Over the last five years, the idea that security can be a competitive advantage within organizations has become more prevalent and increasingly discussed. We recently spoke with Thom Langford, CISO of Publicis Groupe, about what it means for information security to be a competitive advantage.
What’s the starting point for security professionals in creating a competitive advantage?
Thom: For me, it’s a mindset. I think it’s starting to view information security as not the business prevention unit or the unit that says ‘no’ to everything. I think in the past, as security professionals, we’ve all been guilty of just wishing to say ‘no’ to everything because we are held accountable for things that we’re not responsible for, we’re just simply told to reduce risks and make things secure and actually not playing a part within the business. I think that mindset needs to shift to more of a new school approach, to where we are a part of the business. We’re not separate from the business. We’re a fundamental part of it. And also aligned in the security function towards the ultimate goals of the business. So, for instance, knowing precisely what your business does, what product it sells, what the shareholders are after, what the long-term strategic goals of the company are, etc. Once you know what those are, you can start to align your business to those goals.
I think the shift to trust and competitive advantage requires a shift away from the old school thinking of security. Security used to be the department of ‘no’, the business prevention unit. We were being held accountable for things that we weren’t responsible for. And so, we would simply try to reduce risk as far as possible by saying ‘no’ to everything or being the big hoop that everybody has to jump through; security for security’s sake. I think as we shift to a new way of thinking, which is that we are a part of the business, we’re here to support the business, and actually my role as a CISO is not to make the company the most secure company in the world but to help the business sell more stuff and do more things, then that’s going to make life much easier.
Is that part of a strategy of educating executives?
Thom: Actions speak louder than words. I think it’s around creating security programs that put business challenges and business outcomes first. I think if executives are reluctant to hear that, to hear your message, look at why that is, what’s happened in the past? What are the activities that you’re carrying out today that might be making them feel wary of engaging with you? Again, it comes down to trust and trusting your intentions as a security leader. What are you here for? Are you here to help the business meet its goals or are you just here to implement security blindly? And I think it’s that kind of education and those kinds of conversations that are absolutely vital, and it will take time. It could take a year or two years to actually turn an organization around based on the reputation of either your predecessors or even just the general viewpoint of information security as a function.
Talk to us a little bit about your executives. Do they align with this?
Thom: Yes, I think so. I think with cybersecurity and physical security becoming far more in the public eye, first and foremost they see the threats and vulnerabilities, as any sane person would. But I think also they are being communicated to in a way that’s beneficial for security and the competitive advantages it can bring. Things like security testing so that code is supplied in a safe, stable manner. For instance, with fewer testing cycles required, it is a competitive advantage over some because of the speed of delivery and the ability to deliver more cycles of work in a defined period of time.
I think there can be a variety of different activities that will bring competitive advantage. I mean even ones down to simple personal safety. Do you buy a car from a company that demonstrates it has no interest in fixing vulnerabilities in those remote driving capabilities or do you buy a car that actually has proven to be resilient to remote attacks to your car while you’re driving?
What part does customer trust play into a competitive advantage?
Thom: Trust is fundamental. For example, people don’t use, or will be very reluctant to use, any kind of new technology or new service they don’t trust. You know, I think there are many examples when people would do the complete opposite. I think Facebook is an example of that in the way that data has been used. But I also think they try to make strides towards actually regaining that trust so they can take on more customers and take on more business. But fundamental to it all is trust, because if you don’t know how your data is being used, if you don’t know how that technology is being rolled out amongst your house, for instance, in the case of things like Siri or Alexa or Google Home, then you’re going to be far more reluctant to buy the product or even invest further.
Should security be marketed as a competitive advantage?
Thom: I don’t see why not. Front and center, maybe not. I think it depends on the product that’s being sold. Certainly anything that involves the delivery of code or delivery of technology or anything like that is a fundamental part of the business. So sure, I think it should be part of it in the same way that agile methods and the use of certain coding languages and the use of certain project management processes are marketed in materials. Then absolutely, I think it should be very clearly front and center as a part of that offering.
Does that mean that CISOs should be more customer facing?
Thom: Absolutely. And I think the traditional location of a CISO is to look at the internal functions of an organization and make it secure. I’m seeing, and I know others are as well, that the more you engage with your client project managers and your account managers, the more trust there is. Given the statistics that it’s not a case of if but when an incident happens or a breach happens, if you’re responding to those situations in a very positive and transparent and open manner, there’s no reason why your responses to those situations can’t actually create more trust with your clients. That’s something I’ve seen on a number of occasions.
Does competitive advantage introduce a vehicle to show us security ROI?
Thom: I look at ROI from two different directions. One is the traditional return on investment, which we have to do anyway as contributors to the business: we have to show that what we are asking for in monetary terms is going to be invested wisely and is going to produce some kind of return. It might not necessarily be financial. It may just be opportunistic or quite literally the avoidance of greater costs, something we are all aware of. I think the other aspect to ROI is the risk of incarceration, and to be honest, with the amount of standards and regulations and laws that are coming out, I think this is an important one. Companies are compliant moving forwards and they are working in the best interests of their customers and the public at large.
Where do you see the future of security as a competitive advantage in 5 to 10 years?
Thom: I think there’s a twofold answer to that. The first one is I hope to see more of the same, in the sense of the good things that we do now, the positions in leadership that we’re seeing: the CISO is increasingly reporting less to the CIO and more to the CEO or the board directly. I think as long as we continue along that arc, we’re going to see far greater opportunity for the business to capitalize on information security as a competitive advantage in the same way it does with finance, legal, etc. Getting the right people with the right attitude, etc. So I think the evolution of the CISO is important in that aspect.
I think the other side is that, as CISOs, in order to make that happen, we have to be significantly less concerned with technology. Again, that’s about reporting outside of just the CIO, because technology without underlying process or understanding is useless and yet the whole industry, if you go to any industry event, is focusing so much on the purchasing of blinking boxes. The more we focus on the model where the CISO is a clear business leader, the better we’ll be as an industry and as organizations in regard to what they deliver to their customers.
ABOUT THOM LANGFORD
As Chief Information Security Officer of Publicis Groupe, Thom is responsible for all aspects of information security risk and compliance as well as managing the Groupe Information Security Program. Additionally, the role is responsible for business continuity capabilities across the Groupe’s global operations. Having successfully built security and IT programs from the ground up, Thom brings an often opinionated and forward-thinking view of security risk, both in assessments and management, but is able to do so with humor and pragmatism (mostly). An international public speaker and award-winning security blogger, Thom contributes to a number of industry blogs and publications. Thom is also the sole founder of Host Unknown, a loose collective of three infosec luminaries combined to make security education and infotainment films. Thom can be found online at both thomlangford.com and @thomlangford on Twitter.