Empowered International Teams

Strategic Security

Illustration by Gordon Studer​​

Empowered International Teams
 

​Diverse work teams are smarter than homogenous ones, according to a recent Harvard Business Review study. In “Why Diverse Teams Are Smarter,” authors David Rock and Heidi Grant found that such teams are smarter for three main reasons: they focus more on the facts, they process those facts more carefully, and they are more innovative. Working with people who are different from you, the authors found, challenges your brain to overcome rote ways of thinking and sharpens its performance.

I know these findings to be true, based on my own experience managing international teams in the information security field. I’ve also learned that teams are most effective when they are managed in a way that empowers each individual member. 

Empowerment is a management practice of sharing information, rewards, and power with employees, so that they can take initiative 

and improve their services and performance. It is based on the idea that developing employees’ skills; giving them resources, authority, opportunity, and motivation. and holding them responsible and accountable for their actions will all contribute to their competence and satisfaction.

But empowering international teams is not always easy. Language barriers, cultural differences, and inconvenient time zones can interfere with even the most capable of teams. It is literally impossible to stop by someone’s desk to ask a question or clarify a decision if team members are stationed around the world.

Given these challenges, this article offers some guidance and best practices on how security managers can lead efficiently and effectively by applying the principles of business empowerment to international teams. Much of this guidance is based on my management experiences in the field, with companies such as eBay and Symantec. This guidance applies right from the beginning, when the team is first being established, and continues through the different stages of the team’s operations. ​

Local Managers

Sometimes security managers are tasked with building a team from scratch. Other times, a manager is charged with working with an existing team. Either way, the first step toward effectively empowering a team is to ensure that the team’s structure matches the team’s business objectives. A structure–objectives match will serve as the foundation for empowerment, because it will make for efficient and effective use of resources. 

In the case of international teams, common drivers for members at different locations around the globe are cost, time-zone coverage, around-the-clock service availability, and skill sets that need to be divided by geographic locations. For example, when we were building the Global Information Security team at eBay, we carefully crafted our strategy for offshore and outsourced work by evaluating how potential team members’ skills should align with the company’s business and security objectives.

For example, it was critical that we demonstrate the value of information security activities to the business. We gathered data from a variety of different security tools and populated a dashboard that we shared with company executives. When we were staffing our security metrics team, we looked for individuals with coding and statistics skills. It didn’t matter where in the world this person was located, as long as he or she had the right background to perform the function. Other issues that we considered in this process were cost and cultural factors.

After interviewing candidates in more than five countries, we decided to focus our international hiring in Israel, Romania, and China. Our core team was based on the west coast of the United States, so having international team members in these three countries gave us adequate “follow the sun” capabilities. 

“Follow the sun” basically means that when team members in one area of the world are finishing their workday, team members in another are just waking up and going into the office. You can go home after work and when you wake up in the morning, several tasks may have been completed by team members in a different time zone. Then you can pick up where they left off. In this way, the overall team can function around the clock, as long as information is effectively handed off between team members. This model is particularly useful for urgent items that must be completed quickly, or when an organization needs to support customers or a service in many different time zones. It also allowed us to staff all functions. 

In each offshore region, a local manager was assigned, and then empowered in several ways. He or she was given authority to make decisions as needed to run the local team. These managers were also empowered with information and clear objectives to focus their work. The local managers were included in management meetings to ensure they would have access to the same information that was being shared within the core team at headquarters. The local managers were also held responsible and accountable for their actions, which increased both their impact and their professional satisfaction.

Once established, the Global Information Security team continued to grow. During my tenure at eBay, we built out the team from around 24 to around 60 members in about a year. As the team grew, it also changed in nature, going from a relatively small group of generalists to a much larger group of specialists.

During this growth, it was critical for everyone to stay on the same page when it came to our team’s mission and vision. So, the CISO led our management team in a formal exercise to define these factors for the team. This method is often referred to by business leaders as identifying a North Star. This common mission set the tone and gave the team purpose.

With a clear purpose and vision, every individual on the team was empowered to take the initiative and make decisions to solve day-to-day problems without having to come together and rehash the team’s overall objectives time and time again. This shared information prevented specialized teams from organically splitting away from the overall team goals. 

This alignment and prioritizing is key, because security, and especially information security, is a complex function in most organizations. There are countless dimensions to the field—from physical and network security to host and application security, and from governance and risk and compliance to technical assessment and incident response. Additionally, there is always so much work to do. The harsh reality of limited time, budgets, and resources requires teams to make tough decisions about what activities to prioritize. Whether they do this explicitly or not—deciding not to make a decision is a decision itself—they must live with the outcome. It’s an amateur mistake to rank every issue as critical.​

Accountability

Virtually every team finds clarity of process empowering. When roles and responsibilities are clear, and the step-by-step work flow is understood, a team can work efficiently and maximize its potential.

Effective managers have a key role to play in this regard. Depending on the situation, they may decide to develop new processes with clear roles and responsibilities. Or, they may decide to conduct a process evaluation that breaks down an existing process into discrete steps, with defined criteria for when work should be handed off to another team member to advance the process.

In evaluating a process, defining and documenting the roles and responsibilities for team members is often a valuable exercise. For example, asking different team members to enumerate the actual steps in a process, and to name who is responsible for what at different phases along the way, can be illuminating. Sometimes, the accounts of different team members do not match. 

One particularly useful tool that we leveraged during my time at both eBay and Zynga was the RACI model, or the Responsibility Assignment Matrix (RACI Matrix). The RACI model maps out who is Responsible, who is Accountable, who must be Consulted, and who shall stay Informed. For management, it illustrates clearly and concisely the individual roles within a team.

Moreover, the A in the RACI Matrix—accountability—deserves special mention here, given its effectiveness as an empowerment tool. As mentioned above, at eBay local managers around the world were empowered with authority to make decisions as needed. Outside of my eBay experience, I have seen the effectiveness of this throughout my career. This is particularly important when it comes to international teams. If a team’s managers are in location A and the team members executing the work are in location B, misinterpretations of risks and requirements are more likely to happen. But in these situations, I have observed greater success where a team located far away from headquarters includes a decisionmaking leader who understands the immediate reality of what the executing team is facing, and can facilitate communication between leadership at headquarters and the local team performing the work. Teams are more likely to engage fully in their work and put in that extra bit of energy and effort when they feel that they have a real seat at the table.​

Communication

“Communicate, communicate, communicate” is an appropriate message for most team managers. For managers of international teams, a corollary could be added: “communicate some more.”

Sometimes, a management decision is made that affects multiple members of an international team. If word of the decision reaches only some team members, it’s likely that the uninformed members will unwittingly steer in the wrong direction. A few errant steps can be easily corrected, but if this behavior continues with­out any means for correction, the results may be wasteful at best and devastating at worst. 

One of the most effective and empowering communication practices used by our product management team at Symantec was a biweekly cross-functional team call. This call included many different stakeholder groups related to, but not limited to, my international team of direct reports. In addition to product management team members, it included representatives from sales, marketing, support, and engineering. 

I led these calls in a structured but flexible manner; each team was allowed to share recent accomplishments, next steps, issues, and risks. We briefly reviewed each team’s status, leaving enough time to dive deep into one or two issue areas. These deep dive sessions might be initiated by a team member’s question or presenting a problem to the larger team. They always resulted in engaging dialogue, because different individuals offered different ways of thinking and different perspectives. 

Together, we would share information and brainstorm approaches to gather more information, perform analysis, make decisions, and execute on solutions. Management decisions were clearly communicated and discussed, enhancing transparency and trust across the international team and empowering individuals with the information that would affect their daily work. The result was aligned improvements to the team’s products and services. 

To mitigate any information lost in translation due to different levels of mastery of the English language, meeting participants documented their status in a PowerPoint deck that was shared with the cross-functional team before and during the meeting. Additionally, we ran an ongoing Skype chat so that if anyone missed or misunderstood something on the call, they could type a question and receive a written answer to clarify exactly what was being said. 

One final communication tip for team managers: get in the habit of writing down and sharing any information on issues, risks, roadblocks, or anything else that may affect a team member’s work, even if the information seems obvious. What is obvious to you may be clarifying to team members, and it may keep incorrect information from spreading. Disinformation is disempowering.   ​

Building Trust

In 2012, Google launched an initiative to study hundreds of the company’s teams and assess the differences between high-performing teams and the rest. In his book Smarter Faster Better: The Secrets of Being Productive in Life and Business, Charles Duhigg writes about the key scenario comparison that illuminated the initiative’s main finding—psychological safety, more than anything else, is critical to making a team work.

What it all came down to, Duhigg found, is trust. Work is a part of life, which is highly imperfect and impossible to control. Managers who purposefully create an environment where team members feel comfortable sharing information about what’s going on in their lives build important if invisible communication channels that can break down walls created by secrecy and anxiety. 

And what happens in our personal lives matters in the workplace to the extent that our work is affected. Building trust builds an empowering environment, because the comfort level team members feel with each other will rub off and help create a high level of comfort in sharing and honestly discussing work-related ideas.  

Teams and the human conditions that affect their work are somewhat analogous to software and their security vulnerabilities. The imperfections will always be there, whether we acknowledge them or not. If you look for security vulnerabilities in software, then you will find out what they are, and can proceed accordingly. 

Similarly, if you create space for people to be real in the workplace, then you will find out their imperfections, which you can also work with. It’s the difference between accepting imperfection and asking for perfection and then facing the consequences when it is inevitably not delivered. 

Finally, one-to-one meetings are important. There are things that are more easily expressed in a private setting than a public one, and effective leaders know how to create a safe space and connect with their direct reports in a way that cultivates trust.

Make time for face time, if possible. There’s nothing like sharing a meal with a colleague that you talk to all the time on the phone and by email. It’s not always financially feasible to bring everyone together often, but if a manager can take the time to visit his or her international teams once a quarter or even once a year, it can make a huge difference. If you absolutely can’t meet in person, conduct video conference calls. ​

Forecast Fulfilled

In 2005, Thomas Friedman published his bestselling book The World is Flat. In it, he described the technological, cultural, and economic forces that would lead to an abundance of international teams. 

More than 10 years later, his forecast has been fulfilled, it’s easy to see the tremendous benefits of diverse, geographically dispersed teams working together. This continues to shift as the gig economy evolves the workforce to a point where the most efficient and often most effective workforce strategy in certain markets may be to hire freelancers as needed—wherever they may be located—based on their skills, performance, and reputation.

Success in today’s work environment often requires a thorough understanding of how to best empower an international team. While it might sound intimidating at first, it’s been done before and can be learned again, with the benefits replicated. It’s a worthwhile investment.

Caroline Wong, vice president of security strategy for Cobalt​, was director of security initiatives at Cigital, director of global product management for Symantec, senior manager of Zynga’s security program, and global information security chief of staff and manager at eBay.