Staring across the fence at each other
Bugs Bunny and Elmer Fudd. Cobra and mongoose. Corporate marketing and security. These are examples of age-old adversaries constantly locked in battle. These days, that battle between marketing and security is showing itself most readily in the area of social media.
Smart corporate marketers have learned that social media isn’t a fad or a option: it’s a necessity. If you use social media, there’s no one in your organization (except maybe your legal group) who seems to have as different an outlook, purpose, approach and goals as your security group. You need to be nimble, flexible, and on the cutting edge. And when you talk with security it seems the word you most often hear is “no”. Between your security and legal groups, getting approvals for new social media initiatives may make you feel like a suspect on “Law and Order” having to explain and justify everything again and again.
On the flip side, smart people in charge of keeping your digital properties secure know that they face unprecedented threats. Against that threat background, it can be frustrating to have to field constant requests to use tools that are untested, unproven and unknown. You need to be in control of your systems, your network and your data. It’s hard enough to keep your environment secure against the threats you know; being asked to secure against unknowable threats is crazy, especially in an era of shrinking budgets. Dealing with these requests may make you feel like you’re talking with an overenthusiastic teenager who’s so fixed on the cool thing, they have no idea the potential consequences when something goes wrong.
I understand the gap that separates these two sides because I’ve been on both sides. I’ve run computer networks and been an engineer in charge of securing them. I’ve said “no” plenty of times to requests because I felt they weren’t secure. I work now in crisis communications and PR. I’ve made requests for social media channels and had them denied because they don’t meet security policy.
I can say the marketers are right: social media is as important to business now as the telephone. And I can say the security folks are right: the technology is young, not well understood, in constant flux and is harder to secure than known technologies.
Both groups serve equally important but different functions in the company. When an impasse arises around social media the only way forward is for both sides to first understand each others’ needs and requirements. And then to take that understanding, collaborate and move forward in a way that satisfies as much of every ones’ needs and requirements as possible in service to the shared strategic direction of the company.
What are you thinking?
To understand what’s driving this frenzy around social media, its important to understand that communications has been undergoing the most profound shift since the development of the printing press.
The changes began with the broad use of the Internet in the 1990’s and has been accelerating exponentially ever since. In particular, the recent growth of social media, most especially Facebook, Twitter and YouTube has overturned all the old rules.
People in marketing and communications in 1987 would reach their customers in much the same way as they did in 1957. But in 2012, these same people don’t reach their customers in the same way as they did in 2009.
Communications has not only changed drastically, it’s showing no signs that it’s going to stop changing. Current technology trends and an unquenchable thirst for novelty among consumers means that from a marketing point of view, the most effective communications channels are often the newest. An example of a new communications channel breaking on to the scene is Pinterest, a new social media site, that is already making waves among early adopters and raising questions about its potential to replace Facebook. You can be sure that marketing folks are reading this article and trying to figure out how they can use Pintrest for their business and many will be coming to their security group soon with a request to use it, even as their security group may still be evaluating concerns with Facebook. Not to mention the potential legal issues regarding the use of Pinterest.
To understand what the security folks are going to think when that request comes through, its equally important to understand that the online threat environment is more dangerous than it has ever been in history.
A look at Trend Micro’s review of 2011 shows that online security incidents are continuing to climb and the chief focus in attacks is stealing organizations’ data. Symantec’s 2011 State of Security Report had 46% of respondents saying that social media was affecting the difficulty of them providing cybersecurity. 2012 only promises more of the same. Attacks are growing in sophistication and number; even major security companies and governments can’t successfully defend against these attacks these days. The only good thing about the current threat environment for security folks is job security.
It’s an axiom in security that you can only secure that which you can understand. It’s also the nature of new technology that it’s not known, certainly not to a level most security people are comfortable with.
This is the crucial point where the needs of marketing and security collide. Marketing has a need to use new technologies because they’re new. Security can’t comfortably use these technologies precisely because they’re new. And from a security point of view, introducing new technologies like this against the most dangerous threat environment in history is recipe for disaster. How can a security officer feel confident that marketing’s new Pintrest presence won’t be hijacked and used to serve up pornography and malware? If the risk is too great, they’re going to say no.
And that’s when we come to the impasse.
Moving Forward Together
That doesn’t have to be the end of the story though.
Plenty of major corporations have embraced leading-edge social media strategies without disaster. A look at Facebook, Twitter, YouTube and now even Pinterest shows plenty of success stories. The question isn’t “can it be done”, it’s “how can it be done”.
The key to effective, safe (or more accurately, acceptably safe), leading edge social media for corporations is to view marketing and security both as partners and agents of checks and balances.
A good security person will tell you there’s no such thing as being absolutely secure: part of the process for them is determining what risk is acceptable and accepting that risk. A good marketing person should be able to come up with creative solutions to work around resource constraints: they never have unlimited budgets after all. Both sides should be able to function successfully without getting everything they want so long as they get some of what they want.
Finding the right mix of each side getting some, but not all, of what they want happens by bringing people together from both sides who understand some of the point of view and needs of the other side. Once together, they should work through a process of understanding the marketing side’s business needs, the security side’s risk assessment and then make a determination of whether to accept the risk associated with meeting that need or not.
In those instances where, despite their best efforts, they can’t resolve the impasse, the issue should be taken to a senior decision maker with authority over both parts of the business. They then can then make the final decision of which is more important: the needs of marketing or the needs of security.
Companies that have embraced close ties like this between marketing and security will find over time there will be fewer impasses. In fact, over time, the ties between those two sides can sometimes grow to be strong enough that people pass from one side to the other, to the benefit of the company. A company that can quickly bring security expertise to bear on new technologies can deploy them more quickly. And as we’ve seen, that is squarely in the realm of what marketing needs to succeed these days.