Cloudflare TV

📺 CFTV Anniversary: Security Team Series: Recruiting in APAC

Presented by Jacqueline Keith, Joe Sullivan, Matt Gallagher, Priscilla Li
Originally aired on 

The Security Team is expanding into APAC. This segment interviews Matt Gallagher and Priscilla Li, hiring managers, on what it's like to work on the security team and what can be expected with this new regional expansion.

CFTV Anniversary

Transcript (Beta)

Hi everyone. My name is Jackie and I lead security engagement at Cloudflare. We have a special announcement and Cloudflare TV session for you today.

The Cloudflare security team is expanding into the APAC region and I am interviewing Joe Sullivan, our Chief Security Officer, on this team expansion strategy, as well as Priscilla Li, Detection and Response Security Engineering Manager, and Matthew Gallagher, Customer Security Compliance Manager.

Priscilla and Matt are the hiring managers for the roles that we currently have open.

Joe, why are we expanding into APAC?

That's a good question. We're expanding into APAC because we're a global company.

We support customers all over the world and as a team we need to be where our customers are and where the rest of the company is.

Cloudflare is, I guess, more than a decade old as a company but we've been a public company for less than two years and we've only had more than a thousand employees for less than a couple of years and as we're growing and expanding around the world we're trying to be able to support our customers 24 hours a day, seven days a week, no matter what time zone they are in and security needs to be wherever the business is.

So we made a commitment as a team to focus on hiring outside of the United States in 2021.

So we've done a bunch of hiring in Europe and we're focusing on hiring in Asia now.

Yeah, I think one of the conversations that we have quite often is about quality talent pools and these hubs all around the world and trying to tap into that and get really different backgrounds experiences so that we can keep the company and the Internet more secure.

It's pretty exciting. I think we're all excited to go to the region, eat a lot of the food.

That's, I have to say, the thing I'm the most excited about and I think it's important to put us on the map all around the world so that we are becoming more of a regularly known brand in the tech industry.

So what's a previous experience that you all have managing employees in region?

If you don't have any experience that's okay but if you do it would be really cool for people watching this to know what can they expect from you.

What's your background and what makes you qualified to hire in region?

Yeah, I think I'll start first.

So I think in terms of Singapore, it has a very rich and diverse culture.

So based on my past managing experience, the people there are really resourceful and very driven.

So I'm also amazed by how adaptable and the way that technologies changes or this thing is really fast.

And the way they, you know, when they deliver is really is fast and reliable.

They're very committed in whatever they're doing.

So I'm really looking forward in, you know, building the team over there, looking at the diverse group and talent pool that we have in this region.

So Priscilla, you worked there for a while, right? Yeah. So you have, I mean, the real in-country experience.

You actually know what's going on in the ground and will be able to empathize.

Yeah, I think I'm from Singapore and I moved there about seven years ago.

And so much has changed, especially in terms of the engineering space, the security space, but how, you know, the company and the government is towards going to a security focus.

So I will see this as a really great opportunity to go into this region right now to expand our team.

And yeah, like what you mentioned, the food is great, diversity as well as the culture.

I remember the first time I mentioned that a team meeting a while back, I think we should start focusing on expanding and hiring in Singapore.

And I'll be looking for volunteers to travel there and spend some time both during the interviewing process and after we get new employees on boarded to train them up.

And Priscilla was the first person to say I'm available to go.

Yeah, I think I did too. So it will be a, it'll be a date.

Yeah, it will be a good connection back, you know, to to the people that I worked with before, as well as to help Codeplay expand the team.


Matt, what about you? You've told us some war stories, I think, in the past of all of your global experience, which you have a ton of.

Anything APEX specific?

Well, mainly my experience has been with working remote teams in India at either subcontractors or subsidiaries.

So, you know, exactly opposite the clock to the west coast of the US, which, you know, leads you to some inventive scheduling and, you know, a cadence of contact, I think is really important.

So it I learned to do this sort of remote management, you know, before COVID.

And it's it's a skill set that, you know, everybody has to develop.

I'm glad to see that a lot of folks are catching on pretty quickly.

Yeah, I think that you make a really good point.

This is my fourth company where we've where I've been part of the team that's been expanding to make the team fully global.

I started at eBay and hired people in Singapore and across Asia, did the same thing at PayPal, which was part of eBay then.

But then I built the security team from scratch at Facebook and in many ways and hired our team in the region, including people in Singapore.

And then I did the same thing at Uber as well.

So I think when I look back on those experiences, one of the things, Matt, that you pointed out is critical to supporting the team that's local.

It's understanding and respecting that we're all in different time zones.

And some tech companies have a very West Coast of the United States centric approach, which is like all the meetings should be between 9 a.m.

and 6 p .m.

our time. And that just simply does not work. And that's because the team teams that are around the world will not feel supported.

I think Cloudflare is different and committed to to kind of embracing and respecting global time zones because of a few different things.

Number one, we've always been a multi-continent company.

Our CTO has been based in Europe since the beginning, and we have a large engineering center outside of the United States in Europe and are building a second one in Europe.

And so we've always been used to working in very different time zones.

And I think the word we use a lot is asynchronous communication. We document things really well.

We write things down. We make them available so that people can consume them on their own time.

And that stood us really well as a during covid when we were when we were all outside the office, we could we were all still able to be effective, even though we diversified out into even more time zones.

And I would say in particular in in the last six months or so, as we've embraced growing in Asia, we have become even more sensitive to that.

So, for example, this Monday morning, I got up really early California time to have our leadership meeting for the company.

So with the CEO, CFO and the heads of technology, we all meet once a week to kick off the week.

And we did it at six thirty Pacific time, my time zone to be respectful and include our colleagues in Singapore, because we have one member of the management team based in Singapore right now.

And we want and so we do that every third week.

We we inconvenience the majority of us who are in California just to be respectful and inclusive of the different time zones.

Yeah, I think managing global teams is one area where my night owlness always is a benefit because I don't mind taking a call at eleven, twelve at night sometimes if I'm just awake.

And that's been really beneficial when needing to interact region folks.

Yeah. And I think one thing that we as a company have become a lot more flexible in general is the word I like to use.

And and so I remember at other companies when I had to take those 11 p.m.

meetings with Singapore, it would feel like I still had to work the full day and then I was doing the meetings in the evening because we're all kind of kind of managing our own schedules a lot more now.

I like I did on Monday this week, I got up early and I did those meetings with teams outside of the United States really early.

But then I took a couple hours off in the middle of the day to go for a run and have make food for my family and do things like that.

And so we have that flexibility built into our and trust of each other built into our schedules now that allows us to to have the balance we need while still supporting global teams.

Yeah. So as we have two roles that are open and Matt and Priscilla putting you in the hot seat as you hire these first two folks into our team and in the region, what do you think that experience is going to be like for them?

Yeah, I think for the role that we're hiring, we're hiring a senior detection response engineer.

So this person will really be the first security engineer in the region, spearheading the security initiative, have the ability to and opportunity to liaise across different teams to understand the different areas that every team is working on and also being the security SME in the region, helping us to look at the various opportunity to tighten our security posture.

Yeah, nothing replaces that time in office next door to somebody and they're there just to ask questions.

So this is going to be really cool to have a technical expert there.

Yeah. Now, what do you think? Well, the role we have posted is for security compliance specialist and that's for our Cloudflare customers.

We are a security service company.

We offer security services as well as CDN. And our customers want to be able to trust that what we do is secure, that we're holding what data we do have on them appropriately.

We're taking the right actions.

It's not simply about compliance, but delivering the entire security message to our customers.

And so that is sort of an external facing voice, a security subject matter expert.

And it includes a large spoonful of GRC and also being able to understand how our services work.

So we're looking for somebody who's got a portfolio of skills and we can't expect everything, but this person will be a focal point for a lot of information, especially as the size of the security team is really just a seed at this point.

And that's going to grow and this person will be integral to communicating that information, helping others find it, solving problems about identifying information.

So it's an interesting job, a little bit of a detective, a little bit of a librarian and a lot of security mixed in there.

Yeah. I mean, the expectation is that they're going to be the face of us, right?

And in a lot of cases, they may even be working with Priscilla's role to explain a lot of things that are going on.

We have to explain this stuff to people who aren't living and breathing it every day, but they have to get it so they can make better decisions so they can trust Cloudflare.

And so the expectation is really all of the above, plus being able to be polished in front of customers, which is really important, right?

Since we're so customer focused and trying to grow in the region.

I mean, you're not going to if you don't have somebody that can speak their language and their culture and make them believe.

Yeah, those are great points.

I think that's exactly right, that the first members of the security team, these two people that we hire are going to be in some ways representatives of all the teams within security and all of us doing security globally, because anytime someone else in the region from any other team is thinking about security, the first person they're going to start with is going to be one of these two people.

And so these roles have like a little special something extra about them.

And I think I would actually say there's three parts to this something special extra.

The first thing is that they have to learn and be a connector for the rest of security.

The second is they're going to help us build out a team for the future.

They're not going to be the only two people, but they are going to be the people doing the interviewing and helping us to define a culture for a team in a region and to help us build that team and play a role.

We have a lot of people on our team who are the first or one of the first people in a new office or new region for us.

And they kind of play that special extra role of like being not an office manager, but like a center of excellence leader for us in that space.

And then the third thing is the rest of us aren't going to be in the region and we don't know the region as well as we should.

The reality is, you know, we call it APAC or something like that, but it's 100 plus different countries with people speaking hundreds of different languages and very different cultural ways of doing business.

And in many ways, there are going to be some fundamental differences that the rest of us need to better understand and appreciate.

Even our product needs feedback on, okay, what works in the United States and Europe doesn't always work across the rest of the world.

So I think that's a critical role that these new members of our team are going to play.

They're the ones who are going to contact, you know, our head of IT security and say, hey, you know, that strategy for rolling out and the way laptops work, connecting to, you know, Cloudflare access just technically doesn't work in these five countries because of the way the Internet is configured and the way traffic gets routed through the ISPs here.

Whatever it is, our local team has to help the rest of the company grow and understand the region better.

Yeah, that's a good point. And we probably need to make sure that both of our ears are open and we're absorbing that and being empathetic to what we receive from them, right?

Because it's really easy to say, okay, we've got these people hired, you know, let's just start moving on our initiatives or let's start hitting metrics and things like that.

But we have to be really, really aware of, we might learn some things that we need to readjust our policy or our strategy based on what we learn from them.

Right. Yeah, I've seen it over and over when U.S.

tech companies expand into different regions of the world, there's a general assumption that like, oh, whatever worked in, you know, where we originally launched is going to work everywhere else.

And it's very much not the case.

And so we have to be thoughtful and like take each, not just country, but like region of country and cultural aspects of the different communities and integrate them into our product and the way we do business.

Yeah. Priscilla, when you were there and you were in Singapore, was there another country that you worked with more or anything that you observed in the region that was like, wow, these are really, really different experiences, even with you being in Singapore.

So like maybe working with Australia or, you know, we just moved into Japan recently as a company.

Yeah. I know a lot about that. Did you have any of that similar experience there?

Yeah, I think I work with various like Japan, China, Vietnam, all of them have very different working culture, the way, in the way that they communicate the work habits, everything is different.

So I think having someone in the region, it really helps us to understand how the entire region works together, what's the best practices over there.

And, you know, being the, you know, the pivot in that region with anyone with any security questions, this team will be able to help us to keep an eye on and also set a standard.

Yeah. Yeah. Matt, did you have any unique experiences there understanding how countries are different?

You know, as Americans, we're thinking of everything, you know, North Americans, one large country, but most of it is US, you know, have you had the same experience?

Well, you certainly have to adjust to, you know, cultural and local customs.

You know, the work start time can be a different thing in a different culture, right?

If you're expecting somebody to be in the office at 830, or nine o'clock in the morning, you might be surprised, right?

But then you might also be surprised that they're also there until eight or nine o'clock at night.

So there's, you know, there, the minor differences can be overcome, just by, you know, being flexible and, you know, having, you know, some respect and sensitivity.

But I think that the alluding to both what what Joe and Priscilla were talking about, our ability to have somebody local and provide that, you know, external face for the company is competitive, competitive edge.

And depending upon how well we do that translating, not only those sort of, you know, customs of work, but also this, you know, the sensitivities for things about data, or, you know, data protections, or just the way that a deal gets done, right, our, our team has to, you know, interface with many different regulatory requirements, but also contractual processing is different country to country, even in the West, and, you know, in Europe, the way they run a contract in France is different than the way they run one in the UK.

So, and those are things currently that we're not very good at in Asia Pac understanding from the headquarters.

And I think that's becomes competitive advantage when we're there locally, we have folks who understand how things get done, things will happen much more fluidly, and will be an advantage for us.

Yeah, we just brought on a fabulous head of APEC region, Jonathan Dixon, I just, I just love working with him.

He's fairly new to the company.

He's, he's making some changes in region, and I found him to be great to work with.

And I'm looking forward to learning more from him. And I hope that the people that we hire will also learn from him.

Because it's just looking up, it's just looking great.

Yeah, it's really been a fantastic experience spending more time with them.

And I'm going to mention the food a second time, because I'm super excited about this, you guys have no idea.

Yeah, it's gonna be, it's, it's been fun seeing the company's growth in the region.

We definitely have seen, I mean, generally speaking, globally, we've seen a lot more interest from larger enterprises in using Cloudflare, you know, historically, Cloudflare started out serving smaller businesses and giving away a free product as well.

But we've seen such huge demand from large enterprises globally. And like, we have no choice but to expand in the region, because the customers are there, and they want to work with us.

And so it's exciting to see all of our teams across Cloudflare growing in the region.

So it's definitely an exciting time. All right. So coming up on our last major question, so how do you plan to ensure that the regional employees feel connected to the global team?

So we've talked a lot about being in region, experience in region, the expectations of the person, what are we doing, because we are all actually San Francisco based, what are we going to do to make sure that the people we hire feel connected to us feel connected to the wider team and the company?

At this point, I think, what almost a third or, you know, half of the company has never actually been in an office, because they've been hired since the beginning of COVID.

So once this kind of, you know, changes, what are we going to do to make sure that they feel just as much a part of us as they do to their local team?

Yeah, I think we've touched on a few of those things.

And the most important thing is that we need to be intentional and respect the different time zones that all of our employees are in.

We've, I think, gotten a lot better at that because of COVID.

In terms of, like, scheduling meetings with people, we respect when they block off time in their calendar, it says do not schedule meetings, we don't schedule meetings.

We, if we need to find a time where we need to bring together people from three different continents, we'll coordinate and figure out, like, where people have flexibility and where they don't.

And then we'll all make sacrifices for each other.

We won't just ask the people in one region to make, you know, sacrifices on time for everyone else.

Like I mentioned, we'll adjust the calendar so that, you know, it's inconvenient for us in California sometimes, so that it can be convenient for people in other regions.

And we'll consistently do that.

We've started doing that with our team meetings. As a company, we've also started to record a lot more things so that people can view them at a convenient time for them.

We kind of divide meetings into different types. There's the type where we have conversations and make decisions, we need to all be in the same meeting at the same time.

But there are a lot where there's just information being shared, and those can be recorded and consumed at a flexible time.

And the next thing is we're going to travel. As we bring new people on, we'll ask them to come and visit other offices to experience how we do things in different places and to take back ideas for the new offices.

But we'll also go and spend time in those regions.

You know, I'm looking forward to being able to get back to traveling, to meeting a lot of members of our team who we've hired in the last year.

And I know like probably all four of us on this call will probably be spending time in Singapore before the end of the year.

And, you know, assuming that COVID -19 recovery continues to progress in the direction it's going right now, we'll embrace travel like that, spend time with each other.

So I think that we're going to, and then we're also going to need the people in the region to tell us other things to do.

Like I, we've empowered our European team members to raise their hand and say, hey, that meeting time is no good for us.

What are you doing there? And sometimes we just have to develop awareness and the way we're going to develop is by our local team members reminding us.

Yeah, I think we push transparency and a really positive feedback loop.

A lot of this company, I feel very empowered to speak my mind, whether I agree or don't agree with something, knowing that there's not going to be any kind of repercussion.

And I think it's important that we make sure that our teammates that are going to come on know that they also have that right.

Right. If something's really not working for them, we want to know, we don't want them to just say, just, you know, grin and bear it.

Let's talk about it. Let's get through something just because we want everyone to feel included and, you know, inclusive work means diverse work.

And that means being able to state when something's not working for you.

Yeah, Jack, I think, oh, sorry, go ahead, Priscilla.

Yeah, I think I just want to echo what Joanne, Jack was mentioning in terms of how thoughtful Cloudflare as a company, when we arrange meeting, all this is like, we think about other region, we think about the time zone that we are in and how in terms of connection, all this thing, but how flexible Cloudflare has become in terms of the work we accommodate as well.

So I think about being connected with other team member in Singapore, I feel that that would be something that we will definitely succeed in, in terms of being thoughtful, arranging the meeting one on one, definitely, and also our weekly team meetings.

Yeah, I think for me, since I like nighttime.

Well, I mean, people should also understand a little bit about the team they'd be joining.

This is a, like, I'm very proud to be part of this security team at this company, because I think there's some things that make it unique.

We have a real commitment to diversity, even as we were just hiring, even when we were just hiring in the United States, initially, we really focused on building a diverse team.

And we recognize that a diverse team needs to have a culture of communication and openness because we come from such different backgrounds experiences and cultures, we have to be comfortable speaking up and pointing out our different perspectives.

That's how we get to the best decisions, is we have a diversity of ideas, we debate them.

And then we try and pick the best ones. And so culturally, we have a team that's comfortable with with anybody on the team raising their hand and stating a different opinion on how to do something.

And we, I think that's helped us as we've grown and expanded around.

Now, I think it's one of the gratifying things to about working in security is you get to work with smart people who have often have a strong opinion about, about things.

And you get a lot of that interaction.

And you learn things from your teammates. And that's it in a healthy environment.

That's very positive. Yeah. Yeah. So we only have a few minutes left.

So I want to thank Joe, Priscilla and Matt for being here today. As for our viewers, if you or someone you know, might be interested in the roles that we've discussed, you can apply on the Cloudflare careers website, or you can reach out to Priscilla, Matt, or I on LinkedIn.

And we can maybe start some conversations, talk a little bit more about what we have.

Right, it's perfect that we're ending on our diversity note, because we are actively seeking candidates with different backgrounds, different experiences to kind of round us out.

Any final thoughts from anybody?

I would add that these aren't going to be the only roles that we're hiring in the region.

So for people who might be watching who are interested in a security career at Cloudflare, just because these roles might not fit with your experience doesn't mean you shouldn't keep an eye on our careers page.

We're definitely committed to these being the first of many hires that we do in the region over time.

And so we're going to be looking for people who can can support all of our teams, whether it's enterprise IT system security, product security, infrastructure security, governance, risk and compliance, we're going to be looking for people who can help us navigate the certifications that are most valued in the region.

And we need your feedback on what certifications we should aim for next that will help us grow and succeed in from a business standpoint in the region.

So we're definitely open to hearing from people who don't necessarily fit the roles we have right now, because we're going to be growing a lot in the time.

I see we have 30 seconds left of the session.

So we think we can all just wrap up by saying, thank you to everybody who joined us.

And we look forward to seeing your resumes. Yes.

Thanks, everyone. All right. Happy applying. Transcribed by