Cyber security consultant Thom Langford doesn’t merely relate to the current noise about CISO burnout – he has lived it. In a heart-wrenching blog on his personal website Thom explains how, in 2017, the pressure of his CISO role led him to the top of a building in the middle of the night, unwilling – and unable – to carry on.
He had been self-medicating his stress through alcohol for months and would soon be diagnosed as clinically depressed. Thankfully he was talked down by an ambulance crew, and he credits his family and the NHS for helping him to heal. Crucially, there was no pressure to return to work until he felt ready.
Two years on from the experience, Thom is a stronger person and has become an advocate for talking about issues before they become destructive. He has spoken on panels about CISO burnout and admits to being floored by the reaction he gets when he shares his experiences.
“I’ve been overwhelmed by the number of people who have contacted me to thank me for speaking out,” Thom says. “I decided the story would come out, so I wanted it to come out in a way I had control over, and it seems it has really helped other people. I’m shocked by how many of my colleagues are struggling with the pressure.”
Thom suggests two endemic issues could be part of the reason why: “This is an industry measured on failure and an industry too used to keeping secrets; secrets are what we do.” He also thinks that the male-dominated environment of cyber security compounds the problem, because “it’s harder for men to ask for help. It’s the traditional part of growing up – you don’t cry, you don’t admit weakness. Look at the suicide rates around the world; the majority are young men.”
His experience has taught him the importance of self-care and “being a bit kinder to yourself. Yes, CISOs work hard and have to put in a few more hours than other people at times, but I have learnt that not everything needs to be done today, and no one is going to die if I stop and go home.”
There is a cruel irony that the role that caused his breakdown is also a job he adores. “The moment I got into security, it felt right,” he says. “It felt like coming home, and I knew I’d found exactly what I wanted to do. I’m not really into things like programming, but I love the creativity and the leadership of this role. I remember a boss telling me that I had a security mindset.” The root of this outlook could be from his days at university, suggests Thom, when he was a keen practitioner of Taekwondo.
“I liked how Taekwondo changed my view of the world: you were suddenly looking for risk everywhere and being a lot more observant” he says. Scrolling back further in his life provides other clues as to why Thom is poised to meet risk. He grew up in London, which he says was “Rough. A gun was pointed at me at the top of a slide once. I was about nine.” His father had died when Thom he was six, leaving Thom and his mother to cope alone. “It wasn’t easy,” he admits, “but the family really rallied around, and my mother sacrificed a lot to ensure my education and upbringing were strong.”
Despite losing him at such a tender age, Thom is quick to mention his father’s enthusiasm for technology. “He owned one of the first portable calculators ever made,” Thom recalls. “It was huge. And he had a TV in his car, which was almost unheard of back in the 1970s. He just loved technology, and we both loved taking things apart and seeing how they went back together.”
Thom studied technology to A Level and was keen to continue at university but lacked the grades in physics and maths that were (then) crucial for a degree. He settled for Industrial Relations (Personnel Management) with Computing at the University of Kent, but spent his three years there longing for more computing and less industrial relations.
Roles in IT followed, often as the IT manager. He was handling everything from (literally) building computers to designing system architecture, but by 2008 he was bored with “staring at blinky lights”. He admits, “I’d lost my passion for the job and didn’t really know where I was going with my career.”
And then the universe conspired to offer him the solution. “At Sapient, we had one security person and he left,” he remembers. “There was no talk of replacing him, plus I didn’t feel he had been given the opportunity to do much beyond business continuity and annual training. I saw a gap and spoke to the COO.” Thom was told to get on with it, and he “started a security team of me plus half a person on no budget. We grew to 18 at our biggest.”
Sapient was eventually acquired by Publicis, who were so impressed with what Thom had achieved they hired him as CISO. “I was asked to start from the ground up building their cyber security provision. When I left in January, my team was 61 people.”
Thom is now a cyber security consultant, working for a variety of companies while always finding time for the speaking gigs. “I love engaging with people, it’s one of the best bits,” he says. Increasingly, he finds himself being asked to talk about burnout as the industry becomes more concerned over the growing issue. Our own research found that nearly 17% of CISOs are currently medicating or using alcohol to cope with stress.
“I don’t want to become the ‘breakdown guy’, but I feel passionately that people should be able to reach out when they need help and we only encourage them to do that by talking about it,” says Thom. “This is important stuff that the cyber security industry needs to address. And no, it’s not the mission of our work, but if we deal with this well, we can achieve the mission.”
Download our recent research report, Life Inside the Perimeter: Understanding the Modern CISOs. Read about other CISOs on our blog, including Ian Golledge from Square Enix and consultant CISO Phil Huggins.