21 episodes

Governance, Risk, and Compliance (GRC) is boring, uninspiring and bureaucratic – at least that’s what you’ve probably been told. In reality, GRC is a dynamic security discipline, which requires professionals to develop a deep understanding of their business, products, colleagues, and customers to be successful. Join Mark Graziano, as he partners with incredible security champions to challenge the GRC industry stereotype and outline security career and program strategies you can implement today. Visit www.thegrcpodcast.com for more information.

The GRC Podcast Mark Graziano

    • Technology

    Say the Taboo: Vendor Risk Management is Bullsh*t

    In today's episode we take a candid look at the efficacy of vendor risk management programs in the face of breaches. This time, we're reflecting on a conversation that pushed me out of my comfort zone and made me question the very fundamentals of vendor risk management. The startling realization that the well-trodden path of best practices might not hold all the answers spurred a much-needed debate on whether it's time to disrupt the status quo and embrace a more proactive stance in managing vendor risks.

    We're challenging conventional wisdom, by evaluating the October 2023 breach of Okta despite the collective efforts of nearly 20,000 customers' vendor risk management programs. The episode takes you through a journey of introspection and industry critique, examining how traditional defensive strategies might not be enough and why a shift in perspective is crucial. We don't just outline the problems; we also explore what it means to safeguard against the inevitable issues and the importance of leading with the taboo in conversations that could redefine industry standards.
    For show notes, please visit The GRC Podcast website.

    Sign up for our Bi-Weekly Newsletter

    • 6 min
    Beyond the Numbers: Balancing Metrics with Intuition in GRC

    Ever found yourself in a tug-of-war between hard numbers and gut instinct? Brace yourself for a candid journey into the world of data, as we uncover the truth behind the numbers that drive our decisions. This episode is not just another number crunching monologue; it's a story-rich exploration of how metrics can mislead and the power of anecdotal evidence, as demonstrated in a memorable moment with Jeff Bezos and Lex Fridman.

    With a dynamic blend of personal anecdotes and professional insights, we uncover the double-edged sword of metrics. Dissecting the manipulation of data to fabricate success and the unintended consequences of metric-driven incentives, it’s a reality check for any business professional. And for those grappling with measuring the success of a GRC program, get ready for a thought-provoking discussion that will leave you reevaluating your approach. No graphs or spreadsheets needed—just a healthy dose of skepticism and a reminder that sometimes, the stories behind the stats are the real gold.
    For show notes, please visit The GRC Podcast website.

    Sign up for our Bi-Weekly Newsletter

    • 8 min
    Small Steps, Big Impact: The Path to Smart GRC Automation

    In this episode we unpack the often overlooked value of starting with manual routines in GRC and the strategic path to effective automation.
    Key Takeaways:
    • The Value of Manual Work: Although manual work is often viewed with disdain, it holds significant value in understanding the nuances of GRC processes. Manual routines force a deeper engagement with the components of a process, leading to a more comprehensive understanding of what "better" truly looks like.
    • Understanding Before Automating: Jumping directly to automation solutions without a clear understanding of manual processes can lead to inefficiencies and a misalignment with organizational needs. A profound comprehension of manual components is crucial before deciding on the path to automation.
    • Incremental Automation as a Strategy: Transitioning from manual to automated processes doesn't have to be a leap. Incremental, lightweight automations, introduced step by step, can be more cost-effective and easier for teams to adapt to. This approach allows for continuous improvement and helps distinguish between mere inconveniences and actual pain points.
    • Case Study - The Evolution of Segment's Customer Trust Practices: We delve into Segment's strategic journey from entirely manual processes towards a comprehensive spectrum of automation, culminating in the implementation of a SaaS-based Customer Trust Center. Initially reliant on manual methods, Segment incrementally integrated various technologies and automated solutions into their workflow. This gradual evolution continued until reaching a pivotal moment where the decision to build in-house versus procuring a specialized tool was reassessed. Opting for a purpose-built solution marked a significant milestone, demonstrating the effectiveness of an iterative approach to automation that not only enhanced operational efficiency but also solidified the foundation for future scalability.
    • Practical Insights for GRC Professionals: The discussion provides practical insights for GRC professionals on balancing the desire for automation with the reality of manual processes. It emphasizes the importance of being intimately familiar with the processes before automating them and showcases the tangible benefits of incremental improvements.
    For show notes, please visit The GRC Podcast website.

    Sign up for our Bi-Weekly Newsletter

    • 7 min
    The Intersection of Compliance and Security

    In this episode, we delve into a widely accepted notion within the industry: the idea that compliance is not equivalent to security. While I don't disagree with this perspective, our discussion draws attention to the fact that compliance frameworks didn't just appear out of nowhere; they were developed in reaction to recurring detrimental effects on consumers.
    We explore this concept further using one of my favorite analogies—the shopping cart theory—to underscore the importance of self-governance and the critical role integrity plays in our actions. Whether it's the simple act of returning a shopping cart as an individual or the complex responsibility of protecting customer data as a business, integrity lies at the heart of both.
    However, the necessity for compliance brings with it a plethora of challenges. We delve into the ongoing conflict between the innovative spirit of information security and the perceived rigidity of compliance frameworks. Through relatable examples, such as navigating a crosswalk, I illustrate the intricate balance of risk mitigation, control design, and enforceable rules that shape our approach to maintaining both secure and ethical business practices.
    This conversation goes beyond mere adherence to a checklist. It's about acknowledging that, although there is no singular approach to risk mitigation, a balanced integration of individual integrity, innovation, and compliance is crucial for the protection of our products and data.
    For show notes, please visit The GRC Podcast website.

    Sign up for our Bi-Weekly Newsletter

    • 6 min
    Reconciling Ideal Security with Practical Risk Management

    Listen in as we tackle the gritty complexities of risk management within the sphere of Governance, Risk, and Compliance (GRC), highlighting the delicate dance between aspirational security protocols and the more achievable, pragmatic solutions. This discussion takes place through the lens of PCI DSS compliance and examines the interplay of power, liability, and practicality as companies navigate the prescriptive demands of payment card brands. These insights highlight the complex layers of risk management, unearthing the tug-of-war between what's ideal and what's doable in the world of Governance, Risk, and Compliance.

    This narrative goes beyond mere compliance checklists; it's a candid exploration of how risk is offloaded to merchants and service providers, and the implications that has for everyone involved. Drawing from years of experience, I dissect the underlying motives of payment card brands and the resulting security awareness inadvertently driven by the PCI SSC. We grapple with the economic and social impact of technological changes, understanding the unintentional yet significant consequences of comprehensive system overhauls. By the end of our discussion, you'll have a richer appreciation for the nuanced realities that govern our transactions and the innovative thinking required to navigate this ever-evolving landscape.
    For show notes, please visit The GRC Podcast website.

    Sign up for our Bi-Weekly Newsletter

    • 6 min
    Don't Think Like a GRC Professional

    Unlock a new perspective on GRC that intertwines innovation with customer-centric values. This segment shines a spotlight on the integral role of user experience in governance, risk, and compliance, advocating for a business approach that isn't merely beneficial but fundamentally the right thing to do. Drawing from the wisdom in Tony Fadell's book 'Build', the episode intricately examines the strategic decisions that kept Nest afloat, highlighting the broader implications for solution-minded GRC professionals.

    Prepare to challenge the status quo of traditional GRC as we dissect the necessity of thinking like a builder rather than a blocker. Insights from Nest's legal strategies underscore the importance of agile and creative problem-solving. This episode promises to arm you with the mindset to lead and influence across all aspects of a business, ensuring that your expertise in GRC is not just a back-office function but a pivotal force in crafting products and strategies that resonate with users and stand the test of legal and market challenges. Join us for a candid exploration into the art of blending GRC savvy with a proactive business ethos.

    For show notes, please visit The GRC Podcast website.

    Sign up for our Bi-Weekly Newsletter

    • 6 min
