Clash of the Titans: Marketing and Security

23 September 2021

There’s a natural tension within most companies: marketing wants to get stuff out, while IT and security are focused on protecting the business. These waters between marketing and security can be treacherous, and a recent challenge we observed at a large bank in the northeastern U.S. illustrates the issue well.

As at many financial institutions, mobile and web banking are a critical, core component of this bank’s business model. There is a constant demand for increased functionality, including tools, speed, and, quite frankly, anything necessary to give customers the best experience possible, every time. That’s a tall order, but the fear is that customers will leave if they don’t get that mega-bank experience.

In this case, the bank is one of over 5000 financial institutions that have to be as good as the Big Four (JPMorgan Chase, Bank of America, Wells Fargo and Citigroup), all of which have massive resources and people.

Marketing Lives in these Lands

Let’s say the bank’s marketing department wants to implement a form-field creator that instantly generates landing pages for prospects to accept an offer. The pressure is on to get it up now. However, the reality is that it can take forever to submit it as a proof of concept, get it through IT and security vetting, obtain budget approval, pass the compliance board, test, and go live. We’re talking months, which can make going through the process feel like a non-starter. Unfortunately, this is also a recipe for covert operations. Marketing may get its functionality, but at the expense of security and the bank’s reputation.

Harboring the Enemy from Within

Back in the day, websites were coded line by line, usually in HTML/CSS. Now, they are assembled: huge chunks of prewritten code are appropriated from GitHub or other wells. WordPress is the world’s largest web platform, with tens of thousands of plugins ready to nestle into a site as easily as hitting the download and install buttons. These components load hundreds of JavaScript scripts from all over the world. Many are infected with spyware and keyloggers built to steal sensitive data without security teams’ knowledge. If installed, this malicious code can lie undetected and seemingly benign, while performing all sorts of nefarious acts. For instance, it can scrape customer info from a form field, so when someone is completing a landing page, it’s also mirroring and capturing their data. It may do the same thing on payment pages, in chatbots, or anywhere else the user is keying in information to interact with the website.

Here Be Security

Contrary to water-cooler opinion, the bank’s CISO and CSO are not obstructionists, but want to enable marketing. They just don’t have the tools to do it. Plus, they have different key performance indicators (KPIs) than marketing’s lower bounce rates and more conversions. The bank is the fiduciary caretaker of billions of dollars of assets, with departments of talented people committed to protecting the institution. It’s foolhardy to risk security with a promotion-of-the-month campaign. Besides, there are multiple other internal departments, all with their wish lists and competing for limited budgetary dollars. They are doing it the right way, being transparent and sometimes waiting in line. So while security wants to empower marketing for success, it isn’t always at the expense of best practices. 

Inspect and Protect

Now, with Inspector and PageGuard from Feroot, stakeholders can examine, test and trust that the new code is clean. It can shorten approval cycles from months to as fast as real time, meaning you can execute with confidence at the speed of business. 

Inspector benefits both marketing and IT/security. Using a one-of-a-kind headless browser, it searches for malicious code hidden in apps. There’s nothing to install, not even one line of code, keeping it quick, light and usable by anyone. Inspector works in conjunction with PageGuard to empower companies to find, remediate and guard against client-side attacks. 

The main benefit really is peace: peace of mind that you’re utilizing a best-in-class solution and peace between departments. It allows everyone to enjoy the common ground and shared goals of leveraging IT to grow the company. For more information on putting Feroot’s solutions to work for you, visit www.feroot.com.
