Data systems and password protection are typically the buzzwords for security and oftentimes keeping Marketo secure isn't at the top of every marketer's list. We sat down with Peter Liske, Security Officer for Digital Pi, to learn more about why security can't be an afterthought. In this PiPointer, he covers how a few minutes a day can truly keep threats away! Check out the PiPointer here:
Jeff Coveney: Keeping Marketo secure isn't always at the top of every marketer's list. Well, today we're joined by Peter Liske. He's going to tell you a little bit why you might want to make security a little bit more of a priority at your organization.
Peter, one of your specialties is around security and technology. A lot of marketers aren't necessarily focused on that area. Why should marketers start to think more about security in terms of their systems and specifically in Marketo?
Peter Liske: I think one of the underlying goals of marketing is to establish trust, trust in the company, in your brand, your products, and that trust also that covers how you treat your customers and your prospects' personal information. And if you do a poor job of that, you could find yourself with some PR headaches that really undermine all of your marketing efforts.
People forget that with Marketo, and other marketing applications, these are really channels of communication from your company out to the rest of the world. And you need to keep those channels secure and locked down because kind of the worst-case scenario is an attacker gets into that and start sending out misinformation. That could be really disastrous. So I don't think marketing should ever treat security as an afterthought. It really needs to be part of the whole consideration
Jeff Coveney: Security isn't always there as a KPI, but if a marketer wants to start, where do they start? How do they start thinking about security?
Peter Liske: Well, I think kind of at the broad level, when you think about the security of a system and Marketo, and your whole stack is a system, usually you're only as secure as your weakest link. And the weakest link is almost always a person. It's people. Not people doing intentionally things bad, but people just unaware. So, I think the baseline is you need to have some form of security awareness at your company, and you can start out with some basic things.
Don't send passwords over email. Don't share passwords. When you pull data out of the system and you have extractions of this PII, make sure it's in a secure place and it doesn't get emailed around, that it doesn't get put up on a shared site. So these are all basic security policies that if you don't have one, spend an afternoon putting together some of these basic things, and make sure everyone who accesses your system is aware of it. That's the beginning of a whole security awareness program.
Peter Liske: Getting into a few more tangible things, when we go into a client's site, we will do an audit and we'll look at things like how many users do you have and who are the admins? And do you need that many admins? And how come these people haven't logged in in months? I mean, are these people who have left the company?
I recommend put on your calendar every week, spend five minutes, review your user list, make sure it's clean and remove anyone who doesn't need admin access or who shouldn't be there. Do the same thing with your API keys. Make sure that you don't have a bunch of old API keys that you've been accumulating. So keep them clean. That's some very basic things to start with.
Jeff Coveney: Just I know sometimes when we're going in and helping our clients, we find different names in the system that don't even belong to the company, because maybe somebody had jumped into the Marketo system at some point. Is that a good or bad thing?
Peter Liske: Well, this is something very relevant to us because we're a consulting firm and we are invited by our clients to have access to their systems to do our work. And so they're putting their trust in us. So every company, when you have outside vendors access your system, they become part of your whole security sphere, and they need to have trust in you.
So you need to review, first of all, the third party that you are giving access to, you need to do some basic screening to make sure that they're aware of all the implications, that they have some good protocols in place, which is obviously one of the reasons why we spent so much time putting these security procedures in place for ourselves is so that our clients can trust us.
Jeff Coveney: Well, thanks so much Peter, today, for sharing all your insights on security. We'll see everybody next time on the next edition of Pi Pointers. Thanks.