As a part of our series about “5 Things You Need to Know to Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Thom Langford, an analyst at Gigaom, a leading technology research and analysis company, and the founder of (TL)2 Security, a strategic information security consulting firm.
As the former Chief Information Security Officer of Publicis Groupe, Thom was responsible for all aspects of information security risk and compliance as well as managing the Groupe Information Security Programme. Having successfully built security and IT programs from the ground up, Thom brings an often opinionated and forward-thinking view of information security and business risk, both in assessments and management.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about your background?
I have more than two decades of experience in the cybersecurity and IT industry in multiple capacities. Currently, I am an analyst at Gigaom, a technology research and analysis company, and the founder of (TL)2 Security, a strategic information security consulting firm.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Years ago, I read Cliff Stoll’s book, “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,” which my grandmother recommended to me. While reading it, I was gripped all the way through, and it stands out to me as the moment I was first exposed to the cybersecurity world. Many of the elements that made that book a good story are what drew me into the industry — the subterfuge, the excitement, the detective work. Eventually, working in cybersecurity felt like a very natural progression.
Can you share the most interesting story that happened to you since you began this fascinating career?
When the internet was still learning to crawl through dial-up modems and the like, the company I worked for installed a high-speed leased line into our office. Because it was so expensive, the leadership decided there was no money for a firewall of any kind. Although it was still early in my IT/security career, I knew this was a bad thing, and my protestations landed on deaf ears.
So, I set myself up at home with some hacking and cracking tools I had found online (L0phtCrack and Cult of the Dead Cow as I recall). Within a day I had all of the leadership teams’ usernames and passwords, printed off and individually sealed in our fire safe.
My email requesting a firewall again also mentioned that I had their usernames and passwords and how I had got them from home. Only three of the six leadership team members came to confirm I had their passwords; two days later I had 20k dollars to buy my firewall.
This also impressed upon me the power of storytelling and ensuring everyone has skin in the game!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are many people who helped me to get to where I am. Two of the most notable include Colin Windsor, who I met at Kinesis Systems, and who later became a partner at PWC and Sapient UK. Colin helped me focus on getting the job done and gave me the autonomy to do what I thought was right. He taught me a lot about how best to build a strong team, and I am very grateful to him.
The next person that stands out is Curt Dalton, who I met at Sapient when he stepped into the CSO role. At first, I thought we wouldn’t get on, but that feeling barely lasted 5 seconds. Curt is very knowledgeable, business focused and trusted me to do the right thing. I still remain friends with Curt and Colin today. Both of them allowed me to trust myself, grow my confidence and become stronger within my career. They also have provided numerous pieces of helpful advice and feedback when I really needed it.
Are you working on any exciting new projects now? How do you think that will help people?
At Gigaom, I am working on a field test report on PDF software. The report analyzes one particular company that ships PDF software, in regard to digital transformation and how it impacts organizations’ environment and productivity. Then at (TL)2 Security, I’m working with a number of clients, for one of which I’m building a service that will help CISOs do what they do best — information security — by giving them simple creative resources. The service is based on communication, allowing them to communicate more effectively with their organizations in minutes rather than hours.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The truth is that people innately know when they’re beginning to burn out. We know when we’re becoming stressed and when our work life is getting too stressful to handle. Your body adapts to it so easily at first, and you recognize what is happening and deal with it. It should come as no surprise when you burn out, but it does, because the body gives up with no further warning, a day, a week, months or even years later.
It’s important to keep in mind that many people believe they’re not expendable to their organization. The unfortunate reality is that if push comes to shove, in order to remain viable as a business, organizations will let you go without a second thought. While there are good companies out there run by good people, the only person who is going to look out for you is you.
As someone who burnt out a few years back, the advice I’d give is to be kind to yourself and listen to yourself. Try to build an environment and a team around you that is resilient and successful with or without you. Make sure that you can take holidays, time off and sick days when needed. The bottom line is that no company is worth your health or life.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the cybersecurity industry? Can you explain?
First, the people and the community when it’s at its best is second to none. The friendships I’ve made in cybersecurity have been fundamental to my own growth. People can be so generous with their time and their knowledge.
Second, the cybersecurity industry is ever-changing, even compared to 2008 when I jumped into this space. A simple example: in 2008, it was commonplace advice that you had to change your password regularly. Now there’s a new way of looking at that problem. It’s an industry that’s not afraid to reassess itself. I think, depending on who you spend time with, the industry is not afraid to do what it needs to do and get the job done.
Finally, the cybersecurity industry is something that affects everyone’s life to one degree or another. People know what information security is nowadays, which wasn’t the case a decade ago. It’s now better understood how security impacts everyone’s data protection and confidentiality.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I could talk about the phishing threat that is on the rise, or the reality of malware attacks. However, the thing I’m really interested in at the moment is deep fakes. For instance, it wasn’t that long ago that someone used a deep fake voice to pose as a senior finance person, and encouraged a senior employee to release a quarter of a million dollars. When you combine that with doing deep fake faces (although they are not quite convincing yet), with a dynamic changing location due to remote working, the threat is becoming more critical. In the next year or two, I’d predict that attacks based on deep fake video conference calls with requests coming from CEOs or other senior officers will become more indistinguishable than ever.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
There are plenty, but of course I’m limited from a legal standpoint as to what I can share. In every case, it came down to basic issues that led to the data breach. In one case, for instance, there was an old server that hadn’t been patched, which a tiny proportion of the company was being run on. A small group of people within the company were influential enough to keep the server online and running, which unfortunately resulted in a significant breach.
The takeaway is that it’s essential to patch and retire old servers and focus on the business case to keep them rather than the seniority of the people that demand it.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
PowerPoint and Excel are the main tools that I use on a frequent basis. As an ex-CISO, I used to joke that my job was “PowerPoint and politics”, but it quickly became true! I was constantly reporting and used it as a tool to present insights to stakeholders. Then twice a year it was Excel, when we used the tool to discuss the budget. Year-round, we’d use Excel to run asset trackers, documentation and risk trackers. Of course, I used other tools as well, but those were the most common.
The reality is that cybersecurity vendors help automate your existing processes and frameworks. But if all you do is buy security tools in order to fix a problem, you’ll have the same problem and an expensive cybersecurity tool sat on the shelf. Cybersecurity solutions should be used on top of the tools you already have in play.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
If your IT requirements are such that you need an IT team, then you’ll certainly need a security function. There are tools out there that are very good value that you can get for 30 quid a month, ranging from trackers to basic compliance tools. There are obviously also more expensive tools that can track complex environments.
Smaller companies can also employ virtual CSOs. Virtual CSO tools were popularized by data protection officers, because lawyers are expensive when used just to look at data protection issues. A virtual CISO is very effective even for a few hours a week. It gives you the opportunity to access high-quality thoughts around how risky your organization is from a security perspective, as well as advice and long-term thinking. If you want to hire your own CISO, then you’re probably at a scale where that will be obvious to your organization.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Key signs include requests to do things out of process, such as someone asking: Can you make this payment? Can you send me this product? Can you invoice us rather than wait for our payment? If you’re asked to do anything that doesn’t adhere to established processes, you should stop and escalate. Outside of that we get into rather standard advice around phishing. If the CEO that you’ve never met is asking you to do something via email, there’s a high likelihood that something is amiss.
Another sign is if you receive unexpected emails with a sense of urgency. For example, a call from Paul Password from the password inspection agency asking you to reveal your password! If anyone asks you to tell them your password, don’t. Any quality IT function can do without your password and has the capability to change it on the backend. Unfortunately, as human beings we trust people, which leads us to get caught out. It’s a fact of life that we have to be distrustful to spot the complexity of these attacks.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First and foremost, be open and transparent with your customers. If companies try to hide it from their regulators and customers, they will be found out and the trouble will be tenfold. To protect themselves further, it’s essential to invest in security and find out what the root cause of it was. NASA has an informal process of asking “why?” seven times to get to the root of a problem. For us it would be: “Was the server unpatched? Why was it unpatched? Why is the application hosted on that server incompatible with the patch? Why has the application not been updated? Why was it deemed important enough to not patch?” And so on. Continue to question everything until you get to the bottom-line reason. Solve all of those issues, and that will protect future customers as well.
When it comes to privacy measures, the regulation measures are a legal framework to protect individuals. Information security is designed to protect the data. That is a conflict of interest. What we must do is protect the customer and the data in a way that benefits all parties.
Up until GDPR came out, there were some unethical and immoral practices when it came to using people’s data. The bottom line is that if you can’t look your customer in the eye and tell them where their data is going without feeling ashamed, then you shouldn’t be in that business in the first place. Data privacy regulations force businesses to look at their data models and see if it’s being used in a sustainable, ethical way.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistake is defunding security because nothing has happened. It’s self-explanatory, because cybersecurity is an industry that’s measured on failure. Bizarrely when you fail you get more budget, and when you succeed you get less budget.
Since the COVID19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
No, I haven’t actually, but there may well be statistics that conflict with what I’m saying! I think the reason for the question, though, is that a lot of businesses wrongly believed that in order to do jobs properly, you had to be in the office where bosses could see the workers. While certain professions can’t do their jobs from home, the average office worker is quite capable, with modern communications, of working remotely and securely.
Companies underestimate their employees and may even downright distrust them. That’s not to say there aren’t advantages to being in the office. We should be seeing much more of a hybrid model between the home and office worker. People are happiest when they can live their lives in harmony with their jobs, rather than living their lives around their jobs.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?
- Know where the important data is, such as the source code, customer data, credit card information and so on. Know where it is, so you can protect it the most.
- Be prepared to be breached. When you have a security breach, the average time between when a breach happens and when a company finds out is in the region of 6–8 months. There are many companies that have had their data breached and still don’t know it! Basically, have an incident plan prepared and practiced.
- Following on from that, take security seriously! You have been lucky until now not to have had a serious security incident; when you do, you will have wished you had invested earlier as it gets really expensive, really fast otherwise.
- Security is important, but not at the cost of strangling the business. If your security department is telling you to stop doing things, you probably need to get a new security department.
- Finally, invest in your people through education and awareness. We used to say that human beings are the weakest link in the security chain; however, the reality is that they are the only link in the security chain. If we don’t invest in humans, humans will always be attacked. Hacking computers is hard, but hacking humans is easy.
If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Practice Wil Wheaton’s Law, which says: “Don’t be a dick.” If you look at everything I’ve said up to now, from burnout to GDPR, ethical business and so on, it really comes down to practicing that. People get very blinkered by what they think and their world view. If all it took was people questioning their treatment of others every day, the world would be a better place.
How can our readers further follow your work online?
You can follow me on Twitter at: @thomlangford, or follow my work with Gigaom here: https://gigaom.com/analyst/langford-thom/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.