
As consumers, we’re all on the lookout for the newest product and/or service that can make our lives easier — and that same sentiment is true for brands. As the advertising ecosystem continues to evolve, brands have raced to keep up with new technology and trends by enhancing their tech stacks with new data sets and partners. In today’s data-driven landscape, media success and ROI depend on how well your tech stack is built and how well you can use it to not only measure ROI but improve it with your next campaign.

However, brand safety is not just tied to the environments where your ads may run but also to the data behind your advertising decisions. Because most brands are running frequent media campaigns, it’s vital that brands and their agencies be aware of and screen their partners’ data collection practices to ensure that they themselves are in a safe position.

As you evaluate new and current partners on privacy, it is also important to understand how well they are equipped to protect their data. When choosing a new data provider, it’s fundamental to ask the right questions. Lucky for you, we’ve developed a set of questions for you to ask as you RFI new partners and audit current ones.

Below please see the five security questions to ask in your next RFI. Happy reading!

1. Do you have an internal security team?

This is a question a lot of us may simply forget. While it’s important to ask about security when evaluating new partners, it’s even more important to find out if there is an actual team in place. If so, the next thing to know is the size of the team and how it compares to the size of the company as a whole. If data partners have a good-sized security team in place, it means they take security very seriously (which is a very good sign!).

2. Cloud vs in-house data centers — which one do you use?

The main difference between the cloud vs data center is that a data center refers to on-premise hardware, while the cloud refers to off-premise computing. When it comes to security, this question is pretty important. While some companies leverage in-house data centers, it can be argued that cloud partners have better security solutions and technology. Because of this, it’s imperative to ask this question so you can understand what they use and why.

3. Can you share a vulnerability analysis/penetration testing executive summary?

Vulnerability analysis/penetration testing (VA/PT) is an active process of identifying existing vulnerabilities and available exploits in a security implementation, and then attempting to penetrate susceptible systems on the basis of this information. A penetration test is useless unless paired with a well-drafted technical report. By asking partners to share these summaries, you will see whether or not they perform these routine assessments. You will also get a chance to review the findings to see if their efforts meet your criteria.

4. Does your security team perform routine red/blue teaming exercises?

Red team/blue team exercises take their name from their military antecedents. The idea is simple: one group of security pros (a red team) attacks something, and an opposing group (the blue team) defends it. Originally, the exercises were used to test force-readiness. In security, these kinds of exercises are fundamental, as they help reduce risk and enhance a company’s ability to detect breaches.

5. Can I speak directly with your security team?

There’s no better way to understand how a provider approaches security than speaking directly with the team. There is no checklist big enough or certification high enough that could provide better insight into a company’s approach to security.

To learn more about how to evaluate a potential offline partner, check out our blog.

About the Author

Nicola Mutti, Head of Security

Nicola is the Head of Security at Cuebiq in Milan. He has worked at various big, complex finance companies, but came to Cuebiq over a year ago to lead the security team in exploring new technologies and trying innovative hacking-defense techniques. A strong supporter of the "security by red teaming, instead of checklist" philosophy, Nicola is still very compliance/risk and business-oriented.