Why this global CMO is urging marketers to care more about cybersecurity

There’s something particularly contradictory for Mimecast CMO, Bernd Leger, in persistently low awareness of cybersecurity across marketing leaders given the rise and rise of cybersecurity threats.

“When I talk to my marketing peers at conferences, there just doesn’t seem to be this high-level awareness that cybersecurity is something they should be aware of,” he says. “I struggle with that. Think about when your website goes down because of a security attack – there is a very real impact on your business in terms of lost revenue and negative brand ramifications.”  

Leger joined Mimecast as its chief marketing officer 18 months ago and today oversees a team stretching 240 employees globally. He boasts of deep credentials as a marketing practitioner and within the world of cybersecurity, holding senior roles with the likes of Checkmarx, Cisco, CloudLock, and Rapid7. Prior to joining Mimecast, Leger was chief marketing officer for Nexthink, a leader in digital employee experience management software.

Since taking up the Mimecast post, Leger has been working to drive overall awareness of the Mimecast brand as well as continue to drive pipeline. Over the last couple of months, this has culminated in the launch of the security vendor’s first ‘lightning strike’ announcing its new story, corporate branding and ‘Work protected’ tagline.

“When you think about where work is now happening, things have changed so significantly off the pandemic. We’re doing more email but we’re also increasingly in more collaboration solutions,” Leger explains. “For us, talking about how we help organisation to protect work where work happens has been a big part of the journey we have been taking since I have been here.”

Fresh from unveiling the new brand positioning at the Gartner Security Summit in the Gold Coast, Leger talks to CMO about why marketing leaders need to sharpen their game when it comes to cybersecurity and the emerging threat landscape.

In statistics released by RSA Security back in 2017, marketing as a function was seen to have very low awareness and understanding of cybersecurity. CMOs were generally not part of the cybersecurity discussions in an organisation. What’s more, only four in 10 had a communications plan around a cybersecurity breach. How do you think CMOs rate today?

Bernd Leger: I’m not shocked by those stats – I don’t think they have changed much. I think the awareness levels around cybersecurity for CMOs is still fairly low and the thought process that it’s not really my job, we have a security and IT for that, continues to persist. Yet you think about the heightened risk and security levels that come up… or how easy it is for hackers to take advantage in this new landscape we live in of hybrid working; it’s a very different place to be. We have more and more hackers taking advantage through ransomware and other means.

So for me, it’s an oxymoron to say there is still a low level of awareness about cybersecurity on the CMO while at the same time, the threat levels have gone up and up. I work at a security company so for us, it’s very real and the brand risk is heightened. But even when I talk to my peers at CMO conferences, there just doesn’t seem to be this high-level awareness that cybersecurity is something they should be aware of.

Credit: Mimecast

I struggle with that. Think about when your website goes down because of a security attack – those are very real impacts on your business in terms of lost revenue and negative brand ramifications. So I do believe CMOs need to play a larger role in that conversation and be a partner in the c-suite engaging in that conversation. I talk to our head of security [CISO] monthly to share what he’s seeing and what we’re doing to protect our brand, as well as trends they’re seeing. We always talk about the implications for our business and as the marketing team.

The other thing is as marketers, we’re so much in the centre of communicating with prospects and customers – we send out emails, we’re communicating, have Web presences we’re managing. I don’t think we can sit back and ignore the fact that we, more so than any part of the organisation, are directly engaging with other stakeholders and those stakeholders could be put at risk.

What are the big risks we should be particularly concerned about right now?

Leger: At a high level, the way we work has fundamentally shifted as a result of the pandemic. We still predominantly use email, but our forms of communication have shifted. Now, we’re able to use Zoom, Teams, Slack and other forms of collaboration tools, and at a higher level. At the same time, our barriers have gone down. We are not checking as much what we’re clicking on or following security policies. Things like ransomware have increased as a result: We see specific increases including in Australia of ransomware attacks, as well as impersonation attacks and hackers going where we go.

In our most recent State of Email Security report, we also saw a 73 per cent increase in Australia in email-born attacks. When we survey Australian businesses and consumers, they’re quite concerned about what would happen if their favourite brand was attacked or if there was a financial downside from that. It really only takes one attack for all that work we’re doing as marketers to build trust in our brand to go away – and quickly.

We have seen several data breaches and cybersecurity attacks globally contributing to consumer fears around personal information being used nefariously and have elevated visibility of the risks. How do you see this impacting the marketer’s role?

Leger: Even on the business side, companies have to take it more seriously. In Australia, increased legislation requires you have to report a breach within 12 hours. That’s a level of increased transparency you can’t brush under the carpet. It creates a whole new level of scrutiny of our organisations.

And we as CMOs must play a greater part in this equation. Think about our participation in those response plans: When something like this happens, marketers are at the centre of those communication plans and efforts. What does our crisis communication and plans look like? I’m sure not as many companies as should have those plans in place do have them right now.

You have suggested reasons why marketers should be more aware of cybersecurity risk. What can we do to be prepared? Are there pillars that absolutely need to be there so you’re helping an organisation internally and externally with managing cybersecurity risk?

Leger: What I see as our obligation as c-level executives sitting in leadership meetings is to firstly create awareness that the risks are real. It’s not just security people who need to do this. Highlighting the potential impact on brand and being clear on what the impacts are on brand is key – there is good data here and marketers arguably have more data points at their disposal on this point than security or IT leaders have. Often, that’s misunderstood and executives in an organisation don’t necessarily understand what the brand impact be.

The second role we can play is working closely with our security and IT counterparts to ensure those dialogues are happening around cybersecurity. It could be maintaining the website infrastructure and making sure those things are locked down; working with our counterparts on looking out for email security and making sure what we send out is secure. There’s educating our employees as well around threats out there and educating users on what can happen with communication we are sending out as well as what’s coming our way.

We’re also right in the middle of this digital transformation that’s happening. The pandemic has accelerated how we use digital tech to accelerate the business vision. Marketers are at the forefront of this transformation, and we have a role to play to ensure this is seen as a business risk and one to the company.

At the opening to the Gartner Security event this week, the stat shared was that 88 per cent of executives and board level agree cybersecurity is a business risk today. The brand is a critical element of that which can be impacted.

What emerging cybersecurity threats are on the horizon?

Leger: Email security is a seemingly well understand phenomenon, but with these new communications channels opening up… there just isn’t that same level of scrutiny or policies in place. There have been some interesting attacks happen as a result. When we talk to prospects and customers, we are still seeing lagging awareness. Just imagine a developer copying in a set of code into a Slack message – if that person is impersonated, that code could get into the wrong hands. We are starting to see those sorts of attacks happening in real time and that’s a real emerging frontier.

The attackers are leveraging a lot of the same vectors they have been for years – ransomware, phishing – because they’re still working.

What other things do you do as a CMO to ensure your team are educated around cybersecurity risks?

Leger: A very important piece is the security awareness training we all do, and we use our own solutions for that. We all participate in monthly security awareness training that reminds you what threats are out there and what you should and shouldn’t be doing. I also bring our CISO in for regular conversations and to educate the team on what security threats are internally, but also to help communicate that externally.

What we are also doing externally is a weekly podcast series, where we interview individuals and security experts around what it means for their organisations. For us that’s about being a megaphone for the industry and educate the broader market as well. It’s been exciting to lead that change and educate the broader market.

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here.  

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page