Prioritizing trust and transparency: Q&A with Karen Server, Delinea’s Vice President, GRC & Regulatory Compliance
Robert Sawyer
In the latest interview with Delinea’s leadership team, we sat down with Karen Server to understand her perspective on data privacy and the latest ways Delinea is streamlining security communications with customers. Read on to see how Delinea’s new Trust Center makes it easier to self-serve security and privacy information.
Q: Tell me about your team. What are you and your team responsible for?
The GRC (Governance, Risk and Compliance) team has a wealth of experience in data protection, cybersecurity and highly regulated industries, including government, payments, and financial services. This team understands the security and regulatory challenges our customers face.
As a cybersecurity SaaS provider, we also understand that we are an extension of our customers’ security and compliance environments, so it’s not just Delinea’s risk appetite we have to account for, it’s theirs. This means our customers need to trust how we protect and secure their data.
One of our main GRC functions is to build policies and implement controls that align with regulatory compliance requirements and security frameworks. This requires close internal collaboration between product security, IT, information security, security compliance, and my team. We work daily cross-functionally to build and maintain the processes that enable us to map the security controls, collect evidence of the controls, monitor, and conduct assessments—both internal and independent.
We also collaborate with product and R&D teams to understand how the security controls are applied and how customers use our products so we know where personal data exists and how it is processed and secured. GRC is a significant and long-term commitment for the company.
Q: What do customers want to know?
Data protection and security are paramount for our customers and the data they entrust to us. They want to know: Who processes my data? How is it stored? How is it secured? How long is it retained? We need to ensure security and privacy controls are documented and can be communicated in a clear and transparent way. We are always looking for ways to improve how we communicate this information to customers, including through our new Trust Center (more on that below).
Q: What innovations are impacting the GRC function?
Where possible, we're deploying automation for greater accuracy and efficiency. We’re implementing more intelligent scanning that helps us identify and monitor different data elements at the source data level. This enables us to know where personal data is stored, where it goes, and who receives it. We now map the data elements and dataflows continuously and in real time. We aren’t relying on a snapshot that can become outdated. This is real automated intelligence.
We’re also implementing tools that will help better automate the GRC functions. On the compliance side, we can collect evidence once and apply it to many different certifications, controls, and regulatory requirements. This helps keep the different cross-functional teams informed and working efficiently. Doing things in a repeatable, automated way—that's a primary goal.
Q: How are you communicating security and privacy information via the new Delinea Trust Center?
The Trust Center is also a collaborative effort. We launched it in March of this year and received great feedback from customers and internal teams. It’s a resource that helps us build trust with our customers and makes important security information more accessible and transparent. Instead of requesting information and waiting, customers can now self-serve information about Delinea’s data privacy and security practices on their schedule.
The Trust Center includes a public-facing section with information on Delinea’s security controls and a confidential section with more sensitive information behind a click-through NDA. The secure section lets us protect confidential information important to our customers and includes materials like our SOC 2 report and Code of Conduct. This balances the need for transparency while maintaining the confidentiality of more sensitive information.
Q: How has the Trust Center improved communication with customers?
In addition to having access to privacy and security information on their own schedule, customers can subscribe and receive notifications when we update the content. Through the Trust Center, we can also more effectively communicate security updates or vulnerability notices so customers can understand how we’re addressing them. This allows us to communicate quickly on key updates that are important to our customers or that can generate a lot of questions and concerns for customers.
They want to understand the possible impact so they can take appropriate action and keep their teams informed. Through the Trust Center, we can address the questions proactively and provide updated information on status, impact, and actions.