Webinar - The Responsibility of Risk - Exabeam

The Responsibility of Risk

Webinar Transcript | Air Date May 10, 2022


Wanda Miles:

Welcome to the Exabeam webinar on the responsibility of risk. I’m Wanda Miles, the Senior Program Manager for Security and Compliance. With me today are Tyler Farrar, our Chief Information and Security Officer and Ari Companioni, our Senior Principal Product Manager for Security and Compliance. Gentlemen, please tell everyone about yourselves. Tyler, we’ll start with you.

Tyler Farrar:

Hey, thank you, Wanda. Good morning, everybody. Tyler Farrar, as Wanda mentioned, I’m the CISO here at Exabeam, focusing both on enterprise cyber security, product security. But before that I worked at Maxar Technologies where I ran security operations, infrastructure governance, cyber assurance, and some USG program protection functions. I’ve worked at KPMG, consulted on different engagements like FedRAMP, NextGen security operations center, vulnerability management, and then lastly spent 11 years in the Navy as a Cryptologic Warfare Officer, managed lots of projects and cyber operations with US Cyber Command.

Ari Companioni:

Cool. Good morning or afternoon, everyone, depending on where you’re coming from. I’ve been at Exabeam for about a year now within the product organization. I oversee our compliance programs or privacy programs relative to our products. So things like SOC2, ISO, FedRAMP, all of those various things, also drive our compliance roadmap for new and upcoming programs. I’ve been in tech for about 20 years now, since before the dot-com bust. Prior to Exabeam, I worked at Microsoft, Tableau, DocuSign, doing any combination of information, security engineering and technical compliance. So at Exabeam, I focus primarily on driving that roadmap forward as Exabeam continues to push into cloud.

Wanda Miles:

Thank you, gentlemen. So today we’re going to cover four topics. First, we’re going to summarize some recent laws, directives, and governance regulations and requirements that you’ve probably read about or heard in the news. Second, we’re going to discuss how we at Exabeam address those risks. Third, we’re going to outline some best practices for committing engineering resources and setting up those compliance programs that may help. And then fourth, we hope to spend a lot of time with you answering any questions that you may have. And then in terms of takeaways, we also want to explain how Exabeam can help address the topics that we’re going to discuss today. So, Tyler, do you want to walk us through some of the latest directives?

Tyler Farrar:

Yeah, yeah. So this is based off of a white paper that Exabeam recently published. And as you can see here, there are multiple directives, laws, and governance requirements that are globally coming out. And really the big focus is how they’re going to be enforced and codified, what does privacy mean, what data needs to be protected, and how can it be better defined and then obviously who needs to do the work. And that’s all being spelled out in these various directives, laws, and governance requirements. And we’re not going to go through all of these today, certainly more that you can look into on these, but there is a common theme and I’m actually going to pass it over to Ari and we can share that today.

Ari Companioni:

Yeah. So when you look at all of these various regulations that are coming out… The ones that are coming out in the future, the ones that have recently been either modified or have been in place for a while, there’s a common theme to these, right? And at the end of the day, it’s really about trust and assurance. That’s the denominator there, right? We want to make sure that the supply chain for any particular customer is secure. Over the past decade or so, we’ve seen a number of supply chain attacks that have led to some very high profile breaches. And as a result, there’s been a lot of reactivity in terms of how do we secure that supply chain? So when data leaves your environment, are your providers doing the right thing with that data, right?

Ari Companioni:

And how do you get that assurance and that trust that they’re doing what they say they do? So then you get all of these various certifications and all of these regulations that come into place that ultimately drive the things that providers like Exabeam have to then comply with to provide you, the customer, the trust and assurance that we’re doing the things that we say we do. So at the end of the day, there’s a lot of common themes across all of these regulations and certifications. There’s only so many ways that you can say that you must do access management, that you must do incident response, that you must do change and configuration management, backup and recovery. All of these are just basic concepts that underpin any sound information security program, right? At Exabeam, our approach is, we want to make sure that we have a solid baseline that we can build from, and then any of these certifications that come out or existing ones that get modified, we can build upon that foundation, right? And we’ll talk a little bit more about that as we proceed through the presentation.

Tyler Farrar:

All right. So who owns the cybersecurity risks? The million dollar question. I have two answers for that, and I want to answer the question both at a micro level and a macro level. So at a micro level, meaning how you look inwards into the company that you work at, the board. The board does own cybersecurity risk or needs to, or will play a larger role in owning cybersecurity risk. Now, the new regulations that we just flashed on one of the previous slides, you’re going to start to see these regulations require designating a qualified individual that is actually responsible for managing cybersecurity risk. So we have board level ownership of cybersecurity risk, and then I’ll call it CISO level or your VP of information security, et cetera, but that CISO level type role for management of cybersecurity risk. However, cybersecurity is definitely an enterprise conversation.

Tyler Farrar:

And so you have other stakeholders that are involved there, the board, the rest of your C-suite, your IT leadership, your business ops, your IT operations, legal risk management, obviously compliance management. And so all of these groups together, you start to fill out a bigger picture of the entire company. Everyone is responsible for mitigating cyber risk. So just to summarize there, ownership of cybersecurity risk really falls at the board level, management of cybersecurity risk falls at that CISO level, your security leader, whoever you’re going to be designating as a qualified individual in your financial statements. And then lastly, everybody’s responsible for mitigating risk. And because of that, everyone responsible for the mitigation mindset, you start to see new roles and/or functions that have emerged or are going to continue to emerge based on some of these new directives and requirements: data privacy officers, if you have an insider threat investigations team, forensic specialists, particularly if you’re in the financial sector, threat hunters or threat intelligence specialists, and then finally cyber risk scandal analysts. All of these new roles have emerged or are emerging to meet these new objectives.

Tyler Farrar:

So that’s really at a micro level of what I see and what we’re going to continue to see there. At a macro level, and again, referencing the white paper that was recently published by Exabeam, the big tech commits and how they’re planning to help here, and really how should they commit to support compliance and defenses. So some of the examples that were provided in that paper was around Google and focusing on safeguarding supply chains, expanding zero trust programs. They do a lot today and I think it’s really neat of what they’re providing to customers. Microsoft, they earmarked 150 million in technical services to help both federal, local, and state governments upgrade their defenses. IBM, they’re planning to train over 150,000 people in cybersecurity over the next three years, in an already underemployed industry. And then Amazon, Amazon’s providing some of the same cyber security awareness and training that they provide their own employees.

Tyler Farrar:

So really great stuff. I think there’s a little bit more that can be done here. And some raw thoughts around this is, if I’m purchasing as a customer, let’s say a SaaS solution, I want more capabilities out of the box. I don’t want to have to pay extra for multifactor authentication. That should be a gimme. Don’t make us pay extra for security. If the intent is for big tech to beef up investments in cybersecurity, those are some of the investments that I would also like to see as a customer. The other one around like a PaaS [inaudible 00:10:05] type of provider, user training and education’s great. It’s very important. What about more training and controls that come out of the box on an infrastructure build out? How can we limit the mistakes that an engineer or developer as an example could make just by default? And so really shifting left that customer responsibility matrix and putting a little bit more on these big tech companies would be a great commit that I could see at a more macro level. I’m going to keep shifting slides here.

Ari Companioni:

Great. That was awesome, Tyler. Now kind of building off of that, more tactically at Exabeam. When we talk about how do we build this out, we take the approach of people, process, technology, right? We’ve all heard that at some point. And on the people side, we really want to be able to enable and empower our staff to be security practitioners, right? The more that you enable the individuals within your organization to be a security practitioner, the safer and more secure the organization will be by default, and that goes top to bottom. It’s not just the engineers, it’s not just secure development training, or role based training on how to securely operate a cloud service, but it’s really end to end, it’s HR, it’s legal, it’s customer support.

Ari Companioni:

Every person in the organization has a role to play in the implementation of some sort of security practice. We want to make sure that we encourage, empower, and enable that, right? And there’s a number of things that we do from training to consulting on development of secured practices and processes. Tyler does a lot of work in that space and his team does a lot of work in that space as well. I do a lot of that work in that space within the product organization that I’ll get into in a little bit as well. So collectively we want to make sure that we’re driving security in everything that we do, right? That has to be the message and that is our message on a consistent day to day basis. Then we get into the ownership of who’s doing what. One of the things that presents a lot of risk and I think doesn’t get a lot of attention is clearly understanding who’s doing what, right?

Ari Companioni:

The minute you make an assumption that someone else is operating or moving part within some sort of secure process, then that’s a potential [inaudible 00:12:32] in a critical activity. So assume nothing and make sure that there’s absolute clarity and consistency in who is doing what. One of the things that we do is if we’re unsure, or if there’s multiple people involved within some sort of a complex process, we simply create a RACI for it. It’s simple, it’s effective, everyone has a very clear depiction and an understanding of who’s responsible for what, who’s accountable for what, who’s going to be consulted and informed and there’s no guessing, there’s no assuming, right? It removes the ambiguity and it makes that process consistent, and then dovetailing off of that, the individual teams are then empowered to create a process that upholds that RACI, right?

Ari Companioni:

And then on the tooling side, tool bloat and tool sprawl can be equally as detrimental as ambiguity, right? If you have too many tools and they’re not implemented or configured properly, then you can get into a scenario where there’s gaps in critical process, right? Because the tools themselves aren’t doing what they’re supposed to be doing. So from that perspective, we want to make sure that we make the most out of those tools that we have. So eliminate tool bloat, make sure that whatever we commit to from a tooling and budgeting perspective, we implement to the fullest of its capacity, that we have the necessary resourcing to operate those tools, that we have the right visibility. And it’s all about visibility and monitoring of critical systems and events. At the end of the day, if we can maintain that, then we can make sure that we operate a secure environment and a secure cloud service.

Tyler Farrar:

All right. So the next part of the agenda is what is Exabeam doing to meet the responsibilities of risk? So one area that you may have heard me talk about before in other webinars is focusing on the key objectives. I don’t think focusing on every regulation is the right answer, but focusing on your key objectives will allow you to really dive into the underlying milestones that are going to aid you in meeting any of your security control requirements. And these are the three that we have here at Exabeam. We want to reduce the cyber attack surface, meaning prevent as much as we can. We want to then be able to identify and block any potential cyber threats, if and when they do try to get through. And then of course we want to provide cyber assurance to our customers and our partners, our third party supply chain as well.

Tyler Farrar:

And so we do that through various means. And I want to walk through a few of our programs and some of our cross-functional teams that we have employed here that make that possible and allow us to meet those objectives. One that is really a strong program here is around risk management. And we employ a network of security champions across multiple, well, not multiple, every functional area that has kind of the eyes, ears, and voice for that management and or mitigation of cybersecurity risk. We have a program around responding to emerging threats, and we partner very closely with our security research team on that. There’s actually some upcoming enhancements to that. I’ll just say that as a teaser, but stay tuned for more on our new emerging threats program. We have a cloud security center of excellence, right? And being able to manage both traditional cloud security risks, as well as application security risks. We have a data governance program and that’s really around how we appropriately handle and protect Exabeam data, Exabeam customer data, et cetera.

Tyler Farrar:

I’ve also talked about this in other webinars, but I’ll quickly hit on the convergence of two different functions. And that actually falls within my organization today. So both cyber security and IT infrastructure operations, and that’s allowed me to be a lot more flexible and autonomous to be able to make quick decisions and really shift, on a dynamic basis, the ongoing balance of that confidentiality, integrity and availability triad, and then at a management level, our executive security incident response plan is a big piece of that ensuring that our executives understand their roles when a security incident or a security breach occurs and our crisis management team to be able to effectively manage a crisis if and when one occurs. Ari, any other thoughts on this?

Ari Companioni:

Yeah, no, I think you covered it. You covered it great. We’ve done a… Made a lot of investments in making sure that there’s a lot of information out there for the folks at Exabeam to make sure that they have what they need in order to be successful in the event of a security incident, right? But also to be successful, as I mentioned, as security practitioners. So that risk program that Tyler mentioned has paid dividends for us, right? And one of the key things there has been to make sure not to position that as a program that employees are hesitant to raise risks into, because they might feel like it’s going to highlight a shortcoming in something that they’ve done.

Ari Companioni:

It’s all about promoting the idea that by having an open and transparent process, that this is not about getting anyone in trouble, but it’s about lowering the risk posture of our organization and everyone has a part to play really driving that message and Tyler’s done a great job of doing that. We’ve had a lot of folks coming from all different parts of the organization that have raised risks that we otherwise wouldn’t have known about. So we really want to make sure to keep making that a part of our, or just organically a part of our culture and Tyler and his team have done a phenomenal job at that.

Tyler Farrar:

All right. So what can your organization do? My thoughts on this are, maybe it’s what you can’t do. And so you need to ask yourself, are you focusing on too much? You really want to focus on remediating areas of risk that as I’ve mentioned before, and as Neil Daswani points out in his book, Big Breaches, focus on where the major root causes of breaches could be. And again, those six are phishing and account takeovers, malware, software vulnerabilities, third party compromise, unencrypted data, and inadvertent employee mistakes. So really the takeaway there is maybe focus on less, but focus on the right things. The other one that I mentioned around cybersecurity ownership with the board is, just overall board level awareness of emerging cyber threats and ensuring they have direct involvement in determining a response to a security threat or a breach. It’s really critical.

Tyler Farrar:

You don’t want to be at the last minute deciding who should be paying, if we have to pay the ransom, and who should be deciding that we pay the ransom. And so there’s some key questions that you could ask yourself. I’ll give you four of them. This is what the board should be asking, by the way, how do we move from reacting to anticipating a cyber attack? How do we make sense of the cyber threats that we do face? Is cyber a part of our strategy discussions, the board strategy discussions? And then how do we demonstrate that there’s a return on investment on our security measures? And there’s a way for the CISO or for that information security leader, to be able to provide the answers to those questions. And I talk a lot about that on the webinar and blog on the CISO’s Guide to Communicating Risk, so check that out. But those are some of the key questions that the board should be asking. The board should be asking you, especially as security leaders. Ari, anything else you want to add?

Ari Companioni:

Yeah. So when it comes to meeting the regulations programmatically, which is something that we really strive to do here at Exabeam, we want to make sure that everything that we do is compliant by design. Now that’s a term that’s pretty common in the industry. And I think a lot of folks kind of hear that and they zone out a bit, but in practice, we take that to heart, right? And that starts with understanding the practical requirements. So programs like SOC2 and ISO, which we recently got certified in earlier this year, give us a little bit of leeway in determining how to craft those controls, or really make sure that they align well with the processes that we have, right? There’s a design test to make sure that we’re not just writing our own controls, but we want to make sure that there’s alignment between our process and our control language, right?

Ari Companioni:

But then there’s programs that are a little bit more prescriptive, like PCI and FedRAMP, that pretty much tell you what needs to happen and how they want it to happen. So the message there is to truly understand what the practical requirement is, what needs to be accomplished. So once you have that, there’s going to be three pillars, like I mentioned before, there’s going to be the people, process, and technology that are ultimately going to feed into that to drive the implementation of those controls and the success of those controls, right? And then you have to make sure that you’re designing a process that reduces risk and meets those compliance requirements. And there’s a number of ways to do that, right? But again, it all starts with truly understanding what those practical requirements are.

Ari Companioni:

And then arguably, I think from our perspective, one of the more important parts is to automate aggressively. Anytime you have a manual process, it’s an opportunity for a control gap. So everything that has the opportunity to be automated ideally should be automated. And from the perspective of compliance, it’s really where we want to get to. You may have heard that compliance as code is kind of a thing right now. Terraform is changing a lot of the ways that we work and how we implement configurations automatically. So we’re assessing all of these different things to make sure that when we deploy a system or a product, or we build a feature and whatever we do, we want to make sure that compliance is baked into that process, right? And as much of that can be implemented in code, we want to make sure that we get to near 100% compliance through code as closely as possible.

Ari Companioni:

It’s very much a work in progress for us right now, but we want to get to the point where our implementation, our validation, our remediation monitoring, and our reporting is as automated as possible, right? In that way we eliminate as many manual processes, as many people touching things as possible and make sure that come audit time, we have the necessary artifacts that we need to prove compliance and further, just make sure that we have the artifacts to prove to customers that trust and assurance that I talked about earlier. So putting it all together, understanding the requirements, making sure that the people, process, and technology ultimately play into those requirements, and then automate everything you possibly can to make sure that you eliminate manual process. And that’s something that we’re doing very aggressively here at Exabeam.

Tyler Farrar:

Thanks, Ari. All right. So the last piece of our agenda is who is your champion? And for me, I split this into two big areas, from a technical perspective and kind of across and down, from our VP of product security to our security champions program and I joke, but this is real, Ari being the champion of the security champions and our security research team. The point here is culturally, our Exabeam employees are all champions and they’re really all cyber risk aware and that’s really the important step, right? We said, there’s board ownership. We said, there’s management of cyber risk at the CISO or information security leader level. But then your last step is ensuring everyone’s responsibility for mitigating cyber security risk. And that’s really about adhering to a cyber risk aware culture. Management wise, our entire executive team, our CEO, our board is my champion.

Tyler Farrar:

I mentioned before our crisis management team and our ability to actually manage and not mismanage a crisis, like we’ve seen many other companies out there do, but for you, what you should be asking yourself or asking your organization is, does your management team know what to do if the organization’s attacked? Or when it’s attacked. And so focusing on a few questions at that board level can help you quickly start to identify where those gaps are particularly within your cybersecurity strategy, and then try to encourage more of an organization wide response. So here’s a few other questions that you could potentially ask. What should your response be? How effective has your response been? Are there patterns regarding cyber attacks that make any more information assets more vulnerable at a very specific time? And then lastly, who should you be sharing threat intelligence with and do you have what you need to have an effective security operations center? All right, I think we’re going to move on and summarize here. Ari, do you want to provide anything else around how Exabeam can help with the investigation detection response piece?

Ari Companioni:

Yeah. So at its core, really, it’s two things. It’s visibility and analysis, right? You can’t secure what you don’t know exists. And from the perspective of visibility, we can take in logs from pretty much any critical system that you have in your environment and then we can process that for analysis and give you all sorts of behavior analytics to make sure that you have a consistent single pane of glass view of any potential threats within your environment, right? So from that perspective, we can cover a large swath of what you’re looking for, from the perspective of reducing risk and making sure that you have the visibility necessary to secure your environment appropriately.

Tyler Farrar:

Thanks, Ari. And with that, any questions? Wanda, kick it back over to you.

Wanda Miles:

Yes. I don’t see any in the chat right now, but while the audience is formulating any questions, I have a couple. So first, how would you recommend that someone request funding in a situation where a technical lead or a senior IT manager doesn’t support the need to mitigate the cyber risks that we discussed today?

Tyler Farrar:

Yeah. Good question. Again, I do talk about this in our CISO’s Guide to Communicating Risks. So please check that out, but you need to focus on metrics, be able to translate your metrics to tell your cyber risk story. Focus on those root causes of breaches that I previously mentioned and then when you finally get the stage and the opportunity to sit down and present your plan and request your funding, come prepared. Discuss your plan of action to remediate that risk, what’s the appropriate funding amount requested there, and then be able to provide your KPIs or your metrics, your key performance indicators that show the positive effects of risk reduction due to your implementation of your plan of action.

Wanda Miles:

And that is great advice, but what happens if you still can’t get funding at that point in [inaudible 00:28:45]?

Tyler Farrar:

Still can’t get funding? All right. So that happens from time to time, right? First and foremost, you should be looking at, are there any mitigating controls that you could put in place to potentially reduce the risk to a more tolerable level? One example would be network containing the machine. If it doesn’t work, you have to gain formal risk acceptance. That’s why a formal risk management program’s very important here, and you’re going to get more traction if you’re able to provide written correspondence that has been previously vetted through your GRC team, your security champions, basically, you’re saying, Hey, I’ve done my homework. Here’s the data and I have the people to back up what the risk is and the impact and likelihood of that risk, and then request the acceptance of the risk in writing by the appropriate senior management who now has been assigned as that risk owner.

Wanda Miles:

Nice. We have a number of use cases that we focus on here at Exabeam, and one of them is insider threats. So I have a question. Is it considered an insider threat if an employee isn’t offboarded properly?

Tyler Farrar:

That’s a good question. All right. So how we break this down at Exabeam on insider threat is really around intent and there’s two types of intent. The first one’s around an intentional insider, so that’s somebody who’s targeting data. It’s usually high value. It’s usually sensitive and they’re taking it maybe even as they move to another company, they’re probably also intentionally masking what they’re doing to avoid detection. Unintentional or your accidental insiders, they’re usually unaware that they’ve done something wrong and we classify insider threats into three key areas. So here at Exabeam, we say, maybe it’s a compromised insider. Maybe they’re a victim of an external actor and they’ve gained access to the device or those credentials through means like phishing, right? Maybe it’s a negligent insider. So it’s somebody that’s just not following proper IT procedures, or maybe it’s that malicious or deliberate insider and that’s the person who’s knowingly looking to steal information.

Tyler Farrar:

So to answer the actual question, Wanda, I’d say, look, you have an unsanctioned active account on your network and whether there is deliberate intent or not, I would still consider it and classify it as an insider threat. And then once you do, you need to ask yourself, is the account compromised or is the individual being negligent or malicious and deliberate in nature? And that’ll allow you to actually classify the insider threat and take that appropriate risk remediation action. But at the end of the day, yes, we would classify that as an insider threat.

Wanda Miles:

Thank you. So can you discuss our approach for third party security review programs? So for example, scoping risk assessments, you touched on that a little bit, critical vendors versus non-critical, risk [inaudible 00:32:12] and getting comfortable with our risk posture.

Tyler Farrar:

Okay. Yeah. At Exabeam, we classify again, across 3P areas through our third party risk management program. We do vendor risk assessments. We both review as well as answer customer security questionnaires, and then obviously through contractual terms and conditions. And so all of our Exabeam third parties and vendors are then inventoried, cataloged, and really prioritized or classified based on the criticality of the business. So at a really high level, that prioritization exercise consists of various risk calibration techniques. We need input from the business owner. We need to provide the data classification, we need to talk about and define how the data’s going to be handled, and then analyze all of that data against what we call the Exabeam adverse impact table. That is how we translate and are able to speak on a common framework for risk impact, and then calibrate it all through enterprise risk calibration.

Tyler Farrar:

So through that, and again, I mentioned this on my last webinar, a risk based data centric approach, that’s how we take it through third party risk management, so higher criticality or higher priority third parties and vendors go through a deeper risk assessment. They might get a more robust security questionnaire, and we might negotiate contractual terms and conditions much tighter. And clearly, if someone’s not comfortable with the risk posture of a third party, then we have to follow our cyber risk management program. We have to calibrate the risk. We have to get input from that business owner and ultimately make a decision whether or not we’re willing to accept the risk and obviously where there’s cases that it doesn’t fall within our company risk tolerance, well, that’s when we start having those conversations again, around risk acceptance and proceeding with contract execution, despite the potential risk to the business.

Wanda Miles:

Thank you. So Ari, what is Exabeam doing to minimize risk through compliance with industry accepted certifications?

Ari Companioni:

We currently have a SOC2 type two report that we maintain and earlier this year, we were certified in ISO 27001. And we’re also assessing, considering 27017 and 18 later this year to further add to that assurance concept, right, around the secure operation of our cloud service and handling of PII, and in the government space, we’re actively working towards a [inaudible 00:35:08] authorization, [inaudible 00:35:09] moderate specifically. So we’re continuing to try to understand what it is that we can do to provide the assurances and that trust concept that customers are always asking us about. And we want to do as much of that through certifications as possible, right?

Ari Companioni:

Tyler mentioned we get a lot of questionnaires and just general security questions from customers. And we want to make sure to answer as much of that through a standardized certification process so that we can make sure that customers understand, hey, we have a SOC2, we have ISO, we have FedRAMP, we have whatever we have, right? And then those different things will ultimately give them the assurances they need to make sure that they can go ahead and give Exabeam their data and we’re consistently assessing more, right? It doesn’t just end at those, so it really just depends on customer demand and our regional expansion plans.

Wanda Miles:

Nice. And my final question. So how does Exabeam remain current with the growing landscape of regulations and certifications, not just locally, but globally?

Ari Companioni:

Yeah, and I touched on that a second ago, right? A lot of that is it depends on the emerging trends and certifications. So one of the things I do is make sure to keep up on what are the certifications that are coming out, what are the ones that are being modified, tangibly that we need to make sure to comply with. You can think of things like CMMC in the DoD space, right? That’s going to be something that’s going to impact us at some point in the near future. So we’ll need to make sure to meet those requirements and then globally, it just depends. There’s a lot of region specific compliance requirements. There’s some compliance requirements for the Middle East, there’s in Singapore and so on and being a global company that has a global customer base.

Ari Companioni:

Obviously we get asked about a lot of these and the short answer is, we triage these on a case by case basis. And it comes down to demand and our company’s strategy. And one of the things at Exabeam that we have the benefit of is we have a product management led compliance organization, right? So I sit in the product organization. Typically you see compliance teams either live within InfoSec or legal or some other entity, but by aligning the compliance function within the product management organization, we have the benefit of aligning all of these various programs and prioritizing them in parallel to engineering priorities, right? So compliance is essentially your first class citizen and it goes back to that by design and compliance as code, as I mentioned, want to make sure that we can drive as much of that under the same umbrella, the same reporting structure, so there’s no compensation or priorities.

Ari Companioni:

There’s none of that, right? All of that is treated the same. So to answer your question, Wanda, it really depends on what we’re trying to accomplish within a region and it really depends on what customers are asking for. And also the executive order, right? If something applies to us from a regulatory standpoint that we have to comply with, then I’ll partner with legal to make sure that Exabeam does whatever it needs to do to remain compliant legally. So, yeah, there’s a lot of work that goes into maintaining our certifications and making sure that our roadmap is current with what customers are asking for and a lot of that is feedback from customers themselves.

Wanda Miles:

Thank you. Well, I still don’t see any questions in the chat. We’ll give you another couple of seconds and if we don’t see anything else, we will say, thank you very much for your time. We appreciate you joining us this morning, and we look forward to having you join us at another Exabeam webinar in the very near future. Have a nice day.
