Last year, we announced The Voice of the CISO, a new series in which we interview prominent individuals in the field to gain detailed insight into the mind of a CISO and to better understand their role within an organization. Our latest interview features Thom Langford, an information security professional who is the Director of Sapient’s Global Security Office. In that capacity, he is responsible for all aspects of delivery and internal security, risk and compliance, and business continuity across Sapient’s global operations.
Tripwire: What are your business priorities, and how do they relate them to your cyber security efforts?
Langford: While I can't talk here about our specific business priorities, I can that say unless our security stance matches those priorities, we would be considered more of a hindrance than at a competitive advantage. Any security group that doesn't know what their company's vision is—its goals both short- and long-term, not to mention its values and purpose—has little chance of contributing anything meaningful to its success. The CISO must therefore make an effort to engage the company writ large, such as by attending earnings meetings and by reading the annual company report. Even spending some time on the ‘production floor,’ regardless of whatever form that might take, will help the CISO understand what the business is about, how it operates, and what is important to people's daily jobs, as well as what is unimportant.
T: In your opinion, what is the single most important component in cyber security success?
L: It sounds contrived, but the greatest component of success is the people at the organisation to which you belong. You should be striving to make each and every one of them a fanatical advocate of security. Don’t get me wrong, that is not to say that they should be so committed to security that they start pouncing on each other’s workstations the moment a co-worker leaves. Neither should they be reporting every open door regardless of the circumstances. Rather the CISO should help them come to understand security as a natural and normal part of their daily lives. Employees take the physical security of their homes seriously, yet that attitude does not seem to easily translate to the workplace (or even to their own computers at home). It is our job to help educate them, to market security as a benefit rather than an encumbrance.
T: How literate are your executives about cyber security, and how does that level of literacy affect the manner in which you communicate with them?
L: My executives are not hugely literate, but then again, I would not expect them to be. After all, many of them come from business schools or organisations that were successful prior to the rise of the CISO and the security function. Many of them know financials and marketing inside and out because that is their background. That is what they are good at, and that is why they are in the position that they are. That being said, they do have an awareness of security; they understand its importance within the business. It is my job to merely act as the subject matter expert and ensure that they are fully apprised of the risks. I frame the risks in such a way that makes sense to them as the operators of the business. Now that may be a financial or reputational or whatever measure, but at the end of the day, what I say needs to align with their business priorities. The moment I start talking about DLP or blinky boxes, I hinder their ability to make clear, apples-to-apples decisions according to their interests. I (and other business units) have to communicate in as consistent and straightforward a way as possible. If the execs don't understand what we are talking about, that is more a reflection on us than them.
T: What questions do you get asked, and how often? Are you confident in responding to them?
L: In reality, it comes down to two questions: “How secure are we?” and “Could such and such incident happen to us?” The challenge is to respond with a truthful answer—even if it’s something they don’t want to hear. After all, it is very rare that anyone can provide a positive answer to both questions. The adage of not “if” but “when” rings very true here. This means that the confidence of my response rests with my ability to ensure that everyone truly understands the context. If people understand the uncertainty, not to mention the resources (financial and technical) necessary to enhance our security, then a realistic answer is perfectly acceptable. I’m sure the exec’s don’t like the answers they get from Finance or HR sometimes, but the truth allows them to make the right decisions—the decisions that need to be made.
T: What other business units do you work closely with?
L: I work with the IT, Facilities, HR, Legal, Marketing, Communications, and Delivery departments. As many of them as possible, if not all of them concurrently. Without their participation and input, my security programme would fail.
T: What will your business look like in three years, and what are you doing to prepare for that? L: Our industry (the Consultancy and Digital Marketing space) is undergoing dramatic changes at the moment, so it is difficult for me to be clear here. As I mentioned before, however, regardless of the direction and changes that the company will ultimately undergo, I am confident that the security organisation will be able to adapt. Ultimately, we are very clearly mandated to support and enable the business rather than act as its moral compass.
T: Who do you think is doing cyber security right and why?
L: Everybody who is meeting the clearly stated goals of their business’ leadership board is doing something right. The problem of course is that the board doesn't always know what it wants, whereas security organisations aren’t always communicating with and educating employees the proper way. The key though is that every organisation has a different security and risk profile, so the notion of “doing it right” is like asking what the best flavour ice cream is. It’s all subjective.
Thom is responsible for highlighting and advising on delivery, compliance and industry security risks across North America, Europe and India. Having successfully built security and IT programmes from the ground up Thom brings an often opinionated view of risk, both in assessments and management, but manages to do so with humour and pragmatism (mostly). Thom is also an international public speaker and award winning security blogger and can be found at both thomlangford.com and @thomlangford.
Resources:
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required]. Image header courtesy of ShutterStock.com.
