From YouTube: Handling Security Audits Q&A
Description
Devin Harris, Senior Security Analyst for the Field Security Team answers questions about how to handle security audits and some of the new processes
B
Thanks for all your help, by the way. I just wanted to comment a little bit about meetings, especially, you know, meetings with customers, and I'm gonna comment from the enterprise standpoint. Most of the times, like, well, we have customers reaching out that want to meet with you; they are gonna be your peers. We generally don't have, you know, big relationships; they're not the guys we're selling to, so they're usually a team.
B
That's, you know, just like you, that are, you know, doing a security questionnaire on the customer side. That's sort of the point, yeah, they are your... they are your peers, pretty much. You know, it should be a little easier to talk to them, because maybe you guys are speaking the same language there. So.
A
That's super helpful feedback to have, thank you for that, Pete. I didn't even think about that angle, like a super regimented structure where, like, your sales cycles engage the business buyer and then there's, like, the back-end office that we're getting put in contact with. So yes, there's probably a little bit of a difference with how we can treat that, but definitely for SMB we don't want to be talking to the buyer and shoot you in the foot with, you know, saying something that went against what you told them, or just.
C
To add to that comment, and that's very helpful: what I found is, in any, especially initial, calls that I've had with a customer or prospect, is that they will have somebody, you know, their champion, you know, somebody internal, along with their security people. So we've got, you know, on our side, we'll have, you know, the COR account, you know, the account rep or the SE, plus one of either Devin or I. On their side they will have, you know, counterparts at different tiers, you know, going forward.
F
So just real quick there, Devin, to that: this is actually very well aligned with kind of one of the things I want to bring up here, and the reality is it takes much longer than two and a half minutes for an SA to do that, right, because we're not doing these every day, and we don't have a single source of truth to go to for any answers at all, right.
F
So it's each individual SA doing their each individual assessment and, depending on how many they've done, they may have some background in knowing some of these answers. If they don't, they're starting like as if you were a brand new field security analyst jumping into this every single time, right. So it's much longer than five; I mean, I'd say double that, minimum, and I mean in the extreme cases, which you got.
F
Everyone is, Devin, and I know you guys are all aware of, with, you know, the plaintiff boughs, right, for example. You know, I know that Ron and r11 we talked about today, that he said that was somewhere in the range of 40 hours for him to do that, and I believe probably similar on your guys's side as well, right. So we're looking at an 80-hour conversation here about a customer who's not even a new prospect. This is an existing customer with no I see attached to it at all, right.
F
This is just status quo, and so that's an extreme end, right, and I think that that's... we can't... we have to figure out something around that. I guess, Mike, my question is, I wonder, would it be... I was just reading through your initiative, which I think hits on this for the most part, around the compliance deflection package issue you've created, which is around, it sounds like, it sounds like it's around kind of compiling some of these common requests into a cotton in a single place.
F
Where we'll have that to go to. Feels like if we focused on that piece of it right now more than, you know, kind of having to jump into all these things, and it's taking all of your time, you know, trying to just get ahead of what's out there. And I believe the big change that's happened, you know, I would say in the last year, year and a half, is that more people are looking at .com, right.
F
Self-managed questionnaires are relatively easy because 90% of it's not applicable to us, right. The dot-com ones are much more complex, right, and then we get constantly asked questions around, like, where do I find this? Where do I find these penetration reports? What happens with backups? How do we handle recoveries? Like all these kinds of things, that there is sparse documentation throughout their site that we go and search for and spend a lot of time with there.
A
That's something we would love right now; that's something we're trying to do. We've recently just switched to where Todd and I each have a single day during the week to work on project work. But that's the issue right now is, you know, talk about how long those questionnaires take: there are more questionnaires in our queue than we have time, if Todd and I were to work ten hours a day every day. And so trying to get that package together, while we're also trying to meet customer demands, is taking us a little bit longer than we would like.
F
So if... we're just wondering if there's an opportunity for us to accelerate that piece of it, because, you know, we need to get to that place for this to scale, and it's only gonna get worse for you guys, only getting worse for us, because we're getting more and more of these every day, and the questions are not... and we're going... starting fresh every single time, right. It's like, okay, got a new questionnaire. Don't have a place to go to.
A
Any hope you guys want to give us would be great, not that we're asking for, but yeah, it'll be good when we get there. When I was at Duo, we measured compliance requests coming in for security questionnaires prior to having a deflection package and after. Total volume dropped by 35%, yeah, and then the total volume of questions that came in from customers that said, like, yes, your package is good, but we still want extra questions, had reduced by like 75%, the volume of questions. So it helped us at the time.
F
I think that would reduce our time exponentially, and your time as well on top of that, right. So let's, let's, let's shoot for something like that. I think the bigger initiative you have here is fantastic and much more thorough, and what we're going to need ultimately, but in the interim, just this, you know, so you guys can catch up, so you can actually work on that.
A
To circle back to Yolanda real quick: her and I had a quick conversation, which I think this is kind of what this is deriving from. I didn't know there was a difference between TAMs and SAs other than one was pre-sales and one was post-sales, and I think that's kind of what Yolanda was driving at. Is that what you're going for there? Well.
E
I might be making a lot of TAMs mad by saying this, but I think that we could help. Also, we do... we give him the first pass, then we send it over to the SA, and then they'll either thumbs-up it and then send it over. But I think if we could cut out some... if we could help in that way. And then also, Devin, I was actually gonna reach out to you, because that one assessment that I put in y'all's queue has, I think, like every question under the sun.
E
This question here is, the hell is this, I think, you know. That might be a good example to post, as, here, here's where you find this question, once you give it a pass, of course, because Steve and I looked at it, and hopefully we got as much as we could done, but we stopped it at, like, I don't know, I think 60% of it, maybe.
A
Some of these are very, very painful, yeah. And, you know, I mean, this has been great. CS is, in my opinion, our number one customer for field security. I mean, we have other responsibilities, but really our job is to do everything we can to enable you all to crush it when it comes to anything to do with the security department, and you guys have been fantastic partners. Yolanda and I have worked on multiple things. Pete and I have worked on multiple things.
A
Some of you I haven't had the experience to work with yet, but I have not had bad experiences with your team. So thank you very much, both Brian and Yolanda, for that feedback, and then Tim for the feedback you gave. All that is gonna be super helpful in aligning what we're providing to what you need. I also.
C
Want to point out, actually, we have a broader base than just even the SAs and TAMs. We've got Julie, we've got Miguel, you know, from, you know, contracts, who are also, you know, willing participants in this, you know, this first pass. So, you know, we really... it should really be a much more general, you know, scope, and then illuminate, you know, rather than saying SAs. I think that's sort of a historical thing. The triage board actually still says compliance on it, even though your compliance hasn't been involved in these things for quite some time.
C
Thanks. I'm gonna sort of ask... this is kind of a thought question, kind of a general thing. You know, as we go forward, you know, we will have... we have this 20K threshold on, you know, the work that we want to do, but if we kind of step back here, do we want to say that, in general, I mean, there's a lower limit that we will look at these at all? I mean, you know, if it's a twenty thousand dollar deal or less than that, is it even worth?
C
You know, unless it's a, you know, a ten-question, you know, survey, is it really... I mean, is it really worth, you know, an SA, TAM, you know, somebody doing it at all? You know, we often find that there are very few things that, you know, they really care about, and if we can get, you know, get them to focus on the handful of items that really do concern them rather than, you know, they've grabbed this off-the-shelf, you know, InfoSec questionnaire and they throw all 400 questions at us.
C
When, you know, when they're really only interested in about twenty anyway. The point is, you know, there's a lower limit at which we shouldn't be doing these at all, you know, for anybody, ever, you know, and as, you know, our, you know, the incoming opportunities grow, that's going to become even more important, that we don't, you know, we don't waste our time on small deals while, you know, while these, you know, these big ones, you know, start to pile up. And.
A
I see a question on the channel from Julie about the 20K limit. That's a great question that I don't have a very solid answer to: is it tied to an opportunity or total account value? Joel, if you're on, could you maybe chime in there? From what I understand, this came from a conversation from Rob and Joel around, like, minimum threshold for opportunity engagement, yeah.
G
It's actually much bigger than me, but it comes down to just the 20K threshold that we have for TAMs in commercial, 20K for command plans, all those kinds of things. We're kind of syncing on the 20K thing and then try and use the proactive approach to fend off everybody else as much as possible, just due to time limitations, right. The amount of people asking for massive amounts of time for really small opportunities is becoming problematic, so, or I.
G
We certainly can. The problem we have right now is we're also working on a good way to understand what the total opportunity of an account is, the total account value over time. That may become a more prevalent driver when we've got a better calculator on it, but for right now, I know that's something that we're still working through. Awesome.
A
Thank you for that, Joel. I know what started the conversation in field security was: we realized there's a huge backlog of questionnaires we didn't know about, and so we went to go prioritize them by account value, and there was a questionnaire that took us about six hours to do that was for a 345 total dollar... it's like three hundred forty-five dollars total account value. That's when Rob's like, we should probably go talk and make sure that, like, this is something we want to do.
G
I think, you know, the other thing to point out there is, if there's an exception to that: if you have a smaller opportunity, but you see a whole lot of future opportunity there, and we've got some drivers toward that, we need to make an exception. Let's build that case as it comes. The reality is, you know, total account value is the most important driver there, but if we just have one team buying it in a large named account.
E
Devin, you had mentioned before that the group might get split into a pre-sales and post-sales. I guess when I first talked to you, you said that you weren't sure if you were gonna go post-sales, pre-sales. Was that initiative dead? Okay.
A
Yeah, so originally, something that when we were trying to figure all this out, field security was going to be pre-sales and compliance was gonna be post-sales. Since then, we've resolved that field security is going to remain completely involved with the customers. Compliance is gonna stay where they are, so you're not gonna have to work with other people; it'll be us, Yolanda, and.
D
Going once, going twice. Alright, far be it for me to belabor the point. I've documented every question and answer here in the document. If you think of questions later on, please feel free to add them into the document and we'll circle back with Devin and Todd to make sure that we get those answered. Special thank you to Devin and Todd for joining us today. I know this was a very hot topic and I think you've given us what we need to move forward with this process.