Four questions CSOs should ask when building a global security team

As a company grows, building a decentralized, global team is very important for a number of reasons. Expanding internationally and taking on remote workers can help companies save money and meet their budgets. Current and prospective employees also might prefer the ability to work outside of major cities or even offices so they can lead a more affordable or flexible lifestyle.

Information security is
also a major factor. Just like the modern businesses they prey on, attackers
operate from multiple time zones and utilize automation tools that work around
the clock. This means companies need team members who are capable of monitoring
and responding to incidents 24 hours 7 days a week, hence from different points
on the globe. 

Many businesses face
budgetary and staffing challenges when taking steps to expand globally. Company
leaders often don’t know where to begin to staff or how to maintain core
company values while still building a unique global culture. As a CSO who has
expanded a core security team across global offices, the blueprint for success
comes down to answering four common questions about creating a global team.

Where do I start?

The first step is to
determine the drivers of decentralizing your security teams. Drivers typically
fall into the following categories: reducing costs, hiring for hard-to-find
skills, building a 24/7 security operation, and developing capabilities that
require geographical proximity to business partners or internal stakeholders.

In this step, it is
important to think about dependencies between the potential new roles and the
existing organization. Remote teams and workers are more likely to succeed when
there is either lower dependency on frequent face to face interactions with
cross-functional stakeholders, or the organization has invested heavily in
collaboration tools and has an established remote work culture. For example,
while security architecture may require close work with IT, product management
and software engineering, roles such as security operations and offensive
security can work more independently and are strong candidates for
decentralized teams. 

It’s also important to
consider the management structure for the new, remote teams. Start by hiring a
manager for the team in the remote office or location and have them drive team
creation, this enables organizations to benefit from the new manager’s network
in the geographical area to hire qualified talent. You can also temporarily or
permanently relocate leaders from your central team to the new location. The
manager can act as the seed for the new team which will allow an effective
transplant of the team’s processes, tools, culture, etc.

Where do I find talent?

Before you begin a hunt
for any individual skillset, consider the challenges posed by new localities,
for example: employment laws, benefit norms, political landscapes,
organizational risks and other environmental factors (e.g. organized crime). To
negotiate these concerns and learn about the environment, it’s worth working
with a local consultant to make educated decisions. This doesn’t have to be a
big expense — one of my peers recently found a talented recruiting consultant
for $35/hour in Uruguay who advised on local work culture, compensation and
employment law. Once you’ve determined that a location is suitable, the hunt
for talent begins.

In the United States, we
tend to see LinkedIn as the center of the recruiting world. But when your goal
is to build a security team that can thrive across the globe, looking beyond
LinkedIn lead to more diverse and effective hiring strategies. 

To find new hires,
consider working with a local recruiting agency. Another option is to designate
one employee from your team to source prospective candidates for new offices.
This person can network on the ground, attend industry events, and ultimately
shorten the hiring cycle by interacting with prospects before starting a formal
interview process.

Where are the landmines?

Considering the
professional background of any candidate is key when evaluating a hire’s value
— and potential risk — for the team. 

As mentioned earlier,
talent supply exists across all kinds of communities in different countries. In
some environments, that can include individuals with an intelligence
background. A potential employee with this background likely brings discipline,
technical expertise and knowledge of nation-state attack techniques, however,
that experience doesn’t necessarily come without potential risk. It’s important
to recognize the potential for insider threats when evaluating candidates who
served in certain geographies where intelligence organizations can legally call
on their former employees to help with a project, which can happen at any time.
Ask yourself whether your customers entrust you with data that can be helpful
to the intelligence community, or if your business would even benefit from
hiring employees with intelligence background.

A security leader should
also consider a number of other risk factors as they work on creating global
teams, including cultural attitude towards bribery, the influence of organized
crime, the stability of the political environment and the potential for
adversarial government actions. 

How can I build a
collaborative culture?

As a team grows
internationally, leaders must ensure core company values transfer to each new
employee and office. Creating this culture of inclusivity can take on many
forms, including hosting offsites outside your headquarters and organizing a
few team gatherings each year.

Another important
element of the distributed team is the ability to effectively collaborate
online. Luckily, today’s organizations have access to a growing number of
productivity tools like Slack, Google Docs
and Zoom to streamline communication and enable highly productive day-to-day
team interactions. But more often than not, it is necessary to make changes to
accommodate the decentralized team. For example, Incident Response will need to
establish handoff procedures to allow operational continuity across shift and
time zones. In some cases, it may be necessary to converge on standard
collaboration tools and deprecate those that may be preferred by a subset of
the team.

A significant part of
building an inclusive security team culture also means establishing
location-agnostic career paths for all types of roles. For the centralized team
to succeed, there shouldn’t be a situation where promotions are concentrated in
headquarters. That said, the organization may have specific location
requirements for leadership and executive roles that will come into play at
some point in an individual’s career.

For every CSO, it’s
critical to consider these four questions before building a decentralized team
in order to ensure each decision improves the team’s effectiveness. And it’s
worth the effort — CSOs that can implement a global team of experts to open
pathways to a 24/7 presence and untapped global security talent that is capable
of keeping their company secure. 

Comments are closed.