From YouTube: Understanding Compliance: Liz Coleman
Description
The Compliance group at GitLab is experimenting with a video series that highlights compliance as a business function and the professionals who comprise these teams. Our hope is we can highlight the value added by these teams, help shift organizational mindsets about compliance, and find opportunities for GitLab to help improve their quality of life.
Liz is a Sr. Security Analyst, Compliance at GitLab who came from a background in external, independent auditing and now supports GitLab's mission to achieve various compliance certifications.
A
So cool. So, Liz, thanks so much for joining me on the call today. I don't know if you've seen the video with Jeff, but I'd like to go through a similar experience here with you, where I just want to pick your brain as a security compliance professional here at GitLab, with your background as a former auditor and in the compliance space, and try to give you the platform to build some empathy and educate non-compliance professionals about what it is.
B
Yeah, absolutely. My name is Liz Coleman and I'm a Senior Security Analyst in the Compliance group here at GitLab. I've been with GitLab about nine months or so, but I've been in the compliance space for a little over 10 years, probably, now at this point in time. As you mentioned, I was an external auditor prior to this, specifically in kind of IT audit and assurance, and then I've held a number of kind of compliance, risk and compliance type roles throughout my career up until here at GitLab. Now I'm a security analyst in the compliance space, so yeah.
A
Cool, thank you for that. So I want to just start by having you describe for me some of the common themes you've experienced across those jobs in terms of, you know, the challenges that you would face in trying to do your job, either as an auditor or in those GRC type roles, or even here at GitLab. Like, just kind of tell me, what's the most challenging thing about the day-to-day?
B
Yeah, sure. So my job, usually, like the kind of foundational pieces, are controls and control frameworks and obtaining certain certifications or maintaining certain certifications, and I think some of the most challenging pieces of that position or that job is the kind of constant evolution of evidence collection, ensuring you're keeping up to speed with what's current, and then kind of documenting them and evidencing them and providing them to external auditors or to kind of external parties. So the biggest challenge would be to constantly manage that evolution and kind of evidence piece as, you know, corporations mature and grow their compliance objectives.
A
Yeah, and I know that's a pretty broad topic too, when we talk about, like, evidence and the collection of it. Can you maybe give me just one example of how you're currently collecting evidence today for a particular control, and where you see opportunity to improve that, that would make your life a bit easier?
B
Yeah, sure. So it's something that all corporations, I'm sure, have to deal with from an evidence and a compliance perspective, or, let's say, like, user access reviews, right. So those aren't things that are really static; they're changing all the time, and so you're always having to keep up with collecting, like, a current list of users to a system, a list of users, and validating that those are online, and that terminated users are actually being terminated, and that new users that are being onboarded kind of match their level of access within certain systems. So that's an ongoing challenge that we're working through here at GitLab, and just something that will always be the case for, let's say, a user access review control or something like that.
A
Yeah, and so, kind of still in that particular example, are there, you know, quick wins or things that you find you've been able to build processes around that have made it a little bit easier? Or, like, tell me a little bit about how you're finding those quick wins or those improvements.
B
Yeah, a quick win that we've had recently is we're starting to automate things, or we're looking into automating as many things as we can in that space. So here at GitLab we work with Okta as our single sign-on, and so we were able to automate that kind of Okta user access list and kind of have that subset kind of at the ready in terms of being able to validate that against other evidence for maybe other specific systems.

B
Boy, that's a good question. I would say... Yeah, absolutely, we have a lot of systems and, you know, with Okta being kind of the main pass-through, it's been a lifesaver for sure.
A
That's really cool. And so, before you were able to automate that, were other people involved besides you, or was it just you having to comb through, like, you know, the comparison of GitLab versus Okta and the profiles? Or can you maybe walk me through a little bit about: did anyone help you before, and what did that process look like before, in a little bit more detail?
B
Yeah, sure, yeah. So we had to work with kind of a number of different teams; like, the IT Ops team played a big role in that. Then, of course, from a compliance perspective, we had to look through, once we kind of obtained lists, we were looking through issues and user access requests, and, you know, kind of one-off things, in order to validate certain pieces of that information. And then you're working directly with managers of the individual themselves to kind of ensure that certain access levels are actually appropriate, or that what they have noted as access matches role and job responsibilities. So yeah, there are kind of a number of groups that get involved to kind of validate these lists and kind of roles and responsibilities within the lists themselves. So yeah, did that answer your question?
A
Yeah, yeah, absolutely. Oh, and I think that's a common challenge too, right, is that the compliance team are not the sole people working on these things. It usually requires other people be involved and participating, and I just wanted to highlight that because I think that's an important thing, and I don't want to circle back to it here in a second. But so, just for clarity, what I understood is that previously you would have to take a list of, let's say, GitLab team members, find out the list of systems or resources they had access to, cross-reference that with the managers and what actions or artifacts they created to grant those access privileges, and you were working with, it sounded like, two or three different departments or teams within GitLab to construct all of this data. Is that correct so far?
B
We can spin up the access list kind of whenever we need to, on the fly, and then we're starting to automate other systems' user lists as well, and so that eliminates the need to reach out to system owners and request lists that way. We still have to kind of validate on the back end any access that we find that might not necessarily align with job roles or responsibilities, or just verify that information, but yeah, pulling the lists themselves really through automation eliminates the need to kind of reach out to additional groups.
A
Yeah, and it's a really important detail, because, you know, we talk about how you saved, you know, maybe six to eight hours a month, but that doesn't factor in the, you know, X number of people across Y number of teams that were also participating. And let's just assume, for the sake of argument, they were also spending, let's call it, three or four hours a month supporting you on this, and maybe that's a really conservative estimate, but in aggregate now you're talking about, like, dozens of collective people-hours to do this one particular control, and that's only the one control, right. So I really appreciate you painting that full picture. And I don't know if you necessarily know the answer to this one, but I'd be curious what your sense is for, you know, the old process versus the new. You mentioned that these other teams no longer had to be involved. So what was the process like, working with these other teams to figure out, "hey, I need this thing, I need your help to get it," and then that conversation evolving into, like, "well, how do we automate this to then make this easier for all of us in the future?"
B
Yeah, it's a good question, and I have to be honest, I didn't play a very large role in kind of the automation piece, but Nick on the team would be a great resource to get some additional information on that. I don't know if I can answer that.
A
Where you see opportunity for some of... or actually, let me take that back. Let me ask you something I asked Jeff as well, because I think maybe you have some more direct experience here, which is: what is something that you don't feel is done particularly well by any application in service of GRC functions? Like, is there something where "I wish this product or service existed, because it would make this part of my job so much better," or anything like that?
B
Yeah, it's a good question. I feel like something that I've struggled with in multiple roles from the compliance space is probably just the... Evidence and controls kind of go hand in hand, yet they also blur together, right. So depending on kind of the category within the control and the various types of evidence that it's pointing to, there could be a lot of overlap, and I've always found it kind of difficult; evidence comes in all sorts of different ways and types.
A
Yeah, fair enough, and I know what you're talking about, I think, because, as somebody who is on the receiving end of an audit, I guess, you know, even when we get access to a portal and we're told to upload evidence, that user access report might service six different controls, even though it's the one file, and so trying to map those together in a way that lets you very easily go in and find these different things, I can appreciate as being a very difficult part of that job.
A
Well, so I know we've talked about, you know, challenges and difficulties and kind of the struggle there, but maybe we can flip it now to talk about some of your favorite parts of the job. Like, what is it you enjoy most about what it is you do? And that could be specific to doing it at GitLab, or in previous roles, or both, but I'd like to hear a little bit about that.
B
Yeah, I think the thing that keeps me happy in this kind of compliance space is I feel it's really kind of a helping role, in a sense. Not only, you know, I know compliance might not have, like, the best rep, and people look at it maybe as additional work, but I feel like I appreciate my job in a sense that I feel like it's helpful to many layers of an organization, and I really feel like compliance is kind of that blanket or layer between kind of external auditors and external requirements and what's kind of happening and functioning on the inside, and so I like being able to kind of protect...
A
Yeah, and I appreciate you sharing that. I agree with all of that. It's a good segue into another question I have tied to that, which is, you know, I've heard professionals describe it this way, and I subscribe to this philosophy, that compliance is a mindset. I think it's also used to describe security: security as a mindset. And so, you know, (a) do you agree with that, and (b) what have you found, if anything, to be one of the more valuable or effective ways to help shift that paradigm from "oh gosh, like, compliance is just ruining my life and disruptive" to "hey, like, I recognize that they are our guardian and our safety blanket and they're here to support me"? Hopefully that makes sense.
B
Yeah, it does. I don't know, I feel like it comes down to kind of building trust and relationships with kind of stakeholders and people, both on the external audit side and kind of internally within the organization. And then once you actually start going through audits, right, I feel like the folks within the organization can see that that buffer is actually there and three quarters of the work is being done and handled by the compliance team, because of all the other back work that we've worked out. So no one's hair is on fire, right; there's no barn burners out there, and it's kind of a much smoother and easier flow, because all of the information has been kind of tracked and worked through over the course of time, and then we're able to kind of be that buffer and that deliverable piece and then minimize impact. So I feel like once you actually see that and go through that... You know, reaction or, you know, one major push kind of thing, so I think that's helpful.
A
Yeah, no, I agree with you, and I think too, it's also, I guess, the typical growing pains of, you know, GitLab was not formally certified or audited against these frameworks up until recently, I believe, with SOC 2 Type 1, and so it's that compounding pressure of not only are we kind of, like, learning how these processes should work here at GitLab, but then we also have these, like, looming, large demands of being the first time going through these processes. So I'd be curious from your perspective: do you find that the all-remote environment or the GitLab culture, or anything about being at GitLab, has made it easier, has made it more difficult, or, like, how does that play into it, with your experience in these paradigms?
B
Yeah, it's a good question. I'd say a little of both. So, you know, I get a lot... because we're async, it's great, because that means everything is really documented, and we're really hard at documenting information, so it can be kind of self-serve. But that also can be a negative, in a sense that information is not always updated, or it's hard to kind of know maybe the single source of truth for various pieces of information or processes. So I would say a little bit of a blessing and a curse there. And then sometimes with the async, it's maybe difficult to kind of reach out or have conversations with specific, let's say, control owners or stakeholders, just due to, you know, distance and time zones and just kind of the async nature of how we choose to work. But nothing that can't be overcome; it just sometimes might require a little more elbow grease or a little more planning. But yeah, I'd say those are some things that have been challenges.
A
So I think one of the things I want to unpack a little bit more, because I don't know if we explored it too much, but are there things, maybe on the tail of that last answer, but working at GitLab, have you found that there has been any particular process or experience that you felt really was a positive for shifting that mindset, where, if somebody was previously a bit resistant to participating or supporting a compliance task or program, that you did something or had some experience and now they're more receptive to that supporting role, or anything like that?
B
Yeah, I would say so. So I think kind of conducting walkthroughs, in a sense, with certain stakeholders, so maybe really kind of setting that expectation, kind of a face-to-face or a person-to-person meeting, so that they can ask questions and we can ask questions and maybe have a better understanding of where some of these requests and things are coming from, versus just creating an issue and asking for something. And then I also feel like, so on the back end, the compliance group is kind of starting to work hard at documenting processes and procedures, and then kind of presenting that to the control owners or stakeholders to kind of review and approve, in a sense, so that we can use it as kind of self-serve tools to external auditors or other, you know, other compliance-related activities moving forward. So it kind of saves them time in the end, and then it also kind of ropes them into the process to some degree. And so we found that's helpful, so that when they're moving forward or changing processes on their end, the stakeholder or control owner end, they tend to loop in security compliance a little more and just either ask for feedback or just a heads-up: "hey, we're changing this approach. Is that going to, you know, cause any issue from a compliance or security perspective?" So we've definitely seen that happen as we've continued to kind of build our compliance effort and kind of make our voice heard here at GitLab. So that's been a really positive experience, a positive thing that's come out of it all.
A
I think the final question I have for you is: who would you say, and I'm assuming it'll be, like, a team or something, but, like, who is the top requester of information or some sort of output from you on the security compliance team? And, for example, I would imagine that customer success would often come to you and say, "hey, like, what is GitLab's certification on..." or, like, status with SOC 2, or what are our security controls in place for this thing that an enterprise customer is concerned with, with us as a vendor?
B
I think you hit the nail on the head there. I would say it'd probably be the customer success team, and whomever else kind of supports customers in such a way that they need verification of our kind of security and compliance efforts and kind of what our roadmap looks like from a compliance perspective and where we're trying to focus and pursue.
A
Okay, so I lied, two more quick questions. So, along that same line of thinking, if you had to kind of guesstimate and quantify it in some way, what is the volume of these requests, like X number a week or a day? Like, how often are you receiving these?
B
I honestly don't know exactly. So we have now a new kind of Field Security team that is kind of handling all of that day-to-day work, and I guess often enough that we have now a whole Field Security team to kind of manage all of the requests and asks from that perspective, which is now four team members strong. So, I mean, I would say the volume is fairly substantial; quantify, I couldn't. I'm not really... no, officer.
A
Sure, no, that's fair enough. So I'll actually not ask the next question, because I think it's along that same line where it'd probably be better for, like, Field Security or Customer Success. But my point in asking those is: I really want to drive home the point that the security compliance team is valuable, and, like, without people like yourselves serving this really important function, you know, internally here at GitLab, whenever we would get those requests from a customer to say, "hey, like, what are your controls for this, or how are you meeting this? How are you securing our data?" we wouldn't be able to provide anything, or at least not in nearly as efficient a time frame or manner as what you and your team do. So I just wanted to try to highlight that with some of those questions, but I think this call has been great for that anyway. So thanks for taking the time.
B
Yeah, absolutely, yeah. The more certifications we get, the easier it is to kind of present that information and, you know, not fill out kind of one-off requests and things like that. So yeah, absolutely, anytime.