Ep. 03

Martin Rues,

CISO at Outreach

Oct 06, 2020

Find out how Martin thinks about building privacy that’s easy for his customers to handle and how Outreach uses privacy as a differentiator among competitors in the SaaS space.

Text Transcription

Daniel Barber  0:15  

What an amazing month for Outreach: number six on LinkedIn top 50 startups, Bessemer’s cloud 100, and taking the leader position in the Forrester wave report. Today, we’re thrilled to welcome Martin Rues, chief information security officer at Outreach, the leading sales engagement platform. Welcome Martin.


Martin Rues  0:35  

Thank you, Daniel, it’s good to be here.


Daniel Barber  0:37  

Super excited to chat with you today, as we were just talking about you being a big believer since day one. And I would certainly love to just, you know, give a bit of introduction into your background and how you got to Outreach. And, you know, why you’re passionate about security and privacy.


Martin Rues  0:51  

I’ve been in information security for well over 20 years, in various capacities and professional services with Ernst and Young and Microsoft for 10 years in their infrastructure team. And then I joined Outreach in 2015, it was my first opportunity to build a security program from the ground up, take from all those lessons learned of the past, and, you know, try not to make the same mistakes. And a really interesting place to do it, given the value prop of Outreach and the data that we handle on behalf of our customers.


Daniel Barber  1:27  

Yeah. So I mean, you’ve seen this kind of market evolve, you’ve seen the landscape evolve, prior to going into GDPR, right in 2018. Just curious sort of your observations and some of your experience, as GDPR started to take place in 2016, and 17. And now we have California’s regulation, obviously, you know, going into effect this year. Just curious kind of what you saw starting that trend and what you’re experiencing.


Martin Rues  1:56  

I think the trend started and got a lot of attention when Safe Harbor was invalidated. That was right around the time I joined Outreach. And as I looked at Outreach’s business, I thought, we’re gonna have to figure out a privacy program and a good story. And, you know, thankfully, Privacy Shield came along and so we hopped on that. I already knew that GDPR was on the docket, it was gonna be coming down the pipe and so we had plenty of time to prep for that. And we did, and we got through it. And, you know, we were one of the few, not every company went and did this, there is no certification for GDPR but we decided to go get a third party attestation for our performance against its requirements because I thought that was important for our customers to know how we were thinking about it, and that we actually put real controls and processes in place to meet those requirements. And then, and then there comes CCPA is on the list and all these others.


And I started to talk to our team about how it is what it’s like to run a business that’s regulated, while sales and marketing isn’t officially regulated, like, you know, credit cards and PCI, or healthcare and HIPAA, I think that these regulations are tacit to sales and marketing being a regulated business, you know, those businesses thrive on personal connection, and being able to get in touch with individuals to help them solve pain and sell them a product for that. And so to navigate that is a challenge and you got to figure out how do I comply with the law, but still enable a business.


So we’ve been going down that path, and one of the ways to do that is to just build it into the product and so that’s where a large focus for us has been. Yes, we have to meet all the controls and the requirements and I’ve been in compliance for a long enough time that, you know, we know how to build a framework and implement controls for the business.


But I think in order to make it real, you have to figure out how are you going to build that into your product? Right? How are you going to demonstrate that to customers enable your customers to comply with is it’s not enough for us to be Yeah. Especially given what we do enable our customers to be able to do that as well.


Daniel Barber  4:20  

So, you know, you’re perusing the internet, you’re perusing the forums, the communities and the different places. Where do you go, right, what are your sort of top three sources as a security pro?


Martin Rues  4:31  

Yeah, I mean, as a security pro, I really like Dark Reading and Threatpost. I pay attention to those quite a bit. In fact, we have a Slack channel for security news, one of the first things I did when I got to Outreach, and I put those two in there.


After that I rely on relationships. And there’s plenty of other articles and posts that I read, but where I get some of the most valuable information is through my peers and through relationships, I try and keep in touch with them as much as possible, ask what they’re experiencing, what their thoughts are on how to best address it. You know, then I take that back and compare it to our strategy and I figure out what works best for our business, because it’s going to be different for everyone.


Daniel Barber  5:18  

Agreed. You know, shifting gears a little bit. What do you see as the risks across the landscape, specifically, maybe to b2b or just in general?


Martin Rues  5:28  

I think clarity of purpose, meaning, what’s the intent behind the regulation? Right? Let’s start there and figure out how to incorporate that into our business. And then, again, clarity on when does this apply b2b versus is the intent really to protect consumers is the intent really, b2c type businesses, and that individual, which I think most of these are focused on, but that’s not super clear in the written law, in articles in some of the lawsuits that are being brought against breaches for some company, but if you look at GDPR enforcement tracker. But you know, when you look at the list, it’s primarily b2c companies.


And that doesn’t mean we shouldn’t be concerned, I think we have to treat it the same as any company. But gaining that clarity is going to be important over time, because it’s challenging to have the conversations internally with the rest of the business that’s trying to grow and set a strategy, as well as then when you look at your control framework and the processes that you have to build out. How do we think about those? If it doesn’t apply to b2b, do we even do the work?


DataGrail   6:56  

Makes a lot of sense. So where do you see the opportunities for privacy? Obviously, there’s opportunities for Outreach, but just in particular, for privacy, where do you see companies or folks able to capitalize on that opportunity?


Martin Rues  7:09  

I think my answer’s probably a pretty classic one. And that is, I think, early adopters of this have an opportunity to sell it as a differentiator. And I think right now, the prime example is Apple. They have, it’s on billboards up on the freeway, commercials, Facebook Live, see, when has privacy ever been a sexy feature? Leave it to Apple to make privacy sexy and put it into a commercial about their product. You know, not to build them up too much but it is something to look at for companies that handle a lot of personal data for which that personal data is crucial to the success of that product, or the value that that company is selling.


There are companies now that are starting to figure it out and sell it as a differentiator. So I think that’s the key opportunity. I think the opportunity for Outreach exists in giving that control over the data that Outreach syncs with and processes directly to our customers, they should be able to pull all the levers and turn all the switches to obfuscate and retain and deal with their data, the way they see fit, and that complies with your policies and their controls as they try and meet these same regulations.


Daniel Barber  8:25  

Yeah, I mean, what you’re really talking about there is sort of that transparency and control kind of construct, right, of just giving the ability for the user to decide and then getting the controls to actually take action on that.


Martin Rues  8:38  

Yeah, the user and you know, in the case of a b2b, the business, I think, yeah, you know, the business hat, there’s going to have a set of policies, they’re going to be looking to comply and anytime we can make that compliance easier. 


I think that’s where there’s an advantage for Outreach, and we are building something right now that will help our customers do that. I think, you know, our integration with DataGrail, we’ve already got a few customers doing that process, self servicing a bunch of data subject requests every month. So yeah, we’re already doing and we’re just going to continue to build on top of it.


Daniel Barber  9:13  

That’s awesome. Well, look, love the conversation, man. Thank you for taking the time out of your very busy schedule. And yeah, I look forward to obviously chatting again soon. And folks listening in. Thank you for listening to the GrailCast. I look forward to seeing you soon.


Martin Rues  9:30  

Thank you for having me, Daniel. This is a lot of fun. You bet.