Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/28/2015
10:30 AM
Kal Bittianda
Kal Bittianda
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Global CISO: Why U.S. Leaders Must Think Beyond Borders

To compete for the top cybersecurity jobs on a world stage, home-grown CISOs need to take a more international approach to professional development.

Being the head of the cybersecurity practice for one of the global executive search firms gives me an ideal vantage point to see what companies are looking for in their next CISO -- and what the CISO talent pool is offering. Having those two constituencies in sync means a good fit between job candidates and positions, which in turn strengthens the collective security environment in which we all operate. When expectations start to diverge, not only do you have a great many frustrated people on both sides of the table, but cracks more readily appear in the world’s cyber-armor.

That’s why I can’t help but be a little concerned when I look at the three searches I am doing right now for multinationals headquartered outside the United States, each in a different industry. As I talk with them about what they are looking for in their next CISO, I am surprised to hear a wariness of hiring an American for the role.

Given the fact that the United States is still the world’s leading “producer” of CISOs, this is no small reservation. But the concerns are real.  “We do business everywhere from the U.K to Central Europe,” one told me. “Different jurisdictions, different cultures. We can’t have an American walking in with a binary mentality and just shutting everything down.”

“Binary mentality.” When I heard that, I understood exactly what my clients were concerned about. To borrow terms from the accounting industry (which has a lot in common with cybersecurity), Americans are rule-based whereas Europeans are principle-based. Americans like things clearly defined, so that every possible case can be neatly fit into a predetermined category. Europeans are more comfortable with establishing general guidelines and working out the specifics as they go along. It’s not that their standards are lower; they just take a more flexible approach to getting where they are going. That’s one reason that by one estimate, the U.S. tax code is eight times longer than the French tax code.

Translated to the world of cybersecurity, rule-based vs. principle-based might mean a different approach to structuring permissions or vetting new technologies. The important point isn’t that my European-based clients are advocating for one over the other; it’s that they want a CISO who can work in both environments and draw from each toolbox according to what’s best for the organization within the local context. Unfortunately, few American born-and-trained CISO candidates have the global perspective and adaptability that is increasingly becoming a must-have in today’s borderless economy.

Other business functions, as well as business operating units, have responded to globalization by including foreign postings as part of a rising executive’s training. Ideally, global companies need to do the same thing for cybersecurity leaders. In the meantime, however, there are three things cybersecurity leaders in America can do to stay in step with a wider world:

Keep your bags packed. American cybersecurity leaders aren’t only reluctant to consider job offers outside of the country; many won’t even look beyond their metropolitan area. Increasingly, American CISO candidates will be taking themselves out of consideration for prime appointments unless they are prepared to relocate in the same way that other senior executives are expected to in the course of their careers.

Get mentored. If you are at a company with international reach, a good way to develop a global sensibility is to be mentored by someone for whom it is an essential part of their job. That might be the head of a business unit, or someone like the CFO, general counsel or head of compliance, who has to operate across a range of regulatory regimes and sensibilities.

Look outside the office. If your company doesn’t have the global footprint that can provide exposure to different cultural and regulatory systems (and even if it does), consider a volunteer leadership role for a non-profit or professional organization with an international mission. In addition to broadening your perspective, you will be expanding your network in ways that may bring unexpected benefits down the line.

The expectation that cybersecurity leaders can work across borders as do their counterparts in other functions is just emerging, but it will surely gather momentum as economies become truly global. Although developing a global perspective is a long-term undertaking, current and future CISOs who start now can help ensure that their professional development keeps pace with the needs of the talent market—an alignment that makes for better security for everyone.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Kal Bittianda, based in New York, focuses on technology and communications, specifically the systems, software & services, and digital segments. He also serves in Egon Zehnder's Private Equity and Financial Services Practices. Kal conducts executive search and provides ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
michael.oberlaender@gmail.com
50%
50%
[email protected],
User Rank: Apprentice
10/29/2015 | 9:05:50 AM
Good depiction of the current state
Well written article Kal, thanks for sharing.

"Binary mentality" really puts it as it is.  Another good example is the typical legal term used in the US: "... including but not limited to ... LIST OF 25 EXAMPLES..." - my challenge for you: if it is not limited to, why do you list it in the first place :-) ?

Also, most companies and people here in the US only understand US culture - and think it's always the best and only.  Not true.  There are plenty of good cultures and well educated people and viewpoints in many other countries, too. 

On the subject, the ISO27001ff framework is the best international security standard so far - but most US com\panies focus on NIST or HIPAA or FIPS or FISMA etc.  ITIL (ISO20000) is a well established change management control standard but few have heard of it. 

On privacy, the US is looking like the fiethdoms in middle Europe in the 15th century - no federal privacy law, 48(?) various state laws, no true protection from government and NSA snooping, and zero protection while at work ("no expectation of privacy") anyway.

Well, the latest developments from the highest EU court to invalidate safe harbor for any data transfer from the EU into the US may ring in a bell in Washington.  Or, maybe we'll wait until January and enforcement kicks in.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/30/2015 | 11:36:22 AM
non-binary
Really, the "non-binary mentality" is simply a way of looking at cybersecurity as one piece of the risk management pie.  Security is constantly at odds with accessibility, and compliance issues further complicate all of that.  All of these come down to ROI and risk -- and, yes, many American execs that I meet and discuss these issues with are, at first, reluctant to look at security that way.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/30/2015 | 11:39:47 AM
Re: Good depiction of the current state
Companies stateside *have* to follow HIPAA (because it is the law for those companies in the healthcare and life sciences sectors) and the NIST Cybersecurity Framework (because, while not the law per se, is required for government contractors and subcontractors, and is used by regulatory agencies such as the SEC, the CFTC, the FTC, and so on as a yardstick) as a matter of course.  There is so many regulatory burdens that, for many, throwing in additional rubrics is unpalatable.
SudeshK064
50%
50%
SudeshK064,
User Rank: Apprentice
10/30/2015 | 12:27:02 PM
Important area for development
Hi Kal

Excellent article and very good tips/advice for future cybsersecurity personnel.

I agree that we must take a global view of cybersecurity. As an example, I always contrast the approach to airport security in Israel versus US airport security.  The principle based approach used by Israelis tends to look for patterns and screenings of the passenger travel history. Their security personnel are trained to ask specific questions about the passenger unlike the pure "physical" screening employed stateside.

I look forward to follow-up articles.


SK
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:52:39 AM
principle-based approach
 

maybe we need to try principle-based approach more often than rule-based approach, Security itself requires an approach where we define rules along the way for that specific situation. It sounds like it may be more effective approach.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:55:16 AM
Re: Good depiction of the current state
ISO27001 is picking up in US too, I have involved with a few companies that are working toward to this for their security practices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:57:17 AM
Re: non-binary
Agree. The definition of security is Confidentiality, Integrity and Availability. Without availability we could not really talk about security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 9:59:13 AM
Re: Good depiction of the current state
There are lots of things are overlapping between ISO27001 and NITS. If you are a global company then ISO27001 has more weight actually.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2015 | 10:01:50 AM
Re: Important area for development
Yes, I like the article too. Israel does not look at the current state of an individual, theyu even do the questioning when you are leaving the country, they want to know the background of that person so they can block that person coming in next time.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/1/2015 | 10:28:36 PM
Re: Good depiction of the current state
Yes, I'm starting to see familarity with ISO27001, specifically, on job requirements.

Worth pointing out, incidentally, that the NIST Cybersecurity Framework incorporates ISO standards.
Page 1 / 2   >   >>
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.