Field notes
Your marketing stack is a security problem. Here’s the protocol.
Enforced 2FA, tight access, a real onboarding and offboarding. Not IT’s afterthought — RevOps’ job. Your data’s integrity and your customers’ trust run through it.
On this page
Your CRM, your ad accounts, your marketing automation platform, your analytics — that's not just your growth engine. It's a pile of customer data and live payment methods, held together by whoever happened to get access along the way. Most teams secure it about as carefully as a shared streaming password.
That's a RevOps problem, not an IT afterthought. Here's the protocol that should exist and usually doesn't.
Enforce 2FA. No exceptions.
Microsoft found that multi-factor authentication blocks over 99.9% of automated account-compromise attacks — and Microsoft sees roughly 600 million identity attacks a day. Verizon's 2024 breach report puts stolen credentials as the way in for 38% of breaches, with a human element in 68% of them. So make 2FA mandatory across every marketing tool, and use hardware keys (YubiKeys) for anything that touches admin, money, or customer data. A texted code beats nothing; a physical key beats the code.
Give access where it matters — and nowhere else
Two failure modes, both common. Too many admins who can't actually administer — five people with the keys, none of whom can safely rebuild a workflow. And too many hands in the ad accounts — people who can't set up a campaign or read the data, one misclick from torching a budget. Access isn't a courtesy or a status symbol. It's a liability you hand out. Give it to the people who can use it correctly, and take it back the moment they can't.
Lock down money and data movement
A short, named list of who can touch payment methods and billing — not "whoever set it up." And the boring hygiene that prevents most of the damage: don't paste passwords into chat, don't email card details, don't move customer data through personal accounts or unmanaged spreadsheets. None of it is clever. All of it is where breaches actually start.
Why this is a growth issue, not a compliance chore
IBM puts the average data breach at $4.88 million — but the number that should worry you isn't the cost, it's the trust. Higher security means the integrity of your services and your data holds. It means you don't compromise the customers who handed you their information on the assumption you'd look after it. Lose that once and no campaign wins it back.
Make it a protocol, not a vibe
This can't live in someone's head. It's a written marketing-operations security protocol that starts at onboarding — access provisioned deliberately, 2FA enforced on day one — runs through regular check-ins and training, and finishes properly at offboarding, with every account of a departed employee actually closed. The gap between "they left" and "their access left" is where a surprising number of incidents live.
Security isn't the opposite of moving fast. It's what lets you move fast without one bad afternoon undoing a year of trust.
A marketing-operations security protocol that’s actually enforced — onboarding to offboarding — is part of the operating system we build.
Get the next one
New field notes twice a month. We don’t do newsletters — follow RevOps XL on LinkedIn instead.
Follow on LinkedIn ↗