Advertising, media, and consumer loyalty businesses hold a particular kind of sensitive data. Customer profiles, purchasing behaviour, loyalty programme identifiers, and the creative and campaign data of some of the world’s biggest brands all pass through their systems. These are consumer facing businesses at global scale, and a security failure does not just expose data. It undermines the trust that advertising and loyalty programmes depend on to function. The leaders in this feature are protecting organisations that sit at the centre of how brands reach and reward consumers, and their programmes reflect the discipline required to secure that relationship.
Paul Scott – Global CISO, Omnicom
Paul Scott has served as global CISO at Omnicom since May 2017, building and leading enterprise wide security architecture and compliance programmes spanning more than 1,500 agencies across 100 countries. He has achieved a 45 percent drop in incidents globally and a 100 percent audit pass rate across multiple cycles, while implementing Zero Trust, advanced IAM, and AI and machine learning governance frameworks. He serves as executive sponsor for global security and compliance, steering board level risk discussions and directing global incident response and business continuity to ensure uninterrupted operations during large scale disruption.
Before Omnicom, he spent more than two and a half years at TBWA Worldwide as chief security officer and CISO, reducing vulnerabilities by 40 percent and driving a 95 percent improvement in incident reporting. He spent nearly eleven years at Deloitte Switzerland across security operations lead, Swiss security programme manager, and deputy head of technology security roles, and began his career with a six year run as a network consultant at Arthur Andersen. Nine years at the helm of security for one of the world’s largest advertising holding companies, spanning 1,500 agencies and 100 countries, makes him one of the longer tenured CISOs in this feature.
Paul Hennessy – Global CISO, dentsu
Paul Hennessy has served as global CISO at dentsu since September 2024, having spent more than seven years before that as deputy global CISO and director of the security programme at the same company. His path to security leadership ran through a long career in large scale programme and transformation management rather than a traditional security track. Before dentsu, he held cyber programme director roles at Barclays and JPMorgan Chase, a programme director position at Direct Line Group, and spent nearly three years at Deutsche Bank as head of cyber security business and application programmes, delivering data leakage prevention, cryptography, cloud security, and application security solutions.
Earlier in his career, he managed multi site datacentre consolidation and application transformation programmes at Man Investments, led an interim datacentre migration for Ecobank in Ghana, and worked across investment banking, telecoms, pharmaceuticals, and broadcasting through consulting roles at Symantec and Company-i, with clients including UBS, ABN-AMRO, Merrill Lynch, and JPMorgan. That programme and transformation heavy career, built across some of the biggest names in banking and technology before consolidating into nearly eight years at dentsu, reflects a security leader whose strength lies in delivering complex global change at scale.
James Edwards-Scott – CISO, Williams Lea
James Edwards-Scott has served as CISO at Williams Lea since September 2021, bringing more than two decades of experience securing global and academic organisations to a business process outsourcing and document services company. Before his CISO role, he spent more than three years as group information security architect at Williams Lea Tag, and before that nearly three years at Cambridge University Press across enterprise security architect and enterprise architect roles, giving him direct experience with the unique security challenges of academic publishing.
Earlier in his career, he spent three years as infrastructure service design manager at Circle Anglia, a large housing association managing around 70,000 homes for nearly 200,000 tenants, and more than five years at Brink’s Europe and Developing Markets across technical manager and manager of infrastructure engineering roles, leading European Active Directory, Exchange, and Cisco IP telephony migrations across more than a dozen countries. That breadth across academic publishing, housing, and global security services, combined with hands on infrastructure delivery experience, gives him a practical foundation for securing Williams Lea’s outsourced business services operating across client industries.
Shahzad Ashfaque – Technology Operations Director and CISO, Virgin Red
Shahzad Ashfaque has served as technology operations director and CISO at Virgin Red since May 2019, holding both operational technology and security accountability for the Virgin Group’s consumer loyalty and rewards platform. Before Virgin Red, he spent more than eight years at Transport for London across end user computing service ownership, digital and professional services ownership, and performance and operations management roles, where he developed and supported AWS hosted infrastructure and services for TfL’s online applications and tools.
His TfL tenure gave him direct experience managing technology risk and service delivery for a critical public transport authority before moving into the consumer loyalty space, where Virgin Red’s platform touches millions of customers across the Virgin Group’s various consumer brands. He holds a CISM certification. That shift from public sector infrastructure and transport technology into consumer loyalty security reflects a career built on service ownership and technology risk management applied to two very different but equally high stakes environments.
Tom Johnson – CISO, IAG Loyalty
Tom Johnson stepped into the CISO role at IAG Loyalty in March 2026, bringing more than six years of security leadership built at ITV, where he most recently served as head of SecOps and head of cyber security operations and engineering. At ITV, he led the development of a modern, business aligned security function, transforming security from a reactive control layer into a proactive enabler of digital growth, resilience, and customer trust, with a particular focus on embedding security into engineering teams and strengthening resilience across cloud, data, and platform ecosystems.
Before ITV, he spent more than two years at Barclays as senior cyber investigations manager, headhunted to build a new investigations function from scratch and achieving a more than 60 percent increase in savings against cyber crime threats in the 2018-19 financial year. Before Barclays, he spent eleven years at the Metropolitan Police, rising from detective constable to detective sergeant and establishing a new digital investigations function supporting the Counter Terrorism Command, a team recognised in a 2017 staff survey as among the top 2 percent in the Metropolitan Police for feeling valued and able to perform effectively. That path from digital forensics and counter terrorism investigations through financial services cyber crime response to media sector security operations gives him an investigative foundation now applied to protecting IAG Loyalty’s airline rewards platform.
Consumer Trust Is the Product
The organisations in this feature sell attention, loyalty, and reward, and every one of them depends on consumers trusting that their data is handled responsibly. Advertising holding companies manage campaign and customer data across thousands of agencies and countries. Loyalty platforms hold the purchasing behaviour and personal details of millions of members. The leaders in this feature understand that a security failure in these environments is not just a technical incident. It is a breach of the exact trust that makes advertising, loyalty, and consumer engagement work in the first place.
Discover more CISOs protecting the media space:
- Brand Trust at Scale: The CISOs Securing Marketing, Media, and Advertising
- Cybersecurity Leaders to Watch in Tennessee’s Media, Entertainment and Marketing Sectors
- Cybersecurity Leaders to Watch in California’s Media & Entertainment Industry
- Security Leaders to Watch in the Netherlands Media and Entertainment Sector
- CISOs to Watch in Canadian Media & Entertainment
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

