The GRC Podcast

Latest episodes

Nov 22, 2023 • 47min

Modernizing Identity and Access Management with Alex Bovee

In this episode of our podcast, we sit down with Alex Bovee, the CEO and co-founder of ConductorOne, to explore the crucial problem of identity and access management, a problem that is rapidly gaining complexity in the modern digital landscape. We delve into the potential risks and vulnerabilities that surface when companies fail to manage access efficiently. From dormant accounts of contractors off-boarded years ago to the worrying trend of over-permissioning, Alex takes us on a deep dive into the spectrum of issues that underlie identity management and discusses how they escalate as a company grows.

During our conversation, Alex also explains why this problem is fundamentally not human-scale, and why manual solutions simply don't cut it in a sprawling digital environment. By discussing the importance of an identity orchestration layer, scalable visibility, and making the secure option the path of least resistance, he emphasizes the necessity of modern, automated solutions for identity and access management, while also stressing that these tools need to be customizable to a company's specific pain points. Balancing robust security with the demand for fast, efficient workflows forms the core of Alex's views.

Furthermore, our discussion turns to future trends in identity management and how these trends will shape a new generation of identity security solutions. We examine the possible implications of creating composable building blocks of identity, catering to diverse users, enhancing user experiences, and leveraging emerging artificial intelligence technologies. Guiding us through ConductorOne's approach to these emerging challenges, Alex illuminates how companies can better navigate this critical, ever-evolving field of digital security.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.

Nov 8, 2023 • 43min

Demystifying Vulnerability Management with Ariel Shin

Join Ariel Shin, Twilio's Product Security Team Lead, as she simplifies the complex topic of vulnerability management in GRC. Learn about defining terms, creating a vulnerability management program, understanding zero-day vulnerabilities, and incident handling. Explore the relationship between vulnerability and risk, challenges of compliance frameworks, and the importance of building a culture of security.

Oct 25, 2023 • 1h 2min

Bridging the Gap between GRC and Security Engineering with Jeevan Singh

Join the discussion on bridging the gap between Governance, Risk, and Compliance (GRC) and security engineering with insights from Jeevan Singh. Learn about the pivotal roles of active listening, clear communication, mentorship, and collaboration. Gain valuable perspectives on rotational programs, vendor security assessments, threat modeling, diversity in security, and the evolving landscape of GRC.

Oct 11, 2023 • 48min

InfoSec Community Engagement and Personal Brand Building with Leif Dreizler

Join us for a conversation with Leif Dreizler, a dynamic figure and avid organizer in the InfoSec industry. While Leif is a skilled practitioner, his roles as a seasoned conference organizer, insightful blogger, and engaging podcast host allow his influence to extend well beyond the traditional workspace. In this episode, he generously unpacks his extensive knowledge on brand building and community engagement, underscoring the crucial participation of everyone, from novices to seasoned experts.

Leif takes us through his unique journey, emphasizing that there isn't a one-size-fits-all approach to career development in the industry. With a myriad of options available, professionals can carve out their own paths, selecting the avenues that align best with their individual needs and aspirations. He shares insights from his experience organizing prominent conferences, including AppSec California, BSides SF, and Loco Moco Sec, and reflects on how these endeavors have been instrumental in shaping his career.

The episode dives into the significance of community engagement and networking for security professionals. Leif shares personal anecdotes and highlights the importance of active participation in diverse community initiatives, ranging from public speaking and conference proposals to blogging and podcasting. He offers practical tips for maximizing efficiency in your work, sharing strategies for smart blogging and effective repurposing of content across talks, presentations, and podcast appearances.

However, Leif's narrative isn't solely about personal brand cultivation. It's also a testament to the myriad ways individuals can contribute to and engage with the larger community. He outlines the tangible benefits of active involvement, such as network expansion and the discovery of new job opportunities, and prompts listeners to reflect on how they, too, can contribute to and glean valuable insights from the community.

Tune in to explore Leif's story and consider how you might enhance your engagement with the security community, fostering both personal and professional growth.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.

Sep 18, 2023 • 57min

Trust Centers, Security Transparency and Customer Enablement with Monica Smith

Have you ever thought about how customer trust and security are intertwined in business? Monica Smith, Head of Security, Risk and Compliance at Asana, shares insights from Asana's innovative strategies to equip you with practical tools for building unwavering customer trust and designing effective enablement programs. Monica, with her extensive experience, walks us through the various terminologies, processes, and programs that Asana uses to instill trust.

We embark on an enlightening journey exploring how customer trust can streamline the vendor risk assessment process. Monica elaborates on the significance of building a trust center that resonates with a broad audience, highlighting security while also doubling as a marketing tool. She explains how the rollout of such a tool can help a GRC program optimize resources and minimize the time spent triaging and responding to custom questionnaires. Monica also discusses the pivotal role of metrics collection, through trackable trust center metrics, in demonstrating value and securing budget for GRC teams, while also bolstering customer trust.

This episode is a treasure trove of robust strategies to build trust and maintain strong customer relationships. Join us for this insightful conversation with Monica and redefine your approach to customer trust and enablement.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.

Sep 3, 2023 • 21min

Introduction to The GRC Podcast with Mark Graziano

Welcome to the first episode of the GRC Podcast! Join host Mark Graziano as he introduces himself and takes you on a journey through his career in governance, risk, and compliance (GRC), from starting at an IT help desk to creating this very podcast. In this introductory episode, Mark opens up about the ups and downs of his career and the lessons he's learned along the way.

In the first chapter, Mark reflects on his initial years in the IT industry and his transition into the GRC space. He discusses his realization of the need to contribute more effectively to the industry and how that led him to create the GRC Podcast. Mark candidly talks about the challenges he faced and how he plans to use the podcast to challenge the GRC industry stereotype.

In the next segment, Mark talks about the importance of understanding business needs in GRC and the necessity of bridging the gap between engineers and C-level executives. He emphasizes the importance of focusing on outcomes rather than processes, and gives a sneak peek into the topics that will be discussed in future episodes, such as building a successful security team and the role of AI in automating tasks.

The final chapter is an open invitation for all GRC professionals and security leaders to join the community-first podcast. Mark shares his vision of the podcast as a platform for sharing insights and experiences, addressing common issues faced by GRC professionals, and exploring ways to improve programs across different organizations.

Key Takeaways:
- Mark's journey from IT help desk to creating the GRC Podcast.
- The critical role of understanding business needs in GRC.
- The importance of focusing on outcomes rather than the process.
- The potential of AI in automating tasks in the GRC space.
- Invitation to join the community-first podcast for GRC professionals and security leaders.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.

Aug 21, 2023 • 53min

Simple, Scalable and Successful Risk Management with Daniel Redding

Daniel Redding, an expert in risk management, guides listeners through a comprehensive understanding of risk management and its influence on GRC. They discuss the interplay of probability and severity, factors that amplify risk, determining criticality of security incidents, transforming complex elements into manageable metrics, and effective communication strategies for presenting potential risks to executives. Proactive risk management and prioritizing vulnerabilities are also highlighted.

Jul 24, 2023 • 53min

Data Privacy Laws and AI Governance with Jake Bernardes

Get ready for a dynamic conversation with our expert guest, Jake Bernardes, as we delve into the often ambiguous territory of privacy legislation. Ever considered how data collection could impact you or the younger generation? We deep-dive into this pressing topic, examining how businesses are collecting data, and the significant impact it may have on all of us. We highlight how the changing nature of data and its accessibility emphasize the vital role of privacy laws in our evolving digital landscape.

Join us as we traverse the labyrinth of privacy laws across different countries and uncover the complexities businesses navigate to avoid certain regulations. We discuss the implications of the Patriot Act in the U.S., and the hurdles faced in passing privacy laws due to lobbying and the influence of large corporations. Jake offers enlightening perspectives on protecting ourselves from not just the collection but also the potential misuse of our data.

Lastly, we venture into the realm of AI and the implications it brings for personal data privacy. We consider the risks AI poses, the need for robust privacy programs, and the importance of understanding new AI security standards. What would a global privacy framework look like, and how can businesses demonstrate compliance? Our conversation concludes by emphasizing the urgency of an international approach to privacy, and the necessity for businesses to build trust with consumers in this new age of data privacy. This conversation is one you won't want to miss!

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.

Jul 5, 2023 • 1h 8min

Security Leadership and People Management with Patrick Ayertey

Ready to reframe your perspective on team management? Join us as we chat with Patrick Ayertey, Business Security Lead at Twilio, who shares his journey from being an individual contributor (IC) to a manager. Patrick's unique philosophy of leadership, deeply rooted in empathy and recognizing individual personalities within a team, might just inspire you to rethink your own approach.

Our conversation with Patrick is not just about leadership; it's a deep dive into the essence of human connection in a professional setting. Drawing upon his cultural background from Ghana and his experience as a music director, Patrick seamlessly blends these diverse perspectives into his management style. We unpack the importance of transparency and trust in manager-employee relationships and how understanding business dynamics can bolster career growth. Patrick also shares some interesting strategies he uses to build relationships within his team.

Finally, we explore Patrick's progressive strategies for working cross-functionally with high-level executives and for tailoring requirements to the business context. Patrick emphasizes the need to understand the 'why' behind regulations and requirements. We conclude the episode with a fascinating look into Patrick's personal projects, like teaching cloud engineering and creating music as an expression. This engaging conversation with Patrick ultimately challenges leaders to focus more on people than outcomes for team success.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.

Jun 5, 2023 • 1h 11min

Vendor Risk Management and Customer-Centric GRC Principles with Steven Nguyen

Get ready to redefine your understanding of GRC and security with our esteemed guest Steven Nguyen, Business Information Security Officer of Data Applications at Twilio. Promising to enlighten you with a fresh perspective, we delve into the complexities of vendor risk management and security sales enablement, all in the light of business improvement. Steven brings his expertise to the table, discussing the importance of agility and competitive positioning, as well as how to balance operational agility with reasonable security assurance.

This conversation takes a deep dive into the practicalities of executing GRC and security risk management within a small team. We touch upon the merits of adopting a cross-functional approach and the need for redundancy within skillsets, punctuated by Steven's insightful take on the matter. We also unravel the art of crafting quality questions for security questionnaires, which serve as a valuable tool to assess a vendor's maturity and calculate risk.

Not one to shy away from challenging topics, we navigate through the intricacies of security collateral and vendor risk management programs. Steven and I exchange views on the delicate issue of setting boundaries with customers running scans against our systems, and the legal complexities that contracts, DPAs, and security addendums bring to the table. We wrap up our discussion by emphasizing the importance of 'shifting left' in the sales process, and the need for standardization and transparency in GRC. This episode promises to be a rich source of knowledge for anyone keen on understanding the dynamics of GRC and security risk management.

For show notes, please visit The GRC Podcast website. Sign up for our Bi-Weekly Newsletter.