High-profile data breaches at big-name companies have become an all-too-common pitfall that creates negative press. Marketers need to protect their company and customers by knowing how to prevent a cybersecurity attack or security lapse.
Today’s guest is Gary S. Chan from Alfizo Security Solutions. Gary is a cybersecurity expert and helps organizations make sure software and systems are safe and secure. Avoid being the next victim and consider the cost of inaction.
Ben: Hi, Gary. How's it going this afternoon?
Gary: I'm doing really well. Pleasure to chat with you this afternoon, Ben. Thanks for having me on the show.
Ben: Yeah, absolutely. As we were chatting before jumping into the interview here, I'm really excited to have this conversation with you because this is a very different topic for our show and for our audience. I think it's one that's really important for marketers to develop some awareness around and be smart when it comes to the security of the software and the systems that they use. So before we get too far along, would you mind introducing yourself to our audience and explain what you do?
Gary: Sure. Well, my name is Gary Chan, and I help businesses improve their sales, meet compliance, and stay safe. I graduated from MIT with a Bachelor's in Electrical Engineering and Computer Science. I hold four security certifications, and I've helped a number of different organizations from commercial to nonprofit to government agencies with their security.
Ben: Very cool. I think it's safe to assume that when it comes to cybersecurity issues, you know a little bit about what you're talking about today, it sounds like.
Gary: I hope so and I think my clients believe that too, so I'm good to go.
Ben: So I think right off the bat, why should marketers care about cybersecurity, specifically as it pertains to their work?
Gary: Well, I think a few things. One is the obvious, which is it helps keep them safe. The second is it actually helps them do their job better. You can use security concepts as an example to get more emails into their recipients' mailboxes rather than for them to go into spam boxes. So there's a number of things that they can do. And I think the third reason why they should care is because security can be a market differentiator, right? And being able to message that properly to businesses will get them larger clients because those larger clients tend to care about buying from companies with good security.
Ben: Yeah, and I can attest to that. I know here at CoSchedule with some of our larger customers, it is very common for them to want to have someone from the IT team talk to a salesperson or see some sort of technical documentation before they'll even sign off or before they'll let the marketing team sign off on a contract. That's extremely true.
One thing that you touched on there was email. I know that marketers of all stripes are very concerned about email deliverability and abiding by all the numerous best practices that apply to the technical side of email marketing. So just to touch on that one benefit specifically for a moment, how much does security knowledge actually improve email deliverability?
Gary: Quite a lot, actually. If you don't configure things properly, a lot of your emails will go to spam boxes, which means that your recipients don't read them. I mean, you could get like a threefold increase or sometimes even more if you properly configure all of the settings in there. And that goes beyond you not writing Viagra in the body of the email but actually setting up your SPF properly and all these other acronyms to make sure that they do get delivered appropriately.
Ben: Yeah, and I think all of our listeners would probably like to see a 3X increase in email deliverability.
Gary: I don't, as a recipient of the marketing emails, necessarily.
Ben: So maybe on a personal level, you feel it would benefit you to not share that information.
Gary: It kind of works both ways on the security side, just to give you from my perspective. I'm quite happy to help customers. Obviously, whatever they need is what I want to do, but it's kind of funny because I can help you bypass spam filters, but then I can turn around and go work with other organizations to help block the exact same things that other people are now helping to authorize. It's just a game of cat and mouse, right?
So if you're investing in it, you're going to be at the forefront, you're going to get all your emails in there. Or, if you're investing in stopping it, then you're going to have the best from a defense perspective. It just depends on how you're using the security, and that's what's so interesting about security—basically, the same thing can be applied on either side, and you can get a completely different outcome.
Ben: Certainly. It sounds like there are two different sides there. There's the side of security that actually helps you do your work better and help you get better results, and then there's also the defense side, which I assume—not being a super technical person myself in this area—what you mean by defense is you're preventing bad actors from hacking your systems.
Gary: That's right, and it's not just hackers. It could be insider threats because sometimes you get disgruntled employees and they do stuff. Basically, defense would be anything to stop bad things from happening to you.
Ben: I think that all of us would like to stop bad things from happening to us.
Gary: Right. Fear is a primary motivator for defense, yes.
Ben: Sure. I think that this has always been an important topic for marketing teams. I think maybe over the last years, it's become even more important. As more marketing teams have adopted more web-based software platforms like our own here at CoSchedule, but just all kinds of different platforms that help them manage remote work and do all these other things that they have to do now that more people are working from home as a result of the pandemic. Which has gotten me thinking about, you know, just as a marketer myself, how many different tools does our company use that are creating all these different connection points, and there's all this exchange of data that's all flying in all different directions in ways that we really take for granted?
But all of those tools have to be secure, and all those different integrations and connection points between things need to be secure, or else you could have serious problems. And we very often do hear about serious problems happening when different tech services get hacked or have a significant outage. How can marketers know that the tools that they're using are secure—from a defense perspective—in order to prevent getting hacked or succumbing to an internal threat, leaking customer information, or doing something else that's going to land them in the headlines for reasons they would probably not prefer?
Gary: I think, first off, they should be delegating that to their IT department or to their risk management department. Different organizations will do it differently, but there will be usually someone who is managing third-party risk.
Let's say that you're the marketer, and you're calling all the shots, and you're doing it yourself. The first thing I do is read the terms and conditions and privacy policies that are associated with whatever it is that you're buying. Sometimes simply reading that will give you a better understanding of how they're going to use your data, or at least how they're intending to use your data. You don't know, actually, what they’ll actually do. So that would be one thing.
The second thing I do is use only reputable software. Use things that you know lots of other people are using. It's not a perfect thing by any means, but it's way better than finding a thing that's been downloaded like once before by somebody else, right? So use reputable software.
The next thing is probably the best thing that you can do, which is to look for security certifications. This is pretty rare, to be frank. If you are wanting to subscribe to some sort of service or buy some sort of product, some of them will have security certifications. One of them that you might see is an ISO 27001 certification. You might also see a logo for a SOC 2. Stuff like this will help you, but I would also just add as a side note that a lot of marketing folks, like people on this show, can get pretty tricky with their marketing.
What I actually see a lot of times is these companies will market their things and they'll say, we've built our software on Microsoft Azure which has been certified as all of these things. And then they spend two, three pages talking about the certification they have, but that's for Microsoft. That's not for them. You just have to be really, really clear that the certification is for what you're actually buying, and then go from there.
And then, I would say the final thing is making sure that you avoid using free software. If they're giving it away for free, well, they're making money somehow. I would say in the absence of a full-blown technical security assessment, those are the four things that I would do.
Ben: Just to touch on that last one about free software, I think for marketers, there's a number of different simple tools and different things out there that a lot of us use because they're either free or they're low-cost. I was just wondering if you would be able to articulate when you say free software—say like here at CoSchedule, we have a tool that we call our headline analyzer. Basically, you make a free account with your email address and you're able to use this free tool for life. How would someone be able to maybe make the distinction between a tool like that, which is legit, versus something that's free that may not actually be so secure?
Gary: Well, I'm not familiar with the tool that you mentioned.
Ben: Right. That’s just an example.
Gary: Sure. What I would say is, just in general, everybody who is making this stuff for the most part is looking to make some money. So if you're not paying them, just understand how you're paying them. If you're not paying them in cash, maybe they are using your data.
There's a lot of actually free software that works pretty well that are set up by nation-states where they actually let you use it for free, but what they're really getting is not just your data, but they’re taking your username and password. Because a lot of people will use their email address as their username, then they'll use the exact same password that's used for their email address, and then they'll log in. So now you've just told them your username and password for your email, which they can then use for something else. If it's not a nation-state, maybe it's a criminal ring, which will then use that to then reset your password for your bank account and drain your bank account.
The only point is with the free software, you are paying somehow. So if you're not paying in cash, then you really, really need to be thinking about whether or not you should be using that. What I would say is, if you're okay with the information becoming public or all of that stuff that you're using that tool for, you don't care if other people are using it, then that's fine. That's not a big deal. But if it's private in any way whatsoever, I would not use it.
Ben: Like we said at the beginning of this episode, you might think that marketers don't really need to worry about cybersecurity and that it's something for IT or maybe for other teams to worry about. It might just be a thing that's just never really come up, or it's just never been a thing that you've ever consciously thought about.
But if you're a modern marketer, then you're likely dealing with a lot of customer data somewhere within your marketing practice. And failure to keep that data safe and secure could not only lead to a publicity nightmare, but potentially the end of your business, maybe in very extreme cases, but the possibility isn't off the table. So if the benefits behind getting at least a little bit educated here aren't clear, then consider the cost of inaction. Now, back to Gary.
So that covers the defensive side, and we've touched a little bit on the side of it where security helps us actually be more successful. To get back to the point that you were making earlier about email deliverability, I imagine that for most of us marketers, most of us don't really get our hands dirty in the technical side of things. But we do need to know how to talk to marketing automation specialists, software engineers, and IT folks.
We have people that we work with that we need to be able to have a real conversation with in order to clearly communicate what we need as marketers, to communicate what we need from them just for all manner of technical issues including security, and making sure that we're handling data responsibly, and we're configuring our systems correctly.
If I'm a marketer listening to this and I feel like I can understand that security for my email platform is really important, but that's as much as I can understand. But I know that I need that in order to get that 3X return.
How would you advise that I educate myself so that I could go talk to IT, I could go talk to automation so that I could talk to the technical folks in my organization and actually have a conversation with them about why this is important? Maybe to open up a conversation around maybe what they could be doing or what we could be doing to do better in that area in a way where I'm not going to feel like the technical people are talking over my head? How can I get myself up to speed enough to actually talk about this in a real way?
Gary: Obviously, doing any type of reading online could be helpful, but I would pretty much say that it's really about talking to the right people in your organization. If you're talking to the first-line help desk employee—the person that you call the 1-800 number for—he's going to want to talk maybe the tech stuff because he won't really understand the business aspect. But if you're talking to a higher-level manager, I would say in pretty much every case when I've been talking with folks, all they really need is your business case.
So if you go to them and say, hey, look. I send out 10,000 emails a month, and I believe that 80% of them end up in spam boxes. Can you help me? That pretty much is good enough if you show the use case, and you're very articulate around what it is and how you're measuring it. The technology manager, I mean, his job is to translate from the business to the technical stuff for his staff. I don't think you necessarily need to learn a whole bunch of technical jargon. It's really about being very clear on your use case and how you're measuring success.
Ben: Yeah, I think that makes a lot of sense, and that's probably a relief for some people too. So on the flip side of all of this, I think you've made a pretty good case for why security needs to be something that is on marketers' minds. On the flip side of that, though, what are the risks that marketers face if they don't take data or data security seriously? You had mentioned that fear is a powerful motivator here, but what are some of the risks and consequences we might face if we just gloss over these things?
Gary: Well, your company might just go out of business. It really only takes one sort of event to cause a lot of chaos. You read about all this stuff where there's ransomware and basically the whole system gets shut down. We've had cities shut down, we've had schools shut down. We even have, with Zoom when people log in to do what's called Zoombombing people, they basically would just have to shut down class.
It only really takes one thing to cause a significant event. I would categorize it as you're going to lose customer data, you're going to lose intellectual property, you're going to lose time, you're going to lose money, and you're going to lose some of your reputation. But this is at the company level. If you don't care about any of those things at the company level because the company is not you, then I guess it doesn't really matter. But if you took any of that personally, then I think you should care a lot. I'd also like to emphasize that the fear is losing one of these things, but you really do get a lot from security.
On the positive side, you get that peace of mind from knowing that you're going to stay safe, from knowing that you're probably going to have a job tomorrow because it's not going to go out of business because you're doing good security hygiene. But you can also leverage security in ways that I actually frankly rarely see marketing people do, unless I go up to them and say, hey, would you like to do this? That's a great idea. But no one ever asks me to do that.
You can benefit from security a whole lot. Just to give it yet another example—Google will actually do rankings. You already know you have to have good content, right? Assuming you have good content, they actually will give you a higher rating if you have better security on your website. There's a ton of stuff that you can do that's a positive benefit that is not driven by fear. So these are the things you're missing out on if you don't worry about security.
Ben: Yeah. That's great insight there. So let's say I'm a marketer listening to this episode, and I'm just wondering where do I even begin making use of all of this information? I think that maybe one logical starting point for a marketer might be just auditing their technology stack, just assessing their current practices. If you were in their shoes, where would you recommend they start?
Gary: I know you have a variety of marketing folks on this as your audience, but if you're in a company that has a technology team, let them do that. Your job, from a security perspective, is to follow the guidance that's there. Use strong passwords. Do that annual security training. Report suspicious events. You need to use that technology team. You shouldn't be going out and doing that technical assessment on your own.
You should be taking that software and bringing it to the IT team before you buy it and say, hey, I want to use this thing, whether it's free or otherwise. Can I do that? And then have them vet it. I think that's really the role, and it really offloads a lot of work from the marketer. You don't have to worry about these things, that's why you have security people there. You don't have to do their job for them, but you need to bring it to their attention because, otherwise, they won't know about it.
But of course, if your audience member is on their own, then they'll probably want to do a little bit of reading up on security on their own, and need to put in some very basic precautions. You'll find a lot of this stuff like back up your data, use encryption. Basically, they'll need to recreate what the IT department in a company would typically do. Those are some of the things that I would suggest.
Ben: I think that's great advice. I think, once again, it's probably going to come as a relief. As long as you can articulate why you care, your technical folks should be able to work with you on those things. Well, this has been great, Gary, but before I let you go, is there anything else on this topic that we haven't touched on that you'd like to leave our audience with?
Gary: Sure. Especially with working from home, I think that security awareness—whether it's what everyone heard about phishing emails, I'm sure everybody's heard about that sort of thing. Whatever it is, it's a lot more things that you should be aware of because you're working from home now. You have a lot more attack factors, you don't have that corporate firewall blocking things on your laptop anymore, and things like that.
What I would suggest is, if your company doesn't already have annual security awareness training, that you go to my website. That will be start-training.alfizo.com, and you can just watch any of the free videos on some of the security things that you should be aware of in this day and age. So that's something that I would leave your audience.
Ben was the Inbound Marketing Director at CoSchedule. His specialties include content strategy, SEO, copywriting, and more. When he's not hard at work helping people do better marketing, he can be found cross-country skiing with his wife and their dog.