Q&A: Thom Langford

Written by

Thom Langford has successfully built security and IT programs from the ground up. He brings an opinionated and forward-thinking view of security risk, often with some humor and pragmatism thrown in along the way. An international public speaker and award winning security blogger, Thom contributes to a number of industry blogs and publications. He is also the sole founder of Host Unknown, a collective of infosec luminaries who make security education and ‘infotainment’ films.

How did you get into information security?

Even in my earliest IT days I was always drawn to the security side of things, using tools like Back Orifice to justify expenditure on a firewall for the office. It was in 2008 that I got into it properly, when I saw a gap in what my company was doing and spoke to the COO about it. He had just been a victim of identity fraud and so was adamant that something should be done. As a result, I established a security team and the rest is (LinkedIn) history.

What’s the most misunderstood thing about information security?

That we know what a company should and shouldn’t do. Security is not the conscience of the company, avoiding risky activities at all costs; we are just one voice of many that advises the business of what is going on in our world alongside the CFO, CIO, HR, legal etc. The moment we demand that the business do as we say we have forgotten what we are in the business to do, which is to increase shareholder value, create more widgets and help the business achieve its aims.

What’s your proudest achievement?

Building a high-performing team that was able to scale from virtually nothing, and doing it twice – so I know it wasn’t luck alone! I make a point of hiring smart people (certainly smarter than me) and then not telling them what to do. This empowerment and support means they perform well with very little effort from me, get the job done and make me look better than I deserve to look.

What did you want to be when you were growing up?

For the longest time I was going to follow in my grandfather’s and uncle’s footsteps and join the Brigade of Gurkhas in the British Army. I did all the courses, was offered a bursary through university and then turned it down at the last minute. I realized I hated doing ostensibly pointless tasks when, upon arriving 10 minutes early for a pre-Regular Commissions Board course, we were told to run backwards and forwards for those 10 minutes. In my eyes we could have had a sit down and a cup of tea!

Quick-fire Q&A

What’s your favorite book?

In my private time, probably Old Man’s War by John Scalzi. Business-wise, Presentation Zen by Garr Reynolds.

What’s your guilty pleasure?

I don’t believe in ‘guilty’ pleasures, but an unlikely pleasure is a love of reading comic books/graphic novels. I grew up on 2000 AD and Judge Dredd comics, which are still my favorite, but I also read Marvel and DC comics too.

What’s your biggest regret?

Not moving from IT to information security sooner. As soon as I did, I knew I had found my career and home.

What’s hot on Infosecurity Magazine?