How are global companies typically structured when they have a global CISO and additional CISOs responsible for different regions? In these organizations, how are policies, approval processes, and compliance with local regulations managed across different regions?
In very large companies, the CISO structure is often federated. The global CISO defines the overarching cybersecurity strategy, policies, and standards (e.g., data protection, access control, incident response), while regional CISOs (e.g., EMEA, APAC, Americas) adapt and implement them locally.
Policies are typically created centrally but allow for regional tailoring to meet local laws and regulations (e.g., GDPR in Europe, CSL in China). Regional CISOs work closely with local legal and compliance teams, and any exceptions or adaptations are generally reviewed and approved by both regional and global teams (often via a policy governance forum). This structure ensures global consistency (in tools, controls, and reporting) while maintaining flexibility for regional requirements and regulatory compliance.
That said, in large to medium-sized organizations, I would favor a centralized approach, where the global CISO is supported by subject matter experts (SMEs) in key domains (e.g., SOC, GRC, cloud security). Each SME focuses on developing deep expertise and operational excellence in their area. While this model may require more effort and hands-on involvement, it offers greater control, consistency, and visibility across the organization—particularly when geographic or regulatory complexity is more manageable.
This is a relevant question - I really like it. This is a key point to define in a setup where there is a Global / Group CISO and regional / country-level / subsidiary-level CISOs in the organization. They have to work together according to a well-defined workflow. The Group CISO should be a strategic / supportive function. This role should help the local CISOs / Security Officers to deliver their tasks by setting the strategy and the framework around them. The policy structure should follow the same approach. There should be some group-level (global) and lower-level (local) policies, procedures, etc. The local ones should reflect local legislative requirements and local needs, while the global ones provide the frame and the main requirements. Approval lines should follow the organizational structure. Local ones should be reviewed and approved locally. Global teams are mostly in a supportive role for all the activities mentioned above. And never forget, each team, global and local, should support the business goals.
Most global companies run a centralized model: the global CISO sets the framework, and regional CISOs adapt it to meet local laws/standards. Policies start at the top, but regions adjust them through local approval channels; escalation only happens when there’s a legal or operational conflict. This setup works when regional leads have real authority. If HQ controls every detail, it slows things down and risks compliance gaps. What matters is alignment on principles, not uniformity in execution.