A CSO’s perspective on emerging global security risk

April 11, 2024
Former Boeing CSO Dave Komendat shares his vision of what a comprehensive risk plan must encompass for a global enterprise.

For global enterprise businesses, it has become clear over time that the needs of staff and employees deployed around the world extend beyond physical and cybersecurity.

In his nearly four decades as a senior security professional, of which 14 years were as a Vice President and Chief Security Officer with The Boeing Company, Dave Komendat realized his duty of care for the thousands of Boeing personnel working globally required a full menu of services to ensure their safety and well-being.

Komendat was responsible for the company’s global security and fire protection policy and procedures, site security, executive protection, supply chain and aviation security, structural and aircraft fire protection, government, and proprietary information security, classified cyber security, strategic intelligence, international security, business continuity and disaster preparedness, Global Security Operations Center, and security background investigations.

To say he had a full plate would certainly be an understatement. However, the focus for global staff had to be more direct and intentional in the event of disasters, political upheaval or terror events. CSOs like Komendat often partner with specialty security and risk management companies to satisfy these unique and critical services.

Komendat, who retired from Boeing in 2022 and subsequently founded DSKomendat Rick Management Services, recently joined one such company that he relied on during his Boeing tenure.

International SOS, a consortium of security, risk and health experts that provides real-time, actionable intelligence and on-the-ground delivery of security and emergency medical care in the event of a serious medical or a security incident, brought Komendat aboard in 2023.

He serves as a Senior Security Advisor and is responsible for working with International SOS leaders and clients to solve complex challenges, including the areas of travel risk management, business continuity, event security and threat intelligence.

I sat down with Komendat before the ISC West show to catch up on life after Boeing and his new role with International SOS.

Steve Lasky: I suppose it would be a misnomer to say you’ve retired. How did this relationship with International SOS come about and why?

Dave Komendat: I just wanted to work differently, and one of the first companies that reached out to me was International SOS. I was a customer of theirs at Boeing and I've always had great respect for what they do. I believed in their mission and I've always been a mission-oriented guy. They offered me an opportunity to do some work for them, so for me, it was super appealing.

Lasky: Tell me about what International SOS does, since some people in the security industry may not be familiar with them unless they've got global enterprises.

Komendat: The way I like to describe International SOS is that it’s truly the only fully integrated security and medical company within the market today. Some companies say they do all the above, but really only do parts of it. International SOS is the only company that does all.

Their medical services are very well known and have been around for many years. Most of the Fortune 500 uses them, but they also have a large, sophisticated security business (intelligence, Executive Protection, event protection, etc.) and that's lesser known. That was one of the reasons why they brought me in, as well as four other U.S.-based colleagues who come from the security industry and are also tenured senior security advisors with International SOS.

Our role is to help educate and grow that security portion of the International SOS business and everything that you can think of from a security perspective within that portfolio -- crisis management, executive protection, intelligence, employee mental health; all of those types of capabilities. They exist and it's our job to help the industry know that this is an option.

Lasky: When major companies are shopping for companies that are going to help them protect and secure their facilities and their personnel abroad, what are some of the best practices they should be looking for?

Komendat: I think the most important thing to do in this space is you've got to look at “performance”. Do they have a demonstrated track record of success? There are a lot of people who say they can do certain things, but when the chips are down, do they have the capability to make it happen? We've seen several occurrences now over the last few years, whether it's what's going on right now in Haiti or what has transpired in Ukraine or Israel and Gaza, when those crises broke out, helping people in need safely evacuate is job one.

It is extremely important to perform due diligence on the company that you're considering selecting and to make sure that they've got a demonstrated history of doing what they say they can do. Some companies say that they can get people out, but I always look for who is actually successful in accomplishing that task. It's kind of a get-what-you-pay-for type mentality.

"If you're going to go on the cheap, likely you're not going to get the desired results and in the worst-case scenario are going to get hurt. I used International SOS many times during my career, and they always came through for me, so I would encourage anybody out there to shop before you commit.

Lasky: During your tenure at Boeing as CSO, what were some of the challenges that kept you up at night as far as your global operations were concerned?

Komendat: You hit on some of them, just the depth, breadth and size of scale of the operation. We are in 72 countries around the world. Some of those countries were not great places to be. Our defense business was quite large, and we would have Boeing employees in several locations around the world that were and still are extremely dangerous.

Those are the types of concerns that would worry me when we had people deployed in forward operating bases under the protection of the U.S. forces, or maybe third-country guardian angels.

That was always a concern, and I was very intentional during my tenure, of going out and visiting those locations and countries around the world to see exactly the type of protection and services that they were receiving. I always felt if something went wrong, I wanted to understand, very quickly, the environment that they were working in so that if we decided that they had to leave or we needed an evacuation service -- or we had a medical situation -- we knew exactly what we were going to be facing.

The only way I could do that was to see, touch, feel and smell it. Boeing had so many people in so many different places, that we had to make sure we had good situational awareness so that if necessary, we could react early to a growing risk and be out in front with informed decision-making.

Lasky: As a CSO at a global company, how do you put contingencies together to both protect your personnel and facilities, while formulating a game plan to survive economically and mitigate risks in particularly dangerous regions?

Komendat: It's important to practice, to the extent possible, staying left of boom. We would spend a lot of time as a leadership team going through the different regions and looking at what was bubbling up in those areas and asking ourselves the “what if question” -- what if this happened, what would we do, where would we go, how would we handle a situation, what would our trip wires be?

I always felt like these discussions and tabletops were invaluable because inevitably, one of those things would bubble up during the year and we would have likely already had a tangible discussion about a scenario before bringing the entire Crisis Management Team (CMT) together. Our CMT was regularly exercised, so even when we would meet on an issue the first time, it didn't feel like the first time. It felt more like we were in the refined plan phase because of the CMT’s experience working

As a CMT, we would validate assumptions made early on and then we would act. That always allowed us to be agile from a business perspective. It's especially important from a resiliency and continuity perspective that you do this right. You want to be able to go back and tell the business leaders “we can stay here if we do X&Y, or we can't stay here, and here's what we need to do differently so we can reconstitute business safely and securely”.

You can't do these things in a vacuum. You must do them in partnership with the business leaders and make sure they understand “the thought process” It’s a partnership. And when you must make those decisions, many more times than not, management is on your side and fully supportive of the direction you are recommending if they are kept informed.

Lasky: Most security executives understand the paradigms of risk and security preparedness. But the third leg of the stool, which is health safety, really doesn't get a lot of press. Explain how health safety is incorporated into that entire risk plan and how it is approached at Boeing and other Fortune 500 companies.

Komendat: I can only speak from the Boeing perspective, but I would tell you that we put a lot of emphasis on the health side because the reality is that's the most likely situation you're going to deal with. It's far less likely you're going to be caught in some major civil conflict, an act of terrorism or a natural disaster.

It is much more likely that somebody is going to get sick or multiple people are going to get sick and perhaps critically ill. Having the ability to quickly call upon resources, trusted resources that have vetted providers, who speak the language and can cut through all the red tape to get that employee the care that he or she needs in a professional and timely manner is critical.

When an employee knows that within their company those types of actions will be taken to make sure their health is put above everything else, it's a real morale booster. Not only to the employee that was impacted, but to his or her family and just as importantly, their coworkers. They see the care that these people get when they need it and how quickly they get it. I think companies that don't spend time thinking about this and planning for health emergencies are putting themselves at risk.

Lasky: As we look at the advanced nature of the challenges that your peers and colleagues are facing now and into the future, how do security professionals at the global enterprise level put together a game plan to meet the challenges?

Komendat: That's a great question, and there's no easy answer. Security professionals need to be thinkers and contemplate what's sitting out there. We're technically in a Gray War right now with China, Russia, Iran and North Korea. For those not familiar with the term Gray War, it's a step below kinetic conflict, but it doesn't mean that nasty things aren’t going on back and forth. And then there are the everyday threats on the cyber side. The election and social-influence campaigns, things of that sort.

I also think about bio security risk, not necessarily in the sense of another pandemic, but about an unnatural occurring event, an unintentional or intentional lab escape, the intentional introduction of the virus into the population or against the U.S. I think that that's a real threat that doesn't necessarily get the amount of attention that it should, but it's an area that we need to think about because when it happens, CSO’s will likely once again be the focal point for response within their companies.

Artificial intelligence possesses such potential to do remarkable things, but there's an equal potential for harm and security professionals need to understand the Ying and the Yang and how their company, their systems and tools can be favorably or unfavorably impacted by AI.

Those discussions need to be taking place now! So, those would be the three areas that encompass a lot of potential threats that a CSO needs to be constantly vigilant about.