Marketers are eager to adopt technology that makes their efforts more effective, but ideally, they should wait until their IT team ensures the tech is safely connected to their company’s infrastructure. However, IT often doesn't have the resources to vet every marketing tool. Holly Rollo, CMO of cyber security firm RSA, spoke with eMarketer’s Sean Creamer about the risks of shadow IT—when marketers implement technology without following IT protocols.
Are IT teams able to keep up with marketers’ demands for new tools?
No, and marketers are filling the gap. In our 2017 CMO cybersecurity survey, 75% of marketing and IT respondents stated that shadow IT is prevalent in their organizations. Marketing is a data science and budgets increasingly focus on acquiring tools and technology, but marketing is typically under-resourced from an IT perspective.
What’s the reasoning behind marketers filling the gaps without IT’s help?
They go around IT protocols to procure shadow IT resources for quick fixes. Through a patchwork of vendors, marketers integrate shadow IT tools into brand infrastructures. Ranging from a dozen on the low end to hundreds on the high end, APIs stitch this patchwork together and enable systems to talk to each other.
Marketing is typically under-resourced from an IT perspective.
How do marketers initially put the systems together?
Marketers place third-party vendors or shadow IT people on web teams to build out connections. The tools range from social listening functions down to integrations with a CMS, and they are built on cloud-based applications with APIs to connect them.
What potential dangers face marketers that use shadow IT tools?
Individual cloud applications with APIs in the middle are not secure because they operate outside of what IT traditionally monitors. In a different survey we did, about 75% of IT security teams said they do not monitor cloud applications and shadow IT applications in security checks.
The marketing technology industry is growing by leaps and bounds, which makes it difficult for IT teams to keep up. Scott Brinker's martech vendor chart had about 6,000 companies on it in 2017, and half of those companies are less than 2 years old. Many vendors are not fully proven, and that creates vulnerabilities for organizations.
Individual applications aren’t vulnerable—it's the cracks in between them that cause problems.
Do specific martech tools pose more risk than others?
Individual applications aren’t vulnerable—it's the cracks in between them that cause problems. Think of WordPress: The top 10,000 websites in the US use WordPress as their core contact management system. The open-source product requires constant updates and patches. If marketers regularly keep up that's good, but it’s difficult to chase down the latest patches in complex marketing tech infrastructures.
What’s a high-profile example of bad actors taking advantage of the connective functions in tech infrastructures?
The Democratic National Committee hack came through an application built to coordinate fundraising, similar to outward-facing consumer applications that marketers work with. The Equifax breach came from a cookie tool that drove traffic to the site. These martech tools are becoming a major vulnerability. Bad guys aren't going after protected apps—they’re going after what isn’t protected or monitored by IT.