12 insights from General Electric's CSO Frank Taylor

Keynote address at ESX looks at what drives the CSO job at a multinational corporation

Salespeople representing security technologies, pay attention: the CSO doesn't want to hear about widgets. "We don't even talk unless you have integrated systems." On the same note, he says that salespeople need to understand his problems before they even think about offering a solution. "There is an attitude [among security technology salespeople] that, 'I don't need to know what your problem is; I need to tell you what my solution is.'" Don't expect that attitude to fly with a seasoned security executive, said Taylor.

Any security system you're selling to a well-run security department needs to produce metrics. As Taylor said during the keynote, "If I can't measure it, then I'm not buying it." The metrics that Taylor looks at daily include compliance with regulatory issues, but he says he is also measuring response time tests for the company's emergency notification systems. As mentioned before in regard to travel security, Taylor said the company measures how effective his department is in locating employees quickly in the case of an emergency (the recent landing of a U.S. Airways flight in the Hudson River was cited as an example). He is also routinely measuring the "standard" items, like his budget, security staff headcounts, security incidents and incident trends.

Employee security awareness is vital to an organization's overall security posture. Taylor helps facilitate security briefings with employees. He has put into place a method through which General Electric employees can report security concerns, and he makes sure his department responds to those concerns in a timely manner.

The CSO should brief senior management on a regular basis. For Taylor this involves a monthly briefing where he reports to the company on new concerns and threat vectors.