From YouTube: Understanding Compliance: Meghan Maneval
Description
The Compliance group at GitLab is experimenting with a video series that highlights compliance as a business function and the professionals who comprise these teams. Our hope is we can highlight the value added by these teams, help shift organizational mindsets about compliance, and find opportunities for GitLab to help improve their quality of life.
Meghan is a Risk and Field Security Manager at GitLab and took some time out of her day to talk to me about what Field Security is and how her team supports the Security Compliance and Customer Success teams at GitLab.
B: Yeah, absolutely, thanks so much for having me. My name is Meghan Maneval. I am the manager of Risk and Field Security here at GitLab. I've been here just since the end of July, so a couple months, so I'm really enjoying my time here. So thanks for having me here.
B: Yeah, you know, it's funny, because I think risk, people don't have a general understanding of risk, but field security is one of those terms that most people don't know. We combine them here at GitLab to kind of form a holistic team that handles internal and external security risks. So, focusing on the field security side, you can kind of think of that as like customer security or customer risk. So we act as that point of contact with our customers or our prospects throughout the sales and renewal processes.

B: We know that our customers are going to have questions about security, and it's really our job to alleviate those concerns and questions and make sure that they're comfortable using GitLab and contracting with us. Our second function is really sort of the mirror image of that, which is vendor security. So we look at the vendors that GitLab contracts with, and we do basically what our customers do to us. We evaluate that vendor. We identify any risks that might be associated with them and help the business understand if that risk is acceptable or not.

B: And then our third main function really has to do with the internal security operational risks, so those are really more of like your tier two escalated risks, and we identify those a lot of times through just some ad-hoc risk assessments, and also we have an annual risk assessment process that we do there. So.
B: Yeah, so I think we have kind of two main avenues for that. So first we talk about our value to the greater security department. We have a huge security department, different teams: security, you know, response, incident response, vulnerability testing, I mean, you name it. We have a team for everything, and it would really be impractical if other GitLab team members or our customers had to go directly to those teams to get that information. It would throw off their whole processes.

B: They'd take more time answering questions, so I would hope that my fellow security managers would agree that our team adds value in that we act as sort of that shield between those external requests and the security department. So we try to answer and triage, you know, let's say about 95% of those requests that come in, and then, if there's a couple things that we do need to escalate to the other security managers, you know, it's a much more reasonable impact on their teams.

B: So hopefully my fellow managers agree with that, but also for GitLab as a whole. We really look for things that could negatively impact our growth, right, and our goals. So I think of it similarly to some of your car's safety features, right. We all know nowadays you have, you know, your backup camera, your lane assistance. You have all these doodads and stuff that keep you safe, and that's really what we try to do. So Sid is driving this car. He wants to move fast. He wants to, you know, hit those curves and just go, but having us in the background identifying what could go wrong, we help make that car go faster. So, if you think of us, you know, field security is like your insurance. You know, we identify those new things that are out there that could impact.
B: Maybe your third party security is your, I don't know, your lane assistance, right: don't go into this lane, you could get hit. And from operationally inside, you know, we're your check engine light. We're the ones who are going to identify that risk and say, hang on a second, Sid, we've got to fix this, you know, before you make that road trip. You need to change your oil. So I think that having us in the background allows GitLab to grow and to go faster, because we're like that security net there.
A: Yeah, that's perfect. That makes perfect sense as well. Can you tell me a little bit, kind of on that note as a follow-up, either some sort of anonymized anecdotes or maybe specific examples of, you know, how your team helped to maybe shorten the sales cycle time, or won favor with the customer, or sort of those outcomes?
B: Yeah, absolutely. Actually, I think this is a really great benefit of GitLab, is our transparency. I've worked for companies in the past where we had to do a lot more work on the field security side answering those customer questions, because the self-service resources just weren't there. And we've, actually, I mean, I've only been here two months, but I've probably heard four or five times, from whether it's our, you know, the account manager, the SA, saying like, hey, the customer was really, you know, excited about our customer assurance package, right.

B: You know, here's our SOC 2 report. And we've heard that back from customers, that it really speeds up their due diligence process, because all of our documentation is ready to go and in one place. And so that's really where we like to hear that, because that's one of our goals is, you know, increasing that revenue and supporting the sales team to help the organization grow. So being able to hear that feedback has been really great. It really solidifies that.
A: Gotcha. And so you mentioned one of the nice things about GitLab is the transparency. So let's talk about the not so nice. Like, what do you find to be most challenging about working within GitLab in this compliance context?
B: Yeah, so it's the same answer: it's the transparency. You know, I think it's ironic, because it is a huge mindset shift when you come to an organization as transparent as GitLab. Most organizations, they want to keep their security information close to the chest to avoid, you know, potential downfalls. I love the model that has been put in place, and I love the fact that we can give our customers those self-service resources there.

B: But I also think that, you know, it's hard for a lot of our customers' security teams too, to recognize that. They're almost like, they're digging more. They want to know, like, well, what's the catch? What's the thing you're not sharing? And so sometimes I see them dig in a little bit more because we're transparent. It's like that double-edged sword, but I think it's really awesome. Also, you know, our product really aligns well, so that our customers, using our product, can use our product for security.
A: Yeah, totally get that. I have definitely felt that pain myself for different reasons, where it's an adjustment, but then, like, once you get used to it, it's still an adjustment, exactly. And so, what, you know, let's talk about you as the professional for a second. And so what are the types of things that you think about after work?
B: Yeah, you know, it's funny, because I'm definitely one of those people whose mind never really shuts off. You know, don't get me wrong, I do take my time to step away from work, but what I mean is a lot of times I'll do my best work or my best thinking when I'm not sitting at my desk. You know, I might be out in the kitchen making dinner and I think, like, oh, I have a really great response for, you know, this question that I got, or I have a really great idea on how to apply this risk treatment plan. And so I think that, you know, even sometimes talking to my family, they'll give me a great idea, and I think that that's valuable in your work-life balance. I also think the fact that I'm a people manager also carries over after hours. I think about my team, you know, often, and what I can do to support them.

B: So if I'm reading a book or an article, I might think, like, oh, this would be a really great resource for this person. You know, they told me in my last one-on-one they were challenged with this. Let me help and figure out a way. So I do think about them a lot. I think about my work a lot, but I don't know that it's necessarily active. Sometimes it's just passively, like, oh, this would be a great addition or a great, you know, resource for someone, especially hiking.
A: Yeah, that's relatable. I think some of the best moments of clarity I've had is when I've just finished prepping lunch and I'm sitting there just trying to relax, and it's like, oh, that one thing, I just had an epiphany. Yeah, hiking, I'm usually trying to, like, gasp for air, but that's a different issue. So how.
B: Yeah, that's a really great question. We've had a lot of conversations lately about some of the regulated markets, because, oh my gosh, the compliance requirements, it's extremely complex. Depending on the industry that that customer is coming from, there could be one, there could be more new requirements that we just haven't gotten in the past. You know, and I hate to say that as a, you know, we've never been asked for this, but to some degree, you know, you have to rely on that.

B: We provided compliance information for the industries that we knew our customers lived in, and we've made changes over the last couple years. I'm sure you've seen, with our new SOC reporting, you know, we're making steps to provide, again, that transparent and self-service information. But I think the biggest challenge that we have, and in turn our customers have, is really identifying what those requirements are, and then also recognizing that there's two sets of customers.

B: You know, we have on-prem, and we have, you know, self-hosted on-prem, and then we have SaaS customers, and those requirements are going to be different. And so really it's just having those conversations with the customer up front and understanding: What is the requirement for your industry? What is the requirement for your instance? You know, is it going to be with us? Are you self-hosting? And then crafting what that security plan looks like.

B: I don't think there's a customer out there that has the exact same security configurations, you know, but that's our job at GitLab, is to help them meet in the middle and figure out: What are your requirements, and how can we support them? And so I think it's just, like I said, having those conversations early on with our customers and understanding what their needs are.
A: Yeah, that all makes sense, and it actually reminds me of a follow-up question there, which is, I'm not sure how to ask it, so I'll just kind of fumble through it. But, generally speaking, I think it's difficult to delineate between the requirements that an organization has because they're just maybe a risk-averse entity, and maybe they're a little bit more strict than the actual compliance framework's requirements. You know, SOC 2 has generally non-prescriptive requirements, and so the degree to which a company meets that can vary.
B: Yeah, that's a really great question. I don't think that there often is the clear line, sometimes, because, if you think about it, if you're, let's just take healthcare, right, let's pick HIPAA, that's the US compliance framework. So if you're an organization and you're in healthcare, and you say we have to be HIPAA compliant, okay, but that means different things to every organization. The controls that that organization puts in place to become HIPAA compliant are unique to that organization.

B: Well, that's not really a yes or no question, because that can mean different things to different customers. And so that's why we go at that higher level with the control frameworks that are more, I don't want to say ambiguous, but they're a little bit higher level, and it allows our customers the ability to customize at their level but know that the spirit or the intent of the control is still being applied at GitLab. So that's been our approach a lot of the times, is to kind of uplevel that and say, here's how we address that particular control family or that particular concern, without necessarily getting into the weeds of each and every requirement.
A: Gotcha, yep, makes sense. So I want to ask you about, just kind of coming back to the start of our conversation about you as the professional. So can you elaborate on how much time, or like how long have you been in the compliance space, and as a follow-on, what would you tell someone who's maybe considering getting into the space, or maybe even, actually, let's start with those and then I'll have a follow-up. I don't want to front-load it too much.
B: Okay, no problem. So essentially my entire career I've been in some form of security or compliance role. I started right out of college as an IT auditor for an insurance company. I'm not going to say how long ago that was, but that was my first job in compliance. I then worked for a while as an.
B: At one point I was the technical manager for security, for vulnerability management, risk management functions, and even dabbled a little bit in network and voice configurations at one point, and leading a network team. So a lot of different roles, and I think that kind of leads into what your second question was, is kind of advice for the new, the next generation, if you will, is learn as much as you can about, or I should say, learn enough about a lot of different things.

B: You don't have to be an expert in every single control family. You don't have to be an expert in every compliance framework, but if you understand the intent or the spirit of a lot of those areas, you know, like.

B: One of the other things too that I would recommend is finding someone experienced in the field and aligning with a mentorship. I've done this fairly often with graduates from my alma mater, as well as just other folks within the industry. Shameless plug: if anybody wants to connect with me on LinkedIn, it's Meghan Maneval. I am happy to accept that connection and help with whatever questions anyone has, or, you know, potential mentorships in the future, and really too, joining some of those, like, LinkedIn groups.
A: Awesome, yeah, thanks for all that background. The final question I have for you, which was the follow-on, okay, is, I like, one of the reasons I wanted to do these videos is to help build empathy, because I think oftentimes the stigma holds true, where non-compliance professionals feel like they're at odds with compliance professionals, despite the value and the path that they're both on to protect or serve or build value in the business, right. And so if there was one thing that you could, you wish your non-compliance professionals or peers knew about your job that you felt might help build that empathy, what would you say to them?
B: I think I would go back to the analogy that we talked about earlier with the car, and just remember that if your car didn't have brakes, you wouldn't be driving 70 miles an hour, right. We are your brakes. We're your backup, okay? We're there to help you! So don't, you know, don't neglect your brakes; get your brake pads changed. You know, but just remembering that, yes, we do inject a bit of friction into some of our processes, but that's intentional. You know, we want to.

B: We want to inject ourselves into that vendor selection process to make sure that we're not trying to slow it, but that everybody's looked at all of the risks associated. You know, sometimes you get so excited, like, oh, this vendor's great, and you get those rose-colored glasses and you don't see it. So just remember, you know, we are here for a purpose, we're here to help. You know, we're people too. So just remember that. But no, I haven't honestly felt too much pushback.

B: You know, there's questions. Obviously there's going to be questions, you know, when we ask for things, but just remember we're here to help and support GitLab as a greater organization.
A: Cool, yeah, thanks for that answer. I think that's perfect. So, yeah, I think that pretty much sums it up for me. Any last comments or questions for me before we close out?
B: Well, I just want to thank you so much for highlighting my team. You know, I certainly couldn't do it alone, and for those of you at GitLab, if you've had any interactions with Devon Harris, Jennifer Blanco, Steve Trung, they're amazing. Feel free to reach out to any one of us. We'd love to continue conversations about this, and thanks so much for having me, Matt.