#20: Greater compliance equals greater trust with Jordan Sher, Drata

T-Mobile Representative

Breaking News T Mobile Network outperforms expectations in all sectors because T Mobile helps keep you connected from big cities to your hometown on America's largest 5G network. Switch now keep your phone and T Mobile will pay it off at the $800 per line via prepaid card. Visit your local T Mobile location or learn more@t mobile.com KeepAndSwitch up to four lines via virtual prepaid card. Last 15 days qualifying unlock device credit service port in 90 plus days device and eligible carrier and timely redemption required card is no cash access and expires in six months.

Navy Recruiter

You're pretty smart when people talk about you. Too smart comes up a lot. So why are you trying to prove them wrong? Why aren't you pushing the limits of science and powering the nuclear engines of the world's most powerful navy? If you were born for it, isn't it time to make a smart choice? You can be smart or you can be nuke smart. Become a nuclear engineer@navy.com nukesmart America's Navy forged by the Sea the Agile Brand.

Greg Kilstrom

Welcome to the B2B Agility Podcast where we look at the factors that drive success in B2B marketing with a focus on the people, processes, data and platforms that make B2B brands stand out and thrive in a competitive marketplace. I'm your host Greg Kilstrom, advising Fortune 1000 brands on martech, marketing, operations and CX, bestselling author and speaker. Before we get started, I wanted to let you know that my latest book, Priority is seven Principles for Better Strategies, Decisions and Outcomes is now available. In it, I give ideas and insights for leaders and teams that need to make meaningful progress on their priorities. After all, our priorities are what we do, not what we say we'd like to do. You can find Priority as Action on Amazon or learn more on my website greggkilstrom.com now let's get on to the show.

Jordan Scher

Data compliance and privacy are more than just legal requirements. They're critical components of customer trust and brand reputation, especially for B2B marketers. To navigate this and understand how compliance, technology and customer experience connect, we're joined by Jordan, Chair Vice President of Brand and Communications at Drata. Jordan, welcome to the show.

Thanks for having me on Greg. Very excited to talk about this.

Yeah, looking forward to it. So why don't we get started with you giving a little background on your experience and branded communications and a little bit about drata as well.

For sure. So I come to Drata with about 20 years experience in brand and communications and about 15 years experience in the startup world, working with a variety of different startups, primarily on the infrastructure and data side of the equation. At Drata, I run the overall brand management team and that would include content, design, social, but also the corporate communications, you know, so we evangelize with Drata name into the market with press. We stand for compliance, we talk a lot about privacy, and we are really brand advocates for building trust both in the startup marketplace and in the enterprise marketplace at large. You know, we really want to equate the Drata brand with the notion of trust and integrity and everything that that means to these companies who are challenged by audits all the time.

Yeah, yeah. So, yeah, we're going to talk about a few things here today, but I want to start with this concept of privacy by design. And I, I just, I love this, just off, off the bat here, just this concept and, you know, it's, it's something. And I'll, you know, I want you to explain it a little bit more, but, you know, essentially brands integrating privacy into their products and services from the ground up. So with that, could you explain a little bit, you know, what exactly does that mean, you know, when we say privacy by design? You know, how does and how does adopting this philosophy help brands in compliance efforts and as importantly, sometimes, you know, communicating their commitment to this compliance and handling customer data responsibly?

Yeah. You know, it's funny, if you would have asked me this 10 years ago, I would not have been able to foresee the brand value of privacy in the technology marketplace. Right. Like privacy has just accelerated exponentially in terms of its overall brand value, which is surprising. And it's really created this intersection between the definition of privacy by design, which I'm glad you really brought up, and the notion of both brand safety and brand advocacy as well. So let me start by talking a little bit about privacy by design. Privacy by design, or in some cases, it's also conflated a little bit with zero. Trust is this notion that when you engineer anything, if you engineer a software product, if you engineer a social media platform, if you engineer anything from the ground up, you can build with privacy in mind, trust and safety and integrity. And some of the most successful brands really start with a privacy by design approach. And so that means being proactive about identifying places where data integrity must be maintained, being incredibly transparent about the principles that guide your product decisions, or being incredibly transparent about data protection or data value or things that you're doing with customer data. Or it's as simple as, you know, adhering to GDPR regulations, and we can get into that as well, where you're giving your customer the opportunity to have more control over how their data is used. And if you start at the very beginning of the product development life cycle or the software development life cycle with privacy in mind, then you are executing on the principles of privacy by design. And so then we get to this question of, you know, ultimately how that impacts brand advocacy. And I would say that the most successful brands that have their customer in mind and really consider customer experience and make that a part of their brand should amplify the story of how they engineer with privacy by design. So it's always very interesting to me how product management and product development can intersect with brand and brand experience. And user experience in the product is one way, and engineering for privacy now is another way. And it's just become very popular over time.

Yeah, yeah, definitely. I know it's definitely been a change. And certainly I think there's efforts like GDPR and some other things in the States and other countries have certainly brought visibility as well as some guidelines to those as well. But, yeah, definitely that change in privacy as a brand value and sort of a brand asset is definitely different. And, you know, along those lines, DRATA works with a number of brands in this space. I wonder if you could explain a little bit, you know, how exactly do you support brands and implementing what you just described as privacy by design, and how does that actually work in practice?

Yeah, so I can talk a little bit about it from the DRATA perspective. I mean, as you can imagine, there are a lot of different ways to implement privacy by design. And following the core principles, following some of these very specific compliance frameworks, like ISO actually has controls, and you will ultimately need to provide evidence of these controls that you're adhering to privacy by design principles. For certain compliance frameworks, that's one way. But the other way that DRATA really focuses on is by evangelizing, helping companies to evangelize how they adhere to some of the most important auditable evidence that they are operating in a way that is compliant with some of the most popular frameworks and regulations that exist in the world. We call this presenting a trust center. And so a lot of our customers, they will make sure that they maintain some of these core principles of these different frameworks. And I can give you some tangible examples here in a moment. And then they want to promote that. And so with drata, you can put on your website that you have a trust center, and you can check, anyone can navigate to A website you or I can navigate to a website that has the Trust center badge or the Trust center URL. And you can actually see in real time how compliant are these companies within some of these privacy frameworks or customer data frameworks or any of these compliance frameworks that really matter in the regulatory environment. And they can see in real time that, you know, these, these companies are very trustworthy. So one of the core examples that we have is SOC2. SOC2 is a very popular compliance framework that most SaaS companies need to adhere to. And when you are SOC2 compliant, you are collecting evidence about your employees that they are, you know, taking the necessary trainings and adhering to certain security practices. And you need to collect evidence from a lot of your different security postures and security policies. And you present that to an auditor and an auditor checks a bunch of boxes at given intervals and says, yeah, you passed the audit and you have your SOC2 attestation. And when you have that SOC2 attestation, it's in your best interest to promote it and you promote it via a draw Dog Trust Center. And in that way, that's just one example. We have over 20 compliance frameworks. In that way, we really seek to become the currency of trust between our customers and their customers so their customers can see, all right, privacy has been engineered to my experience of this software product and I can really trust these brands. So, you know, it's funny in, in some ways it's a very technical, you know, requirement that these companies need to adhere to, but in other ways, it's a branding exercise. Right? Like I am now branding myself as trustworthy. I am now branding myself as a company that is on the side of my customers. And I feel like there's a lot of emotional value in that, particularly in a world where we don't know what's happening with our data and we don't know whether we're having private interactions online or not.

Yeah, yeah, absolutely. I think it's important on all of those fronts and that's great to understand a little bit better about how you work as well.

T-Mobile Representative

Breaking news. T Mobile Network outperforms expectations in all sectors because T Mobile helps keep you connected from big cities to your hometown on America's largest 5G network. Switch now keep your phone and T Mobile will pay it off up to $800 per line via prepaid card. Visit your local T Mobile location or learn more@t mobile.com KeepAndSwitch up to four lines via virtual prepaid card. Allow 15 days qualifying unlocked device credit service port in 90 plus days. Device and eligible carrier and timely redemption required card has no cash access and expires in six.

Navy Recruiter

You are no dummy, but you're kind of acting like one. You used to crush it in school, outsmarting opponents on the field and now, well, you're still smart, but not exactly challenging yourself. You could be advancing nuclear engineering in the world's most powerful Navy. You were born for it. So make the smart choice. You can be smart or you can be nuke smart. Become a nuclear engineer@navy.com nukesmart America's Navy forged by the sea.

Jordan Scher

So I want to move on to another topic and you know, we certainly talk about AI a lot on the show and you know, we've talked about it in a number of different ways, but you know, we're talking about privacy and compliance and so wanted to look at how AI can help here, you know, with compliance and automation of compliance and other things like that. So if you could, you know, give us a little detail on, you know, what, what is the role of, of AI and compliance and automation for, for brands and you know, what are some of the things that you're seeing whether, you know, emerging trends or other things that, that companies should be mindful of in this area?

Yeah, obviously, you know, everybody has to have a perspective on AI today. And I, I will say.

From what.

I'm, from what I've seen in the world, there are really two ways of developing with AI and having compliance in mind. There is a fast way that gives you a competitive advantage of speed in the market and you can get to the market first and you can capture on the buzzy quality of AI. Or in our mind at Drata, there's the right way. And the right way really proactively builds in an ethical perspective on building with AI. And to me, there's a stark intersection between building with AI and privacy by design. So the way that we think about it here at Drata is that there are a few different swim lanes in developing with AI that we need to pay attention to first. Number one, there's the data, you know, the data that we ingest to build a large language model. And you know, there are many different ways to ingest data. We do it in a very particular way that segments our customer data. And so our customers know when we are providing an AI feature with their data that their data is protected and their data is built on their own personal tenant, for example. So they're not, we're not mixing anybody's data with anybody else. Number one, I think that's very important. So you know that you, you not only have a good understanding about what the AI can do, but the data that the AI can build from. Number two, you know, the architect architecture of building an AI feature using a very controlled data set is really important. And so we architect with the most ethical uses of AI in mind. And so when we present a feature, if we were to present a feature in the future, it's just critical that our AI feature set is architected with the principles of privacy by design in mind. Number two. And then number three, the way that we deploy AI also has to be incredibly ethical and incredibly controlled. And so we're not here to apply AI techniques or AI engineering or AI development to any feature that we have within the Drata platform, but rather we're picking and choosing the right features to think about the use of AI so our customers can, number one, understand what they're getting out of it and have a level of dominance and control over the end product, but also, you know, kind of understand that AI is not here to willy nilly solve all compliance problems, but rather just a core fundamental set of problems that again, are the right level of problems that AI can solve at this time. And I think that that is, that's in stark contrast to some of these other AI wrappers that you see out in the world. Maybe they're using publicly available data, maybe they're not putting data on an individual tenant, maybe they're pulling just general large language models and applying them. It's just a different approach for us. And I think that our customers demand that level of scrutiny. And also we just feel like it's the right thing to do. If we want to stand for trust and integrity, we have to execute on all fronts with that in mind.

Yeah, yeah, well, and of course, you know, anyone paying attention to this space, it's, let's call it, there's, there's a lot of change, a lot of things that get added. I mean, you know, as you mentioned and you know, going, going to your site and everything, you know, you work with a lot of existing framework, you know, the, you know, CCPA in California, HIPAA for Healthcare, like all a, a lot of those different existing frameworks, but as we know, not only in the data privacy space, which is pretty fast moving, you know, even here in the States, there's a lot going on, there's especially a lot of conversations going on with AI, there's going to be more regulation soon in that. So, you know, how do you recommend that brands, you know, try to stay one step ahead of these. Obviously until something is regulated. Like I remember, you know, back in the day with gdpr, it's like we were all just trying to figure out how to interpret what that meant and stuff when the draft came out or whatever. But it's like, you know, as, as these things are, are coming out and, and shifting and, and everything like that. How does a brand try to stay one step ahead?

Yeah, it's a, it's a tremendous question and I will offer a couple things that I consider when thinking about brand evangelism and, and privacy. Number one, it's only going to get more critical. So when we think about brands and customer experience, the conversation about privacy, about data quality, about data integrity is only going to get more impactful and more important. Especially as we try to reconcile how AI is going to be used in the future and we try to reconcile how people are showing up online. There are these conversations that exist in the world now more than ever about the use of data, about kids and online and online experiences. And I think that that is only going to. Conversations like that, as a one segmented example is going to, are only going to, going to accelerate. I think the velocity of regulatory pressure is going to increase the need for companies to evangelize that they are operating within the confines of the regulatory environment. So when you think about your brand and you think about customer experience, privacy and data integrity need to be factored in, number one. Number two, when you build any sort of online interaction, I think the more that you can be transparent about how you're using that data and where that data goes and how you're storing it helps your brand. So transparency about data in the future is going to be key. If you can write about it, if you can produce white papers about it, if you can redact some of that data and show some insights that you're pulling about customer interactions, I think that is going to also be very impactful. Number three, if you can align yourself with technology and other brands that emphasize your value set, particularly when it comes to privacy and trust and integrity, I think that will be very important as well. So for example, you know, if Drata is a brand that's known for trust in the marketplace and you can present a trust center on your site that just helps in communicating the customer experience and how much emphasis and investment you put on privacy. If you look at some of these brands now that are like dealing with trust and safety violations, I think about the big ones, I think about X, I think About Facebook, I think about these social media networks, they are not putting enough of an emphasis in the right ways about trust and safety and it has long term brand value impact. So there is a story there. And I think every company that is working with data today needs to tell it and they need to remember their why. And if it is a customer experience focused business, then privacy has to be part of that customer experience.

Yeah. And building on that, totally agree with that. And it reminds me of, in the sustainability or environmental world, they call it greenwashing when it's sort of like there's a facade of, hey, a social network throws up a privacy page, but obviously there's not enough behind it. We'll just put it that way. But when an organization does have a commitment to this, to data compliance and these things that we're talking about, how do you recommend that they think about? You know, you've got to balance the, obviously you want to say we're the most secure and, and you, you know, we treat everything, you know, as, as great as possible, but you've got to balance that with realism. And consumers are, they're way more educated about this stuff, you know, and, and B2B audiences are, you know, probably a little more educated than B2C in general. And so how do you do this in a way to find that right balance of yes, this is something we value, but it doesn't feel like that equivalent of the greenwashing.

Yeah. Okay. This is a fantastic question. There is a difference between saying, here's what we are doing with your data in a privacy policy versus really putting yourself in the position of a user and asking yourself, what does the user want out of an experience of my product that will make me feel like my data is protected? And so I think in the product roadmap in the product development life cycle, that is an important question that you need to ask when you're identifying features. So if you zoom out, the best example of this is, okay, we are building a social network. And I understand that as a user I may have concerns that my kids are logging onto the social media network and they can get an account and they can start, you know, in 30 seconds they can start posting on the social network. And I care about their privacy. And so I am going to engineer features that put up guardrails that, that allow the users ultimately to be able to control who gets online at what age, what is the culpability, those kinds of controls. And so really there is a difference between a brand saying that we care about privacy and we have a 10 page long privacy policy and we have a trust center and we have the whole thing versus these are the features that we are engineering into the product that keep your data safe. These are the proof points that you know your data is going to be safe. When you log on, your data is in it. It exists in its own tenant. And here's the proof of that. You know, you're going to get the login credentials to use your own data. You're going to be able to control, you know, at all times where the data goes, who is using it, what happens to it. You're going to be able to control who gets an account. User Access Reviews, a great feature that allows you to have some control about who can log into your platform and what they can do. And if we can take that as an example of a feature that can be evangelized across all of these different software platforms and really put tight controls over User Access reviews. And all of a sudden I, as a user kind of understand, yeah, this company cares. It's not about growth as much as it is about my experience and privacy.

Yeah, yeah, I love that. Yeah, it's showing, not telling. Right.

I do think I will say one more thing. I think that there is a tension that exists in the tech world and the regulatory environment right now. The regulatory environment is there to put up guardrails or roadblocks or speed bumps in accelerated development life cycles. And I would say that if you truly want to be a brand that stands for privacy and trust that the more you embrace the regulatory environment, the more you proactively engineer privacy by design and the more you accept that these are the frameworks that we need to abide by. And so we're going to get ahead of it and we're going to, we are going to provide evidence and attestations of these compliance frameworks. Even though maybe we're not required at this time, but we think it's the right thing to do, I think that would go a long way in providing evidence of a brand's emphasis on privacy.

Yeah, I love it. Well, Jordan, thanks so much for joining the show. Before we wrap up, just one last question and maybe even just kind of a recap question here. But what do you see in the future? Obviously, as we talked about, there's a lot going on right now, but there's also a lot in development and kind of coming down the road. So what future developments do you see in this realm of data compliance, privacy and you know, how should B2B marketers prepare to adapt to these changes. So they're, you know, they not only ensure compliance but also ensure ongoing consumer trust.

Yeah, I would definitely. When we are out there building brand stories and we think about the customer, we engineer our brand stories long term to talk more about trust and integrity and trust and safety. So in any brand building exercise, that's gotta be part of the experience. And then in the future, I do see that compliance is going to be pulled earlier into the conversation at any software company. And so at its core, when we are talking about core principles and values, which is, you know, a critical part of the brand, that is also a place to start evangelizing our perspective on compliance and data and trust. So just bring it out and bring it out into the sunlight and tell that story as soon as you can.

That's great. Love it. Well, again, I'd like to thank Jordan Scher, Vice President, Brand and Communications at Drata for joining us. For more information on Jordan and drata's work, follow the links in the show Notes.

Greg Kilstrom

Thanks again for listening to the B2B Agility podcast. If you enjoyed the show, please please take a minute to subscribe and leave us a rating so that others can find the show more easily. You can access more episodes of the show at www.b2bagility.com. That's B2B agility.com while you're there, check out my series of best selling agile brand guides covering a wide variety of marketing technology topics. Or you can search for Greg Kilstrom on Amazon. Until next time, stay focused and stay agile.

Jordan Scher

The Agile Brand.

T-Mobile Representative

Breaking News T Mobile Network outperforms expectations in all sectors because T Mobile helps keep you connected from big cities to your hometown on America's largest 5G network. Switch now. Keep your phone and T Mobile will pay it off up to $800 per line via prepaid card. Visit your local T Mobile location or learn more@t mobile.com KeepAndSwitch up to four lines via virtual prepaid card. Allow 15 days qualifying unlock device credit service report in 90 plus days device ineligible carrier and timely redemption required. Card has no cash access and expires in six months.

Libsyn Ads Representative

Marketing is hard, but I'll tell you a little secret. It doesn't have to be. Let me point something out. You're listening to a podcast right now and it's great. You love the host. You seek it out and download it. You listen to it while driving, working out, cooking, even going to the bathroom. Podcasts are a pretty close companion. And this is a podcast ad. Did I get your attention. You can reach great listeners like yourself with podcast advertising from Libsyn Ads. Choose from hundreds of top podcasts offering host endorsements or run a pre produced ad like this one across thousands of shows. To reach your target audience in their favorite podcasts with Libsyn ads, go to Libsynads.com that's L I B S Y N ads.com today.