ASIS International recently announced that Dave Tyson, senior director, information security and CISO for S.C. Johnson, would serve as its president in 2015. Tyson, who has nearly 30 years of experience in enterprise security, began his career in the industry as a bodyguard, working to protect both high-profile executives and celebrities. After spending between four to five years in executive protection, Tyson would go on to work for several different guard services providers in his hometown of Vancouver, Canada.
"I did all of the jobs. I was a security officer and guarded all of the hotspots like a big empty hole, a pile of sand, all kinds of great jobs," Tyson said jokingly. "I also worked in some high-profile environments over time such as government office buildings. I did all of the traditional jobs… and even pulled some cable through the roof to put in some alarm systems."
Tyson would eventually become the chief security officer for Vancouver, during which time he was recognized by our sister publication, Security Technology Executive magazine (formerly Security Technology & Design), as one of the "Top 10 Movers & Shakers" in the industry. Recognizing the convergence taking place between IT and physical security, Tyson spearheaded security policies in Vancouver that were well ahead of their time.
In this "At the Frontline" interview, Tyson discusses what he believes are some of the biggest challenges currently facing the industry and how security practitioners can better mitigate risk in an ever-evolving threat landscape.
SIW: What are some of the goals that you hope to accomplish as ASIS president next year?
Tyson: I want us to continue to globalize. Since ASIS became ASIS International, we have been focused on growing but we need to continue the job of globalizing our society and getting more vendors into the organization that bring differing opinions and differing views so we can truly have a global view of the security industry. Continuing to advance our organization in several markets where there are potentially large opportunities for us, such as India, China, Brazil and other places are a big focus for me. Also, focusing on member value – it’s not always necessarily about doing more for them, but really trying to ensure what we do is highly valued and coveted by them – so they see that value in their membership. Lastly, we need to continue the discussion with our partners in information security and making sure that our members have that enterprise-wide view of the risks that face corporations today.
SIW: What do you believe is the biggest challenge facing security professionals from a physical standpoint?
Tyson: I’m not sure you could narrow it down to one thing, but certainly the impact of technology and the velocity of data that people have to interact with today is challenging. All of these things are challenging security professionals to be more efficient and more effective and I think that will continue. The impact of technology and the threat from the Internet and the Internet of Things; the more that we plug into the Internet the more risk that (malware could get) in the network. Since our physical security infrastructure runs on the network, it creates more need for folks to be aware, educated and properly trained to respond.
SIW: How has the explosion we’ve seen in data breaches and other types of cyber threats impacted the role of the contemporary CSO?
Tyson: I think that it has resulted in a couple of things. One is that the CSO now truly has to be tenacious in his or her relationship with the board and with senior leadership because they have a much bigger sense of the urgency of security in general terms as it relates to the cyber side of the house. They have to have that view of the risks associated with the cyber side of the house no matter what part of the industry they are in, so that’s one thing. The second thing is the CSO who may have had less IT-related experience before has to understand the impact of cyber threats. Those breaches are very telling because just because it doesn’t happen to you today, a reactive event for one company could be a predictive event for another and if you are in the same industry as someone else, that could be a real good calling card for what might happen to you. Understanding these types of attacks and understanding the motivation behind the threat actors and what they are after can be very instructive for the CSO in terms of what the bad guy is after and how you can protect your organization from that kind of risk.
SIW: How should security directors go about getting that seat at the C-suite table?
Tyson: From a contemporary perspective, we’ve seen that you have to learn to speak the language of business. I think now we’re a place where CSOs or security managers who want to get a seat at the table have to become ruthless in their pursuit of focus on the business. They have to prioritize their security program - whether it is brand protection, information security, guard force management or anything else – and we really need to align our security programs, our spending and risk-investment tradeoffs, against what truly matters for the business. You’re talking now about the things that really determine how your business succeeds. It’s about looking at the value-creation activities in your business, instead of what we have historically done where we peanut butter spread our security program to cover every risk, now we see a lot more focus on the things that truly matter to the organization.
SIW: Having served in high ranking security positions for companies in a variety of industries, what is one common thread that they all share in terms of their security requirements?
Tyson: At the end of the day, what you’re talking about is business risk. All companies have a risk number, an investment number and there is a portfolio of risk that they need to manage. Having the conversation about that risk-investment tradeoff based on the threats that face the company and their risk tolerance level, that’s the common thread. I’ve had conversations with folks from just about every vertical and, at the end of day, what we are talking about is the business has risk and you have to make sure that you’re investing in risk mitigation that truly lines up with what is most important to that business. And where that conversation is healthy and productive and well-received, these are the companies that are having these high-quality results. Risk management is not about bringing risk to zero, so bad things can happen to good companies because the pace of technological change and the pace of innovation by the bad guys sometimes is faster than the innovation of the good guys.
