Uncovering Hidden Risks
Ep 14 | 12.13.23

How to Master Risk and Compliance Initiatives

Transcript

Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode. [music] Welcome to another episode of the "Uncovering Hidden Risks" podcast. Organizations today are faced with high volumes of information and increasing compliance requirements. How can we successfully execute policies and meet regulatory requirements without burdening employees? Well, today, we have a guest who will join us for this discussion. Patrick Chavez is the chief privacy officer at Edward Jones. He leads the firm's privacy efforts and develops and implements policies and processes related to preparing for and responding to cyber and privacy incidents. He also oversees the firm's Records and Information Management Program within the Legal Division and provides legal guidance and advice to the firm's business areas on matters related to eDiscovery, privacy, information and data security and protection and information governance. Patrick, welcome to the show.

Patrick Chavez: Thank you, Erica. And thanks for having me. I really am looking forward to this discussion.

Erica Toelle: Mark is the CEO of Contoural, the largest independent provider of strategic information governance consulting services, including records management, privacy, litigation readiness and employee collaboration. Contoural, an independent provider that sells no products, serves as a trusted advisor to more than 30% of the Fortune 500 plus many mid-size and public sector organizations. Welcome, Mark.

Mark Diamond: Thank you, Erica. Delighted to be part of this discussion today.

Erica Toelle: And, with that, let's dive into today's topic. Patrick, you manage risk programs such as privacy and records management, as well as provide legal advice in the data governance eDiscovery and information security spaces. How did Edward Jones end up aligning its legal support for these areas?

Patrick Chavez: Well, it was a little bit by accident and a little bit by deliberate planning and a lot of effort. We wanted to take a holistic effort to what we call information and data protection. That's what my team is here in the Legal Division. So, we already had the RIM programs, the records and information management programs, and the privacy programs. Those were already in place. They spanned the entire organization. So, our thought process was we could leverage that infrastructure that we had within RIM and privacy to influence - hopefully, greatly influence those other functional areas where I don't have direct leadership and where my team doesn't have direct leadership, but where we could, hopefully, influence their thought processes. Now, of course, that still required a lot of collaboration with those leaders. So, a lot of explaining the why, what we were trying to do, how it bettered and achieved the firm's strategic ends. But, once we got that why across, I think that we were able to get everyone on board. Everyone from there pitched in to make it happen.

Mark Diamond: So, Patrick, a question for you. Records management and privacy, eDiscovery information, security, all of these can conflict with each other. How do you manage these conflicts?

Patrick Chavez: The world of records retention says you have to save it for at least this long. And sometimes we see privacy requirements that say, "Oh, no, you can't save it longer than this." And across all these different functions, there's rifle of conflicts.

Mark Diamond: How have you managed these conflicts?

Patrick Chavez: Yeah. And it's not a matter of that they can conflict, they will. It's just we have to take that as axiomatic that they will conflict with each other. And, so, as leaders of the various functional areas, data governance, records and others, we've made a deliberate effort to recognize that first, that they are going to conflict. And we have an understanding that we have to manage through those conflicts and we have to manage through those challenges. We especially see this with data governance. But we don't look at these conflicts as adversarial. That's really the key. So, there's a tone from all of us as individual leaders that we're going to take a collaborative, a partnership approach to managing through these conflicts. And the goal is really to find the best approach and then work towards solutioning towards that approach. So, we collaboratively look at that problem and determine what's going to be the best path forward. Maybe it's a - maybe it is a privacy approach to something or a legal approach to something. Maybe it's a data governance approach. But we really examine what's going to be best for the organization, look at that path forward, try it, maybe we have to iterate because we chose the wrong path. But, really, it's more of a holistic effort, getting everyone on board, and then just finding the best approach and not having a lot of egos about what approach is going to be, quote/unquote, "best" as we look at all these.

Mark Diamond: So, I have a follow-on question of that, which is, "How many of these conflicts are really policy oriented or legal and regulatory requirements?" And, surprise, surprise, sometimes there are legal and regulatory requirements that conflict each other. On the other hand, how much of these conflicts are sort of organizational conflicts where I've got my role and I keep my role and you've just got to get different groups of people working together even though seemingly there's a conflict?

Patrick Chavez: I think many if - most are probably going to be organizational conflicts. Some of them might even be turf battles. Some of them might be just flat-out conflicts in policies. So, I'll take the conflicts in policies. That's really what I was talking about trying to be collaborative, trying to find the best approach, recognizing that there are going to be conflicts. A data retention policy is necessarily - or not necessarily, but is likely going to conflict with a records retention policy. So, we've got to figure out a way to reconcile that. And there's a collaborative way to do that if everyone is on board in trying to solve that collaboratively and not worry about the turf battle. Now, the turf battle could be personalities. Sometimes you need an escalation channel. And maybe it's appealing to whatever the senior leaders are in that area. And at least trying to recognize, at least in my view, that it's not about trying to gain turf or try to, you know, expand an empire or anything like that. It is - and I think we'll talk about this later, it is what are the strategic aims of the organization and even of the particular areas that are involved. If those are all aligned, then, you know, maybe this is Pollyannaish, then we should all be driving towards the same goal and, hopefully, those turf battles really don't arise. But that's the tougher one, when it is personality driven. The policy, I think, as long as everyone is accepting of what needs to happen and accepting of this idea that there are different ways to get to the happy path, then that can be resolved.

Mark Diamond: I sense that you went after the group organizational collaboration first, and then, once you have that, I imagine the policy conflicts are much easier.

Patrick Chavez: Yeah. I would agree with that.

Erica Toelle: Mark, looking across multiple organizations, is this sort of collaborative approach the biggest barrier for organizations to get started on the bigger picture? Or are there other barriers that you see?

Mark Diamond: We actually see a lot of challenges. And, unfortunately, it's a long list. But sometimes, as we talked about, there are clearly policy conflicts, the regulations conflict each other and many times the regulations are not terribly prescriptive. A lot of times it is organizational, as we talked about, that there's one group that says, "Hey, this is my area, I think you should be part of my area," another group goes back and forth. And I think Patrick was very well spoken on how Edward Jones has approached that. I think they're one of the better models of organizations that have figured it out. But it doesn't end there. Part of it goes down to areas such as policies. I'll use an example that Patrick brought up. We see organizations with records retention schedules and we also see organizations with data retention policies. And, in some cases, they have two completely different policies which are effectively on the same thing. Our recommendation is organizations create - and we don't care what you call it, you could either call it a privacy-enabled records retention schedule or a records-enabled data retention policy. Again, don't get caught up in the naming of this. But what we find is that if you can have a single policy that addresses both requirements, which is how long do we have to keep something and how - what's the maximum we should keep personal information, into a single policy, get it resolved at the policy level when you're putting a single policy together versus trying to have dueling policies out there. Dueling policies is just a recipe for noncompliance and conflict and lots of program - problems down the road. Other issues in terms of getting organizations together is, to be honest, many traditional organizations, the records group, for example, has been, "My job is records. All I do is records." That's records. And sometimes the privacy folks are like, "Our job is privacy." Well, no, we all have to play with one another.
And if you don't actually combine all the organizations, and we're seeing a lot of organizations combine both their records and their privacy function very similar to what Edward Jones is doing, at least we have to make a conscious effort to say, "Hey, what can I do with my records program or my eDiscovery program or my privacy program," whatever program I have, and say, "Not only how do I meet the specific requirements that I have in my compliance framework, but how do I make sure that what I'm doing makes it easier for other groups?" And if you can go through this, we find a lot of organizations quickly realize, as Edward Jones did, that oftentimes there are common work streams, "Hey, if you and I work on something together, we can do the same thing that will serve you and serve me." There are many, many work streams in information governance that can be handled or managed or collaborated among multiple groups. But probably the biggest barrier is getting out of the siloed mindset saying, "Hey, we want to work together," and likewise being able to communicate that to senior management to say, "Hey, I think we could have a better structure that would allow us not only to be more compliant, more effective, but actually save time because we won't be duplicating effort and we won't be conflicting each other."

Erica Toelle: Maybe if I could just dig in a little bit more into resolving the conflicts, because this is an area I see so many organizations getting stuck. Is it simply looking at a risk-based approach of seeing what the conflicting regulations are and, you know, what is the least risky approach? Or like what are the actual aspects that go into the decision making, if you're allowed to share, Patrick?

Patrick Chavez: So, I would say it touches a little bit on what the question that Mark asked earlier about what's driving the conflict. Is it just conflict because policies were written at the - at different times or cover supposedly different things? Or is it a true regulatory conflict? The regulatory conflict might actually be the easier one because, you know, if it's two regulations and then they - you know, one says very simply keep things for two years, and the other one says keep things for five years, well, okay, if you keep things for five years, you're going to satisfy both of them. So, conflict resolved there. But that doesn't always come into play. Sometimes you've got data minimization and retain something for x number of years. There's really no way to reconcile those except to say, "Well, I do have a requirement that I've got to keep something for x number of years," recognizing that, "Okay, by data minimization principles, okay, I need to probably get rid of that thing as close as I can to x number of years because then I can then satisfy the second regulation or second obligation." So, there are ways to resolve around that, I think. And that's why I say it's probably the easier of the two. But, if we're looking at policies, that's a little bit more complicated because you've got to look at the reasons why some things are being kept for, say, data retention and records retention. Data retention, your data scientists are wanting - going to want to keep things forever because, just in case, that's going to provide an insight in some future analytic model down the road. And records retention is going to say, "Nope. I mean, you know, if it's not an official record, then you got to get rid of it in, you know, a shorter period of time." Certainly, something shorter than forever. That's where, okay, those are true conflicts and you got to figure out a way to meet, hopefully, somewhere in the middle. 
And maybe it's, "Well, if we de-identify the data, does that allow us to keep it for a longer period of time? Or, you know, is it true identification, is it obfuscation, do we anonymize it, do we - you know, does that change the character of the data such that the data scientists can't use it?" So, you've got to pull on all of those little strings, I think, to try to see what is the appropriate resolution for the conflict. Key is not everyone's going to get what they want. The data scientists are not going to get to keep the data for forever. And the RIM people aren't going to be able to get it - get rid of it, you know, right at the end of that retention obligation. But understanding what the conflict is, I think, helps greatly in trying to resolve what that conflict is.

Erica Toelle: Perfect. Very practical advice. I love it. Thank you. Maybe moving on to let's assume our policy conflicts have been resolved, how much of your past and current efforts were to understand compliance and other requirements? And then how much of it was actually applying technology and addressing it from an organizational perspective?

Patrick Chavez: Yeah, Erica, I'm actually going to take those in reverse order, the organizational perspective, because, at least the way I translate that, it's aligning to, in my case, the Legal Division objectives and also our firm's, our company's strategic objectives. I think that's critical. It provides that North Star, it provides that anchor. And you can anchor to something when you're asking for resources, when you're asking for support. You can show that whatever you're doing is aligned especially with the company or the firm's strategic objectives, then you're going to be able to make it a better case for resources. And resources are always a challenge. And I think we're all resource challenged. So, being able to ask for that support is dependent on how well you're aligning to the organizational perspective or, like I said, where I translate that to the strategic aims of the organization. Now, you asked about the technology. That piece might actually be, in my view, the least important part of the equation, especially if the program is new or is just getting off the ground, because I'm not sure that you really yet know what your true technology needs are. And a lot of times it's not just throwing technology at a problem, that's not necessarily the answer, because lots of times you don't know what the problem is. So, you have to figure out what the problems you're encountering are, what the challenges that you're encountering are, and then figure out what are the possible ways of addressing those challenges. Maybe it's people. Maybe it's processes. Maybe it's technology. I mean, there are technology solutions out there. But it's not just about, "Oh, flashy technology" that some vendor is saying is - you know, is the easy button, because they never are, but really evaluating what problems do you have, what are the possible solutions and maybe they are technology. 
You know, I am all for technology, I'm all for creating efficiencies, but I think looking at technology in a smart way and in a - and a deliberate way is really the best approach to that. And then you asked about the compliance and other requirements. I think getting to know especially the regulatory environment. I'm in a highly regulated industry. You need to know what's there, but you need to also know what's coming. You can't really build for where the puck is, you have to build for where it's headed, is another way of saying that. And, also, I do think that you have to build for more than just "check the box" compliance. And that's not because of any immoral imperative, but that should be part of it, because there will be times there's a lack of money, there's a lack of people or there's a lack of processes, there's a lack of resources, a lack of time, that you actually have to resort or you have to default possibly to "check the box" compliance. And you at least want to be at that baseline when it comes to your regulatory obligations. So, I think it's really important not just to be thinking about what's the minimum viable product for me to get compliant, because you may have to do that not because that's where you want to be, it's because that's the only place you can be for whatever reason. And that's at least at the spot you want to be at. So, I would say always, you know, shoot for more than just the minimum viable compliance in any regard.

Erica Toelle: Well, very wise words. Mark, I'd love to know your thoughts. Oftentimes, individual groups see the need for a more enterprise-wide approach to managing these challenges, but then they struggle to build support with senior management. How have you seen companies successful in building senior-level support?

Mark Diamond: That's a good question. I spent a lot of time on this exact topic. Let me talk about some things that don't work and some things that do work. Some of the things that don't work is if you, for example, take out an industry framework and say, "We should be doing this because I'm holding up this obscure esoteric industry framework." And, likewise, that same idea of, "I'm going to hold up an industry framework to show other people that this is my real estate and not your real estate." I think that's a big mistake that organizations make. That's typically not successful. One of the biggest mistakes is - when you're approaching senior management is to do it alone, is to say, "Hey, I'm just going to go as the records or the data governance or whichever group out there alone," because you're going to be a lot less successful alone. Another mistake that organizations make, and I see this a lot, is they feel like they have to use very technical or legalese language when talking to management. They'll almost repeat the actual verse of the legal and regulatory requirements, despite how obscure it sounds. So, what works? Well, first of all, you want to work with other groups of people. And if you can approach management as a team and to say, "Hey, we see this," you are going to be much more powerful than if you do this as an individual. And the sooner that you can build bridges to other organizations and explain the fact that, "We've got a lot of common interests and if we can work on the same thing, it will benefit both of us, and I'm not trying to steal real estate, I really see this as a cross-functional effective effort," you're going to be a lot better on that. The next thing I really like is be as plain spoken as possible. The more senior presentation - I'm preparing for a presentation tomorrow for the executive C-suite for a fairly large financial services company. 
And we're endeavoring to be as plain spoken as possible, what are we talking about, because we like to talk about information governance or data governance or privacy or, you know, different concepts and we're not effectively communicating, if we're using fancy terms, we're probably being less successful. So, the more plain spoken we can be, the more clearer spoken, that's going to be very important. Probably the most important thing out there is, when you're talking to real-world management, don't talk about what the company can do for your program, talk about what your program can do for the company. And the more - and Patrick was touching on this. The more that you can touch on what are the overall corporate objectives for the year, I mean, if you're going to read the president's letter to the CEO - or the CEO's letter to shareholders, she or he are going to distill some important points. How is your program going to help you be more competitive, more agile in different markets, higher productivity, work from home? All these issues that are impacting companies. And I will make the argument that a well thought out records program, privacy program, data governance program, eDiscovery, all these different programs, can have a very strong impact on the overall corporate objectives. But it is your job, as the practitioner, to do the translation. Don't give obscure "talk to your management" and have them figure out how this is going to help the company. The more that you can provide, "Hey, this is how records management, this is how if we do better a defensible disposition we'll get rid of clutter, make employees more productive." 
And, likewise, the more that you can give real-world examples in your company on how people are struggling today and say, "Hey, we've seen this struggle, we're worried about this privacy risk, we're worried about this," or paint it as a positive, "Yes, a lot of people don't like the privacy requirements," but maybe you turn it around and say, "Hey, instead of worrying about the privacy requirements, maybe we focus on how we can understand them better and be more agile. And if we can do that better than our competitors, we're going to have a market competitive advantage." So, we're not fighting the landscape, we're recognizing that landscape and realizing how we can strategize. All of these are types of messages that resonate to senior management. So, in summary, plain spoken, go as a group, show how what you're doing translates to larger corporate objectives. Doing that, you will oftentimes see some very strong surprising support from senior management.

Erica Toelle: Really good advice, Mark. Thank you so much. Patrick, maybe back to you, as you look across your programs, both in the past and current, and you're thinking of the people listening to this podcast that want to replicate some of that success, what has worked well and then what was more challenging than you expected?

Patrick Chavez: I alluded to it before. Resourcing is always a challenge. I mean, there's never enough budget, never enough people. But I think if you lean into that and recognize that - especially when it comes to resourcing, that if you've done some things to align yourselves to goals, especially at the corporate level, that you can find champions and supporters throughout the organization. I joke "by hook or by crook." You know, when I had virtually no people, that's how we got things done. And it's because people were aligned with what I was trying to do. So, they came out and they supported. And it's a little bit different when you've got a legal or regulatory hook where you can say, "Look, we really do have to do this because it's - there's a legal obligation behind it." But, if you can say - if there isn't a legal obligation behind it, if you can say, "Well, look, our customers expect it, our clients expect it," or that there's going to be some impact - a positive impact on the bottom line, because even though - I mean, I can't tell you that because of the RIM Program we've saved, you know, some exact millions or, you know, hundreds of thousands of dollars. But I can say that because of the RIM Program or the - we'll stick with the RIM Program, because of the RIM Program and our associates, our employees know where to find information and can find it quickly enough, I am saving them time, I am saving the organization's resources. Quite frankly, I rely on people like Mark to be able to help me quantify what that FTE savings might be as a result of appropriate information governance. But those are all within the mix and the types of arguments that I think we want to be able to make. And sometimes it's knowing when to be tactical, when to push on a specific thing and when to look at the more strategic aims, and trying to use those to get at the resourcing that you need. 
So, that's been - I wouldn't say it's a challenge that was more than I expected, but it kind of ebbs and flows. Sometimes that challenge is just - is greater than I would have liked. In my case, though, as far as things that have worked well, the buy-in and the partnership, and I've stressed that throughout everything I've been talking about because I really do think that is key. On the privacy side, I've always stressed have a great relationship with - if you're the chief privacy officer, have a great relationship with your chief information security officer and that security team, because you're two sides of the same coin. On the RIM side, have a great relationship with the data governance organization because, ultimately, there are the same ends in mind. So, there are great partnerships that are just natural, like the privacy with information security and RIM with data governance. And sometimes the partnerships you've got to work at because they aren't as natural as they might be. But, if you come at things at a cooperative way, if you're explaining your why and you're trying to understand the why of the other functional area, then that's going to be key. And especially being solutions oriented. I sit in the Legal Division. I am a lawyer. We pride ourselves in our area of being very solutions-driven, solutions-oriented lawyers. We don't want to be the stop sign or the place where ideas come to die. You know, it's easy to say that the regs are going - the regulations are going to require something. But then it's, "Okay, how can we get to satisfying those requirements?" And, many times - you know, I have an eDiscovery background. Many times, there are lots of different ways to get to that final thing that you need. And the technologists out there are going to know that, "Yeah, there are tons of different ways to get to a particular - to get to a solution," it's just a matter of, "Well, we'll try a couple and see if they work." 
So, that's the way I try to approach working with my business partners is what's the best way to get there where you're comfortable, where you can achieve your ends, while still being - still being regulatory and legally compliant. And sometimes it requires a bit of creativity, but that's okay, nothing wrong with being creative. I really find that most people are not trying to completely flout regulations or the legal requirements or their obligations or even policy obligations. Many times, it comes down to just not understanding what those obligations truly are. Or they think they are complying and that maybe I'm being unreasonable because it's like, "Well, it's not - that's not there, Patrick. I don't - you know, you're - what you're saying isn't in that regulation or what you're saying is not in that policy. So, you're being unreasonable and requiring me to do it." And then it's a discussion, then it's education to - maybe on my part because it's, "Well, maybe I am overreading something," or it's, "Well, yeah, it's not in the regulation, however, our regulators have said x, y and z about this." So, I think there's a lot of give and take that can happen there. And, in that case, education is the key. But, yeah, the good has been the buy-in and cooperation with business partners.

Erica Toelle: Mark, I'm curious. I see a lot of organizations getting stuck in analysis paralysis, where they spend a lot of time working on the program, the policies, building coalitions, but then get stuck to where they're not actually executing to realize some of this ROI that they were planning for the program. What advice do you have for organizations that are stuck in analysis paralysis?

Mark Diamond: First and foremost, don't let perfect be the enemy of good. You have to realize that sometimes we're faced with complicated regulatory requirements, we have lots of conflicts out there. That's just the nature of the field that we're in. And the good news is that, oftentimes, the courts and the regulators are not expecting perfection. What they want are reasonable, good faith efforts. They want to see that I have a plan, I'm trying to do the right thing, I'm doing it consistently and I'm checking up to see whether I did it. And, if not, I'm going back and remediating it. You're right. Too many organizations are looking for the perfect policy, the perfect schedule, the perfect approach. And that's impossible, especially in the world of, for example, privacy, or now we're looking at AI, where it is changing almost on a weekly basis. So, let's focus not so much just on the policy, let's focus on the execution, the automation. I actually do bring up technology much earlier in the process because sometimes organizations say, "Well, this isn't really doable." Well, actually, it is. Actually, there is technology out there, like Microsoft, that would allow you to significantly automate them. But people don't understand how to use the technology, the tools to be able to do it. And showing that, "Hey, we follow a rule called the five-second rule. Somebody should be able to comply with records and privacy and these all within five seconds. And if it takes longer than five seconds, they're not going to do it." Well, you can automate that today. So, we want to show it's doable. 
But - and then, finally, as I mentioned, the - and Patrick, we've got to get the training out there, we've got to get the behavior change management, we've got to get people to accept that not only will this help us as a company and this may - it'd be important for the company to avoid, you know, sanctions from some obscure regulation, it may be not obscure to the rest of us, but, to the employee, that may be obscure regulation. But, also, it just may make you, as an employee or as a department or as a division, more productive and more collaborative. And, so, there's a lot of wins associated with these. We have to go out there and get to the point of execution. And you're going to be much better off executing imperfectly, showing you're doing things, and then doing an audit, "Hey, where didn't it work?" And regulators like the fact that you did an audit. And we found some areas we weren't very good at and we went back and remediated it. That is compliance. That is when it - what's going to give you defensibility, not the, "Well, we never quite executed because we couldn't sync up our privacy policies with our records schedule with our information security, but we're working there. One of these days, we will." And that's where organizations get in big trouble because, while they're still in the analysis mode, that's when the regulators come in and they said, "Well, we meant to do it, but we didn't." And they are going to say, "No, we don't care." You're going to be safer if you move along farther. And then, as we've been alluding to, tie it not only to reducing the regulatory risk, but really driving the employee productivity. That's where the win is. And, so, getting that culture of moving forward, getting the mindset to say, "It's okay, we can go - and this is other organizations doing this successfully, too." That's a big driver for it.

Erica Toelle: Patrick, looking ahead to maybe 2024 and beyond, what's really top of mind for you?

Patrick Chavez: There are a whole host of privacy laws coming online. The privacy space, Mark just said it a minute or so ago, is constantly changing, seemingly by the week. AI doesn't lessen that change or, in fact, it's going to hasten the change in the privacy space. So, for me, that's one of the challenges. But it's also an exciting place to play from a legal perspective and a regulatory perspective. You know, not all the rules are written, and to the extent that maybe we can still influence some of those rules and still figure out what does compliance really mean in that space. And I think it's going to be a whole new world 2024 and, you know, for the next few years in terms of data especially, but privacy and what does it mean to be privacy compliant, and even what does it mean to be able to use data, you know, going into the future. So, yeah, for me, it's just the sheer pace and scope and privacy and then the AI overlay to that is just going to make it that much more challenging and exciting.

Mark Diamond: I'm going to add to that. I'm going to agree. We're spending a lot of time at Contoural looking at AI. And AI is going to be particularly interesting because there's going to be tremendous pressure for businesses to leverage AI. It is a tremendous productivity tool. And, likewise, there is going to be tremendous compliance, defensibility risk, ethical issues about using AI. And this is a great chance for organizations to get a step ahead of it saying, "How do we use this in a smart, compliant, ethical, defensible way? What do we start doing now knowing that the rules are going to be able to change in the future, but knowing that if we align ourselves to these specific principles, no guarantees, but chances are we'll be pretty good?" And I'm going to raise one more issue on top of that, which is to say that, on one hand, if you're an information governance professional today, you look at all the stuff going on and it gives you a headache. And it does because there's all this stuff going on and it seems like we get one thing and another thing comes out there. And you throw in AI in the mix, huge information governance impact on AI. I'm going to argue that your organization needs leaders. Your organizations - there's probably nobody in your organization today that has a spot. And there's an open spot in your organization for the person or groups that can help the organizations navigate this. And, so, I would encourage professionals out there to sort of step up and say, "Hey, as opposed to worrying about how do I do this, how can I help figure it out? How can I be part of the solution? How can I help lead my organization?" And people that know how to lead their organization through these challenges, to help them leverage this, are going to be very, very valuable. And, again, there's an open position there right now. They haven't published it yet. But, I can assure you, there's going to be a need for somebody.
And I would say the time to start stepping up is now.

Patrick Chavez: I would not let these challenges go to waste, I think, is really the takeaway. I couldn't agree more with Mark there.

Erica Toelle: Well, I feel like we could talk all day, but, sadly, we're nearing the end of our time for this episode. And we do have a tradition here on "Uncovering Hidden Risks," which is to close out with a question for both of you. So, to wrap up, I'd love to know what is your personal motto or what words do you live by. Patrick, would you like to go first?

Patrick Chavez: So, I guess it's more of a personal motto, but my goal is to be a trusted advisor and enhance the lives of my colleagues in a positive way around me.

Erica Toelle: Love it. That's a really good motto. Right? Make the world around you a better place, especially the people you work with every day. Mark, how about you? What is your personal motto or words that you live by?

Mark Diamond: Work hard, have fun. I actually enjoy working. Not that I'm a workaholic. I can be as lazy as the next person. But I really enjoy delving into tough problems. I really love the fact that I'm surrounded by some really good people who are teaching me stuff every day. And have fun. If you're having fun at what you're doing, it doesn't really feel like work. And, so, again, work hard, have fun. You know, there's a bit of a daredevil spirit in me right now just going, "Hey, let's try this or let's try that or let's do this." And that's great fun. So, yeah, sometimes I get a little tired, but, hey, let's leave it all out in the field.

Erica Toelle: Very wise words as well. Well, thank you, again, Patrick and Mark, for joining us on this episode of "Uncovering Hidden Risks." Have a really great rest of your day.

Patrick Chavez: Thank you very much.

Mark Diamond: Thank you, Erica. Had a great time. [music]

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us, @msftsecurity, or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus. [music]