As a company grows, building a decentralized, global team is very important for a number of reasons. Expanding internationally and taking on remote workers can help companies save money and meet their budgets. Current and prospective employees also might prefer the ability to work outside of major cities or even offices so they can lead a more affordable or flexible lifestyle.
Information security is also a major factor. Just like the modern businesses they prey on, attackers operate from multiple time zones and utilize automation tools that work around the clock. This means companies need team members who are capable of monitoring and responding to incidents 24 hours 7 days a week, hence from different points on the globe.
Many businesses face budgetary and staffing challenges when taking steps to expand globally. Company leaders often don’t know where to begin to staff or how to maintain core company values while still building a unique global culture. As a CSO who has expanded a core security team across global offices, the blueprint for success comes down to answering four common questions about creating a global team.
Where do I start?
The first step is to determine the drivers of decentralizing your security teams. Drivers typically fall into the following categories: reducing costs, hiring for hard-to-find skills, building a 24/7 security operation, and developing capabilities that require geographical proximity to business partners or internal stakeholders.
In this step, it is important to think about dependencies between the potential new roles and the existing organization. Remote teams and workers are more likely to succeed when there is either lower dependency on frequent face to face interactions with cross-functional stakeholders, or the organization has invested heavily in collaboration tools and has an established remote work culture. For example, while security architecture may require close work with IT, product management and software engineering, roles such as security operations and offensive security can work more independently and are strong candidates for decentralized teams.
It’s also important to consider the management structure for the new, remote teams. Start by hiring a manager for the team in the remote office or location and have them drive team creation, this enables organizations to benefit from the new manager’s network in the geographical area to hire qualified talent. You can also temporarily or permanently relocate leaders from your central team to the new location. The manager can act as the seed for the new team which will allow an effective transplant of the team’s processes, tools, culture, etc.
Where do I find talent?
Before you begin a hunt for any individual skillset, consider the challenges posed by new localities, for example: employment laws, benefit norms, political landscapes, organizational risks and other environmental factors (e.g. organized crime). To negotiate these concerns and learn about the environment, it’s worth working with a local consultant to make educated decisions. This doesn’t have to be a big expense — one of my peers recently found a talented recruiting consultant for $35/hour in Uruguay who advised on local work culture, compensation and employment law. Once you’ve determined that a location is suitable, the hunt for talent begins.
In the United States, we tend to see LinkedIn as the center of the recruiting world. But when your goal is to build a security team that can thrive across the globe, looking beyond LinkedIn lead to more diverse and effective hiring strategies.
To find new hires, consider working with a local recruiting agency. Another option is to designate one employee from your team to source prospective candidates for new offices. This person can network on the ground, attend industry events, and ultimately shorten the hiring cycle by interacting with prospects before starting a formal interview process.
Where are the landmines?
Considering the professional background of any candidate is key when evaluating a hire’s value — and potential risk — for the team.
As mentioned earlier, talent supply exists across all kinds of communities in different countries. In some environments, that can include individuals with an intelligence background. A potential employee with this background likely brings discipline, technical expertise and knowledge of nation-state attack techniques, however, that experience doesn’t necessarily come without potential risk. It’s important to recognize the potential for insider threats when evaluating candidates who served in certain geographies where intelligence organizations can legally call on their former employees to help with a project, which can happen at any time. Ask yourself whether your customers entrust you with data that can be helpful to the intelligence community, or if your business would even benefit from hiring employees with intelligence background.
A security leader should also consider a number of other risk factors as they work on creating global teams, including cultural attitude towards bribery, the influence of organized crime, the stability of the political environment and the potential for adversarial government actions.
How can I build a collaborative culture?
As a team grows internationally, leaders must ensure core company values transfer to each new employee and office. Creating this culture of inclusivity can take on many forms, including hosting offsites outside your headquarters and organizing a few team gatherings each year.
Another important element of the distributed team is the ability to effectively collaborate online. Luckily, today’s organizations have access to a growing number of productivity tools like Slack, Google Docs and Zoom to streamline communication and enable highly productive day-to-day team interactions. But more often than not, it is necessary to make changes to accommodate the decentralized team. For example, Incident Response will need to establish handoff procedures to allow operational continuity across shift and time zones. In some cases, it may be necessary to converge on standard collaboration tools and deprecate those that may be preferred by a subset of the team.
A significant part of building an inclusive security team culture also means establishing location-agnostic career paths for all types of roles. For the centralized team to succeed, there shouldn’t be a situation where promotions are concentrated in headquarters. That said, the organization may have specific location requirements for leadership and executive roles that will come into play at some point in an individual’s career.
For every CSO, it’s critical to consider these four questions before building a decentralized team in order to ensure each decision improves the team’s effectiveness. And it’s worth the effort — CSOs that can implement a global team of experts to open pathways to a 24/7 presence and untapped global security talent that is capable of keeping their company secure.