Julia Lake - How an all remote software company approaches GRC

Automatic Summary

Demystifying GitLab's Unique Remote Work Culture

Welcome! Regardless of where you come from professionally, you'll find today's discussion about GitLab's unique remote work culture insightful. I am Julia Lake, Director of Security Assurance at GitLab, and I'll walk you through our remote work best practices and how you can incorporate our techniques into your own work routine. So, let's get started!

About GitLab's Remote Work Culture

GitLab stands out as the world's largest permanently all-remote company, with over 1,300 team members in 67 different countries. Unlike other organizations, everyone at GitLab, including our CEO, works from home. We are strongly committed to remote work and have, over the past decade, been refining our remote practices and culture.

Our remote work culture adheres to six core values: collaboration, results, efficiency, diversity, iteration, and transparency (CREDIT). Throughout this discussion, we'll revisit these values to demonstrate their influence on our work style.

GitLab's Foundations for Successful Remote Work

GitLab's remote work success largely stems from certain foundational elements. These include:

  • Effective informal communication
  • Comprehensive documentation
  • Well-organized meetings
  • Alignment of values with expectations
  • Use of GitLab as a knowledge base
  • Respect for each other's time
  • Always assuming positive intent

Furthermore, everyone in the company, from interns to the CEO, embraces and evangelizes these principles.

Major Epiphanies in GitLab's Remote Working Style

At GitLab, we use our own platform, GitLab, as a centralized place for information dissemination and rapid feature development. This approach, known as 'dogfooding', has been key to our success with asynchronous work.

We encourage informal communication, but never at the expense of centralization. Platforms like Slack and Zoom serve as communication tools with short retention periods, ensuring they're not used as records systems for formal decision-making.

Perhaps most unusually, we do not do presentations. Instead, we set meeting agendas with linked documentation for attendees to review in advance. This approach saves time and makes meetings more productive.

Impact of GitLab's Culture on the GRC Function

Our unique work culture has heavily impacted our governance, risk, and compliance (GRC) function. Since the introduction of our initial security compliance team in 2018, we've matured significantly, adding layers of policy definition, risk management, and compliance oversight. Today, we're focused on security control maturation through continuous auditing and control monitoring, with an aim to expand our certification portfolio.

Key Takeaways from GitLab's Remote Work Culture

Are you considering introducing remote work practices into your organization? Here are some key takeaways:

  • Adapt your company values to support a remote work environment.
  • Document everything and adopt a handbook-first approach for company communication.
  • Make meetings optional but ensure they have an agenda, diligent note-taking, and recordings for absent attendees.

By integrating these practices, you'll not only enhance productivity but also create a more flexible, responsive work environment.

Reach out to me anytime for a detailed discussion on these concepts. Let's embrace the future of work through successful remote practices. Enjoy the rest of the conference!


Video Transcription

Welcome and thanks for joining. I know we have professionals at this conference from all different areas of expertise. So for today's talk, I will try to focus mainly on the unique ways in which GitLab does remote work and how you can apply some of our best practices in your own daily work experiences. Feel free to add any questions you may have into the Q&A and we'll try to go through questions at the end. So first, introductions: my name is Julia Lake. I'm the Director of Security Assurance at GitLab, which is part of the broader security department. I've been with the company for just over a year and I'm based in the US in beautiful Missoula, Montana. I started my professional career in retail banking, getting audited before becoming the auditor. And I've been working in the governance, risk and compliance, or GRC, space, focusing on the information security, quality and privacy domains, for the last 10 years. A little bit of background on GitLab to give some context if you haven't heard of the company: founded in 2011, GitLab is the world's largest permanently all-remote company, and it has been all remote since its inception, which is what makes GitLab a little bit unique.

Some may say we were a bit ahead, and when I say all remote, I really mean it: even our CEO works from home. We have no physical locations whatsoever. We have over 1,300 team members in 67 different countries, and our leadership has been honing our remote practices and culture for over 10 years. We are so dedicated to remote work, we even have a Head of Remote, who has been quite popular over the past year. I myself have been a remote worker since 2016, previously working in a hybrid remote company, and prior to that I was traditional in-office, so I have personally experienced all working styles. GitLab, the product, is a complete open-source DevSecOps platform delivered as a single application, with both self-managed and SaaS deployment options, and our SaaS solution is hosted in GCP, which is another reason why we have no physical locations. The foundation of GitLab's remote culture is based on our core values of collaboration, results, efficiency, diversity, iteration and transparency, or CREDIT for short. These values are hierarchical, with results at the top. They are ingrained in our executive team and influence everyday operations.

We even have very popular Slack emojis, which you can also see on the screen, that represent each value, and anyone can nominate team members who embody the company values in their daily work for a discretionary bonus program. So throughout this presentation, I'll refer back to these values often.

So you can see how they influence our work, and we really do live by them on a daily basis. So now let's talk in more detail about how GitLab actually does remote work successfully and what makes us unique. Our foundations for remote work are: informal communication, document everything, organize your meetings, align your values (which I just mentioned) with your expectations, use GitLab as a knowledge base, respect each other's time, and, my personal favorite, assume positive intent.

First and foremost, everybody at our company has to agree to the rules of engagement. That means that everyone, from the CEO to the interns, is expected to embrace and follow the foundations of remote work. But not only that: everyone is also expected to evangelize those foundations.

It's not uncommon at GitLab to hear an executive get called out by an engineer for operating in a Google Doc instead of a GitLab issue, or for deploying a change without documenting it in our handbook. This behavior is encouraged, as it helps the entire company stay true to our remote vision. The only way that this can be done successfully is by always assuming positive intent in both written and verbal scenarios. You'll notice also how our foundations tightly align with the CREDIT values I mentioned earlier: organized meetings support efficiency, documenting everything supports transparency, and so on. Here are some of the biggest epiphanies we've collected, and I've experienced, from different team members when comparing GitLab's remote working style to a more traditional or in-person organization. First and foremost, centralization is key for the success of async work.

Everyone at GitLab uses GitLab, which enables us to centralize information for easy dissemination and rapidly develop and deploy new features and functionality for the product. If we're using it, you can bet we're vested in improving it. Dogfooding is a big part of who we are.

Our CTO constantly reminds us it's called dogfooding because it's not supposed to be pretty, at least not at first. Next, we embrace informal communication, but never at the expense of centralization. That means services like Slack and Zoom are simply communication tools with short retention periods, which ensures that we don't rely on them as a system of record. There should never be approvals happening in Slack. There should never be formal feedback or decisions happening in Slack.

Lastly, obviously, being an all-remote organization, we spend a lot of time on Zoom. Meeting fatigue can happen. Perhaps the most unique thing about GitLab is that we don't do presentations. The only time I personally do presentations is when I present at conferences like this. I've never been in a GitLab meeting where I've watched someone walk through a PowerPoint presentation. Instead, every meeting has an agenda for questions and objectives, with linked documentation.

The expectation is that every attendee reviews the collateral prior to the call, at their own convenience. This enables us to use the meeting to answer questions and make decisions rapidly, therefore avoiding extended meeting times or follow-up meetings in order to get to the end result.

We also do things like no-meeting Fridays, walk-and-learn sessions hosted by our L&D team, and, arguably the most popular, Friends and Family Days, which is when our entire company just takes a random day off to focus on ourselves.

So how does this unique culture and foundation set impact the GRC function, in terms of where we are at in our GRC journey? Our security organization as a whole has grown rapidly since 2015. The initial security compliance team was introduced in 2018, which is also when we deployed our first common control framework, based on the Adobe open-source common control framework. Upon initial deployment, the team heavily operated in an advisory capacity. In 2020, we further matured the sub-organization by merging security compliance and field security, which is our customer-facing team, under the same wing; building out formal governance and risk management functions; onboarding a third-party GRC application; upgrading our common control framework to provide more coverage; and ultimately obtaining our first SOC 2 Type 2 report, which is something we were very proud of. As you can see, we still operate in an advisory capacity, but we've added layers of policy definition, risk management and compliance oversight to have data to support our advisement.

I think one of our biggest lessons learned over the last year of incredibly rapid growth is to make sure that you design a minimum of a two-year road map to build against. That road map should clearly align to organizational objectives, support cultural values, and have clear metrics to evidence achievement of those objectives.

And it should be what you start building for from day one. Once you release it, it should also clearly relate back to daily activities, so teams know what massive programs rely on their daily work. It helps build the tie and relationship. Doing this should reduce the amount of large changes, making unplanned changes more digestible for everyone to follow, understand and accept. Today, we are heavily focused on security control maturation across the organization through continuous auditing and continuous control monitoring.

With the ultimate goal of expanding our certification portfolio and providing our customers with assurance on our internal security practices. Perhaps the most unique thing about GitLab, and GitLab security specifically, is that we embrace transparency. Historically, transparency and security did not go hand in hand.

Security through obscurity was a very popular approach for a very long time. But we believe in the power of community, and our leadership has tasked us with being one of the most transparent security organizations in the world. We're still working towards that. One of the ways that we do this is by publishing all of our policies and procedures on our handbook page, so that our customers and our users have the same level of visibility into what we do and how we operate security processes as our internal team members.

So if you're listening to this and thinking about how you can deploy some of these practices in your own organizations, or within your own teams, or just for yourself personally, here are some key takeaways. Structure company values to support a remote work environment. If you have remote workers, if you have more than one location, then structure your team's values around remote work styles. You don't have to be a 100% remote organization to take advantage of the benefits that come along with remote work. Next, document everything and adopt a handbook-first approach for company communication. This will help give context, upfront guidance, and reduce questions. This means before you deploy a new process, you document it, but not just the process itself: you also document the work instructions for the people that are going to be executing the process.

And you also document the feedback mechanisms where people can provide feedback once that process is released. And lastly, make meetings optional, require every meeting to have an agenda, take diligent notes, and record meetings for absent attendees. Make sure your meetings always have a purpose, and make sure you yourself really need to be there, along with all of the other attendees. Employees will feel more comfortable skipping a meeting if they are confident there will be notes they can absorb after the fact. It removes the fear of missing out and makes team members feel more comfortable with not attending every single call, which gives them time back to focus on core deliverables in order to meet your company's intended objectives.

With that, that's all that I have for you today. If there are any questions, feel free to put them in the chat or the Q&A; otherwise, thank you everybody for joining. I've included my contact information. If there are any of these concepts anyone would like to discuss in more detail, one on one, feel free to reach out at any time. Otherwise, if you don't have any questions, I hope you all enjoy the rest of this wonderful conference.