3 Ways CMOs Can Bolster Cybersecurity Learned From When My Brand Was Hacked

Not only is McAfee entrenched in the industry, but it’s also susceptible to attacks

Large hand with binary code reaching for small man
Cybersecurity is now too important to be left exclusively in the hands of IT. Getty Images
Headshot of Allison Cerra

I’ll never forget Easter Sunday of 2017. That was the day McAfee’s page on a prominent social media platform was defaced, less than two weeks after we had spun out of Intel to create one of the world’s largest pure-play cybersecurity companies. The hack would have been embarrassing for any company; it was especially humiliating for a cybersecurity company.

No, Easter Sunday 2017 isn’t one a fond memory for me. Instead, my mind conjures the seemingly endless phone calls I made to McAfee executives letting them know of the digital vandalism, the unending hours attempting to restore the social media presence of our newly-minted brand, the back and forth with our cybersecurity team to identify the culprit.

And to add insult to injury, I recall the moment of clarity on an otherwise confusing and panic-filled holiday that still strikes me to this day. I was ultimately responsible for a hack I wish I could blot from history since it happened on my watch. As the CMO of McAfee, it was my team’s responsibility to do everything in our power to safeguard the image of our company on that social media platform. We failed to do so.

I’m not alone in having experienced an unfortunate hack that may have been prevented had my team and I been more diligent in practicing habits to minimize it. Every day, organizations are attacked, and behind every hack, there’s a story. There’s hindsight of what might have been done to avoid it. While the attack on that Easter Sunday was humbling, the way in which my McAfee teammates responded and the lessons we learned were inspirational.

From individual contributors to the board of directors, every corporate employee needs a prescription for strong cybersecurity hygiene. Everyone can play an indispensable role in protecting his or her organization from attack. This is especially true for CMOs, who are most often ultimately responsible for the channels that a brand communicates to its customers, advocates and the world.

I’m not only a marketer who works for a company that has its origins in cybersecurity, but one who found herself on her heels because of a cyberattack. It’s this unusual confluence that gives me perspective of the critical role marketing must play in protecting a company’s culture of security.

Here are three ways CMOs play a critical role in creating and stewarding a culture of security at their organizations. 

Create a plan before a breach occurs

No company will be able to prevent all breaches. Determined cybercriminals need only score once. When they do, the marketing and communications teams will need to strike back quickly with a coordinated, choreographed communications plan that engages all relevant stakeholders with clear instruction and sincere empathy. Customers and employees will measure a company based on its response. And when the smoke clears, they may not recall everything a company said or did, but they’ll certainly remember how a company made them feel.

Take ownership of marketing’s role in building security

Security must be built into the product lifecycle at every level. That means the highest functional leader in the company for each department, including marketing, should explicitly review and approve that the security requirements for their function has been sufficiently built into the product before it is introduced to market.

For example, is the product a connected device (keep in mind that with the internet of things, there are indeed a lot of “things” that are now connected)? If so, are the instructions clear to the user as to how to change the factory default password? Is the product software requiring user registration? If so, how, where and for how long will the user’s personally identifiable information be stored? These are just a couple of examples to illustrate that sound security starts at product inception.

Work with your cybersecurity organization to reinforce your culture of security

CMOs have an opportunity to align with an unlikely business partner: the chief information security officer (CISO). Employees are often unwitting participants in a bad actor’s battle against a company. CISOs want to protect the company’s digital assets and intellectual property while CMOs want to protect the company’s reputation. Both are aligned when it comes to educating employees about the importance of sound cybersecurity hygiene. Partner with your CISO to implement internal campaigns that increase the awareness and practice of strong cybersecurity habits. Whether training employees on how to spot phishing emails or instructing them on the mundane—but essential—need for strong password habits, there is much to be done to enlist employees on your company’s side of the battle.

It’s a new world, one where every employee plays an important role in thwarting cybercriminals. I’m not so naïve as to believe that cybersecurity will become everyone’s primary job. But I know that cybersecurity is now too important to be left exclusively in the hands of IT. I also know that CMOs can play a critical role in building cultures where sound cybersecurity practice becomes so routine that all employees regularly do their part to collectively improve the defenses of their organization. CMOs, hear me when I say, your organization needs you in this fight.

Allison Cerra is senior vice president and chief marketing officer at McAfee.