Security Leadership and Management

How to Become a Customer-Facing Security Executive

By Diane Ritchey
“As CISOs and CSOs we are on a continuous journey to become real business partners and have a ruthless focus on business priority,” says Dave Tyson, Senior Director, Information Security, at S. C. Johnson & Son, Inc. Photo courtesy of Dave Tyson

“You have to have a big picture understanding of the business and inter-dependencies of your company. The only way to learn what’s important is to engage your internal business partners and glean what matters to them and their program(s),” says Dave Komendat, CSO at Boeing. “After clearly understanding what is important to my internal Boeing partners, I can then concentrate on developing the appropriately aligned service expectations and success metrics for my suppliers that support The Boeing Company.” Photo courtesy of Dave Komendat

 “Our vendors have to understand our strategy and where we are going as a company,” says Mike Howard, CSO at Microsoft, when talking about their customer-centric strategy. “People/Companies want to sell you products and services, but who is taking the time to study us, to understand our services and act accordingly? That’s how you take the vendor relationship to the next level. We expect our vendors to understand our mantra, which is  “You have to have a strategy before you have technology.” We partner with various Microsoft business groups, and they don’t necessarily have to understand the security group. The idea is to make Microsoft as a company more efficient. That is a two-fold benefit for our sales team, as it showcases the technology that Microsoft is trying to sell, and allows us (the security group) an opportunity to understand the verticals of the company, making us smarter and helping the sales team to sell product with the company’s bottom line in mind.”  Photo courtesy of Mike Howard 

How does Michael Couzens, VP and CSO at Baker Hughes, take a customer relationship to the next level? “The customer should be at the forefront of any security design. Recognize that as times change, so do the needs and expectations of the customer.  Today’s solution is unlikely to be a fix for tomorrow’s security challenge. Getting your own team to think about the customer and to challenge them to take steps to improve a relationship, solicit feedback, propose enhancements etc.  Customers generally prefer bespoke solutions that are designed to meet their specific challenges and requirements. One size doesn’t fit all, interpretations and requirements differ.  You have to be pragmatic, prepared to adapt and to act at their pace. In addition, you have to understand the customer’s regulatory framework and be prepared to demonstrate your own compliance, which provides confidence.” Photo courtesy of Michael Couzens    

 John Imhoff, CSO at EY (formerly Ernst & Young), says that with regards to the company’s vendors, “When a service is critical we are big enough to do business only with reliable partners, so if a key partner doesn’t have the standards that we need in terms of their own resilience and internal controls, we will walk away. We can influence downstream, and we do that quite often.” Photo courtesy of John Imhoff 

May 1, 2015

In early April, Wall Street’s oversight committee announced that banks’ oversight of cybersecurity measures at outside firms they do business with remains a work in progress, at best. It cited a survey of 40 banks that found that only about a third require their outside vendors to notify them of any breach to their own networks, which could in turn compromise confidential information of the bank and its customers.

Fewer than half the banks surveyed by the committee said they conducted regular on-site inspections to make sure the vendors they hire – like data providers, check-processing firms, accounting firms, law firms and even janitorial companies – are using adequate security measures, the report said. About half require vendors to provide a warranty that their products and data streams are secure and virus-free.

“Benjamin M. Lawsky, New York’s superintendent of financial services, whose office began surveying banks on digital security in October 2014, said the responses showed financial institutions need to do more to keep tabs on the outside firms that have access to their networks,” said a Wall Street Journal article on the topic. “Over the last year, financial regulators nationwide have increasingly focused on steps taken by banks and financial firms to not only safeguard their own networks, but to ensure the outside firms they use are adequately protected as well,” the article said.

A separate Forbes article by Betsy Atkins, titled “Why It’s Time For a Board-Level Cybersecurity Committee,” reported that up to $21 trillion in global assets could be at risk from cybercrime. “As digital security breaches escalate, corporate boards should be aware that providing oversight on cybersecurity risks is part of their fiduciary duty. Boards should form a dedicated cybersecurity technology committee that may require new candidates with computer security backgrounds,” Atkins wrote. “The board also should require management to present their policies on cyber security in written form in terms of security practices, standards, and protocols for responding to security breaches. The board also should be able to identify the manager responsible by title, and in what timeframe they are to respond to an intrusion. In the event of a cyber-breach, the board should schedule an update from the security committee on any forensic review. The company may need to disclose any data breach in SEC filings if the breach was material. Courts consider failure to disclose a cyber-attack as a ‘material omission,’ according to some interpretations of new SEC guidance on disclosure. In addition, the board should work with the general counsel to determine the extent to which existing directors and officer’s insurance coverage provides protection, and identify what issues should be overseen by the CIO, the board, or board/committee for action and/or approval.”

What does all of this mean? It’s an opportunity for you, if you are not already doing it, as CISO or CSO, to be the bridge connecting the two worlds of business and security and to be “customer facing.”

Possibly one of the biggest hurdles for some CSOs and CISOs is to understand they’re no longer the practitioners. The good ones realize this, and use their understanding of the security world to talk to their customers, to understand what they need and why they need it. Then they translate this to fit in with business objectives and explain it to the C-suite, to employees and to customers. By bridging these very different worlds, CSOs and CISOs can ensure that security has a seat at the “Customer Facing Board Table,” and keep security baked into the core of business driven decisions.

Depending upon your enterprise, your customer can take many shapes and forms, as seen by Dave Tyson, Senior Director, Information Security, at S. C. Johnson & Son, Inc. in Racine, Wisconsin, who has had the opportunity in several roles to be customer facing. His customer facing CISO role is one of “A relationship with business partners, including a growing and expanding field of vendor security, which entails evaluating and providing a high level of assurance that with that relationship, there is an appropriate amount of security,” he says. 

Tyson, who is also the 2015 President of ASIS International, the first CISO to lead the organization, was previously CISO at Pacific Gas and Electric, the first power utility in the U.S. to develop and deploy the smart grid. “At the same time, people started to ask questions about the safety of the grid, so the California public utilities commission launched an investigation into the security and usability of smart meters,” he explains. “As the CISO, I had to publicly give information to convince the regulators that consumers were safe. It was one of the first times that a CISO was in front of a customer speaking publicly about a security issue.”

At eBay, where Tyson was Senior Director of Infosec Operations, he regularly engaged with other business teams, he says, in addition to using the public and eBay customers to identify risks to the enterprise. “Those are examples of how a CISO has to stand up in front of the public and do things differently now,” he says.

“The financial services industry is taking a battering right now [in the public eye],” he says. “I tend to come to their rescue and say that they are also the most under attack. While I was at eBay we got attacks all of the time, so when you are the proving ground for new attacks, you have to be at the top of your game. And the CISOs who are not necessarily in front of the public, they are still working hard every day to protect their customer’s investments.”

Tyson adds that around the world, many Board of Director teams now have what some refer to as their “designated geek” who “understands the technologies speak; a senior leader on the team who can ask the right questions of management so as to provide appropriate Board-level oversight of cyber risks. When I was at eBay, I was seven levels from the president of the company, so I had to rely on my CISO for that. When I was at PG&E, I could directly speak to the CEO and tell him my concerns. As CISOs and CSOs we are on a continuous journey to become real business partners and have a ruthless focus on business priority.”

 

The “Grow Guy”

Robert A. Messemer, Chief Security Officer at Nielsen, the world’s leading global consumer measurement company consisting of 40,000 employees and operating in more than 100 countries, was appointed the company’s first-ever CSO in 2007. His experience of customer facing within Nielsen is that: “The CSO/CISO role has always been an evolving role. As the business grows and matures, so must our role as a key leader to positively influence top-line growth.”

“Irrespective of our business, clients are more focused on cybersecurity than ever before,” Messemer explains. “No one should be better qualified within an organization to directly address these concerns both internally and externally than the CSO.”

For Messemer, close collaboration with business leaders positions him as CSO to act as a trusted advisor on a broad spectrum of strategic risk issues, including addressing client concerns for data protection and privacy. “In this way,” he says, “the business leadership perception of the CSO shifts positively from being perceived as the ‘No Guy’ to the ‘Grow Guy.’ Our senior business leaders, particularly in new business development, marketing and client service value my direct engagement with our clients, especially because it demonstrates our deep commitment to data protection and privacy concerns.”

Michael Couzens, VP & CSO at Baker Hughes, Enterprise Security, says that a number of corporate security teams still focus to a great extent on their internal customer and overlook the needs of the company’s external customer.

“There have recently been some well publicized security breaches where customer data may have been compromised or stolen,” he says, “and it is against this backdrop and a growing awareness of security risks that customers are rightly starting to ask more probing questions about the security their partners, vendors and suppliers provide. Increasingly security has become marketable and a competitive advantage. Companies need to be able to give assurances about security, confidentiality, privacy, resilience, integrity and availability. A strong customer focus can be a significant contributor towards overall success and involves ensuring that all aspects of the company put its customers’ satisfaction first. The company that best anticipates, understands and exceeds customer expectations, in this respect, stands well positioned to gain market share.”

In this regard, the role of the CSO at Baker Hughes, he says, is to play a key part in building trust, transparency and confidence. The CSO has to be able to bridge between the business, the customer, vendors and regulatory authorities. Just as elsewhere in the business, they need to be customer-centric, focused on service delivery, execution, quality and reliability and customer satisfaction. Being visible and willing to talk openly about security and the value an enterprise places on security provides reassurance. “The CSO has to be prepared to meet with the customer, to listen to their requirements, solicit and act upon feedback and, seek to add value beyond the immediate terms of the contract or service being provided.  It is worth asking yourself how well attuned are you to the voice of the customer and how easy is it for them to have their voice heard,” he says. 

At Baker Hughes, one example of where Couzens and his team have developed excellent customer and vendor relationships is by collaborating on crisis management training and exercises. This has helped forge strong relationships, build trust and better prepare the organizations involved, for any future crisis, he says. Other areas where collaboration has improved the customer experience has included incident management, product design and integrated security solutions. “We have also been willing to share our knowledge and assist other security teams develop their policies, processes and systems,” he says. “Security is not just an add-on but a differentiator and marketable. Providing a trusted service can contribute towards significant revenue generation,” he explains.

Just as Couzens and his team seek to surpass their customers’ expectations, he says he expects the same from vendors. “Security partners should not only have a good understanding of our business but also the primary risks we face and the prevailing market conditions,” he says. “A mindset of enabling and contributing towards the success of the client is fundamental. There needs to be an open dialogue so that both sides can optimize the relationship while recognizing any constraints that may exist. There is merit in working together to collaborate on services and products for longer term benefit and to develop solutions for shared challenges. Like many others, within our contracts we set ‘stretch’ KPIs and meet regularly to discuss performance. We’ve considered including penalty clauses and incentives but have yet to fully introduce these, recognizing that security is a combined effort with shared responsibility for performance.”  

Dave Komendat, CSO at Boeing, says CSOs need to be engaged with the business leaders within their company. The first dialogue you have with a key management official should not be as a result of a crisis. Engaging early and often to make sure that there is a known and trusted relationship is key. “My team strives to be customer facing,” he says. “The leadership team shouldn’t have to reach out with questions; they should already know the players, processes and procedures in advance.”

For example, during the April 2011 earthquake in Japan, Komendat says he happened to be awake around the time the earthquake struck (2:00 a.m. PST), so he immediately got in touch with senior leadership to assure them that he and his team were not only aware of the situation, but were already in the process of contacting Boeing employees in the country and employees en route to determine their health and the safety of their families, and that he would be back in touch within two hours with an update of the situation. “That initial contact showed leadership that we were already engaged, and it gave our Crisis Management team the time it needed to fully assess the situation and the impact to our employees and operations in-country.”

John Imhoff, CSO at EY (formerly Ernst & Young), has worked specifically with procurement staff at the firm to ensure that language in contracts ensures that “key vendors are not exposing us,” he says. “And that happens at several levels. For example, Security has been involved in the designing of business continuity clauses for contracts to ensure that there is substance behind the words. Thirteen years ago when I started with this organization that was not the usual practice; it might have happened, but now, everyone is looking for that. There has been an evolution over the course of my tenure here.”

Imhoff also partners with the company’s IT and privacy team to employ a platform used to respond to customer queries and inform them of the company’s own business continuity, cyber physical security and privacy practices, to ensure regulation and implementation.

Frankly, with regards to the company’s vendors, Imhoff says “when a service is critical we are big enough to do business only with reliable partners, so if a key partner doesn’t have the standards that we need in terms of their own resilience and internal controls, we will walk away. We can influence downstream, and we do that quite often.” 

KEYWORDS: Customer Service in Security security as a service security executives security leadership value added security


Diane Ritchey was former Editor, Communications and Content for Security magazine beginning in 2009. She has an experienced background in publishing, public relations, content creation and management, internal and external communications. Within her role at Security, Ritchey organized and executed the annual Security 500 conference, researched and wrote exclusive cover stories, managed social media, and authored the monthly Security Talk column.
