Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

Jul 29, 2025

Tony Martin-Vegue, an expert in risk quantification and GRC engineering at Netflix, shares his insights on navigating the complex world of cyber risk. He discusses his journey from IT to risk management and highlights the transformative power of the FAIR framework. The conversation delves into the critical role of AI in speeding up risk assessments, effective communication for decision-makers, and the importance of viewing GRC as a business enabler. Tony also introduces his new Substack and upcoming book aimed at simplifying cyber risk quantification for all.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ANECDOTE

Pivot to Quantitative Risk

Tony Martin-Vegue shared how attending a C-suite meeting highlighted the limits of qualitative risk.
This spurred his discovery of FAIR and a shift to quantitative risk for richer executive conversations.

INSIGHT

GRC as Business Enablers

GRC works best when governance, risk, and compliance unite as business enablers.
Viewing GRC merely as checklists or silos disconnects teams and weakens impact.

INSIGHT

FAIR vs CRQ Explained

FAIR is a methodology tool, while cyber risk quantification (CRQ) is the broader philosophy.
One can do CRQ without FAIR, but FAIR provides a ready-to-use framework to start quickly.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

To learn more, go to grcengineer.com

SummaryIn this episode of the GRC Engineer podcast, host Ayoub interviews Tony Martin-Vegue, a seasoned expert in risk quantification and GRC engineering.

They discuss Tony's career journey from IT to risk management, the importance of cyber risk quantification, and the interplay between governance, risk, and compliance. Tony shares insights on the benefits of risk assessments for various stakeholders, the role of AI in enhancing risk quantification, and practical tips for those looking to start their journey in cyber risk quantification.

The conversation also touches on the philosophical aspects of risk management and the need for better decision-making frameworks in organizations.

Takeaways

- Tony has conducted around a thousand quantitative risk assessments in his career.

- Risk quantification enables richer conversations with executives about trade-offs and investments.

- GRC should be seen as a business enabler rather than a checklist.

- Cyber risk quantification (CRQ) is a philosophy, while FAIR is a tool to implement it.

- Stakeholders across the organization benefit from risk assessments in different ways.

- AI can significantly reduce the time needed for data collection in risk assessments.

- Understanding the philosophy of risk is crucial for effective risk management.

- The majority of time in risk management is spent on identification and communication, not just modeling.

- Organizations should focus on better decision-making rather than just remediation.

- Security awareness training may not provide a good return on investment.

Sound bites

"FAIR gives you a package, a framework."

"We need data to make better decisions."

"Security awareness training doesn't work."

Chapters

00:00 Introduction to GRC Engineering and Guest Background

02:39 Tony's Career Journey in Risk Management

06:49 The Shift to Cyber Risk Quantification

12:27 The Interplay of GRC: Governance, Risk, and Compliance

16:32 Understanding Cyber Risk Quantification and FAIR

23:13 Stakeholders Benefiting from Quantified Risk Assessments

28:32 Balancing Remediation Bias in Risk Management

34:13 Engaging with Risk Owners

39:49 The Philosophy of Risk Management

44:48 Quantifying Risk Activities

47:33 The Role of AI in Risk Assessment

52:21 Getting Started with Cyber Risk Quantification

01:01:04 Collaboration Between GRC Engineering and Risk Analysis

01:01:43 Challenging Conventional Wisdom on Security Training

Keywords

GRC Engineering, Cyber Risk Quantification, FAIR, Risk Management, Governance, Compliance, Risk Assessment, AI in Security, Stakeholder Engagement, Risk Acceptance