5 Essentials of Global LeadershipAdvice from Leaders: Think Global, Manage Local
Thompson co-manages an IT security team of around 200 members spanning regions such as Latin America Central America, the Caribbean, Great Britain, India and the Far East.
"It shouldn't matter from where the enterprise security services are deployed," says Thompson, an ISC2 advisory board member. "We need to just make sure as a team we are consistently closing the vulnerabilities and risk gaps."
Managing IT security services for the entire organization, across 90,000 work stations worldwide, requires Thompson to address and manage a spate of systems, security controls and issues, including antivirus, intrusion detection programs, network vulnerability scanning, application security, forensics investigation and email recovery.
Example: The antivirus deployment for the bank is implemented, controlled and maintained at one end in Canada, but has a global reach, and the entire organization benefits from its availability, contract terms and pricing.
Thompson's attitude toward leading a global team: "Management in such a situation is about creating personal touch points and being in their face daily."
A World of ChallengesThe biggest challenge of global management is communicating risk from a business perspective, Thompson says.
For instance, the definition of IT risk control is very different in North America vs. Mexico, where the bank operates in areas dominated by drug cartels. There, the focus is heavy on physical security along with the need to constantly close gaps in control breakdowns.
For Mark Lobel, senior partner at PricewaterhouseCoopers and a member of ISACA's external relations committee, the real challenge is training and motivating his team across the U.S., Europe and Asia. In addition, he must manage his team to serve multi-national clients often representing different industries.
As an example, he finds the healthcare sector driven by personalized information around patient data, while banking institutions are very results focused and demanding on any security process being implemented.
"At times the client does not have a clear vision of what they want, and that creates issues with team alignment," Lobel says.
Also, cultural and time differences set in, and often it is hard to conduct straight business talk with global teams. For instance, in Central America and the Caribbean countries it is customary to initiate a personal conversation with the individuals before plunging into a business discussion.
"The challenge at times for a leader is to understand its people more closely," says Malcolm Harkins, chief information security officer at Intel Corp. "It is about getting the consistency of purpose on issues involving IT risk and security." His team of 215 security professionals is spread across different locations in the U.S., Malaysia, Costa Rica, Ireland and United Kingdom.
5 Essentials for Managing a Global Team
To overcome these challenges, global team leaders recommend the following tactics:
- Online Collaboration -- Both Harkins and Thompson rely heavily on communication and information technologies such as their companies' internal social networks, online forums, team conference calls, e-mail, video conferencing, and various groupware applications to make their team function like traditional teams.
At Scotia Bank, Thompson's team is connected using Tandberg's technology for telepresence and video conferencing that offers powerful infrastructure and management tools to communicate face-to-face with teams outside their organization. In addition, the global IT security team is very savvy and active on their internal social network called Face Forward. "My day starts with chat messages and constant message alerts on my Blackberry," says Thompson.
- Constant Communication -- A good part of Harkins' time goes to meetings with different groups needing his attention. He spends approximately 40% of his day interacting with direct reports or coordinating IT security efforts from the architecture or engineering team. He is also a big believer in one-to-one meetings and has around 12-13 meetings per week with key Individual contributors in different global regions. These discussions range from review of new technologies such as consumerization, cloud computing, understanding the risk elements involved in assessing the status of IT risk for different governance and compliance activity.
"The effectiveness of managing a virtual team totally relies on how much communication and coordination there is between key contributors, Harkins says.
- Establish a Reporting Structure -- At Intel, the organization manages employees from top to bottom by setting quarterly objectives for each role identified by their manager. A security professional's objective may include conducting a set number of risk or vulnerability assessments and appropriate investigation into security incidents and response. Each employee further is required to submit monthly status reports on how things have worked. What IT security activities have they been engaged in? What challenges have they encountered? What have been their main achievements? "Such a structure helps the team to not regress in merely addressing the basics," Harkins says.
Lobel's team follows a similar practice and needs to submit weekly status reports with their clients. "Through these reports, we connect and know what's happening on the other end," Lobel says.
In the case of Scotia Bank, all nine vice presidents serving within IT have a balanced scorecard to maintain based on how well they and their team deal with IT risk and security issues such as external ethical hacking, vulnerability scanning, risk assessment and incident response. "This data is out there for scrutiny by top executives and creates an internal pressure among the SVPs to perform," Thompson says.
- Training and Education -- At Scotia Bank, Thompson frequently sends consultants from Canada to different locations to help in communicating the business goals and team purpose, as well as to educate and train the local professionals on IT security processes and compliance requirements. Their internal social network features regular blogs and articles on emerging IT security issues that are often discussed in their meetings. Also, Thompson encourages his team to participate and reach out to local and international associations such as ISACA, ISC2 and SANS Institute for furthering their security awareness. "We want everyone to think on the same lines when we speak about IT risk," he says.
Lobel's team is trained through frequent news feeds and training sessions, and professionals are highly encouraged to get certified in their areas of expertise.
At Intel, in addition to the blogs, internal social networking and annual training sessions, the company also hosts frequent 'web jams' on various security topics. These sessions are open for the entire local and international population to discuss and debate on.
- Frequent Travel -- Harkins is out for at least 90 days per year visiting different global locations to ensure his team is maintaining the integrity of IT security. He averages a visit to each site three to four times a year. He values these trips, as he gets the opportunity to see and know his team members more personally.
For effective global team management, a leader has to understand the value of communication. "What is communicated and how it is communicated via a particular technology to his team," says Harkins, "this still remains the most critical factor in virtual management."