally identifiable information; credit card or payment card industry (PCI) information; IT security information; social security numbers; protected health information; attorney/client privileged information; sensitive identifiable human subject research; export-controlled research (ITAR, EAR); student education records (FERPA); student loan application information (GLBA); Federal Information Security Management Act (FISMA); other; none of the above; don't know.]
RECOMMENDATIONS
■■ CMOs, CISOs, CIOs and marketing leadership should discuss
marketing’s digital transformation initiatives, identify potential
business risks, and collaborate on strategies for decreasing
cybersecurity vulnerability.
■■ Marketing leaders should actively educate their teams on the state of
cyber threats, fostering a “built for security” mentality along with the
move to modern marketing infrastructures.
■■ Marketing teams should accurately classify the data they collect,
collect only what is needed, and properly secure different types
of data.
■■ As marketing creates customer journeys, marketing staff should keep
in mind data access and data governance processes related to the
company’s industry.
[Figures: Key Finding #1 (continued). IT vs. marketing responses in two bar charts: one with categories Don't know; < 1,000; 1,000–9,999; 10,000–99,999; 100,000–500,000; 500,001+; and "When do number of records breached become an issue? As a percentage of total records" with categories Don't know; 0% to <10%; 10% to <20%; 20% to <30%; 30% or more.]
Marketing departments may unknowingly
be putting their organizations at risk during
digital transformation.
DATA INSIGHTS
Marketing’s use of “shadow IT” and third-party services, without IT
oversight, could increase cybersecurity risk.
■■ Both marketing and IT respondents overwhelmingly agree that marketing
knowingly uses workarounds to avoid IT policies and procedures.
■■ IT respondents rank marketing as the function most likely to cause a
cyber incident due to shadow IT.
■■ IT shows higher confidence in marketing staff’s understanding of,
and compliance with, IT security policies, protocols and procedures
to minimize cyber threats—while marketing’s confidence in its own
understanding and compliance is much lower.
■■ Though native security is considered routine by most software
evaluation standards, when asked about its importance when
selecting and considering third-party marketing services, only 26%
of marketing respondents saw it as very or extremely influential in
selecting a vendor.
[Figures: Key Finding #2. "Use of shadow IT in marketing" (marketing respondents vs. IT respondents; occasionally to a great deal vs. never to rarely) and "Marketing's understanding of IT security protocols" (Marketing vs. IT agreement with "Comply with IT security policies and protocols" and "Have a robust understanding of IT security policies and protocols"; scale: strongly agree, somewhat agree, neither agree nor disagree, somewhat disagree, strongly disagree).]
RECOMMENDATIONS
■■ Marketing and IT security teams should proactively discuss potential
business impacts and cybersecurity risks associated with digital
transformation initiatives, especially if outsourcing or cloud-based
services are used.
■■ When evaluating third-party vendors, marketing should understand
what security best practices those vendors should be following.
■■ Marketing should work with IT and security teams to clarify what
certifications may be required, what standards vendors need to follow
and who vendors need to work with for security or operational issues.
■■ Marketing should work in partnership with IT to understand the
integration/data exchange requirements between internal and external
applications, along with any vulnerability points.
■■ Marketing should develop a plan for how the entire marketing
technology stack will be tested and monitored on a continuous basis.
■■ Marketing should determine how user access will be managed and
authenticated most effectively.
[Figure: Key Finding #2 (continued). "'Built for security' as being influential on marketing's decision to purchase third-party applications or services": not at all influential 7%; slightly influential 20%; moderately influential 47%; very influential 19%; extremely influential 7%.]
Considerable discrepancies exist between marketing
and IT respondents’ perceptions of collaboration
and effectiveness during a digital transformation.
DATA INSIGHTS
■■ IT respondents indicate that meetings and reviews occur between
the two groups; however, marketing respondents are less likely to be
aware of such interactions.
■■ IT respondents indicate that the two groups are likely to collaborate
at least quarterly; marketing respondents are significantly less likely to
know the frequency of such collaboration.
■■ IT respondents are significantly more likely than marketing
respondents to rate collaboration between IT and marketing as very or
extremely effective.
RECOMMENDATIONS
■■ IT and marketing leadership should form a more effective and
collaborative working relationship—not just to combat cyber threats,
but to keep marketing staff engaged throughout the process.
■■ For all major digital transformation milestones, both marketing and
IT security teams should ensure a full security review, including
vulnerability testing.
■■ Marketing and IT should create a strategy for monitoring the marketing
infrastructure for possible intrusions, and apply the same security
approach to this hybrid or cloud environment as they do across their
core infrastructure.
[Figures: Key Finding #3. "Frequency of collaboration" (IT vs. Marketing; Don't know, less often than annually, annually, semi-annually, quarterly, monthly, weekly) and "Collaboration effectiveness" (IT vs. Marketing; not at all to slightly effective, moderately effective, very to extremely effective).]
Marketing is largely unaware of security protocols
and crisis communication plans.
DATA INSIGHTS
■■ IT respondents are significantly more confident than marketing
respondents that their companies have both protocols and crisis
communications plans in place in the event of a security incident.
■■ Marketing respondents are significantly less likely to know about
crisis management protocols and communication plans—despite the
likelihood of marketing being involved in crisis response.
■■ Marketing staff’s lack of knowledge about the extent of cybersecurity
crisis communication plans is even more pronounced in companies
with less than $1 billion in revenue.
RECOMMENDATIONS
■■ Marketing should collaborate more closely with IT to understand its
role in the event of a security incident.
■■ Marketing could offer to take the lead on developing a cybersecurity
crisis communication plan in cooperation with the IT security team.
■■ Marketing leaders, particularly in small and medium-sized companies
that may be in a hyper-growth stage, pre-IPO or seeking investors,
should pay particular attention to developing a security strategy.
These same companies should develop clear customer and media
communications strategies in the event of a breach, which may carry
with it potentially devastating consequences.
■■ CMOs should lead executive-level discussion about brand protection
in the event of a breach.
[Figures: Key Finding #4. "Readiness to handle a marketing security incident" (Marketing vs. IT, for protocols and for a crisis communications plan; definitely yes, probably, no, don't know) and "Readiness to handle a marketing security incident, segmented by company size" (<$1B vs. $1B+, for protocols and for a crisis communication plan; definitely yes, probably, no, don't know).]
STEPS YOU CAN TAKE TODAY
■■ Increase your cyber awareness and understanding of the business
risks associated with your transformation: Get—and stay—smart about
cybersecurity. Actively seek to understand more about how your
innovations may unintentionally cause vulnerabilities for your company
or organization.
■■ Take accountability for the security of your martech: If you’re
spending a large portion of your budget on marketing technology, and
using third-parties or shadow IT to help you implement and manage
that technology, you are in the business of IT security. Help company
leadership understand that this isn’t a technology problem, it’s a
business problem. Don’t allow marketing to leave security behind in an
effort to move more quickly.
■■ Make security a key decision factor when choosing vendors: Require
that your vendors go through security audits if they aren’t already, and
make security one of your top decision factors. Ask as many questions
as possible about their ability to protect and defend your data, and any
possible entry points into your environment. Remember, almost half of
martech vendors are less than two years old, so it’s prudent to make
sure their tools and applications are well tested.
■■ Partner with IT on a roadmap and monitoring strategy: Build
marketing infrastructures with security in mind, partnering directly
with IT security teams to build an implementation roadmap and
plan for how your tools are tested and monitored on a regular basis.
Resource constraints or lack of diligence won’t matter if an intrusion
isn’t properly contained.
■■ Determine the best approach for managing user access across
systems: Work with IT to determine the best approach for protecting
user and privileged accounts with a solid identity assurance and
authentication strategy.
■■ Advocate for a breach communication plan: A crisis communication
plan should be in place and practiced regularly. A breach
communication plan forces discussion about disclosure policies, gains
alignment on definitions and communications protocols for crisis
communications, and clearly assigns responsibilities.
METHODOLOGY
This survey was conducted using an online quantitative instrument from
January through March 2017. RSA partnered with a third-party research
organization to execute the survey and administer it to IT and marketing
staff. While the majority of survey questions were the same for both
respondent groups, each group was also presented with a small block of
questions about which groups have the potential to cause
cyber incidents.
SAMPLE
In total, 303 qualified individuals responded to the survey: 171 IT
respondents and 132 marketing respondents. Due to survey logic,
sample sizes vary across questions.
RESPONDENT DEMOGRAPHICS
■■ Primarily managers, directors and C-level executives
■■ Representing organizations with at least 10,000 employees
■■ Representing international and national organizations with
headquarters in North America
■■ Representing a wide range of industries, including manufacturing,
finance/banking, computers, professional services,
telecommunications, retail, healthcare, internet, construction,
advertising, transportation and utilities
[Figures: Survey methodology & sample size. "Participants' role" (manager, director, C-level, VP, associate, other); "Participants' primary industry" (manufacturing, tech, finance/banking/insurance, professional services, retail, telecommunications, healthcare/medical, advertising, construction, media, marketing/PR, utilities, transportation, pharma/chemicals); "Where company does business" (local, regional, national, international).]