The Gist

  • Brand impact. Cybersecurity affects brand value and loyalty. Breaches hurt trust.
  • Buying choices. Good cybersecurity encourages higher spending. Customers trust and share more.
  • Teamwork. CMOs and CISOs must align. They protect and manage data together.

I want to suggest something almost counterintuitive, that two executives, who typically don’t connect, do so at the next company event or holiday party. Who specifically, you may ask? I want to request that CMOs take the time to meet with their company’s chief information security officer (CISO). You are probably asking two questions right now. First, why should this occur? Second, how will this meeting relate at all to things that CMOs own such as customer experience? Let me take you there.  

The Importance of Brand

One of the most important things that CMOs own is a brand. According to University of California Berkeley Professor David Aaker in "Managing Brand Equity," “Brand equity is a set of brand assets and liabilities linked to a brand, its names and symbols add to or subtract from the value provided by a product or service to a firm and/or to that firm’s customer.” To be clear, controllable disasters subtract from brand equity and this impacts customer loyalty, perceived quality, switching costs and brand associations. 

At this point, you are probably asking yourself if there is research to prove the connection that I suggested above between brand loyalty and cybersecurity. Well, there actually is such research. In a survey by Vanson Bourne, 66% of respondents said they were unlikely to shop or do business again with a company that experiences a breach in which their personal financial information is stolen. The ability to trust that one’s personal information is protected is foundational and, dare I say, required to create customer intimacy. This is important as consumption of "experiences" outpaces the consumption of "goods."

Cybersecurity can drive customers to purchase higher-priced products. 

A Deloitte Global Powers of Retailing Report found that the primary reason consumers choose to purchase higher-priced products is that they are buying from a trusted brand. Importantly, the study found, like Vanson Bourne, that for 59% of consumers, just a single data breach would negatively impact the likelihood of them purchasing from a particular retailer. Deloitte found as well that with confidence in an organization’s ability to protect their data, consumers are more inclined to share information where they see a benefit. This means the company data needed to build a better experience must be protected but of course, remain accessible to those who need it to perform their jobs.

A Conversation Guide for CMOs 

Outlying strategic differences between CMOs and CISOs definitely exist, but they should not exclude these officers from communicating frequently about growth and acceleration. CMOs just need to ask the right questions to determine how objectives can align for the benefit of the company as a whole. I have graded the answers they get back from A-F in reverse order so CMOs can determine how the answer they receive back can be used to outline a more cohesive approach moving forward.

How do you protect our customer data? 

F) We do not protect our data currently because of a lack of resources.

D) We encrypt sensitive data so only approved employees can access sensitive data.

C) We have role-based access controls so only certain people can see all data.

B) We have some fine-grained access controls currently but could definitely use more help and a longer tail strategy.

A) We have sophisticated security and access controls in place already. We know who can see every piece of data and are currently using roles and attributes to manage these controls. 

Do we have defined customer data policies?

F) This is currently a mess for our organization.

D) They either have access or they don’t have access.

C) We have a limited number of role-based policies.

A) We have clearly defined, transparent policies and education teams on why they matter.

How long does it take for my people to get access to the customer data to perform their jobs?

C) Each person needs to be granted access or have access eliminated.

A) Access is granted by role and attribute-based policies. Enforcement means data is protected at the same time.

So, what will the potential answers mean to you as CMO? The protection, governance and standardization process needs to be viewed as a journey. For this reason, having a CISO and CIO with a plan is incredibly important. What is the impact of the answers provided above? If customer data isn’t protected, it means if the bad actors get in, they will have access to everything. In the cybersecurity business, we call this "moat and castle thinking." This situation is dangerous.

The fourth answer gets a “D” because if any approved employee is phished then the bad actors again get everything or if an approved employee becomes disgruntled, they can hurt the company including by taking customer data with them when they leave. Role-based access controls clearly represent an improvement, but this still means a sophisticated hacker can get in. All they need to do is hack the person who has all the keys and phish them. This happened at a major healthcare payer a few years ago. They phished the database administrator and took everything.

Sophisticated controls, on the other hand, are best for addressing the potential of a hack. They also enable you to meet the requirements of compliance legislation including the General Data Protection Regulation (GDPR). In this instance, no one has access to everything. 

For example, let’s say that you are a healthcare provider. The doctor should be able to see a complete picture of your health, pre-existing conditions, previous and current medical issues, and medications. Put simply, they can see almost all of the data collected for their patients. Meanwhile, due to the Health Insurance Portability and Accountability Act (HIPAA) compliance, finance cannot view what the doctor can see. However, they can view and validate all information related to payments across various doctor practices. And system administrators can view the setup of the system but none of the existing data. Further, a partnering pharmaceutical company can see all aspects of the patient except identifying information.
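The healthcare scenario above can be written down as a small role and attribute policy. This is an added example, not code from the article or from any product; the field names, role names, user ids and the sample record are all constructed for illustration.

```python
# Hypothetical field groups for a patient record (names are assumptions).
FIELD_GROUPS = {
    "identity": {"name", "date_of_birth"},
    "clinical": {"conditions", "medications"},
    "billing": {"invoice_total", "payer"},
}

# Role decides WHICH field groups are visible; anything not listed is denied.
ROLE_GROUPS = {
    "doctor": {"identity", "clinical"},
    "finance": {"billing"},                       # payments only
    "sysadmin": set(),                            # system setup, no record data
    "pharma_partner": set(FIELD_GROUPS) - {"identity"},  # de-identified view
}

# Constructed sample record; "care_team" is the attribute used below.
RECORD = {
    "care_team": {"dr_lee"},
    "data": {
        "name": "Pat Example", "date_of_birth": "1980-01-01",
        "conditions": ["asthma"], "medications": ["albuterol"],
        "invoice_total": 240.0, "payer": "Example Health Plan",
    },
}

def attribute_ok(user, record):
    """Attribute decides WHICH records: a doctor only sees their own patients."""
    if user["role"] == "doctor":
        return user["id"] in record["care_team"]
    return True

def visible_fields(user, record):
    """Return only the fields this user may see; unknown roles get nothing."""
    groups = ROLE_GROUPS.get(user.get("role"), set())
    if not groups or not attribute_ok(user, record):
        return {}
    allowed = set().union(*(FIELD_GROUPS[g] for g in groups))
    return {k: v for k, v in record["data"].items() if k in allowed}

if __name__ == "__main__":
    for uid, role in [("dr_lee", "doctor"), ("dr_other", "doctor"),
                      ("fin_1", "finance"), ("ops_1", "sysadmin"),
                      ("acme_rx", "pharma_partner"), ("x", "intern")]:
        print(role, uid, sorted(visible_fields({"id": uid, "role": role}, RECORD)))
```

Because no single role maps to every field group, compromising one account, including the administrator's, does not expose the whole record.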

So how does all of this become aligned for CMOs and CISOs? Simply put, data policies. Data policies protect organizations because they show you set out to be policy compliant and that you are working around the clock to protect customer data while providing the transparency required to demonstrate your intention to auditors. Organizations tend to vary in sophistication. They either have zero policies, a limited number of policies, or clearly defined and transparent policies. It is important to have the latter in place. Otherwise, the consequences can potentially land your executives in jail. Such consequences are not only exorbitantly costly, but they can also result in the loss of customer trust and significant damage to your company's reputation.

At the same time, you want your employees, regardless of access level, to be able to access data in ways that improve time to insights while delivering an optimized customer experience that supports cross-selling and upselling opportunities. If privileges are granted employee-by-employee, you increase the time to self-serve data, create workflow bottlenecks and eliminate access when and where it is needed most. This means it will take longer to build the data models that will truly transform customer experience for the long term. When access is granted by role and attribute policy, access is immediate. No request needs to be made, and you, as CMO, will be able to focus on your branding and marketing efforts.

Some Parting Words on Data Security

I hope I've conveyed the critical importance of data security for every CMO. It's essential to establish close working relationships with your CIOs and CISOs. Ask insightful questions and get meaningful answers to ensure your company's customer data is handled with care, as it's crucial for secure transactions, customer support and long-term digital transformation. Taking these steps helps prevent issues that can negatively affect your brand and its ability to effectively market to your customers. A few years ago, Brian Cornell, CEO of Target, reflected on a major data breach in 2013 that exposed personal and financial information of up to 110 million customers. He stated, "We can never again have a mass release of customer data. Otherwise, we will no longer have our business franchise." Perhaps it's time to add your CIO and CISO to your VIP contacts?
