How to argue with engineers for attribution data

Talking points for a secure Google Tag Manager

Hey friends,

The value of marketing attribution is undeniable and yet… The request to install Google Tag Manager on a website is often denied.?

The site engineers say, “No can do. GTM is too much of a security risk.”

If marketers don’t have a technical grasp on GTM, they tend back down from the argument. Their work, and the company, will both suffer because of it.

So on numerous occasions we’ve stepped in on behalf of our marketing clients to have a spirited – and fruitful – debate with the engineering team.

Now we’re passing some talking points on to you. Use these to advocate for the safe implementation of Google Tag Manager on your own website.

?? ?Google Tag Manager is better for the engineering team, too

GTM enables the?marketing team to manage site analytics tags on their own.?

This means that marketing won’t need to constantly ask engineering for support. The engineering team only needs to add the Google Tag Manager JavaScript code once. After that, marketers can add pixels and JavaScript without touching code.

?? And of course there are some security risks…

Engineers are often quick to point out that GTM, because it allows JavaScript to be deployed independently, opens up the door to two admittedly scary scenarios:?

• A malicious actor within your company uses this ability to insert JavaScript that steals sensitive customer data (addresses, credit cards, etc.).
• Someone on your team unknowingly copy/pastes malicious code from an arbitrary Web site that does the same thing.

??? But there are ways to mitigate these risks…

For example:?

• Limit access. Keep the number of people who require GTM access to an absolute minimum.? Be especially wary of granting access to temporary contractors. If you must, make sure they’re a fully vetted, insured, and trusted partner.?
• Remove unneeded access immediately. This is a big one and many companies forget to do it. If someone leaves their company, remove their GTM (and any other related) access immediately.
• Never grant access to anyone outside of your organization. Instead, if someone needs access to data within your organization, create an organizational account for them. That way, when their time working with your org is done, your Google Business administrator can just delete their account.
• Use granular container management. Google Tag Manager supports containers, which segments your tags and governing rules into buckets. Grant access only to the containers that a given individual needs.?

• Use an approval workflow. An approval workflow can keep engineering stakeholders in the loop without pushing the overhead of shipping code changes into their laps. (You can use environmental support in GTM to make workflows quite rigorous.)

?These are all standard measures that will keep risk low.?

?? And, most importantly: the alternatives to GTM are generally very painful.

The skeptical engineering team might offer up some alternatives to GTM.

One is to provide direct access to the website to enable changing the site’s HTML and templates directly. That requires marketing to have a lot of technical how-to. It also requires granting what is, frankly, overprivileged and potentially dangerous access.?

The other is to ask engineering to make the change through their official dev process. That makes engineering a bottleneck for all tag change requests.

At ércule, when we’re negotiating with engineers on behalf of clients, we frame it like this: GTM is the standard setup. The other options are non-standard, which will result in a mess of complications down the road.

Besides, site engineers accept various kinds of risk every day.? So use these talking points to lay out the actual risks – which are minimal and easily controlled – and advocate for yourself, in the name of data-driven marketing!

??