The Only Stupid Question Is The One You Don't Ask: A Security Briefing

Hardly a week goes by without news of another major data breach. Marketers can be forgiven if their eyes glaze over — they have other things on their minds. But they should be concerned. A breach can destroy a firm’s reputation and its marketing program.

To learn more about security — and why email marketers should worry about it — MediaPost interviewed Phillip Merrick, CEO of Fugue, and Drew Wright, co-founder and VP of communications for Fugue.

MediaPost: What kind of job are companies doing at maintaining data security?

Phillip Merrick: The steady stream of headline stories about data breaches shows that companies are not doing a particularly good job of it. But thanks to all that negative publicity, there’s more of a heightened awareness. And regulatory regimes like GDPR are forcing organizations to ask questions, and to make sure data is being secured.



MP: How does this affect marketing?

Merrick: Marketers might think, ‘Security is not my domain, not something I necessarily worry about.’ But those marketers are typically going to be using a pretty decent amount of cloud software, hosted and operated by vendors in the cloud. They should be asking about it to protect the security and reputation of the organization.

MP: What else do they need to know? 

Merrick: Are you using apps and email delivery software coming from your own in-house system that developers have built, or are you using commercial marketing apps? With a commercial app, you should ask where the app is hosted. Is it a reputable cloud provider like Amazon, Microsoft or Google? Do they have an SOC 2 certification? If they say, ‘Yes,’ that’s obviously a good answer. If they say, ‘We don’t, but we are working on it,’ that might be OK, but you would want to understand how serious they are about it.

MP: And if they don’t ask these questions?

Merrick: It’s a marketer’s worst nightmare: You’re doing your job, and you think everything’s secure and under control, but your brand reputation gets compromised because the organization’s security gets compromised somehow.

MP: Should email marketers be worried?

Merrick: Email marketing capabilities are increasingly being accessed through cloud apps, and the email delivery structure resides in the cloud somewhere. Email is being created and delivered through cloud apps like SparkPost, SendGrid, Mailgun. All of them are in the cloud in various ways, so asking questions of vendors is more important.

MP: Is there anything else they can do? 

Merrick: Email marketers might proactively put out a statement on their website around all the steps the organization takes to protect their data. They can assure their customers and recipients that they take this very, very seriously.

MP: Is the cloud really so dangerous that they need this help? 

Merrick: I don’t think the cloud is the Wild West anymore — the major providers are very large, reputable organizations that have been doing this for a very long time.

Drew Wright: We conducted a survey. The number one risk in the cloud is misconfiguration, and that is 100% on the customer to get right. If the cloud is a collection of APIs, you need to be concerned how you configure those APIs. 

MP: Where do they go wrong?

Wright: Humans are bad at managing complexity at scale, and when you use the cloud at scale, there’s a lot of complexity. That’s essentially where automation comes in.

MP: So you’re saying that vendors like Amazon Web Services are not to blame when there’s a breach? 

Wright: AWS is an innocent bystander there — these breaches are 100% the fault of the AWS customers, and have never been the fault of AWS.

MP: What can Fugue do to help?

Merrick: We help our customers ensure that what they’re doing in the cloud stays in continuous compliance with their enterprise security policies, including GDPR, PCI (the Payment Card Industry security standard) or HIPAA, and to make sure all the data used is encrypted. We help them set controls and standards when they’re using cloud-based software. We also help SaaS vendors themselves. We’ve recently added SOC 2 and ISO 27001 to our libraries of prepackaged cloud security controls.

MP: What do companies need in terms of staffing? 

Merrick: Regardless of size, you need somebody to have the responsibility for information security. At a certain scale, it makes sense that it would be a dedicated person and, on an even bigger scale, an entire team. We actually know some banks that have 1,000 people or more working on security.

MP: Your final word on the subject?

Merrick: You can either choose to be curious about it and ask questions. Or you can put your head in the sand, but you do that at your peril.


