A study recently concluded that there’s a massive shortage of cybersecurity professionals. According to Enterprise Strategy Group, 53 percent of organizations are reporting a problematic skills shortage, and there’s also a considerable time lag with hiring, creating a window of vulnerabilities. Fifty-four percent of businesses experience a waiting period between three and six months before hiring someone who is qualified enough to protect their data. Cybersecurity directly affects marketing because high-profile data breaches and exposures have been damaging brands for the last several years.
In 2018, big names like British Airways, Cathay Pacific Airways, T-Mobile, Marriott Starwood, Saks, Lord & Taylor, and Orbitz all had data breaches, exposing the account information of hundreds of millions of people.
Things have fallen into a peculiar routine. To some extent, businesses and consumers have accepted this as a way of life. It’s written off as the cost of doing business in the digital age. The incident happens, headlines summarize the damage, and the brand tries to clean up the mess.
Some consumers are becoming numb. Others wonder why they should entrust personally identifiable information to certain companies at all, if the information seems to be treated recklessly and they receive negligible value in return.
But if data breaches and exposures are considered to be the cost of doing business, then that cost is rising. It’s no longer an abstract, moral cost. New data laws are setting significant penalties. French regulators imposed a €50 million fine on Google because they felt that the search giant hadn’t been transparent and clear enough.
And in light of the finding that organizations struggle to hire qualified cybersecurity professionals, it’s worth questioning whether these incidents are truly unavoidable. Some of the vulnerabilities are not inextricably built into IT infrastructure. They’re built into organizations, into the ways that people work, into each brand’s ability to attract top performers and incentivize top performance. These cyber calamities may reflect a recruiting challenge, or a legitimate gap in the skillsets of the workforce. In either case, it goes beyond the tech.
The Center for Strategic and International Studies took a look at the issue. Seventy-one percent of survey respondents stated that a shortage in cybersecurity skills does direct and measurable damage. One in three suggested that the shortage in skills had turned their organizations into more desirable hacking targets.
Cybersecurity Ventures predicted that there will be 3.5 million unfilled cybersecurity jobs by 2021. The problem has been characterized as an “imbalance between supply and demand of skilled professionals.”
How dire is the situation? Consider this. A teenager in Arizona received money from Apple’s bug bounty program after reporting a glitch. And it wasn’t a benign glitch, either. Fourteen-year-old Grant Thompson realized there was a way to secretly eavesdrop on people through the group FaceTime feature. He was just trying to discuss the game Fortnite with his friends. He reported it, Apple released a fix, and he collected his bounty (the exact figure is unknown).
When a teenager finds something from the bedroom of his childhood home that was missed by a multinational corporation earning 265.6 billion U.S. dollars annually, it’s worth really asking: What is going on here?
“You can’t just be focused on the perimeter only. You’ve got to be focused on where the data is living, how that is stored, and who has access to do what,” Cleary told DMN. He emphasized the need for proactive risk management and the right level of governance over data.
Cleary continued, “And you need to have a regular maintenance against that contact record that ensures you understand what’s occurring to it. And so perimeter layer securities, app layer securities, aren’t the only things that are going to do that. You also need the access governance controls in place as well, and then the monitoring technology.”
He said that these technologies allow data stewards to understand who has access, uniquely identify those people when they’re accessing it, and understand what they’re doing to the record. “That monitoring technology I think becomes critical at this point,” he said.
Brands could suffer long-term damage if hacks persist. But there might be ways for them to slip through the cracks and evade blame.
Some incidents are more egregious than others. For instance, the exposure of loyalty points or hotel room preferences would be treated less seriously than a massive hack that results in the dark web auctioning of passports and credit card numbers.
Also, a consumer might not be able to pinpoint blame. Breach notification laws force companies to notify affected data subjects. However, an individual consumer might be affected by multiple breaches. They might not immediately make the connection between fraudulent activity on their credit card and a particular hack. In the event of a phishing attack that replicates a brand’s messaging, it’s easier to spot the correlation. But sometimes it’s masked.
When asked about this, Brian Cleary suggested that consumers will take the severity of damage into consideration, but he added, “Their likelihood of continuing to do business with you goes down with every subsequent breach.”
If brands restore a sense of power to consumers, it’s possible that people will forgive the chaos of these modern times.
Cleary said there was a point in time when marketers wanted to know everything about consumers, but they didn’t want them to know that. However, marketing has switched over to more of a collective mindset, premised on transparency and a value exchange.
Consumers are pushing back, he said, and they expect brands and retailers to be forthcoming in the data that they’re capturing, how it’s being utilized or processed, and how it’s being stored. Additionally, consumers increasingly want and expect a preferences center. They want to determine permissions on a granular level. They want security.