Yeah, uh welcome and thanks for joining. I know we have professionals at this conference from all different areas of expertise.So for today's talk, I will try to focus mainly on the unique ways in which Git lab does remote work and how you can apply some of our best practices in your own daily work experiences. Feel free to add any questions you may have into the Q and A and we'll try to go through questions at the end. So first introductions, my name is Julia Lake. I'm the Director of Security Assurance at GIT Lab, which is part of the broader security department. I've been with the company for just over a year and I'm based in the US in beautiful Missoula, Montana. I started my professional career in retail banking, getting audited before becoming the auditor. And I've been working in the governance risk and compliance or GRC space, focusing on information, security, quality and privacy domains for the last 10 years. A little bit of background on GIT lab to give some context if you haven't heard of the company founded in 2011. Git lab is the world's largest permanently all remote company and it has been all remote since its inception, which is what makes git lab a little bit unique.

Some may say we were a bit ahead and when I say all remote, I really mean it even our CEO works from home. We have no physical locations whatsoever. We have over 1300 team members in 67 different countries. And our leadership has been honing our remote practices and culture for over 10 years. We are so dedicated to remote work. We even have a head of remote, who has been quite popular. Over the past year, I myself have been a remote worker since 2016, previously working in a hybrid remote company. And prior to that, I was traditional in office. So I personally experienced all working styles. Git lab. The product is a complete open source dev se ops platform delivered as a single application, delivering both self managed and S A deployment options and our S A solution is hosted in GCP, which is another reason why we have no physical locations. The foundation of get lab's remote culture is based on our core values of collaboration, results, efficiency, diversity, iteration and transparency or credit. For short. These values are hierarchical with results at the top. They are ingrained in our executive team and influence everyday operations.

We even have very popular Slack emojis, which you can also see on the screen that represent each value and then anyone can nominate discretionary bonus program for team members that embody the company values in their daily work. So throughout this presentation, I'll refer back to these values often.

So you can see how they influence our work and we really do live by them on a daily basis. So now let's talk in more detail about how git lab actually does remote work successfully and what makes us unique. So our foundations for remote work are informal communication, document everything, organize your meetings, align your values, which I just mentioned with your expectations. Don't use that as a knowledge base, respect each other's time. And my personal favorite assume positive intent.

First and foremost, everybody at our company has to agree to the rules of engagement. That means that everyone from the CEO to the interns are expected to embrace and follow the foundations of remote work. But not only that everyone is also expected to evangelize those foundations.

It's not uncommon at git lab to hear an executive get called out by an engineer for operating in a Google doc instead of a git lab issue or for deploying a change without documenting her inner handbook. This behavior is encouraged as it helps the entire company stay true to our remote vision. The only way that this can be done successfully is by always assuming positive intent in both written and verbal scenarios. You'll notice also how our foundations tightly align with the credit values I mentioned earlier organized meeting support efficiency, documenting everyone, everything supports transparency, so on and so on. Here are some of the biggest epiphanies we've collected and I've experienced uh from different team members when comparing get lab's remote, remote working style to a more say traditional or in person organization, first and foremost, centralization is key for the success of a sync work.

Everyone at get lab uses GLAB which enables us to centralize information for easy dissemination and rapidly develop and deploy new features and functionality for the product. If we're using it, you can bet we're vested in improving it. Dog hooting is a big part of who we are.

Our CTO constantly reminds us it's called dog fooding because it's not supposed to be pretty. At least not at first. Next, we embrace informal communication but never at the expense of centralization. That means services like Slack and Zoom are simply communication tools with short retention periods that ensures that we don't rely on them as a system of record. There should never be approvals happening in Slack. There should never be formal feedback or decisions happening in Slack.

Lastly, obviously being an all remote organization, we spend a lot of time on Zoom meeting. Fatigue can happen. Perhaps the most unique thing about git lab is that we don't do presentations. The only time I personally do presentations is when I present at conferences like this, I've never been in a git lab meeting where I've watched someone walk through a powerpoint presentation. Instead, every meeting has an agenda for questions and objectives with linked documentation.

The expectation is that every attendee reviews collateral prior to the call at their own convenience. This enables us to use the meeting to answer questions and make decisions rapidly, therefore, avoiding extended meeting times or follow up meetings. In order to get to the end result.

We also do things like no meeting Fridays walk and learn sessions hosted by our L and D team and arguably the most popular friends and family days, which is when our entire company just takes a random day off to focus on ourselves. So how does this unique culture and foundation set impact the GRC function in terms of where we are at in our GRC journey. Our security organization as a whole has grown rapidly since 2015. The initial security compliance team was introduced in 2018, which is also when we deployed our first common control framework based on the Adobe open source common control framework. Upon initial deployment, the team heavily operated in an advisory capacity in 2020. We further matured the sub organ organization by merging security compliance and field security, which is our customer facing team under the same wing. Building out formal governance and risk management functions on boarding a third party GRC application, upgrading our common control framework to provide more coverage and ultimately obtaining our first so two type two report, which is something we were very proud of. As you can see, we still operate in an advisory capacity, but we've added layers of policy definition, risk management and compliance oversight to have data to support our advisement.

I think one of our biggest lessons learned over the last year of incredibly rapid growth is to make sure that you design a minimum of a two year road, two year road map to build against that road map should clearly align to organizational objectives, support cultural values and have clear metrics to evidence achievement of those objectives.

And it should be what you start building for day one. Once you release it, it should also clearly relate back to daily activities. So teams know what massive programs rely on their daily work. It helps build the tie and relationship doing. This should reduce the amount of large changes, making an unplanned changes more digestible for everyone to follow. Understand and accept. Today, we are heavily focused on security control, maturation across the organization through continuous auditing, continuous control monitoring.

With the ultimate goal of expanding our certification portfolio and providing our customers with assurance on our internal security practices. Perhaps the most unique thing about git lab in GLAB security specifically is that we embrace transparency. Historically, transparency and security did not go hand in hand.

Security through obscurity was a very popular approach for a very long time. But we believe in the power of community and our leadership has tasked us with being one of the most transparent security organizations in the world. We're still working towards that. One of the ways that we do this is by publishing all of our policies and procedures on our handbook page. So that way our customers and our users have the same level of visibility into what we do and how we operate security processes as our internal team members. So if you're listening to this and thinking about how you can deploy some of these practices in your own organizations or within your own teams or just for yourself personally, here's some key takeaways, structure company values to support a remote work environment. If you have remote workers, if you have more than one location, then structure your team's values around remote work styles. You don't have to be a 100% remote organization to take advantage of the benefits that come along with remote work. Next, document everything and adopt a handbook first approach for company communication. This will help give context upfront guidance and reduce questions. This means before you deploy a new process, you document it but not just the process itself, you also document the work instructions for the people that are gonna be executing the process.

And you also document the feedback mechanisms where people can provide feedback once that process is released and lastly make meetings optional, require every meeting to have an agenda, take diligent notes and record meetings for absent attendees. Make sure your meetings always have a purpose and make sure you yourself really need to be there along with all of the other attendees, employees will feel more comfortable skipping a meeting. If they are confident there will be notes they can absorb. After the fact, it removes the fear of missing out and makes team members feel more comfortable with not attending every single call, which gives them time back to focus on core deliverables in order to meet your company's intended objectives with that. That's all that I have for you today. If there's any questions, feel free to put them in the chat or the Q and A otherwise, thank you everybody for joining. I've included my contact information. If there's any of these concepts, anyone would like to discuss in more detail, one on one, feel free to reach out at any time. Um Otherwise, if you don't have any questions, I hope you all enjoy the rest of this wonderful conference.