The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more
As vice president and CSO at Boeing, David Komendat needs to balance the security needs of the commercial and defense sides of the business, which includes over 160,000 employees in over 70 countries. Komendat's team is responsible for protecting people, property and information, as well as for making the business resilient. His team works to embed security and safety expertise within the business units, projects and sales teams of the largest aerospace company in the world.
CSO: What is the most difficult or rewarding accomplishment of your career?
Komendat: Elevating the security division as an organization that can enable Boeing's individual businesses to succeed in acquiring new business opportunities. It's really exciting to know we can provide the internal expertise to help the business secure a contract instead of having our business partners expend precious funds on outside security consultants.
What has been the biggest change to the CSO role in the past few years?
You really do need to possess good business acumen. You need to run the organization like any other department in the company, with solid financial performance and rigorous metrics and governance processes. If you can talk about business articulately, it brings you more opportunity to help influence what's going on at the company. That's a big change from years ago, when the CSO job was perceived to be only about securing the facilities and preventing bad things from happening.
What are three fail-proof principles of security leadership?
Surround yourself with people smarter than you. They will challenge you when necessary, help drive improvement and make you think beyond yourself. You want people who are good leaders at every single level, as well as a diverse group of high-potential personnel in the pipeline.
Be a good communicator. Tell people what the vision is and how to get the team there. Just as important, be a good listener and ask for input frequently--and use it.
Third, be decisive. A lot of times you want to lead by consensus, but sometimes you need to make critical decisions very rapidly. You don't always have all the data you'd want to have, but you've got to make a decision. Trust your experience, make the call and move forward.
What are two things about security or security leadership you wish you'd known 10 years ago?
I did not anticipate the speed at which technology would advance security, in both positive and negative ways. Like the BlackBerry or iPhone--you can't live without them, but those little devices can create significant security issues. Ten years ago, very few of us understood how disruptive new technology would be in the workplace and how quickly we'd have to adapt our security thought process and procedures.
Second, as we approach the tenth anniversary of 9/11, no one could have imagined the scale of the devastation that occurred that day. Before that, security leaders were not necessarily viewed at the same level as others with similar-level jobs. Now, there's a lot more visibility and a lot more expected from the CSO position. Security leaders across the country have had to adapt and learn what it means to be not just a security leader, but also a business leader.
What will be (or do you think should be) the next big topic in the security field?
It's not a new topic, but business continuity and resilience is truly one of the things that corporate America has not necessarily embraced. Given what we've seen with natural disasters globally and in the United States, companies need strong emergency-preparedness and business-continuity plans. We've worked closely with our business partners to understand the risks and have worked together to mitigate them.
A second topic is global expansion of the security organization. We've gone out and found the best and brightest security professionals to work in or lead the regions we've expanded into. They understand the norms and the security climate, and they connect to the security infrastructure of that country. We're reliant on those leaders to paint an accurate picture of what's really going on so we don't underreact or overreact.
If a CSO could get budget approval for one security investment, what should it be?
If I were given a blank check today, I would invest in smart people. There's not a piece of equipment or software that won't be obsolete in a few years, but good people will never be obsolete.
When it comes to business stakeholders, what is their most dangerous misunderstanding about security?
The perception still exists that we're a cost center. It's incumbent on me and the other security leaders in the organization to take any opportunity to show how we've brought value to the business. One of the biggest shortcomings I've had personally--and [our communications organization] has helped me tremendously with it--is I wasn't always a big fan of articulating the activities we're involved with, the value of what we're doing and how it ties to the business. I thought, if we just do a good job every day, the recognition will come naturally. Now, we proactively share the successes of our team and how we've enabled the business.