How to Talk to Your Data Security Personnel

It’s come to that time in your project when you have to submit your website to your data security department for review. Most marketers approach this with a common feeling: Dread. What are they going to object to this time? What seemingly arbitrary hoops are your customers going to have to jump through now?

If it makes you feel any better, your data security person probably feels the same way about looking at a marketing initiative. In our experience, data security and marketing speak different languages, strive after different goals and generally don’t understand how each other operate.

This article is a guide for preparing for your next conversation with data security. We’re going to approach it from the point of view of a conversation. We’re going to have to talk to a person, and to do that effectively we need to understand a bit about what that person wants and how he or she thinks about his or her job.

Data security is usually thought of as an IT job. It’s not. It’s a job in risk management. Your security folks are trying to identify risks to your company, coming from all sorts of sources, and address them in a way that’s effective, cost-efficient and doesn’t compromise the business’ ability to operate.

With which types of risk are they concerned? Security people are taught the “CIA triad” in their studies: “C” for Confidentiality, “I” for Integrity and “A” for Availability. These three factors are necessary to secure anything.

Confidentiality is the most straightforward, and it’s what most people think of as “security.” It means protecting the data from unauthorized access. This protection needs to be from attacks from any source: Hackers, unscrupulous employees/vendors, accidental disclosure, improper disposal of old paper/disk, etc.

There is a sliding scale of confidentiality depending on the sensitivity of the data. An HCP’s business address is not confidential information, while a patient’s home address must be protected. A person’s name and date of birth are sufficient identity information to open a credit card account, so these must also be guarded.

A patient’s date of birth is a great example of a piece of information that’s often collected by pharma marketers. In most cases, this is used to drive segmentation of the customer based on age. It’s possible to achieve the same business goal by asking for the person’s age (as a number) instead of their birth date. The age can’t be used for identity fraud. Collecting age reduces the risk to the company while fulfilling the business need. The best way to secure a piece of information is not to collect it in the first place.

The next security principle is Integrity. Integrity is about ensuring that the data is accurate and reliable. The security professional is concerned about processes around gathering the data, defining it, storing it and processing it. Errors can creep in along the way through malfunction, human error or deliberate falsification.

Integrity is the principle on which pharma marketers can usually compromise the most. Whenever we ask a customer (patient or HCP) for information, we have little way of knowing how accurate their responses may be. Our purpose is to market to these customers, so the accuracy of the information is of limited importance. If the postal address is wrong, we miss a mailing. If the email address is a fake, we fail to deliver messages to someone who didn’t want them anyway.

The age idea from before is a good example of a trade-off. If we only collect a person’s age, we won’t know their birthday and the data will eventually be wrong. This can be addressed by giving the entire user set an artificial birthday six months after registration (bump each user’s age up by one on that date). Half of the users will be too young. Half will be too old. They’ll average out to accurate, though, so you can still look at the customer population in aggregate and get valid conclusions. And being half a year off on an age-related segmentation is not likely to change the behavior of the customer.
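To show the trade-off concretely, here is an added example (not code from the article or from Klick Health) of the age-without-birthdate scheme described above. The database keeps only the stated age and the registration date; an artificial birthday is synthesised six months after registration (taken as 182 days, an assumption) and recurs yearly. A small simulation over a constructed customer population checks the two claims made in the text: each individual estimate is never more than one year off, and the population average is accurate.

```python
"""Added example: age capture without a date of birth.

The marketing database stores the age the customer stated and when they
stated it; it never holds a date of birth. Ages are advanced on an
artificial birthday six months (182 days, an assumption) after
registration. The simulation below uses constructed customers to measure
the integrity cost of that choice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import random


@dataclass(frozen=True)
class AgeRecord:
    """What is stored: no date of birth, only a stated age and its date."""
    age_at_registration: int
    registered_on: date


def _years_between(start: date, today: date) -> int:
    """Whole anniversaries of `start` that have passed by `today`."""
    years = today.year - start.year
    if (today.month, today.day) < (start.month, start.day):
        years -= 1
    return years


def true_age(born: date, today: date) -> int:
    """Age from a real date of birth; used only to score the simulation."""
    return _years_between(born, today)


def estimated_age(record: AgeRecord, today: date) -> int:
    """Stated age plus one for every artificial birthday that has passed.

    The first artificial birthday falls 182 days after registration and
    recurs on the same month and day each year.
    """
    first_bump = record.registered_on + timedelta(days=182)
    if today < first_bump:
        return record.age_at_registration
    return record.age_at_registration + 1 + _years_between(first_bump, today)


def simulate(n_customers: int, as_of: date, seed: int = 7) -> dict:
    """Constructed population: random birthdates (1950-1999) and random
    registration dates during 2020. Returns the range of per-customer
    error and the mean error of the estimated ages as of `as_of`."""
    rng = random.Random(seed)
    errors = []
    for _ in range(n_customers):
        born = date(1950, 1, 1) + timedelta(days=rng.randrange(50 * 365))
        registered = date(2020, 1, 1) + timedelta(days=rng.randrange(365))
        record = AgeRecord(true_age(born, registered), registered)
        errors.append(estimated_age(record, as_of) - true_age(born, as_of))
    return {
        "min_error": min(errors),
        "max_error": max(errors),
        "mean_error": sum(errors) / len(errors),
    }


if __name__ == "__main__":
    # Individual errors are -1, 0 or +1; the mean sits close to zero.
    print(simulate(2000, date(2024, 7, 1)))
```

The error bound holds because real and artificial birthdays both recur yearly, so the two counts can never drift apart by more than one; the mean error is zero because registration dates are spread evenly across the year relative to real birthdays.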

Finally, Availability is concerned with making sure that a service or piece of data is there when you need it. Marketing programs are of no use if they can’t be accessed. Security people will be interested in server uptime for websites, database backups, disaster recovery plans, and the financial health and technical capabilities of agencies and other vendors that provide you with service.

For digital pharma marketing, we typically recommend a 99.9% uptime contract (i.e., a maximum of about 8.5 hours down each year) for websites, with an allowance for a late-night maintenance window. The requirement for email marketing can be relaxed further, perhaps to 99.5%.

Security professionals begin an assessment by coming up with risks to your program in each of these categories. Each risk is assigned a severity, based on the combination of the impact of a failure with the likelihood of occurrence. In quantitative risk analysis, a dollar value can be assigned to each risk. One of the key principles of security is that you should spend no more than the value of the risk to mitigate (or transfer) it. This is why your IT department spends a ton of money on securing the availability of your manufacturing and distribution systems, and less on making marketing websites bulletproof.
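The quantitative analysis described above, worked through in code as an added example (not the article's own material): each risk is tagged with its CIA category and given an impact (cost of one occurrence) and a likelihood (expected occurrences per year); their product is the yearly value of the risk, which is also the ceiling on what it is rational to spend on a control. All dollar figures, risk names and controls are constructed for illustration.

```python
"""Added example: a quantitative risk register with the article's
spend-no-more-than-the-risk rule. Every number here is constructed."""
from dataclasses import dataclass, replace
from enum import Enum


class Category(Enum):
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


@dataclass(frozen=True)
class Risk:
    name: str
    category: Category
    impact_usd: float            # cost of a single occurrence
    likelihood_per_year: float   # expected occurrences per year

    @property
    def annual_value_usd(self) -> float:
        """Severity in dollars: impact combined with likelihood. This is
        the most it is rational to spend per year to mitigate or transfer
        the risk."""
        return self.impact_usd * self.likelihood_per_year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    residual_likelihood_per_year: float   # likelihood left once in place


def risk_removed_usd(risk: Risk, control: Control) -> float:
    """Yearly risk value the control takes off the table."""
    residual = replace(risk, likelihood_per_year=control.residual_likelihood_per_year)
    return risk.annual_value_usd - residual.annual_value_usd


def control_is_justified(risk: Risk, control: Control) -> bool:
    """Spend no more than the value of the risk being removed."""
    return control.annual_cost_usd <= risk_removed_usd(risk, control)


def rank_register(risks: list[Risk]) -> list[tuple[str, str, float]]:
    """Register sorted by annual value, highest first, with its CIA letter."""
    ordered = sorted(risks, key=lambda r: r.annual_value_usd, reverse=True)
    return [(r.name, r.category.value, r.annual_value_usd) for r in ordered]


# Constructed register: a manufacturing system next to a marketing site.
REGISTER = [
    Risk("Manufacturing scheduling system outage", Category.AVAILABILITY, 2_000_000, 0.5),
    Risk("Marketing website outage", Category.AVAILABILITY, 5_000, 4.0),
    Risk("Patient registration data exposed", Category.CONFIDENTIALITY, 500_000, 0.1),
    Risk("Stale addresses in the HCP mailing list", Category.INTEGRITY, 2_000, 12.0),
]
HOT_STANDBY = Control("Hot standby for manufacturing system", 300_000, 0.05)
ACTIVE_ACTIVE_SITE = Control("Active-active hosting for marketing site", 40_000, 0.5)

if __name__ == "__main__":
    for name, cat, value in rank_register(REGISTER):
        print(f"[{cat}] {name}: ${value:,.0f}/year")
    for risk, control in ((REGISTER[0], HOT_STANDBY), (REGISTER[1], ACTIVE_ACTIVE_SITE)):
        verdict = "justified" if control_is_justified(risk, control) else "not justified"
        print(f"{control.name}: {verdict}")
```

With these constructed figures the expensive standby for the manufacturing system pays for itself many times over, while making the marketing site bulletproof costs more than the risk it removes, which is the spending pattern the paragraph describes.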

Now that you understand a bit about data security, imagine your next conversation with your security people.

“We’re going to collect age for marketing purposes. We thought about date of birth, but that’s personal info and we’d rather respect the customer’s confidentiality. We can make do with the hit on our data integrity.”

By speaking security’s language and framing things in their terms, you’ll go much further with your discussion. You’ll also start to build a relationship with the person on the other end, which can be both satisfying and powerful.

  • Alfred Whitehead

    Alf is responsible for the Systems Administration, Quality Assurance and Security practices at Klick Health. His security experience includes defense of high-profile targets against active threats. The goal of his position is simple: To weave security and quality into everything the technical team produces and operates.