
I'm in engineering at a financial services company. When we built our front-end UI for eKYC, our marketing requested Google Tag Manager / Facebook Pixel and various other tracking features to be built in.

I had to fight hard as an engineer to make sure that it does not happen. We had meetings after meetings, and it took a lot of effort for me to explain the risk of data leakage. I was questioned on my "insecurity" for not "trusting" people. It was not a nice experience. I had to inform them that tracking needs to be dealt with properly, not just lazily install google tag manager because it gives marketing 'flexibility'.



Never ever give marketing access to deploy arbitrary JS onto your website under any circumstances.

Google Tag Manager is an absolute cancer on web development.

Once it's in, you'll never get rid of it.


The only thing I knew about 'tag manager' before this was that it was always blocked by NoScript. Your comment made me go look up what it does and now I know that I will never unblock it.

Apparently it lets people drop in random code from a bunch of different analytics platforms, so it's pretty much guaranteed to consist entirely of the sort of stuff I have NoScript enabled to block in the first place.


I've seen GTM take down production multiple times because of marketing shipping random JS with no approvals.

Some random guy in his basement assured someone in marketing they could handle our volume? Chuck their tag in and watch their website get DDoS'ed with millions of requests per minute, which takes out our website because marketing made it fail loudly.


I'm surprised that GTM doesn't handle that. They would have a good idea of how long requests are taking to different domains and limit requests to the slower ones.


I mean, yes, true, but it kind of misses the point: marketing doesn't ask you, they ask up. And we're just the BOFH pinheads who make everything so harrrrrd with our stupid "concerns."

IT can often be "we make someone else's bad idea happen," and that's because we simply lack veto power.


Agreed!


> I was questioned on my "insecurity" for not "trusting" people.

Personal attacks for doing your job? If you're still there, the stock options had better be enormous!


That's par for the course for technically orientated roles. I was labelled 'defensive' and denied a pay increase because a business development executive wanted to make our documentation dynamic based on user access, and I pointed out it was difficult to find a solution when users can have over 400 access permissions, which varied depending on country, and our documentation was 900 HTML pages, some of which were equivalent to 200 A4 pages.

If you are the most knowledgeable person, then you get blamed for their bullshit fantasies being impossible or unwise (or illegal).


> I was questioned on my "insecurity" for not "trusting" people.

"I trust people just fine. I trust people working for outside companies dependent on information gathering to gather information. Google has no fiduciary duty to our clients. Same with Facebook. We DO have a fiduciary duty to our clients and it includes not doing things that may send their confidential information to third parties because SOME of the information used may be useful to our marketing department."


I'm surprised and disappointed that you didn't have your InfoSec and risk people in your corner.


The reason for that is I'm the CTO, responsible for building out the tech / engineering team.

Hiring people is difficult as there is a lack of supply of talented people. We hire InfoSec on a contract basis, not full-time, and they don't join such meetings due to the nature of the contract. So all the responsibility fell on me to defend our technical decisions at that point in time.

I'm working on building out the engineering culture / awareness within management now, to ensure these things do not happen, and I don't have to be questioned as to why we cannot install "google tag manager" in our front-end.

It all comes down to creating awareness, and making people understand. Fortunately for me our CEO gets it, he ended up siding with me.


Honest question: how can a financial services company not have an in-house InfoSec team?

To me, this is an even more concerning issue. But then, I have no idea how the finance services world works, so maybe this is more common than I think?


FinTech doesn't always mean global mega bank. There are lots of small-scale start-ups that fit into the financial services category that wouldn't/couldn't afford full-time InfoSec roles.

Outsourced CISO/InfoSec is a valid and reasonable thing for some companies.


I feel like a small scale startup needs internal infosec and audit teams even more. Unlike the incumbents, who are "too big to fail" and therefore are able to get away with blatant insecurity, a startup's in a much more vulnerable position, and any security breach is significantly riskier in terms of corporate longevity.

If I was running a financial services startup, those groups would be near the front of my list in terms of internal hiring.


Why would they? There are still to this day no downsides to a customer data leak here and there.


There are huge repercussions. We are governed by PDPA (our GDPR equivalent) law where penalties are extreme. Thailand takes Data Privacy as seriously as EU.

But again, since it's not always easy to find the right people I end up having to fill in for everything we don't have a team member to execute on.


Did anyone ever go to jail over a data breach? Thought so.


Worth sharing this thread around your company, maybe? Could help with convincing people that there are negative marketing consequences to careless and seemingly harmless decisions.


I am guessing they don't join such meetings due to IR35 concerns?


No, it has nothing to do with tax. Usually contractors have a very fixed scope; they focus on doing what is in the contract. Sometimes things that come up ad hoc, like marketing requesting installation of Google Tag Manager, are outside the scope of the contract. It would require a lot of giving them context, amending the contract, etc. It's not necessarily convenient to have to ask them to come in every time there is a problem.

Usually I try to reason with management first. If it can be resolved internally we would not include outside consultants; however, if it gets serious beyond something we can handle internally, we would ask an outside consultant to come in.


LOL, worked at a place and we uploaded all of the inventory for Facebook integration. We charge millions to customers for this data but "we need to show up on Facebook" wins the cake.


I’m going through the same dance at my company. Could you post the arguments that you made against GTM? It would help a lot. Thanks


Sure, in the end I asked our head of compliance to join the meeting. I made it very clear to everyone what was at stake, and that I'd done my duty in raising awareness. If they would like to proceed, I hold 0 responsibility. Usually when you do it like that no one wants to put their neck on the line. Our head of compliance takes this stuff really seriously as he has to report to the central bank, so he and our CEO ended up agreeing to not use GTM.

You really need to present well and be careful about arguments like "millions of websites use GTM". I did days of research and presented that while, yes, using GTM on WordPress sites that hold no sensitive data might be fine, we are a financial services company and we collect customer private data. So getting everyone on the same page and presenting alternative ways of solving the problem was critical.
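As an added example (not code from the thread or from any tag-manager product), here is a minimal Content-Security-Policy checker showing the kind of first-party-only control that makes the "alternative ways" concrete: a policy under which no tag-manager script can execute on the eKYC page and form data can only travel to the bank's own API. The origins, hostnames and policy string are constructed; `auditRequests` and the other function names are assumptions of this example.

```javascript
// Added example (not code from the thread): a minimal Content-Security-Policy
// checker. Handles 'self', 'none', exact hosts and *.wildcard hosts; ports,
// nonces and hashes are not modelled. All origins and the policy are constructed.
const PAGE_ORIGIN = "https://kyc.example-bank.test";
const POLICY = "default-src 'none'; script-src 'self'; connect-src 'self' https://api.example-bank.test";

// Map of directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one CSP source expression permit this URL?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces and hashes permit nothing here
  let scheme = null, host = source;
  const i = source.indexOf("://");
  if (i !== -1) { scheme = source.slice(0, i).toLowerCase(); host = source.slice(i + 3); }
  host = host.replace(/\/.*$/, "").replace(/:\d+$/, "").toLowerCase(); // drop path and port
  if (scheme && url.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// A fetch directive falls back to default-src when it is not set explicitly.
function isAllowed(directives, directive, rawUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (!sources) return true; // no applicable directive: CSP does not restrict
  const url = new URL(rawUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Returns the requests the policy would block, in input order.
function auditRequests(policy, requests, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  return requests.filter((r) => !isAllowed(directives, r.directive, r.url, pageOrigin));
}

// Constructed sample of what a tag-manager container typically does on the page.
const SAMPLE_REQUESTS = [
  { directive: "script-src", url: "https://kyc.example-bank.test/app.js" },
  { directive: "script-src", url: "https://tagmanager.third-party.test/gtm.js" },
  { directive: "connect-src", url: "https://api.example-bank.test/kyc/submit" },
  { directive: "connect-src", url: "https://collector.third-party.test/beacon?e=1" },
];
```

Running `auditRequests(POLICY, SAMPLE_REQUESTS)` returns the two third-party entries: the container script never loads, and the beacon never leaves the page, regardless of what a tag author later drops into the container.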


Thanks for this comment. It would be quite useful to read a more detailed write up extending from your second paragraph here.



