Joining, building, and scaling a fully remote team (Mark Stacey)

all right and we are live and we are live with mr mark stacy on joining building and scaling a fully remote team welcome sir it is all yours thank you i should be able to see the slides if someone could confirm in the discord chat but even without video or slides we should be able to have a conversation about it so uh jumping in uh we are not short at all on materials or working remotely uh kobed certainly escalated a lot of that where there are multiple uh blogs and uh you know presentations and books written about working remotely and the impacts of covid there's also a lot of good material uh if you guys can't see my screen i'll

just say it scaling teams by alexander gross and david uh loftus-ness a great book but there's a lot of material out there on building and really scaling a team as well and so i'm not looking to replace any of that great material more so add to it and really identify my own kind of lessons learned i've been working remotely for about uh 10 years uh my wife has been working remotely for six years so it's really good that we get along as well as we do and uh i recently joined dragos and when i joined i was the i think the 13th or 14th employee that was three years ago and we just hit over 200

people so trying to bring the lesson uh lessons learned that i've learned through that process here so first couple notes on building a couple initial kind of uh advisory topics generally when we talk about a small team or building a capability we're looking to start with proven experience you're looking for specifically people that can identify future issues and then build a process around that to event prevent future heroics and that is incredibly important because you're doing the work while you're building the future processes that others will do that requires not just motivation but a certain level of professionalism specifically what i look for is if people are able to remove themselves from the deliverable focus on

what the client needs uh so that the future growth of the company is not based on what one person wanted but based on what what the clientele asked for and so really the the old uh kind of stereotype message of building the plane while it's in flight certainly rings true you want to start with those kind of senior principal level folks and build it from there uh understanding that these people will also be really setting the culture for the company uh so jumping down kind of the first uh red block let's start with diversity and that translates to really establishing culture it's very easy for a company to build a culture organically based on region or some of

the first employees that come in and so really starting with diversity and making sure that it is based on uh really the the company tenants that we'll talk about as well and not a region or group is important and things like holidays uh vernacular slaying sayings all of those are really based on that so next item uh building tenants we use another good book i'd recommend the five dysfunctions of a team very quick read we used that book to build tenants for our team and then we trickled those throughout the company and where those really come in useful using an example where i had one employee come and he was complaining about another employee i kind of had that second employee come

and he was complaining about the the original employee and certainly whenever you have disagreements hey can hear me set up yeah i can hear you i just can't like meeting [Music] but i think what that does is builds a culture around potentially unnecessary escalation and so instead that's where we could use the tenants at dre ghost's their open candid transparent and honest conversation and so my advice to both employees was set up a meeting and started by saying i'm going to have an open candid conversation i'm removing myself let's focus on the output to the client and be transparent about what is working and what isn't and then the culture is when you have a

conflict address it directly with the person and be open be candid but be professional and so the tenants are incredibly important of course manage media and by that we're not short on slack skype zoom any other type of electronic conferencing out there but managing it is important uh we in the early days of of dragos our team always turned on the video if you have a five minute conversation turn on the video and we kind of i think i saw someone else mention uh we got to be known as the brady bunch because everyone would have their video uh array set up but that propagated throughout the entire company and it's especially important now when we hear

uh you know 70 to 90 percent of communication as non-verbal seeing facial expressions whether or not you fold your arms or lean into the conversation conversation all that matters and it matters when you're scaling a team and growing a lot of people quickly uh people don't understand sarcasm in written words on slack and so if you're going to have a quick conversation it may be easy to do it in text but set up a quick video call make it easy so that people understand a name with a face and and they can kind of build that rapport in that baseline because with covet they may not get it for uh another couple years um one caution because

you're hiring people quickly nobody gets excited about the term middle management but it is important and mostly i i say organizing as a requirement because you've got all of these principal senior people that are running full speed and the fastest uh path to frustration that i've seen is either duplication and work or people's output not being used and so getting on a call and having someone say i'm building this capability over here and someone else on the team says i already built that capability four months ago that's what you want to avoid and i think really that certainly a better term but the organization or the middle management really their job is to make sure that

the priorities are understood and that we're not doing those two specific uh issues or pitfalls on the joining side a couple quick notes to those joining teams that are growing quickly uh certainly identify the team's culture but bring your own style it goes back to the the diversity concept i mean bring in your knowledge but bring in your own style your own communication style your likes and dislikes and really contribute to the team life pro tip that seems straightforward but i i can't overstate it enough when you are setting up a meeting or scheduling something don't be naive to the impact of time zones and match those to the person you're scheduling it with if i'm setting up a meeting with someone

on the east coast and i propose time i'm not just going to say 10 a.m i'm going to say 10 a.m eastern time or identify my targets area that is i think a a very simple thing that we could all improve on and it really again kind of references back to that profession uh professionalism or experience working remotely uh also the ability to be agile and have some adaptability be able to understand ambiguity in the workplace is incredibly important you may be hired to do one job and the team is growing so quickly you could add a proficiency or contribute in another area and you may be asked to do that as well and that's okay the adage of

that's not what i was hired to do doesn't fit in very well with a lot of rapidly growing teams and so go in with that and see it as an exciting thing uh i under the the kind of cautions the the red blocks the two main cautions i would have is uh in the work life balance working remotely everybody wants it but people don't really understand the impacts regardless if your kids if you have them are crying or laughing you want to be out there and the adage of always being available certainly exists when i worked at doe i remember we were moving to a day remote work and it was to save money on heating

and lighting for the building and management said you know quote management said well it can't be monday because people just turn it into a three-day weekend and it can't be friday because of of the same reason so tuesday wednesday thursday and i just candidly thought putting bounds around it like that is ridiculous we're not treating employees like professionals and in every study that has come out in the past 10 years that i've read people end up working more when they work remotely because your work is always there and in a remote team it's very very true where especially international you sit down to dinner that may be the middle of the working day for australia

or europe and so when you join a team anytime you open slack or anything you're going to see a question some opportunity to contribute oh great i know the answer to that you run down to your computer and then you're down there for three hours and so the understanding that you have to leave work and where to put those separation points in i think is certainly something to consider a couple quick notes on interviewing i may come back to these if if there's time but essentially do some research understand the culture of the company understand that as you hire quickly that culture will be stressed they're not looking to uh to put hard bounds around it but maintain the

culture while growing it while adapting to what you you bring in so i'll jump over to scaling and then come back to the the blue bars here if we have time on the the scaling front i'll use uh what i do at drago's now as an example because it's it's very fresh and that is uh setting baselines i think is critical to identify what success looks like we have uh say three principal consultants and all of them do a pen test based on their own experience and all three of them you could arguably say we're very successful client was very very pleased where that comes to be kind of a stress point is when we scale

and i hire maybe a more junior employee if he does a pen test with all three of those principal analysts he'll get three different viewpoints sure maybe that's good from an experience standpoint but how he formulates his own operating plan and his career growth for him to get to that principal level is now incredibly convoluted and it's unclear how really dragos or how the team should address pentest and so while individually they seem successful having that baseline having the uh tactical and really uh the the kind of programmatic uh discipline in place for how that work is being done i think is critical and then uh very importantly have some enablement plan have if it's mentoring or knowledge base

or you stand up a learning management system to enable those kind of try not to use the word junior but the consultant or entry level staff you will do a disservice to your team if you bring in a bunch of consultant level people without acknowledging the time that they will take from your principal level staff that mentoring that enablement is critical the idea i was talking about pen testing before so going with that the idea that you're going to teach them pen testing is not there but you need to teach them the baseline you need to teach them your company's approach to pen testing so ensure you have that uh reorganized now is a good time again

we talk about mentoring to look at kind of the middle management uh and a pivot to that is the career growth plan and really the first kind of uh or excuse me the second square uh box down below there at this point your company maybe one three five seven years in you've got the original principles the original already very senior level people that came in they built the foundation they wrote the baselines uh they created the enablement and so your career plan has to have a plan for them as well you've got people very uh senior in their career scope where do we go from here and so building out not just a career plan for the immediate team but

for what what comes in the future in scale i think is something to uh uh understand and then the one caution anticipate attrition it will certainly always happen at every if it's a funding round you know a series abc or an ipo or just rapid growth attrition should be anticipated and it should be celebrated in in some regard at dragos we've had people move on and in those instances uh it is bringing on maybe someone advanced in their career but looking for more opportunity they get a lot of experience in new areas that maybe they wouldn't otherwise the contracts or legal agreements or partnerships and they really help build out a capability they're there for a couple

years and then they go on to be a director somewhere or or a vp and so celebrating the attrition and treating it like these individuals came in they advanced the team very quickly but they also advanced themselves and and moved on it doesn't have to be seen as a negative thing uh so jumping over to my one quick note and there were some great talks earlier today on uh interviewing and uh specifically skills to know for pen testing uh one quick note i would say on on that uh one i share a story when i when i left the government went into private industry i lived in washington state and the company was on the east coast

and i realized very quickly that whenever you stop work with a remote team from the time you stop work to the time you start work the team continues and work is done and so regardless of when i woke up and when i sat down to work i was always three hours behind the rest of the team on the east coast and it really took me six months to transition into that and to get over the feeling like i was constantly playing catch up i wasn't running i wasn't sprinting forward with the team i was just keeping up with the group it felt like and i caution a lot of people about that if you're not at your computer

the team is still going on work is still being done and that's okay uh the the key skill that i look for is the ability to learn quickly and that comes from previous history doing incident response i kind of think of three buckets for incident response as well as pen testing and that is network host and malware or reverse engineering you have network traffic the host forensics and then reverse engineering and i've known maybe two people in my life that are experts in all three generally people are an expert in one or strong in one and proficient in the other two but when i interview people i'm not a fan of uh like what flags will you would you use

in nmap or what does uh netstat and ob get you in my mind those are memories i'm asking you to recall a specific flag rather than base the answer on your true experience and when i uh apply that with drago's interviews a good example is i'm not going to ask them about a volatility flag or an immunity you know quick key instead i'll ask them a scenario on doing host forensics on say a turbine controller and a windmill or a roller coaster plc that they've never seen before and the specific flags are based on the technology they're irrelevant you can google those what i'm looking for is the thought process to say i would get a manual first so i don't

start plugging in rj45 cables and overriding volatile memory addresses and really understand the device first and so uh in interviewing too often i see you know those calls to specifics if you get the question translate it back to experience don't make it be a memory exercise translate it back to the process and uh try to talk through it so a whole bunch of words very very quickly uh thanks for sticking with me um checking the one note in uh the track to chat but if there are any other questions i don't have the youtube one pulled up feel free to shout those out i got nothing on youtube but you said you saw the uh the question in the

track two channel uh cool so it looks like the one question avoid burnout yeah uh it took a while to get to a good operating mode uh but to answer the question how do we how do we avoid burnout with the uh extensive work from home time uh i think it's in my mind really coming to an understanding if the kids have a dentist appointment i'll take them or i ask the wife if she can take them if the kids have some event we kind of work together and we don't default on one or the other it's an understanding that both of us will participate now the hard thing is to not have life and work

24 hours a day because you're trying to balance everything all the time and so setting some boundaries uh is is incredibly important uh to identify availability and and have the the mutual respect but i will say burnout is always a potential uh burnout uh i'll end this with a very candid statement burnout is always a potential regardless if you're working in the office or working from home or you have kids or don't have kids and when i look at employees i work with and they're always close to burning out and they're always telling me i need time off the potential is to be seen as the liability an employee who works himself into the hospital is not a good employee

an employee who is mature to identify the breaking point and communicate what is practical and set expectations on what they're able to achieve and the resources they've been given that is good so i think really there's no avoid burnout it's uh in my view understanding what your capabilities are within reason and clearly communicating those that is the best way to avoid burnout it's not uh do more with less it's what is practical and how do i communicate that to level set expectations so uh yeah and great great comment in uh track two as well set boundaries communicate those uh to your manager so i think we're about on time thank you everybody a lot of words really quickly uh hit me

up on the inter tubes or twitter or whatever if you have questions and thanks for coming uh thank you for being here uh it is very much appreciated and uh yeah we're getting the uh getting the the cutoff sign so uh thank you