Intro

This chapter explores nuanced approaches to managing risks in cybersecurity, highlighting the importance of flexibility and informed decision-making. Listeners are encouraged to engage in accessible cyber risk assessments using external data, emphasizing that accepting certain risks may be necessary.

Transcript

chevron_right

Play full episode

chevron_right

Transcript

Episode notes

To learn more, go to grcengineer.com

SummaryIn this episode of the GRC Engineer podcast, host Ayoub interviews Tony Martin-Vegue, a seasoned expert in risk quantification and GRC engineering.

They discuss Tony's career journey from IT to risk management, the importance of cyber risk quantification, and the interplay between governance, risk, and compliance. Tony shares insights on the benefits of risk assessments for various stakeholders, the role of AI in enhancing risk quantification, and practical tips for those looking to start their journey in cyber risk quantification.

The conversation also touches on the philosophical aspects of risk management and the need for better decision-making frameworks in organizations.

Takeaways

- Tony has conducted around a thousand quantitative risk assessments in his career.

- Risk quantification enables richer conversations with executives about trade-offs and investments.

- GRC should be seen as a business enabler rather than a checklist.

- Cyber risk quantification (CRQ) is a philosophy, while FAIR is a tool to implement it.

- Stakeholders across the organization benefit from risk assessments in different ways.

- AI can significantly reduce the time needed for data collection in risk assessments.

- Understanding the philosophy of risk is crucial for effective risk management.

- The majority of time in risk management is spent on identification and communication, not just modeling.

- Organizations should focus on better decision-making rather than just remediation.

- Security awareness training may not provide a good return on investment.

Sound bites

"FAIR gives you a package, a framework."

"We need data to make better decisions."

"Security awareness training doesn't work."

Chapters

00:00 Introduction to GRC Engineering and Guest Background

02:39 Tony's Career Journey in Risk Management

06:49 The Shift to Cyber Risk Quantification

12:27 The Interplay of GRC: Governance, Risk, and Compliance

16:32 Understanding Cyber Risk Quantification and FAIR

23:13 Stakeholders Benefiting from Quantified Risk Assessments

28:32 Balancing Remediation Bias in Risk Management

34:13 Engaging with Risk Owners

39:49 The Philosophy of Risk Management

44:48 Quantifying Risk Activities

47:33 The Role of AI in Risk Assessment

52:21 Getting Started with Cyber Risk Quantification

01:01:04 Collaboration Between GRC Engineering and Risk Analysis

01:01:43 Challenging Conventional Wisdom on Security Training

Keywords

GRC Engineering, Cyber Risk Quantification, FAIR, Risk Management, Governance, Compliance, Risk Assessment, AI in Security, Stakeholder Engagement, Risk Acceptance

The AI-powered Podcast Player

Save insights by tapping your headphones, chat with episodes, discover the best highlights - and more!

Get the app

Home Top podcasts Popular guests Top books