• United States



World View: CISO Types Spotted ‘In the Wild’ at a European Security Conference

Dec 03, 20076 mins
CareersCSO and CISO

Sure the speakers droned on--but at least our daring CISO columnist won’t be deluged with marketing calls afterwards

As I write this month’s column, I am sitting in the midst on a mind-numbing information security conference in a large country in central Europe. The speaker has a Ph.D. and has turned his back to the audience whilst he spends five minutes at a flip chart scratching out an organization diagram for best practices in implementing an organization-wide business continuity and disaster recovery test plan…zzzzzzz. I notice seven members of the audience take the opportunity to sneak out of the room. That got me to thinking about how CISOs from different countries communicate–or fail to.

First, there are the American conference speakers, who are either working for a European company (very rare), representing a U.S. company doing business in Europe (more likely) or stationed in a U.S. company headquarters but have come to Europe to survey their domain (usually the case). Their lectures are invariably full of pithy implications like, “Security is all screwed up, and if people would only do things the way I say then all their security problems would be solved.” I’m using literary license, of course, but that’s the way they typically come off to the audience. Also, their PowerPoint slides are notoriously devoid of any substance and full of marketing slogans stating why their company is the best in security. I’m guessing this is because their public relations department has deleted anything that might be deemed vaguely interesting on the grounds that it is intellectual property. What’s left, of course, are empty slogans, nice graphics and (usually) entertaining animation and music. It’s the conference presentation equivalent of a Big Mac and fries–tastes good but not particularly nutritious.

Next are the Brits. They’re famous for affecting a faux carefree, debonair attitude during their presentations. I think this is a hold-over from the days of bad ‘60s British TV drama. I’m guessing these people must have cut their teeth on sappy episodes of the Avengers. They probably fancy themselves a modern day Mr. Steed–gaily hopping their way across a globe full of intrigue and espionage whilst solving the most difficult cases with effortless grace, charm and nonchalance. Call me crazy, call me irresponsible, but if there is one adjective I would never use to describe an information security officer, it would be nonchalant. I’m sorry, but when a zero-day attack explodes inside your corporate LAN, you’re not going to turn to your colleague and say, “My what an interesting little problem we have here. Why, don’t we go out for a spot of tea and have a chat about this little annoyance.”

Now it’s the Germans turn. Would someone please get the word to German presenters that a conference presentation is not a defense of a Ph.D. dissertation? Their PowerPoint slides are invariably bursting at the seams with monochrome charts, graphs, explanations and caveats. The writing on the slides is so small that the audience needs to be equipped with opera glasses just to read the damn thing. I also think German speakers must all go to the Immanuel Kant School of public speaking.  If you’ll remember, Kant was the philosopher who could spend an entire page on one interminable, run-on sentence. I imagine he must have been the life of the party at all the philosophers’ beer bashes. Take that mind-set and combine it with a dash of deep, humorless, monotone voice and you have the stereo-typical German presenter.

Probably the best speakers at the conference are the French. The French educational system teaches them to be organized, by beginning with an introduction of the three main points of the presentation, then elaborating on the three main points in the presentation, and then concluding by summarizing the three main points of the presentation. Oh, did I mention that most French presentations have three main points? Seriously, though, the French probably have the best presentations, plus they combine it with their world famous joie de vivre to make it entertaining. I know all this praise must sound strange to Americans in the reading audience who are used to bashing the French. For those people, I promise to tell a French joke before the end of the article.

Is there anything good about European security conferences? Yes, a few things. For starters I’d take a conference in any European city over one in, say, Orlando. Second, after attending a European conference you don’t have to worry about being deluged with e-mail solicitations from vendors, consultants and the four-time divorced bartender you happened to engage in a conversation with when you ordered a beer in the hotel lounge. (We’ll save that last story for another time.) The reason is the Europeans take seriously their obligation to protect the personal details of the conference attendees. In contrast, the last time I went to a major conference in the States (hint: it’s three letters and the first letter is R and the last is A), I returned to find my e-mail box stuffed with junk mail from sponsors of the conference. Over the next few weeks my phone wouldn’t stop ringing from solicitations.

So what type of CISO am I, an American who has now worked for a European organization (twice), represented a U.S. company doing business in Europe, and been stationed in a U.S. company headquarters but gone to Europe to survey my domain? I’m not sure, but I do know that nowadays I tend to tell jokes not about the French, but in French. As promised:

Les numeros zeros avaient une fete. Un numero 8 vient a la porte de la fete. Le garde de securite dit, “Je suis desole, mais cette fete est seulement pour les numeros zeros.” Le numero 8 repond, “Ne peux pas je porte une ceinture?” *

OK, so it may not be that great of a joke. But it sure beats most of what I heard at the conference.

Paul Raines, columnist
World View columnist Paul Raines is CISO for a non-profit organization based in The Hague, Netherlands. Send feedback to Managing Editor Sarah Scalet at

* Translation (but only because the editor made him): A group of the number zeroes are having a party. A number eight comes to the door. The security guard says, “Sorry, Pal, this party is just for zeroes.” The number eight replies “Can’t a guy wear a belt?”


Comments on this article:

European Conference

Thanks Paul. A very entertaining summary – and you have the nationality stereotypes nailed. Your report is a great reminder to all of us to focus our presentations with 3 main points, provide meaningful content, etc.

This also reminds me of life in England and begs another trip to Europe, if the dollar wasn’t so weak.

CISO Types

Paul Raines’ rundown of CSO speakers is hilarious and right on the money. I would just add that the Swiss start out with the same PhD dissertation as the Germans, but then they break early for lunch (and their slides are much more elegantly formatted).


Paul Raines is the Chief Information Security Officer for the United Nations Development Programme. In that capacity he is responsible for the information security and disaster recovery planning for the Organisation’s 177 locations around the world. Previously, he worked for the Organisation for the Prohibition of Chemical Weapons (OPCW) and, like all current and former members of the organization, shared in the 2013 Nobel Peace Prize. Prior to working for the United Nations he was the Chief Information Security Officer for Bloomberg LP and the Federal Reserve Bank of New York. He is a graduate of the United States Air Force Academy and Harvard’s Kennedy School of Government. For relaxation he enjoys opera, Shakespeare, French wine and sometimes just sitting in a cafe with an espresso and croissant reading a good book on Roman history.

The opinions expressed in this blog are those of Paul Raines and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author