
The Calculus of IT
An exploration into the intricacies of creating, leading, and surviving IT in a corporation. Every week, Mike and I discuss new ways of thinking about the problems that impact IT Leaders. Additionally, we will explore today's technological advances and keep it in a fun, easy-listening format while having a few cocktails with friends. Stay current on all Calculus of IT happenings by visiting our website: www.thecoit.us. To watch the podcast recordings, visit our YouTube page at https://www.youtube.com/@thecalculusofit.
Calculus of IT - Season 2 Episode 10 - Autonomy and Compliance
It’s the regulation episode you didn’t know you needed - but absolutely do.
After three weeks swimming in the future of AI, quantum, and edge, Nate and Mike are back with a rundown of the one thing every IT leader loves to hate: compliance. From GDPR’s wake-up call to the alphabet soup of CCPA, DORA, and CPRA, we break down how the modern regulatory landscape is reshaping not just what you do—but how much freedom you have to do it.
In this episode:
- How to build compliance into your IT DNA (and why it’s not just “a legal thing” anymore)
- The autonomy-killing dangers of compliance fragmentation (and how to avoid them)
- Why “check the box” compliance is dead - and what replaces it
- Real-world stories: compliance councils, distributed champions, and the joy of deleting every trace of someone (on request)
- The new rules of “as-a-service” and why you can’t outsource your way out of an audit
- The secret to making compliance a competitive advantage (or at least less of a migraine)
- Strategic frameworks for balancing compliance, innovation, and your own sanity
Plus: philosophical debates on rope steak, cosplay, and the eternal question - what color pill do you *really* need to take to make all this go away?
The Calculus of IT website - https://www.thecoit.us
"The New IT Leader's Survival Guide" Book - https://www.longwalk.consulting/library
"The Calculus of IT" Book - https://www.longwalk.consulting/library
The COIT Merchandise Store - https://thecoit.myspreadshop.com
Donate to Wikimedia - https://donate.wikimedia.org/wiki/Ways_to_Give
Buy us a Beer!! - https://www.buymeacoffee.com/thecalculusofit
Youtube - @thecalculusofit
Slack - Invite Link
Email - nate@thecoit.us
Email - mike@thecoit.us
Trance Bot: [00:00:00] Our world where signal, we compute our dreams, data streams, and by make us
the.[00:01:00]
Mike Crispin: 8 45 in the morning. That's the way to do it.
Nate McBride: Yeah. That's PAX East right there for you, for anyone who's, who's listening to this tomorrow, um, well it sucks to be you 'cause you're not at PAX East, but you should get your tickets for this weekend and still get out there for Friday, Saturday, Sunday. Mike and his team will be there tomorrow.
My, not my, me and my team will be there tomorrow and then I'll be there solo. Well, actually I'll be there with my son Friday and Saturday and Sunday, as we know, is Mother's Day. Happy Mother's Day to all the moms.
Mike Crispin: Yes.
Nate McBride: And future moms and, uh, so best, best and brightest geek expo ever. In my opinion. Nothing.
Oh,
Mike Crispin: yeah's
Nate McBride: awesome. What you cosplay What, what are you cosplaying as?
Mike Crispin: I'm gonna go as, um, Mike Crispin from the Calculus of IT.
Nate McBride: How you gonna pull it off? I mean, that's complicated.
Mike Crispin: It's gonna be [00:02:00] tough. It's gonna be tough. I've done a lot of work just studying and trying to figure out how to look just like him.
Nate McBride: What if I went as you and you went as me?
Mike Crispin: That would be funny.
Nate McBride: Yeah, that
Mike Crispin: would be funny.
Nate McBride: I could get like a, uh, a latex glove and pull it over my head.
Get big wide glasses.
Mike Crispin: There you go. Big wide glasses. Um, big like blade runner.
Nate McBride: Yeah. All right. And you just have to, you have to walk around drunk. You don't have to really do much.
Oh, you're killing me. Uh, so how was New Orleans? Did you, uh, do your Calculus of IT research down there? Uh, pretty much.
Mike Crispin: I, I,
Nate McBride: um, what did you discover?
Mike Crispin: I attempted to do some, but [00:03:00] I didn't see much innovation.
Nate McBride: Not all Innovation. Okay. A lot
Mike Crispin: of alcohol. And a lot of food. And, uh, would you, would you say the
Nate McBride: future of autonomy in New Orleans is, is strong?
Yes. Yes,
Mike Crispin: absolutely. Okay.
Nate McBride: Was your, was your, I would say yes.
Mike Crispin: I, I think, um, a lot of, a lot of music and a lot of dancing. Uh, weather was awesome. A lot of sunshine.
Trance Bot: Okay.
Mike Crispin: And, um, a lot of good people, friendly people, and, um, people were doing what they wanted. So, yeah, I would say it was pretty, it was pretty auto autonomous,
Nate McBride: so.
So your decision making wasn't influenced by anything else external. It was purely made. All decisions were made by you and you alone? Pretty much. Pretty much, yeah. Awesome. Good for you. Way to, way to take back your self-empowerment. [00:04:00]
Mike Crispin: Yep. That's what I did. It was, um, it was freeing. It was very freeing.
Liberating. Liberating. Yeah. I like that. I like that. You liberated, you untethered. I untethered. I disconnected. Okay. It felt, um, it felt magical. It actually felt magical.
Nate McBride: Yeah. Magical. Wow. That's pretty, that's pretty awesome.
Mike Crispin: Yeah. So, um, now I'm back and I still feel somewhat magical, but it's
Nate McBride: the magic's wearing off.
Mike Crispin: The magic's wearing off.
Nate McBride: You know what you can do, Zoe? You, you can, you can regain that momentum tomorrow at PAX East.
Mike Crispin: I know. It's, it's, you know, it's,
Nate McBride: we get to watch Incline Week. The Mario, Mario, Mario Brothers two World Championship speed run. Really? We get to, we get to play at, in the Carcassonne tournament.
Mike Crispin: What do you run to the second you get there? Do you have like a place that you go Right, for like
Nate McBride: the
Mike Crispin: bar? The, [00:05:00] oh, okay.
Nate McBride: No, just kidding. No, it's, uh, I get to the all 'cause all, all the big giant gaming companies have their brand newest games and on Thursday it's always a light crowd. So you've gotta get to the best game that's out there.
Yep. Um, so either be a new Final Fantasy essentially, or um, nice. It depends. I mean, I might head over to the indie games first and fart around there before all the controllers get completely poisoned with PAX flu. Ooh,
Mike Crispin: PAX Flu. I forgot. Geez. You know, it's funny you mentioned that, right? God, I didn't think of that.
Nate McBride: Yeah, I'll be, you gotta wash your hands pretty religiously.
Mike Crispin: Yeah. Oh yeah. I was just gonna try and build this unbelievable immunity.
Nate McBride: You have to go for
Mike Crispin: 15 years. Start picking my nose after every game.
Nate McBride: Yep. If you actually, you can fight back the germs with your own germs, so just cough on everything before you touch it.
And that way your germs kill what's there.
Mike Crispin: It's a, it's a neutralizer.
Nate McBride: I highly recommend some kind of like, [00:06:00] um, secretive thermos to keep your day drink in because. You can't get, they had, they had, they do have beer. It's, it's Voodoo Ranger is the bar and it's on the third floor, I think. Okay. Uh, it's not open till I think after lunchtime, but what's great about it is it's on the, it's on the free play floor for consoles, so you can go then sit in front of any console ever and rent games to play.
Okay. So we can go to like head-to-head in, uh, in, uh, Mario Kart or, I heard that there's ASMR on one of the things, maybe TikTok that of people stocking shelves and people just, you can, you can watch videos of people stocking shelves in a house. Like a, like a pantry, like putting towels away and,
Mike Crispin: wow, that sounds interesting.
Nate McBride: People listen to it as, as medi or watch it as meditative. I mean, basically it's just, it's the, we, we've reached the end of the internet, so now we're watching people put [00:07:00] towels away pretty much. That's where we're, that's where we're at.
Mike Crispin: I like the, uh, the guy who goes out camping and makes steaks and stuff out on rocks and he's got his dog running around and the wind's blowing through the camera and you kinda like, oh, it's magical.
And you can hear the, the frying and the butter melting and all that shit. Yeah. I love that. Love that. That rope
Nate McBride: steak. Rope steak of the wilderness.
Mike Crispin: Oh yeah. It's like just shooting ropes across the steak and then just let it fry on the pan, feed it to the dog. Take a few bites yourself.
Nate McBride: What's, what's the sad part about that?
Is that we're watching, I mean, I'm not doing it, but that you're watching some guy cook steak on rocks. Yeah. Or, or that you're not going out and cooking steak on rocks yourself.
Mike Crispin: Yeah. It's, it is sad. It's, uh, escapism to some extent, but it's also background. It's great way to like put things. It's not like you're really paying attention.
It's like you put [00:08:00] it in the background and.
Nate McBride: I wish it were that easy, Mike. I do. I wish it were that easy to simply,
Mike Crispin: Hey, it could be. It could be.
Nate McBride: Take the blue pill. Yeah, that's true. The aqua pill. The aquamarine pill.
Mike Crispin: Hmm.
Nate McBride: Yeah, that would be good. Why? What
Mike Crispin: the green pill does
Nate McBride: wasn't a green pill,
Mike Crispin: but what do you think a green pill
Nate McBride: would do if you took that?
If you, well, if you took the, the red, the red pill was stay right pill. Now the red pill. Pill
Mike Crispin: was, see how deep the rabbit hole goes.
Nate McBride: Right. And the blue pill was nothing changes.
Mike Crispin: Yeah. You wake up and believe whatever you wanna believe.
Nate McBride: What if the green pill was, um, you woke up and you got, how about the green pill?
Just a kick in the nuts. Just little, some little kid runs out from the side, kicks in the nuts and runs off.
Mike Crispin: Oh, should have taken the [00:09:00] green pillar. Maybe. I wanted to.
Nate McBride: Yeah, I guess that's the green pill. I think you just solve a problem. I probably have an episode on what every color pill would do. Right There is a full episode.
Mike Crispin: Hey, I just twisted my hip or something there with that, pretending that I got kicked in the nuts.
Nate McBride: There we go.
Mike Crispin: I'm feeling better now.
Nate McBride: We do not have, we do not have disability insurance on this program.
Oh crap. So you have no, you can't take time off. You have to work. Oh boy. I'm Nate McBride. With me is Mike Crispin. Kevin DNI is on assignment tonight. Um, I'm not sure exactly what assignment he's on, but he is on an assignment. Perhaps people will join us next week for episode 11. Um, so if we think back for a second, by the way, just reflecting, we, we, we had episode eight, four episodes ago.[00:10:00]
Yeah, I know. It's just math. It's just math. Uh, it's deal with me. So we did episode eight and that's where kinda like we pivoted in the season. So we talked about, so first four episodes of the season we're talking, we talked about setting the baseline for what the hell autonomy in IT means, then episodes five through eight, uh, were focused on today, like right now.
Mike Crispin: Yep. Yep.
Nate McBride: Now we're, we pivoted after episode eight talking about, uh, sort of the future start. We started going down the road of the future for autonomy in IT, in which we started with episode nine, which ended up being a three-part episode, um, which we cover over the last few weeks with the help of our special guests, Kevin Dni, who does not wanna come on tonight.
So we explored emerging technologies, uh, and their impact on autonomy. We went over quantum computing edge architecture, um, and how these transformative technologies are reshaping the autonomy equation for IT leaders. This week we're [00:11:00] tackling an another critical frontier in the autonomy battle, which is the regulatory landscape and compliance requirements that are reshaping how we make technology decisions.
And so for our context, Mike and I have been dealing with regulatory and compliance requirements since we started in IT in life sciences, so going all the way back to the, almost near the beginning. Yep. Um, but now with recent ones, and I'm talking recent like GDPR in 2019, well, technically 2017, but actually 2019 to Dora to CCPA and to the 22 other states that have active or pending CPA legislation.
Um, the question is how do IT leaders maintain autonomy while still calling aside the, the ever changing lines and. You know, uh, I think it's important to talk for just a second about this, but before we get into that, just some of the show notes. Yeah. Um, if you want to buy [00:12:00] us a beer, we have in our show notes access to our Buy Us a Beer portal.
We have access to our invite, to our Slack board. We have access to our merchandise store. Um, if you listen to this on any particular medium, you can give us all the stars, um, just five or whatever the maximum is you can give them to us, which is cool. Uh, tell your friends about the podcast. Of course, you don't get any referral fee.
You just get the good, uh, karma from having spread the word about the show. All right. So that being said, um, last week again, we talked about the autonomy aware futurist. This is the person who balances speed with autonomy, builds knowledge and independence, maintains technol technology sovereignty, and governs for autonomy in an increasingly AI driven world.
So, as I said, we're shifting our focus to regulatory landscape tonight and how it's reshaping [00:13:00] autonomy for IT leaders today. Uh, and in the future we'll discuss the evolution of compliance, um, how to manage risk when everything becomes as a service or has become for years now, but is becoming even more so with AI as a service, et cetera.
And the delicate balance between, um, cybersecurity automation and the human judgment. Two things often left on the draft board. So, so far we've been talking about finding that sweet spot, balancing sort of the four pillars, uh, risk, innovation, productivity, and um, innovation. Sorry, risk, innovation, productivity, and autonomy.
Sorry. Um, while preserving the things that let IT leaders make strategic decisions that truly benefit their organizations. So the regulatory landscape adds only another more layer of complexity to the balancing act. It doesn't matter what industry you're in, um, whether you're in software development, gaming, um, life sciences, [00:14:00] banking, finance, um, insurance, you have compliance regulations.
And unfortunately, the closer you get to the money, more regulations and compliance you have, but everyone's got them. Um, if you sell something on the internet or you purport to sell something or you make something that people will ingest, touch, wear, smell, feel, um, chances are good you have compliance. So before we get into any of this stuff tonight, and jump right in, I'm gonna ask you, Michael Yeah.
What, uh. In the last few years, what one compliance impact has had, what one compliance framework has had the biggest impact on your autonomy as an IT leader?
Mike Crispin: Oh boy. Um, I think all I'd say probably the regulatory compliance in being the industry we're in has created the most guardrails. I mean, because the systems that are so important to the company are [00:15:00] often under that guise, um, and under those regulations, and it takes more time, it takes more people, it takes a lot of translation and agreement and partnership with your quality and regulatory organizations, right.
To get that correct. So it takes a lot of time. We talk about GDPR. Really depends in some respects or becomes more difficult when you are a commercial company, but still you need to deal with, to deal with it and make sure you are able to outline what type of personal information you have and how you can give it back, or how you can destroy it or make it visible at and on command.
So I think that each one of those, uh, creates challenges, but I would say the regulatory, um, [00:16:00] and GXP or GMP/GCP type compliance is what limits the freewheeling autonomy that you'd like to have in some of these systems that have such a huge impact. For example, you might put GXP or have a GXP system.
That you actually could make run better with a little more flexibility and you really don't have that option.
Nate McBride: Yeah. I tend, I tend to think of what you're saying sort of in the terms of, if we use the zero one calculation, the most decisions related to compliance have to be zero decisions. They have to be more status quo based.
You have to sort of follow the leader. You can't really go off and be rogue. Yes. And do, do, do, you can't usually, you actually can't do what's technically best Yeah. To do what's technically worst or least mm-hmm. In order to achieve these. But that's, that's the, um, the marching orders. I mean, for me it ha it was GDPR because up until that moment, even though we [00:17:00] had SOX, we had 404(b), and because we live in Mass, we had Mass 201.
But even though we had requirements around protecting people's data. Or data about people, sort of that whole PII mm-hmm. Uh, grouping. It was always relatively easy to maintain. You had some access controls in place. You encrypted your data at rest, you know, no big. Then GDPR comes along and it says, well, none of that's even close to sufficient.
And whether you have somebody who's a customer or employee in the EU today or, um, will be tomorrow, you still have to be compliant and
Mike Crispin: yes. Yep. And it
Nate McBride: was one of those amazing frameworks where when you step back and you looked at Articles 17 to 21, which are really the ones that most people only care about, this idea that somebody could come along to your company and say, remove everything about me and prove it.
Yep. Um, it turned sort of the sense of autonomy on its head. 'cause just when you thought you were in a position of being able to start getting back [00:18:00] some decision making, you know, moving, moving more towards one decisions for how you were going to, uh, respond to GXP and regulatory compliance, now all of a sudden you had to step back and say, okay, holy shit.
Like, what's the rest of the business do, what's the rest of the industry doing right now? And I have to do that because there is no, there is no precedent. Mm-hmm. There's no sort of benchmark for this. Now, obviously since then, companies have figured out novel and unique ways Yeah. To comply and, but GDPR was actually a good framework for to come along because it made everyone step back and say, holy crap.
Like, I couldn't do this right now. If someone walked in right now and asked me to remove their data, I couldn't do it. Yeah. And you know, here's why. And then it enforced a lot of organizations to actually sit down and map their data flows for the first time and realize just how little control they had.
I mean, it was a pretty big wake-up call, but I think that waking up moment, uh, it's kind of had a dual, had [00:19:00] dual effect. On the one hand it made you realize, okay, here's all the things that everyone else is doing. So let's look at the precedents. Let's look at the industry and see what people are doing.
Follow the best example. But it also gave companies a chance to pause and say, actually, you know what, no, no, no. Um, we're gonna do, we're gonna follow the industry, but we're also gonna make our own guidelines for how we want to execute this. And, um, and the reason is because the guidance for for GDPR and for Dora
Trance Bot: mm-hmm.
Nate McBride: And for many of the CPA regulations in the United States anyway, is the word reasonable word reason Yep. Exactly. Goes up everywhere. And so that word reasonable is such a wonderful. Um, balm, there's a word for you. Balm for autonomy. I like that. I see the word reasonable. I'm like, oh, cool, okay, so here comes all my one decisions to, to satisfy the reasonable approach, right?
Yep. So that's, that's a help. But still, you know, outside of the [00:20:00] word reasonable, there was a framework to attend to. So I think it was GDPR, but you know, GDPR isn't going away. Um, more and more regulations are coming out all the time. Of course, obviously we have, um, a government that doesn't know its ass from
its, uh, its nose. So we're gonna see a lot of conflicting regulations potentially coming out in the next few years. Uh, on the state level, we're gonna see conflicting state regulations. So you might have two different states that have completely different viewpoints and you have to satisfy both. So, um, we'll get into that, but I.
So I wanted to give an example. So I have a friend of mine, uh, you've been to some of these dinners with me, but I have a friend who I made at one of these CIO dinners who left a, and actually he was in my Sloan MIT thing, but he left a midsize FinTech company and he had created a compliance council, which I guess if your company's large enough, you can create something like a compliance council.
I don't think I'd have enough staff at my current company to do that, or people [00:21:00] that cared. Yeah. Yeah. Not that they, not that not people don't care about compliance, but they're so busy with like everything else they're doing. So it's not just, and it's not just legal and IT, it's representatives from every business line Yes.
Who meet on a monthly basis to discuss regulatory changes. Um, so what they did at this company is they distributed compliance awareness throughout the organization rather than treating it as an IT or legal problem or even quality problem. Um, it's kinda like what companies do now with ERM. So do you guys do ERM?
Yeah.
Mike Crispin: M Yeah. Enterprise rights management. Which, which ERM risk enter Enterprise Risk management? Oh, enterprise risk management. Yeah. Um, I would say we, we do, but it's not a formalized council. Yeah.
Nate McBride: I mean, it's more just documentation, right? Right. I mean, we're at, we're at the same place, but formalized ERM is kind of like the same problem, but ERM is more sort of a global holistic perspective.
And generally what comes out of an ERM council is, you know, compliance gaps and mitigation [00:22:00] plans, et cetera. Yes. Mitigation plans. This is, this, what he was telling me about was like, this is a different plan. And this was actually championed by legal and his company, but it came on board. Um, they had embedded compliance champions and these people were people that were not compliance officers by any means, but regular team members who got extra training on regulations and served as sort of.
The first line of compliance and awareness for their teams. So like, um, if you were look at like a box folder structure and you had a data custodian for an N one structure, yeah. That person's not necessarily like an IT data management guru, but they know everything that's happening inside that structure and they have the custodian, well, same principle.
Um, you take one of these people that's a compliance champion and you put them in a functional line and they're the ones who are able to say, Hey, listen, we actually can't do that and here's why. Sure. Um, so, so what I found interesting about that company is that, and that, and other companies that are similar in terms of [00:23:00] forward thinking aren't seeing compliance as a cost center or a restraint.
They're turning into competitive advantage. Um, sure. And they're building com. They're building compliance capabilities. I would love to do this, and someday I hope to, um, that go beyond checkbox exercises and create business value through increased trust and reduce risks. So basically automating the compliance and there are platforms that will automate compliance on a regulatory level.
Sure. But I'm talking about the whole company. So any thoughts on that? You mean from an automation perspective? Just from a, just from a, your perspective on whether or not you can turn the management of compliance into a competitive advantage.
Mike Crispin: Yeah. I mean, I guess you, you, you could if you are really good at it, but I, Hmm. I don't know. I don't know if I, I [00:24:00] agree with that or not at this point. I think it's, I. A competitive advantage of being better at risk, I guess is true across the board, but it's hard to quantify.
Nate McBride: Well, not so much risk, though, more, more compliance than risk.
So yeah, if, if I have, if I have, if I have adherence to compliance built into all my processes Yep. Instance, say I'm going to develop a new, uh, web, web form. Yep. And compliance is one of the key pieces of mine in terms of that development. Sure. As opposed to a, as opposed to a post hoc kind of, uh, assessment.
Yep. Well, obviously the time to complete this, not obviously, but in most cases the time to complete this, uh, sprint or this development cycle would be reduced because you're already building it from scratch through an innate process that automatically takes into account, um, compliance framework.
Mike Crispin: I think compliance that's baked into the culture of the company is the best.[00:25:00]
One of the best ways to sort of make it so that it's more of an automatic priority for each person in the company that that's just built into their DNA is how they operate. I think that provides some competitive advantage, but I think also if you, if you have, uh, compliance as a company be as, as, as a, as a corporate goal, I think a lot of companies do.
A lot of our companies certainly would, um, as a top priority. It's always gonna be a, like a lot of IT projects whenever they're compliance related or needing to com to adhere to compliance or build in compliance, they always are a must do. Um, so that's why I am like, I'm not sure if it's a competitive advantage or not.
'cause I think everyone's aspiring to be, um, compliant in any way they can. I guess to the point I. Can they do it faster? Can they make it more automatic, [00:26:00] more get outta your way? It's just gonna happen by itself. I think that's a competitive advantage. Um, if it's possible. I'm not sure how to do that yet, but, um, well that's definitely, I think you hit, sorry, go ahead.
Nate McBride: Well, I was gonna say, you think you hit the nail on the head there. I mean, building it in as a, um, I don't wanna say a cultural just element, but building it in as a matter of how the business runs Yeah. Is part of that DNA rather than treating it as like this thing we have to do that's annoying. Yeah.
And, and terrible and all that stuff. You just build it in as a matter of this is we do business in a compliant way, we are compliance. Yeah. Then it's a whole, I think that's a much different way to approach it.
Mike Crispin: It gets a lot easier. I, I think for many employees, when they know why it's important, like when, sure.
The history behind it, why these compliance, um, [00:27:00] rules and regulations are in place, what brought them on, why it's important. Then people usually understand. It's, I think the, it's the smaller details that people get confused on, like when and what, and why do I need to do this component and how does this little thing that I do really affect the bigger probability of risk that I'd create if I didn't do it?
It was like, oh, I'm in a rush. I gotta get this done. Why do I have to do these nine extra steps? Well, if you're doing nine extra steps, then it may not be the best process, but Right. At the same time, I think that's. Just clarity as to why it needs to be done and yeah, taking a little risk. I think with compliance, we, you've gotta follow the certain set of rules, but I think you and I have both been at companies where we look at the [00:28:00] compliance, at least from a, a, probably a GXP perspective and go, okay, that's not what I'm used to seeing.
Or yeah, wow. We're not doing that. Wow. I feel like we're way behind. And there, it just depends on the, uh, uh, philosophy of kinda the compliance leadership in the company as to how much of this you wanna bite off. And that's an enterprise risk discussion and decision the company needs to make. Um, you always hear like, you know, they'll pull on a thread.
I always hear that right? Pull on that thread, but it. You gotta have a big thing at the top that's, that's gonna start the thread being pulled and what's the probability of the thread being pulled far enough to see something that a certain employee is in charge of or doing. And that all needs to be calculated.
'cause you can't do everything all the time. 20 people.
Nate McBride: Lemme ask you, let me ask, lemme ask you this kind of far out question, but something I I, I thought about as I was putting together this [00:29:00] episode Yeah. And actually something that I, we thought about, I talked thought about last season too, which is compliance and don't, don't, don't, don't choke on your water, but compliance as a distributed function or compliance as a service within the func within the building.
So Right. We talked last year about decentralized IT.
Mike Crispin: Oh yeah. Yeah.
Nate McBride: It should be distributed. Everyone should be a champion of it. Exactly. But, but more almost formal is what I'm thinking now. Like what if you had. What if you had a compliance person in all of your key areas of the company? Not, not, not a person who's walking around with a clipboard, like, ah, ah, that's not good.
Yeah. But they're, they're, they're seeking, they're actually doing the opposite. They're trying to find ways to optimize Sure. And, and go beyond compliance, but not like, you know, oh, you, you can't put that on that table because it will tip or something. You know, not, not like that kind, that level [00:30:00] of, um, micromanagement.
I was thinking that would be pretty damn cool to have distributed compliance or decentralized compliance. Much like decentralized IT as a function. Um, I don't know. I mean, if I had somebody in IT who was solely focused on compliance all the time, and I mean, they'd, they'd want to kill themselves after a week 'cause it'd be so boring.
But if you said to them, okay, listen, if. We want you to understand every single bit of compliance and figure out how we can optimize what we're doing so that we don't have to think about compliance. There's the, there's the puzzle you need to solve.
Mike Crispin: Yeah. And I think as you get to be, um, you, you get to have the resources, um, that you need.
And this is actually one of the hires I was looking at for this year is really to have a GRC person. Yeah. And often GRC person can take cybersecurity. They can take GXP, they can take GDPR, they can take even a, a small PMO type role. 'cause [00:31:00] they're really in charge of the governance structure of it across the, the, the groups.
And they go out and they work with each function and maybe they build duplicates of themselves or that type of mindset across different. Different groups as you as, as that
Nate McBride: role grows, um, that role would have to be a perfect in order for that role to work, in my opinion. Yeah. It would've to have such an amazing eq because if they turned into a compliance police
Trance Bot: mm-hmm.
Nate McBride: No, it be, they'd be, they'd be, I mean, they'd be pitchforks out your door, Mike. I mean, honestly, this person would have to be the, Hey, so how are you guys doing stuff? And that's awesome. Yeah. I think I can actually help you do it better. And I think there's,
Mike Crispin: I, I think there's an outcry from a lot of business functions for someone in IT who speaks that language and can execute on some of the tasks that they want executed on as an extension of their team.
So [00:32:00] kind of a distributed, not someone who's. Look, it's not, you're not a good governance person. If you're someone who's holding the clipboard and saying you're doing that wrong, that's, yeah.
Nate McBride: Right, right. That's any
Mike Crispin: role. But you hire someone like that, it's not gonna be a fit. Right. But I think if it's someone who's an enabler and they always say like, don't say governance, say enablement.
You know? Um, because that's what it is. I think in summary, you know, governance in itself, which sounds scary, is just making sure we're doing the same thing each time. Yeah. That's really what governance is. And a lot of people love that. They're like, look, if it's governance, oh my God. But if it's like, you tell me this easy thing, this easy process to get this done, and I know what I have to do so that I can make sure I put enough time aside to do it the way that the company wants me to do it, they're like, great.
But because of so much ambiguity in business process at companies, they're like, ah, which system do I use and when do I have to do that again? And [00:33:00] because it's not great. Governance and really that governance enables the, the company as much as, as things move forward. But it's a bad word. Data governance scares people, but data enablement is a good thing.
Yeah. Cool. But that's where the, the leadership of that role has to come through and be really powerful is this sort our front wheel leader. Um, and it, they're hard to find because a lot, I think a lot of them are, uh, gone through a lot of horror stories where maybe the, the organization didn't come along for the ride and they're trying to rebuild sort of that role, you know, as they're that job, as they're going to get, go on interviews and whatnot.
So I think they're very hard to find if they exist. And then there's some people put more, um, of the cybersecurity elements in the GRC bucket as well, and less in the IT realm and saying that's, that's a, that's a huge column of governance, risk and compliance. [00:34:00] And if you just look at the software stacks that have come out, uh, in the last five years or so, all the GRC platforms cover all the areas we're talking about right now.
Right? You go buy a one, like a OneTrust, for example. Yeah. All those columns are all the things we're talking. GDPR, you know, privacy, GXP, cybersecurity, data governance, data catalog, all these things. It's like, oh, I want someone who could do all that shit.
Nate McBride: That'd be
Mike Crispin: great.
Nate McBride: But, but you're getting into the compliance fragmentation problem, which is Oh yeah, definitely.
So, so, so the guy I was talking to in the FinTech space, he and I took a list. I think I got most of 'em, but he had GDPR in Europe. CCPA in the US. Yep. Well, CCPA is California, but CCPA in the US, CPRA in California, LGPD in Brazil, PIPL in China, DORA in the EU for financial services and. I mean, obviously I didn't, I didn't track all the acronyms.
There's more, [00:35:00] but, and the list keeps growing. So each has their own unique requirements. Mm-hmm. Enforcement mechanisms, penalties. And these penalties in themselves are abstract. It's a hundred thousand dollars per incident. What the fuck is an incident? Um, or, or a leak or something. Right. So, or inability to comply.
But the inability to comply if you're, if you're served with a notice of compliance, you still have a, a buffer period to comply. And so, I don't know. It's just, it's, it's, it's, it's it's compliance regulations without proper means of enforcement.
Mike Crispin: But gimme your philosophy on sort of, so we have acceptable use policies, right.
And we dictate the privacy rules of the company to some extent, because of how systems are used and how data is stored.
Nate McBride: I think every AUP is different, but in, in, in essence, I think you're correct.
Mike Crispin: But if you, if, if you've, if you've outlined that as a company policy and [00:36:00] someone dumps a bunch of PII into a system somewhere, uh, that's their banking records, let's just say
Nate McBride: Yeah.
Mike Crispin: You know, is that, are you supposed to know about that and just have something that detects it all? Or is that person in violation and can be held accountable if they ask for a, a right to destroy data request? So they dumped all their stuff somewhere that they're not supposed to. They, they've broken the AUP and now they come in and say, Hey, you didn't delete all my bank records that I saved.
Nate McBride: Right. Um, well that's,
Mike Crispin: that, that's kind of a, one of those things where does policy really help
Nate McBride: this type of issue or not? Policy doesn't help so much as the reaction to policy and even more than that. The, uh, the trick to any of these things, uh, from an action perspective is creating an attestation that you've done it.
How can you prove to anybody that you don't have a thing? Yes. Um, it, it's, [00:37:00] it's one of the dumbest, sort of most obsequious arguments to make. Okay. Here's a letter that says, I don't have any more stuff about Mike. Well, now Mike has the burden of proof to prove I still have something about Mike. Yeah. So how You can't do it if I say I don't have it.
There's no way to prove, unless you did a full forensic analysis of every single byte of data I have in my company.
Mike Crispin: It, you know what else would be really interesting statistic? There's no way to do that is how many of these requests come into companies whose product I, I know that it's obviously we all need to follow the regulations and the rules, but from a risk and probability perspective.
How many, let's say, just from an employee perspective? Yeah. You know, not even from, not from, I mean, look, I mean, if you're doing clinical trials, it's a whole other ball game, and that's [00:38:00] happening with a, probably with a, a specific vendor and a specific data set. Then you've got, you've, you've got, you've got certain things that you need to control internally, obviously.
But from a, I know, I know in just talking to peers and others, that there's compute, there's, there's concern about employees. I mean, how many employee requests really have come into companies like ours that says, Hey, I want you to destroy everything.
Nate McBride: Yeah.
Mike Crispin: That, that, that I've saved, or that's about me. I mean, I, I've never even heard of one.
I know they exist, but I've never, ever heard of one after all this time.
Nate McBride: I've never been exposed to one, but I can certainly see how one might come out of Yeah. A PA punitive response to say, oh, termination or whatever. Okay. Fucking delete every single thing about me in the company and prove it. Yep, yep.
Because this person might know that you can't. Yeah. And then they can just go ahead, I mean, contact the local CPA enforcement agency and bring the dogs, so, [00:39:00] yeah. Oh, definitely. That's a great point. Well, well, let's assume, let's assume the worst of human humanity. It's not so hard sometimes, but let's also assume some of the best, especially when it comes to our i, our fearless IT leaders who are facing the autonomy battle.
Um, yeah. Um, this is all these re requirements that governments put out without a whole lot of forethought and all these penalties and enforcement mechanisms. Even if you're only dealing with one of them, it creates a fundamental tension. On the one hand, technology and business are basically global and borderless.
On the other hand, regulations are generally local and specific, um, and getting worse. So especially in nation states, like, um, like what we're dealing with here in the US. So software doesn't necessarily re naturally respect geographic boundaries. Regulations absolutely do. Even, even more important is that look at who makes the software you use.
If I look at my software vendors [00:40:00] and I was to sort of line up where they're geographically based, less than half are in the US. So, um, that's problematic. Um, so this creates a kind of different, like what I talked about before, compliance fragmentation is the issue where different parts of your technology stack have to meet different regulatory requirements depending where they operate or whose data they process.
Yeah. So, so how do sort of, how does our Fearless IT leaders sort of maintain autonomy in this landscape? Well, first they focus over principles, over check boxes, and we keep using that checkbox term, but that's basically what we're talking about here. Stop, you know, put away the check checkbox list, put away the clipboard, and, uh, think about principles of what you're doing.
So instead of building separate processes for each regulation, just identify the common principles, like for instance, data minimization. Why do we need this person's nickname? Can we just get their name? [00:41:00] Why do we need their X, Y, Z bit of information? Their home phone and their work phone? Can we just get their work phone?
That's, that's key. Purpose limitation. So why is it that we're collecting this? Do we actually need any of this information? I love when I sign up for like a website and they don't ask me what my job title is and how many, how old my company is, how many, how many employees work there. I look at these forms and I'm like, why is it, why does this matter?
Just 'cause you're gonna sign me to some sales rep. Sales rep, you just got out of college. So I fill it out with always garbage information. I always pick the maximum. So here's my little secret, I'm gonna expose this now whenever I sign up for a software trial, whatever the maximum amount is, you know, it's like, what's your company's revenue?
9.9 billion a year. How many employees? 10,000 plus. Like I go right down the list and then I get the email from the guy who's like slobbering. He's like, oh my God, we've got a live one here. And I'm, he's like, oh yeah, how can we do, like, how many licenses do you [00:42:00] want? I'm like, oh, just three. We're just gonna go with three.
We have a, we have a small pilot. Sorry. Then they look at my website and they're like, oh, forget it. So, so, so anyway, there's that. And then lastly, security by design. Whatever you're going to take in, you had better sure as shit, obviously secure all of it. Um, and you just build these into everything, every single thing that you do.
You think these, these three, if, if nothing else, you think about these three principles. And if you just do that, oh my god, life is so much simpler. Your forms become simpler. The way that you process data becomes simpler. No problem. Then you have compliance flexibility, which is you need to have the ability to adjust policies, controls, and processes based on jurisdiction without rebuilding the whole system.
And how do you do that? You create a generic baseline that is essentially, um, a, almost like, almost like a zero trust format or a least [00:43:00] privileged format where you start off with like, what's the bare minimum that would satisfy everybody. And this might require a charter, some columns or stuff. And that's where you start from.
And then you only make adjustments that are absolutely critical and necessary. 'cause you can always fall back to the baseline. And this is, oh my God, it does so much to reduce work if you try to come up with a compliance guidance. Remember when Sunshine came out, by the way? Yep. What, what year was that?
That was uh, 2014.
Mike Crispin: I think it was even earlier than that. I think it was like 2012 or something like that.
Nate McBride: And what did everyone do? Everyone lost their fricking mind to try and update their CRMs and their, their patient data. They didn't have to. They didn't have to. Yeah. They had already spent a ton of money too.
Yeah, exactly. If they had already had a baseline for how to intake. Only the necessary parts of a doctor's visit and only show up for a doctor and pay the, the minimal amounts and do all the other things. It would not have been a problem. [00:44:00] But everyone got caught with their hands in the, in the fire, so to speak, at the same time.
So companies spent Oh, so much money and time trying to get compliant with that, that act is it, I wonder if it's still, I wonder if it still exists, um, which say I wonder if it still exists. It's gotta still exist. Yeah, it does. Yeah. It's probably even, probably even worse. And it was great about that Sunshine Act was that there were some states that were different than others.
Like I, I think there was, like Maine, you can only spend $25 in an office visit, but like in West Virginia it was $50 and, and, and, and I learned more about NPI numbers during that time than I ever want to learn in the rest of my life. Um, NPI numbers,
Mike Crispin: oh my goodness.
Nate McBride: Yep. Yep. Uh, so then we have compliance intelligence, which is the ability to monitor the landscape.
So it's not just about subscribing to legal updates, you know, it's about building relationships to regulators, um, participating, participating in industry [00:45:00] groups, and sometimes even helps shaping regulations themselves. Now the latter is generally reserved for people that come out of, um, regulatory or compliance based roles, but I've seen many opportunities where I've gotten invites to things to talk about, um, reg regulatory compliance and workshops where there's experts who are looking for feedback on how companies work in their particular industries.
So you have to stay fluent Yep. In compliance and getting caught saying, oh, I, I didn't know that there was a compliance for that thing Is never gonna work in your favor.
Mike Crispin: Nope.
Nate McBride: Um. So basically what we get to through all those is it's not just the legal risk issue, it's a core capability.
Trance Bot: Mm-hmm.
Nate McBride: That directly impacts technological autonomy.
If you treat compliance as a box check exercise that happens after the decisions have already been made, you're effectively ceding [00:46:00] control of your technology strategy to whoever drafted those regulations. I mean, you're like, oh, well, uh, we gotta comply with GDPR, so turn off that and turn off that and let's go ahead and go put in this Microsoft stack and be compliant.
So be it. That's not the way to go, obviously. No, no, no. Don't let it change the technology. Rhetorical.
Mike Crispin: Yeah. I don't need to change the technology decisions. It's mostly a process related change. Yeah.
Nate McBride: So when CCPA came along, which was uh, not too long ago, a couple years ago, um, everyone sort of freaked out 'cause oh my God, California's coming in with this big wave and all these companies in Silicon Valley, everyone's gotta comply with this.
But it actually, if you were already taking some general best practices, best practices that have been out there for a while, either from GDPR or from general best practice, then CCPA didn't affect your company. But then what happened is the other states started coming along and [00:47:00] issuing their own mandates again with their different types of fines, et cetera.
And if you had used GDPR as a baseline, and then if you had used CCPA as a baseline or an adjusted baseline, you would've been fine for every other state in the union. Now, if you're scrambling to sort of meet the requirements of every state, you're screwed. So now you have to sort of go back to the beginning and figure out what's my baseline for compliance and how, how do I want that to affect my technology decisions?
So it's the architectural compliance part. So you're preserving autonomy by basically building compliance capabilities into the core stack. Um, again, that meet that sort of baseline effect. So think about this for a second, if we have to integrate compliance requirements into an IT strategy, like if I think about, and I haven't really written my 2026 or 20 to [00:48:00] 27 plan yet, but if I had to write in compliance as a strategic strategic initiative for the design of that plan, I have a pretty good idea how I would do it.
Um, and I, I'll let you go first unless you want me to go first, but I'm interested to hear how you would write, uh, this into your strategic plan for IT. Would, would you keep it as a separate, separate strategic item, would you incorporate into all of your other, um, big, big bucket items?
Mike Crispin: Yeah. Every, every, every project that we do is needs to be done in a compliant manner and following the existing IT business processes.
But over overall, what we are trying to achieve is kind of one of our goals for the year each year is just to maintain a compliant infrastructure, a compliant operating model, and an operating environment [00:49:00] that's built in pretty much to everything we do by default. Now, separate goal perhaps, is to create a more efficient compliance apparatus, if you will, and to better scale and improve that is, is a, is a different type of project.
Often we're able to. Work with and abide by the existing policies and help develop the policies. Depends on when and the process you come in. But if you're trying to make the compliant process of the company better, that's a separate project or separate initiative. Yeah. Um, I think if you're following the existing processes, yeah, there's some loss of autonomy by doing those.
But you've also got to weigh how good is the company at compliance? What is the company's risk management strategy and where they want to focus. Um, they're often relying on IT leader as making sure the IT [00:50:00] systems are compliant in a sort of FDA inspection scenario and partnership with quality, that the systems are secure, that your data model is intact, that you can prove data integrity, that all that is done.
And that's just, in some ways, it's part of your job. Um, as opposed to Well, can
Nate McBride: I, can I pause you right there for a second? Yeah. So. Part of your job part. When you say that, I know what you mean. Yeah. But just the way that it's phrased makes it sound as if we don't have a say in how to Yeah. Um, affect how we respond to it.
Mike Crispin: I think I, I think we are entrusted with the best approach for our sort of the digital and IT domain as to be it you're entrusted that you are creating a compliant environment. That you are building a secure environment. They there, I [00:51:00] think there's even to go as far as assumptions that you are. So, you know, I think that's what I mean, kind of as part of your, part of the job of an IT leader is that.
That, that's not like, look, I made things compliant. Look what I did. No, no. That, that's what you do. You, you're supposed to run a secure operation. You're supposed to, um, be, uh, follow, if there is existing process and policy to, to follow that and sign off and train on that and, and do it in an appropriate way.
But additionally, you're supposed to introduce process that helps you to make your systems compliant, often working very closely with the quality organization on how to ensure data integrity across all the systems that you've built and support, um, that, that you need, you need to do that. Uh, the company usually has a compliance goal and you can align all these goals up with that just from a corporate goals [00:52:00] perspective.
Yeah, but I think this is also a problem with cybersecurity, right? I mean, I think there are at least, maybe not so much anymore, but a few years ago. Was, if IT is silent on cybersecurity, the assumption is that it's secure and great. You know, everything's great. So, well what if, go ahead. Sorry. I mean, I think, no, I'm just gonna say I think that you can, I think you'd have, um, continuous improvement or, um, operational excellence or those type of things built into your IT strategy.
As, as goals, you're trying to go above and beyond and make things continuously improve and make things better. Yep. But from a, from a, do we have compliance systems? Do we have processes that are sound and safe? I think that should just be baked into the job description, uh, and the role, the responsibilities and goals of the
Nate McBride: [00:53:00] department.
So, lemme I agree with all of that. I'm gonna challenge one thing I'm gonna ask. Sure, sure. Yeah, yeah, yeah, yeah. Couple things. But, so we talk about the role of the IT leader having to obviously consider, um, compliance with their decisions both on an operational and strategic level, uh, day to day basis and long term payment.
Yep. But they're also, that's, that's in an ideal world where I'm not influenced by outside the pressures to be more compliant or Sure, that's true. To not, not be so compliant that we can't achieve this objective for the company, et cetera, et cetera. So yeah, that's
Mike Crispin: gonna happen. Absolutely. I mean, I'm with you a hundred percent.
Nate McBride: So, so then I think that to even expand on what you were saying, yeah. Yes. As part of the job description, you know, you must understand and adhere to compliance X, Y, Z, A, B, C, but this should be another line to that, which is you also must be intelligent enough to know when to be flexible. Sure. And [00:54:00] to, to tr uh, reasonably translate or retranslate the definition of compliance, not so as to suit the needs of the business.
But, and this is actually, you wouldn't write all this, but so as to Yeah, go ahead.
Mike Crispin: I was just saying in fairness that, to to that statement, it, part of your responsibility is you're, you're being entrusted with. The, the compliant components of, of the data and let's say from a data privacy perspective. Yeah.
Got, you. Could have, uh, a, a, a, a legal department or just maybe overall just from an enter, uh, from an enterprise, I'm sorry. Uh, an executive team perspective saying this GDPR thing, let's say a few years back, just came up. We gotta do all these things and you're gonna, we're gonna go over the top, even though, 'cause we talked to some other general counsel and we're gonna, we have to do all these things.
And I do think that from, especially from a technology and from a data perspective, [00:55:00] that they are expecting you as an IT leader to push back a little bit and ask questions and say, is this, what, is this the best path for us to move forward? Is this what we actually need to do?
Nate McBride: Sure.
Mike Crispin: And ask those important questions to find out, you know, whether or not it's a fit for the.
Architecture for the technology and data model that you have as a company because they, you are the, you as the IT leader are the expert in that, and that's why they're gonna bring it to you. Now, you are right. They might say, you may have people come in and put pressure on to do all these things, we must do them.
But that's what being a leader is, is being able to, you have your area of expertise and you need to make sure that's known and your concerns, and even in some respects, be able to tell people that they might be misguided. Um, and you should be able to do that as a, as a leader. It's not easy sometimes, definitely.
But yeah, you should have the ability to do that and say, [00:56:00] look, this is overkill for, for what we need this. You often have different nuggets of information and experience that they don't and vice versa. Okay. So it's important to be able to do that as, as a leader. Conflict isn't a bad thing. Nope.
Nate McBride: But, okay, so our IT leader.
Comes into the company and they have an extraordinary background and yeah. Understanding compliance and, and sort of legal risk frameworks. Yeah. You know how it applies to technology. They got all that, but upstream from them, there is a functional team that does not understand it as well. And let's assume that there's no compliance council, et cetera.
And then upstream from them is a finance team that is not doing compliance at the procurement level. Mm-hmm. There is a legal team that is not doing it. Technology compliance at a legal level. Yeah. There is, there, there are several other checks and balances. And so to this, this IT leader that we're talking about, do they [00:57:00] have, is it, is it within their responsibility spectrum to.
Ensure that all those checks and balances along the way before it gets to them have been addressed or, or are they somehow in front of all that? So lemme give you an example. Like if you have a standard IT steering committee and a company or IT prioritization committee, whatever you call it, well, someone wouldn't be able to come forward to the business with a new proposition for some kind of technological change without going through this committee.
That being said, at that committee, you could suss out whether or not there were any compliance requirements and had they been mitigated in terms of the implementation. Sure. That's one way to do it, I think, to answer that question. But yeah, absent that group, I feel like the IT leader is sometimes gonna get blindsided by, [00:58:00] I'm trying to think of an example that happened to me recently.
Um, I can't think of one off the top of my head, but I had examples in my career where someone's come to me and said, oh, we're ready to buy this platform. And I'm like, you gotta be kidding. This is so uncompliant like this, this helps you. It's absolutely, but sets the business backwards.
Mike Crispin: Sure. Um, oh, I think there's a number of those where you've got to, and I mean, hopefully Yeah, absolutely.
People would say, this is what we're going to do this based on this risk that we heard from a, a compliance perspective. We, let's say OneTrust is a great example. We're putting in OneTrust. I heard that, da, da da da da as OneTrust, and we're gonna open this giant platform. Or Why don't we have ServiceNow for GRC?
Why don't we have that all these other companies have it? We gotta do this. Right. And we both know how big of a bear ServiceNow is. Right? Oh
Trance Bot: God. Believe it. So
Mike Crispin: I think that, that you as a leader have to, and some of it is relationship [00:59:00] building and trust and nuance and compromise and working through some of it, you know, with, with leadership, you've gotta build those relationships.
You know, we talked about in season one, like these are the type of things we're talking about when these things come up. Sure, sure. And you've got a different perspective than maybe the ERM group at the top has made all these decisions and they're coming down and just sort of dictating what needs to be done.
I mean, this is, you should be in the ERM group.
Nate McBride: Maybe, maybe, maybe this Compliance council's not such a bad idea then. Because you know, what will happen is, um, you will have those key stakeholder interviews. You will Sure establish, establish parity with regards to all of the executive teams and the managers about what good compliance looks like, et cetera, et cetera.
And you'll have rules and process and policy, but they'll leave. Sure. They'll, they'll leave the company and new people will come in and, um, you know, we already know that you're supposed to have follow up key stakeholder interviews with new folks, et cetera. But if you already had a baseline in place, [01:00:00] if you already had baseline governance in place, it makes the conversation so much easier.
Oh, yes. We only put it in platforms that achi, you know, hold to X, y, and Z standards, by the way. Or we only transmit data through this one particular protocol. Like whatever it might end up being. You've already established these compliance safeguards in place, um, well before you have a human intervention.
Obviously it require alignment from humans to make these things happen, but that would be the, the net effect. Um, you mentioned something earlier too, about operational excellence, continuous improvement. Yep. Um, but let me back up a second. So when I asked you about where you would put this in your Strat plan, you sort of mentioned Yeah.
That you would put it into the bigger, you'd put it into all of the big bucket items. So if you had say, yeah, six strategic goals for next year, a security goal, service [01:01:00] goal, whatever you would Yep. Have an items in there for compliance, would you also budget for that? Because, and this will, this will lead into the con continuous improvement operational excellence question I'm gonna ask next, but would you actually set aside cash in your budget for compliance, some sort of compliance adherence process module time effort, or, or is it just that, does it just show up?
Yeah, and I, and I asked the question because I don't actually have an answer myself. I've, I've never actually in any budget I've ever written in my life, and there's been a lot of them, um, I've never written a line that said. 50 grand for activities related to compliance adherence or something because it's been this, like this tacit effect that it is just making shit compliant.
Mike Crispin: Yeah, and I think that's [01:02:00] where your alignment with, like if we're talking GDPR perspective, your alignment with the general counsel and the legal team is, okay, what, what regard do you hold this at? Is this, do we have bigger fish to fry here? I mean, we obviously have some process in place. How, where, where does it need to be?
And make sure you're having that, that relationship, that discussion with, with, uh, the legal leadership, realizing that that's one piece of it, but that there's sort of an understanding that what we're doing is, is good enough or it needs to be better and that, that needs to be budgeted for if you're going to.
Need to provide that picture. Right. And then I think with, on the, the, the GXP and sort of the, um, you know, um, EU regulatory compliance and the US regulatory compliance, just what exactly where we, where are we from a quality systems perspective and strategy [01:03:00] that's kind of joint owned in a lot of companies and, and aligning with that, and that's gonna help you to prioritize your goals.
I mean, it's not, the, the more I've over my career is realized that I'm sort of a decision maker, but also a moderator. And we are working between different groups that have different levels of ownership. Yeah. And it's not always a hundred percent on IT to have all the answers, but to help nuance and sort of curate the solution between the groups.
Compliance is another example of that. So are you losing autonomy? Not, not in the respect that you are helping to facilitate the discussion and helping them to provide the solution? Yeah, I think that's where your autonomy needs to stay loose in terms of the company's actual policy on some of these things, you, there's some things that you're going [01:04:00] to absorb and you are going to do, and others you're gonna need to push back on in order to move the company at the pace you wanna move with that.
Nate McBride: I, I, I think this is really where we're gonna get to the crux of the argument because everything, again, agree with what you're saying and I would say it the same way, but I don't think we can say it this way in this, in the scope of this bigger discussion. We can't say that it's assumed, it's part of what we do.
It's, it's these other elements we have to approach this now from a, okay. In the in Mike Crispin's future, Nate McBride's future in terms of strategic design, how exactly precisely are we factoring in, um, compliance, adherence, and also at the same time not ceding any more autonomy than we have to, to achieve those compliance adherences?
And you mentioned compli. Uh, continuous improvement and operational excellence. Two of my most favorite [01:05:00] things in the world. And seriously, I love CI. I could do CI all the time. I wish I was a full-time job. Um, continuous improvement. It comes from multiple angles. There's continuous improvement to make things cheaper, continuous improvement to make things faster.
There's not, all the time though, continuous improvement to make things more compliant. More compliant is like, yeah, maybe I. Third or fourth down the list, uh oh yeah, we're gonna do CI this year to make this more compliant. Well, yeah, you're gonna certainly try to keep it as compliant as you can, right?
Yeah. Maybe it's not the, the primary driver, but, um,
Mike Crispin: so some of it is just is, is policy and policy enforcement and policy adherence. I mean, that's a challenge unto itself. Like, okay, here's the policy. We're so, so how do you do policy?
Nate McBride: How, but how do you do policy adherence? Let's just take that one for example.
Yeah, it's tricky. I mean, I, training, I have a, I have a wonderful policy, but [01:06:00]
Mike Crispin: yeah, it's, it's a real struggle. I mean, it's a real struggle to get any policy implemented and understood if, well, that's the p that's the key point. Point is when people don't understand why the policy needs to exist, I think that's when, when it falls off or it's forgotten, um.
I've been through some good legal driven trainings around GDPR and just using that one. Yeah. And CCPA that, that, you know, for better or worse, scared the shit out of people and go, oh, oh my God. Hold on. Second. I, I, no idea i's right there.
Nate McBride: I, let me just dive, I wanna dive into that statement because you attended trainings that legal held Yeah.
Presumably legal in this instance Yeah. On these topics. And did you walk away saying, okay, that was a mandate for me, I now have to adhere to, or that was eyeopening and now I'm going to take the initiative [01:07:00] for it to go ahead and effect my world to adhere?
Mike Crispin: I, I was part of the policy development. Okay. So I, I was part of that process and a big part of privacy.
Uh, when, when you, when you look at the GDPR initial requirements was that you have a WISP in place. And, uh, information security standard in place that includes privacy. Right. So you're, you're kind of a jointed at that respect. Um, by default. Yeah. But even if that, even if that wasn't the case and legal sort of gave that training and I'm like, oh my goodness, like we've done nothing on privacy.
Why we're gonna have to do something about this. It's just blindsided me. I had no idea there's these regulations or whatnot. Um, then it's, go back and do your homework and make sure you, you know, what this is all about and raise the risk perhaps to legal at, you know, go [01:08:00] have a little bit of transparency and say, look, we don't have some of these things.
You just put in the policy and we're gonna need to do them, or. You're crazy. We actually don't need to do these things. And you know, here's, here's a few things we can do right now, and it, it may maybe we should think of, maybe you should have talked to us first, you know, um, because we should all be working on it together.
Nate McBride: So in the, in the, in the perspective of maintaining autonomy, what, yeah. One or two. What one, two or three things would you say are key? Because you, you walked into Yeah. Cardian and you sat down and you helped to design the WISP and you helped to create a process by which Sure. Um, these things were designed with you.
Like what, what were the sort of two or three things that you did that were most critical to make that happen?
Mike Crispin: I, at, at Cardian largely that's, I think one of the reasons I was [01:09:00] hired was, tell us what we need. Tell us what we need to do. Here are some of the things that were already. Working on, we have a good baseline.
Mm-hmm. We feel like what we've got is, is, is strong, but we're a growing company. We're gonna be doing a lot of exciting things. We wanna make sure that these systems work, they're secure and that we are taking policies we already have, you know, in hand as we're building those. And also take a look at all of 'em and tell us what you think.
Do we need to do some of these things? Do we, so I think when you come in as a, at, at sort of a leadership level, maybe you're, like, we talked about like the first employee, um, who's on the management team is you, are, you are largely being hired to, and I think this is true in the larger companies too. You, you're, you're coming in because they need someone like you to lead.
They don't need someone to come in [01:10:00] and just follow someone else's playbook or just kind of say yes to everything. The, the, hopefully in the interview process, it's come across that you are going to try and do what's best for the company, but also challenge some of the things that already exist, um, within the company.
And I think with the larger companies, you come in as an SVP or a CIO or whatnot, there's often a lot of things to kind of take a more introspective look at the department and the groups, and they're looking for you to make change to where it's needed and to, to lead and to challenge things, uh, to make them better.
That's largely why you're there. So in a compliance perspective, I think that holds very true. Um, and you should leverage the autonomy you've been granted that first a hundred days, especially to, to, to really give your report on [01:11:00] what needs to be done. I. I can see
Nate McBride: that, I can see that autonomy like eroding.
If after a hundred days you haven't achieved this goal yet, where you're going to be pressed more, I think this actually goes for any level of autonomy, really. Absolutely. More, more and more into a
Mike Crispin: credibility and trust. Right. I
Nate McBride: mean, if
Mike Crispin: you're not building those credits, a warm
Nate McBride: body and a seat.
Mike Crispin: Yep.
Nate McBride: Yeah.
Mike Crispin: You're, you're gonna be more reactive than proactive, so you gotta really grab that right away. And it is hard to maintain because things are gonna add up. There's gonna be more and more that needs to be done. There's more and more employees that come into the organization, have different expectations of the big company that they came from before and why they can't have all those things at a company of 30 people.
And it's, you know, there's a tidal wave that's coming as if you're an early hire.
Trance Bot: Yeah. Of
Mike Crispin: all new people, starting with new expectations. I think the benefit and probably some of the companies you've worked with, uh, as well, is when there are very [01:12:00] strong and good hires that are good culture fits for the company that live in the compliance function, that live in the legal function, um, you do it together, but if they hire people who are gonna come in and slam the sledgehammer on anyone who you know Right.
That, that's, that's it. That can break apart a, a culture of trust when you hire people like that, which is a whole other discussion. But I mean, it all comes together, you know, in terms of you as leadership and how you're gonna, how you're gonna maintain autonomy if there's other forces, like you said earlier in the discussion at work Yeah.
That you need to manage.
Nate McBride: You and I both know somebody who walked into a company that continuously changed its strategy like every quarter, um
Trance Bot: mm-hmm.
Nate McBride: For a very long period of time until finally it became too much. Uh, sure. Individual, fortunately for, for themselves is moving on outta that decrepit state of affairs.[01:13:00]
Um, so never
Mike Crispin: fun.
Nate McBride: That's never fun. When I was thinking about this, like, so how would you put this into a strategy? I went all the way back to the very beginning of this podcast, which is to say the beginning of the Calculus of IT book, um, the Life Science IT Leader Survival Guide. And it comes back to the basics as Mike was just talking about, which is that first 90 to 180 days.
There's a couple steps that you can do, and this applies to a lot of things, but when it comes to compliance, in order to maintain autonomy or at least hold fast as much as you can, first thing that you can do is you can assess your current state, right? And this is just something that you need to do anyway.
So add this into the mix. First of all, do a regulatory exposure assessment. So whatever industry you're in, you should be very verbose and fluent in the regulatory landscape for that industry. So what regulations apply to you? Where and how might they evolve? Or are they today? Are they all in [01:14:00] litigation?
Are they all pending? Are they all actually bona fide and have been in place? If they have, are there precedents? Has anybody actually been fined, et cetera. Then, um. After you've mapped your regulatory landscape, then analyze your vulnerabilities. And you don't necessarily need to publish this document, by the way.
I recommend actually not doing that. But at least understand where your current gaps are, where's the greatest risk, and then which most constrain your autonomy in order to to resolve them. And then third, identify any compliance opportunities. So where could a more strategic compliance approach, um, enhance your capabilities or give you any kind of leverage?
So that's number one. Regulatory, regulatory assessment. Number two is compliance capability analysis, which is again, and this is going back to, I mean many, many episodes ago, but basics, assess your compliance capabilities. How mature are your policies? Do you even have a fricking policy? How mature are your control?
That's, that's
Mike Crispin: key po even how have a policy, even [01:15:00] even a, a policy that you can adhere to. I think that's a big thing. You pe people write these policies and they're like. Oh shit, we can't do that.
Nate McBride: Yeah, well, yeah, that's the one's ever gonna do that. And that's worst. The realistic versus aspirational argument.
Well, well that policy sounds really good. Of course no one in the fucking world could ever do that, so we're not gonna use it. But great policy anyway. Exactly. It looks good. Good download. Uh, then there's, so you have to evaluate your capabilities. You have to evaluate your architecture. So how well does your architecture actually support in compliance?
Does it not? Is it impossible to, uh, so that's a key. And then you have to analyze your ecosystems and that includes the people that you really don't know yet. 'cause you just walked into the company, your vendors, your partners, your functional lines partners, and all the vendors that they've been talking to all these years before you got there.
And then all the other third parties that are out there sort of sitting in the wings. [01:16:00] Basically reselling your data to somebody else. So you have to analyze all that, and you have to real, I'm not talking like, like, like make a phone call. I'm talking like analyze, make a chart, make a grid, come up with a risk, risk matrix criteria, and then go ahead and analyze all these people.
So once you've assessed your whole state date, and this isn't very fast activity, but it's necessary. And once you've got it done, it only really needs some care and feeding over the rest of your career there at that company. Next thing you do is you develop your autonomy preservation strategies. So compliance, governance, or as Mike likes to call it, enablement, compliance enablement.
Update your enablement frameworks to balance compliance. Autonomy preservation, but don't say autonomy preservation. You don't have to write in order for me to preserve autonomy. No. You're just updating the governance frameworks to ensure autonomy preservation, not actually [01:17:00] stated. You want to build in oversight mechanisms that are appropriate to your automation.
Automated compliance systems don't be aspirational, be realistic. And then lastly, develop principles for maintaining appropriate control. We talked about the principles before, but if you have a vendor relationship, so a couple things about vendor relationships. One, there are things called, um, data transfer agreements or DTAs, and they're pretty common.
It doesn't have to be a formal legal policy, but you, you just should have something in place about where data goes, how it comes into your company, what they can do with it, et cetera. They can be formal. Some companies will make them formal, but DTAs are in place. You should also have though compliance agreements.
Like, I mean, and I'm talking like beyond their general terms of service. If it's data that you care about, you should develop a compliance agreement. Then you need to have the compliance architecture transformation. So after you just, and the assessment [01:18:00] found all your gaps, you might have to redesign your whole architecture.
That's a possibility. Mm-hmm. You might have to implement evidence generation capabilities. And so for instance, um, in our backup environment we have a g, there's a GDPR module built into it that allows us, 'cause it has this evidence generation capability to produce a report on any instance of any work, any person or slash keyword.
And years and years of backups, isolate every single instance of those. And then I can not only delete them, I can provide a report, an attestation report of those, it's evidence generation capabilities. Then you have to build in cross vendor compliance verification. So this is especially important if you have two vendors working together.
For instance, let's say you have an ERP vendor and then you have a vendor that supports that ERP vendor. They are not the same vendor. You must have cross vendor compliance verification that they are both complying with each other [01:19:00] independently of you. That is fricking hard, but it's good to do. Then you have your compliance capability development, which is what skills do we lack and we have to build for autonomy critical, uh, preservation.
We have to have compliance, inte intelligence gathering capabilities, and then we need, we need expertise across all the domains. Yep. These are all idealistic. Let me just once again caveat this. You're not gonna get all of this in the beginning, but you need to plan for it. Then you lastly need an economic strategy.
So I asked Mike before about his budget, it certainly doesn't exist in my budget. How could you even put something like this in a budget? But it is good to, to at least annotate your budget to indicate that in order to achieve X, there will have to be essentially some amount of monies spent on ensuring compliance.
It could be [01:20:00] hiring, uh, FTE, all the way down to implementing some kind of like SIEM platform to check in whether something's happening or not. Sure. So now that you've developed all these strategies. Guess what you get to do now? You get to actually create your roadmap, and that's the last piece. So you do all the ones that are easy, a.k.a. quick wins, get those done.
It shows you have compliance, it shows you have autonomy over your compliance. No problem. Minimal disruption, everyone's happy. Then from a longer term perspective, you gotta parlay those, those quick wins into the longer term programs. So I'm gonna move, okay? So we're all gonna become now compliant for, um, uh, ensuring that all PHI now only exists in this one corner of our collaboration environment.
Okay? That's quick win. That's easy to do. Now the next step is long term. [01:21:00] How do we ensure that any bit of PHI that comes into my company always ends up there? Yeah. Okay. Yep. That's hard, right? It doesn't, it doesn't go rogue. It doesn't end up as an attachment only in someone's email or something. And then you need longer term programs for, for, um, fundamental capability building.
You have to work with hr, potentially all the managers on this, which is to say every time you hire somebody, at least ask the question in the interview. If not, take it even further than that. Do you have a clue as to what compliance is? Maybe don't say that question, but something like that. And
Mike Crispin: so when I, when I, you know, I said it, it's hard with the PHI discussion, I, maybe I should have rephrased it.
It's, it seems like it's sometimes hard to hold people accountable when they don't do it. Do these things right. And I think that's where, [01:22:00] you know, um. From a privacy perspective, like being you, you mentioned sort of, um, metrics and Yeah. Having the, the ability to show where we're at, that's where you can add the, some real value is to be able to, so look, there, there was, there's a number of these information outside the scope and here's how it happened and this is how we can make sure it doesn't happen again.
And that someone broke this policy that was put out and are we gonna do anything about it or not? Because, you know, to, to the, to, to the point of, um.
To the point of whole, you know, people not being held accountable for breaking policy. I mean, that's a whole other thing, but I guess that's where people have to be, show it has to be seen how important it is that a company will actually adhere to these policies, and when it doesn't [01:23:00] work out that there's, there's consequences.
Nate McBride: That's the la the very last piece is the trigger based actions. I mean, basically you have to define specific responses to, um, regulatory changes, compliance events, or, uh, lack of adherence internally to compliance. You have to have responsive mechanisms in place documented that show if we don't adhere to a GDPR request, if we don't adhere to a CPA request from some state, like if we, or if we can't, et cetera.
Like here's all the things that we would have to do in those cases. It's like any good business continuity sort of situation. Um, okay, lights go out, here's what we do. Same principles apply. That's, that's the response to a, what you asked earlier, if someone brings in all their stuff, puts on your servers, and then wants you to remove it, um, yeah.
You would've had to already come up with a, a [01:24:00] technological mechanism that would, as soon as they put it on, would identify and move it off. Yep. Or isolate it somehow, right? You'd have to, you'd have to already have that in place, otherwise they would've been forced to reconcile with some of these responsive, responsive trigger based actions.
I mean, I think the key through all of these is to be proactive versus Yep, exactly. Yep. And think about all of the shit that you gotta deal with in the first, I mean, not even 90 days, the first year of being a new company. Where does compliance fit into that priority list? I mean, unless they hired you, because the company is sort outta compliance.
They're about to become, you know, not long, no longer a company, and they hired you for that purpose. Compliance is probably not on top of your list, but this is the perfect time to get in front of compliance and reestablish how it's going to be. And you might find very tough customers in the quality world.
There are people that still very, very hardcore [01:25:00] believe in a 30-year-old. Pre precedent for computer system validation. It's so old, it references floppy disks. They still believe that as being the golden rule, the sovereign standard, when in fact the industry has moved past them. So you might encounter those folks or folks that believe that things should be printed in duplicate and then stored in file cabinets as well as on servers.
You have to figure out ways to educate, train, and update what's going on. Um,
So just wanted to sort of sum it all up. Uh, basically if you have an autonomy advantage in place, obviously you can adapt faster to regulatory changes, and just in the last two years, we've seen 22 states in the United States anyway. Um, either [01:26:00] become CCPA compliant or, uh, come to almost near the conclusion of their CPA regulation with about, I think it's 15 other states currently working on CPA regulation.
And guess what? None of these are the same. They all sort of look the same, and they have small variations, but they're not the same. So if you haven't already made your world adaptable to these changes, it could be bad. The, even the FDA has been moving glacially from CSV to CSA as a standard, but CSA is translated as very reasonable.
Um, it's a reasonable approach. So again, it's one of those things where if you're still living by every single tiny little change, if you walk into the IT department in a new fart, you have to log it as a change management event that's not going to go well for your ability to adapt. You have to be more reasonable than that.
Um, [01:27:00] this will allow you as a company to pivot to new markets pretty, pretty sweetly. It'll allow you to build more trust with customers and partners, um, and employees. It'll optimize the economics and compliance. If you do in fact, start to talk about compliance in, in the terms of dollars to be compliant equals x to be non-compliant equals y you can get into the economic elements of wow compliance is actually an important thing.
And then to turn it into a strategic differentiator.
Mike Crispin: Sure.
Nate McBride: Um, so any last thoughts on, on this? I mean, I think from, I'll, I'll tell, I'll just say that from my perspective. Like, when it comes to autonomy based decisions, yes, we're influenced by a lot of things I'm influenced by, um, I'm influenced by what [01:28:00] the employees, well, we'll work best for the employees, of course.
What, um, who recently had a major breach, who's been bought by who, who has, you know, some sort of huge economic change in their licensing schema. I mean, I have been influenced by all kinds of decisions that make me think about what direction I'm going to go. Um, but I'm, I'm also, I mean, for a long time now, in either in the back of my mind or in the front of my mind have been influenced by compliance.
And I like to think that. I have, you know, there's a lot of lessons from this. A lot of this, what we, what I talked about tonight, by the way, is wishlist items. For me, these are not necessarily in practice today. Um, I don't necessarily have an environment that a lot of these things can be put into practice, but there are what I call an idealized solution where you are talking about the impact of compliance on your preservation of autonomy.
I can tell you that compliance is one of the areas where I am conceding autonomy. [01:29:00] Right now, I am not on the positive side of autonomy for, for compliance.
Mike Crispin: I, and I mean there is a part of me, Nate, that is, if there is one area where autonomy isn't as common, it's when you are dealing with compliance, because I mean, you're essentially supposed to comply.
Compliance. That's what it's all about. And yeah,
Nate McBride: that's right.
Mike Crispin: And not to say the obvious, but I guess that there's an element, like if there are other ways, there are other areas to really leverage more autonomy and compliance. You should certainly be a leader. And when there's too much compliance and there, it's really getting in the way of the company being successful, you should be able to push back.
You should be able to build a strategy that makes compliance better and more modern and more seamless and more reliable. Sure. Absolutely. Sure. But there's also, I think, you know, sometimes where someone who comes [01:30:00] in the organization who's an expert at compliance is this very strong background. You know, that's it.
It's not so much to think of it as, Hey, I'm just gonna give in. But we're like, okay, this person knows what they're doing. Let me leverage that expertise. Sure. And, and. They fo follow along and you know, it, we will get it done and it'll make my job easier and I'll be successful as well. There's definitely elements in the, in the compliance framework where it's like those rules are put in place for a, a reason, and they're, they might be harder to, to put off and to bend.
Um, so I, I think it's like if this is an area where, you know, maybe the more conservative approach is more common than the progressive, but,
Nate McBride: But Mike, if someone comes into you and says, like, let's use SOX as an example. So 404(b) is a wonderful example. Yeah, sure. You must, you must be able to show evidence that changes were controlled.
That's it. That like, [01:31:00] that's the, the, at the end of the day. Sure. Sure. That's what you have to adhere to. How you get there is entirely your choice. That's right. Absolutely. Yeah. Oh, a hundred percent. So, so when it comes to compliance using sort of financial public guidance, I feel like I have a lot of autonomy because yes, I have to give you this stupid document that actually proves nothing, but that you insist on having, uh, or actually 12 documents that are stupid and prove nothing.
But I'm gonna give these to you. But, and how I generated them however, is, is alchemy. It's magic. How I did it is my way that I chose to do, to generate this for you. But it is truth. It is, it is it adheres, it's what we have, right? Other situations? I can, I can I get it? Like with, uh, G 21 CFR Part 11 and CCPA and GDPR, there's not a lot of translatability up to that point, but there still are all these things that you can do.[01:32:00]
For instance, GDPR, you can put in mechanisms. You do have the control and the autonomy over selecting the mechanisms that you want, which will allow you to achieve the result of remediating, you know, an Article 17 request from GDPR in a very short period of time using almost no resources. Because you've already implemented all you, you've already figured out the, the math behind how you would do that.
And you've put in a process that will do it. Now, if you were like gonna be an autonomy, like boss level, boss monster, kind of like, you would not only figure out how to achieve that result of providing the data, you would make it so flexible that if GDPR changed, and it won't, you would be able to pivot right away.
True, true. But, but I guess even to and, and to, to just. Let me fi finish this point. I know it's long-winded, but ultimately, and if you're really [01:33:00] even like more boss monster than that, like sort of speed run world champion on that boss monster solution, you would be able to figure out how to reuse that framework for everything else as well.
It would be almost a singular compliance framework that was, that solved every problem. Sure. And that you might have to make some small, you know, nuance based decisions and changes along the way for very specific cases. But the baseline compliance framework that you decided to build as the IT leader had the buy-in from the business, had the key stakeholders aligned with, and it was best of breed from a baseline perspective, um, almost like a.
People proofing it. Like it doesn't matter what happens. We always have this baseline. It'll never go below the baseline. No one's ever gonna say, ah, fuck it. We're not [01:34:00] compliant anymore. No, they're only gonna get more compliant. So you just have this baseline that you can always build off of. Wouldn't it be nice to have all these?
Wouldn't it be nice? Wouldn't it be nice? It would be so nice if only I could hire somebody. Oh wait, I can't, 'cause I'm hiring an alchemist who's gonna just absolutely be let go to ruin compliance, not make more compliance. You're really gonna hire somebody to as a GRC, that's what you really wanna do. I mean, that's awesome.
But I am, no, no.
Mike Crispin: I mean, that was one of, I'm supremely jealous. One of the roles, one of the roles I was gonna look at and try and build a cybersecurity element into that as well. But I don't, I don't think it's something for this year. I think it'll be something for next year. Who's gonna do it? So if you add the
Nate McBride: cybersecurity part to that, I can see that being, or even like going a little bit further and adding in Yeah.
Full en enablement, using a crisp term, that'd be a pretty kick ass role.
Mike Crispin: It's a, it's sort of got a [01:35:00] data architecture realm to it. Like building that data catalog is a sure is a, is a big leg in the GRC stool. And I think that's where you find someone who's got a little bit of an analytics and a data architect background and they naturally, if they're from a, have a data governance background, they're gonna understand the semblance.
So the importance of cybersecurity and can probably manage the right vendor to help with that or they have the background themselves. But yeah, just the thought, I mean, it's something definitely at the last place we were working on, uh, last company and it was too hard. They couldn't find the right people.
I mean, it just wasn't the didn't exist. Uh, and the people out weren't out there that had a strong enough cybersecurity background.
Nate McBride: Cybersecurity.
Mike Crispin: We don't need it. Yeah. Just what's a big deal, you know? Oh, you know, we have AI now. You can just, everyone that's gonna, that's gonna do everything,
Nate McBride: just do everyone, give everyone, give everyone like a, [01:36:00] a secondhand Signal app to communicate over and we'll, no problem.
We'll be good. That's right. So everybody, Mike's gonna be hiring next year for this kick ass role, this dream job. Yep. I'm hiring right now for, um, sorry. I'm chewing a Twizzler, I'm hiring right now for a director, associate director of Digi Digital Alchemy. And your, your job is to be a complete disruptor, chaos creator.
Um, you know, immediate, like always make code changes in production type person. Basically somebody that I can be jealous of all the time. And then share a brain with. And then, um, maybe we both hire, maybe somehow through this podcast, we'll both hire these roles. Wouldn't that be crazy? That would be amazing.
Mike Crispin: All right. All, it'll all be worth it. Right? [01:37:00]
Nate McBride: If we have PAX East this weekend, look for Mike and I, we'll be in the AI AF shirts. Are you wearing that shirt tomorrow? Are you wearing something else?
Mike Crispin: I'll have to find it. Maybe. Yeah. Perhaps wear that tomorrow.
Nate McBride: We could be cosplay AI wannabes.
Mike Crispin: Well, we got, we don't get thrown out because of the back of the t-shirt.
Nate McBride: A ask me about AI. I'll just say that's to be our shirt. Ask me about AI.
Mike Crispin: Can you tell me something about AI? Yes,
Nate McBride: like him. Um, and, uh, we're down to, well minus the jort that we might do three episodes left after this.
I dunno what I'm gonna do without [01:38:00] you, Mike,
Mike Crispin: we're gonna keep it going. We're gonna keep going. We're gonna go, we're gonna go total,
Nate McBride: total futurist. So well a after. So this, so next week, well, let's put it this way. The last three episodes look like this. Um, building long-term resilience. Okay, that's episode 11. Yeah. Episode 12 is shaping the future of technology adoption.
Yeah, this is gonna be good because I have two test subjects. Uh, a 19-year-old, uh, daughter of mine and a 22-year-old son who are the future of technology adoption. And then episode 13, I had to put this in there. We are going to talk about Industry 5.0. Okay. We're gonna close with that as a topic. It's probably gonna be a multi parter, but we are going to get into this a hundred percent.
Mike Crispin: I, I think that will be an awesome discussion.
Nate McBride: I think that'll be great. I [01:39:00] cannot wait and every single, like, we're getting, we're, we keep pushing towards this inevitable end, so I can't wait to get there. Um, we'll have a jort, at least one more jort in there. So yeah, we're, we're winding down this discussion about your preservation of opinion, decision making, autonomy, strategic design.
All these things are threatened. And I'm not talking like FUD level threatened like, you know, tech week or CIO magazine, level of shitty article threat threatened. I'm talking like actual. You could just like be pulling a lever in three years if you're not careful. And don't ever let somebody see you pulling a lever.
Mike Crispin: It's very real. The Industry 5.0 discussion will be, will, will be incredible. Because it leaves very little. [01:40:00]
Nate McBride: Yeah. Here's what we do have, I just had an
Mike Crispin: idea. Very little room for humans.
Nate McBride: What if we do, what if we do episodes 11 and 12? 'cause they're, they're fantastic episodes. Yeah, absolutely. We, we do the JT on tokens.
Yeah. And then we do, which isn't an autonomy discussion, but it sets the context on tokens. 'cause it will be, that will be a big discussion then we close off with, with Industry 5.0 and uh, that sounds great. Just scare the shit outta everybody. Go full wally. Level one. With that one. Sounds good. Sounds great to me.
All right. I will see you tomorrow, my friend, at PAX. Prepared to video game your heart out. Bring, bring, bring some snacks. By the way. It's another, I'm planning
Mike Crispin: on learning a lot about gamification and [01:41:00] how I can apply it to my IT strategy.
Nate McBride: So you're gonna expense the day expense, the everything. I'm not gonna
Mike Crispin: expense it, but I'm gonna use this as a, well, I might gamify the expense,
Nate McBride: So you should, well, we have to go to MJ O'Connor's for lunch and you can expense lunch because you're doing gamification research on AI.
Mike Crispin: I'm gonna get one of those delicious grilled cheese sandwiches that they have.
If I'm gonna expense it, I'm gonna get a grilled cheese sandwich. Okay. I think, yeah, that's because I want that to be on the itemized receipt. That I got a grilled cheese sandwich because I want to follow the compliant policy.
Nate McBride: Yes.
Mike Crispin: Itemized receipts.
Nate McBride: You're so
Mike Crispin: compliant. Grilled cheese sandwich. Grilled cheese sandwich, man.
Nate McBride: Yeah, you're so
Mike Crispin: compliant. And I might ask if they have fruit punch as well. [01:42:00] Fruit punch. And actually as an appetizer I'll have chicken nuggets. Chicken nuggets, grilled cheese sandwich with the side of fruit punch. A nice drink.
Nate McBride: I bet there's almost no fat in that meal.
Chicken nuggets and grilled cheese. Okay, well I'm just gonna have a sip of sunshine or three. Okay. And uh, that'll be my meal. And it was, do you think they would make me a, go ahead. Sorry. I'll say show up. My receipt is sip of sunshine X three.
Mike Crispin: Mike, what's a hurricane? What is that $14 drink? It was more than your grilled cheese sandwich. Oh,
Nate McBride: you just tell him it's a, it's a new variation of rope steak.
Mike Crispin: Oh, rope steak's expensive. Yeah, it is very expensive. It's a lot of production value. Right? See, that's your t-shirt, rope steak, [01:43:00]
sad salads and rope steaks. All right, we got it. Can we get that printed by tomorrow?
Nate McBride: I'm printed. No, I'm not. I'm not. Uh, I, I lost my, my printing press is broken at the moment. Sorry
Mike Crispin: to bring it full circle. It'll be possible in Industry 5.0
Nate McBride: If you pay for it. Oof. With tokens. Tokens. Okay, everybody. Don't be a dick. Don't be a dick to IT people. Be nice to old people. Have your pet spayed or neutered. Don't tailgate. Sp sp uh, school buses. Um, don't pass people in non-passable lanes. It's five 30 in the morning 'cause you're late for work. Just, it's okay.
Get it a little earlier. [01:44:00] Um, give us all the stars in the universe. Buy us a beer. Go to yeast and meet us, um, next year. Wish you, we'll be
Mike Crispin: speaking on a panel.
Nate McBride: We'll be on a panel about, um, the top 10
Mike Crispin: podcasters
Nate McBride: from the, from the, from Boston. All right, dude. Good one. Thank you. I'll see you tomorrow. Chip Chop.
Bright and early. Be good party
Trance Bot: on binary whisper in night flashing screens that glow so bright in the, we take flight within our side.
We
the, [01:45:00]
through the cyber paths, we glide in the circuits, we fight. No restraints, no need to hide in the system. We. [01:46:00]
In.
One, we control that it's binary. Whisper in the night flashing screens bright in the we,
[01:47:00] the.