Building a Business-Aligned Cybersecurity Strategy | Interview with Thom Langford
Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today's guest is Thom Langford. He's the CTO of the EMEA region at Rapid7, a global cybersecurity company, and is also a director at (TL)2 Security, a cybersecurity consultancy. He's also a host of the Host Unknown podcast, he has been in the IT and cybersecurity business for about thirty years now, and he has clients from three continents.
Dejan Kosutic:And what is really interesting about Thom is that he's focused on the strategic aspect of cybersecurity and building a cybersecurity culture. So in today's podcast you'll learn what the best approaches are for these, I would say, strategy aspects of cybersecurity, and also how to connect this to the business. Welcome to the show, Thom.
Thom Langford:Thank you very much, Dejan.
Dejan Kosutic:Okay, it's great to have you here. So in your view, what really is cybersecurity strategy and why is it important?
Thom Langford:I think cybersecurity strategy is seeing the role that cybersecurity plays in the larger organization. All too often, I think, we as cybersecurity professionals just focus on the security part, just the cybersecurity part. We don't take into consideration any of the other elements of the business. There's a phrase I use, which is special flower syndrome: in the bouquet of flowers that is our business, we think we're the single red rose in there and that everything needs to revolve around us. And we're not.
Thom Langford:We are just one of the regular flowers that comprise the whole. And it's all of the flowers put together that combine to make a successful organization. And so one of the key reasons why we fail is because we don't understand our positioning and the strategy of the organization as a whole.
Dejan Kosutic:Okay, so how do you then position cybersecurity strategy within a company to make it actually meaningful, so that it contributes to company goals?
Thom Langford:First off, I think one of the key questions to ask yourself is: what does this company actually do? I ask this regularly at conferences and get a show of hands, and it has improved, but certainly when I first started asking ten years ago, less than a quarter, sometimes barely a third, of the audience had actually read their organization's annual report or truly understood what they did. That has increased a little bit over time. I think the message is getting there. But the key here is that the vast majority of cybersecurity senior leadership do not really know fully what their business does.
Thom Langford:What is the core goal, the core vision of their organization? And without knowing that, they have no hope at all of aligning their services, aligning their own cybersecurity strategy and aligning their offerings to further the interests of the business.
Dejan Kosutic:Okay, and then once a cybersecurity professional learns about, let's say, the business goals of the company and basically the business strategy, how exactly do they then make this connection between the business and the cyber?
Thom Langford:So I think the first part is to understand that your role as a CISO, or as a broad role of senior security leadership, is not to make that organization the most secure you possibly can. Because if you do that, they will stop doing business. If you say that everything you do has to be fulfilled by that organization in order to make it fully secure, they will not be able to operate flexibly, dynamically, in an agile manner. Your role as a cybersecurity professional and senior leadership is to help the company achieve its primary goal. Back to that first point of what are we trying to do: are we trying to sell widgets?
Thom Langford:Are we trying to improve the human experience, if we look at Apple's vision and strategy? Is it to maximize shareholder profits? Because frankly, if you work for a public company, that's exactly what you do.
Thom Langford:That is your primary goal. Now you achieve all that through the judicious use of security, but that is not your primary purpose. Security is not your primary purpose.
Dejan Kosutic:It's kind of counterintuitive, isn't it? And I would say most security professionals would not really agree with you. But how do you actually balance this, I would say, good security but not too much security?
Thom Langford:So I think part of it is, there are a couple of things here. Let's look at some examples, the examples that some of your audience are probably shouting at their screens right now. So if we look at, say, MFA, multi-factor authentication.
Thom Langford:That's pretty much a fundamental. It's table stakes. It has to be done. And I think you can make a very strong business case as to why it's important. And in fact, the cybersecurity press, the national press in whichever country you're in, will help you make that business case.
Thom Langford:We know, for instance, in my day job, of all of the vulnerabilities that have been exploited in the wild, I think it's something like 75 or 80% of them are actually exploited through accounts that don't have MFA on them, for whatever reason. It's a shocking statistic. So I think in some ways you can actually say, hey, I can provide this at very little cost and very little friction to our users, because they're doing this anyway on their bank accounts. They're doing it already on their Facebook accounts and their Reddit accounts, whatever. I can provide these fundamentals that will massively improve our ability to repel an attack of some description.
Thom Langford:So that's one side. Fundamentals, yes, we can deal with. The rest of it though, if we want to start looking at other security tooling, or the ability to run a security operations center, the ability to react effectively and decisively during an incident, you have to tie these things back to the business goals and tie them back to the business operations. So one way, for instance, that I sold business continuity, what it used to be called business continuity, now it's resilience, isn't it?
Thom Langford:That's the buzzword today. But the old BCP, business continuity plans, the way I sold those was: if we implement these and we ensure we identify the right services, this ensures that we can continue to bill our clients, i.e., we can continue to maintain an inbound revenue stream. Now that talks a lot more effectively to company leadership than, oh, well, it's industry standard practice to have a business continuity plan for something that may or may not happen. So it's actually relating it back to the fundamentals of how that business operates.
Dejan Kosutic:Okay. And then what kind of, let's say, toolset can cybersecurity professionals use to actually decide whether they apply more or less security, I mean, above this level of basic security? So is this risk management, or is this something else?
Thom Langford:Yeah. Risk management is important. Risk management is really difficult though. It's really tough. And if we look at the best way of doing risk management, it's through something like the FAIR methodology, which is incredibly time and resource intensive.
Thom Langford:Not easy at all. But there are other mechanisms that you can use, even down to a simple RAG status, you know, red, amber, green. I remember there's a blog I read, and I'll give you the details for the show notes afterwards. But it's by an ex-NASA senior employee. He was at the forefront in mission control in Houston for a number of missions, ranging from Apollo to shuttle missions, etcetera.
Thom Langford:The grid that NASA used on a day-to-day basis for measuring the risk of an activity was a five-by-five RAG status grid. NASA.
Thom Langford:Yes, they had other mechanisms behind it and other things that they could call on, much more complex environments if they needed to, but in principle, it was just a RAG status. So a simple RAG status is a good place to start. Emphasis on to start. You do need to evolve it over time, because there are plenty of challenges with RAG status. So for instance, green is not always good, because it could be expensive.
Thom Langford:Red is not always bad, because that's the cost of doing business in a particular environment, right? As long as everybody understands the context of what the red, the amber, and the green are, and the measurement, whatever that might be, behind it, it gives you a good enough indication of where you should be. And the other side of it as well is knowing how much you should sell into the organization: how much is the organization willing to spend? This goes back to, again, it's not down to the CISO to necessarily define how much to spend. It's down to the business to know what their risk appetite is.
Thom Langford:So I could say I need a million dollars to see off a potential loss of a million dollars over the next five years. As far as the business is concerned, it might be fine not to invest that million dollars, because, frankly, we're going to make a lot more money by investing that million dollars into something else. But as long as they know that that is the risk and that they are cognizant that that is the trade-off they have made, that's your job as a CISO kind of done.
Dejan Kosutic:Now lots of companies are struggling with this concept of risk appetite, and how do you start there? I mean, how do you define this appetite?
Thom Langford:It's really difficult. Really difficult. One, how do you measure it? It's a seven. No. It's green. No. It's nine hundred. No. It's an alpha alpha echo.
Thom Langford:Who knows? There are so many different measures of what your appetite is. But ultimately, it's about what your business, your leadership, your executive leadership, your board is willing to accept. But they can only accept it if they know what it is. It's up to you to articulate it.
Thom Langford:So you can't expect your board to tell you what their risk appetite is if they don't know what the risk is. So you have to do an awful lot. Now you'll find that if you go to any kind of largish public or even large private organization, there will be an audit function of some description. There will be some kind of organization that measures financial risk and market risk and things like that. Ask them.
Thom Langford:Talk to them. How do they measure risk? What are the criteria they use? And then see if you can take that and apply it to your environment, because then you're talking the same language. You're talking at seven or 700 or green or red or whatever, but with your figures and your analysis in it.
Thom Langford:If there's no direct comparison, then you can look at standards like ISO 27005, for instance. Even the older versions still have very good, valid models. The newer one is a little bit more complicated. But look at those and then see how you can apply those to the existing models and perhaps create some kind of mapping. But there needs to be something in a common language.
Dejan Kosutic:By the way, there is also ISO 27004, which is about setting objectives and measurement, which would also be useful in this respect.
Thom Langford:Yeah, good share.
Dejan Kosutic:Okay. And then let's say that once companies have a good overview of all the risks and want to define this risk appetite, do they simply say that, let's say, the top 20% of the risks are not acceptable, and that is basically the way to approach a risk appetite? Or is this more a monetary exercise, or what?
Thom Langford:I think that's down to the individual organization. Very often it comes down to money. That's what businesses are there for. You have the outliers of businesses that are not there to make money, and I'm thinking of things like defense or even charity or charitable works.
Thom Langford:But even charity is about maximizing cash available to their good causes. Right? But it's very rare that organizations are not focused on making money or increasing shareholder value or something with a dollar sign, pound sign, euro sign next to it. Doesn't matter.
Thom Langford:So I think really financial is a good place to start the conversation with the board or the executive leadership. I think: by not doing X, we open ourselves up to this amount of loss of data and therefore money, this amount of reputational risk, this amount of legal risk, which you can all get from talking to your other departments.
Dejan Kosutic:Okay. So this also implies that security professionals should try to, let's say, quantify the risk in monetary terms, right? Because otherwise it would be difficult to discuss these things.
Thom Langford:As much as possible, yes. My first step would be, let's just at least get some kind of risk score going in the first place, and then you can convert. If you try and do everything all at once, you'll fail. Let's eat this particularly risky elephant one bite at a time, because otherwise it becomes so big that six months later you still haven't produced anything that's of any valid use. But if you can start to measure it in some way, be that in simple terms, and then start to convert the individual or the key rolled-up risks into financial terms, that's a good place to be.
Thom Langford:But don't expect to get everything done in one go.
Dejan Kosutic:So far we were speaking about cybersecurity supporting the business. Can we actually think about cyber a step forward, where cyber actually becomes one of the elements of competitive advantage of a
Thom Langford:Yeah, I think, even going back ten, fifteen years, the competitive advantage of cybersecurity was the holy grail. It was: if we can evidence the fact that we are winning business, we are making more money because of cybersecurity, then we're there. We're making it happen. I think we can still do that. So for instance, if we can ascertain that an average breach of a certain severity, blah blah blah, would cost somewhere in the industry X hundreds of thousands of dollars to recover from.
Thom Langford:And because of our cybersecurity expertise, we've been able to minimize it and close it down within a day as opposed to three weeks, and therefore we reduced a huge spend, I think we can show that we've made a significant impact.
Dejan Kosutic:Okay, I mean this aspect of cybersecurity is more about reducing cost. Whereas if we think about, let's say, a competitive advantage, we are normally thinking about, let's say, a sustainable competitive advantage, which gives a company an advantage over, let's say, a couple of years.
Thom Langford:So to follow on, competitive advantage in that case would be: if I've saved you a million dollars by closing this incident down quickly and managing it, etcetera, that's a million dollars that the sales function doesn't have to make or sell. And given that we often operate on, for instance, 10 points as an average, that's $10,000,000 that the sales function doesn't have to sell, because we've saved that. So that's one side of it.
Thom Langford:I think the other side of the competitive advantage, and a lot of this does depend on the industry you're in, etcetera, but a lot of it is when it comes to industry standards, regulation, etcetera. Would you rather go with a bank that can demonstrate that it behaves and acts with the consumer's interest at heart, has proven cybersecurity capabilities, is engaging in whatever forums ensure that they are safe, versus a bank that just says, we'll look after your money. Trust us.
Thom Langford:And I know it's a slightly trite example. Most of us don't even look that deep into our bank accounts. Right? But if we're talking business to business, it's a very big deal. I used to work in the London insurance markets, and the number of know-your-supplier questionnaires and cybersecurity questionnaires that came through, and were followed up on rigorously.
Thom Langford:Because if the particular company I was with was not able to follow it, they were unable to do business with us. Their company policies and their industry regulations stated they were unable to do business with an organization that couldn't demonstrate X, Y, and Z from a cybersecurity perspective. So that in itself is a competitive advantage, I should say.
Dejan Kosutic:Yeah. Yeah. Actually, there is an interesting business case of Apple. Right? I mean, their products are greatly designed, and they have so many apps and so on.
Dejan Kosutic:But let's say maybe the third or fourth most important feature of their products is really security and privacy. And they insist on security and privacy much more than all of their competitors, and that actually makes an additional appeal for end customers to buy their products, because they're the most secure. Right?
Thom Langford:It was about five or six years ago that Apple led their entire advertising campaign for a season on privacy. The competitors were leading it on their cameras and their ability to take action shots, etcetera. And the Apple one was the Apple logo kind of converted into a padlock with the word privacy underneath it, or something like that. They knew it was important.
Thom Langford:And in fact, that was before its time, in my humble opinion. If we look at the state of the public perception of large companies dealing with our data today, privacy is significantly higher up in there. Especially when we're talking about governments trying to remove end-to-end encryption or trying to get back-door access and things like that. Privacy and a fundamental trust in a company to do the right thing by me as a consumer is actually top of mind now.
Dejan Kosutic:Okay, if one of the ways for cyber to actually enhance a competitive advantage is through marketing or through, let's say, brand building, I mean building trust in a brand, how can security professionals or consultants then actually help their companies build that trust, their brand, through cyber?
Thom Langford:Oh, that's a tough one. I'd say put the money where the mouth is. Demonstrate, show that actually the fundamentals of what we're doing. I've used that word a few times in the last few minutes already. But fundamentally, show that the products you're producing, the products you're supporting, etcetera,
Thom Langford:are exactly what you say they are. Build a story around it. Build some kind of narrative around why the cybersecurity element is important to this product, even though the average consumer may not see it. That's exactly what Apple have done.
Thom Langford:You don't see it on your phone. I can unlock my phone when I want. I don't get hit with difficult-to-do activities in order to see my data, etcetera. But I know when my phone is locked, it's locked. And except for the most tenacious criminals or nation states, nobody's going to get into it if I were to leave it in a restaurant, etcetera.
Thom Langford:And they built a narrative around that that shows that actually we care about this at a basic level. We've built it in so you don't even have to worry about it.
Dejan Kosutic:Yeah. I've seen some companies, because companies are normally doing these customer surveys and they ask their customers what is the most important, and then CISOs in those companies actually introduced a couple of questions related to security. So these companies started measuring which security aspects are the most important for customers, and then actually started to focus on those security features
Dejan Kosutic:the most, in order to build the brand. I mean, the trust in their brand. So this might also be one way to approach this.
Thom Langford:Absolutely. Trust, I think, in any brand, and this is me coming from when I was at a marketing and communications organization, trust is so important.
Dejan Kosutic:Now, how can security professionals help, let's say, product development when it comes to cyber and competitive advantage? Because obviously secure products will have a better market penetration. So how can CISOs actually help product development?
Thom Langford:Do you know, one of the things that constantly disappoints me in this industry is the fact that in the last fifteen to twenty years, we're still talking about this. Ten, twelve years ago, we were talking about pushing left, making sure that security is further at the beginning of any kind of development cycle. And then came DevOps and SecDevOps, and then came the next Agile, and then came something else, and so on and so on. And yet we are still in a world where, in the OWASP Top 10, there is still cross-site scripting and SQL injection in the top 10. And they've been in there since the OWASP Top 10 was first invented.
Thom Langford:It's still there. How they are the single most common vulnerabilities, I don't know. So I think it's a good question, because we haven't resolved it, to be honest with you. And we should have. We absolutely should have.
Thom Langford:But the bottom line is, and I think it comes back to one of the first points I was making, which was talking with your other departments. Actually working alongside your other departments and seeing them as part of that broader team rather than a competitor looking to take your resources away from you. We have to start looking at team wins, not individual or departmental wins. I'll be honest with you. I struggle to understand why it's still a problem.
Thom Langford:Why the industry, both the development and IT industry and the security industry, have not just got into a room and had our heads banged together until we've sorted this out, because it's disappointing. Now I do know that software engineering is massively complex, so much more than it was even fifteen years ago, let alone thirty years ago. It's massively complex, but we are still seeing these simple, basic mistakes being made. And part of that, I think, to loop it all back in, is because organizations want to get their products to market quickly, because if you get your initial market share, you can actually hold on to it.
Thom Langford:And the cost of doing that is not building in security. It's one less thing to worry about. The problem is that we as security professionals are not articulating what the true cost of that is over time. I think I heard a stat from Gartner years ago, and I imagine it still holds true, if not even more so, that putting security onto a product afterwards costs up to six times the amount of putting it in in the first place.
Dejan Kosutic:Wow.
Thom Langford:So it's like, why? Why wouldn't we do that? But businesses are not being informed of the true cost of not having it in there in the first place.
Dejan Kosutic:Yeah. No, that's fascinating. I actually didn't know about this data point. Also, the blame is also on security professionals, because especially if they insist on too much security, right? If they're not actually thinking about supporting their business, as we discussed earlier, then they start avoiding them.
Thom Langford:Exactly. It's looping back into that first point: because we've always demanded things be done and we get in the way of things, we're seen as, well, I call it the business prevention unit. We're seen as the organization that is actually trying to stop the business from doing work. And so, of course, we're going to be excluded, because we slow things down. I heard stories of, and this is again going back years, a team that was using some cloud servers, and they met only something like five of the ten internal criteria for using a cloud service.
Thom Langford:So the security person said stop that, stopped them from using it, brought them in onto a preferred cloud service provider, and then wouldn't let them go live until all ten criteria were met, which of course was taking months, to the point where the team in question just pulled their servers and said, forget it. We're not doing it. And so they went from five criteria in place to no criteria in place, back to five.
Thom Langford:What's better? Bring them over and then iterate on top of what they have, not stop everything. And that's a sign of bad security. Just stopping the business.
Dejan Kosutic:Okay. Let's switch gears a little bit to people. You mentioned in your blog post that information security is a people-centered industry, right? And you also provided a quote: people aren't the weak link in security, they're the only link.
Thom Langford:Yeah. Absolutely.
Dejan Kosutic:Can you elaborate on this a little bit?
Thom Langford:Well, absolutely. We keep saying, or the saying is, that humans are the weak link. I think without humans, there's nothing. Without humans, there is literally nothing. We don't have a business.
Thom Langford:We don't have a security team. So how can we say it's the weak link? It is the only link in this. We are doing security for humanity's benefit. That doesn't make us the weak link, it makes us the only link in this.
Thom Langford:And I think we lose sight of that fact. And also I think it's a mindset thing. I'm very big on shifting mindsets, because I've had a few over my time, where literally the world has shifted on its axis and I've looked at things differently. We always tend to, and we see this in cybersecurity all the time, we tend to victim blame.
Thom Langford:If something happens or goes wrong, we say it's the dumb user. It's the idiot behind the keyboard that is causing the problem. And the same thing goes for that particular statement as well, which is that humans are the weak link. Humans are the idiots in this system. No.
Thom Langford:We're the only thing in this system. And actually, we need to start being a lot more charitable, charitable is the wrong word, a lot more generous and a lot more understanding as to how humans are operating in these environments that we create.
Dejan Kosutic:Okay. And how can CISOs or security consultants then start building this, let's say, people-first security?
Thom Langford:Well, actually put yourself in their shoes, or, and this is very old fashioned, apologies to all of our viewers here, ask what their mother would do when presented with the solutions they are offering, etcetera. We often think, we build systems in our own image. We build solutions in our own image, in a way that works for us. And we forget that we are technically capable, security minded, and fully aware of the pros and cons of doing something. We never put ourselves in the shoes of the user on a Friday night trying to get a job done before the weekend, or the executive assistant for the CEO who's being pressured to provide certain details for a phone call that's about to happen, or anything like that.
Thom Langford:Or, and I say this as a 50 year old man, the 50, 60 year old person in the business who's really not that au fait with technology and really not that comfortable with it, and yet we're thrusting these heavily regulated and complex systems onto them in the name of security. We need to pull back and start thinking about, one thing I learned a long time ago, the user interface and the user experience. So what is it that they see, and how easy is it to work around it? And if we think more in those terms, I think we would see better security solutions.
Dejan Kosutic:So are you speaking here about training and awareness, or more than that?
Thom Langford:Oh, much more. Much more. Training and awareness is important. And by training and awareness, I do not mean sticking people in a room once a year and shouting PowerPoints at them for an hour. I mean actual regular, ongoing, bite-sized snippets through multi-channel mediums, be that messaging or text or email or a little bit of PowerPoint or a bit of film or a blog or an audio snippet or some kind of interactive session on their computer.
Thom Langford:It's not just that. I think it goes way beyond it. I'll give you another example that brings in the training and awareness part. When cybersecurity people pull together cybersecurity awareness training, they think they are the best people to do that because they know cybersecurity. They are not the best people to do that. We rarely have the creative skills.
Thom Langford:We rarely have the emotional capacity to empathize with the people who we're training. We need to actually ensure that we're, again, working with other departments: the communications department, the graphics and design department if you're lucky enough to have one, or a third party, the training and development departments. We need to be working with them to create this content, not just, oh, I'll bang together a PowerPoint that tells everybody what they shouldn't do and then consider them trained.
Dejan Kosutic:You mentioned several of these channels through which you can, let's say, deliver these bits and pieces of information or training about cyber. Why do you think this would work? I mean, if you send an email with some, let's say, interesting fact about cyber, why would you think that a regular person, a regular employee, would care about it at all?
Thom Langford:Absolutely. And in some cases they won't care about it at all. So you deliver it in a different medium through a different mechanism. Some people are visual thinkers. Some people think while they're writing or they have to, you know, read something in order to to to visualize it.
Thom Langford:And the same goes for some people, I know people who love listening to podcasts. I mean, crazy crazy people. You know, I I I barely listen to to two or three at most and even then only rarely. And that includes my own. You know, whereas, you know, and so I can't.
Thom Langford:So so the spoken medium would not be effective for me. I love, you know, because I I'm addicted to Instagram and I like to get the dopamine hits. I love the short thirty second one minute videos that tell me something. Know, other people need to get it in an email because they will read it and file it away in a different place. So the multichannel approach, which is an old marketing term, an old sort of digital marketing term, is the way, is is a way of actually getting the message across through different mediums.
Thom Langford:That's why advertisers will use newspapers, digital advertising boards, TV, radio, the cinema. They'll they'll sponsor podcasts. They will put a leaflet through your door. That's why they do this because different people respond to different forms of messaging in different ways.
Dejan Kosutic:Okay, and I know that you're also helping your clients with training strategies. So is this training strategy then basically figuring out all of these various channels or is this something else?
Thom Langford:I think training strategy is probably a little bit too over precise. I like to think of it more as culture. It's a cultural strategy. And it's, again, it's tying everything that we've just talked about up till now into what is it or what behaviors are we trying to introduce in our users? How are we trying to create an environment that automatically does the things that we want them to do without them even knowing that they're doing it?
Thom Langford:So for me, I know I will have succeeded as a security professional if people are doing things without even mentioning the word security. The moment people stop talking about security but the activities are still going on, that's when it becomes a culture. That's when it becomes Mhmm. Self policing, etcetera. So when someone if a new person joins and I'll give you a very bad example, a very simple example.
Thom Langford:But they get up from their desk and walk away, and someone says, don't forget to lock your computer. And it's like, oh, why? Oh, why? Because that's how we do things around here. Because that's what we do.
Thom Langford:Not, oh, well, we got this email from security that said we had to lock our computers and if we didn't, we get fined and it's ridiculous. So, you know, just just lock your computer. But no, it's because that's how we do things around here.
Thom Langford:And that is the culmination of your training and awareness and your the way you interact with your your your with your people and your employees and your customers, all into a culture of how we do things.
Dejan Kosutic:But I assume a senior management is also very important there because without senior management, there will be no change in culture, right?
Thom Langford:Culture has to come from the top down, absolutely. So again, by engaging with the senior leadership, the board, etcetera, looking to reinforce some of those basic behaviors that you're trying to to to encourage, giving them the reasons for it. I the the great example I think of this, of of of a cultural thing is do you remember there's that old story? I think it might have been I can't even remember the bands, but a big rock band in the seventies and eighties. And their rider in the green room was that they had to have a bowl of brown M&M's.
Thom Langford:Just brown. None other no other colors. And so, you know, it was seen as a sign of rock group excess. You know, why, you know Uh-huh. We we're asking for the brown M&M's because we can, because we're big and important.
Thom Langford:Wasn't that at all. Management were doing that to test the culture of the place they were going to because, you know, the rider has all sorts of things in it. Everything from how they want the sound system set up and, you know, the how the cables need to be laid and, you know, all that sort of thing because it's a big complex thing. If management walked into the green room and saw that there was a bowl of brown M&M's, they knew that their rider had been read cover to cover, taken seriously, and put into action. It was a it was a test.
Thom Langford:That I think is a similar thing. If we have a a culture that encourages people to lock their laptops to their desktops as they get away from their desk, that is an indication that they care about the small things, therefore, we care about the big things. It's an indicator of who we are and how seriously we take security.
Dejan Kosutic:Okay. Interesting. And speaking of training awareness, you mentioned that this humor and storytelling is really important to make this work. So can you explain or give some examples Absolutely. For
Thom Langford:So storytelling, I think one of the key problems with training is, especially in security, I can't talk about many others, but security is it's do this, do this, do this, don't do this, don't do this, don't do this. And that's it. End of. And it very rarely it's getting better, but it's very rarely is it. Here's why.
Thom Langford:Here's the scenario. Here's the from a to b story of what happens if in your day to day life you don't do this, this, and this, or you do do this, this, and this. Here are the implications. And a story helps tell us that because what stories do is they they create emotional investment and and generate a visceral response in your body. So if you're reading a good book and it's maybe an action book or even, I don't know, a romance.
Thom Langford:Who cares? But the hairs on the back of your neck will stand up at certain points because you're excited and you are and and you're you're invested in it. That's because what you're reading is creating a visceral response in your in your body, a chemical change in your body, and you will remember that. It's a bit like your very first kiss as a teenager. Right?
Thom Langford:You see, the fact that you I can tell by your smile alone that you're remembering it already because it generates yeah. Because it generated a chemical change in your body that encouraged you to remember it. Right? Mhmm. If that's what we need to do, maybe not go around kissing all of our people, but, you know, I'm available.
Dejan Kosutic:Probably not.
Thom Langford:I'm just, you know, I'm on offer. You know, I can I can consult? But not that we do that, but we create that same chemical visceral change in our bodies because it's a story that we have emotional investment in that then tells us a a gives us a lesson about how how to behave or how not to behave. And that is training awareness done right. That is training awareness that people will remember.
Thom Langford:What they won't remember is the do's and the don'ts. They'll remember how it made them feel and then connect the dots back to, oh, I felt like this because this happened and that happened because, ah, because he forgot to switch on MFA or whatever it whatever it is.
Dejan Kosutic:Yeah. And I assume that the security professionals always have these stories in their careers, right? They just have to uncover them and tell them in an interesting way.
Thom Langford:And make them relevant. Make them relevant as well. That's the other important, you know, part of it. Because if it's purely about, oh, well, that one time I was in the server room, well, most people don't even know what that is. You know, it makes no sense to them whatsoever.
Thom Langford:You know, but it needs to be a a relevant relevant story that's going to allow them allow them to do that. I think the humor side helps embellish that. Funniest there's a reason why we tell jokes. Right? Because they're funny, they create a visceral response.
Thom Langford:Most stories we tell to each other over a dinner party or whatever will often have humor in them. More often than not Mhmm. Than anything else. They might, you know, occasionally they might have, you know, extreme danger or something like that. That's a slightly different kind of story.
Thom Langford:But very often, it's a humorous story. And what humor does humor is almost like the natural drug that keeps on giving. It's very rare if you took Monty Python is a great example. Right? It's first made in the sixties and early seventies.
Thom Langford:People still laugh at it. People still watch it and enjoy it. That drug has not worn off. The comedy drug has not worn off. And I think that's really No.
Dejan Kosutic:I mean, I fully agree with you. But, you know, I see that the challenge of many security people is that they are simply not They don't consider them funny or they don't know how to tell jokes. And then how to overcome this challenge then?
Thom Langford:Bring in the experts, bring in the training people, the training and awareness people, bring in the third parties who do this. You know, I know I'm I'm very close friends with somebody who runs a production company that used to create these films until he was bought out by a larger company. I mean, he was literally so good at it that that he made millions off it by selling it to someone else, you know. You know, these these products exist. They do exist out there.
Thom Langford:But but the problem is people are scared of humor. And that's that's that's why, you know, people think that cybersecurity isn't funny, and they're correct. Cybersecurity is not funny. But cybersecurity can be fun. And just because something is fun doesn't mean we don't take it seriously.
Thom Langford:It's a bit like when you're making a comedy film. So my son is in the film industry. When you're making up any kind of film, it's a very serious business. Everything from, you know, the finances to employee welfare through to, you know, unions and all that sort of thing. That doesn't stop the film from being funny.
Thom Langford:In fact, you can use it to enhance that. And I think very often companies forget that things without being funny. You're not all you're doing is using a particular tool that is the most effective way of getting your point across. And humor is, in my mind, top of the pile. Mhmm.
Dejan Kosutic:Yep, I fully agree with you. It's a very, very effective way to communicate, yes. Okay, so let's wrap up the call. So what be your, let's say, top suggestions to CISOs and security consultants when it comes to strategy and cyber security?
Thom Langford:So firstly understand the business you're in. Truly understand the business you're in. Talk to the senior executives. Talk to the customers even. What is it that they get from the business that they don't get from anyone else?
Thom Langford:What is it? What is the unique selling point that your executives think your product or your company is delivering? What makes company your company? What makes it unique? Until you understand your business, you cannot understand how to implement the security for your business.
Thom Langford:So that would be my number one. I think number two is is really, and it's it sounds very trite because everybody says it, is oh, go and talk to people. No. Seriously, go and talk to them. Go and actually have a regular one to one with the CFO and the COO and the CRO and the CMO, etcetera.
Thom Langford:Even if it's fifteen minutes over a coffee somewhere, just have a chat. Talk to them. Find out what their problem points are, what their pain points are. And also share yours because you could be sharing that your problem that that you can't you're you're struggling to communicate a particular message. And even the CFO could say, oh, well, I've done this in the past and it's always worked.
Thom Langford:Why don't you do you know what I mean? These people are leaders for a reason. And conversely, also, start talking to your users, your your your your staff, your people, the people in your organization as well. You know, what do you understand by this? What what doesn't make sense to you?
Thom Langford:What happens if? You know, start to engage with them. All too often, we're we're IT people, generally speaking. Security is generally grown out of IT. We're IT people.
Thom Langford:We tend not to play too well with others. We tend to be inward focusing. You know, we really need to break out of that. And the third thing I would say is, again, the fun element. Have fun with this.
Thom Langford:Dear God, it's hard enough as it is. You know, we we we we're an we're an industry that deals in secrets and is measured only on failure. That's that's dark. Let's bring some fun and some levity into this. Let's take it seriously, but actually engage at a different level.
Dejan Kosutic:Okay. Great. Thank you for these insights, Thom. I really learned a lot and it's been a pleasure talking to you today.
Thom Langford:Well, thank you very much. Thank you. It's been an absolute pleasure. I don't often get to talk this long without people interrupting me. I really appreciate it.
Dejan Kosutic:Okay, great. Okay, thanks again Thom and thank you everyone for listening or watching this podcast and see you again in two weeks' time in our new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business.
Dejan Kosutic:For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.
Dejan Kosutic:If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today. Stay safe.
