It's been a few years since I trained my youngest child how to drive. But when I did, I recall one of the real joys is that moment when you start seeing his or her eyes no longer focusing on what is just in front of them (as in, a few feet from the front bumper), but rather looking far enough down the road to see what really matters.
And so it is with cybersecurity, where many practitioners are so keenly focused on the data and what is going on in their internal domain that they fail to see what really matters to the business. Because it's not the data that ultimately matters in business terms. Oh no! It's the brand. It's the reputation. It's both combined. Don't believe me? Go ask any of the board members, CEO, partners, or other stakeholders what really matters between the two. If they say "the data", then they are almost surely just trying to give you the answer they think you want to hear. Because when they get back in their stratosphere, they aren't talking about the data nearly as much as they are about the brand and reputation. As the saying goes, this is what they lose sleep over at night.
The 7.ai Brand Example for Us All
You might not have heard of 7.ai, but you have likely heard of the breaches that occurred this past year with Delta Air Lines, Sears, Best Buy and Kmart. In each of those cases, their 3rd party provider for customer messaging services was 7.ai. And it's this provider at the very heart of the matter.
The timeline from there has been made quite clear. The hack itself apparently started on September 26, 2017 and ended on October 12, 2017 when the incident was noticed and corrected. From that point on they worked with forensics, law enforcement...all the usual players. Then, in March, the companies became aware of the incident, leading to the early April 2018 public disclosures.
I'll save you counting on your fingers. Yes, that's approximately 6 months from the time it was noticed until the public was made aware.
Okay, so that's the back story. Now, what's the broader brand impact with a full quarter gone by?
The ZecurityAscent Analysis
A big part of our business these days is helping customers understand the brand impact to their business as it relates to cybersecurity. Why? Because CIOs, CISOs, and CMOs desperately want to get this piece right. They want and need to understand the impact of a cybersecurity incident, then hopefully use that to their distinct advantage before anything bad even happens. Of course these are very different roles, each with a language all their own. So, not surprisingly, they look wherever they can to find the resources to not only build those bridges, but also maintain them. That's where the cybersecurity brand analysis, among other tools, comes in.
Cybersecurity professionals do tend to think that marketing people are somehow "Don Draper" clones. But that's just not the case. Once upon a time, sure...maybe. But now they are deeply, deeply analytical, seeking to quantify every marketing dollar spent. The CIOs and CISOs who understand this and can then tap into that expertise are going to learn important things about their business that they never thought to even ask.
Kevin Peterson, CISSP | Chief Content Officer
<<< Rewind <<<
To really understand the brand impact, we needed to go back and see what it was before the incident dates. Most notably, we needed to collect everything that was out there before that initial September 2017 date, so we went back an entire year (July 2017 to July 2018). And when we say everything, we truly mean everything that one could possibly expect to find across social media, blogs, news media, even down to subreddits. Once we had all of that raw content data at hand, we set about to filter it out, really drilling into the cybersecurity context. After all, it's the context that really matters, right?
Now we start to really focus on what the brand impact looks like...
Our Cybersecurity Marketing Findings
Jumping straight into the 7.ai data, we wanted to answer 3 key questions:
- Attachment: How many unique pieces of 7.ai-related content were now also attached to the brands of Delta Air Lines, Sears, Best Buy and Kmart?
- Association: To what degree were lesser monikers and various other content and context buzzwords now being associated with 7.ai?
- Brand Damage: Not for their customers, but for 7.ai themselves (we have to measure the customers separately), was the impact of the breach an overall positive or negative?
We basically took every mention of 7.ai on the public Internet and then sub-divided it up by which brand(s) were being mentioned. As can be seen in this pie chart, Delta was mentioned the most, followed by Sears, then Best Buy, then Kmart. These all generally make sense, as it's more of a popularity contest at this point. The takeaway is that such attachment exists. There's just no escaping it, as media coverage is driven to find these relationships, then report on them.
Here we invite you to take a big step away from cybersecurity, risk, compliance, and all the typical buzzwords that swarm in the minds of IT professionals everywhere. Instead, look at these topics and see which ones, if any, you would perhaps want to key in on and address from the corporate marketing and branding point of view?
To put it another way, which of these would you think someone, perhaps someone creative, might want to go after as a way to actually boost your brand?
Confused? Okay, here's an example. See here "Delta and Sears" is one association? Wouldn't it be cool if the CISOs for both those organizations were to jointly host a webinar where they talked more openly about their own findings, remediation steps, and various calls to action for others? Now, that one topic is starting to be owned by those two fine organizations, rather than those with their own agendas. Done right (and really, why wouldn't it be?), they are also scored with a very positive sentiment!
This is simply the ugly side of the coin. Or is it?
Also taken from our report/findings is the much deeper drill-down into what the organization is doing to perhaps maintain or build up the brand equity of the cybersecurity program. Is this organization being mentioned in context with any of the top frameworks or standards, such as ISO 27001, COBIT, or PCI DSS?
Then we take that to the leadership level, looking for any evidence that the organization is, at the very least, getting some interaction and/or content generated alongside leading cybersecurity thought leader meeting places (conferences, events, chapter meetings, etc.).
Then, having quickly assessed the cybersecurity brand equity and leadership, we cast a light on the external brand. And we kind of have to look externally, because we just aren't seeing very much data that helps the 7.ai case here.
Now, here's where it gets a bit more interesting. While this is a relatively small company, notice how there's no data related to their cybersecurity program prior to the April announcement. Not even an honorable mention.
But here's the reality. There doesn't have to be. It's a small niche player with no real footprint. And to the extent that gives them the business opportunity, it also helps to shield adopting organizations from added scrutiny. After all, their impacted customers can now point at a small startup as being to blame, which people generally accept with less bashing than if the top brand logo had done it themselves.
Oh sure, if there are to be any follow-on lawsuits, the plaintiffs will go after the deepest pockets. Just know that those attorneys will all be going after this very same data as they build their case(s).
I'm not going to get into the brand impact of Delta Air Lines or any of the others. I'm happy to drill into that with them, of course, but for a host of reasons (a much, much longer blog post than this one being just one of them), it's really out of scope for this 7.ai focus. But, as it relates specifically to 7.ai, it's difficult to conclude that this is anything but a net positive for them. Looking back at the chart above and the April to July focus below, while there was certainly some negative sentiment and a huge spike there in April, their overall visibility and sentiment seem to be doing just fine. (Note that the green/positive spike in June was their partnership announcement with Blue Prism.) No doubt the media exposure helped to highlight their impressive customer list, which then helps to drive more opportunities.
Call to Action
Just as organizations regularly take on penetration testing and increasingly subscribe to a multitude of proactive scans, both IT and marketing teams need to come together to focus on their brand reputation in the context of cybersecurity. This means:
- Monitoring the web, especially social media, like never before to unearth cybersecurity-related opportunities worth chasing. There are more than most can imagine.
- Including 3rd party vendors in your data collection and daily monitoring strategy. Because wouldn't it be interesting if you were to find someone on, say, Reddit who said something unfavorable about the security effectiveness of your partner days, weeks, or even months before a breach? I know I would sure want to capture that before someone finds it for me.
- Changing the culture to one that really focuses deeply on the brand and reputation of the cybersecurity program internally, all the way to the corporation externally. A lot of people in IT talk about what matters in the boardroom. This. This is what matters in the boardroom.