►
From YouTube: Understanding Compliance: Dennis Dayman
Description
The Compliance group at GitLab is experimenting with a video series that highlights compliance as a business function and the professionals who comprise these teams. Our hope is we can highlight the value added by these teams, help shift organizational mindsets about compliance, and find opportunities for GitLab to help improve their quality of life.
Dennis is an industry veteran in the digital communications space. He's a Chief Privacy Officer who has built or managed several compliance programs, primarily in the data privacy and security space.
A
Cool,
so
I'm
here
with
dennis
damon
he's
a
chief
privacy
officer.
I
met
him
in
the
during
my
time
in
the
email
industry,
but
he's
certainly
got
experience
beyond
that.
So
dennis
wants
you
give
a
much
better
introduction
of
yourself
to
kind.
B
B
As
matt
said,
I've
been
a
chief
privacy
and
security
officer
for
a
number
of
years,
actually
starting
my
career
to
be
honest
here
in
dallas,
where
I
helped
start.
What
we
now
know
is
att
internet
back
in
the
mid
90s
and
for
those
that
remember
that
time
period
it
was
when
we
didn't
have
high-speed
internet.
We
had
dial-up,
and
so
I
got
an
opportunity
to
sort
of
watch
the
internet
grow.
If
you
will
into
it's
it's
it's
form
that
it
it's
in
today.
B
You
know
we
were
still
back
then
using
you
know,
use
net
news
groups,
but
you
know
over
time.
You
know
you
know.
Things
have
changed
where
email
became
that
mainstream
media,
but
did
that
for
a
number
of
years
here
in
dallas,
between
18t
and
verizon,
and
then
decided
actually
to
flip
over
to
a
different
side
of
the
fence
and
digital
communication,
and
that
was
the
sending
side
and
that
was
working
with
email,
service
providers
and
technology
providers
on
helping
marketers
and
brands
and
build
technologies.
That
would
help
reach
the
consumer.
B
And
so
I
had
helped
with
a
company
called
strongmail
which
was
sold
to
celegent
several
years
later,
where
we
created
the
first
commercial
mta
for
for
brands
and
then
actually
was
a
part
of
a
team
that
took
over
a
company
called
eloqua
in
which
we
spent
about
five
or
six
years.
B
If
you
will
developing
and
coining
the
term
marketing
automation
where
we
took
the
company
public
in
august
of
2012
and
then
larry
ellison
from
oracle
bought
that
from
us
in
december
that
same
year,
and
so
I
spent
about
a
year
or
so
working
with
oracle
development
of
their
marketing
cloud
as
the
chief
privacy
chief
security
officer
coming
out
of
eloqua
and
then
actually
joined
a
company
that
I
had
been
associated
with
for
a
number
of
years
as
an
advisor
stockholder.
B
If
you
will
company
called
return
path
which
had
been
around
for
a
number
of
years
and
a
leader
in
the
space
and
became
their
chief
privacy
and
chief
security
officer
for
about
five
years
building
some
programs
up
on
you
know
consumer
intelligence
and
anti-spam,
which
we
then
we
sold
that
company
last
year.
B
Actually,
so
you
know,
that's
actually
put
me
in
a
really
good
spot,
like
I
said
to
kind
of
understand,
technology
and
watch
how
the
internet
has
changed
and
be
able
to
take
this
topic
of
compliance
and
apply
it
towards
sort
of
what
we're
dealing
with
today.
B
Interestingly
enough,
as
as
matt
knows,
you
know,
matt
and
I
have
had
an
opportunity
to
work
together
over
the
last
several
years
in
the
startup
world,
where
we
help
mentor
and
advise
startups
here
in
the
dallas
fort
worth
area
on
things,
and
you
know
that
can
be
from
how
to
build
your
company,
how
to
do
project
management
stuff
like
that,
but
also
comes
into
the
compliance
arena.
For
me,
where
I
help
them
build
in
privacy
or
security
by
design
and
then
about
three
years
ago
as
well.
B
I
was
appointed
by
the
dhs
secretary
to
be
a
on
a
committee
that
helps
direct
and
work
on
problematic
issues
that
dhs
has
to
work
on
when
it
comes
to
privacy.
It
is
a
special
government,
employee
or
an
appointed
position.
So
that
gives
me
another
opportunity
to
touch
not
just
on
the
consumer
side
where
you
and
I
work
matt,
but
also
on
the
government
side
as
well.
A
Cool
thanks
so
much
for
sending
that
background.
I
think
it's.
It
should
be
clear
to
anyone
why
I
asked
you
to
participate
in
this
series
about
compliance
and
my
mind.
First
goes
to
the
comment
about
dial
up,
because
I
would
remember
we
would
connect
and
then
somebody
would
call
or
disconnect
you
just
hear
like
the
hello.
You've
got
goodbye
right.
A
All
that
time
but
cool,
so
I
I
want
to
definitely
pick
your
brain
about
your
experience
in
the
compliance
space
in
particular
and
I'm
not
sure
the
best
place
to
start.
Maybe
we
can
start
with
return
path,
because
that
was
that's
the
thing
that
I'm
most
familiar
with
in
terms
of
your
time
there.
But
could
you
tell
me
a
little
bit
about
what
were
the
certifications
or
the
specific
programs
that
you
were
building
or
managing
there
and,
let's
maybe
start
there.
B
Yeah,
so
you
know
return
path
for
some
of
those
who
may
not
know
what
the
company
is.
It
was
a
20
year
old
company,
but
it's
it's
real
big,
strong
suit
in
in
its
product
line
was
a
couple
different
tools,
one
of
the
ones
from
the
email
perspective
people
knew
about
was
email,
certification,
so
you'd
come
in
apply.
We
would
look
at
all
your.
You
know,
processes
around
whether
you
spam
or
not
spam,
you
know,
are
you
within
the
bounds
of
the
law
or
not
best
practices
that
sort
of
stuff?
B
And
then,
if
you
were,
then
we
would
whitelist
your
ip
addresses
and
any
you
know,
receiver,
isp
or
mailbox
provider
receiving
email
from
you.
If
those
ips
were
on
that
list,
then
you
know
you
would
skip
some
filters
or
go
right
to
the
inbox
images
turned
on
and
some
providers
and
things
like
that
and
then
the
other
product
line
that
was
the
oldest
one
as
well
was
a
mailbox.
You
know
management
system,
so
you
could
test
your
content
for
spamminess.
You
know
spam
scores.
B
You
could
see
whether
it
was
going
to
go
to
the
inbox
versus
the
junk
box.
You
know
get
a
better
idea
as
a
marketer,
how
you
could
you
know,
increase
those
opens,
and
those
clicks
by
you
know
getting
the
right
message
put
together
in
the
right
way.
B
Interestingly
enough,
when
I
joined
the
company
officially
as
an
employee,
the
company
was
looking
at
creating
a
going
to
coin
it
as
a
marketing
intelligence
tool
right
where
we
and
other
vetted
companies
you
know
in
our
in
our
partnerships,
you
know
within
our
ecosystem,
would
build
tools.
They
could
be
mobile
apps.
They
could
be
other
tools
that
you
could
use
on
your
mailbox
and
it
was
things
for
you
to
make
your
life
much
easier.
B
You
know
like
as
an
example,
I'm
waiting
for
a
package
any
moment
now
from
apple,
and
I
don't
know
where
it's
at
right
now
I
just
haven't
had
a
chance
to
look
it
up
on
the
website,
but
you
know
apple
did
send
me
a
tracking
number
and
what
one
of
these
apps
would
do
is
it
would
always
monitor
my
email
and
yank
out
tracking
numbers
and
put
it
into
a
phone
app,
and
it
would
let
me
know,
what's
going
on,
those
are
free,
apps
right.
B
Those
are
apps
that
we
allow
you
to
use
things
to
help.
You
even
help
you
unsubscribe
from
all
the
emails
that
might
be
in
your
inbox
if
you're
just
tired
of
it
all,
and
there
is
a
return
on
that
right,
while
you're
getting
free
access
to
those
services,
you
are
signing
an
agreement
that
basically
allows
us
to
also
take
a
look
at
not
the
interpersonal
emails
between
matt
and
I
right,
but
the
emails
that
you
may
be
getting
from
amazon
like
hey.
B
You
bought
this
right
and
we
would
create
a
a
somewhat
of
a
profile
not
ever
really
identifying
you
as
an
individual
but
telling
brands
that
a
certain
person
in
a
certain
area
might
be
buying
x,
y
and
z,
and
that
maybe
that
brand
should
be
doing
more
advertising
around
that
in
that
area.
You
know
like
with
it
getting
colder
and
it's
you
know,
beginning
to
rain
here,
a
little
bit
more
in
texas,
maybe
you're,
buying
more
galoshes,
maybe
you're
buying
coats
right.
B
So
maybe
the
brands
want
to
know
that,
but
we
never
told
them
who
you
are
so
it
again
was
an
intelligence
arena,
and
then
there
was
another
anti-spam
technology
as
well
that
we
had
built
that
required.
A
lot
of
data
from
individuals
as
well-
and
you
know
as
as
matt
and
I
have
discussed-
and
maybe
some
of
you
guys
have
heard
before
you
know
privacy-
is
the
currency
to
play
in
the
ecosystem
that
we're
in
today.
B
You
know
nothing
comes
for
free
right
and
at
the
same
time
we
all
want
it
for
free
right.
You
know
everything
has
been
subsidized
right,
whether
you
use
youtube
or
you
get.
You
know:
free,
music
and
whatnot,
it's
free
to
some
extent
and
again
the
privacy
that
you
have
the
data
that
you
have
depending
on
how
much
you
give
up.
Then
it
determines
what
sort
of
free
access
do
you
have
to
be
subsidized,
free
services
and
whatnot,
and
so
for
us
a
return
path
and
go
right
to
your
question.
B
Matt
is
that
you
know
me
joining
the
company.
You
know
the
company
was
always
doing
very
well
in
that
arena,
but
going
into
these
two
new
arenas,
we
had
to
really
make
sure
that
you
know
we
were
crossing
the
tees
and
dotting
the
eyes
when
it
came
to
using
that
information,
because,
let's
face
it,
email
is
a
personal
thing
right.
B
You
don't
want
me
looking
at
your
inbox
and
I
don't
want
you
looking
at
my
inbox,
you
know,
and
so
we
had
to
make
sure
that
we
were
doing
the
right
things
when
it
came
to
promising
people
that
we
were
not
going
to
sell
their
identity,
but
we
might
sell
a
persona
about
them,
but
not
that
it
was
matt,
gonzales,
right,
buying,
galoshes
or
something
on
amazon,
so
yeah,
so
part
of
that
job
is
to
make
sure
that
we
put
the
right
privacy
protections
in
place,
but
also
the
security
ones
too.
A
Yeah,
that's
that's
perfect,
I
mean
certainly
makes
all
sense
to
me
and
it's
a
much
clearer
picture
and
I'm
sure
that
that
context
will
certainly
help
people
who
watch
this.
So
so,
thanks
for
sharing
that
I
so
so
we
typically
talk
about
compliance,
at
least
in
where
I'm
at
now
right
with
git
lab
in
terms
of
sock
to
hipaa
socks.
A
Iso
standards
nist
those
kinds
of
things,
and
I
think
those
typically
focus
on
tell
me
what
you
say:
you're
doing
as
an
organization
in
terms
of
your
company
policy
show
me
how
that's
implemented
and
then
provide
evidence
over
some
period
of
time.
Maybe
so
it
sounds
like
here
we're
talking
about
primarily
data
privacy,
which
is
primarily
gdpr.
Maybe
things
like
ccpa
out
of
california
and
I
think
brazil
was
it
launched.
A
Kind
of
like
a
gdpr
regulation,
so
I'd
like
to
understand
from
you,
you
know
how
much
overlap
is
there
between
something
like
these,
we'll
call
them
industry,
certifications
and
something
like
a
data
privacy
regulation
in
terms
of
what
some
entity
is
going
to
look
for
and
then
we'll
maybe
unpack
that
a
little
bit.
B
Well,
you
know,
interestingly
enough,
so
you
know,
starting
in
this
thing
20
25
years
ago.
It
was
all
about
best
practices,
I
mean
even
when
we
did
att
internet
and
I
actually
worked
for
another
non-profit
sort
of
company
called
maps
which
was
the
first
email
blacklist
ever
made
under
paul
vixi's
management.
You
know
that's
literally
like
at
the
time
we
were
a
self-guiding,
self-sustaining
sort
of
industry.
You
know
we
all
wrote
our
own
rules
and
regulations,
my
network,
my
rules,
so
at
18
team
at
verizon
you
couldn't
do
x,
y
and
z.
B
You
couldn't
spam,
that's
right!
We
would
block
you
right
when
companies
or
businesses
would
get
business.
Email
accounts
from
us,
we'd
say
hey
by
the
way.
Here's
our
acceptable
use
policy.
You
know
you
can't
do
these
things
right.
If
you
do
you're
going
to
lose
your
access
or
your
account
or
your
web
page
as
we
kind
of
built
them
out,
but
over
time
right
that
changed,
because
the
internet
itself
changed.
B
It
went
from
something
a
little
smaller
to
something,
much
much
more
massive
and
and
really
the
amount
of
interconnecting
networks
and
agreements
and
stuff
like
that
became
really
difficult.
I
think
to
to
manage
and
so
yeah
what
you
started
to
see
was
organizations
that
would
then
come
out
and
say
hey.
You
know
we
from
a
holistic
point
of
view,
will
help
create
standards
and
technologies,
not
technologies,
standards
and
processes.
B
I
should
say
to
help
you,
you
know,
make
sure
that
you're
doing
what
you
like,
you
just
said,
you're
doing
what
you
say
that
you're
doing
and
a
part
of
that
is
both
in
privacy
and
security,
and
so
we
see
that
quite
a
bit.
You
know
the
other
aspect
of
it
too.
B
For
me
as
a
professional
is
why
I
would
love
to
say
that
you
know
when
matt
and
I
had
a
chance
to
work
together
quite
a
bit
at
another
company,
I'm
not
sure,
I'm
supposed
to
say
the
company
name
here
or
not,
but
you
know
matt
and
I
actually
worked
together.
B
B
You
know
it's
it's
sort
of
like
the
idea
of
who's
watching
the
watcher,
even
though
that
matt
was
the
watcher
for
us
right
who's
watching
math.
Is
it
me
or
is
it
somebody
else
you
know
within
the
company?
Are
we
looking
out
for
our
own
interest
or
the
consumer's
interest,
and
so
by
bringing
in
these
third
parties?
And
you
talked
about
sock,
2
audits,
27001,
27018,
iso
audits.
B
It
is
allowing
somebody
else
to
come
in
and
test
you
to
make
sure
that
you've
done
the
right
things
and,
to
be
honest,
I
mean
companies
like
return
path
and
eloqua.
Whenever
we
went
through
our
audit
processes.
I'll
be
honest,
there
were
some
things
that
we
missed.
There
were
some
things
that
we
thought
were
kosher
and,
unfortunately,
they
weren't,
and
so
these
you
know,
groups
of
people
come
in
they
test
us.
B
They
look
at
everything
and
they
found
problems
and
when
they
find
those
problems,
then
they
give
them
back
to
us
and
say
all
right,
go
and
fix
these
and
get
back
to
us
and
we'll
test
them
again
and
hopefully
they're
fixed
and
here's
your
certification
right
and
so
it
it.
It
helps
us
get
our
jobs
done.
It's
not
something
to
be
fearful,
it's
okay,
to
fail
the
test.
B
If
you
will
right,
because
you
want
to
learn
from
that,
then
for
customers
right,
it
makes
it
easier
for
them
to
then
do
their
due
diligence
right.
What
we're
seeing
is,
as
people
are
adopting
all
of
our
platforms,
they
want
to
know
like,
what's
going
on
with
security,
they're
more
hyper
aware
of
the
data
breaches,
because
I
mean:
let's
face
it
folks,
you
know
every
single
day
that
we
get
up
right.
We
turn
these
devices
on
right
to
read
the
news.
B
We
read
facebook,
we
open
up
a
newspaper,
you
know,
for
those
who
don't
know
a
newspaper
was
it's
a
piece
of
paper
with
everything
in
it
right,
but
it
always
screamed
of
a
data
breach,
and
so
we
now
have
hyper-aware
consumers
and
hyperware
companies
that
want
to
know
what
you're
doing
now,
with
their
data,
and
so
by
being
able
to
take
these
certifications
and
present
that
to
them
and
say,
hey,
we've
done
everything
that
we're
supposed
to
do
right.
It
makes
them
feel
better
about
it.
B
A
Yeah,
I
think
those
are
a
lot
of
great
points,
particularly
about
hyper
awareness
when
it
comes
to
particularly
data
privacy,
these
days,
which,
of
course,
is
certainly
interwoven
with
security,
but
I
want
to
I
want
to
pull
it
back
now,
a
little
bit
and
talk
about
you
know,
as
you
were,
implementing
these
types
of
programs
or
managing
them.
What
were
some
of
the
challenges?
Challenges
that
you
often
faced,
whether
that
was
internal
or
maybe
like
an
external
perspective,.
B
B
We
normally
could
keep
it
around
fifty
grand
for
some
of
these
audits
and
especially
when
you're
doing
two
types
of
audits
right,
because
there
are
there's
a
different
types
of
them
and
you
wanna
get
as
many
as
you
can
so
cost
is,
is
one
of
the
biggest
things
and
you
have
to
be
able
to
go
to
your
board
and
your
executive
staff,
and
you
have
to
be
able
to
say
top
down
mentality
but
explain.
B
But
if
we
don't
do
this
right,
I
could
have
missed
something
and
we
could
have
a
data
breach
and
if
we
did,
then
that's
going
to
cost
us
money
in
pr
fines.
Everything
else.
I
think
the
second
point
to
it
would
be
getting
the
buy-in
from
everybody
within
the
company
to
realize
that
privacy
and
security
should
not
be
feared
right.
I
remember
lots
of
companies,
you
know
as
you're,
walking
down
as
the
security
guy
right
down
the
hallway
people
like.
Oh,
my
gosh
like
here
comes
a
security
guy.
What
did
I
do
wrong?
B
You
know
no
one
likes
it
when
security
shows
up
right,
that's
not
always
a
bad
thing
right,
and
so
what
you
want
to
do
is
you
want
to
explain
to
them
that
you
know
that
they're,
a
part
of
the
solution
that
you're
not
there
to
be
the
bad
guy
right
but
you're
there
to
protect
the
business,
to
protect
their
jobs
right
to
protect
the
income
for
the
company,
and
so
getting
people
to
buy
into
that
process
is
a
very
important
one
because
it
takes
a
village
to
actually
do
the
work.
B
I
t
looking
at
the
application
processes
that
would
fall
under
production
and
the
list
goes
on
hr
and
so
forth,
and
so
you
have
to
be
able
to
sell
and
get
buying
from
all
the
folks
who
say
that
this
is
a
good
thing
and
just
because
they're
testing
us
and
that
you
may
have
a
problem
doesn't
mean
that
you
failed
and
I'm
not
going
to
hold
that
against.
B
You
know
that
buy-in
from
everybody
and
making
them
be
a
part
of
that
solution,
and
I
think
once
you
do
that,
then
there's
a
sense
of
pride
right
that
goes
into
the
work
that
they're
putting
in
moving
forward
because
they're
willing
to
think
a
little
bit
more
about
privacy
and
security
by
design
and
building
it
in
during
the
building
of
the
products
or
services,
and
that
bolting
it
on
after
that
fact.
So
it
would
probably
be
those
sorts
of
things
I
think
would
be
cost.
B
You
know
you
know
again,
looking
at
sort
of
you
know
getting
that
buy-in
from
you
know
from
your
staff,
I
think,
are
probably
the
two
biggest
ones.
I
think
right
now.
A
Yeah,
no
that's
great.
I
think
it
was
even
you
who
helped
helped
me
realize
that
compliance
is
a
mindset,
not
necessarily
a
program
or
some
other
description
right
and
for
that
reason,
is
that
you
need
everyone
to
participate
and
if
even
one
person
doesn't
buy
in
or
isn't
doesn't
have
this
mindset,
then
therein
lies
a
you
know:
weak
link,
not
in
terms
of
incompetence
or
blame,
but
like.
If
you
have
that
that
in
the
armor,
then
you
know
that
is
going
to
be
a
gap
during
the
audit
yeah.
A
So
I'd
be
curious
to
hear
from
you.
If
there's
a
story
you
could
share,
you
know
how
you
rationalize
or
justified:
hey
we
gotta
go,
spend
this
50k
plus,
you
know
six
months
or
however
long
of
people
time
on
this
particular
audit
and
then
and
then
a
step
further
like
what
were
the
other
benefits
you
saw
for
the
business
in
terms
of
you
know
faster
sales
cycles,
better
customer
trusts.
You
know
those
types
of
things.
B
So
I'd
love
to
say
I
wish
it
was
done
in
six
months.
It's
usually
12
to
18
months.
It
can
be
even
longer,
depending
on
how
big
your
business
is.
So
we'll
just
get
that
one
out
of
the
way.
You
know,
I
think
the
you
know
the
thing
that
that
we
had
to
sort
of
look
at
was
not
just
kind
of
shoving.
All
this
down
everyone's
throat.
All
at
once
and
saying
hey
here
comes
the
audit.
B
To
be
doing
this,
you've
heard
me
mention
the
term,
you
know
security
or
privacy
counsel,
and
I
think
that's
an
important
thing
for
companies
to
build
into
their
into
their
companies.
Because
again
you
don't
want
to
have
security,
and
then
I
t
and
production
and
hr
and
sales
right.
B
It
has
to
be
again
a
team
or
village
effort,
and
so
one
of
the
things
that
we
did
to
begin
with
in
any
one
of
these
processes
is
we
begin
that
security
council
we
meet
as
many
as
many
times
as
we
can
no
less
than
once
a
quarter,
and
what
that
does
is
that
basically,
is
telling
everybody
it's
sort
of
like
a
board
right,
yeah
sure,
there's
a
chairman
of
the
board,
if
you
will,
but
everybody
has
a
say,
everyone
has
a
vote
right
that
I
don't
want
my
customers
and
when
I
send
my
customers,
I'm
talking
about
the
internal
teams
right.
B
Those
are
my
customers
and
I
have
to
have
to
meet
their
needs
and
their
wants
right
by
bringing
them
onto
that
council.
That
gives
them
a
say
in
terms
of
what
needs
to
happen
and
what
it
needs
to
happen.
It
also
gives
them
the
ability
to
expose
if
you
will
timelines
critical
timelines
and
pressures
that
they
have
that.
B
I
need
to
understand,
and
vice
versa,
where
I
have
to
explain
things
that
I
need
them
to
do
from
a
security
or
privacy
standpoint
and
what
those
pressures
and
timelines
are
and
you'll
find
that
your
agreement
right,
you
begin
to
smile
a
little
bit
more
because
you're
respecting
each
other
right,
and
so
I
think
it
really
sort
of
begins
there,
and
that
part
of
that,
then,
is
explaining
why
the
audit's
important,
what
it's
going
to
take,
how
much
it's
going
to
cost
and
what
it's
going
to
do,
and
I
think,
as
people
begin
to
see
that,
then
they
realize.
B
Oh,
that
you
know
there
is
a
you
know
a
huge
benefit
to
it.
When
you're
managing
the
audit.
There
is
a
couple
different
ways
that
this
comes
in
again.
It
also
depends
on
how
much
money
you
pay,
sometimes
on
the
cheaper
side
of
these
audits.
Yeah
you
get
an
auditor
that
comes
in
and
and
they
can
give
you
a
bunch
of
documents
and
say:
hey,
go,
fill
all
this
out
and
go
test
all
this
or
go
play
with
the
stuff
and
and
give
it
back
to
me
and
and
and
hopefully
you
did
it
right.
B
So
you
get
to
manage
the
project,
then
the
higher
the
the
cost
perspective
is
the
more
people
you
get
from
them
and
you
will
get
project
management,
people
right,
people
whose
job
is
basically
to
bother
you
to
get
everything
done
and
to
make
sure
that
you're
doing
it
right,
and
so
you
know
I
tend
to
like
those
because
I'm
busy,
I
have
other
things,
that's
also
going
on
as
well,
so
I
don't
mind
paying
the
extra
dollars
to
have
them
come
in
because
it
also
kind
of
speeds
the
process
up
a
little
bit,
but
once
you
sort
of
get
that
person
to
get
all
the
information
back
what's
going
to
end
up
happening
at
some
point,
is
that
you
know
well
one
to
begin
with.
B
B
That's
one
of
those
things
where
they
come
out
for
a
week
and
spend
time
on
your
site
and
what
you
have
to
do
is
say:
hey
engineering
in
about
six
weeks,
these
guys
are
coming
out.
I
need
to
get
one
or
two
team
members
to
be
in
this
meeting
with
us
and
spend
a
couple
of
hours
with
us,
and
you
help
you
know,
schedule
that
balance
that
time
out
and
show
that
I
don't
want
to
waste
your
time
so
hey.
I
only
know
that
I'm
only
going
to
need
you
on
day,
one
for
six
hours.
B
So
if
you
can
give
me
somebody
just
for
that
one
day,
perfect
end
of
story
and
you
move
forward
and
again
you're
being
respectful
and
again
it's
a
game
of
being
respectful.
It's
it's
the
tragedy
of
the
commons
right,
sort
of
sort
of
mentality.
We
don't
want
to
screw
the
entire
thing
up
for
everybody,
but
we
want
everyone
to
have.
You
know
use
of
the
land
or
use
of
the
process
in
a
way
that
that
benefits
them
and
then
somebody
else
can
come
in
and
get
their
benefit
and
and
so
forth
and
so
forth.
B
A
Yeah,
that's
that's.
A
great
point
certainly
depends
on
organization
size
and,
I
think
also
it'd,
be
it'd,
be
interesting
to
see
how
these
programs
or
audits
evolve,
as
as
maybe
more
companies
start
going
fully
remote
or
hybrid
remote
and
having
that
factor
in.
B
Well,
that's,
that's,
actually,
a
good
segue
into
the
second
part
of
your
question,
right
which
is
about
then.
What
does
this
do
for
you
right?
As
as
a
company
and
like
I
mentioned
earlier
right,
you
know
when
they,
basically,
you
know,
come
in
and
all
of
a
sudden
like
you
know,
you
have
a
customer
that
goes
hey.
You
know,
tell
me
about
your
security,
and
you
can
go
here.
Is
our
certification
here
is
a
signed
certification
by
somebody
from
the
outside,
and
it
says
all
the
things.
B
This
is
the
maze,
so
it
kind
of
might
look
like
an
audit,
but
it
gives
them
that
that
good
feeling
right
that
somebody
else
sort
of
came
in
and
did
this
and
what
ends
up
happening
as
well,
is
that
you
know
you're,
preparing
your
sales
team
right
and
your
marketing
team
to
use
marketing
sorry
to
use
privacy
and
to
use
security
as
a
marketing
perspective
right,
we're
finding
that
that's
becoming
a
very
powerful
thing
today
and
it
becomes
very
powerful,
especially
when
you
get
it
out
in
the
front
and
done
quicker
than
at
the
end
of
it.
B
It
used
to
be
what
the
sales
guy
would
go
in
and
say:
hey,
you
know
we
have
this
great
widget,
it
comes
in
all
these
colors
and
and
you
can
go
forward
and
reverse
with
it,
and
here
buy
it
right
and
then
the
client
would
buy
it
and
go
well.
Does
it
go
left
and
right?
Oh
well,
no,
it
doesn't
sorry,
you
know,
but
you
can
pick
it
up
and
turn
it.
It'll
go
left
and
right
then,
but
you
know
it
it's.
B
You
know
it's
it's
a
situational
issue
where
it's
a
it's
a
post
problem,
and
so
by
allowing
marketing
and
sales,
then
have
these
certifications
and
saying
hey
by
the
way.
As
we're
talking
about
this,
let
me
be
up
front
like
we
take
privacy
and
security
seriously.
In
fact,
our
privacy
policy
actually
has
a
signed
letter
from
our.
B
A
Well,
that's,
okay!
I
I
think
it
pretty
much
covered
it
there.
I
do
have
a
one
follow-up,
that's
related,
which
is-
and
I
don't
know
if
you'll
have
this
answer,
but
I'd
love
to
know
because
one
of
the
biggest
challenges
for
a
compliance
team
is,
you
know,
proving
our
value
right
like
how
do
we
prove
that
we're
valuable
and
adding
you
know
dollars
or
some
metric
of
positivity
to
the
company
rather
than
just
taking
money
and
spending
money
and
like
costing
money
right?
That
was
the.
A
What
it
is
so
I'd
love
to
understand
if
you
have
some
past
example,
where
you
had
to
quantify
this
and
say
like
hey
this,
this
program
that
we're
managing
particularly
for
data
privacy
and
security,
like
here's,
the
bottom
line,
here's
what
we're
adding
to
the
actual
bottom
line
or
here's
some
way
that
we've
quantified.
That
can
you
talk
about
that.
B
Yeah,
actually,
usually
what
I
do
with
a
lot
of
companies.
Is
we
actually
bringing
bring
in
examples
where
we
were
going
to
lose
business
right?
I
can't
necessarily
say
the
company,
but
let's
just
say
it
was
a
big
production,
studio
company
that
might
have
been
hacked
a
couple
years
ago,
but
you
know
after
that
situation
for
them
right.
B
B
You
know
that
your
priority
is
a
little
different
than
mine,
but
we
get
it
and
at
some
point
they're
like
well,
if
you
don't
get
this
fixed,
you
know
we're
gonna
walk
away
and
it
was
a
you
know,
six
to
seven
digit
sort
of
deal
at
times,
and
you
have
to
come
back
and
think
a
little
bit
outside
the
box
right
or
not
even
bring
the
box
in
the
room
and
go
all
right.
Fine,
all
right!
You
want
us
to
agree
to
this
stuff.
Well,
I
can't
make
those
changes
today
or
tomorrow
or
next
week.
B
It's
going
to
take
about
six
months.
It's
it's
a
big
change,
but
as
such
here's,
what
we're
going
to
do
like
we
will
sign
an
agreement
with
you
that
basically
says
that
if
we
don't
have
this
fixed
to
your,
you
know
satisfactory
within
a
certain
time
period,
you
can
walk
out
of
the
contract.
I
mean
you'll
still
pay
us
for
what
you
owe
us,
but
we'll
break
your
contract
and
you
can
leave
and
you'd
be
very
surprised.
A
lot
of
companies
are
willing
to
then
do
that
they're.
B
That
they'll
sacrifice
a
little
bit
more
security.
If
you
will
for
convenience,
which
I
still
don't
understand,
but
but
you
begin
to
say
that,
okay,
if
I
was
working
on
a
fifty
thousand
dollar
audit-
and
this
is
a
seven
digit
deal-
we
already
can
see
the
value
in
that
already
right.
B
Just
that
one
deal
pays
for
that
immediately
now
you
and
I
had
worked
on
a
couple
of
deals
where
same
thing
was
happening
like
they
wanted
to
know
what
we
were
going
to
be
doing,
and
we
made
some
assertions
to
them,
saying
that
we
would
get
the
audit
done
and
that
it
would
close
the
deal,
and
it
was
well
worth
it
because
they
bought
so
much
more
from
us
as
a
company,
and
so
that
that
value
is,
is,
you
know?
Definitely
there
right.
B
So
when
the
when
the
production
teams
and
the
sales
teams
and
everybody
else
involved
in
this
audit
goes
oh
okay.
This
eventually
affects
the
bottom
line
right,
because
we're
bringing
in
more
deals
makes
us
more
valuable.
You
know,
you
know
when
eloqua
happened
as
an
example
when
we
got
acquired
by
oracle.
I
remember
the
day
that
we
got
the
call,
and
I
was
asked
to
immediately
jump
into
a
legal
due
diligence
process.
I
was
expecting
days
upon
days
upon
days
of
you
know,
being
you
know,
reviewed
and
discussed.
B
I
was
actually
at
an
event
at
a
conference.
I
couldn't
leave
the
event
because
it
would
have
looked
fishy
but
ended
up
in
a
hotel
conference.
Room
for
about
three
or
four
hours
and
literally
was
able
to
walk
legal
through
all
the
things
that
we
did
from
a
privacy
perspective,
whether
it
was
gdpr
related
or
you
know,
regulatory
related.
B
I
should
say
all
the
way
towards
the
certifications
that
we
had
received
from
a
security
perspective
and
those
due
diligence
processes
already
being
in
place
actually
made
the
deal
move
a
lot
faster
and
the
legal
due
diligence
process
around
security
and
privacy
was
done
in
just
a
couple
of
hours
versus
days
upon
days,
and
so
we
were
sort
of
also
preparing
ourselves.
For
that
you
know
we
knew
at
some
point.
We
could
be
acquired
and
wanted
to
be
acquired,
but
you
know
getting
that
also
done
made.
B
The
other
company
feel
good
about
their
purchase
and
they
that
they
weren't
going
to
be
purchasing
problematic
issues
and
things
like
that
as
well.
So
yeah
I
mean
you
can
sell
this
off
quite
a
bit
and
say
hey.
It
can
go
towards
the
deals
that
we're
going
to
be
able
to
close
quicker.
It
can
go
towards
the
deals
where
we're
going
to
maybe
be
acquired
and
they
want
to
make
sure
that
we're
secure
and
that
they're
not
buying
problems
and
stuff.
B
Like
that
it
really,
you
know,
you
know
the
cost
perspective
of
not
just
the
audit
itself,
but
the
people
and
the
time
and
the
effort
that
they've
got
to
put
into
it.
It
pays
off
and
when
people
begin
to
see
that
they're
willing
to
do
it
because
again,
the
company
gets
sold,
guess
what
we
all
make
money.
A
Yeah,
that's,
that's!
That's
the
perfect
answer.
I
appreciate
it.
I
I
think
that's
probably
all
we
have
time
for
because
I'm
trying
to
keep
them
a
little
bit
easier
to
digest
at
like
the
25
or
so
minute
mark,
but
I
would
love
to
have
a
follow-up
at
some
point
because
I
think
this
is
a
really
good
conversation.
B
Yeah,
like
I
think
you
know
the
thing
that
I
said
at
least
once
or
twice
in
this
is
don't
fear,
privacy
and
security,
but
embrace
it
as
matt
knows,
you
know,
matt
wasn't
into
compliance
the
first
day
I
met
him,
but
he
completely
fell
in
love
with
it,
like
a
lot
of
us
will,
because
we
all
love
to
see
police
cars
and
firefighters
right,
that's
just
how
we
are
as
as
human
beings,
but
I
would
embrace
privacy
and
security
and
also
understand
that
it
isn't
the
responsibilities
of
the
mats
or
you
know,
of
the
dentists
that
are
out
there
or
the
chief
privacy
or
the
chief
legal
officers.
B
It
is
everyone's
responsibility.
We
are
all
data
stewards,
whether
we
know
it
or
not
in
any
part
of
your
job.
You
are
touching
pii
that
has
been
entrusted
to
you
by
the
consumers
that
you're
servicing,
whether
you're
in
sales,
whether
you're
in
marketing,
whether
you're
in
hr,
whether
you're
the
janitor
right.
Everyone
at
some
point
is
going
to
be
responsible
for
that
pii,
because
if
the
janitor
doesn't
close
the
front
door
to
the
office
and
someone
gets
in
and
steals
a
computer,
you
have
a
data
breach.
B
Everybody
is
responsible
for
this,
so
think
of
yourselves
as
data
stewards
and
think
of
that,
as
you
do
your
own
personal
life
thinking,
I
lock
my
doors
at
my
home
and
I
password
my
my
devices.
You
know
I
keep
things
safe
here.
Your
job
is
to
do
the
same
thing,
regardless
of
what
your
job
title
is,
how
much
you're
paid
and
whether
or
not
you've
been
a
certified
compliance
person,
don't
fear
privacy
and
security,
but
embrace
it
and
be
a
data
steward.