Profile: Thom Langford, CISO, Publicis Group

PRESENTING SECURITY TO THE BOARDROOM

Thom Langford, the CISO of Publicis Group, believes his experience presenting to large audiences at global information security events has helped him better communicate with senior executives at his organization. Whether presenting to a room full of CISSPs, or strategic business executives, he strives to engage in concise, relatable, relevant and engaging content.

“In 2010, I decided to start doing more public speaking. I got engaged in the information security event circuit and I crashed and burned a few times,” said Langford. “But I worked hard to hone my presenting skills. I studied the industry, and solicited honest feedback from friends and colleagues.” Langford learned the fundamental key for presentations is less is really more. “Instead of presenting a lot of data and facts, focus on simple statements that you can back up with facts,” said Langford. “Overtime, I got to the point where I could deliver a presentation without breaking into a sweat.”

For Langford, presenting to the Board should not differ from how he presents to conference audiences. “In the Boardroom, you still have a fixed amount of time. You have a set amount of time to deliver information that will be understood and remembered more than 30 minutes later.” Langford recommends Slideology and Presentation Zen to those looking to fine-tune their presentation skills. “They helped me boil down what I want to get across into a two minute visually impactful presentation.”

OPPORTUNITIES, MENTORS, AND MISSTEPS

Langford started working at Sapient in 2002, after a long career spanning IT and facilities roles in global companies such as PWC. At Sapient in 2008 he identified a gap in the company’s internal services, specifically related to information security. “I spoke to the COO and explained what I felt was missing and that I could do the role. He added four or five other components to it and I was tasked with starting the security office on two beans.”

Eventually, Sapient brought in an official CISO to work with Langford. The two quickly developed a close working relationship and Langford realized the many learning opportunities he could glean from the new CISO. “We got along really well and I was fortunate to work with him. I learned so much from him. It is always valuable to have someone who has been in the industry and understands your perspective. It is also good to have a mentor to champion you and be in your corner, to validate your decisions and say, ‘yes, you are right’, even if the company ultimately goes in another direction.”

An early failure with a big security project was just as integral to his development. “I tried to overcomplicate a solution and that meant the business was not behind me in the roll out. The project did not get the results it needed and I got a stern talking to from the COO,” said Langford. “We ultimately made it work because we simplified, simplified, simplified. Now, whenever we need to engage directly with the business for a security project, we simplify. It works.”

Ultimately, the CISO left Sapient for another role and Langford quickly moved into the CISO position. Soon after, Publicis Groupe acquired Sapient and the marketing and advertising giant recognized the strength of Sapient’s security program and put Langford in charge of the global company’s security effort.
“The transition into Publicis Groupe was straightforward in some ways, but challenging in others. The team was made up of existing Sapient and Publicis people. I had to lean heavily on the team to keep the wheels on, and they were fantastic at responding to requests and getting the job done while I navigated the new corporate structure. As a CISO, you need to be able to trust your team, give them a framework and empower them to make decisions.”

“In many ways, we were a new team last year. We were largely the same group of people, but in a whole new environment. We had to focus on delivering the basics. Now our goals are broader. We are establishing consistent policies and working on consolidating our business continuity and disaster recovery programs. A new program is focused on threat intelligence and being proactive about identifying zero day threats. Security awareness and training is a priority this year as it is critical to everything we do. We are one year in and we have started to establish ourselves as the security team and people are now coming to us with their issues,” said Langford.

SECURITY AS A COMPETITIVE ADVANTAGE

Now that Langford’s security team has settled within Publicis Groupe, he seeks to positively impact the business through strategic security initiatives. “I am just back from a conference where I delivered a talk on competitive advantage. We can make security a competitive advantage by supporting the business. To do that we have to be flexible and adapt at the same speed the business adapts to changing business decisions.”

Langford continued, “Within the advertising and marketing services industry, security can be a competitive advantage. Campaigns take in a lot of sensitive consumer data and it matters how we handle that. We don’t want data stolen or lost to competitors. A client told me that it takes them three months to accept code from their suppliers because of multiple security reviews. If we can do security code review before we send it to the client, then we can cut that timeframe down to a single security review. Testing then takes just three or four weeks. For Publicis, that means we can finish and bill projects more quickly and clients can get to market with their campaign more quickly.”