
The GRC Podcast

Latest episodes

Apr 19, 2024 • 6min

Say the Taboo: Vendor Risk Management is Bullsh*t

In today's episode we take a candid look at the efficacy of vendor risk management programs in the face of breaches. This time, we're reflecting on a conversation that pushed me out of my comfort zone and made me question the very fundamentals of vendor risk management. The startling realization that the well-trodden path of best practices might not hold all the answers spurred a much-needed debate on whether it's time to disrupt the status quo and embrace a more proactive stance in managing vendor risks. We're challenging conventional wisdom by evaluating the October 2023 breach of Okta, which happened despite the collective efforts of nearly 20,000 customers' vendor risk management programs. The episode takes you through a journey of introspection and industry critique, examining how traditional defensive strategies might not be enough and why a shift in perspective is crucial. We don't just outline the problems; we also explore what it means to safeguard against the inevitable issues and the importance of leading with the taboo in conversations that could redefine industry standards. For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter
Apr 9, 2024 • 8min

Beyond the Numbers: Balancing Metrics with Intuition in GRC

Entrepreneur and founder of Amazon, Jeff Bezos, discusses the misleading nature of metrics in business decisions, sharing anecdotes and insights on balancing data-driven decisions with intuition. The podcast delves into the manipulation of data for false success and the importance of qualitative insights in GRC programs.
Mar 27, 2024 • 8min

Small Steps, Big Impact: The Path to Smart GRC Automation

In this episode we unpack the often overlooked value of starting with manual routines in GRC and the strategic path to effective automation.

Key Takeaways:

The Value of Manual Work: Although manual work is often viewed with disdain, it holds significant value in understanding the nuances of GRC processes. Manual routines force a deeper engagement with the components of a process, leading to a more comprehensive understanding of what "better" truly looks like.

Understanding Before Automating: Jumping directly to automation solutions without a clear understanding of manual processes can lead to inefficiencies and a misalignment with organizational needs. A profound comprehension of manual components is crucial before deciding on the path to automation.

Incremental Automation as a Strategy: Transitioning from manual to automated processes doesn't have to be a leap. Incremental, lightweight automations, introduced step by step, can be more cost-effective and easier for teams to adapt to. This approach allows for continuous improvement and helps distinguish between mere inconveniences and actual pain points.

Case Study - The Evolution of Segment's Customer Trust Practices: We delve into Segment's strategic journey from entirely manual processes towards a comprehensive spectrum of automation, culminating in the implementation of a SaaS-based Customer Trust Center. Initially reliant on manual methods, Segment incrementally integrated various technologies and automated solutions into their workflow. This gradual evolution continued until reaching a pivotal moment where the decision to build in-house versus procuring a specialized tool was reassessed. Opting for a purpose-built solution marked a significant milestone, demonstrating the effectiveness of an iterative approach to automation that not only enhanced operational efficiency but also solidified the foundation for future scalability.

Practical Insights for GRC Professionals: The discussion provides practical insights for GRC professionals on balancing the desire for automation with the reality of manual processes. It emphasizes the importance of being intimately familiar with the processes before automating them and showcases the tangible benefits of incremental improvements.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter
Mar 20, 2024 • 7min

The Intersection of Compliance and Security

Delving into the idea that compliance doesn't equal security, the podcast explores the importance of self-governance and integrity. It discusses the conflict between innovative security practices and compliance frameworks, using relatable examples like a crosswalk. The conversation emphasizes the need for a balanced approach incorporating integrity, innovation, and compliance for effective risk mitigation.
Mar 13, 2024 • 6min

Reconciling Ideal Security with Practical Risk Management

Listen in as we tackle the gritty complexities of risk management within the sphere of Governance, Risk, and Compliance (GRC), highlighting the delicate dance between aspirational security protocols and the more achievable, pragmatic solutions. This discussion takes place through the lens of PCI DSS compliance and examines the interplay of power, liability, and practicality as companies navigate the prescriptive demands of payment card brands. These insights highlight the complex layers of risk management, unearthing the tug-of-war between what's ideal and what's doable in the world of Governance, Risk, and Compliance. This narrative goes beyond mere compliance checklists; it's a candid exploration of how risk is offloaded to merchants and service providers, and the implications that has for everyone involved. Drawing from years of experience, I dissect the underlying motives of payment card brands and the resulting security awareness inadvertently driven by the PCI SSC. We grapple with the economic and social impact of technological changes, understanding the unintentional yet significant consequences of comprehensive system overhauls. By the end of our discussion, you'll have a richer appreciation for the nuanced realities that govern our transactions and the innovative thinking required to navigate this ever-evolving landscape. For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter
Mar 4, 2024 • 7min

Don't Think Like a GRC Professional

Unlock a new perspective on GRC that intertwines innovation with customer-centric values. This segment shines a spotlight on the integral role of user experience in governance, risk, and compliance, advocating for a business approach that isn't merely beneficial but fundamentally the right thing to do. Drawing from the wisdom in Tony Fadell's book 'Build', the episode intricately examines the strategic decisions that kept Nest afloat, highlighting the broader implications for solution-minded GRC professionals. Prepare to challenge the status quo of traditional GRC as we dissect the necessity of thinking like a builder rather than a blocker. Insights from Nest's legal strategies underscore the importance of agile and creative problem-solving. This episode promises to arm you with the mindset to lead and influence across all aspects of a business, ensuring that your expertise in GRC is not just a back-office function but a pivotal force in crafting products and strategies that resonate with users and stand the test of legal and market challenges. Join us for a candid exploration into the art of blending GRC savvy with a proactive business ethos. For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter
Feb 14, 2024 • 1h 12min

The Art of Resume Writing and Applicant Strategy with Gina Gabriel

In this conversation, Gina Gabriel shares inside information, tips and tricks for resume building that she accrued from over a decade of tech recruiting experience. Gina and I discuss the importance of resumes in career development and growth. We explore the resume review process, including what happens once job postings go live and resumes start coming in. We debunk common misconceptions about resumes and provide tips for making resumes memorable. We also discuss the value of referrals and networking in the job search process. Gina shares success stories of transforming resumes and offers insights into the storytelling aspect of resumes. Gina and I even conduct a live review of my actual resume, highlighting changes and recommendations. Gina provides information about her consulting services and offers free resources for resume improvement.

Unlock the secrets to transforming your job application from forgettable to formidable, as Gina and I share the tools you need to navigate the tumultuous waters of the job market. From uncovering the behind-the-scenes chaos of job postings to mastering the applicant tracking systems like Workday, our comprehensive chat is the beacon you've been seeking. Discover the potent combination of an impactful resume, the weight of employee referrals, and the nuanced art of tailoring your narrative to sail through the hiring process. Step into the inner circle of application strategy, where we spill the insider details on making your resume resonate with recruiters and hiring managers alike. Through a live review of my actual resume, Gina and I show you firsthand how to stand out in the interview process by selling yourself as effectively as the slickest SaaS product. You'll learn how to format your resume to tell your professional story and how to wield your job titles like a seasoned marketer, ensuring your skills and experience capture the spotlight.

Concluding our journey, we explore the treasure trove of free resources that can elevate your job application toolkit to new heights, and Gina extends an open invitation to anyone seeking tailored advice for career advancement. Whether you're a fresh-faced job seeker or a seasoned professional, my conversation with Gina arms you with the strategies to not just land the interview, but to ace it and confidently step into your next career chapter. Join us, and let's turn the page together on your professional success story. For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter
Jan 24, 2024 • 60min

Building Impactful Security Teams and Landing Your Dream Job with Tom Alcock

Join us for an insightful exploration of Security & GRC hiring with Tom Alcock from Code Red Partners. Tom illuminates their bespoke recruitment strategy, expertly aligning Security organizations with candidates who are not just technically proficient but also a cultural fit. We delve into the ever-changing world of Security & GRC employment, delivering actionable strategies for both industry novices and veterans. The conversation underscores the significance of perpetual learning and the power of networking in this rapidly evolving field. Tom highlights the crucial role of community engagement in Security hiring, demonstrating how building a trusted network can open doors to extensive connections and opportunities. We discuss the pivotal moments when specialized firms like Code Red become invaluable, be it for large-scale recruitment drives or assembling foundational teams for emerging startups. This episode brims with insights for those contemplating the right time and approach to engage with recruitment experts who deeply understand the ins and outs of security organizations and the ever-changing security landscape. Wrapping up, we focus on Security & GRC career progression strategies. Tom provides pragmatic guidance on role transitions, from individual contributor to managerial positions, emphasizing the advantage of maintaining hands-on involvement in certain situations. We also venture into pathways leading to senior management and C-suite roles, sharing inspiring success stories and identifying the distinctive qualities of industry leaders. Tune in for a compelling discussion about forging a triumphant career in the dynamic world of Security & GRC. For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter
Jan 10, 2024 • 53min

Making GRC Your Career Superpower with Chris Honda

Chris Honda, a seasoned Senior Security Analyst at Whistic, discusses the multifaceted world of GRC, including the concepts of governance, risk, and compliance. He emphasizes the importance of humanizing InfoSec and presenting on a personal level. Chris reflects on his own career trajectory in GRC and highlights the power of curiosity. He also explores the value of technical skills for GRC professionals and emphasizes the need for making a positive impact in the world.
Dec 30, 2023 • 39min

2023 Retrospective - End of Year Highlights

Highlights from the podcast include discussions on the importance of understanding the 'why' behind actions, reframing GRC efforts as products, the role of personal branding in career advancement, privacy legislation and data protection, the significance of customer trust and community engagement, and upcoming topics for the next year.
