Reckless Compliance

The Role of a Chief Legal Officer with Steven Dimirsky

SHARE EPISODE

The podcast features Steve Demersky, the Chief Compliance Officer and Chief Legal Officer at 1010 Data. He discusses the importance of legal and compliance officers in the cybersecurity and risk management field. Data privacy is a major concern for SaaS companies, and they need to ensure they are handling client data safely and in compliance with regulations. The podcast also touches on the use of SOC audits and the need for credible auditors who can identify and address organizational flaws.

Topics we discuss:

  • Role of Legal at 1010 Data
  • Risk Management
  • SaaS Security Compliance
    • Supplier Risk
    • Certifications & External Attestations
  • Improving SOC 2, FedRAMP and similar compliance initiatives

Max’s Bio

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

 INTRO 

Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com . If you’re looking to learn about cyber risk management and get your product into the federal market, This podcast is for you. Or if you’re a security pro within the federal space looking for a community, Join us. We’ll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes.  It doesn’t matter what type of system or federal agencies you’re dealing with.  If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA Stigs, SAP SARS, or newer terms like CATO, Big Bang, OSCAL, and SBOMs,  we’ll break it down all one by one. And now here’s the show.  

 

Max Aulakh: [ 00:00:47 ]

Hello, everyone. Welcome to this episode of Reckless Compliance, where we learn unintended consequences of compliance.Today, we’ve got Steven Dimirsky, one of my colleagues who I’ve worked with at 1010, we’ll hear from him. Steve has played a role of chief compliance officer, chief legal officer. And no matter where you are in terms of cybersecurity, information, security, risk management. You can’t do this type of work without input of a legal officer who typically reports up to the board or CEO.  So with that, I’d like to introduce Steve. Steve,  if you don’t mind, tell us a little bit about yourself, your role at 1010. And just a little bit of your background in terms of  your legal background and what not. 

 

Steven Dimirsky: [ 00:01:32 ]

You know, I’m Senior Vice President and Chief  Corporate Counsel for 1010 Data.  I’ve been here for about three and a half years.  I’ve been in SAS now for about 15 years and have various legal positions.  Involved always with our data privacy and information security apparatus. and compliance, and audit structure.  As I said, they go hand in hand.  Most contracts call for some sort of compliance. Most contracts with clients,  I should say, call for, you know, some adherence to some sort of security protocol, and that’s where the overlap usually starts.  It’s not where it ends, but it’s where it starts. And, you know, we go from there. But, as you said, you know,  I report to our CEO.  I do have exposure to our board.  And, you know, any happenings on security side of the house,  you get informed through those channels by me, typically, as well as our other board members. C suite members who are involved,  CTO as well, so.

 

Max Aulakh: [ 00:02:31 ]

So Steve, thank you again for coming on the show.  And I think your role is incredibly critical. I know when Igyite worked with 1010,  there was a lot of different concerns you had with the risk management, SOC 2, those kinds of things.  From a legal and account general counsel perspective,  What are some big things when it comes to a SaaS company? In context of risk management, you know, not just cyber,  What other kinds of issues are you typically dealing with when it comes to SaaS firms?  

 

Steven Dimirsky: [ 00:03:02 ]

Data privacy is, you know, the chief concern that I have and the different regulations that have, you know, arisen, over the last decade, let’s say. What data we have of our clients and what we do with it, how it’s treated, how it’s handled, you know, bears a direct line to 1010’s liability to those clients. and whether that be, some sort of statutory liability, that exists in a legislative scheme or contractual liability that exists from our contracts with them. We need to know what we’re doing, We need to know that what we’re doing is, safe and we need to know that what we’re doing can be demonstrated to any party that asks,  that has a right to ask. And when I joined 10 10 as well, at the same time as our then CTO, we had only our stock audit to rely on as far as an outside audit of what 10 10 was or wasn’t doing appropriately. You know, you looked at a couple of years of the report and it read very much like a cookie cutter report that was produced from year to year.   Said 1010 was great and perfect.  No organization is perfect. Organizations can certainly be great, but knowing what we did know about 1010 at the time the CTO and myself could not really believe that we were that great of an organization and we were certainly not perfect when we started poking our nose into the sock that we got. And talking to the auditor that we used, we found that their process was very cursory, flawed in many ways, and really did not attempt to find out what 1010 was or wasn’t doing right.  But more importantly, where our gaps were,  which is really the usefulness of the SOC. in my opinion, clients may call for a sock to be done every year, and there are contracts with us. We produce it, we submit it to them.  I would say generally speaking, most clients, depending on the size of your organization depending on the importance of your organization to the client,  it’s generally a check the box kind of thing, you know, we got the sock.  They did it. It’s it’s current, it’s annual. Maybe they get a bridge letter to you know, cross between the dates of the sock and when they submit the sock to the client, but.  Very few questions at the companies I’ve worked at have ever arisen from the audit report itself, but the usefulness of a good SOC audit is to guide and instruct the organization on how to improve itself.

 

Max Aulakh: [ 00:05:32 ]

Yeah and Steve, to your point. 

 

Steven Dimirsky: [ 00:03:02 ]

Yeah, when you get a report that says you’re perfect.  There’s  build on, there’s nothing to move on from and our, the CTO and I just could not trust the auditor.  We could not trust the report.  So we sought out a new auditor that would dive deeply into 10 ten’s operations and tell us where we had flaws, because we knew we had flaws. We just couldn’t identify them. And that’s where Ignyte came in.  We selected you after, you know, a series of RFPs and audits, interviews that we went through with various auditors.  We landed on Igyite and, you know, the process really helped generate a report that we could rely on, that we could trust and was instructive in how we move forward as an organization. And, you know, that alone, you know, made the, I’m not going to cost is the wrong word,  but the effort expended to find a new auditor.  Worthwhile, you know, having a software that internally we can rely on whether our clients find it useful or not, you know, we have to do it, but we should get something out of it. 

 

Max Aulakh: [ 00:06:39 ]

Steve, I really appreciate that, but I think on our side, we hear that a lot on security where it’s just check the box and it’s, you know when you look at it strategically, it’s such a waste of resources. Like, why are we doing this unintentionally, you know, the SOC audits can range from 30 to a hundred thousand dollars, depending on the size of the organization. And that’s a expensive marketing exercise,  right? So, I appreciate you selecting us and even on our side, Steve, what we found, cause we’re not a SOC 2 audit shop, right?  We know how to, how to look at those controls and assess those control and go way deeper thiing value out.  We actually had to work with quite a few SOC 2 auditors and assess if they have the ability to really look at. An organization and go at the tactical depth and also at the management death and correlate those two things because I think a lot of times what we’re seeing out there is, um, you know, there’s this need to just. Just get through it very quickly, which efficiencies are important in the market, but it almost feels like you’re just generating paperwork, right? And that is the opposite of data security, data privacy, risk management. So I think having a general counsel way in is critical because without it, we would be left to just a bunch of compliance check boxes that don’t mean anything. So we appreciate that, Steve. And, um, In terms of SaaS security compliance, I know that a lot of people are building SaaS solutions nowadays compared to 10 years ago, we had this whole thing about desktop applications and things like that.And then, of course, with the onset of AI, where do you see supplier risk going, right? Because we’re going to be connected to a lot more suppliers. Downstream, you know, things that get baked into our entire application. Where do you see kind of that going in the role of the council there? 

 

Steven Dimirsky: [ 00:08:41 ]

Yeah, you know, so it’s always amazed me, especially at 1010 where clients focus contractual risk and they want a lot of identification,  but they don’t really focus on the warranty and the warranty is really where 1010 makes its assurances to I’m giving away our secrets. 1010 makes its assurances to our clients, about what we do and don’t do with, with data. And, you know, I’m always stunned at how little attention is paid to the warranty section of our contracts. And the focus for most of our clients is on the overall limit on liability. And it’s interesting to me because when we’re buying services and when we’re acquiring acquiring services,  What I’m interested in is what are the warranties that we get from our vendors about what they’re doing with our data, what they can do with the data, uh, or what they can’t do with the data, where the data is being stored, how it’s being stored. Most of that is embodied in the warranty that we get, not in an indemnification section. I mean, it can be, but it usually isn’t. And that’s the important part to us because.  We make warranties to our clients and we need to make sure that those warranties aren’t naked obligations that 1010 has that have no cover from our downstream vendors. And it stuns me that most clients, most clients who buy CES don’t pay attention to that. But that’s, I don’t want to say it’s immaturity, because it’s not immaturity, it’s not, you know, a lack of, of sophistication in legal departments, I think it’s a lack of familiarity with how SaaS companies operate that, you know, there’s, there’s like that misdirect, right? They, focus on the, the large piece, that, that, that overall number and cap on liability. That’s the prize, but the real prize is knowing what’s going on with the data. That’s what you should be focused on. 

 

Max Aulakh: [ 00:10:37 ]

So Steve, let me, let me ask you this.  For those that are listening in that are not attorneys, right? And they’re kind of playing attorneys because we sometimes get thrown at fixing clauses and those kinds of things. What’s the difference between the warranties section and all the other clauses that we see? Why is that area kind of like you mentioned, the secret sauce or nobody’s paying attention to?

 

Steven Dimirsky: [ 00:11:01 ]

So typically the way contracts are constructed as general, very, very broadly speaking, warranties will establish what the responsibilities of. The company providing the service are right.  That warranty section will lay out, you know, what we guarantee our service will and will not do the indemnification language limits on liability. We’ll talk about things like. Direct damages, indirect damages, a cap on liability, how the cap is structured and there’s a lot of complexity in indemnification and limits on liability clauses.  That are very, very vitally important to how risk is assessed and managed in the contract,  but don’t get to the heart of what are the actual obligations that anyone is owed or guaranteed. You want to look to that warranty section because it’ll, it’ll establish, you know, what that provider is going to be doing. Right. Are we going to say, we will not sell your data to someone else, you know, anonymized, aggregated, whatever it may be. If we don’t say we’re not going to do it, there’s not a lot saying we can’t do it. And you want to know that as a, an acquirer of services, especially, you know, when your obligations as a purchaser of those services run, not only to your shareholders, your board.  But to your clients for whom you hold their data, whether that be an individual, whether that be another corporation, that’s where your risk lies. You want to know that the SAS provider providing you service isn’t going to establish new open ended obligations that you don’t have any cover for, right? So that’s where the warranties really come into play. And that’s where, you know,  I think a lot of focus should be not on what the overall cap on liability is because. It’s a million dollar cap, two million dollar cap, unlimited liability.  If I don’t have the obligation in the first place, there’s no liability established for which you can claim a damage anyway, right?  That misdirect, the prize is the number versus what the obligation is. 

 

Max Aulakh: [ 00:13:05 ]

But the actual, yeah, and you, you’re right. You have to explicitly lay out what is allowed and what is not allowed.  So Steve, where do you see Uh, typically, you know, the reason why you guys had to do this, and even for us, we, we’ve had to do it because it’s a contract clause. We have to have some sort of external assurance, ISO 27, 000, FedRAMP, SOC 2, you name it, there’s like 30 of them out there, right? These are the primary three.  Where do you think that’s going to, you think that’s going to do you see that as an uptake on contract language or do you see it differently where you can get warranty coverage? 

 

Steven Dimirsky: [ 00:11:01 ]

I think it depends where you operate as a company.  So Europe, as an example now, you know,  after Brexit, I’m talking primarily about continental Europe, you have GDPR that still rules and is there. Post Brexit, UK has their version of it. But it’s a unified front, right?  So no matter where you operate in the European market, you know, you’ve got one set of guidelines, essentially, that you can look to that establish what the rights of individuals are, et cetera, and what your obligations are as a processor of data. In the U. S., you know, we have the issue of no single piece of legislation that You know, guides you,  you’re left with this patchwork of states laws, some federal laws, whether it be, you know, HIPAA,  you know, you’ve got a patchwork of, 

 

Max Aulakh: [ 00:14:37 ]

yeah, you got like 30 to, well, 50, you could say one for each state almost

 

Steven Dimirsky: [ 00:11:01 ]

Almost right, and then, you know, just Columbia, you know, whatever it is. But there’s so many different things. It’s actually very similar to how Europe was before GDPR went into effect, where you had each country having their own data privacy law, and then you had a directive from the EU that sort of Tried to unify, and then GDPR, the regulation, came through. I think it depends on whether there’s any federal action on data privacy that will determine whether or not, you know, do we go the road of GDPR in the United States and have a single overarching piece of legislation that guides and creates uniformity, or do we continue to let the states iterate their own laws and create potentially conflicting obligations? and responsibilities that make it more challenging to provide services across the country. And it’s really anyone’s guess. 

 

Max Aulakh: [ 00:15:30 ]

Yeah

 

Steven Dimirsky: [ 00:15:32 ]

I don’t know. I honestly couldn’t tell you. 

 

Max Aulakh: [ 00:15:34 ]

Yeah, I mean my take is, Steve, I always see us kind of bottom up country.  Yeah, where the rights are distributed to the people, then to the states and then at the federal level. So it’s going to be difficult to change that pattern in tech.  I mean, I could see it in other areas where it’s much more catastrophic if we don’t, but here,  I think we’re going to continue to see, that’s just my guess. 

 

Steven Dimirsky: [ 00:16:01 ]

Yeah, I mean, you know, I know there’s draft pieces of legislation floating around that try and do certain things, but there’s nothing, nothing overarching, nothing on the level of GDPR  on the horizon and for  good or for bad, uh, you know, it makes some things more complicated and make some things easier.  You know it just depends on, it really depends on where in the market you sit.  That depends, you know, where in the process you sit also. Right. So, you know,  but time will tell, right.  And it could go, could go either way. 

 

Max Aulakh: [ 00:16:30 ]

It really could. Now Steve, your experience as a counsel for a SAS company, you had to get SOC too, but you had other choices, FedRAMP, ISO. How was that decision made? Why did you guys go with that? 

 

Steven Dimirsky: [ 00:16:45 ]

It’s really the clientele. So, you know, my last company,  we dealt, we’re a European based company with, you know, a branch in the United States. So we had clients globally. Outside of the United States, ISO really is, is the king, right?  2701, 27018, you know, those are primarily what Clients will look to and look for you to have, uh, in the United States, you know, if you said you were ISO 2701 compliant,  I think most clients would have no idea what you’re talking about. Just they just don’t, uh, it’s, it’s a really very foreign concept, you know, that ISO certification. 

 

Max Aulakh: [ 00:17:24 ]

I mean, cybersecurity people know, but when it comes to contractual matters, I don’t really see it.  

 

Steven Dimirsky: [ 00:18:29 ]

And, you know, I think that they both are very useful in their own way. They attack the same problem in different modes. I think it’s a good way to look at the difference between a SOC And having gone through both, I can tell you that, you know, the auditors also are very, very different people.  You know, the ISO auditors are very, very rules driven, very, very fact specific, and will, you know, they want to see the evidence, they want to see, you know, you show them it now, or you don’t get the certification. The SOC auditor is always much more of a conversation to be had, um, And there is, you know, the control, but the controls are purposefully not exact, right? It is a statement about the control. And there are modifications that can be made in the report. You can have explanations, you can have responses from the management of the company. So the SOC is much more of a conversation about your controls and your stance on controls and your adherence to the controls. Whereas ISO is much more yes or no it’s a very, I don’t know, black and white is the wrong.

 

Max Aulakh: [ 00:18:35 ]

But it’s more constrained because  you can, you can define it, but definitely to your point. There’s these degrees of auditor knowledge that’s out there in the universe, right? And I think that’s what makes it difficult. And it unfortunately turns it into a checkbox.  And I know in our community, we’ve been working towards, we call it harmonization, essentially same intent as unifying the language. But man, it’s difficult. It’s so difficult. And it’s kind of a pie in the sky goal. I would say, I mean, we do it with a little bit of artificial intelligence and,trying to get to the intent of what it’s written,  but the level of rigor changes. 

 

Steven Dimirsky: [ 00:19:18 ]

Yeah, and you know, I mean again, I think there’s, I think there’s an intent.  On the part of the AI CPA, uh, about how they construct the definitions of the controls that permit that flexibility in the auditor itself. And, you know not to, you know, belittle or denigrate SOC auditors, but it allows companies to shop around for the SOC auditor that matches what their needs are.  You know, you can find if you want, just check if you just want to check the box again,  you know, your 30, 000 marketing piece, you can find that order without question, right?  You can find that that person. But if you want to find what you’re doing wrong, or what you’re doing, right? You can find that order too. And it’s a very simple process to discover that, right?  And you have it. One or two short conversations with the auditor about their philosophy and their principles and how they conduct their audits, and you know, what you’re going to get, it’s as simple as that. So, you know, as an organization, the choice is yours, right? You define what you want and you go and you get what you pay for. Yeah. Right. 

 

Max Aulakh: [ 00:20:26 ]

Yeah. And I think,

 

Steven Dimirsky: [ 00:19:18 ]

ISO is not the same, right? Yeah. ISO is very much, you know, everyone, you get, you have an ISO certification, everyone’s the same, right? You can be assured that everyone adheres to that standard because it is a standard, right? SOC’s not a standard per se. 

 

Max Aulakh: [ 00:20:41 ]

So a lot of this came out of just what the clients are requesting. You got socked to because of that, but previously you worked at ISO and then of course, you know, I remember 10 years ago, the goal was, Hey, we don’t want the client to ask us anything. We just want to be proactive and create our own thing and, and it just kind of fell apart. I don’t think anybody, I think Deloitte and some of the larger shops were trying to do that and it just kind of fell apart primarily because of the language confusion, right?  it’s, uh. Nobody could agree to terminology. And so this is kind of where we are. What were your thoughts as a general counsel I know you’re not in the weeds as a security professional would.  How do we, how do we improve this? Right?  Because there are so many overlapping initiatives.is it even possible to improve especially information security?  Let’s say you had a company and they had to go through SOC 2 and then all of a sudden they got to do this government thing, FedRAMP, which is. Terrible, right?  It’s a terrible process. It could take years.  

 

Steven Dimirsky: [ 00:21:43 ]

Probably the only way to get to a harmonization is to adopt something like a standard, right? and whether or not that happens again,  I think it is anyone’s guess. I think, again, it may depend on where legislation goes. If suddenly there is You know, an overarching guiding data privacy standard or data security standard that that rules, maybe that’s where the focus then goes is how do you adhere to the now standard? If that doesn’t happen, then I think you continue along the process network where everyone has their own definition. Everyone has their own, you know, method of getting there and it doesn’t matter.  Because, you know, like I said, for outside of, you know, a couple of examples, most of our clients don’t read our report, right? And again, not that 1010 is doing anything wrong, not that 1010 is doing anything bad.  Again, we, you know, we, we are as an organization trying to improve.  That was the, you know, the reason why we changed our order. But, you know, we have faults, right?  We have. You know, things to work on as any organization does no one’s perfect, right? And that’s that’s the important part and that you know,  I think that that gets lost, right? There’s no such thing as a perfect organization, right?  There’s always the technology is changing faster than any legislation could possibly keep up so organizations are changing again faster than any legislation could keep up and To put out this this painting to your clients that you’re perfect It’s just sort of incentive, right?

 

Max Aulakh: [ 00:23:22 ]

Yeah, it is. It’s disingenuous, but like you, but like you also said 

 

Steven Dimirsky: [ 00:21:43 ]

Nothing’s a hundred percent, right? You can’t write. That’s a lie.  Like we are, we do this a hundred percent of the time. You have to question that, right?  That statistic just can’t bear out. In fact, so buyer beware, I guess is always, you know.

 

Max Aulakh: [ 00:23:46 ]

But also, I think there’s a education part. So sophisticated teams know there’s no 100%, right? But then there’s also businesses that are like, if you can’t, if you’re not 100%, we will not procure. And that’s unrealistic. 

 

Steven Dimirsky: [ 00:24:00 ]

That’s the danger for a small company where you’re trying to improve yourself. And you get a report that says you have, you know, these two or three issues and you have a procurement department or a buyer and a small client who’s like, well, you’re not perfect. I can’t go with you anymore. 

Max Aulakh: [ 00:24:21 ]

I can’t go with you. Yeah.

 

Steven Dimirsky: [ 00:24:22 ]

You just lost out on the sale because you’re trying to improve yourself, but not because you’re trying to improve yourself, but because the buyer. Isn’t educated enough to realize that no one can be perfect. Right.  But they see your competitor go forward with a report that says they’re a hundred.  Perfect. And I don’t blame them, right?  Like, you know, they’re, but they’re buying something that’s illusory. 

 

Max Aulakh: [ 00:24:46 ]

Yeah. Something that’s disingenuous and, and how far off is that? Who knows? Right. So yeah, we see that a lot. We see that a lot when it comes to. Just, you know, both sides where one side is receiving all of this supplier risk questions, and they’re not doing anything.  They’re not reviewing it. They’re not making any risk decisions.  Definitely not making any contract changes. Or the flip side, I want you to be perfect.  And then I will renew or, uh, you know, maintain the contract or sign the contract. And, uh, man, I think it’s just such a big disconnect between.

 

Steven Dimirsky: [ 00:25:23 ]

and that’s always a struggle. And especially with smaller companies, right? When we’re buying our, from our suppliers, you know, we’re a legal team of one. We have a data privacy officer, a CTO, you know, there’s only so much rigor that can be imposed on a system without grinding the company to a halt.  So, you know, but again, sometimes you have to accept  their face value representation that maybe not they’re perfect, but that, you know, they’re doing everything they can and doesn’t mean anything because again, we’re being audited too, right? So our audit shows our flaws and that’s encompassing all of our suppliers as well.  So I’m not sure what the right answer is, but there’s understanding what all of the, the audit.  audit reports mean benefits any organization, right?  Because otherwise  you can easily be misled. You can easily be buying something that doesn’t exist. And then you’re passing that on to your clients too. Um, so yeah, I think, you know, like you said, being educated about this. Is probably the most important thing for any procurement department and the legal department and the technology department that’s acquiring services or reviewing, uh,  servicers that you’re, you know, potentially buying services from, uh, I can say services 1 more time. That’d be great. You know, understanding what, what the, all their audits mean  is probably the best tool you have at discriminating which, which companies you should be buying from, which companies you shouldn’t be buying from. 

 

Max Aulakh: [ 00:26:56 ]

And I think Steve, to your point, you know, even the, some of the largest companies we work for, the legal department is usually like not more than 10. Like that’s like a good size department. Unless 

 

Steven Dimirsky: [ 00:27:10 ]

You are focused on, on data privacy or data security or procurement, right? Like maybe one or two in the department of 10, right? So, you know, the, the, the resources just are not there. And maybe that’s where AI comes in and helps everyone out. I don’t know.

 

Max Aulakh: [ 00:27:26 ]

Well, I think we’ll see that. I know, I know I saw some headline the other day where with the IRS, they’re starting to use AI to detect fraud.  You know, I imagine a world where to accelerate and find risk, we’re going to have to inspect clauses and intent using artificial intelligence and what not.  I can see that happening because You know, the onus of risk management falls on legal a lot of times. If this, if the CISO is not reporting to the CTO or CIO, you know, sometimes you’ll have a, yeah, or the board. Sometimes you’ll have a risk officer. If they just don’t want to deal with that, they’ll be like legal. It’s your problem. You take care of  it. 

 

Steven Dimirsky: [ 00:28:09 ]

Or you’re not big enough to have a CISO or, or, you know, a compliance officer. And the only person you have with any sort of. Obligation like that is the legal department, right? That’s usually how it winds up, right?  That you’re just not a big enough organization, but you have an attorney.  Uh, and it’s like, yeah, you know, just give it to Bill. 

 

Max Aulakh: [ 00:28:27 ]

But I think Steve, in even the big organizations, they’re trying to, they’re always trying to figure out where do I put this new weird CISO role? That’s like partially legal, a lot of IT, both of that impacts finance.  And they all just talk about risk.  And  they don’t know what to do with this person.  So I see them bouncing a lot of times in big organizations too, where it’s like legal officer, you know how to speak to the board, you take care of this person. Hey, they kind of sound like you, IT, firewalls, you refer to IT.  But I see the role of legal expanding because it all ends up with some sort of a liability on the books. 

 

Steven Dimirsky: [ 00:29:08 ]

It goes back to the, you know, what’s, what’s a legal clause and what’s a non legal clause in the contract. And that’s the eternal argument I’ll always have internally, right? Lawyers really say that it’s, everything’s a legal clause because it ultimately gets interpreted, uh, if there’s a controversy and, uh, you know, you want to make sure the language is right, but you’ll have a sales team that says otherwise, you’ll have an IT team that says otherwise, but I’m a lawyer, so I’m always going to, you know, side on the fact that everything is a legal clause.

 

Max Aulakh: [ 00:29:37 ]

Awesome. Well, I know we’re coming up on our time. I wanted to thank you for just kind of giving your perspective as a, as a general counsel. So I’ll, I’ll ask you this last question because I think this will help a lot of our audience. So for, for those that have never worked with a legal counsel and they come from a highly technical background, a chief security officer, How should they prepare, right? How should they prepare to work for a legal counsel or with a legal counselor in a partnership role to improve the posture? What are some of the key takeaways? 

 

Steven Dimirsky: [ 00:30:08 ]

Oh, that’s a good question. Um, I think it depends on the legal counsel, uh, you have. Uh, legal departments vary greatly in how they interact with their organizations. Are they deeply and intimately involved in the strategy, in the product development, in the sales process, in the marketing department, uh, in marketing efforts, or are they simply, you know, an organization that makes sure that the contracts are all signed and everything is dotted and crossed? Um, you know, the latter instance, I think, you know, maybe the less information you give the better and just stick to facts in the former example, you’re going to have an attorney or a legal department that is curious that is going to ask you pointed questions. And I think you shouldn’t be afraid to disclose details, schematics, you know, data maps, data flows.  Because the lawyer is going to want to understand how things work, and that’s a good lawyer to have, because that curiosity will help tailor everything toward protecting the interests of the company, ultimately. And while it may seem like, you know, you’re exposing things that could slow down a process, the end point  is to better the organization, whether that’s better protect the organization, uh, or improve the organization. And I, you know that’s the lawyer that I would, that’s that I want to be. And I think that, you know, most enterprises ultimately want to work with that kind of lawyer versus the lawyer that just wants to check the box. Um, I, you know, there’s, it’s hard to protect the business if you don’t know what’s going on in the business, I think is, is, is my philosophy on this. So, you know, but you need to know your way, right?  You need to know who your legal department is and what their personality is to, to understand what. Did you want to tell them what you should tell them, what you can tell them? Uh, and I think it’s very, very fact specific, unfortunately.  

 

Max Aulakh: [ 00:32:11 ]

Well, Steve, it was a pleasure working with you. I’m sure we’ll get to work together again. 

 

Steven Dimirsky: [ 00:32:17 ]

Yep. No, I appreciate it, man. 

 

Max Aulakh: [ 00:32:18 ]

Yeah. And I like what you said, which is bring the details because I think a lot of technology professionals, they want to figure out how to simplify things, which I think is important. It’s important to synthesize and make it simple.  Buy You’re a hundred percent right. If you don’t know the business and they’re involved in the business, they need to understand the details of how information flows from sales, marketing, engineering, all of that. So you can, you can build a kind of a tailor fit protection scheme for the company. So with that, I just want to thank you, Steven. I think this is going to be a fantastic episode for those that are listening in. But man, I really appreciate your time and acknowledgement of the works, some of the work we got to do together. 

 

Steven Dimirsky: [ 00:33:00 ]

Yeah, no, and, and thank you. It was a great benefit to our organization, uh, ultimately.So, uh, we’ll, you know, future collaborations for sure. And, uh, we’ll see what happens from now.  

 

Outro

Thank you for tuning in. If you enjoyed the podcast, head over to ignytteplatform.com slash reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.