►
From YouTube: Understanding Compliance: Liz Coleman
Description
The Compliance group at GitLab is experimenting with a video series that highlights compliance as a business function and the professionals who comprise these teams. Our hope is we can highlight the value added by these teams, help shift organizational mindsets about compliance, and find opportunities for GitLab to help improve their quality of life.
Liz is a Sr. Security Analyst, Compliance at GitLab who came from a background in external, independent auditing and now supports GitLab's mission to achieve various compliance certifications.
A
So
cool
so
liz
thanks.
So
much
for
joining
me
on
the
call
today,
I
don't
know
if
you've
seen
the
video
with
jeff,
but
I'd
like
to
go
through
a
similar
experience
here
with
you,
where
I
just
want
to
pick
your
brain
as
a
security
compliance
person
professional
here
at
get
lab
has
been
with
your
background
as
a
former
auditor
and
in
the
compliance
space.
Try
to
give
you
the
platform
to
build
some
empathy
and
educate
non-compliance
professionals
about
what
it
is.
A
B
B
Probably
now
at
this
point
in
time,
as
you
mentioned,
I
was
an
external
auditor
prior
to
this
specific
and
kind
of
it
audit
and
assurance,
and
then
I've
held
a
number
of
kind
of
compliance
risk
and
compliance
kind
of
type
of
roles
throughout
my
career
up
until
here
at
gitlab.
Now
I'm
a
security
analyst
in
the
compliance
space,
so
yeah.
A
Cool
thank
you
for
that.
So
I
want
to
just
start
by
having
you
describe
for
me.
Some
of
the
common
themes
you've
experienced
across
those
jobs
in
terms
of
you
know
the
challenges
that
you
would
face
in
trying
to
do
your
job,
either
as
an
auditor
or
in
those
grc
type
roles,
or
even
here
at
gitlab.
Like
you
just
kind
of
tell
me,
what's
what's
the
most
challenging
thing
about
the
day-to-day.
B
Yeah
sure
so
my
job
usually
like
the
kind
of
foundational
pieces
are
controls
and
control
frameworks
and
obtaining
sort
of
certain
certifications
or
maintaining
certain
certifications,
and
I
think
some
of
the
most
challenging
pieces
of
that
position
or
that
job
is
the
kind
of
constant
evolution
of
evidence.
Collection,
ensuring
you're
keeping
up
to
speed
with
current.
B
And
then
kind
of
documenting
them
and
evidencing
in
them
and
providing
them
to
external
auditors
or
to
kind
of
external
parties,
so
biggest
biggest
challenge
would
be
to
constantly
manage
that
evolution
and
kind
of
evidence
piece.
As
you
know,
corporations
mature
and
and
grow
their
compliance
objectives.
B
Yeah
sure,
so
it's
something
that
all
corporations,
I'm
sure
have
to
deal
with
from
an
evidence
and
a
compliance
perspective
or,
let's
say
like
user
access
reviews
right.
So
those
aren't
things
that
are
really
static,
they're,
changing
all
the
time
and
and
so
you're
always
having
to
keep
up
with
collecting
like
a
current
list
of
users
to
a
system
list
of
users
and
validating
that
those
are
online
and
that
terminated
users
are
actually
being
terminated
and
that
new
users
that
are
being
onboarded
kind
of
match
their
level
of
access
within
certain
systems.
B
Yeah,
a
quick
win
that
we've
had
recently
is
we're
starting
to
automate
things
or
we're
looking
into
automating,
as
as
many
things
as
we
can
in
that
space.
So
we
have
here
at
gitlab
we
work
with
opta
as
our
single
sign-on,
and
so
we
were
able
to
automate
that
kind
of
octa
user
access
list
and
kind
of
have
that
subset
kind
of
at
the
ready
in
terms
of
being
able
to
validate
that
against
other
evidence
for
maybe
other
specific
systems.
B
A
B
A
That's
really
cool,
and
so
before
you
were
able
to
automate
that
were
other
people
involved.
Besides
you
or
was
it
just
you
having
to
comb
through,
like
you
know
the
comparison
of
lab
versus
octa
and
the
profiles,
or
can
you
maybe
walk
me
through
a
little
bit
about?
Did
anyone
help
you
before
and
what
did
that
process?
Look
like
before
a
little
bit
more
detail.
B
A
Yeah
yeah,
absolutely
oh,
and
I
think
that's
that's
a
common
challenge
too
right
is
that
the
the
compliance
team
are
not
the
sole
people
working
on
these
things.
It
usually
requires
other
people
be
involved
in
participating,
and
I
just
wanted
to
highlight
that
because
I
think
that's
an
important
thing
and
I
don't
want
to
circle
back
to
it
here
in
a
second,
but
so
just
just
for
clarity.
What
I
understood
is
that
previously
you
would
have
to
take
a
list
of
let's
say:
git
lab
team
members
find
out
the
list
of
systems
or
resources.
A
B
A
Let's
call
it
three
or
four
hours
a
month
supporting
you
on
this,
and
maybe
that's
a
really
conservative
estimate,
but
in
aggregate
now
you're
talking
about
like
dozens
of
collective
people
hours
to
do
this
one
particular
control
and
that's
only
the
one
control
right.
So
I
really
appreciate
you
painting
that
full
picture-
and
I
don't
know
if
you'll,
if
you
necessarily
know
the
answer
to
this
one,
but
I'd
be
curious.
What
your
sense
is,
for
you
know
the
old
process
versus
the
new.
A
You
mentioned
that
the
these
other
teams
no
longer
had
to
be
involved.
So
what
what
was
the
the
process
like
working
with
these
other
teams
to
figure
out
hey?
I
need
this
thing.
I
need
your
help
to
get
it
and
then
that
conversation
evolving
into
like
well.
How
do
we
automate
this
to
then
make
this
easier
for
all
of
us
in
the
future.
B
A
A
Where
you
see
opportunity
for
some
of
or
actually
let
me,
let
me
take
that
back.
Let
me
let
me
ask
you
something
asked
jeff
as
well,
because
I
think
maybe
you
have
some
more
direct
experience
here,
which
is
what
is
something
that
you
don't
feel
is
done,
particularly
well
by
any
application
in
service
of
grc
functions
like
is
there
something
that
I
wish
this
product
or
service
existed,
because
it
would
make
this
part
of
my
job
so
much
better
or
anything
like
that.
B
B
Evidence
and
controls
kind
of
go
hand
in
hand,
yet
they
also
blur
together
right
so
depending
on
kind
of
the
category
within
the
control
and
the
various
types
of
evidence
that
they'd
be
put
that
it's
pointing
to.
There
could
be
a
lot
of
overlap
and
I've
always
found
it
kind
of
difficult
evidence
comes
in
all
sorts
of
different
ways
and
types.
B
A
Well
so
I
know,
we've
talked
about,
you
know,
challenges
and
difficulties
and
kind
of
the
the
struggle
there,
but
maybe
we
can
flip
it
now
to
talk
about
some
of
your
favorite
parts
of
the
job
like
what
is
it
you
enjoy
most
about
what
it
is
you
do
and
that
could
be
specific
to
doing
it
at
get
lab
or
in
previous
roles
or
both.
But
I'd
like
to
hear
a
little
bit
about
that.
B
A
Yeah-
and
I
I
appreciate
you
sharing
that
I
I
agree
with
all
of
that-
it's
a
good
segue
into
another
question
I
have
tied
to
that,
which
is
you
know,
I've
heard
professionals
describe
it
this
way.
I
subscribe
to
this
philosophy
that
compliance
is
a
mindset.
I
think
it's
also
used
to
describe
security
security
as
a
mindset,
and
so
you
know
a
do.
A
You
agree
with
that
and
b
what
what
have
you
found
if
anything,
to
be
one
of
the
more
valuable
or
effective
ways
to
help
shift
that
paradigm
from
oh
gosh,
like
compliance,
is
just
ruining
my
life
and
disruptive
to
hey,
like
I
recognize
that
they
are
our
guardian
and
our
safety
blanket
and
they're
here
to
support
me.
Hopefully
that
makes
sense.
B
Yeah
it
does,
I
don't
know
I
feel
like
it
it.
It
comes
down
to
kind
of
building,
trust
and
relationships
with
kind
of
stakeholders
and
people
both
on
the
external
audit
side
and
on
the
kind
of
kind
of
internally
within
the
organization,
and
then
once
you
actually
start
going
through
audits
right,
I
feel
like
you
can
like.
The
folks
within
the
organization
can
see
that
that
that
buffer
is
actually
there
and
three
quarters
of
the
work
is
being
done
and
and
handled
by
the
compliance
team.
B
Because
of
all
the
other
back
work
that
we've
we've
we've
worked
out.
So
no
one's
hair
is
on
fire
right,
there's,
there's
no
bar
and
burners
out
there
and
and
it's
a
kind
of
a
much
smoother
and
easier
flow,
because
all
of
the
information
has
been
kind
of
tracked
and
worked
through
over
the
course
of
time,
and
then
we're
able
to
kind
of
be
that
buffer
and
that
deliverable
piece
and
then
minimize
impact.
So
I
feel
like
once
you
actually
see
that
and
go
through
that.
B
A
Yeah,
no,
I
agree
with
you
and
I
think
too.
It's
also.
I
guess
the
typical
growing
pains
of
you
know
gitlab
is
was
not
formally
certified
or
audited
against
these
frameworks.
Up
until
recently,
I
believe
with
with
sock,
2
type
1,
and
so
it's
that
compounding
pressure
of
not
only
are
we
kind
of
like
learning
how
these
processes
should
work
here
at
gitlab,
but
then
we
also
have
these
like
looming,
like
large
demands
of
being
the
first
time
going
through
these
processes.
A
B
B
So
it
can
be
kind
of
self-serve,
but
that
also
can
be
a
negative
in
a
sense
that
information
is
not
always
updated
or
it's
hard
to
kind
of
know,
maybe
the
single
source
of
truth
for
for
various
pieces
of
information
or
processes.
So
I
would
say
a
little
bit
of
a
blessing
and
a
curse
there
and
then
sometimes
with
the
async.
It's
maybe
difficult
to
kind
of
reach
out
or
or
have
conversations
with
specific,
let's
say:
control
owners
or
stakeholders.
A
B
And
then
I
also
feel
like.
So
on
the
back
end.
The
compliance
group
is
kind
of
starting
to
work
hard
at
document,
documenting
processes
and
procedures
and
then
kind
of
presenting
that
to
the
control
owners
or
stake
stakeholders
to
kind
of
review
and
approve
in
a
sense
so
that
we
can
use
it
as
kind
of
self-serve
tools
to
external
auditors
or
other.
B
You
know
other
compliance
related
activities
moving
forward.
So
it
kind
of
saves
them
time
in
the
end
and
then
it
also
kind
of
ropes
them
into
the
process
to
some
degree.
And
so
we
found
that's
helpful
so
that
when
they're
moving
forward
or
changing
processes
on
on
their
end,
the
stakeholder
or
control
owner
end,
they
tend
to
loop
in
security
compliance
a
little
more
and
just
either
ask
for
feedback
or
just
a
heads
up,
hey
we're
we're
changing
this
approach.
B
Is
that
going
to
you
know,
cause
any
issue
from
a
compliance
or
security
perspective.
So
we've
definitely
seen
that
happen
as
we've
continued
to
kind
of
build
our
our
compliance
effort
and
kind
of
make
our
voice
heard
here
at
get
lab.
So
that's
been
a
really
positive
experience.
Positive
thing,
that's
come
out
of
it
all.
B
I
think
you
hit
the
nail
on
the
head
there.
I
I
would
say
it'd,
probably
be
the
customer
success,
team
and
whomever
else
kind
of
supports
customers
in
such
a
way
that
they
need
verification
of
our
kind
of
security
and
compliance
efforts
and
kind
of
what
our
roadmap
looks
like
from
a
compliance
perspective
and
where
we're
trying
to
focus
and
pursue.
A
B
I,
I
honestly
don't
know
exactly
so.
We
have
now
a
new
kind
of
field
and
security
team
that
is
kind
of
handling
all
of
the
kind
of
that
day-to-day
work,
and
I
I
guess
often
enough
that
we
have
now
a
whole
field
and
security
team
to
kind
of
manage
all
of
the
requests
and
asks
from
that
from
that
perspective,
so
which
is
now
for
four
team
members
strong,
so
I
mean,
I
would
say,
the
volume
is
is
fairly
substantial
quantify
I
couldn't.
I
I'm
not
really
no
officer.
A
Sure,
no,
that's
that's
fair
enough.
So
I'll
actually
not
ask
the
next
question
because
I
think
it's
along
that
same
line
where
it'd
probably
be
better
for
like
field
security
or
customer
success.
But
my
point
in
asking
those
is:
I
really
want
to
drive
home
the
point
that
the
security
compliance
team
is
valuable
and
like
without
people
like
yourselves
serving
this
really
important
function.
A
You
know
internally,
here
at
git,
lab
whenever
we
would
get
those
requests
from
a
customer
to
say
hey
like
what
are
your
controls
for
this
or
how
are
you
meeting
this?
How
are
you
securing
our
data?
We
wouldn't
be
able
to
provide
anything,
or
at
least
not
in
nearly
as
an
efficient
time
frame
or
manner,
is
what
you
and
your
team
do.
So
I
just
wanted
to
try
to
highlight
that
with
some
of
those
questions,
but
I
think
this
call
has
been
great
for
that
anyway.
So
thanks
for
taking
the
time.