
In a globally connected threat landscape, CISOs are often thrust into navigating cross-border issues and teams. In my experience, many CISOs “don’t know what they don’t know” about global security team management. Yet, mastering global leadership may be the difference between success and failure. 

During the 20+ years that I worked across EMEA, Latin America, and APAC, I saw some CISOs fail and others succeed in building high-performing, effective, cross-border security programs. Success was never based on the CISO’s level of IT skills. Instead, it was their global insight that helped build the right team, drive an effective communication strategy, and adapt to regional challenges.

Here are the three key areas a CISO needs to master to lead a high-performing global cybersecurity team.

Global Success Starts with People

There is no substitute for being on the ground, in-country. Security leaders need to know and live in the region they lead. You cannot be an EU team leader and live in Washington DC. Sometimes CISOs assign aspiring US-based managers to lead foreign teams to “get international experience”. That may be good experience for the manager, but it could lead to cultural misunderstandings with global staff. The best leaders live in the region and know the local challenges.

A combination of expats and local talent can be used to build a successful team. When hiring expats as leaders, ensure they have genuine experience in that culture. Prior work in Mexico and being able to speak Spanish does not necessarily mean a person is a good fit to lead your Spain team. Spain and Mexico may speak the same language, but have very different cultures.

Quality of life matters. You cannot rely solely on HR for your team’s support. HR may have little or no experience with unique expat challenges, like visas, healthcare, housing, and foreign retirement planning. These issues make a huge difference to the quality of life for expats and influence the effectiveness of your team. Your team can’t be focused if they are worried about personal issues.

Successful global teams are a mix of local staff and expats. These teams leverage the expats to connect back to the home country office or manage a set of countries where they share experience or language ability. They pay expats and local hires on the same scale and the CISO is actively involved in ensuring the personal wellbeing of team members.

Real Communication Drives Real Success

To effectively lead a global team, you need to conduct meaningful visits, not just “fly-by” drop-ins to the office. Trust and communication are built on spending time with local teams and really understanding their unique challenges. Use visits to listen and learn. Get to know your team, and the region, personally. Then use brief visits to reinforce that trust and catch up on any changes. In between your visits, rely on trusted in-country staff to be your on-the-ground trust builders.

Other best practices for communicating with your global team include:

  • Scheduling global team alignment meetings
  • Giving equal time to all teams and encouraging participation
  • Being mindful of scheduling cross-border meeting times when everyone is in their office – take turns staying up late or waking early for the meeting if necessary.

Real communication means making sure teams can understand critical materials and align to common standards. One solution may be to conduct multi-country team meetings to train to a common baseline on critical tasks with key leaders. Ensure that materials for critical systems are translated or confirm the understanding of an English manual by local staff. Communication can’t be accomplished without clear written and oral instruction across teams.

Finally, pre-planning your visit to a foreign country is critical to the success of a program. For example, when preparing to lead a digital forensics training seminar in Kenya, I discovered that intermittent electricity failures might impact the training process and back-up generators were needed to avoid disruption. Insights about a country cannot be discovered over a video call. Use quick regional visits to gather information, identify challenges, and confirm strategy with local team leaders.

Stay Aware of Local Challenges and Focus on Solutions

An understanding of local security challenges, awareness of regional security frameworks, and knowing unique legal requirements are critical to cross-border security success. For example, German privacy laws once prevented data loss prevention strategies and endpoint protection deployments that my company had used in other regions. Working with German privacy experts and making strategy adjustments avoided costly legal penalties and ensured a successful deployment of security tools. 

Identifying and building relationships with regional partners or regional industry groups is critical to success. For example, my engagement with the Europol advisory board proved helpful in establishing law enforcement contacts across Europe. When a data breach happens, or you need support from local law enforcement, these relationships are invaluable.

Building a local footprint in each area may not be economical or feasible. A key consideration is “build vs buy”. Relying on local partners is often needed, although this requires specific attention to confirm compliance with company standards. Using outside vendors may also prove more costly over time. Evaluate whether investing in trained local staff is less costly than relying on expensive consultants. Take time to also understand local vendors. Harmonizing security tools is an important efficiency goal; however, some regions may have strong preferences for a local vendor or partner that should be considered.

To deepen your understanding and ability to adapt, you need to understand local legal or regulatory requirements. Develop local partners for guidance. Analyze the costs of consultant reliance vs. an in-house team in regions where you may have additional long-term needs.

The Insight

Even as a seasoned CISO, continue learning. That one-week trip you take every year to the regional office does not make you an expert in the region. Listen carefully to what is said, and not said, before defining your strategy. Gain an understanding of the unique problems of your local teams as well as the local laws, standards, and requirements. Efforts to fully understand and support your regional teams are valued and will make your entire global security program much more likely to succeed.

November 2023

© 2024 FS-ISAC, Inc. All rights reserved.
