Report from David Burrill's presentation at CSO Perspectives conference I have a lot of empathy for our Executive Programs staff who plan these events. Specifically,I wonder how they manage to find the right speakers for the right time of day. Take the first session after lunch. Attendees come from a sun-drenched veranda into the main hall for an hour-long discussion. It better be good or there’ll be some serious snoozing. But David Burrill, CSO of British American Tobacco, had little trouble fending off his colleagues’ somnolence in his post-lunch session, Security as a Business Enabler. “I’m conscious of the fact that I’ve drawn the after-lunch session,” Burrill, a Brit, joked. “Feel free to nap. However, if you snore, you’ll be evicted.”Burrill delivered a high-level talk–laced with edgy humor, some of which was not a perfect fit for this forum (you’ll have to ask a colleague who was here)–about how BAT is organized for security and how he hopes that, even after he retires next year, the function will continue to grow. His goal: Have a BATCSO on the board within ten years, something that hasn’t happened yet, he says, because he has not successfully convinced his bosses that he’s worthy.Burrill is overly self-critical that way. “I’m never satisfied with anything I do. Never ever,” he said. In fact, he’s been extremely successful at BAT’s CSO, managing a huge, well-organized security function that includes 85 security managers and many more staff. He shared the company’s security structure and its transformation with the attendees. His philosophy, Burrill says, was “born in 1992,” when he left the British Army (military intelligence) and joined British American Tobacco. It “came of age in 1998” and it was “fully recognized” in 2003, right about the time that his boss, the Legal Director, became the “Legal & Security Director.” Finally, security had a seat on the board. Next, he hopes the CSO gets one. Burrill also related some useful tactical experiences. In 2002, security at BAT went under an audit, the biggest audit of any function at BAT ever, and came out with some impressive metrics. One in particular stood out: For every $2 spent on securitythe company avoided $1 of loss from theft and other crime. Burrill’s energy and his enthusiasm for the security profession were evident from the beginning. So was his ambition. He summed up his philosophy this way: Corporate Security is to companies what national security is to nations. Related content news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry news UK data regulator warns that data breaches put abuse victims’ lives at risk The UK Information Commissioner’s Office has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse. By Michael Hill Sep 28, 2023 3 mins Electronic Health Records Data Breach Government news EchoMark releases watermarking solution to secure private communications, detect insider threats Enterprise-grade software embeds AI-driven, forensic watermarking in emails and documents to pinpoint potential insider risks By Michael Hill Sep 28, 2023 4 mins Communications Security Threat and Vulnerability Management Security Software news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe