Building Security Culture Across Global Operations
Thomas Zeulner, CISO and Global Head of Security at TDK Electronics, shares insights from managing cybersecurity across a global industrial organization with over 21,000 employees and production sites worldwide. He emphasizes that effective security cannot be managed from a desk alone—it requires personal presence, cultural understanding, and direct engagement with employees across different regions. Zeulner explains how security culture must be adapted to local contexts, with awareness training delivered in native languages and tailored to regional work styles. He contrasts European employees' tendency toward experimental workarounds with Asian colleagues' more structured approach, highlighting the need for culturally sensitive security programs that account for these differences.
Real-World Threats and Human-Centric Defense
The conversation explores concrete attack scenarios TDK has faced, including a sophisticated voice phishing attempt targeting a finance employee. The attacker impersonated the company president using AI-generated voice technology, creating urgency around a supposed acquisition. The employee's security awareness and verification protocols—including requesting a callback to the official number and recording the suspicious call—prevented the attack. Zeulner uses such incidents as learning opportunities, sharing them across the organization to demonstrate real threats and reinforce the importance of verification procedures. He stresses that technology alone cannot solve security challenges; the human element—from awareness to usability considerations—is equally critical in building effective defenses.
Supply Chain Risk and Shadow IT Challenges
Zeulner addresses the growing complexity of supply chain security in a global manufacturing context. TDK categorizes suppliers by criticality and risk level, with IT and OT service providers facing stricter requirements including certifications like TISAX for automotive suppliers and NIS2 compliance for European operations. The company requires suppliers to demonstrate security practices, including employee training programs, with critical partners' staff participating directly in TDK's internal security training. Beyond traditional supply chain concerns, Zeulner identifies shadow IT and shadow AI as parallel challenges, with employees seeking unauthorized tools to improve productivity. He advocates for open dialogue, encouraging employees to voice their needs so security teams can evaluate solutions that balance usability with protection.
The Future of Enterprise Security
Looking ahead, Zeulner identifies three major concerns for global organizations: AI-driven cyberattacks that will become increasingly difficult to distinguish from legitimate communications, the proliferation of shadow IT and shadow AI as employees seek productivity tools outside approved systems, and supply chain vulnerabilities where less technologically mature partners create entry points for attackers. He emphasizes that future security will require both advanced technical solutions and enhanced human psychological awareness to detect manipulation attempts. The key to success lies in building trust between security teams and employees, maintaining an open error culture where incidents become learning opportunities, and ensuring security enables rather than blocks business innovation. Zeulner's background in emergency services informs his people-first approach: he views security professionals as having a helper syndrome, a desire to protect and enable others rather than simply enforce restrictions.