The Equifax Breach: Former White House CIO Believes Marketers Need To Be Engaged In Cybersecurity

This article is more than 6 years old.

Theresa Payton

From the Target breach to the Sony intrusion to the recent WannaCry global ransomware attack, the frequency and scale of cyberattacks are increasing. The recent admission by Equifax that sensitive consumer information was stolen is the latest, and arguably the worst, breach we've seen to date. As we watch company after company essentially fumble these cybersecurity crises, I've wondered why marketers aren't more involved. To better understand why and what marketers could/should do, I’ve been interviewing several cybersecurity experts (see here for a series).

I recently interviewed Theresa Payton, former CIO for the White House (during George Bush’s administration) and current CEO of Fortalice Solutions, a cybersecurity and intelligence consulting firm that helps nations, businesses and people protect themselves from emerging threats. As the person charged with protecting the security of the White House, a prime target of cyberattacks, her perspective is incredibly useful in understanding what marketers can learn from cyberattacks and how they can get more involved. Below is not only insight useful for marketers, but also the humorous story of how Payton became the White House CIO. To see Payton's perspective on the top 7 cybersecurity questions executives should ask following the Equifax breach, click here.

Whitler: It is interesting that you worked at the White House. Can you share a little about how that happened?

Payton: It is a bit of a funny story. I was just back from maternity leave with my second baby and was getting ready to finish the day. My executive assistant (EA) said I needed to return a call to the White House. I asked her whether she meant the apple juice company or the clothing company. My EA said, “No … the White House.” My next thought was that we were in trouble for something and so I asked my EA what was wrong. She said that the White House was interested in including me on a slate of candidates for the CIO position. At the time, I thought this was a joke or social engineering and was convinced someone was pranking the office. After refusing to call, my EA said that she promised I would call back, so I dialed the number of the contact given, and in a cheeky and sleep-deprived sarcasm, I said, “I heard President Bush is looking for a CIO and somehow I managed to end up on the list even though I don’t know anybody there. I need you to validate that this is legitimate.” The contact on the other end told me to go to WhiteHouse.gov, call the main number and ask for John. Of course, I thought this was a joke. When John actually answered the phone, I had to apologize profusely. So that was the introduction. I went through the entire process and ended up becoming CIO for the White House. John and I still laugh about the first encounter to this day.

Whitler: How did you end up at Fortalice and what is the company’s area of expertise?

Payton: When I transitioned out of the White House, I was looking for a firm that was really focusing on solving the big picture issues in cybersecurity in an innovative and creative way. Fortalice is unique in that we are focused on protecting nations, organizations and individuals from cyber breaches. We’ve been able to prevent major calamities from occurring and when minor issues do happen, we are able to manage and mitigate any issues. For example, we helped a rookie football player when an ex-girlfriend posted private photos. We’ve helped women who have been cyberstalked by their exes, helped individuals of all ages who have been cyber bullied…on up to CEOs and politicians. On the business side, we work with every industry vertical. We work with Fortune 50 to Fortune 1000 firms. Our approach is a customized one to help assess risk, design preventative and monitoring solutions, and should an incident occur, enact mitigation efforts.

Whitler: When did you start thinking about marketing’s role in cybersecurity?

Payton: While technologists are working feverishly to protect companies from data breaches, CEOs and boards cite cybersecurity as a top firm-level concern. But are CMOs concerned? If CMOs are responsible for architecting and stewarding the brand, what impact do data breaches have on the brand, growth, and firm and does this warrant greater attention from marketing? I’ve been speaking about the need for greater marketing inclusion for some time.

Whitler: Why do you think marketing can help?

Payton: Remember the Yahoo! breach? It takes an average of 211 days to figure out that criminals are in your system. Recently, we saw the biggest ransomware attack ever with the WannaCry malware and now we have the Equifax breach. When we see these crazy headlines, cybersecurity firms believe that the “globe will now understand how important this is” and prioritize it. My pushback has been for some time that this is a wake-up call for the security side. The reason these colossal security systems don’t work is because we don’t design for humans. We design the perfect systems and then we claim that the users are making the mistakes. Look at what happened to Sony when North Korea didn’t like the movie that was about to be released. The ensuing cyberattack caused massive disruption. Sony had to take all their systems offline to the point that the company was using old BlackBerry phones and post-it notes to keep the business afloat. By the way, I have colleagues that work on their security team and they are good at their tradecraft. To prevent and/or mitigate damage is exceptionally difficult.

The CMO must be the best friend of the chief information security officer of the company. The old way of looking at security was to build a huge moat and fill it with piranha; this would protect the castle, where all the data was stored, from an intruder. Today, the users are mobile and global. We can’t control devices and data. The new mindset must be that while companies try to do the right thing for consumers, they may be doing the wrong thing for security. And so how do we create a win-win? We should build safety nets around the customer. Because the CMO is focused on the consumer, they must now be involved in protecting the consumer and the company. Meeting compliance and regulation isn’t sufficient to protect something bad from happening. Security must be an enabler and not a detractor from productivity. In the global WannaCry attack, people went into hospitals in England to have surgery and couldn’t because of operational disruptions. Security and consumer experience are now fully intertwined.

For more articles on cybersecurity and marketing, see: A Wake-up Call, Why Marketers Should Care, How Marketers Can Protect their Firms, Consequences of Cyberattacks for Marketers, Why Now is the Time for Marketers to Get Involved, Cybersecurity: Who Owns it and Manages it

Join the discussion: @KimWhitler