Mustapha Kebbeh, CISO at Brinks, shares his deep insights on the intersection of governance, risk management, and compliance (GRC). He emphasizes that strong governance practices are essential for meaningful GRC programs. Without effective leadership, achieving compliance becomes challenging. The discussion covers how actionable and accountable policies drive successful outcomes and the significance of integrating stakeholder perspectives for cohesive risk management. Discover how prioritizing governance can help organizations navigate the complexities of cybersecurity.
27:16
forum Ask episode
web_stories AI Snips
view_agenda Chapters
auto_awesome Transcript
info_circle Episode notes
volunteer_activism ADVICE
Effective GRC Implementation
Focus on actionable, accountable, and achievable GRC requirements.
Align the CISO's agenda with the GRC program for better harmony.
insights INSIGHT
Meaningful Governance and Enforcement
Governance and policies are useless without enforcement, requiring alignment with the tech stack.
Make risk meaningful to stakeholders by shaping behavior and guiding actions, not forcing compliance.
volunteer_activism ADVICE
Policy and Procedure Documentation
Keep policy documents concise and high-level to encourage understanding and avoid overwhelming readers.
Separate detailed procedures from high-level policy for clarity and easier implementation.
Get the Snipd Podcast app to discover more snips from this episode
Your policy should rarely change. But your ability to achieve that policy is found in procedures or governance that should inform, steer, and guide your team. Those procedures should change often and others should follow. Are they?
Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Mustapha Kebbeh (@mustaphake), CISO, Brinks.
Thanks to this week's podcast sponsor, CyberArk.
AtCyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.
On this episode of Defense in Depth, you’ll learn:
By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful?
Without the right governance it will be hard to accomplish the bigger picture.
GRC requirements have to adhere to the three A's: actionable, accountable, and achievable.
GRC programs require strong leaders. Without them, nobody will follow a governance effort.
There was debate on whether risk or governance should lead the GRC effort. But everyone appeared to agree that leading with compliance is very dangerous.
A list of rules, or governance, is completely pointless if it's not enforced. Enter risk, compliance, and a good leader and you've got the opportunity for enforcement.
Governance that's not tied to risk will probably be ignored and therefore useless.
The argument to lead with risk is because it has applicability to the business where it's questionable with governance and compliance. But for the purpose of this episode's argument, we were making a case for governance leading the conversation.
The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure to understand what you're dealing with.
Defense in Depth