MarTech Overtime: Why partnerships matter in securing your martech stack
Senior marketing manager Jorge Garcia shares advice from MarTech East on security reviews and how marketing and IT teams can work together.
Jorge Garcia, Senior marketing manager at Akamai Technologies, shared his company’s journey to protect their data and brand in his MarTech East session, “Securing Your Martech Stack: Partnering with IT and Enterprise Security.”
A lot of questions around the roles of purchasing and managing martech stacks and who “owns” the privacy compliance process, were submitted by session attendees, so I wanted to answer some of them.
Q: IT teams often tell marketing that they’ll choose and run your stack. Do you now have a clear agreement about respective roles and what did that take?
Mostly. I say “mostly” because the industry is ever-evolving and each new technology raises questions about roles. What we are clear about is our engagement when these questions come up. We have a regular forum for these discussions and a practiced motion of how to address them. That rhythm took a while to build, but it started with requirements gathering. We changed the conversation from “We want this tool; how and when can you help us get it?” to “This is the problem we’re trying to solve and the capabilities we’re looking to enable our marketers with. What do you think?” It created a collaborative environment instead of a transactional one.
Q: Who makes the decision on which tool/company to go with?
It’s a collaborative process between legal, security, IT, marketing and procurement. I know that might seem a bit excessive, but it ensures we’re picking the best vendor for our needs and that key stakeholders are involved at the appropriate stage of the purchase.
- Legal provides advice and support for contract review and data protection agreements
- Security ensures the tool/company is compliant with our risk and information security policies
- IT supports the technical assessment of integrating the tool into the existing infrastructure and processes
- Marketing is the key stakeholder that advocates for their requirements and vision
- Procurement drives the RFP process, demo scheduling, negotiation, and coordination with Legal
I like to think of marketing technologists as the bridge builders of marketing, especially for new tech purchases.
Q: In a distributed marketing organization the emergence of a martech group like yours can get backlash that you are just replicating IT in slowing down what marketing needs. How has that gone for you?
At first, not great. Any time a team comes in to add process or centralize responsibility, there’s the risk for an accompanying resentment or expectations of restrictions and bottlenecks. We weren’t the exception.
Early on we spent the majority of our time telling the martech story and finding champions who understood our mission and supported our efforts. Then we demonstrated that story by relying heavily on transparency. As our partnership with IT matured, the overlap between our teams diminished. Over time, stakeholders were able to see the extensive body of work that goes into managing a martech stack, bringing on new technologies, providing ongoing support to existing technologies, and the unique skillset of translating business requirements and technical requirements. Someone who speaks Spanish to a person who speaks Italian can get by; but the world opens up to them when they have a translator.
Q: Is privacy compliance built into your process? Who owns it?
It’s absolutely built into our process. Where I work, we’re entrusted with delivering and securing digital experiences for the world’s largest companies. A critical component of that trust is in our commitment to the privacy rights of our customers and our employees. We’ve built privacy compliance into our processes across the organization, and especially into our processes for evaluating, assessing, or implementing new technology.
Our Global Data Protection Office sits with in-house counsel. They own developing, implementing and maintaining a comprehensive corporate-wide privacy program and policy framework. The rest of us are responsible for working within those frameworks and embedding privacy into everything we do.
Q: If a vendor has some sort of certification – such as ISO 27001/02 – does that make your review process more streamlined?
It does. I wouldn’t say one certification is better than another for our reviews, but typically, vendors that have gone through certification are those that prioritize security and compliance. As a result, they’re more likely to have considered many of the areas we assess during our security review. I typically ask for ISO 27001/02 or SOC 2, but they aren’t a requirement, more of a facilitator.
Q: Does the request to IT/security start with business requirements for a tool or a recommendation from?
Before a request makes its way to IT/Security, it’s vetted and prioritized by marketing leadership. Bringing in the leadership team early has been integral to our success prioritizing projects. With over 7,040 marketing technologies in Scott Brinker’s latest 2019 Marketing Technology Landscape, it’s dangerously easy for martech teams to get distracted by shifting priorities. Making strategic decisions about our investments at the most senior level ensures everyone across the organization is aligned to our initiatives and understands why they were prioritized.
Once those decisions are made, we bring in IT and share marketing’s business requirements. Our team works with the requestor to understand the what and why of their request: What is the problem they’re trying to solve and Why do they think technology will solve it. We use these requirements as our foundation for working with IT to develop an initial scope, phasing design, systems impact analysis, and prioritization plan. The outcome of these discussions, our Security review, and the Procurement process help us narrow down the best vendor to solve our what and meet our why.