The GRC Podcast

Demystifying Vulnerability Management with Ariel Shin

Nov 8, 2023

Join Ariel Shin, Twilio's Product Security Team Lead, as she simplifies the complex topic of vulnerability management in GRC. Learn about defining terms, creating a vulnerability management program, understanding zero-day vulnerabilities, and incident handling. Explore the relationship between vulnerability and risk, challenges of compliance frameworks, and the importance of building a culture of security.

42:38

Episode guests

Ariel Shin

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Standardizing severity levels of vulnerabilities helps developers understand urgency and take action.

Clear communication, noisy alerting, and regular engagement are crucial to influence developers to prioritize vulnerability remediation.

Deep dives

Importance of Standardizing Severity Levels

Standardizing severity levels of vulnerabilities is crucial to ensure clear communication with developers. Providing clarity on how quickly vulnerabilities need to be fixed and their priority helps developers understand the urgency and take action.

The Importance of Communication With the Security Team

01:30

How to Succeed as an Engineering Leader

01:30

Managing Vulnerabilities with a Comprehensive Program

01:05

Introduction

2min

Defining Terms and Creating a Vulnerability Management Program

13min

Understanding Zero-Day Vulnerabilities and Incident Handling

2min

Exploring the Relationship between Vulnerability and Risk

2min

Challenges of Compliance Frameworks in Vulnerability Management

3min

NIST Peanut Butter Analogy

5min

Building a Culture of Security

15min

Join Ariel Shin, Twilio's Product Security Team Lead, as she simplifies the complex topic of vulnerability management in governance, risk, and compliance (GRC). In this podcast, Ariel helps us grasp the various roles that stakeholders play, the essentials of policy and standards documents, and how vulnerabilities, risks, and incidents are connected. She clarifies technical terms like 'zero-day' and 'exploitability' and discusses why it's crucial for companies to be open about their security practices.

We also tackle the tricky subject of meeting compliance and security standards across different industries. Ariel uses the OWASP mobile checklist to highlight the challenges of applying one set of rules to all kinds of organizations and talks about the 'NIST peanut butter' approach in security discussions. We emphasize the need to communicate compliance requirements effectively to various audiences.

In the concluding part, Ariel and I discuss how GRC and developers can work together more effectively to manage vulnerabilities. We look at the obstacles in compliance and the importance of clear communication and influence in prompting developers to fix security issues. Ariel gives valuable advice on automated reporting and the best ways to report security matters to management.

So, tune in to get a clearer picture of vulnerability management, learn strategies for engaging with stakeholders, and gain insights into building a straightforward program that connects vulnerability management, security risk, and incident response.

For show notes, please visit The GRC Podcast website.

Sign up for our Bi-Weekly Newsletter

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

The GRC Podcast

Demystifying Vulnerability Management with Ariel Shin

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Standardizing Severity Levels

Building Relationships and Influencing Developers

Ownership and Accountability in Vulnerability Management

Effective Communication and Reporting

The Importance of Communication With the Security Team

How to Succeed as an Engineering Leader

Managing Vulnerabilities with a Comprehensive Program

Remember Everything You Learn from Podcasts