Considering Security, Compliance and Revenue with David Grazer
Most companies chase certifications to win deals — but what actually keeps customers is something no audit can measure.
In this episode, vCISO David Grazer makes the case that trust is a measurable economic asset hiding in plain sight: your customer retention rate. Drawing on 15+ years inside high-growth tech companies, David explains why compliance frameworks are customer acquisition tools, not retention strategies — and how the gap between the two is costing businesses more than they realize.
This episode is for founders, security leaders, and C-suite executives who want to connect their security and privacy programs to real business outcomes.
You'll learn:
→ Why a SOC 2 or ISO 27001 certification is only the beginning of earning customer trust
→ How customer churn functions as one of the most honest security metrics available
→ Why MFA and common security controls often fail the users who need them most
→ What "Trust by Design" looks like in product development and AI programs
→ How to translate security risk into language that resonates with your CFO
Chapters
00:00 Introduction to Secure Talk and Trust
03:42 David Grazer's Journey into Security and Privacy
08:09 Navigating Compliance and Customer Trust
12:49 The Role of Consulting in Security
18:07 Trust as a Measurable Economic Asset
23:42 Identity Management in the Entertainment Industry
26:09 The vCISO Model and Its Impact
29:13 The Evolution of Compliance Conversations
33:17 Exploring the Intersection of Technology and Society
Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals.
Charlie Munger said that trust is one of the greatest economic forces on earth. My guest today opens his LinkedIn profile with that line, and after our conversation I understand why. Most of us treat trust as something soft, the kind of thing you talk about but never put a number on. David Grazer argues the opposite. Trust is a figure you can find on your balance sheet, and the place to look for it is customer retention.
Here is the argument. A compliance framework gets you in the door. It is a customer acquisition tool. You earn the certification, you clear the security review, you win the deal. But a certification is a point in time. It is an attestation about a single moment. The trust that keeps a customer with you for years is something you have to prove continuously. It shows up in the way your support team talks to a worried user, in the data you choose not to collect at onboarding, and whether the first time a customer hears about your security practices is during an incident or long before one ever happens.
David has spent his career on both sides of that equation, building products and then running the security and privacy programs that protect them. We talk about why frameworks are the beginning and not the end, why customer churn might be one of the most honest security metrics you have, and why the controls we bolt on for safety, like multi-factor authentication, so often fail the very people who need them most.
David Grazer is a Principal and vCISO at Steadfast Partners with over 15 years of experience building and leading security, privacy, and trust programs for high growth technology organizations. With a product driven background, David specializes in integrating security into fast moving environments that support innovation while maintaining strong controls and customer trust.
David brings deep expertise in Trust by Design programs, enterprise identity and access management, fraud prevention, privacy program development, and ISO 27001 readiness and certification. He has led security and privacy initiatives for a two billion dollar creator platform, supported regulated fintech environments, and partnered closely with product and engineering teams to deliver secure, compliant, and enterprise ready capabilities.
At Steadfast Partners, David serves as a fractional security leader, helping organizations navigate complex security reviews, unblock enterprise deals, and translate technical risk into clear business decisions without the overhead of a full time executive.
Join me in welcoming David to SecureTalk.
—-
Justin Beals: David, thanks for joining us today on SecureTalk. We really appreciate it.
David Grazer: Thanks for having me. Appreciate the time.
Justin Beals: Excellent. All right, well, we always enjoy a good origin story on SecureTalk. All of our paths are a little twisted in how we got to our current professional space. Maybe you'll tell us a little bit about how you first found your way into privacy and security.
David Grazer: Sure, yeah, I've been thinking about this. So I mean, I grew up watching, my dad introduced me very early to James Bond and Indiana Jones. I love Iron Man, but I was a Batman kid, and so, Star Wars. So I always kind of had this view of building and using technology to kind of help people. So there was something in there, I think. And then my dad was in, like, the hardware tech startup spaces and was, you know, fairly techie. So it was kind of in the ether, and so, you know, I spent a lot of time as a kid playing sports. And then I was making movies and was trying to, like, make my own Star Wars, or like these kind of, you know, unique things. So a lot of my tech experience actually was in how do you make certain things work? So that was kind of how I did it, which I think is a little different than a lot of folks in security, but in privacy. And then, you know, kind of fast forward, I ended up in, you know, tech startups, and in the early days I was more so, like, on the growth hacking side. And, like, I actually got fairly good at OSINT, which is interesting.
And then hopefully they'll be okay with me saying this. And then my eldest niece was born and I had two cousins who I'm very close to who were kind of coming online at the same time. And it was like, I think it could be better for them. And so that kind of motivated me to transition from more of the growth and that side of things on the tech, in the tech world to security and privacy foundationally. And I've kind of moved between the security and the privacy teams and the product teams kind of for a variety of, for a bunch of years now. So a little older than I look.
Justin Beals: We don't often hear about a path where someone, you know, I think of growth hacking as like a marketing expertise, maybe even sales. Yeah. We don't often hear about that transition into wanting to build the product. First off, because as someone told me early in my career, if you want to make the most amount of money, Justin, go sell. Don't build things. So it's not that often that you see someone move the other direction.
David Grazer: Yeah. I don't, yeah, I don't have a good explanation for it. I mean, we still build. Yeah. It's all building, and you know, I work for a consulting firm now. So we are selling all the time, and you know, that's part of it. But, yeah, I think when you're doing it, at least for me, when you're doing growth hacking really well, I mean, you're seeing a lot of, I think, where we thought it would go is.
Justin Beals: That's great.
David Grazer: Now with, like, the GTM engineering pieces and all of that, it was always fairly technical. It was all about data flows and connecting them and trying to get things to work. And, you know, it's just kind of advanced from there. So it was a good training ground and, yeah, kind of, it was creative. And again, the OSINT piece of it is very interesting to me. You start learning a lot about how people get motivated to do certain things.
Justin Beals: When you say OSINT, then, and that motivation, is that including, like, crime or issues or vulnerabilities, or how people are engaging from the other side?
David Grazer: At that time it wasn't necessarily about that. It was more so what are they doing, how can you put the right messaging in front of people at the right time? But then as I made that transition, it was always about the way, when I would go into engagements with folks and do an assessment, it wasn't always about a certain framework or whatever we were doing at the time. It was, you know, I would kind of think about what is the actor going to try to do at your company? What's the risk or threat landscape for you? And you kind of start trying to build around there. So.
Justin Beals: Tell us about your early career at Tevora. You were privacy practice lead, and that was during the run-up to GDPR. A lot was changing in the market from a privacy perspective.
David Grazer: Yeah. I mean, it was a lot. I had a really great mentor. And she, I mean, she was an incredible mentor to many. But I kind of came in with this idea that data really was the new oil, and the way we were going to use data, that's how companies were going to create a lot of moats and economic value.
And there was that information asymmetry that people talk about all the time. And that kind of led to us starting and growing that practice. It was interesting, because I think it was fairly legal. I mean, at the time, we were one of the few firms who were technical first, business second, and then kind of we brought the legal end of it. That's how we kind of tried to construct the product, you know, the practice. Then I think that was, yeah, so it was kind of trying to, how do you build these technical systems around this new regulation and also contend with how businesses are making money, and how they're creating value for their customers. So,
it was an interesting time, and I think we're still, you know, that to me is the sneaky element of this new, if we're calling it an AI world, I mean, I think you can say, go with whatever direction you want to go with that, but that's privacy, and the privacy engineering piece in particular, I think is going to be very, we've still got some work to do.
Justin Beals: The consultative nature of your work, where you're working with a particular customer and really crafting some particular initiative that they're trying to achieve, you seem to have really enjoyed that and built businesses in that modality, starting with work at Tevora. Tell me how you see the relationship in the larger ecosystem as a consultative effort in security. There's a lot of other players. There's platforms, there's technologies, there's assessors. It's a pretty vibrant ecosystem.
David Grazer: That's a good question. So I think the way I look at it is, actually, if I've done them a couple of times, I've spent more time inside of companies, in the startups, than I have on the consulting side. But I think that that's kind of where I've seen the best consultants. One, most of them can pick up the tech piece; they're just curious by nature. So if they don't understand it, if they haven't built with it, they're going to go build with it. And AI has just, like, rapidly enabled that for folks who may have had time constraints over time. But I think that is kind of, it's like the learning is just massive and rapid at the same time. The other piece is that I think for me, and you know, this isn't a plug for our business, Steadfast, or anything.
But I think one of the big benefits is I've been inside and outside. I think you have to, the best consultative engagements that I have are, one, we can work in the nuance, because to build a lot of these programs, like high-quality, risk-intelligent security and privacy programs, which to me is really what you need to do, you have to be able to see the gray areas.
You have to understand not just the technical system, but the human element around the system, how the decisions get made in that system. You have to know like where in an incident who can actually make a decision. And if you haven't been, I think what is tough for some is they've never actually had to be in that seat. They've never gotten the 2 a.m. call. They've never had to take an executive off of a channel because they're not allowed to be inside during a privacy or security incident or whatever. And those are big decisions you have to make in real time.
And I think that's how I try to set myself apart: I empathize with the pain you're going through, and these are the technical things we really need to get right, and early, and think about, you know, the usability of the controls and all of that. And then this is how we pressure test it. And this is how you keep building on it, 'cause it's continuous and...
Justin Beals: Yeah. Every customer is unique is something we always say. Do you agree with that? Like I think that's part of the reason consulting has been such a massive market in security, privacy, and now as we get into compliance more heavily. Yeah.
David Grazer: Yeah, I think it's... I grew up in a family that was a lot of finance, a lot of financial views. So I always kind of go back to, it's two things first. It's how does the company make money? What's your top-line revenue? How does that happen? And then what's the data and the systems that kind of underpin that? And then from there you can kind of go, but you have to be very clear about how you're making money, because what's always an interesting conversation is, we have all this, you're in these regulations, and you have all these different scopes, and you have to apply these frameworks because you've collected all this data, and that's fine, but you don't make any money with this kind of data, or it doesn't help your business grow in any way, shape or form.
So how can you kind of peel some of that off, or be very cognizant about, we have this and it's for this reason, and we should put a revenue stream around it at some point; then it makes sense. So I would just kind of try to come back to that. And that makes every company slightly different, and where they're actually finding value, and they're able to pull their margins up, et cetera.
Justin Beals: Yeah, speaking of the economics, your LinkedIn opens with a quote from Charlie Munger: "Trust is one of the greatest economic forces on earth." And, you know, I think you line that up a little bit. You've written about how Cloudflare is built on a trust mode by publishing its security practices openly. Yeah, let's dive in there a little bit. What do you mean by trust as a measurable economic asset? It's oftentimes talked about in much more esoteric terms.
David Grazer: Yeah. So there are people in this space, there are academics and experts in it. I would point to Rachel Botsman, and Edelman does really good work with their trust barometer. So if folks want to dig in more to the academics of it, I would kind of go there. For me, it's more about the essence. I think what Mr. Munger was talking about was say what you do and have the receipts to say that. I think you're seeing a lot of that with a lot of the chatter around GRC engineering and continuous compliance. You know, you talk about it at Strike Graph; you know, it's happening in all different walks.
And I think it's more so saying, if you do this, you can show it at any point in time and prove to customers and users, which are slightly different, that you are doing the things that you say. And I think there's, you know, there's an unfortunate byproduct that's happened, which is a lot of folks just look at the certification stamp and they think that everything's okay. But really that's just, you know, it's a point in time, and they're attestations. And in a lot of cases, with something like security teams talking to one another, or customers investing heavily in your product or your company, that has to be continuous, daily, in milliseconds, right? And to me, that's where you kind of have to get to. It's also, there's a lot of, with Cloudflare in particular, what I was kind of getting at was,
they've always been very good about being consistent with their communication. Melanie Ensign talks about this a lot: the first time a customer hears about your security and your privacy practices should not be during an incident. It should be way before that. And you can do that with the continuous compliance and, you know, starting, you know, going there, showing the receipt, showing how you're making decisions.
Um, but it's also, like, going back to very specifically my privacy work: collect the data you need when you actually need it. Not necessarily collecting all the data up front. Like, if you don't need an address during onboarding, then don't go collecting it necessarily. You can, but it's these little, like, micro-intentions that build trust. And then I think what I've been trying to talk to a lot of folks about, it's not a perfect metric.
But it's more so about, frameworks to me are about customer acquisition. And that's great. That's the first element, but really great businesses are built on the value that you create over time. That's more retention. So you have the great programs. You want to get your program focused more on the retention pieces. So a good metric for that can be customer churn. So how often are customers churning away from you, and you can; it's those little pieces that you can do.
And it's not just everything that the security and the privacy teams do. It's how even the support teams talk to the customers. I mean, that's at least for me, when I've been inside as a leader, talking to the customer success teams or the support teams and how they're communicating. Like, turn on MFA or, you know, whatever it is, and how they help you through some of those problems. Those things build trust, and then you can see that in the customer retention, and that customer retention has a direct revenue line. And I think that's kind of where you can start to go.
Justin Beals: Isn't that really intriguing? I do tell, especially our customers, but folks that I talk to, I don't like framing just cybersecurity a lot of times. I get that you're looking at a particular technical problem to solve. It's certainly intriguing to me. But I think one of the things you're describing is that security is a very broad practice at a company. It involves almost everyone on some level.
It's funny, the only other thing I can think of that touches every part of the business that way is finance, or like budget in a way. And I think it's the second pillar now in this modern era that has to be available in the business. It started with articles of incorporation, started with a balance sheet. And now you have to ask yourself, what does resilience and security look like? Please.
David Grazer: Yeah, I was, yeah. I was just going to say, I was literally talking to a CFO, a good friend of one of my partners, and we both decided, like, we were trying our pitches out on each other, just like randomly. And his pitch was exactly the same as ours, just swapping finance for security and privacy. And I think that you see a lot of that, people are talking about this, like, translation, like speaking more in the business language, but it's even a little bit more than that: everyone's just really trying to solve the same problem, just using completely different language. And I think that's, it's that empathy, right? That's how you can make sure that everyone knows, like, hey, you do have a part to play in this.
'Cause in a lot of the tough times, security and privacy teams can't always make some of the containment choices. It's not on them, it's the partners. And everyone has to kind of be involved in that and understand their part. And you have to figure out these, like, translation layers.
Justin Beals: Yeah, yeah. Let's talk a little bit about your last operational role then. You were at Wrapbook, product manager. You built identity and data stewardship for entertainment payroll. So it was a very entertainment-industry gig.
A lot of maybe risk in the data that you guys stored. Were there any, how did you approach this new role? What's some of the first steps? Because as we mentioned, each company is unique, right? So there's some analysis up front, I'd imagine.
David Grazer: Yeah. Um, I mean, I will say I also had a really great counterpart who oversaw, you know, fraud as well. So it was kind of a dual effort. But yeah, I mean, Wrapbook, what they're solving, you know, it's really the financial services area of the entertainment space, and they're doing, you know, I'm obviously biased because I was there, doing a really good job of that.
And it's a complex, it's more complex than people think behind the scenes. There's a reason that the credits are so long on a movie. And so, and it's also, it's the original gig economy in a lot of cases, or the, I guess, the more modern gig economy outside of the studio system.
And so a lot of people are freelancers, and they can hold dual roles. You know, they can be a grip and a camera operator, they can be a, you know, a production assistant, or whatever, on the same week, different days, same movie and TV show, same commercial. And so, you know, I think for us, it was about really just being very clear about the personas and trying to kind of declutter what was going on.
And then, kind of with that very key understanding of how the money moves, then you can start kind of building the right guardrails around who someone is. And, you know, I won't get into some of the specifics of it necessarily, but, you know, we had two sides of it. There was the business folks, the production companies, et cetera, who are
bringing the movie or the project to scale. And then there's the folks that were helping, you know, they were working on the project. And so it's kind of separate identities. There's more of like an enterprise type of account element. And then there's the more freelance kind of side of it. And you kind of marry both, and it's a lot of fun kinds of problems to work with, and it's a great group that continues to work on it.
Justin Beals: The business person in me thinks about this. Yeah, what an interesting set of complexities. Like, I am from Atlanta. I have a lot of friends that work in film, help on set quite a bit. And even the companies are ephemeral. They'll stand one up and film something and then that disappears. That makes identity management really challenging. We don't even think about it in that way in most of our systems, yeah.
David Grazer: Yeah. It's interesting. I always kind of said that movies are, I think films and commercials kind of lend themselves best to this, even TV shows, I guess, but they're all like, they're very like startups, right? They're all kind of the same. They're like these little worlds that have to exist, and they spin up and then, you know, hopefully they spin up for a long time.
Right? Then, but then even in a movie, there's an end part to it. Right? So that's always kind of the way I've looked at it.
Justin Beals: Now you're at Steadfast presently, and they describe one of your specialities as trust by design for product and AI teams. And so we talked a little bit about your work on the product side, privacy and security. Let's crack open the AI space. Maybe we'll just start with, you know, did you have a lot of prior background in data science and machine learning in your other product roles, or have you been coming into the environment a little bit?
David Grazer: I have experience in the data science and the machine learning pieces, in different roles and in different kinds of ways. But yeah, so, I mean, that has been kind of the growth of it. Then it's kind of just continued to expand, I guess. I think we're still early days and it's exciting, and I'm cautiously optimistic. I think about where we're going. I think it's going to be very interesting. I think, you know, I'm a parent, so I have both sides of the hat on. I think about it from a technology perspective, it's really interesting.
And then you think about it as a parent and, you know, focusing on like the core fundamentals of things that your children need to learn. But yeah, we're continuing to evolve in that space. But I think what keeps coming back, what we keep coming back to is it's the fundamentals still for a lot of companies. It's just, it's really honing in, you know, like I was saying before, it's honing in on how the revenue piece, how are you making money as a business?
And if you, as you implement AI, whether you're going to host something and build your own model, you're going to go in that direction, or you're going to go at it from using some of the foundational models that are out there today, you just have to be really clear about what you're doing, what you intend your outcome to be. Then you can structure everything around there and start putting your own governance or guardrails around it in the code or in the way that you just operate as a business.
Justin Beals: Yeah, I think, you know, it could explode like shadow IT. We certainly I cap that, but I think you're expressing a sense of intentionality into, you know, where to layer it in and to look back at the business for the risk areas or rewards from those decisions, right? Yeah.
I wanted to get to the vCISO model a little bit. It's what you're working on lately. And, you know, I think you guys probably started Steadfast as somewhat of a critique against solutions that are in the marketplace, or in some form differentiation. You know, tell me a little bit about what you see as some things you want to improve in the vCISO marketplace, habits that you don't think are as beneficial as they could be, or maybe even deleterious to an outcome.
David Grazer: Yeah. Critique's an interesting way of looking at it. I think it's more so that all of us have been in this space for a while. So, you know, I think when you collectively look at it, it's, I don't know, 30-plus-some-odd years, which I think makes all of us feel a little bit older than we thought we were, but different conversation.
But we really think that there's an opportunity for companies to get ahead of some of the tough questions that they're going to face. That's really what we tried to do with the experience that we've had; all of us have been inside. So all of us have, in some way, shape, or form, been inside a company that has to comply or think about data risks, however they kind of show themselves. And that's really the way that we tried to approach it. And we also, I've spent a lot of my career in the startup world, so younger companies, and there's things that we did well and things that we could have improved upon.
And we can now, looking back, say, we could have made this decision earlier and that would have made it easier for us to get into this new market. Or we miscalculated on this and it cost us too much money, or there's a variety of little nuances that you kind of play with. So, again, I'm not sure it's necessarily a critique, but that's more so how we kind of present ourselves: we've been in your shoes and we're going to help you make the best choices so that you're focused, you know, get you to that compliant level that helps you get into the game. It helps with the buy-in, doesn't necessarily, but then you're not necessarily worried about every new regulation, every new market and every new threat, because you're making more risk-based decisions. You're improving your decision quality around how you make money now and in the next six months and 12 months or whatever it may be, and we can coach around those problems and apply the right technology in the right place.
Justin Beals: So 30 years, the industry has been around a little bit. I'm newer to it, right? I've been working at Strike Graph now for six years plus, but has it changed the part of your conversations that are about compliance, when you think broadly about the marketplace? Or has it always been a big part of the discussion? Sometimes I imagine that it's gotten more a part of the discussion recently.
David Grazer: I think it is. I think there's, yeah, it's become more a part of the conversation. And, you know, I think there's a variety of folks online who have kind of reminded me of the reason we came to all these frameworks, which is it was to attest to the programs that we built. And I think that's the piece that gets glossed over a little bit.
I think everyone has really good intentions with the way they're approaching it, but it's, it's interesting that it's frameworks first in a lot of conversations versus we're building this product and we have this data and we need to make sure that we're doing the right things so that we can get an attestation to help us get into these markets or work with these partners.
But we also want to build a 50-year company, a 100-year company, we want to be, you know, whatever unicorn level you want to be. Those things come beyond just kind of your foundations. You have to build on the foundations.
But I do also, in kind of that compliance conversation being very heavy, you're also seeing it kind of flip to what it means to do compliance now, which I think is really great, that more folks on the GRC side of things are being asked to embrace more DevOps-style workflows. That will, one, help them have more empathy for how things are working in the infrastructure, which is just so crucial.
But also it will make compliance live at a level that it can really live, which is there is confidence at that compliance level, but you have to show continuously to make that confidence. If you go back to trust, trust is typically earned. You have to earn that trust and show that by living up to what you're saying you're doing.
Justin Beals: Yeah. One of the common misconceptions I see is people imagine that a framework or a set of requirements will tell them what to do. I find that to be very rare. You know, a lot of the people that wrote these sets of requirements, as I read them, I find them to be very smart in dealing with a challenging problem: they want to maximize the use of the content they're writing. And that can make it very generic in the way they write it.
David Grazer: Yeah. It's there. I mean, there's a lot of nuance in the implementation. I think, yeah.
Justin Beals: Which probably brings us full circle to why it's nice to have someone that knows the business and someone that's an expert in implementation making some of those decisions. Yeah.
David Grazer: Yeah, there's a lot of, I think the great thing about the security and the privacy community, and I look at it, I'm not the only person, but I look at it very broadly, right? I think there have been people in my experience who just level up your view of what high quality is. And in particular, in the last, like, five years, I have met some incredible DevOps engineers or infrastructure reliability engineers. And these folks just raise the bar on security, and they don't align themselves with and don't call themselves security folks.
But I can tell you that the great ones it's embedded. It's just, It's a part of the cake. It's the ingredient. It is by design that you want. And that I think is, you know, just that continues just to bring everything up a level. So, yeah.
Justin Beals: Now you describe yourself, I think it's in some of the background work that we did, as an independent researcher. You've done some great work in the intersection of technology, people, society, and responsible AI. So I'm just a little curious about what's interesting you today. Like, what are you enjoying looking into? Where is your curiosity leading you?
David Grazer: Yeah, it goes all over the place. But I mean, I think there's two areas. I think broadly speaking, where digital and physical meet. So I think those experiences are just gonna continue to be very prevalent. And they're gonna be increasingly astounding. And there's gonna be some unique questions around privacy and security in there. And so I think a lot about that right now and that convergence. I think the term that a lot of people use is "phygital," so I think about that piece a lot.
Justin Beals: I have to say I haven't heard of phygital. So would you describe it for us? Okay. That's good.
David Grazer: Yeah, I always feel like I'm... it's physical and digital. It's, yeah, it's a lot in the retail space. But that, yeah, that's where I've been thinking a lot. And then because technology, I think the great experiences to come, you know, there's a lot of great experiences today. But when you get to the physical and the embodied AI, and you kind of add the spatial computing that we're seeing advance, those new experiences, those new physics around that are just going to be so interesting. And the way that the data flows is just going to be something to think about. And then I'm always very interested in... Heidi Trost has a great focus on usable security and privacy.
And I've been thinking about that for a long time, but in particular around, you know, folks that have, you know, different types of abilities around technology. Something as simple as, you know, multi-factor is not necessarily accessible or inclusively designed for everyone. And we try to bolt it on. And for me, that is something we have to continue to think about. There's a lot of... there's nuance in the way we apply MFA. Yes, you should. It's incredibly helpful, but you have to also think about the personas that live inside your user base, your customer base. And I continue to think about that as kind of a research problem. And I think that will expand, you know, obviously, as AI becomes, you know, more of an avatar and autonomous agent for certain folks.
Justin Beals: Yeah, I have to say lately, especially, I've been really disappointed with the MFA implementations. It is so confusing, and I use computers. I feel like a lot of the time I programmed them myself. I've set up, you know, identity management systems and some of the software that we've built over the years. And it's like, I've got 15 different choices, six of them commercial that, you know, require a subscription. None of them a thing that I carry around with me everywhere. And it gets really, like, frustrating. I complain that we left too much room for the commercial in the MFA work. I think we needed almost like a standard methodology that was the same all the way around. And, you know, it's almost like we left too many different lanes for the implementation possibilities. Yeah.
David Grazer: Yeah, I mean, there's a variety. I mean, there's a bunch of protocols that are, you know... we have our tried and true protocols that we use under the hood to do it. So I think that's fair. I also contend that we thought about very specific groups of folks, and, you know, this isn't accessible. It's very difficult. And, you know, even like the complexity requirements. And that has been in my head for years now.
And, so I kind of go back to that piece is there also needs, there needs to be, I agree, there needs to be maybe less choices, the paradox of choice, but there also needs to be a lot of flexibility in the way that some of that gets delivered to certain segments in your users.
Justin Beals: Wow, I love that area of investigation. I spent a lot of time in the education space and certainly had to deal with the 501c3 work and making sure that systems were useful for a really broad population with differing sets of needs. Yeah, absolutely. Well, David, I really appreciate you joining us today on SecureTalk and sharing your expertise with our audience.
David Grazer: Of course, this is a lot of fun. Thank you, Justin.
About our guests
David Grazer is a Principal and vCISO at Steadfast Partners with over 15 years of experience building and leading security, privacy, and trust programs for high growth technology organizations. With a product driven background, David specializes in integrating security into fast moving environments that support innovation while maintaining strong controls and customer trust.
David brings deep expertise in Trust by Design programs, enterprise identity and access management, fraud prevention, privacy program development, and ISO 27001 readiness and certification. He has led security and privacy initiatives for a two billion dollar creator platform, supported regulated fintech environments, and partnered closely with product and engineering teams to deliver secure, compliant, and enterprise ready capabilities.
At Steadfast Partners, David serves as a fractional security leader, helping organizations navigate complex security reviews, unblock enterprise deals, and translate technical risk into clear business decisions without the overhead of a full time executive.
Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.
Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.
Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.