Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Kal Bittianda
Kal Bittianda
Connect Directly
E-Mail vvv

The Global CISO: Why U.S. Leaders Must Think Beyond Borders

To compete for the top cybersecurity jobs on a world stage, home-grown CISOs need to take a more international approach to professional development.

Being the head of the cybersecurity practice for one of the global executive search firms gives me an ideal vantage point to see what companies are looking for in their next CISO -- and what the CISO talent pool is offering. Having those two constituencies in sync means a good fit between job candidates and positions, which in turn strengthens the collective security environment in which we all operate. When expectations start to diverge, not only do you have a great many frustrated people on both sides of the table, but cracks more readily appear in the world’s cyber-armor.

That’s why I can’t help but be a little concerned when I look at the three searches I am doing right now for multinationals headquartered outside the United States, each in a different industry. As I talk with them about what they are looking for in their next CISO, I am surprised to hear a wariness of hiring an American for the role.

Given the fact that the United States is still the world’s leading “producer” of CISOs, this is no small reservation. But the concerns are real.  “We do business everywhere from the U.K to Central Europe,” one told me. “Different jurisdictions, different cultures. We can’t have an American walking in with a binary mentality and just shutting everything down.”

“Binary mentality.” When I heard that, I understood exactly what my clients were concerned about. To borrow terms from the accounting industry (which has a lot in common with cybersecurity), Americans are rule-based whereas Europeans are principle-based. Americans like things clearly defined, so that every possible case can be neatly fit into a predetermined category. Europeans are more comfortable with establishing general guidelines and working out the specifics as they go along. It’s not that their standards are lower; they just take a more flexible approach to getting where they are going. That’s one reason that by one estimate, the U.S. tax code is eight times longer than the French tax code.

Translated to the world of cybersecurity, rule-based vs. principle-based might mean a different approach to structuring permissions or vetting new technologies. The important point isn’t that my European-based clients are advocating for one over the other; it’s that they want a CISO who can work in both environments and draw from each toolbox according to what’s best for the organization within the local context. Unfortunately, few American born-and-trained CISO candidates have the global perspective and adaptability that is increasingly becoming a must-have in today’s borderless economy.

Other business functions, as well as business operating units, have responded to globalization by including foreign postings as part of a rising executive’s training. Ideally, global companies need to do the same thing for cybersecurity leaders. In the meantime, however, there are three things cybersecurity leaders in America can do to stay in step with a wider world:

Keep your bags packed. American cybersecurity leaders aren’t only reluctant to consider job offers outside of the country; many won’t even look beyond their metropolitan area. Increasingly, American CISO candidates will be taking themselves out of consideration for prime appointments unless they are prepared to relocate in the same way that other senior executives are expected to in the course of their careers.

Get mentored. If you are at a company with international reach, a good way to develop a global sensibility is to be mentored by someone for whom it is an essential part of their job. That might be the head of a business unit, or someone like the CFO, general counsel or head of compliance, who has to operate across a range of regulatory regimes and sensibilities.

Look outside the office. If your company doesn’t have the global footprint that can provide exposure to different cultural and regulatory systems (and even if it does), consider a volunteer leadership role for a non-profit or professional organization with an international mission. In addition to broadening your perspective, you will be expanding your network in ways that may bring unexpected benefits down the line.

The expectation that cybersecurity leaders can work across borders as do their counterparts in other functions is just emerging, but it will surely gather momentum as economies become truly global. Although developing a global perspective is a long-term undertaking, current and future CISOs who start now can help ensure that their professional development keeps pace with the needs of the talent market—an alignment that makes for better security for everyone.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Kal Bittianda, based in New York, focuses on technology and communications, specifically the systems, software & services, and digital segments. He also serves in Egon Zehnder's Private Equity and Financial Services Practices. Kal conducts executive search and provides ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
10/30/2015 | 11:39:47 AM
Re: Good depiction of the current state
Companies stateside *have* to follow HIPAA (because it is the law for those companies in the healthcare and life sciences sectors) and the NIST Cybersecurity Framework (because, while not the law per se, is required for government contractors and subcontractors, and is used by regulatory agencies such as the SEC, the CFTC, the FTC, and so on as a yardstick) as a matter of course.  There is so many regulatory burdens that, for many, throwing in additional rubrics is unpalatable.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
10/30/2015 | 11:36:22 AM
Really, the "non-binary mentality" is simply a way of looking at cybersecurity as one piece of the risk management pie.  Security is constantly at odds with accessibility, and compliance issues further complicate all of that.  All of these come down to ROI and risk -- and, yes, many American execs that I meet and discuss these issues with are, at first, reluctant to look at security that way.
[email protected],
User Rank: Apprentice
10/29/2015 | 9:05:50 AM
Good depiction of the current state
Well written article Kal, thanks for sharing.

"Binary mentality" really puts it as it is.  Another good example is the typical legal term used in the US: "... including but not limited to ... LIST OF 25 EXAMPLES..." - my challenge for you: if it is not limited to, why do you list it in the first place :-) ?

Also, most companies and people here in the US only understand US culture - and think it's always the best and only.  Not true.  There are plenty of good cultures and well educated people and viewpoints in many other countries, too. 

On the subject, the ISO27001ff framework is the best international security standard so far - but most US com\panies focus on NIST or HIPAA or FIPS or FISMA etc.  ITIL (ISO20000) is a well established change management control standard but few have heard of it. 

On privacy, the US is looking like the fiethdoms in middle Europe in the 15th century - no federal privacy law, 48(?) various state laws, no true protection from government and NSA snooping, and zero protection while at work ("no expectation of privacy") anyway.

Well, the latest developments from the highest EU court to invalidate safe harbor for any data transfer from the EU into the US may ring in a bell in Washington.  Or, maybe we'll wait until January and enforcement kicks in.
<<   <   Page 2 / 2
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master &Atilde;&cent;&acirc;&sbquo;&not;&acirc;&euro;&oelig; Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.