Security: A Marketing Conundrum: why IT security experts are taking marketing directors to lunch

19 08 2010

I was reading an excellent InformationWeek analytics report by Michael Davis called Global Threat, Local Pain: 2010 Strategic Security Survey (May 2010). As someone involved in cyber security and working with Narus, this report was especially enlightening. Technology alone is not sufficient to keep your networks secure. Working with marketing to incorporate people and process as part of your holistic solution is a good first step to protecting the integrity of IP networks.

We know that technology can be used both to launch and to defend against network attacks. On the attack side it enables the planting of malware and the potential to exfiltrate data, that is, move it out of the network or system. In many cases, firewalls and intrusion detection and prevention systems are used to reduce these types of attacks. These technical approaches are far from sufficient. Security directors need a holistic view of the network and a multi-layered approach to security, especially when fighting the newer types of attacks.

There are more insidious ways to attack a network. Yet we, the general public, don’t think of compromising security through psychological, behavioral, and social engineering means. That is exactly what is happening today, and that is where marketing comes in.

Marketing is the battle for the mind, as Al Ries and Jack Trout claimed in their seminal work “Marketing Warfare.” Who would have thought that the concepts in a book written more than twenty years ago, prior to the tsunami called the internet, would have repercussions for maintaining the security of networks? Marketing is tasked with making customers aware of products or services and finding ways to get customers to take an action through a promotion, a click-through, or an interactive dialog. Think about the tools that marketing uses: search engine optimization (SEO) techniques or a well-worded direct email program with embedded URLs.

When a customer clicks on a URL, it opens the possibility for someone inside a corporation to open a “window” to confidential or private data. Pieces of malicious code can be downloaded and, over a period of time, used to send information out. The InformationWeek survey indicated that the second greatest security risk comes from authorized users/employees, mostly due to phishing expeditions. We see legitimate email programs all day with embedded URLs. Why wouldn’t we assume that a phishing expedition is legitimate as well? These attacks are on the rise because people are susceptible to clicking on messages that seem to be real. You don’t need technology to get information out of corporate networks. Rather, with these social engineering attacks all you have to do is convince the user to voluntarily provide the information!

In SEO attacks, a user searching for specific items (say, those high on Google analytics ratings) is sent to a site that looks real. In reality, the user is redirected to a “spoofed” or “fake” site where the user can be targeted, with the intent of obtaining the credit card or account information of an individual or corporation. No wonder the survey made the interesting comment that there is a potential new bond between the marketing people, who understand the psychology of getting customers to take action through marketing programs and social engineering, and the IT directors, who tend to work on technical solutions.

How can companies and organizations reduce their risk of cyber threats from these new social attacks? Let’s make the assumption that the IT directors implement the right technology, such as the combination of signature-based malware protection, policy management, and traffic intelligence from companies such as Narus. In addition to technology, policies such as filtering, blacklisting, and most of all training of employees are needed to prevent attacks. First, the security officers have to work on policy and on filtering of sites that are normally risky. Perhaps screening of certain emails which contain known types of embedded risks has to be done. Most importantly, the marketing directors must work with the IT directors to help educate employees on how to protect themselves against these social engineering attacks, which will have the attendant benefit of protecting both the employees in their private lives and their companies.

Unfortunately, it’s a complicated problem. Yet the combination of people, process, and technology coupled with a good bond between marketing and IT specialists may be a good first step to protect the integrity of IP networks.
3 responses

19 08 2010
Mister Reiner

More education and process is necessary given today’s technology and computer security paradigms, but it won’t address the root cause of the problem, which is that the underlying computer technology is insecure.

As you indicate, technical approaches are not sufficient – but why? Don’t we already know everything there is to know about computer security and hacking? Hackers aren’t doing anything new, just variations of what we already know they can do. I mean, how many buffer overflows do people need to find in Adobe Reader before Adobe realizes that their coders and security team don’t have a clue as to what they’re doing?

Computers won’t be secure until the hardware, operating systems and software are re-engineered from the ground up. All this “bolt-on” security isn’t getting us anywhere and the fact that people are getting hacked just proves it. Over ten years of computer security product development and the world still isn’t secure. What’s wrong with this picture?

20 08 2010
David Friedman

I understand your comment. My comments suggest that technical solutions are part of the overall solution. There are several levels of security – from the machine to the network. It’s not a simple solution. The vulnerability and risk of distributed IP networks is significantly different than the risk of a compromised PC. Just looking at the PC for example, even with the best anti-virus programs, security breaches can be accomplished via phishing and social engineering programs.

Yet, I do believe that we, in the industry, are making significant progress on the technical front. It is not just bolt-on products, but a redesign of technology from the ground up. A holistic multi-layered approach is necessary for combating malicious intent. A call to action for government/private cooperation will also help over time.

I know this is a very short answer to a very complex problem. Unfortunately, it is just not that easy to stop what we are doing and start again from the ground up.

28 09 2014
astropid not loading

Everything typed made a ton of sense. But, consider this, suppose you composed a catchier title? I am not saying your content is not solid, but suppose you added a headline that grabbed a person’s attention? I mean “Security: A Marketing Conundrum: why IT security experts are taking marketing directors to lunch | The Business of Business” is a little vanilla. You should look at Yahoo’s front page and see how they create news headlines to grab viewers to click. You might add a related video or a related pic or two to grab people interested about what you’ve written. In my opinion, it would make your blog a little bit more interesting.