Security Masterminds

CISO, vCISO, and the unexpected benefits of storytelling

March 15, 2022 Thom Langford Season 1 Episode 4

In this week's episode, we speak with industry veteran and self-described recovering CISO Thom Langford.

We discuss how Thom got into cybersecurity and became a CISO, whether a CISO needs to be technical or not, and what differentiates a conventional CISO from a virtual CISO.

Thom also explains the benefits of storytelling, the use of videos and humor, and how to influence security culture.

We also hear about Thom's biggest security mistake.



Show Links

Thom Langford:

And in fact, if your security culture suddenly just becomes the company culture and you remove the word security, then even better, because the best security is when people don't know it's security; they just see this as how we do business. Hi, my name's Thom Langford. I am a recovering CISO. I also run my own business as a virtual CISO consultant and security strategist for hire. And I've also been a security advocate. So I like the sound of my own voice, probably a little bit too much.

Erich Kron:

Hello and welcome to Security Masterminds, the podcast that brings you the very best in cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry. I'm Erich Kron.

Jelle:

And I'm Jelle Wieringa and we are your hosts for this exciting episode.

Erich Kron:

I had a fantastic chat with Thom Langford. He's worked as a CISO, a vCISO, and he's held other cybersecurity roles as well. I've known Thom for a few years now, and something I've always liked about Thom is that, while he's really quite brilliant and takes his work seriously, he doesn't take himself too seriously. And this makes it really easy to chat with him.

Thom Langford:

I think, like most people, I ended up here by accident, because, like most people, I have an IT background. I've always been into IT since the ZX81 and ZX Spectrum days; it was called the Sinclair one in the US, with the rubber keyboard. And the BBC Micro; I did computing at school as an afternoon hobby. At university I did industrial relations, personnel management with computing, which is the most made-up name of a degree you could possibly come up with, but it was the computing that really made me passionate. And so I moved into the computer industry: VAX VMS operator, a field service engineer, an IT manager, although at the time I was just the IT guy. But fast forward to 2008, and I was running IT services, frontline services, as well as even facilities management as well. And I noticed that we had this gap when it came to business continuity and incident response in our capabilities. There were no services there at all. And so I messaged and chatted with our COO and he literally said, okay, you're going to do that now from next week. So I had literally a week's notice, told my line manager, that's it, I'm off. So we built up the team and then we actually got a CISO in, who I learned a huge amount from. And then he moved on and I took on his role, and then the company was acquired and I became a CISO myself. But the interesting part for me was when I was in IT, it was just a job. I was just going from day-to-day operations. Within weeks of getting into security, I knew I had a career. It felt right. It felt like this was where I was supposed to be. And I think a lot of people feel like that when they finally fall into the role that they want, be that a technical or a management role or whatever, and it just feels right, and that was the case with me.

Jelle:

He's definitely a fun guy to talk to. And I think he's very well grounded as well, which is really good for any CISO, since they need to take things at face value if they really want to change something and build a proper security posture.

Erich Kron:

I agree, a hundred percent. A question that I often hear when people are talking about senior leadership roles in cybersecurity, such as a CISO, is whether or not they need to be technical. We've heard this argument before, and I know this is very debatable either way, but I asked Thom about it and this is what he said.

Thom Langford:

So it depends where you are. There is some opinion that you have to have a technology background to be a CISO. And I'm of the opinion that you don't have to have a technology background. Yes, it's important, understanding technology, given that most of the challenges, the threats that we face and most of the vulnerabilities we have are technical. So yes, of course, having that technical background helps. I think the higher up you go up the tree, the less relevant it is. You mostly need leadership, the ability to communicate at the executive level, the ability to manage politics, your ability to see the bigger picture, et cetera. And yes, I understand that there is some element of technology you need to know, when a technology or when a particular threat or vulnerability is more dangerous than another one, for instance. But frankly, my view is that as a CISO or as a senior level executive, you don't have to have that deep-rooted, up-to-date, most bleeding edge knowledge of security technology, because that's what you have your team for. That's where you have your trusted team members to actually understand those kinds of things, and to work with you and allow you to then communicate that to the rest of the business. The same goes for having a finance background or a legal background, or an operational background, because the broader your knowledge of those particular areas, the more you can draw upon in your decision-making. Yes, IT is important because ostensibly the CISO and the CIO are going to be at loggerheads over many of their challenges. The CIO is about uptime. The CISO is about maintaining confidentiality, integrity and availability. That means that if something's going to break the confidentiality and integrity of something, then the system needs to come down.
Now that's going to be at loggerheads with what a CISO thinks, but conversely, knowing about the legal implications of doing a particular action is going to be useful for a CISO in order to make certain decisions. A lawyer will stop a CISO from doing something, even though the CISO says it's the right thing to do, because from a lawyer's perspective, it's a risk-based decision from a different viewpoint of risk. Is it important to have an IT background? Yes, of course it is. It's very, very useful. It's not the be-all and end-all. I think you can come into a position of CISO from largely any other position like finance or legal, et cetera. You may have some challenges dependent upon where security is located within the business, because if it reports into the CIO, you've got no chance as a lawyer, a finance officer, operations personnel, HR person, whatever, because your role is actually chief IT security officer, not information security officer. And I think that's the distinction here. Information covers all disciplines: IT, legal, HR, et cetera. Whereas IT security is purely focused on the security of IT objects.

Jelle:

Well, you can really tell he's been around the block. He knows what he's talking about. From my own experience, it makes a world of difference what type of organization you actually work in. Generally, the bigger the organization, the more politically savvy you need to be, and you need to be completely communication savvy, but it also matters what the organization expects of the CISO himself. It's about that balance between the two and how you apply it to your day to day.

Erich Kron:

That makes perfect sense, and I agree with you there. I think the communication part is definitely a very, very important part. So speaking of communication, Thom has done some really interesting video series that are designed to explain security concepts to people, and he also does a lot of public speaking.

Thom Langford:

Yeah. The Lost CISO was an interesting project, aimed at getting bite-sized pieces of advice, education, knowledge and experience, et cetera, over in quite a personable and engaging way. The idea was literally just standing in front of the screen, talking for a few minutes, having a few graphics thrown up behind me to help emphasize it, and then moving on to the next one. And it was just trying to make it a little bit more interesting and engaging than anything else. I think also it's very good for anybody to do something like this because you're having to stand up and defend your knowledge and defend your opinions. I always liked education and awareness. I always liked to impart that knowledge. I mean, that's why I think public speaking is really important, because until you have an opinion on something and until you've presented it to an audience, be it virtual or real, who are on the whole probably smarter than you, you're not going to be in a position to be able to hold your own in any office, meeting, boardroom, wherever, because you've never been challenged, because you've not had to think through what it is that you're saying. You're not saying it in a forum in which someone could literally stand up and say, you're talking rubbish.

Erich Kron:

I really liked his point about having to defend your positions on certain topics. It's like the old saying: if you really want to learn something, teach it. And I found that to be very true, and, you know, doing talks and panels in front of live audiences has certainly helped me step back and look at the other sides to certain issues and see them from different angles, as I'm going to be up there, potentially defending these things afterwards.

Jelle:

Well, he understands how you can connect to an audience by being relatable and providing interesting content. And this point about being challenged by live audiences, that's so true. It's what we ourselves, you Erich and myself, being on stage a lot, experience all the time, but that can also be very challenging to people's ego. Your ego is important, and that is why Thom is simply perfect for this job, because he doesn't take himself too seriously; he simply wants to deliver the best content and information that he can.

Erich Kron:

He definitely doesn't let too much ego get in the way. I love some of the things he does with some of these other videos, like the serious-ish videos, like The Lost CISO, that are out there. But just to kind of show you what Thom's about, he's also done some really fun parody videos. These are hilarious, music-based parody videos. And while these do deal with real topics and are serious, they're also just a lot of fun.

Thom Langford:

They were for fun. We primarily were just three fellows having a bit of fun and pretending that we're Hollywood stars and all that sort of thing. But we also think there is a serious message in all of them. I think our first stab at it was the CISSP video. Obviously at the time, that particular certification was going through a hard time. You know, there were photos on Twitter of people burning their certificates and stuff. And so we thought, let's try and redress the balance a bit here. Let's try and put the cool back into the CISSP. And then with the success of that, we thought, hey, that was good. Let's do that again. It was a good laugh. So we actually tried to come up with something a little bit more on point, a little bit more, and I stress this very much with air quotes, educational and informative, and it makes people sort of engage because they're laughing a little and they're sort of buying into it. And then the third one was even more serious, in inverted commas, because it was even more of a public service film, if you sell it to me, you know; it was talking to the general public rather than just the security public. Obviously we do Host Unknown anyway. We have a podcast, we've done various other films, we've done white papers, we've done all sorts. But the thing that we've always been told is that actually it's fun. And it's interesting. And "I didn't know security was actually interesting. I always thought it was boring", et cetera. We make no apologies for the fact that we kind of modeled it on the concept of Top Gear, which is an international show: three middle-aged men who really should know better kind of sums us up. But the fact is it gets people who aren't interested in cars watching a show about cars and taking stuff in. And that's the idea with what we want. I mean, it may not surprise you if you've listened to our podcast, my mother listens to it every week. She finds it fun.
It's, you know, three guys just having a laugh, and she finds it enjoyable and infectious. I dare say she's picked up a few things here and there, because how can you not, you know, if we talk about a particular subject like ransomware or phishing or something like that. But she wouldn't ordinarily listen to something like this, obviously, but I think that goes beyond just her; it's people listening to it because it's fun and it's engaging. And we all learn something from it. If our show is 45 minutes long, we only want you to take one thing away of any value or importance. Just one thing. It doesn't matter how small it is, but if you take that one thing away, it's been a positive experience, and because it's a good message to have. And frankly, if we can get one person to learn one thing, it's mission accomplished.

Erich Kron:

I love these parody videos that Host Unknown puts out; they're just awesome.

Jelle:

I've seen them. They're funny. And if you guys are listening and haven't seen them yet, go look them up online; we'll share the links below. But it's a great showcase of how humor and a lack of ego can be a very effective way of getting the message across. So cybersecurity is already pretty serious business as it is, right? So having videos like these lightens things up a bit and comes at it from a different angle without actually losing the value of the message.

Erich Kron:

You mentioned how serious cybersecurity is, and that's no lie. We've all made mistakes in cybersecurity, and especially in the cybersecurity industry, because of the level of permissions that we're often given; like, we get the keys to the kingdom a lot of times. So I asked Thom to tell us about a time he made a mistake, what he learned from it and why owning it matters so much.

Thom Langford:

So, so many failures. The one that I think has the best learning from it: quite early on in my infosec career, I was reporting to the said COO who put me in the position. I now had a team of about five or six people. So it's about a year, 18 months on. And he felt, rightly so, he felt that we should find out how many personally identifiable information records we as a company held, because he'd read the stat that it was $35, $65, $122 per record if they get lost. Because we were a services company delivering services to organizations, we had lots of access to lots of client data and client customer data. So we would import, you know, millions of records in some cases. So he said, go out and find out how many records we've got. Sat down with the team, and we produced the mother of all Excel spreadsheets that was going to track this to the nth degree. And we sent this out to every single project manager, which in itself was a feat. And I think we got about 12 responses, and we went back to the COO: oh, we can't do this. Nobody's listening to us. Oh, woe is us. And he went, are you kidding me? This is ridiculous. Why are you asking 70-odd questions? People are just not going to answer that. Of course they're not. You know, I don't care if we've got 25 million records or 27 million records or 30 million. I just need to know whether it's 25 million or 25,000. This is about orders of magnitude. It's better that I know about 80% of the problem than know about 10% of the problem and make up the rest in my mind. And so we went back, changed it, and it then became an eight-question questionnaire done in a very straightforward email, click, click, click, and we got something like an 80, 85% hit rate back from everybody. And for me, that was a lesson in two things actually quite early on. One was protect the team, because he was ripping the team apart.
And I was able to stand in front and say, they were doing this because of me; they did their job perfectly. I screwed up my part, and I was told afterwards that it actually was a bit of a "captain, my captain" sort of moment for them, as it were. But secondly, it really taught me: don't let perfect be the enemy of good enough. You'll never get perfection. You'll never get a hundred percent, except in some very, very rare cases. Knowing 80 to 90% of the problem is often good enough, because how you address it will take into account the small amount of unknowns. Whereas if you only know 10% of the problem and you try and address it, and then you only hit 30% of the problem, you're screwed, and you've wasted time, effort, and money. So that for me was a really big deal. So yeah, don't let perfect be the enemy of good enough.

Erich Kron:

Okay. So who among us that has worked in security for an amount of time has not had that mother of all spreadsheets for something? And eventually you step back and you go, what have I done here? So I can absolutely relate to what he's saying there. And the ability to say, hey, I messed up, and the ability to say when you need help, are some of the most important traits in security professionals. It's easy to get in over our heads. And sometimes, rather than turning around and saying, you know what, I need some help with this, we continue to try to flog through it, and sometimes things don't go as well as they could.

Jelle:

Well, one thing being in PR taught me is that it isn't really about you making a mistake. It's more about how you deal with it. So I'm a firm believer in the fail fast method. Like, you can't learn something new without making mistakes. Mistakes are part of the journey. You just have to make sure that you fail fast, meaning you correct a wrong and move forward from there.

Erich Kron:

Speaking of spreadsheets, we're going to move forward to talking about some CISO stuff. You know, many regulatory requirements have a need for a CISO role. That's a check on that spreadsheet, right? However, in some organizations the idea of having a full-time CISO is not practical. There's just not enough funding there. There's not enough work for that. So I asked Thom to reflect on the CSO and vCISO roles, the difference between them, and especially what that means for someone who's considering taking on one of these roles.

Thom Langford:

I'm struggling to think of some of the downsides of being a vCISO, you know, and I think the reason for that is that you can go in and you advise, but you're doing so effectively on a part-time basis. And so if it screws up, it's like, oh, it was all down to the execution. Being a vCISO does allow you to have that level of distance. And that's almost that greater level of confidence, because you've got people who are actually having to execute the work for you. And, of course, the downside is you've got people who you're not watching and working with on a regular basis doing the work. And so you could come back a week later or a month later or whatever, and find that they've done something completely different. It could be good, though. It could be much better than you intended, in which case you take all the credit. But nonetheless, it's consulting and contracting all rolled into one; at the end of the day you're just a consultant CISO. You come in, you tell people what the time is using their own watch. And because you have been brought in to do so, you're either reinforcing their beliefs as to what they need to do, or you're challenging them, such that they will have another good think about what it is that they want to do. So it's kind of a win-win. So I think a virtual CSO role is positive for all sides. To be honest with you, the downside of a CISO role, in contrast, is frankly, it's relentless. It is utterly relentless. You just don't stop. And I found that to my own sort of downfall, as it were. I blogged about it at the beginning of 2019, about the challenges that I had as a CSO towards the end of three years into my tenure, and it was really tough. It was very difficult. So yes, as a CISO, you can see things through; you're working with a team that are doing it, but it's relentless.
Conversely, as a vCISO, you can practice your seagull management to the best of your ability, swooping in, eating all the sandwiches, and going off and letting everybody clean up the mess, but you don't have a team that's necessarily executing your vision to the goal that you might want to see. My approach for the vCISO when I was running my consultancy was: my job is to make sure I don't have a job in 12 months' time, or whatever that period of time is. Because if I can't get you to the point where you're self-managing, I've not really done my job properly. The hope is that at the end of that 12-month tenure, I've done my job well, and they go, oh, there's this other thing we want you to do as well. What we don't want you to do at the end of it is say, hmm, well, I would recommend you have another 12 months of my services, you know, twice the daily rate and twice as often, which is untrustworthy. And it doesn't show respect for either the industry or your client.

Erich Kron:

So I can absolutely see where

Jelle:

Well, this is the beauty of talking with somebody that has experience in the field, right? He's done both. I'm sure there are many challenges, but I get that, as a vCISO, having some distance from the organization can really help to stay focused on the larger picture. But on the other hand, not having a team that executes your vision to the maximum can be a big hindrance too. So for me, well, both have their merits, and you just have to decide what works best for you in a particular situation. That's what it comes down to.

Erich Kron:

As someone who's been in these leadership and consulting roles for quite a while now, I asked what's the big problem in the next decade.

Thom Langford:

I'm going to say technology, because there's a lot of great tech out there. Let's not lose sight of the fact there's a lot of great tech out there, but far too many people, I think, feel that the tech is all that's required. There are so many other things. Because we've come from an IT background, I'm of the opinion that we are still overly reliant on technology. We think it's a panacea when actually it's just a single tool. So for me, the biggest threat is complacency, especially as tools and technology get bigger, better, faster, smarter. We're going to think that we can just do away with it, like these things are getting smarter and so much better every single day, and we're just going to start to think that we're not going to need the human being. We're not going to need anything else in between. And I think secure by design is a bit of a pipe dream, in my humble opinion, because we're humans.

Jelle:

I agree fully with him. So the complacency kind of lures you into that false sense of security. Technology won't solve everything for you. It should be about the combination between technology, processes and people; those are the three pillars that we look for in cybersecurity. So it's about finding that balance between them, so that you can tackle a certain. So technology is definitely the one of the pillars which evolves the fastest, having AI and that sort of thing. It really moves quickly. But relying on this too much will get you into trouble eventually. It needs to be about a good balance.

Erich Kron:

Sounds like wise words to me. As someone who's been in these roles, I was curious what Thom thought were the most beneficial skills for those wanting to take on a CISO or senior cybersecurity role.

Thom Langford:

I think in any leadership role, you need to know how to communicate, you need to know how to empathize, and you need to know how to tell stories. And the reason I say that is: you communicate because any leadership role means you're going to have to communicate your vision, your strategy, your goals, both to your team and upwards to your leadership. If you get that communication wrong, then they're going nowhere. It doesn't matter how skilled they are. It doesn't matter how smart they are. If they're completely misinterpreting what you're saying, then they're never going to succeed. And empathy, I think, is important because if you go into every single meeting, every single negotiation, every single communication without understanding where the other people are coming from, you go nowhere very, very quickly. And it doesn't matter if it's your leadership saying we need to do it this way; if you just say, oh, that's wrong, well, you talk about us, that's rubbish, you're missing the point entirely. Their objectives are very different to your objectives. Your objectives may comprise 10% of their objectives if you're lucky. So understanding where they're coming from is important, and conversely understanding where your team is coming from and why they're behaving the way they are, the way they're working, the way they are behaving and delivering work. Understanding that somebody's marriage is breaking down, understanding that somebody is having mental health issues, understanding that actually somebody is just a little bit burnt out, or even understanding that somebody is ready, willing, and able to take on much, much more work and is incredibly pumped up and ready to deliver. You're constantly adjusting how you're interacting with your team based upon influences like this. And you don't get that if you're not listening and being empathetic to them all the time, actually understanding where they're coming from.
You also need to encourage that within your team leads as well. Because certainly for me, I had three direct leads reporting to me who I would speak with most days, and they would be communicating to the rest of the team, but they would be talking to me about individual members of their team because they knew what was going on in their lives. And then we would work out what to do together.

Jelle:

So I think he's dead on with his answer here: communication, empathy, and especially an understanding that you have of the actual business, because those are your customers as a CISO. Those are key, and most often forgotten by more technically inclined people. So being able to convey your message through storytelling, then, is just the cherry on the cake. Storytelling involves your audience on a greater level. Combined, the three are a really powerful way to communicate your purpose and your goals within the organization.

Erich Kron:

I'm going to switch gears a little bit here. We've been talking a lot about the impact of culture for a while now. We had Kai Roer on here previously talking about culture and measuring it. I wanted to see what Thom's thoughts were about the CISO's influence on culture within an organization.

Thom Langford:

So, interestingly, two completely opposite roles. In a sense I'm going to say, one, they should have no role whatsoever, and two, they should be completely involved. Now I'm going to qualify this. They should be completely involved because it's security culture; they should be setting that vision and that strategy of how that culture is going to happen. However, they may not necessarily be the most qualified to drive that. They are CISOs; they are not necessarily part psychologist, part sociologist, part scientist, part marketing and PR, because that's what culture is. Culture takes all of those things and is a conduit through them. If you were to look at a TV advert for a Mars bar in one country versus another country, there'd be two entirely different types of adverts. And the reason for that is the culture of the countries themselves. The actual product is exactly the same, but the culture actually talks to the people of those particular countries. And so you're taking in information and knowledge of that culture, specifically of that country's culture, to sell that product. We need to be doing the same thing. We need to be looking at who we are as an organization, both as a company but also as a group of people, and seeing, and defining and guiding our people to embrace that culture that we're trying to create. And that's why I say the CISOs shouldn't be involved, because they're probably terrible when it comes to marketing and PR and psychology and all that sort of stuff. They know what they want to do, but don't necessarily know what to do with it or how to do it, but they should be working with HR, they should be working with marketing. They should be working with, you know, whomever else in any organization that makes sense.
You might have teams of people who are working on user interface and user experience. All your materials that are being communicated to your people need to be consistent around that security culture that you're trying to create, to ensure that when it comes down to it, every message you put through that filter of that security culture is going to be received exactly as you transmitted it. So yes, a CSO should be absolutely involved in setting it up, in establishing that culture in the first place, but there are plenty of other people that may well be more than qualified, or more qualified, to actually deliver that culture itself. And that doesn't even touch on the company culture, let alone the security culture, because these two have to work together as well. And in fact, if your security culture suddenly just becomes the company culture and you remove the word security, then even better, because the best security is when people don't know it's security; they just see this as how we do business.

Jelle:

I love the whole topic of security culture and company culture. A CSO should be partly responsible for security culture, meaning they should be directly involved in building it, together with the other specialized departments like marketing, PR, HR, et cetera. But I also think someone needs to be accountable for the final results. Somebody needs to own it. And as long as the CEO is empowered to do this, he's an excellent center point for this. It can be a hard job, but by having somebody at the center of all of it, you at least ensure progress.

Erich Kron:

We mentioned earlier the parody videos that Thom's done with Host Unknown and the really good use of comedy, but they also tell a story. And that's part of what the videos are: it's telling a story. Now I asked Thom how storytelling can help security awareness professionals engage their audience to break their bad habits of clicking, plugging in USB drives, bad passwords, all that kind of stuff. You know, how can storytelling make a difference?

Thom Langford:

I saw a really interesting video the other day. And it was a chap sat at a desk, obviously looking at something on his monitor. And on the left-hand side, it said, watching computer-based training on Excel or PowerPoint or something like that. And it was a time-lapse, and he was moving around. He was spinning his chair. He was, you know, all over the place. The other side of it was him then watching Star Wars, and he was sat stock still for the entire video. That's what storytelling does. Storytelling engages, and engages you at a physiological level. It changes the chemistry in your brain. People will remember the story of Star Wars more than they will remember how to import data into a table from the web in Excel. They may have only been shown Star Wars once, and they may have only been shown how to import data from the web in Excel once. I guarantee you they'll be able to relate the story of Star Wars, or whatever it is. Storytelling is as old as humankind; you can see that in the paintings on the walls of caves, of people going hunting for wild animals and setting up campfires and all that sort of thing. Storytelling was how, before the written word, people used to educate each other on how to do things and how not to do things and what to do. And without storytelling, we wouldn't have survived as a species. And I think we forget that so much. But conversely, it's got to be good storytelling, because we've all switched a film off halfway through or after the first 10 minutes or whatever. If it isn't compelling, if it doesn't engage, it's just as bad as poor education and awareness. So storytelling, for me, is the absolute pinnacle, the primary way of ensuring that people will receive and understand the message.

Erich Kron:

I feel somewhat vindicated here because my primary skill as a presenter is telling a story. I'm all about getting into storytelling and trying to get them engaged, so it seems like I'm not doing it all wrong, then. That's a good feeling.

Jelle:

Well, storytelling is incredibly hard to do. It takes so much more effort than just simply conveying a bunch of numbers and stats to people. If you're a security practitioner and you're having difficulty getting your message across, consider doing a course or two in storytelling, I promise you it will really help you out.

Erich Kron:

No, that's a great point. It is a great way to learn to look at things a little bit differently and think about how you can engage interest. So great point on doing a course or two on that. I agree with you a hundred percent there. So now I've asked Thom all kinds of questions through this thing, and I wanted to give him a chance to put out a message that he wanted to share.

Thom Langford:

The only thing I'd say is that you can still be a human being and be successful in this business. All too often, we see a lot of people who are angry at the world, and that comes through, and it either comes out as anger towards other people or just this mass inflation of ego of their own, or worse, a combination of both. The best piece of advice I ever read was four words by Wil Wheaton. Wheaton's law, which is basically don't be a dick, in any of your interactions with anybody, be it personal or professional. And again, I think this does particularly apply in our industry, and that can come across even in the way that we educate people, the way that we approach people, the way that we might even shoulder-tap somebody and say, Hey, you've been distributing malware from your desktop. If you do that in a way that humiliates them, makes them feel bad, it makes them feel worse about themselves. That's not a learning moment for them; it may even make them make worse decisions in the future as a result. Actually empathizing, as I mentioned earlier, empathy being important, understanding where they're coming from, understanding the challenges they have, and then helping them and holding their hands on the way out is the best thing you can possibly do.

Erich Kron:

He makes a good point about interactions possibly impacting future actions. If you shame them on something, they may react differently next time. And I think that's actually a really cool point and a great takeaway from this.

Jelle:

I'm of the mindset that you should treat others as you would like to be treated. Yes. So life is simply too short to do things that you don't enjoy, let alone having to work with people that are toxic. So this goes for every aspect in your life; we simply don't have time for it. So I fully agree with Thom's final thoughts.

Erich Kron:

I asked Thom, if somebody, a listener, wants to contact him, how do they go about doing it?

Thom Langford:

So you can throw a rock through my Twitter window at Thom Langford. That's T H O M Langford. My website is thomlangford.com. You'll never guess what my email address is. Do reach out. Give us a shout. I'm here for anything you want, to be honest with you. I always like having a chat with people; let's have a chat over a beer or a coffee about it.

Jelle:

So thank you for joining us for another episode of Security Masterminds. I would like to thank James, our producer. If there are topics you would like to hear about or people you would like us to interview, let us know.

Erich Kron:

We hope you enjoyed this discussion. And if you did please subscribe and share the show with others. We will continue to bring you new episodes every month.

Erich Kron:

So until next time folks, bye for now.

Introduction
Getting into Cybersecurity
CISO at Technical Role or Management Role?
Videos & Public Speaking
Parody Videos - Host Unknown
Biggest Mistake & Lesson Learned
vCISO vs CISO
Biggest Threat in next Decade
Beneficial CISO Skills
CISO Impacts Culture
Storytelling
Final Thoughts
How to find Thom Langford