Regulatory Compliance

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

Top Answer: Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.

Is the Chief Data Officer (CDO) role the same from company to company?

Top Answer: I see the role as a conduit for data regulations. But I've talked to CDOs in other organizations, and the CDO role is different in different companies. In some places it's mostly data stewardship; in other companies, it's mostly data governance and policy stuff. In some cases it's just the role that works with analytics and comes up with analytics products to figure how to monetize the data.  I was fortunate enough to have previously worked at a mid-size bank. It was big enough to have regulatory oversight and we had enough customers and money to make those aspects important; but it was small enough that they didn't have the luxury of having someone do the data function role across verticals. We had people in marketing that did analytics, but I had to be the conduit across all of these different areas. So in that context, my role was about bringing those things together, which meant I had to understand what InfoSec’s concerns were while also understanding what marketing’s strategy was, what they were trying to do, and how I could enable them. Oftentimes, InfoSec folks just want to say, “Stop marketing. They can't do that.” That’s when the CDO has to explain that if we don't market, we're not going to get new customers, or more products out of the customers we have — that’s the challenge. The core of what a CDO does is about helping people leverage the data that the business has in a safe way.

What are the biggest challenges that Chief Data Officers (CDOs) face?

Top Answer: A lot of it has to do with keeping up with current regulations around the world. The most challenging aspect of being a CDO is that you act as the conduit from various regulatory bodies to the IT organization. A lot of IT organizations have different perspectives on how to interpret those laws and in many cases, there's no upside for someone to not be conservative. If I'm in risk and compliance, or InfoSec, it looks bad on me if data is breached or lost because someone had access to it. So there's little incentive to be able to allow free access to data even though it could mean helping the business do things. As the conduit between these groups, being a CDO is about helping the business find a balance by measuring the level of risk to make informed decisions with appropriate levels of materiality. In some cases it’s not just about saying “no,” it's getting people to all align on what is permissible, and what the right balance of risk is for us to operate as an organization.

What data protection and privacy regulations do finance Chief Data Officers (CDOs) have to navigate in the US?

Top Answer: First, you need to know the regulations that apply to you. There’s the Gramm-Leach-Bliley Act (GLBA) and the California Consumer Protection Act (CCPA), which was the state side version of GDPR, the European Union customer privacy regulation. There's a new release of CCPA coming out, which is the California Privacy Rights Act (CPRA). Then you have states like Vermont that are heavily consumer-oriented from a personal rights perspective. Virginia's passed their own regulations around customer data and there are various states that have their own regulations, which are all at different stages of negotiation on the hill.  The second thing that you need to know is that you may have contractual arrangements. For example, when a company buys a portfolio of accounts, mortgages or credit cards, there may be contractual arrangements attached to that portfolio which dictate what you can and can't do. If you're providing services for another organization, you have access to a lot of data and you may have very thin permissible use in terms of how you can legally use it. It’s critical to know the rules of the road and what you're required to protect by law.  Then you need to know what your corporate protections are. In the financial services industry, we're required by the overseeing regulatory bodies to understand who we're doing business with, by adhering to Know Your Customer (KYC) policies and the Bank Secrecy Act (BSA). Beyond that, there are anti-money laundering (AML) policies we follow because we have to be able to prove that we're not laundering money. There’s also the Office of Foreign Assets Control (OFAC), which helps you understand if you’re doing business with a terrorist. Governments and regulatory bodies require you to capture all that data; in that respect, your company’s possession of this data is protected because you need it to be in business. But we’re not only allowed to have that data, we're required to keep it. 
In some cases there are retention requirements: even after the relationship is over and the accounts are closed, you may need to retain that data for five, seven, or even 10 years, depending on the situation. You have to be able to prove that you’ve retained it, so you need to know what your protection controls are as an organization. The CCPA, for example, gives people in California the legal right to request information about the data you hold about them. If a person has a relationship with your organization, and your company meets the regulation’s business size requirements, a customer can say, “You need to tell me what data you have about me and what you're doing with it. Are you selling it to anyone?” You need a process in place to respond to that request. This is especially critical when a customer asks to have their data deleted, because you have to be able to prove that you did so in case you get audited — that can be a complex thing to do in large organizations. If you don't have something like that in place, you won’t be able to answer questions like: Where are all the systems that have my data? What type of data is it? Where is it? Is it protected, or not? Do I even need to protect it? Putting all that in place can’t be done with a quick turnaround.

Are cybersecurity regulations going towards a Sarbanes Oxley model?  

Top Answer: What exactly do you mean by a Sarbanes Oxley model?

What is the CDO-CIO relationship like?

Top Answer: I've played both roles; I was the CIO for a nationwide insurance company. From that perspective, the CIO is responsible for all things IT but they can't be everywhere at once and be an expert in everything. They need to be able to trust the subject matter expertise of the people they work with to make sure that we're protecting the organization and making the right decisions. The Chief Data Officer (CDO) is the person who needs to understand and protect the rules of the road in regards to customer data. The CIO should know that the CDO understands what we can and cannot do with customer data.  The CDO needs to be a conduit with other key departments within the organization. As a CDO, I’m the conduit between legal, compliance risk, InfoSec operations and the business. For marketing in particular, the CDO educates to ensure those departments understand what they can and can’t do. That includes making sure we have the appropriate controls in place, because data flows across all aspects of the organization. So it’s critical to make sure that people understand, and we have consistent behavior in how we manage customer data in that regard. A CIO also needs the CDO to handle data architecture, so that it can scale. You want to avoid data duplication and replication. I use the concept of “source once, consume many” so that you have multiple processes consuming the same version of truth. That’s so you don't have discrepancies where a system shows one version of data that's different from the others. And it needs to be able to think through the concept of online transaction processing (OLTP) and online analytical processing (OLAP). In many cases, application development is structured on the processing of data, systems and applications, but we don't always think through the aspects and the downstream impacts of OLAP, which is the analytics reporting and model building. 
Those things need to be as in sync as possible in the way that they're viewing and consuming data. Those are the things that the CIO relies on the CDO for.

How would you describe cybersecurity regulation in the US as of today?

Top Answer: The issue with the regulations that exist is that the auditing is nearly non-existent for them. So no one follows them, making them worthless.

What is life like for an IT leader after the company goes IPO?

Top Answer: Being an IT leader is always challenging and after an IPO there are new challenges to deal with. I always enjoy resolving business problems through technology automation. We are still trying to do a lot in one or two quarters, because we now have to produce more detailed metrics as a public company and meet all our goals on time, while also passing compliance audits. There is a lot of internal pressure on the sales and marketing teams, so I'm trying to prioritize critical business process automation in order to figure out how quickly I can enable them, as well as how quickly we can address the technical debt. That's the core focus now. We’re also working on improving the infrastructure to drive a better employee experience: What can we do to enable our employees, so they can work with our customers at speed? What automations can I put in place now to scale the organization to the next level, and how can we make the company more profitable through tech stack optimization?

What was it like for your team leading up to your company’s IPO?

Top Answer: It was an incredible experience and a big Aha moment. I led these systems implementations multiple times from quote to cash, including CPQ and billing, revenue recognition, putting a new ERP system in place along with procurement automation, and automating our customer provisioning.  A unique challenge we had at UserTesting was that we had to do all these things in an eight-month timeframe while also evolving processes and creating enablement materials. It was a lot of pressure for sure. We were working with multiple implementation partners at the same time to ensure we didn’t miss any timelines, which was a risk as they all had to align on the deliverables. But we were also laser-focused on not compromising on quality, which was a big challenge and huge accomplishment. I had to focus on my team's blockers and motivate them to deliver the projects successfully while working closely with our executive team to get their buy-in on decisions fast. We had to be sure we were giving them the right visibility into where we are on the projects, the risks we were seeing and how I planned to remediate those issues. That was critical. Every week, we sent reports to the executive team to get their alignment. If some things had to shift, then I’d put that plan into motion very quickly because there was no room for missing our deadlines. Ideally, as an IT leader, you can provide a business justification if you do miss a deadline and then still go on with your work. But this time we did not have that option, because we could not go IPO unless I put these systems in place. The executives and board members were not ready for the IPO timeline to change, so there was a lot of pressure. But in the end it was all worth it because we accomplished a major milestone for the organization and added huge business value by optimizing the deal process and reducing financial close time.

What is it like to be an IT leader at a company that just went public?

Top Answer: It's a great thing. A couple years ago we were around 500 employees and now that we’ve gone public we are almost at 1K employees. So we have doubled our headcount and many employees joined during COVID. Now our two main focus areas are growing in our current landscape and expanding our markets. Heading IT in this situation is a lot; we had to transform our systems fast because they were extremely manual and a lot of things were done using Excel. We went through a digital transformation to implement major business systems in less than one year, so that our sales, marketing, operations and finance teams would be enabled to quickly close their deals and financial quarters. That was key because we needed to provide key KPIs and help the executive team make data-driven decisions in order to run as a public company. We also had to implement SEC Compliance, so putting those systems and processes in place for that purpose was another big thing. As a public company, it’s so important to provide all the slices of information we can, which enables the business to answer any questions and show how we are progressing as well. The other challenge I had was having to build my team from the ground-up. When I joined, it was a very small team. Even now I still feel like there is a lot we are trying to accomplish in a short amount of time, so I keep looking for ways to enable my leadership team and business partners quickly. Prioritizing is a big thing for me because there are 100 things we are trying to focus on. Within those 100 things, finding the top 30 that we wanted to prioritize and deliver is critical for both my team’s success and enabling our internal users.