Sergey Nivens - Fotolia

CISOs need to be more business-focused, says Publicis CISO

Information security leadership is about politics, getting a place at the top table and showing what security can do for the business, according to Publicis CISO Thom Langford

Chief information security officers (CISOs) need to be more business-focused, according to Thom Langford, chief information security officer at Publicis Groupe.

“Many CISOs are trying to be the best security people, when they should be leaving their security teams to do that, while they become more focused on business,” he told Computer Weekly.

Being a Ciso is not just about making the business secure, it’s about helping the business be more successful through the use of security. A lot of what I do involves PowerPoint and politics.”

Langford believes CISOs should follow the same pattern as other sectors of the business, arguing that the general counsel or chief legal officer of a business is typically not the best lawyer in the company.

“Similarly, the chief financial officer is usually not the best accountant, but they are the best at applying their particular skill set in a way that maximises benefit to the business,” he said.

But historically, Langford said CISOs have been “woefully under-represented” at the board level, and have tended to report to CIOs, CFOs and COOs rather than having their own seat at the table. Fortunately, he said, this is starting to change, but more CISOs need to become far more trusted by the business.

“CISOs need to become politicians to ensure that their risk-based analysis of a situation is heard on an equal footing with legal, finance, operations and human resources,” said Langford.

But that is often hard work, he said, and – for many information security professionals – switching focus to the business and maximising benefit of security for the business is a challenging step to take.

Trust and openness

Langford is a nominee in the “security leader” category in the inaugural Security Serious Unsung Heroes Awards taking place on 4 October 2016.

While not claiming to be a great security leader, he said what works best is trusting members of the security teams to get on with their jobs.

“The minute you start breathing down people’s necks, they start double-guessing themselves and making silly mistakes,” said Langford.

“Trust, but verify, and then support their decisions. Even when they get it wrong, a security leader has to support team member as much as possible. They need to know you have got their backs,” he said.

Langford said it is also important to recognise when someone is doing a good job, when they are doing something differently and when they are having more success than their peers.

Security Serious Week is a good opportunity to raise awareness about the importance of security and about what information security professionals can do for business,” he said.

Read more about information security leadership

However, while Langford supports promoting awareness about information security, he cautioned against assuming that if a company is breached, it is not taking security seriously enough.

“Businesses are operating in a very challenging environment, and breaches will happen, but it is more important to focus on how they respond to a breach than on the breach itself,” he said.

And when breaches do happen, Langford said he would like to see more openness on the part of the company that has been breached about what happened.

“We need to have more sharing among information security professionals because anything that happens to one company is likely to happen to others,” he said.

But this tends to be difficult, said Langford, because businesses are reticent to disclose anything because of fears about the potential damage to the company’s brand and reputation.

Security leaders, he said, need get business more onside and be more willing to exchange cyber threat information by encouraging a wider view of information security and demonstrating that it is relevant to every single department.

Read more on Privacy and data protection