CCoE Stakeholder Education: Tips for App Owners  

07-18-2019 11:29 AM


How Sales & Marketing Supports IT & Cloud Security

Hello again! This is another episode breakout from our hit whitepaper, How to Implement a Cloud Center of Excellence (or CCoE). Somewhere between requesting a Shadow IT Assessment and running a full-time CCoE there’s a moment where the CASB Administrator or IT/Security Manager needs to sit down and educate the stakeholders – which means assigning cloud application owners outside of IT, Dev, Engineering, etc. Today we’ll look at Marketing.

Let’s say I’m the Chief Marketing Officer of my enterprise, a global security company. I own a budget and manage multiple teams and their managers, including Direct Marketing, Field Marketing, Events teams, and Product Marketing Management. Each one of those teams has their own technology stack, and can include use of central CRM tools, ticketing tools, storage repositories, document sharing and collaboration, project tracking, and more. During my tenure, I’ve let each marketing director determine the tools and cloud services their team needs to do the best job possible – and I’ve never imposed rules or guidelines on which to use because I’ve relied on them to pick the best tools for their teams.

Many enterprises don’t realize how large their marketing stack is – or maybe the first inkling of the stack size and content was when the legal team sat down and worked with marketing for GDPR compliance, and reviewed contracts for each vendor to determine which could hold EU customer data. Sometimes this, too, can be delegated to the managers underneath the CMO. But marketing has been summoned to be part of the CCoE for our organization, and to act as the owner of Marketing cloud apps and services. That’s why I’m a stakeholder in the CCoE.

The two primary concerns I usually have are budget (can I consolidate and reduce cost by eliminating redundancy?) and business continuity (can my people still perform their jobs effectively?) in support of building pipeline and sales enablement. I’m therefore interested in looking at categories of tools found by my cloud access security broker’s Shadow IT report.

In the RACI matrix of responsibilities, I am the Functional Manager for Marketing. This means I will be consulted on reviews and policies, and responsible for our marketing stack ownership and responses. Exhibit A shows where Functional Managers sit:

According to the Shadow IT report I have been shown (in this hypothetical exercise), my team uses the following Project Management tools:

I can see right away that this needs attention and a decision – this could be a prime time to migrate all of my teams to the same project management tool to save money. (Especially if we have licensed multiple versions in different parts of my organization.) Or, if there are necessary features missing in the tool with the highest business readiness rating (BRR), I will still ask the CASB Administrator to mark Sanctioned vs Unsanctioned/Provisionally Approved. I can also request a list of users and assign their manager the task of determining which alternatives are going to be our official tool. Or, better yet, investigate other online project tools.


If the teams start a trial with a new project management service/app, I’ll get that vendor’s BRR in next month’s meeting to determine if it’s a more secure option along with a report on features and usefulness by the entire marketing department.


For the next category my team uses, "File Sharing", there is a shorter list from our CloudSOC Shadow IT Audit report:

Citrix is the clear winner for BRR security scoring, and the most-used app on my team. I ask the CASB Administrator about who is using the other two services. They tell me that these are not being used by my team at all, and haven't been used recently by engineering, either.


I’ll tell the CASB Admin to go ahead and block the other two options in 3 weeks – after I send out my next team communication and add a note to the All Hands communication our executives are planning. It’s always important to give at least two weeks’ warning before shutting off access to any service. That gives the team time to pull their files down and migrate to a better system – just in case they were using the apps in coordination with another part of the organization.


Communication is the key here.


In terms of time, I’ll attend the CCoE meeting once a month to get started, moving to once a quarter after the first six months; an hour is not too much time to dedicate to shutting down services we are not using, possibly saving money that can go back into my budget. In the end, if someone on the marketing team causes a breach, it will come back to my doorstep. Participation on the CCoE keeps me informed and aware of what IT and Security messages need to come back to my part of the organization.


Your turn!


10-02-2019 07:34 PM

At the beginning of a CASB journey, sitting down with the functional departments whose users access these applications is important.

In a periodic review, one could simply present the new applications found. There is likely little cause to re-review old, already sorted and tagged applications. Once you know "Sanctioned", "Unsanctioned", "Critical" and whatever other tags you have chosen to represent known/approved (however grudgingly) then what the functional lead needs to see is unexpected change.

09-22-2019 09:57 AM

Should CASB Admin be the person reviewing the application list instead of the functional head? Will the involvement of the functional head be too much if he has to review the application list periodically?
