Over the past year, security and brand safety have rapidly risen up the marketing agenda, brought to the fore as high profile hacks and data harvesting hit the headlines on a global scale and the General Data Protection Regulation (GDPR) came into force.
From TSB’s IT meltdown to Dixons Carphone admitting 10 million customer records were exposed by hackers, no scandal came close to the revelations that 87 million Facebook profiles were harvested by data company Cambridge Analytica for the purpose of creating targeted political campaigns.
Exposed by whistleblower Christopher Wylie, who subsequently joined fashion retailer H&M as consulting director of research in December 2018, the exposé forced Facebook CEO Mark Zuckerberg to take out full-page newspaper ads apologising for the “breach of trust”. He was also grilled in front of a US senate committee.
Six social media data breaches, including Facebook and Cambridge Analytica, accounted for 56% of the total compromised records during the first six months of 2018, according to analysis by digital security software company Gemalto. And a staggering 4.5 billion data records were compromised worldwide in the first half of last year, up 133% on the same period in 2017. This means every day 25 million records were compromised or exposed.
Given the high-profile breaches, it is hardly surprising people are becoming increasingly uncomfortable with the way their data is being used online. Some 71% of consumers want brands to pressure social media platforms to safeguard their personal data, according to the 2018 Edelman Trust Barometer.
There are so many risks that marketing really has to take charge of containing and eliminating them.
Raja Rajamannar, Mastercard
Many consumers also believe brands are complicit in the wider problems plaguing social media. Some 48% think if advertising appears next to hate speech, violent or sexually inappropriate content it’s the brand’s fault. Furthermore, Edelman’s analysis reveals 47% of consumers believe the content appearing next to ads on social media is an indication of the brand’s own values.
The risks to brand reputation, brand safety and consumer perceptions are so significant, that some companies are taking action.
In March 2018, the Bank of America gave senior vice-president of enterprise media, Terri Schriver, full-time responsibility for brand safety, an area she had informally managed for several years. Speaking to Business Insider in October, CMO Meredith Verdone explained that she meets with Schriver every week to look at fraud, viewability and transparency issues, choosing to pause all advertising if any “unknown activity” emerges.
Similarly, media and advertising agency Universal McCann made Joshua Lowcock its global brand safety officer. Appointed last year, Lowcock is responsible for delivering greater transparency and accountability of clients’ digital media investments, as well as ensuring advertising runs in safe and relevant environments.
Another company firmly on the front foot is Mastercard. Eighteen months ago, the financial services company appointed a head of risk management for integrated marketing and communications, charged with assessing, mitigating and eliminating future risks in marketing.
Mastercard chief marketing and communications officer, Raja Rajamannar, says he wanted someone who understood the business and would look at issues from a risk management perspective, beyond simply marketing and communications.
Based on this criteria Rajamannar gave the new role to the brand’s business finance officer of the marketing and communications division within Mastercard.
“I come to marketing from a business background. Roughly half of my career I spent managing P&L and when you’re managing businesses, risk management is an intrinsic part of what you do,” Rajamannar explains.
“Together with the [finance officer] we started getting these things slowly done six years ago, but what we have realised is this requires full-time attention, it cannot be an integral part of some other role.”
While Mastercard wouldn’t name its new head of risk management, Rajamannar says her remit covers a spectrum of issues affecting marketing, ranging from ad fraud, reputation and marketing performance risks, to the emergence of voice commerce and concerns around visibility as screen sizes continue to shrink.
She then coordinates with colleagues to create a heatmap of these marketing risks, indicating the probability of the risk happening and the magnitude of it. The heatmap helps the team quantify the “windows of risk” and tighten up those areas on an ongoing basis.
Rajamannar describes the creation of this role as a proactive move, which he sees as absolutely imperative to ensure the brand is kept safe. He is clear this is not a role one person sitting at head office can do alone, which is why the head of risk management closely collaborates with marketers in different regions to ensure they are compliant.
“At the end of the day, this is something that has to be imbibed into the culture of the company. If we know that we have got risks, let’s be aware of them and let’s address them proactively and reactively, as it is inevitable new risks will materialise,” Rajamannar explains.
Security meets marketing
The companies leading the way on appointing brand safety officers are the “canaries in the coal mine” according to Colin Lewis, Marketing Week columnist and CMO of B2B tech firm OpenJaw Technologies.
Rather than small- or medium-sized businesses, he believes it will be the most sophisticated global companies, operating in the “white heat of competition”, who can afford to invest in their purpose and reputation in this way.
“They are the companies for whom the reputational risk is huge and so they need to pull that out as a standalone item because it could bring the whole company down very quickly,” Lewis states.
“These sort of roles would not have existed 10 years ago. It is the tech stack, the data management, the content, the customer experience driving all of this. Not every brand is going to need this. Those with huge reputational risks and massive international franchises will have to look at it very closely.”
Head of legal and compliance at the DMA (Data and Marketing Association), Asli Yildiz, expects to see more heads of risk management being appointed to the marketing function in the context of GDPR, data breaches and hacks.
“If you want to keep the brand secure you need to have people on the brand doing multiple jobs, not just on the marketing job, but also assessment of the financial risk, legal risk, etc,” she explains.
“So you will see more legal people changing titles to become marketers or market advisors, as well as cybersecurity risk advisors. All these titles will definitely change because our role will change in line with the technology, the usage of data and the expectations of the customers.”
Getting the right people to take on these evolving roles will be crucial as research suggests the financial fallout of a brand safety scandal or high-profile data hack could be significant. If a data breach causes an organisation to lose just 1% of its customers it will cost the business on average $2.8m (£2.1m), according to the IBM 2018 Cost of Data Breach study. Lose more than 4% of the customer base and the cost is closer to $6m (£4.7m).
Last year a host of brands were left picking up the pieces after high-profile hacks and IT errors. A failed IT migration cost TSB £330m, caused 80,000 of its customers to switch to rival banks and forced the resignation of its CEO Paul Pester.
The bank spent a total of £125m on customer compensation, £49m to cover fraud and operational losses, £122m to fix its tech systems and £34m in lost income due to waived fees and charges.
Also in 2018, consumer electronics retailer Dixons Carphone admitted to a large-scale data breach affecting 10 million customers and 5.9 million debit and credit cards. At the time the company said it was “very sorry for any distress” caused and would contact all its customers to apologise.
The worry for businesses like Dixons Carphone is if it were to happen again consumers would be far less forgiving, says Georgina Shann, vice-president of Edelman Intelligence. In fact, the risk to companies of a data breach recurring over the next two years is 27.9%, according to the IBM report.
The way brands manage their data security is one of the key drivers of trust for consumers, according to the Edelman Trust Barometer. However, Shann believes data security has not even hit the top of consumers’ agendas yet and therefore this will become even more of an issue going forward.
“Businesses really shouldn’t be thinking of it as a nice-to-have, it’s a fundamental part of the business,” she states. “I think consumers really do feel these businesses are doing it and that’s why it’s quite shocking when you hear about specific examples where they are not.”
The rise of the chief security officer
By definition, the chief security officer is the most senior person in a business accountable for the development and oversight of policies and programmes to mitigate or reduce operational, strategic, financial and reputational risks.
However, increasingly this role appears to be bleeding into marketing. Appointed in September 2017, McDonald’s chief information security officer, Timothy Youngblood, is responsible for overseeing risk management and brand protection on a global scale, as well as driving the company’s information security strategy and operations.
Last year, Uber appointed its first chief trust and security officer. In an email to staff, Uber chief legal officer, Tony West, described the job title as a recognition that trust “is an essential ingredient” to the Uber brand proposition.
The ride-hailing firm certainly had ground to make up following revelations that it had secretly paid hackers $100,000 (£76,600) to delete personal data stolen from 57 million users and 600,000 drivers in October 2016.
Yildaz expects to see more chief security officers coming out of the IT department to work on brand protection and brand safety. She argues that whenever marketing activities are running assessments need to be made as to whether these activities present an additional or increased risk to the brand. This analysis, says Yildaz, should be done by marketing in collaboration with the risk, legal and compliance teams.
Lewis likens the discussion around risk management in marketing to the conversations being had about digital marketing a decade ago. Back then, he argues, you could have managed digital marketing through two or three people who are experts in ad words or email.
“Nowadays you need a person who is an expert in email, an expert in performance marketing, an expert on conversion and they are three different roles requiring three different skills bases. That’s what will be reflected in the issue around security, because it will fragment,” Lewis states.
Getting data security right is “everyone’s problem” from the C-suite down, adds Shann, although she sees marketing beginning to play a “fundamental role” in how risks are addressed.
“Longer term, when [brands] are thinking about the development of campaigns they’re going to have to be cognisant of those reputational history and trust issues with the brand that have happened over time,” she explains.
At Mastercard, the creation of risk management roles in marketing does not eliminate the need for a chief risk officer or chief privacy officer as these individuals bring significant sector expertise, Rajamannar insists. Mastercard’s chief security officer, for example, ensures the company’s entire network operates safely.
“His primary focus might not necessarily be to see how the marketers and PR people look at brand reputation or ad visibility or brand safety. These areas are not necessarily his primary focus,” he explains.
“There is a chief privacy officer, a chief data officer. These people are not residing within marketing, but what my risk manager does is coordinate very closely and tap into the expertise of all these people.”
Ultimately, Rajamannar is adamant that marketing needs to take responsibility for itself and address the risks head on.
“There are so many risks that marketing really has to take charge of containing and eliminating them. We should make sure we are prepared proactively [so we can] see where the world is going and what’s happening in other industries.”
Security tops the hiring agenda
Digital bank Monzo has been hiring for a “pragmatic, collaborative and experienced” chief risk officer to ensure the business is “customer focused and innovative”. With a role spanning operational, technological, conduct and credit risks, the chief risk officer will be tasked with shaping Monzo’s “appetite for risk”. It will also be their responsibility to influence and execute on the bank’s wider strategy.
Food delivery brand Deliveroo has been on the lookout for a privacy counsel to help the company “navigate the increasingly complex data privacy laws”. This individual will be tasked with advising teams across Deliveroo on the implementation and improvement of its global privacy programme and governance structure, as well as the privacy implications of using personal data relating to customers, Deliveroo riders and employees.
Royal Bank of Scotland
RBS has been looking for a chief information security officer to join its new “customer-centric” digital bank Bó. The person in this role will be charged with developing and implementing Bó’s cyber and information security strategies, as well as contributing to the overall creation of the new bank. In return, RBS promises them the chance to work in a “challenging and supportive” team with a “flat structure”.