Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

To learn more, go to grcengineer.com

SummaryIn this episode of the GRC Engineer podcast, host Ayoub interviews Tony Martin-Vegue, a seasoned expert in risk quantification and GRC engineering.

They discuss Tony's career journey from IT to risk management, the importance of cyber risk quantification, and the interplay between governance, risk, and compliance. Tony shares insights on the benefits of risk assessments for various stakeholders, the role of AI in enhancing risk quantification, and practical tips for those looking to start their journey in cyber risk quantification.

The conversation also touches on the philosophical aspects of risk management and the need for better decision-making frameworks in organizations.

Takeaways

- Tony has conducted around a thousand quantitative risk assessments in his career.

- Risk quantification enables richer conversations with executives about trade-offs and investments.

- GRC should be seen as a business enabler rather than a checklist.

- Cyber risk quantification (CRQ) is a philosophy, while FAIR is a tool to implement it.

- Stakeholders across the organization benefit from risk assessments in different ways.

- AI can significantly reduce the time needed for data collection in risk assessments.

- Understanding the philosophy of risk is crucial for effective risk management.

- The majority of time in risk management is spent on identification and communication, not just modeling.

- Organizations should focus on better decision-making rather than just remediation.

- Security awareness training may not provide a good return on investment.

Sound bites

"FAIR gives you a package, a framework."

"We need data to make better decisions."

"Security awareness training doesn't work."

Chapters

00:00 Introduction to GRC Engineering and Guest Background

02:39 Tony's Career Journey in Risk Management

06:49 The Shift to Cyber Risk Quantification

12:27 The Interplay of GRC: Governance, Risk, and Compliance

16:32 Understanding Cyber Risk Quantification and FAIR

23:13 Stakeholders Benefiting from Quantified Risk Assessments

28:32 Balancing Remediation Bias in Risk Management

34:13 Engaging with Risk Owners

39:49 The Philosophy of Risk Management

44:48 Quantifying Risk Activities

47:33 The Role of AI in Risk Assessment

52:21 Getting Started with Cyber Risk Quantification

01:01:04 Collaboration Between GRC Engineering and Risk Analysis

01:01:43 Challenging Conventional Wisdom on Security Training

Keywords

GRC Engineering, Cyber Risk Quantification, FAIR, Risk Management, Governance, Compliance, Risk Assessment, AI in Security, Stakeholder Engagement, Risk Acceptance