Thursday, February 07, 2013

Should CMOs Fund the Next Generation of Identity Management?

(Cross posted at

What does marketing have to do with cloud Identity Management?  Quite a bit, it seems. Last week, HMV (a European retailer) laid off 190 employees.  Among those being let go included Poppy Rose, the HMV "Community Manager" who happened to be in charge of their twitter account.  The result?  See for yourself...
Screen shot 2013 02 04 at 11.28.54 AM
Over 60,000 followers had a front row seat to the entire process.  Poppy, to her credit, did nothing illegal.  In fact, she claims to have cooperated throughout the process:

“Just to set something straight, I did not ‘hijack’ the hmv twitter account. I actually assumed sole responsibility of Twitter & Facebook over two years ago, as an intern. When asked (this afternoon), I gladly provided the password to head office. I also set another member of staff up as a manager on Facebook, and removed myself from the admin list. I didn’t resist any requests to cooperate.”

To add insult to injury, even after she was fired, she still had access.  In fact, she had to direct HMV on how to revoke her access (over twitter, once again, for the world to see):

@hmvtweets you need to go to ‘settings’ and revoke my account access as an admin. I’m still able to switch between accounts.”

So if it isn't already abundantly clear why your CMO should foot the bill for your cloud identity management endeavor, here it is spelled out:

Brand Management

One of the CMO's responsibilities is to uphold the firm's brand in the public eye.  And few things are more embarassing than having your social media posts run amok by an intern.  CMO's can avoid that by instituting the proper access controls for their social media apps, as advised by Susan Adams in the Forbe's article:

"The rather obvious lesson for employers in all of this: Take control of your social media accounts, change the passwords, and restrict access before you let go of the employees who run those accounts."

As noted by Nishant Kaushik earlier this week while commenting on the Twitter hack that impacted 250k users, a simple password change may not be sufficient.  In today's world of linked application access capabilities (where Twitter grants access to other apps), explicit revocation of access to the appropriate applications within Twitter may also be required to comprehensively terminate a user's access.
An Identity Management solution that integrates with Facebook and Twitter could have been used to revoke Poppy's access to those account in a timely fashion.  Of course (as mentioned above), there should be a sufficiently deep level of integration with the applications in order to comprehensively revoke the access.  In fact, the CMO should work alongside the CSO to drive the appropriate access policies that identifies those applications that have high sensitivity (read 'high damage potential'), and automates the process of suspending access to those accounts as soon as the specific person is considered for termination.
The point is, leaving all of this to manual processes puts your brand at risk.

CMO's Will Outspend CIOs on IT...

According to Gartner, by 2017, the CMO will spend more on IT than the CIO.  Most of the software spend will be on SaaS.  That means that the CMO's exposure to the Poppy Roses of the world will only increase over time.  
An Identity Management product that is pre-integrated to the CMO's most precious SaaS applications can ensure that access is duly revoked before brand damage is inflicted.  The appropriate identity management system should have the flexibility to integrate with both cloud applications, as well as the company's corporate HR application, to automate the termination process.

Can "Marketing Apps" be the new "SOX App"?

Anyone who has been in the identity space knows that traditionally, regulatory compliance pressures have driven much of the corporate identity management spend.   Non-compliance can lead to financial penalties and brand damage in the public eye, especially if that non-compliance was made public.  
The scary reality is that with the changing face of IT, "breaches" like the one described above can actually cause more damage than being non-compliant.  They can lead to consumers fleeing your brand, which directly impacts a company's numbers and longevity.  
It's for this reason, we believe that CMOs and CIOs should begin working more closely together to start treating Marketing Applications with the sensitivity they deserve.  Perhaps then, the Identity Management industry can start creating awareness regarding the value of the corporate brand to drive identity management adoption, instead of solely relying on the stick of the auditor.