As Chief Information Security Officer of Publicis Groupe, Thom is responsible for all aspects of information security risk and compliance as well as managing the Groupe Information Security Programme. Additionally, the role is responsible for business continuity capabilities across the Groupe’s global operations. Having successfully built security and IT programmes from the ground up, Thom brings an often opinionated and forward-thinking view of security risk, both in assessments and management, but is able to do so with humour and pragmatism (mostly).
WHAT IS YOUR GENERAL APPROACH TO BUILDING AN INFORMATION SECURITY TEAM?
I think my general approach to building a security team is focused around passion. So, you know the idea that you hire passionate people and then inspire them, rather than just hiring technically capable people because they’re not necessarily the most passionate. So passion is always one of the key things that I will look at and that will come across in CVs and through interviews, you know, fairly apparently and fairly quickly.
HAVE YOU DEVELOPED ANY TECHNIQUES TO IDENTIFY GENUINE PASSION FROM CANDIDATES?
So, I think in order to find out if somebody’s passionate, it’s not just a case of asking them if they’re passionate, it’s about asking them what it is that they’re passionate about, and what it is that they’re doing about it. So, they could be passionate about things outside of info-sec, and that’s fine in and of itself. Obviously I want to know what makes them passionate about this role as well, but it’s going to be things like getting involved in social media, actually attending events, engaging with people, perhaps even, you know, blogging or writing papers about stuff that they may not necessarily be qualified to do, but they’re actually engaged enough to want to do it in the first place. I think actually finding out what it is that they’re actively doing is really important. I mean, I think the benefit of getting involved in things like social media and conferences is actually that they get to engage with people who are already in the business. They’re not just trying to get a job from the outside, they’re trying to work with people who are already in there, who can give them advice, who can point them in the right direction, and actually who can also refer them as well. So, I think you’re actually starting your career choice from the inside of a community rather than the outside.
WHAT OTHER ADVICE WOULD YOU OFFER FOR SOMEONE BEGINNING THEIR CAREER IN INFO-SEC?
I think other advice for people starting out is things like: really find out what it is that the company you work for is doing. What is their business? What is their core business? What are they trying to sell? If you haven’t read their company report yet, then how do you know what the company is actually trying to achieve? So, actually aligning yourself to the business, rather than the business of security, is significantly more important. It actually changes your perception and changes your priorities in some way as a result. Now that should come across as well from the leadership of whichever company you’re in, or whichever security group you’re in, but sometimes you just need to do these things for yourself and actually start to form your own opinions, and then you can engage with your broader team internally around what it is that you think you should be doing, or the team should be doing, in order to meet and further the aims of the company.
WHAT ARE SOME OF THE SKILLS THAT YOU BELIEVE WILL BE MOST IN DEMAND IN INFO-SEC IN THE NEXT FEW YEARS?
So, I think the skills that will be in the most demand in the near future, near to middle term future, are things that are more hybrid skills. So, there’s a lot of niche skills, so security testing or business continuity, two sides of the same coin there. But I think the hybrid skills also involve, you know, legal aspects for instance. So understanding the legal impact of, you know, security provisions and privacy etc. I think people who come from a background of physical security, and then combining that with the stronger elements of information security. Having that hybrid approach is actually going to help someone be a far more rounded individual, which means that they can be fluid in where they work in an organisation, and with security teams being stretched to fulfil, you know, any demands at any time, and at short notice etc., you do need these kinds of hybrid roles because they can turn their hands to most things most times, and that I think is going to be very, very key.
HOW IMPORTANT IS CULTURE WITHIN AN INFO-SEC TEAM?
I think culture is vital because a culture is what will help somebody identify with a group of potentially random strangers. It helps people, you know, create a bond; the culture will often have shared goals, or should have shared goals, it should have shared objectives, and actually people feel more aligned, and they feel more a part of a team as a result. So, actually having that culture very clearly stated is really important, and that doesn’t just cover business objectives as well. So for instance, you know, one of my cultural objectives is that we work hard and we play hard at the same time. We actually try and enjoy ourselves, we try and laugh. I was in an office just a few weeks ago, and actually it was great to walk in and hear people chatting and laughing about things, the work that they’re doing and, you know, some of the experiences they’ve had, because they are actually creating an emotional and visceral response in people that makes them feel a part of something, makes them feel a part of something that’s doing good. So culture for me is really important, and it has to come from everybody at the top, and it can manifest itself in different ways, be that going out for dinners, having social events etc. But it’s also in the way that you pull together when you actually have to deliver work on very short notice in difficult circumstances; you know you can rely on people because they’re sharing the same aims and goals as you are. I think a strong culture is by its very nature inclusive, and it doesn’t come from a place of separation, and, you know, trying to create some niche groups etc. A good, strong culture is one that includes everybody, so I think when it comes to diversity, it should be very welcoming. It should be, you know, as I say, culturally very inclusive and not actually making people feel uncomfortable, or, you know, feel like an outsider.
It can come down to, you know, even little things like, you know, a good strong culture doesn’t rely on alcohol for instance. You know, that may be an element of it at some times, but actually alcohol itself is not necessarily, you know, important for certain people, be it for religious or personal reasons. So the culture has to surpass that, and actually has to go beyond just key aspects like that. So, I think again, it depends on the environment, it depends on who’s there, but if your culture stops certain people from actually entering into it, it’s a toxic culture, you know, by its very definition.
WHAT DO YOU TYPICALLY LOOK FOR WHEN EXAMINING A C.V.?
So when it comes to CVs, the key things for me are a social media presence, you know, and it could be Twitter, it could be LinkedIn, it could be anything really, as long as there’s some kind of presence on there, because our jobs are very much in, you know, the public eye at the best of times, and it also shows a willingness to put yourself out there. I think it is, you know, to be honest with you, a C.V. that is well laid out and easy to read and actually talks about capabilities, and evidence of those capabilities in past accomplishments etc., rather than purely stating job after job or project after project. Actually, what were the individual impacts that you were able to bring to that? The things that really stick out for me are spelling mistakes. I think the C.V., love it or loathe it, is still, you know, the single most important document for getting work in any industry. So you need to put some care into it, and you need to present it well. It needs to be in an easy-to-read font, you know, that sort of thing, so anything that helps make it stand out for all the right reasons, rather than the wrong reasons.
CAN A CANDIDATE MOVE INTO THIS ROLE AT ANY TIME IN THEIR CAREER, OR SHOULD IT BE THE GOAL FROM THE OUTSET?
Yeah, I think people can move into this industry at any point in their lives. I think, you know, transferable skills alone are something that can be used. If you’re a student of psychology for instance, and you decided that academia is not for you, well actually you’d probably make quite a good auditor, because you can actually use some of those psychological skills to work out, you know, and find out evidence and analyse evidence and how it has been presented to you. I think again, it’s not always about the technical skills, it’s about the passion. So, you know, I always say that we can teach technical skills, that’s not an issue at all, but what we can’t teach is the passion, and the values and the culture as it were. You need people to come in who really want to do this. I witnessed, you know, multiple people, you know, thinking of one in particular, who I met through Twitter, who was working self-employed in a retail environment. And just through his spare time, and, you know, the kindness of strangers on Twitter as it were, has actually, you know, now progressed into a very highly respected security researcher and has got, you know, a good paid job out of it, and that’s over a period of, you know, five years. But this individual has just decided that, you know, it’s what they want to do. They have numerous skills, they’re willing to learn, they’re passionate, they’re vocal and they’re engaging with the community. So actually it doesn’t matter whether you’re, you know, 18 or 80 to a certain extent. If you’re willing, able and capable to demonstrate that passion, demonstrate what you can do for the community, then all should be welcomed.
HOW DO YOU ACHIEVE THE BEST INTERESTS OF THE BOARD?
So I think there’s a couple of ways of getting engagement from the board and executive leadership. I think the first one is, just forget this notion that information security is about reducing risk by saying no to everything. It’s an old-school approach; yes, you can reduce risk by saying no to everything, but you’re also squashing business fluidity and flexibility. You’re creating shadow IT and shadow security as a result of it, which is stuff you just don’t know anything about, which is an even greater risk than saying yes to something in the first place. I think the role of the CISO, and the role of the security group, is to help the business do more, sell more, be able to hit the market with more product, or, you know, a broader range of skills or whatever, you know, maintain shareholder value, increase shareholder value. That’s the core business of a CISO, but by doing so through the judicious use of information security. So you can start to engage your board by talking about risk profiles. What is the board, what is the business willing to accept from a risk perspective? It’s not for security to say what you can and can’t do. It’s for the business to say what you can and can’t do. Just because something is a high security risk doesn’t mean it’s a bad business idea; it could be a very valid business move to continue anyway. I think the other way as well is to start communicating with the executive leadership etc. in a way that means something to them. More often than not, that’s financial. I think, you know, as they become more aware of the impact of security breaches around the world, if you can translate some of your own incidents or translate some of your own investments into financial returns, or financial opportunity costs, or financial fines etc., then you can actually start talking to them about the value that you bring to the business, and so it’s a two-way street, you know; they’re being made more aware of these things through the media and we need to bring things to them in a way that makes sense to them.
HOW BEST CAN SOMEONE WITHIN THE INDUSTRY EDUCATE AND INFORM THOSE FROM OUTSIDE THE SECTOR?
I think the role of individuals within the info-sec communities is really important in sharing the key messages as to who we are, what we do, you know, how we operate. Actually, how open we are to getting people with different skills, different, you know, career stages, the transferable skills we spoke about etc. It’s down to all of us to do that, you know, we have to volunteer our time for this. This could be through conferences, it could be through engagement with schools. There’s various info-sec bodies out there which help info-sec professionals to talk about security in schools, and then, you know, talk about the importance of it etc. We need to, rather than just talking in security conferences, let’s start going to pitch ideas to, you know, finance conferences, or to HR conferences, or to legal conferences; there’s so many crossover subjects that we can get involved in and start talking about. I think we often get stuck in our own echo chamber, just shouting the same thing to the same people expecting, you know, changes to be made, when we actually should be engaging in a far broader manner, and that’s down to everybody, you know. Be that, you know, shouting on Twitter or, you know, shouting at a conference, we all need to do that in our own individual ways.