Operations

10/28/2015
10:30 AM
Kal Bittianda
Kal Bittianda
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Global CISO: Why U.S. Leaders Must Think Beyond Borders

To compete for the top cybersecurity jobs on a world stage, home-grown CISOs need to take a more international approach to professional development.

Being the head of the cybersecurity practice for one of the global executive search firms gives me an ideal vantage point to see what companies are looking for in their next CISO -- and what the CISO talent pool is offering. Having those two constituencies in sync means a good fit between job candidates and positions, which in turn strengthens the collective security environment in which we all operate. When expectations start to diverge, not only do you have a great many frustrated people on both sides of the table, but cracks more readily appear in the world’s cyber-armor.

That’s why I can’t help but be a little concerned when I look at the three searches I am doing right now for multinationals headquartered outside the United States, each in a different industry. As I talk with them about what they are looking for in their next CISO, I am surprised to hear a wariness of hiring an American for the role.

Given the fact that the United States is still the world’s leading “producer” of CISOs, this is no small reservation. But the concerns are real.  “We do business everywhere from the U.K to Central Europe,” one told me. “Different jurisdictions, different cultures. We can’t have an American walking in with a binary mentality and just shutting everything down.”

“Binary mentality.” When I heard that, I understood exactly what my clients were concerned about. To borrow terms from the accounting industry (which has a lot in common with cybersecurity), Americans are rule-based whereas Europeans are principle-based. Americans like things clearly defined, so that every possible case can be neatly fit into a predetermined category. Europeans are more comfortable with establishing general guidelines and working out the specifics as they go along. It’s not that their standards are lower; they just take a more flexible approach to getting where they are going. That’s one reason that by one estimate, the U.S. tax code is eight times longer than the French tax code.

Translated to the world of cybersecurity, rule-based vs. principle-based might mean a different approach to structuring permissions or vetting new technologies. The important point isn’t that my European-based clients are advocating for one over the other; it’s that they want a CISO who can work in both environments and draw from each toolbox according to what’s best for the organization within the local context. Unfortunately, few American born-and-trained CISO candidates have the global perspective and adaptability that is increasingly becoming a must-have in today’s borderless economy.

Other business functions, as well as business operating units, have responded to globalization by including foreign postings as part of a rising executive’s training. Ideally, global companies need to do the same thing for cybersecurity leaders. In the meantime, however, there are three things cybersecurity leaders in America can do to stay in step with a wider world:

Keep your bags packed. American cybersecurity leaders aren’t only reluctant to consider job offers outside of the country; many won’t even look beyond their metropolitan area. Increasingly, American CISO candidates will be taking themselves out of consideration for prime appointments unless they are prepared to relocate in the same way that other senior executives are expected to in the course of their careers.

Get mentored. If you are at a company with international reach, a good way to develop a global sensibility is to be mentored by someone for whom it is an essential part of their job. That might be the head of a business unit, or someone like the CFO, general counsel or head of compliance, who has to operate across a range of regulatory regimes and sensibilities.

Look outside the office. If your company doesn’t have the global footprint that can provide exposure to different cultural and regulatory systems (and even if it does), consider a volunteer leadership role for a non-profit or professional organization with an international mission. In addition to broadening your perspective, you will be expanding your network in ways that may bring unexpected benefits down the line.

The expectation that cybersecurity leaders can work across borders as do their counterparts in other functions is just emerging, but it will surely gather momentum as economies become truly global. Although developing a global perspective is a long-term undertaking, current and future CISOs who start now can help ensure that their professional development keeps pace with the needs of the talent market—an alignment that makes for better security for everyone.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Kal Bittianda, based in New York, focuses on technology and communications, specifically the systems, software & services, and digital segments. He also serves in Egon Zehnder's Private Equity and Financial Services Practices. Kal conducts executive search and provides ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/3/2015 | 9:16:02 AM
Re: Important area for development
@Dr. T: I accidentally misread that as "leveling the country."  Of course, the sentence still works.  You wouldn't want that happening -- and certainly not happening again.

In any case, it's little wonder that Israel has top cybersecurity experts -- not only because of the sociopolitical climate, but also because the country starts students young in cybersecurity.  (The US, meanwhile, barely gets kids involved in programming.)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/3/2015 | 9:13:45 AM
Re: Good depiction of the current state
@Dr. T: Certainly.  NIST is a US federal agency, whereas ISO is an international group.  (Of course, ISO standards are facets of the NIST Cybersecurity Framework.)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/1/2015 | 10:30:32 PM
Re: non-binary
On the other hand, availability and accessibility are really the mortal enemies of security (and vice versa).  Want something to be as secure as possible?  Make it as inaccessible as possible.  And vice versa.  Want something to be readily available and accessible?  Reduce security measures to nil.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/1/2015 | 10:28:36 PM
Re: Good depiction of the current state
Yes, I'm starting to see familarity with ISO27001, specifically, on job requirements.

Worth pointing out, incidentally, that the NIST Cybersecurity Framework incorporates ISO standards.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 10:01:50 AM
Re: Important area for development
Yes, I like the article too. Israel does not look at the current state of an individual, theyu even do the questioning when you are leaving the country, they want to know the background of that person so they can block that person coming in next time.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:59:13 AM
Re: Good depiction of the current state
There are lots of things are overlapping between ISO27001 and NITS. If you are a global company then ISO27001 has more weight actually.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:57:17 AM
Re: non-binary
Agree. The definition of security is Confidentiality, Integrity and Availability. Without availability we could not really talk about security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:55:16 AM
Re: Good depiction of the current state
ISO27001 is picking up in US too, I have involved with a few companies that are working toward to this for their security practices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:52:39 AM
principle-based approach
 

maybe we need to try principle-based approach more often than rule-based approach, Security itself requires an approach where we define rules along the way for that specific situation. It sounds like it may be more effective approach.
SudeshK064
50%
50%
SudeshK064,
User Rank: Apprentice
10/30/2015 | 12:27:02 PM
Important area for development
Hi Kal

Excellent article and very good tips/advice for future cybsersecurity personnel.

I agree that we must take a global view of cybersecurity. As an example, I always contrast the approach to airport security in Israel versus US airport security.  The principle based approach used by Israelis tends to look for patterns and screenings of the passenger travel history. Their security personnel are trained to ask specific questions about the passenger unlike the pure "physical" screening employed stateside.

I look forward to follow-up articles.


SK
Page 1 / 2   >   >>
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.