GRC Engineer
Ayoub Fandi
17 episodes
4 days ago
The podcast for practitioners applying systems thinking and engineering principles to GRC. We speak with GRC leaders, security engineers and practitioners transforming legacy GRC through automation, orchestration, and architectural thinking. Learn how to design scalable systems, build better workflows and solve coordination challenges. GRC Engineering works everywhere: from spreadsheets to enterprise platforms, AI startups to Fortune 500s. It also works for you! Hosted by Ayoub Fandi, founder of GRC Engineer, co-author of the GRC Engineering manifesto and leading GRC Engineering at GitLab.
Technology
All content for GRC Engineer is the property of Ayoub Fandi and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix
GRC Engineer
1 hour 2 minutes 1 second
3 months ago
To learn more, go to grcengineer.com

Summary

In this episode of the GRC Engineer podcast, host Ayoub interviews Tony Martin-Vegue, a seasoned expert in risk quantification and GRC engineering.

They discuss Tony's career journey from IT to risk management, the importance of cyber risk quantification, and the interplay between governance, risk, and compliance. Tony shares insights on the benefits of risk assessments for various stakeholders, the role of AI in enhancing risk quantification, and practical tips for those looking to start their journey in cyber risk quantification.

The conversation also touches on the philosophical aspects of risk management and the need for better decision-making frameworks in organizations.

Takeaways

- Tony has conducted around a thousand quantitative risk assessments in his career.

- Risk quantification enables richer conversations with executives about trade-offs and investments.

- GRC should be seen as a business enabler rather than a checklist.

- Cyber risk quantification (CRQ) is a philosophy, while FAIR is a tool to implement it.

- Stakeholders across the organization benefit from risk assessments in different ways.

- AI can significantly reduce the time needed for data collection in risk assessments.

- Understanding the philosophy of risk is crucial for effective risk management.

- The majority of time in risk management is spent on identification and communication, not just modeling.

- Organizations should focus on better decision-making rather than just remediation.

- Security awareness training may not provide a good return on investment.

Sound bites

"FAIR gives you a package, a framework."

"We need data to make better decisions."

"Security awareness training doesn't work."

Chapters

00:00 Introduction to GRC Engineering and Guest Background

02:39 Tony's Career Journey in Risk Management

06:49 The Shift to Cyber Risk Quantification

12:27 The Interplay of GRC: Governance, Risk, and Compliance

16:32 Understanding Cyber Risk Quantification and FAIR

23:13 Stakeholders Benefiting from Quantified Risk Assessments

28:32 Balancing Remediation Bias in Risk Management

34:13 Engaging with Risk Owners

39:49 The Philosophy of Risk Management

44:48 Quantifying Risk Activities

47:33 The Role of AI in Risk Assessment

52:21 Getting Started with Cyber Risk Quantification

01:01:04 Collaboration Between GRC Engineering and Risk Analysis

01:01:43 Challenging Conventional Wisdom on Security Training

Keywords

GRC Engineering, Cyber Risk Quantification, FAIR, Risk Management, Governance, Compliance, Risk Assessment, AI in Security, Stakeholder Engagement, Risk Acceptance
