Honesty, humility and humour with Thom Langford, CISO at Publicis Groupe
October 18, 2018
It should hardly come as a surprise that I do some background research on my interviewees before meeting them. I’m intrigued to discover that this CISO is somewhat of a celebrity in the infosec world.
Thom Langford, CISO at Publicis Group, forms part of the trio behind the humorous cyber security series, Host Unknown.
Humour? In cyber security?
You read correctly.
With most cyber security being “as dull as ditch water”, Thom, along with Javaad Malik and Andrew Agnes, decided to lighten up the tone by making a series of entertaining videos on issues that plague the industry. “We just felt that it (the industry) was really overly serious,” he says.
Aware that he’s stereotyping, he feels, however, this attitude does the industry no favours when it comes to building a robust cyber security culture in organisations.
“Being rigid and by the book doesn’t work, you have to adapt to the business. Security does not trump everything,” he states.
In fact humour seems to be an intrinsic part of how Thom communicates and engages with staff. He references Maya Angelou’s words, “I've learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel.” He adds, “I think it's about getting that visceral response in somebody.”
By way of background, Thom began in IT at the end of the 90s, then joined Kinesis, a computer consultancy company, based in Swindon. From there he moved to Sapient which was acquired by Publicis in 2015.
Leading a team of 55 (and growing), Thom’s role touches all aspects of the business. There’s the cyber security side which is security testing, penetration testing, vulnerability assessments, static and mobile code analysis, threat intelligence and security architecture. Additionally, there’s the enterprise side which is policy and compliance, training, awareness business continuity, disaster recovery and security risk management.
Thom states: “I think it's our job, from a security perspective, to try and mould ourselves around the culture but also to adapt to being told ‘that's not how we do things around here’.” It's about learning to forget about the battles and think about the war, he adds.
Over the years he’s learnt that every company thinks they’re different, and yes, the culture in a creative company might be different to that of an energy or automotive company, but for the most part they’re more similar than not.
Referring to his own company, “I was told many years ago that we would never have mandatory security training, it’s just not in our culture. Actually they're exactly the same as everyone else.” Seeing the obvious need for mandatory training, Thom went ahead and created training courses, providing them to tens of thousands of people. His initiative proved fruitful. “Over three or four years, the culture has changed because of a variety of aspects. Hopefully many of them to do with us,” he says.
Building a robust cyber security culture
Unlike some CISOs, Thom’s team is separate to the company’s IT department which has freed him up somewhat to be able to influence security decision making.
The key to a strong security culture is to work out your policies, work out that framework and then build on top of that, he emphasises.
The first decision Thom made was to set out the security policies and guidelines in the company. It was an 18 month mission but worth it. “I'm not a believer in documents for documents sake, but you have to have some kind of baseline,” he advises.
His role has been educating people on the differences between a policy, a guideline and a procedure.
“So often people misunderstand what a policy is. They use the word policy interchangeably with procedure and guideline. By educating people on the framework and how it works, we define the policy and we create guidelines. It’s up to them to define the procedures and the operating processes that will meet the policy statements,” he states.
“We know how to structure, manage and audit documents. To the outside person, it's not the most thrilling of things but it is a real solid base that we can work from. It sounds very rigid but it's not, it frees you up to do stuff,” he explains.
Thom says much of the security industry's defensive approach and culture of ‘no’ is based on uncertainty and on the fact that “I need to cover my arse because if I say yes to this and it fails, I'm the one in trouble.”
This uncertainty is due to a lack of “baseline”, he feels. “I think having that baseline in place allows us to engage with the business because we're very clear about where the responsibility and accountability lie,” Thom says.
As a team, they’re completely technology agnostic, not forcing anyone to use a particular product or system. They simply highlight the importance of protecting data from exfiltrating the organisation at the end point; how they do that is entirely up to them.
“When we go in review or audit them, if they're meeting the policy then that's good. If something goes wrong because they've implemented bad technology or done it in a bad way, it's on them. If they've implemented it entirely in accordance to what we've got in our policy and there's an instance when it goes wrong - that's on us. So that distinction between who's responsible and who's accountable is very clear,” he states.
So often he finds that security decision makers rush to build a new system or integrate expensive technology to fix a problem. But is that really necessary? “Let’s come down a little bit and see what the policy and guideline say. Would a simple spreadsheet suffice, at least for the time being? I think a lot of people would either say no or over-complicate something to the point of delaying the actual requirement,” Thom asserts. The question he always asks himself is: how do I make this work? Not, how do I make this secure?
Stress and cyber security
Despite sporting a fine pair of New Balance trainers, Thom doesn’t have much time for exercise. However, since September last year he stopped drinking which has been “a massive, massive help”.
That’s got to be pretty tough working for a French company, with no dearth of fine wines floating around the office. However, it’s not a decision that Thom regrets.
He feels that the cyber security industry has a problem with pressure on the state of the individual's mental wellbeing. A problem the profession needs to confront.
“I still get stressed, but I ask myself: is it something I can change? Yes? Go and change it. Is it something I can't change? No? Well, just get on with it,” he concedes.
Thom’s a keen photographer and enjoys watching films, a passion he shares with his 15 year old son, an aspiring filmmaker. An ardent sci-fi fan, his favourite film is Terry Gilliam’s, Brazil.
The love of sci-fi extends to literature and he’ll read anything by Isaac Asimov or Arthur C Clarke. He is, however, currently reading a book on persuasion, entitled, How To Argue With Your Cat, “because if you can persuade your cat to do something, you can persuade anybody to do something,” he adds.
Thom is currently writing his own book with a fellow CISO. We eagerly anticipate its publication!
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), says it's essential to identify areas of IT weakness before the bad guys do... As the impact of COVID-19 has …