Managing Marketing: The IT Risks Facing Advertising Agencies


Raja Pradeep is the CEO of IT company AUP IT, which provides CIO consultants to work with small to medium businesses to ensure governance, risk mitigation and compliance for the IT network and systems. He shares the changing role of the CIO and CTO in not just reducing risk but working with the business to unlock value and performance within the IT infrastructure, and how agencies can ensure they meet the security and risk expectations of their clients in handling data of all types.


Follow Managing Marketing on Soundcloud, TuneIn, Stitcher, Spotify and Apple Podcast.

Transcription:

Darren:

Welcome to Managing Marketing and today I’ve got an opportunity to sit down and talk about a topic that we all sort of dance around and that’s the role of IT and cyber security in advertising and marketing. To do that I’ve got a chance to sit and have a chat with Raja Pradeep who’s the CEO at AUP IT. So welcome, Raja.

Raja:

Hi Darren, how are you doing?

Darren:

I’m very well. Look, IT is one of those things that everyone largely takes for granted until something goes wrong, true?

Raja:

That’s so true and it’s hard for us as well to be honest because we always tend to be called in after the building has been burnt down.

Darren:

Yes, the old saying is close the door after the horse has bolted.

Raja:

Exactly.

Darren:

The reason I wanted to have this conversation is that we’ve read a lot in the last few years about the CIO and the CMO in big corporations needing to work together because marketers in these big organisations are investing a lot in Martech and AdTech, so platforms and systems for them to do their marketing and advertising.

When that translates down to an agency level, there’s sometimes a disconnect and so I thought it would be great to have a chat to you about how agencies can make sure that they’re aligned to the expectations of the clients around their IT security, I guess we’d call it cyber security, yes?

Raja:

Absolutely, that’s a really interesting point that you brought up that the CMO and the CTO or the CIO have to work together more now and why that’s happened.

If we go back a couple of decades, the marketing function was separate to the IT function and the CMO and the CTO often were in their own silos. They wouldn’t talk to each other because the CMO was typically outward focused in terms of promoting the brand through traditional channels and the CIO or the CTO was inward focused in how can I keep the house in order, keep the plumbing working for the IT systems and what have you.

Now we find just in the last few years there’s been a massive convergence and their roles are all up in the air. The CTO is now being called on to advise on the business or the CIO is being called on to advise the business on what should my strategy be in bringing out new products, new services.

What markets should I address? How do I leverage the data that’s already within my business to make impactful changes in the market place or to be number one, right now we are number four for instance.

The other questions they often get asked is, we have so many different processes within the business but they are not really functioning optimally. Can you advise us on that? How do I know which processes are optimal? Are we really following a process or is it a work around?

We often see now that a lot of internal staff go out and download their own apps. They don’t use the app that’s been prescribed by the IT department that’s being managed by them and they go and do their own thing and IT has no views on this.

Darren:

Look, you are absolutely right. We had a financial services company that with something as simple as sending a PowerPoint presentation, they had such an old version of Microsoft Office that they couldn’t open a PowerPoint presentation.

What I discovered was that it’s because often traditionally the CTO, especially the CTO had a mandate to lock down the system to protect it. It was all about risk management and minimising the risk by shutting down as many of those entry points into the system as possible.

You even get it in some organisations, you walk in with a thumb drive and none of the systems have a USB because you are not allowed to put a thumb drive into the system because it could have all sorts of malware on it.

Now doesn’t that attitude almost work against that idea of technology, which is to facilitate productivity, expand opportunities, and make businesses more successful?

Raja:

100% and that’s what the traditional CTO and CIO used to think. Even to this day we find there are large organisations where the focus on risk and compliance and the fear around cyber security has shut them down so much that they have become almost inflexible to work with.

So there is an interesting tension between allowing a level of flexibility so that you can go out and grab the opportunity and do something with it and also have a governance risk and compliance framework that’s basically common-sense, so you don’t stop people being productive and being effective in their jobs.

In some ways you could argue things have come full circle because with the cloud everyone assumed that all the risks and all the threats automatically disappeared because you don’t have to manage that infrastructure in-house now, and it’s the cloud service provider now that’s going to take the risk.

Darren:

I’m glad you brought that up because I have had that conversation. Especially agencies have gone, ‘oh we don’t have to worry about that anymore cause it’s just all in the cloud. We are with AWS or any of the other service providers and of course they just manage it for us’, but that’s not the truth is it?

Raja:

No, just in the last couple of years as cloud models mature and there’s more and more organisations have shifted into the cloud, we find some of the major banks have been hacked.

There was a case study last year where WPP, which is the world’s largest advertising agency, was crippled by the NotPetya attack and there was a very sophisticated ransomware attack and they spent millions trying to fix the damage that happened after the attack.

Darren:

Now, I’ve heard about ransomware a lot, in fact it affects all sorts of companies, not just the big companies like WPP. I remember hearing a news report that a medical practice or a dental practice had had this. What is ransomware, how does that work, how do I get into this game?

Raja:

To give you a bit of context around ransomware, what typically happens is cyber criminals hack into a network and they lie dormant, so they are still there sniffing around trying to find information but their presence is not made known.

Darren:

Right.

Raja:

Then they figure out what information is critical for the functioning of the business. Let’s say for example a hospital or mid-sized dental practice, their patient data is critical information because a single record could be used for identity theft if you’ve got someone’s name, date of birth, where they live you can extrapolate.

Darren:

And their number.

Raja:

Yeah, you can do many things with it. If you take that to a slightly bigger level, if it’s a digital marketing agency who’s dealing with for example the Commonwealth Bank’s internal marketing because they do internal and external.

They just surveyed 10s of 1000s of employees and all that data is there and that data could be on a USB stick on someone’s laptop which has just been uploaded to Google Drive. It’s very easy for a cyber-criminal to hack in there. But then they encrypt the data and demand a sum of money to release that.

Darren:

So to get access to your own data you have to pay, which is why it’s called ransomware.

Raja:

This is why it’s called ransomware. Once you pay they know someone will pay and from my experience, what we’ve seen is most organisations that have fallen prey to ransomware once, they become repeat victims. It happens again and again.

Darren:

So Raja, just to clarify for me, whether that’s sitting on my server hosted in my business or up on the cloud, it could still happen?

Raja:

100%.

Darren:

So it doesn’t matter where it is?

Raja:

It doesn’t matter where the data sits. It could be in Azure, AWS or IBM’s cloud, it could be in your own private cloud which is in a data centre in Sydney or Singapore or Melbourne. It could be on a physical server which is sitting in your office, you could still fall victim to ransomware.

Darren:

So you mentioned say a digital agency working with say a CommBank, a financial service company, we have noticed in the last 8 years, contracts between especially financial services, insurance, banks, the whole lot and their agencies have become thicker and thicker and thicker and a lot of that is around data security, IT infrastructure and redundancy.

There’s more and more onus on agencies working with these companies because financial services particularly are very aware and also held very accountable to the security of their customer data.

Raja:

Absolutely.

Darren:

Because we are talking about dollars, filthy lucre. Anyway, so how do agencies keep up to date with what they need to be doing to meet these expectations? Because I would think some agencies are signing these contracts and not actually knowing what they are doing.

Raja:

Absolutely and that’s been our experience as well. And to your point, we will soon find that before these agencies can even bid for the business of these large organisations, whether that’s through an RFI or RFB process, one of the requirements that will soon be set in stone will be, are you GTBR compliant?

Darren:

Yes.

Raja:

What are the cyber security frameworks that you have in place to protect your clients’ data? How secure is your own network environment against cyber criminals and cyber threats which can be both internal and external? Do you have a security and governance compliance statement that every employee, every staff member, every contractor even has to sign?

Most often the answers to these questions is ‘no’.

Darren:

Right.

Raja:

So a good place to begin would be a cyber hygiene audit if you will, where you get an external provider to come in, a cyber security expert to come in, and if they have an understanding of advertising agencies and how they operate that’s even better.

They can then look at everything from the lens of cyber security to the governance risk and compliance perspective, put in place common-sense measures which would include having a clearly articulated policy that everyone’s bought into.

So as a business woman, as an advertising agency, you have made everyone aware that there is a risk element here, there is a risk profile and we are dealing with sensitive data and you’ve got to adhere to certain frameworks or certain standards if you want to work with us. So there’s an awareness piece as well.

Darren:

So it’s almost like getting independent validation that you have in place almost the basics to make you secure and compliant.

Raja:

100% because ultimately no one can guarantee that a cyber-attack can be prevented but in our experience if you practice proper cyber hygiene you can keep the cyber criminals out, most of the time.

Darren:

It’s a bit like the old thing of securing your house; if you do the basics then the criminals are going to look for the house that doesn’t have any protection because it’s easier to hack.

Raja:

Exactly. A big thing that I would also like to highlight, obviously I can’t talk names but we walked into an advertising agency just a couple of weeks ago. We found they are in a shared work space with another large agency and they both share a common network. As a guest into their environment I was able to log into their guest WIFI and through that guest WIFI I could even access the files of the directors of both companies.

Darren:

Unbelievable!

Raja:

And then all I had to do was turn my laptop around and say, guys is this your personal folder, is this where you keep all your company minutes and there’s the contracts that you’ve been bidding for, it’s all in here. Me, logging in as a guest, as a contractor I was able to see all this.

Darren:

And that’s the other thing about WIFI, you don’t always have to walk into the office, you can be sitting outside. What do they call that, there’s people that just go along looking for WIFI networks they can hack into?

Raja:

Scanners, and the other thing is to secure that WIFI, it’s not a cost prohibitive exercise. It’s very simple, a few tweaks and both of them can share the internet vibe and secure each organisation’s individual networks.

Often we find it’s not because they don’t have the money or they don’t want to do it, it is that they are not aware, there’s no awareness around this. Most of the people supporting them from an IT standpoint tend to be very reactive.

If the computer is broken the IT guy will come and fix it. If the printer is not working the IT guy will come and fix it. The IT guy will keep fixing things but they will never ask the main question which nobody asks which is, why does this keep happening? And why does it keep happening on the same day, on a Tuesday at 9 am when this person walks into the office?

They don’t have that 30,000 feet view of the organisation.

Darren:

Well, that is more moving from a technologist, a technician into more a strategic role where you start looking at, what is the role of our IT network, what is it that we are trying to secure, what is it that we are trying to achieve by doing this?

I mean that then comes down to all sorts of issues around what type of network do you need and what is the role of cloud versus having your own storage and the like?

There is a lot of talk around the industry about Martech and AdTech, these are just all platforms that people are plugging and playing across the internet and yet there’s a sense that they are secure but the connection between your office and these platforms that you are using, isn’t necessarily secure is it?

Raja:

Absolutely not, and we find there’s lots of vulnerabilities in terms of, the physical location; where these offices are. Often we find small to medium sized organisations tend to share an office and then they share the WIFI infrastructure as well.

They also let contractors into the office, and number one, does the contractor have an agreement with the business that they have to adhere to certain common standards when it comes to cyber hygiene, probably not. And they have access to all parts of the network so there’s a huge element of risk.

Darren:

And even things like setting up the VPN’s just to help secure your connections. But I remember a CTO once said to me, the biggest weakness in any IT network is the idiot using it.

Raja:

That’s right.

Darren:

He said almost every problem that he’s ever had in a network is usually the person punching the keys at one end.

Raja:

You’re absolutely right there and these days when we walk into digital advertising agencies, midsized organisations we find there’s varying levels of maturity. The Millennials tend to be much more IT savvy than the generation before them.

You could say they were born into the IT revolution when everything went into the cloud and they’ve been around a smart phone and they know how to use technology. They are fairly conscious when it comes to sharing their personal information and where and how.

But there is a layer which is outside the awareness of the normal user, and that’s the network layer. That’s your WIFI, your cloud platforms and sharing of data at a network level.

Darren:

So that’s where you are saying you go from a user knowledge to a sort of management knowledge?

Raja:

Correct.

Darren:

And then I would imagine there is a layer above that which is more your strategic planning process. There’s the manager who manages the infrastructure but then there’s also got to be a role, I’d imagine, this is where a CTO, CIO comes in to actually think about what are the future requirements of the business.

Raja:

Yes.

Darren:

How are we going to evolve this, how do we scale, that’s one of the big things for an agency.

Raja:

100% and the big evolution for a CIO, CTO has been, that they no longer just look at lagging indicators, they’re also focused on leading indicators because now they are seen as enablers of business and drivers of business.

So what decisions do I make based on the data that I’ve currently got. What areas of business can we explore based on where we are at now? What share of wallet do we have of our existing client base?

These are all questions that are not just marketing and sales orientated, this is where the CIO along with the CMO has a big input.

So going back to your previous question about that divergence of roles between a CMO and a CIO, now we find that there is a common platform there. The CMO has to become more tech savvy and the CIO has to become more marketing and sales savvy.

Darren:

It’s interesting you should say that because certainly a lot of people are saying CMO’s are now investing more budget in technology than ever before and in fact in some cases have a bigger budget than the CIO because they are investing in all these platforms.

The problem seems to be if they try and make decisions around platforms without actually engaging the IT department and procurement. Both of those have an important role in the integration of those platforms into the overall system don’t they?

Raja:

100% and because I have sat on both sides of the fence I can also see why the CMO’s are reluctant to engage the CTO, CIO because traditionally they have been the road block to adoption of new technologies because they often come up with ten reasons why you shouldn’t do it. It’s very hard for them to come up with a solution and as to how to do it and make it work.

I’ll draw a distinction here; there are two types of CIO. One’s still in the old world of prohibitions and road blocks and restrictions. Then there’s the future ready CIO who’s more savvy, who understands that the CIO can’t stay in his or her own silo anymore and needs to collaborate with the CMO and the operations manager or operations director to take the business forward.

They tend to be more flexible. They tend to have a business focus and tend to be more commercially savvy and that’s where we find a happy marriage as it were, where things get done.

Darren:

It’s because the main mandate is no longer just risk mitigation, that they actually realise that the role for the CIO is to help the organisation and all of the stakeholders maximise the potential of the technology.

I think there is also a problem because of the two areas in any business; CIO’s and CMO’s also have their own languages, there’s the language of marketing and there’s the language of technology.

I think probably technology wins on the use of three letter acronyms because IT seems to have so many 3 letter acronyms that they would beat most marketers hands down in a game of who has more, don’t you think?

Raja:

Absolutely, and the CTO needs to understand that they need to start talking in a language that business gets them.

Darren:

And marketers.

Raja:

Absolutely, otherwise they will no longer be part of that conversation; there’s no point in throwing 3 letter acronyms at people. Arguably, I think it is a great conversation to have because I think in the main, the tension between the CMO and the CTO is dissolving because they both understand how integral they are to each other’s roles. IT as well is now being seen as a real enabler, not just a POS centre.

That’s great news for the CTO and the tomorrow ready CTO’s, the future ready CIO’s have embraced that 100% wholeheartedly and they realise that for me to stay relevant in the conversation, these are the things I need to deliver back to the business.

Darren:

There’s another role that CTO’s can play especially for marketers is that there’s the thing called the stack, you’ve probably heard of the marketing stack.

Raja:

Yes.

Darren:

And that is all the different applications, platforms, solutions that sit there. They have Salesforce and Adobe marketing experience and they’ll have like 3 or 4 different platforms that all have a lot of cross over. But it is because often marketers will buy into a SAS solution for a particular functionality and then they’ll get another platform to do something else, when in actual fact it was available to them.

Probably the best example of that is we had a procurement team that had run a global tender for a DAM, a Digital Asset Management system when in actual fact they had Sitecore which has a DAM in the centre of it. So they had already gone out to see if they could buy a DAM when the very platform that they were using had one, it’s just that no one was using it.

Raja:

No one was using it! You are spot on because a lot of times a technology option is driven by a perception that something they’ve got in house doesn’t work. Often the case is that they are only using 10% or 20% of the whole technology piece.

And there’s actually a gap between the CMO and the CTO, and there’s a whole space there, there’s a big play around process analysis. So, if it’s marketing automation in the marketing process, sales process and if you talk to an IT person they have a completely different view of what a business analysis or process analysis is supposed to do.

And if you speak with a marketing person they will have a different view. But from a business standpoint a process needs to be mapped and what we need to really understand is, is the process being followed or not. Because if we start doing process mining, which is a whole different area, you’ll often find with most companies 80% of the processes are not being followed correctly because people have found a work around that works for them.

But when that person moves, someone else comes in and takes that role, that knowledge which is in the head, walks out with them

Darren:

Walks out the door.

Raja:

That knowledge has not been qualified, it’s not written there and there’s no way, if you take the event log from the application and run it, you realise, for example why are we not using the DAM from Sitecore.

Darren:

Look that’s a really interesting view but I have also been involved or come in off the back of someone doing process mapping where they’ve gone right through the organisation and asked everyone questions, so how do you do this and how do you do that, and almost to the person, they’ve all regurgitated the instruction manual.

Raja:

Correct.

Darren:

But I think a much better way of doing it is to look at anyone’s work station and in fact in one particular case there were post it notes everywhere. And I said what are the post it notes for? And they said, oh well it’s too hard to do this so I just write down the code on here and it’s like everywhere had all the access to every single part of the platform all coded on bits of paper. I think it’s often better to watch what people do rather than ask them what they do.

Raja:

100%. Because people tend to (to put it kindly) embellish how they go about doing things because they know the answers someone wants to hear and they tell you that. A better way, as you said, is to watch what they do.

Another way to do it is to look at the application logs that are there and you could run. There are tools in an area called Robotic Process Automation and Process Mining; it analyses keystrokes, event logs and gives you a real view of how an application has been used.

Darren:

Because even if you’re watching them they’ll still probably start doing it the way it should be.

Raja:

Correct. And this is now a very interesting area because it gives you a real time view of exactly what’s happening in the environment. And the other thing it does is if someone is not using a process because people are smart; if a process is not working they find a workaround.

So, if the process is broken you’ve got to fix it because if the process is fixed you can apply automation and smarts to it and then it gets better and faster. Fundamentally, if the process is broken no amount of technology is going to fix it.

Darren:

My father, who was a technician, said, the people you want to have working for you are smart and lazy because they will always find a more efficient way of doing something. They don’t want to do it the way it should be done because that takes too much effort.

I think he was justifying his own behaviour. Back to the idea about the end-user often being the weakest point. Email now has been around for more than 20 years and email has become so ubiquitous in business. We send billions (trillions) of emails globally each day. And yet there was one area you wrote about: phishing.

I think people have forgotten that emails are a huge risk as far as accessing a network aren’t they?

Raja:

100% – they totally rely on users mistaking them for genuine emails and clicking on a link or downloading stuff they’re not meant to. And this talks to the whole social engineering aspect of security which doesn’t receive a lot of attention.

We came across a case recently where malicious hackers had gone in and looked at people’s Facebook profiles, created fake identities and doing catfishing where, with a fake identity they’ve befriended them, got them to reveal very personal and confidential information, used that to do very sophisticated phishing emails and hacks and run away with 100s of 1,000s of dollars just because they were able to con that person into doing this.

And the way around this is through education. There is no other way around it. And it shouldn’t be a HR function because HR will typically push it to HR and it shouldn’t be IT because IT will send it to finance. But everyone in the organisation has to own it.

Recently, we ran some sessions where we trained people on how to identify phishing emails, if an email is genuine or not or sent by a scammer. What you should do to protect your endpoint device, your own laptop.

And, interestingly, the reason a lot of these hacks are happening now is because of BYOD (bring your own device) to work. In this day and age people don’t just have the one work laptop. They might have a work laptop, two machines they own themselves, a couple of Smartphones (one for work, one for their own personal use).

One individual might have 5 or 7 devices and each device has probably only got the one password. Then if the home machine is infected because of downloading videos and games and what have you, then if they plug that into the corporate network there is a risk there.

If someone has cracked their personal password and if that’s the same password they use at work the entire corporation is at risk. They do this because there is no awareness and that just needs to be brought to the surface. They need to be educated.

Darren:

I’m notorious; I hate those passwords that my IT manager insists that we have with all the letters, symbols, numbers, upper and lower case and I notice Google now will create a password for you. And that’s great except for when I updated my laptop I had to start it all over again because the old passwords that Google was memorising (and that’s a worry because that’s sitting in their cloud somewhere).

Raja:

100%.

Darren:

Even though it’s the most unmemorable randomly generated password possible, someone could easily hack that and suddenly all of that goes out the window.

Raja:

True. It’s called two-factor or multifactor authentication, where you have your own password but then you have a key generated through the Google authenticator or a number of others—it’s just an algorithm. As long as that’s not cracked.

If someone wants to crack your device they will need to know your password, which if you’re changing every 30 days and they have to know the algorithm for the randomly generated number so it becomes a bit harder.

Now, organisations are introducing biometric security, there are fingerprint scanners on a lot of devices. If you have triple factor authentication that makes it harder.

Darren:

And as you said, nothing will stop someone who is determined to hack you. But if you’ve got all of this they will look for someone who doesn’t.

Raja:

100%. There is still a chance but the chance becomes less because the way these cyber criminals operate; they are sophisticated machines and bunches of hackers sitting in a corporate building wearing ties and suits and their job is to hack into people’s networks and make money.

So if someone is very hard to crack they’ll move onto the next one and they keep moving on to find the soft touch because they don’t have the time.

Darren:

A lot of advertising agencies use Mac so iOS and there is a general story going around that you don’t have to worry about malware and viruses and all those things because they’re all set up for Windows. So, if you’ve got a Mac network you don’t have to worry about all this.

Raja:

That was the perception; not true anymore. There are a lot of sophisticated attacks on the Mac networks as well for the sheer fact that there are now more Macs than before.

Darren:

So, it’s worthwhile phishing in a pond that’s big enough to find a target.

Raja:

Absolutely.

Darren:

It’s been fascinating talking to you, Raja. As the CEO of AUP IT, thanks for making the time and having a chat.

Raja:

Thank you, Darren.

Darren:

Just one last question. I’m assuming you’re a Windows/ Microsoft man but outside of your laptop, do you have any Mac or Apple software?

Ideal for marketers, advertisers, media and commercial communications professionals, Managing Marketing is a podcast hosted by Darren Woolley and special guests.