'Security isn't a special flower; it’s another piece of business, like finance'

A special flower is precisely what information security is not; it’s a core piece of business, like operations, says Thom Langford

Publicis Groupe’s chief information security officer, Thom Langford, explains why a good security culture is one that doesn’t have the word 'security' in it.

What are some of the main cybersecurity threats facing business today?

Malware, ransomware, phishing emails and a lack of awareness.

This is because criminals are able to profit from attacks that target every single person in an organisation. If you have 100,000 employees, only one of them has to click on the wrong email, or download an attachment, and the criminals have won. They only have to win once, but businesses have to win every single time.

Lack of awareness is challenging, because cyber threats are not well understood compared to traditional security issues. For example, if a fire alarm goes off in an office, people know what to do; they have been trained to know that this means danger.

But if someone ran in and said “computer virus”, nobody would do anything – and that’s because there’s not the same level of awareness. As a result, people don’t know how to react.

How can security professionals manage these threats?

Security must be built in by design, and through public information campaigns, in order for it to become part of people’s daily habits. Security behaviours require a cultural and generational change in attitude, much like the change brought about by the seatbelt and anti-smoking campaigns from 30 years ago. My mother only started wearing a seatbelt all the time about 10 years ago, even though ads were everywhere well before that.

It’s vital for security professionals to recognise that it takes a long time for change to occur. Today, we can do lunch and learn sessions, presentations, training, posters and so on, but the problem is that we expect immediate results.

Businesses that embrace long-termism will be better off.

At Publicis, we've tried to manage these threats in the short term in different ways. For example, we engage people by telling them about high profile cases in the media, as it gives more context to our environment. People rarely remember what you tell them, but they remember how you made them feel.

We also send out a monthly email that highlights potential threats. If there has been a breach, we immediately communicate to the entire company – through email or our internal social tools – what happened, why and what we’re doing about it.

We also host meetings on risk assessment. Many staff members highlight issues to us to make sure that they're addressed by management; they see it as a way of supporting the business, not a waste of time.

How do you see the role of the CISO changing?

Historically, security has been seen as a gatekeeper, but it should be regarded as an advisory role. CISOs are often used as a tool for prevention, when they should be supplying the business with information, in the same way that finance provides information on whether it’s a good idea to buy another company. It doesn’t mean that a business can’t enter into certain activities; it just means that they're cognisant of risks.

The role of the CISO has evolved and needs to be on a par with other C-Suite roles. Information security is not its own special flower; it’s another piece of the business, like finance or operations.

What defines a strong security culture?

A good security culture is one that doesn’t have the word security in it. It’s a company that polices itself when it comes to knowing when to allow an employee to use a USB stick, or telling people upfront how you do things.

It’s technically attainable, but difficult to get. Security experts must take charge, but must do so with the support of the business. A strong culture is a long-lasting set of values, attitudes and mindset that's regularly exhibited and demonstrated, by every member of a company, from the C-Suite downwards.

It’s an attitude, and a way of working that should touch on every single thing a company does. Working securely should be throughout it, without even mentioning the word.

For example, if you’re reading a book about how to run a project, a section labelled "security" is unhelpful. A project manager should know that as people enter and leave the project, their access to sensitive documents should be managed accordingly – not because of security, but because it’s the right thing to do.

Thom Langford is chief information security officer at Publicis Groupe