Vendor Assurance and Brand Monitoring

Brand Monitoring is Just Smart IT

Imagine for a moment that you are sitting there just enjoying a rather unexceptional day in IT. There are no big fires to put out, no projects that are falling behind, and no one really complaining about anything. Life is just good.

Then, quite out of the blue, you get forwarded an email about a third-party vendor that you all use (such as [24] in the case of Delta Air Lines). It's a link to a story about how they have had a data breach, and in that moment you realize your entire day, if not the entire week, has just been prioritized for you and your team. Meetings are pulled together, and that tabletop exercise that was done last quarter just became a bit more real.

Sadly, this is what most can expect when a third-party vendor suffers a data breach: the entire business will have to assess the collateral damage and the potential ongoing operational impact. And it's especially the case when the news lands in the public domain without any advance warning from that provider.


Getting Ahead with Brand Monitoring

Cybersecurity Brand Monitoring

Brand monitoring itself is certainly not new. It's something that marketing teams do at more of a macro level on a daily basis. What is starting to take hold though is really focusing those efforts in the context of cybersecurity. It's monitoring a particular brand for all online mentions, measuring the sentiment, then deciding which pieces of content are actionable. When cybersecurity context is applied, it means understanding which cybersecurity influencers (Brian Krebs, Bruce Schneier...hundreds more) are now talking and what, exactly, they are really saying. There's real value in seeing how many of those mentions apply to various categories that are of particular importance to your brand, such as PCI, HIPAA, NIST Cybersecurity Framework, ISACA, InfraGard, and ISSA.

If you believe at all that monitoring your own online brand and reputation is important, then it stands to reason that doing the same for your key partners and vendors is equally important. Right? Otherwise, why did you even bother doing all of the vendor assurance exercise in the first place, only to lose sight once the "artifacts" are filed away in the GRC application? To the same degree that you would want a real qualitative and quantitative analysis of how your cybersecurity brand/reputation is being impacted every minute of every day, you should also want to track those key external relationships, especially the ones who can potentially sink you. 

But, the only way to get ahead in this game is to play it. And not just play it, but play it exceptionally well. 


Partnering with Marketing

It's always been a bit funny to me when I see IT organizations who are clearly designed and architected to operate only in their own silo believe that they are "aligned/partnered with the business". Because when asked to name their marketing peers and then give a sense of how often they are engaged with them in any meaningful dialogue, it's typically a blank stare that comes back. At best, it's a mention of how that's all part of the tabletop exercise. So that's it? Having a tabletop exercise is the definition of a real partnership? 

What might surprise such IT departments is that marketing teams are tuned to help them, typically far more than they are given credit for. There are no "Don Draper" [AMC's Mad Men] characters to be seen. Today's marketing teams are deep in data and analytics. But more importantly, they are exceptional brand managers, always seeking to build the coveted invincible brand, but also ready to step in and help recover one if that should be needed. 


To put a finer point on it, if anyone in information security thinks their job is primarily to protect the data, then I'm afraid they have it all wrong. Their job is to protect the brand and reputation of the name and logo that's on their paycheck. If that is the real focus, then protecting the data is just a part of that service.

And this is exactly why IT and marketing should be joined at the hip, constantly working to improve both the internal and external brand/reputation of the cybersecurity program.


How It Gets Done - A Framework

While I can't prescribe a formula for exactly how it will work in your organization, I can at least offer up a high-level, three-step framework to get you started.

  • Monitor: Your marketing team probably has a brand monitoring tool, such as Brandwatch (that's what we use), Meltwater, or Brand24 (there are many more). Get with them to see how it can be applied in the context of cybersecurity. Your eyes will be opened to a whole new world of data that can be positively applied to the benefit of the business, thereby bringing IT ever closer to the alignment you are always chasing.
  • Alert: With all the listening in place (remember, including for your vendors) and focused on the cybersecurity elements (authors, hashtags, sites, keywords, mentions, sentiment...), set up alerts that fire when mention volume rises above the baseline by a set percentage or when certain keywords pop up. Might it be interesting if someone who just left a vendor that you use decided to get all chatty on Reddit about how poor their cybersecurity is? You bet it is.
  • Act: When you do find something out about your program or that of a vendor, you have to act. You can bet your vendors will be impressed when you give them a call to ask what is up and to tell them that you are now kicking off a deeper review of their program, based on a single negative mention of their program that you found online. Not doing so would be like finding out later that all the forensic data was right there in your SIEM, but no one acted on it.
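As an added illustration of the Alert step (example code written for this page, not the original post's or any monitoring vendor's tooling), the routine below runs over a constructed mention feed and does two things: flags days on which a vendor's mention volume exceeds the rolling baseline by a set percentage, and surfaces individual mentions containing watched keywords. The vendor name "ExampleVendor", the keyword list, and all sample mentions are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

ALERT_KEYWORDS = ("breach", "leak", "ransomware", "compromise")  # assumed watch list
BASELINE_PCT = 50  # alert when a day's mentions exceed the prior-days baseline by 50%

def m(day, sentiment, text, vendor="ExampleVendor"):
    """One mention record as a monitoring tool might export it (constructed data)."""
    return {"vendor": vendor, "day": date(2024, 1, day), "sentiment": sentiment, "text": text}

MENTIONS = [  # constructed sample feed for a fictitious vendor
    m(1, "neutral", "Using ExampleVendor for call-center analytics"),
    m(1, "positive", "ExampleVendor support was quick today"),
    m(2, "neutral", "Anyone compared ExampleVendor with alternatives?"),
    m(3, "neutral", "ExampleVendor webinar on PCI scoping"),
    m(4, "neutral", "ExampleVendor pricing question"),
    m(5, "negative", "ExampleVendor confirms data breach affecting customer records"),
    m(5, "negative", "Former ExampleVendor engineer says their security was a joke"),
    m(5, "neutral", "ExampleVendor breach: what we know so far"),
    m(5, "negative", "Breach at ExampleVendor hits several airline customers"),
    m(5, "negative", "ExampleVendor leak may include card data"),
]

def daily_counts(mentions, vendor):
    """Mentions per calendar day for one vendor."""
    counts = defaultdict(int)
    for rec in mentions:
        if rec["vendor"] == vendor:
            counts[rec["day"]] += 1
    return dict(counts)

def volume_alerts(mentions, vendor, pct=BASELINE_PCT, window=3):
    """Days whose count tops the mean of the prior `window` days (gaps = 0) by more than pct%."""
    counts = daily_counts(mentions, vendor)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    days = [first + timedelta(n) for n in range((last - first).days + 1)]
    series = [counts.get(d, 0) for d in days]
    alerts = []
    for i in range(window, len(days)):  # require a full window of history
        baseline = mean(series[i - window:i])
        if series[i] > baseline * (1 + pct / 100):
            alerts.append((days[i].isoformat(), series[i], round(baseline, 2)))
    return alerts

def keyword_alerts(mentions, vendor, keywords=ALERT_KEYWORDS):
    """Individual mentions of the vendor whose text contains a watched keyword."""
    return [rec for rec in mentions if rec["vendor"] == vendor
            and any(k in rec["text"].lower() for k in keywords)]
```

On the sample feed, only the fifth day trips the volume alert (5 mentions against a baseline of 1), and four of that day's mentions match a watched keyword; the ex-employee post is caught by neither rule, which is exactly why sentiment also belongs in the listening setup.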


In-House or as a Service?

For many, the best approach is to simply outsource this to a service provider who specializes in cybersecurity brand / reputation monitoring (Yup, that's us here at ZecurityAscent). Because while the in-house talent is not really in question, either within the cybersecurity or marketing ranks, efficiency and scale are typically cited as the real reasons why this is not already being done, or perhaps not being done at the level it should be.

How will you know? Well, if you can't commit to your own service level agreement (SLA) to monitor your entire cybersecurity brand at a truly world-class level, as well as those of your partners, then it's not going to hurt to at least get some outside coaching. But always remember that when the lights go out, it's not the loss of data that keeps the board members up at night; it's the loss of brand and reputation. When the right focus is applied to that concern, everyone wins.

Of course please do feel free to schedule some of my time even if you just want to learn a bit more.  



Written by Kevin Peterson, CISSP

Kevin Peterson is the founder and cybersecurity practice lead at ZecurityAscent. His background includes: 3.5 years at Zscaler as Director, Security & Network Transformation; 8 years at McKesson (Fortune 5), the last 2 as a business unit security officer / cloud application security lead across all business units (introduced Zscaler); and 7.5 years at Juniper Networks as Sr. Product Manager for the Pulse Secure SSL VPN. Adding to this is his own professional brand as an author, blogger, speaker, InfraGard board member, former police officer, pilot, and United States Air Force veteran.