GRC Engineer

Ayoub Fandi
Jul 29, 2025 • 1h 2min

Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

Tony Martin-Vegue, an expert in risk quantification and GRC engineering at Netflix, shares his insights on navigating the complex world of cyber risk. He discusses his journey from IT to risk management and highlights the transformative power of the FAIR framework. The conversation delves into the critical role of AI in speeding up risk assessments, effective communication for decision-makers, and the importance of viewing GRC as a business enabler. Tony also introduces his new Substack and upcoming book aimed at simplifying cyber risk quantification for all.
Jul 1, 2025 • 1h 9min

Beyond the API: GRC Engineering in the Real World w/ Ange Ferrari, CISO/SVP @ METRO AG

Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe

In this insightful episode of the GRC Engineering Podcast, host Ayoub Fandi sits down with Ange Ferrari, SVP & CISO at Metro Group, for a deep dive into how GRC has evolved over two decades and what it takes to scale security programs globally.

Our expert guest: Ange is a security leader with 20+ years of experience across the public sector, retail giants (Carrefour, IKEA), AWS EMEA, and now leading security for a global wholesaler operating in 36 countries.

We explore the evolution and engineering of GRC at enterprise scale, covering:
How GRC became the key to career growth from technical roles to CISO
Why cloud transformation shattered traditional risk frameworks
The reality of implementing controls across diverse, global technology stacks
Hot Take: The critical balance between prevention and detection that most miss
AWS insider perspective: What enterprise-scale compliance really looks like
Engineering pragmatic GRC programs that work in messy, real-world environments

Whether you're a CISO scaling global programs, a GRC professional in traditional industries, or anyone trying to make compliance work in complex enterprise environments, Ange shares battle-tested strategies from the front lines.

📋 Timestamps:
00:00 - Introduction and Ange's Background
02:57 - How GRC Enabled Career Growth
06:34 - Evolution of GRC Practices Over Time
14:52 - Common GRC Implementation Failures
25:56 - Defining GRC Engineering
33:01 - Where Should GRC Teams Report?
39:20 - GRC Challenges in Complex Enterprise Environments
49:05 - Lessons from the AWS Vendor Side
59:46 - Building Technical Skills in GRC Teams
01:03:39 - Hot Take: Prevention vs Detection Balance
May 20, 2025 • 1h 7min

Third-Party Risk Management from the Trenches w/ Blake, McKenna and Kristi | Experts Panel

Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe

In this premiere episode of the GRC Engineering Podcast Experts Panel, host Ayoub Fandi brings together three seasoned Third-Party Risk Management (TPRM) practitioners to discuss the real-world challenges and innovations in vendor security assessment.

Our expert panelists:
McKenna Yeakey (Netflix) - TPRM professional with previous experience at Splunk and Samsara
Kristi Hoffmaster - TPRM practitioner with experience at Okta
Blake Hoge (Airbnb) - TPRM professional with previous experience at Instacart and Salesforce

They dive deep into the practical realities of TPRM, exploring:
How to optimise questionnaires for different vendor risk tiers
Strategies for balancing speed and thoroughness in assessments
The evolving value of SOC 2 and other third-party attestations
Trust Centres: genuine security resources or marketing tools?
Security scoring platforms: their benefits and limitations
How SaaS security tools can enhance TPRM programs
Real-world stories from thousands of vendor assessments

Whether you're a security professional, TPRM practitioner, or interested in understanding how companies evaluate their vendors, this episode provides valuable insights into how leading companies like Netflix and Airbnb approach third-party risk.

Subscribe to the GRC Engineering Podcast for more expert discussions on governance, risk, and compliance engineering.

00:00 - Introduction to the Experts Panel
03:20 - Questionnaire optimisation approaches
11:00 - Risk-based vendor tiering strategies
18:00 - Balancing speed and thoroughness in assessments
26:45 - Netflix's way of integrating TPRM
30:05 - Declining value of certification and attestations
37:30 - Trust Centres: helpful or just marketing?
44:30 - Security scoring platforms: useful signals or noise?
49:40 - Kristi pulls a reverse UNO card and asks Ayoub about TPRM disruptions
52:45 - SaaS Security tools for TPRM programs
58:25 - Interesting vendor assessment stories
01:05:00 - Closing thoughts on TPRM's value

#TPRM #VendorSecurity #RiskManagement #GRCEngineering #SupplyChainSecurity
Mar 25, 2025 • 1h 53min

The Unfiltered GRC Automation Roundtable: 7 Platform Executives on Enterprise GRC & Commoditisation

In this groundbreaking episode of the GRC Engineering Podcast, we bring together executives from the 7 leading GRC automation platforms for an unprecedented discussion on the future of compliance automation. For the first time ever, leaders from Vanta, Drata, Anecdotes, Secureframe, Sprinto, Scrut Automation, and Thoropass share the same virtual stage to debate critical industry topics, challenge common assumptions, and share their visions for the future of GRC.

Featured Guests:
Jake Bernardes - CISO, Anecdotes
Matt Hillary - CISO, Drata
Jeremy Epling - Chief Product Officer, Vanta
Shrav Mehta - Founder & CEO, Secureframe
Girish Redekar - Co-founder & CEO, Sprinto
Nicholas Muy - CISO, Scrut Automation
Andrew Persons - VP of Product, Thoropass

From the commoditisation debate to enterprise adoption challenges, get unique insights into how these platforms are shaping the future of GRC.

Key Timestamps:
00:00 Introduction and guest introductions
09:00 Is compliance being commoditised? The vendor perspective
32:30 Is Assurance impacted from selling compliance to non-GRC stakeholders
49:30 If quality was very low, most GRC automation firms would be out of business
54:30 Selling GRC automation to enterprise customers
01:19:00 Working around existing legacy GRC platforms
01:34:30 Risk of being replaceable as being embedded at the data layer
01:38:40 Working with product feedback from non-customers
01:46:45 GRC Engineering discussion
01:50:00 Conclusion and key takeaways

Special thanks to our guests for making this historic conversation possible. This discussion represents a turning point in how we think about GRC automation and its role in modern organisations.

#GRCEngineering
Mar 18, 2025 • 58min

Scaling GRC Engineering: The Definitive Guide w/ Akhila Chitiprolu from Sierra | S2E3

Akhila Chitiprolu, Head of GRC at Sierra and former leader at Stripe, Expedia, and T-Mobile, reveals her journey from engineering to GRC leadership. She discusses transforming traditional compliance into scalable, engineering-driven programs. Key insights include automating controls for efficiency, engaging auditors early to build trust, and the importance of collaboration between technical and non-technical teams. Akhila also shares practical strategies for navigating compliance challenges and the need for continuous innovation to streamline GRC processes.
Dec 2, 2024 • 1h 6min

AI Agents as the next GRC Frontier w/ Shruti Gupta from Zania | S2E2

To view the notes from the podcast and much more, check out the episode summary on the GRC Engineer.
Oct 21, 2024 • 58min

Is GRC Engineering the next DevSecOps? w/ Justin from Klaviyo | S2E1

Join us for the first episode of Season 2 of the GRC Engineering Podcast, featuring Justin Pagano, Director of Security Risk and Trust at Klaviyo. Justin shares his journey through GRC, from his early days as a software engineer to being a catalyst of the GRC Engineering initiative. He discusses the limitations of traditional documentation-heavy approaches, advocates for more engineering-driven practices in governance, risk, and compliance, and explains how GRC Engineering could be the next DevSecOps. Be warned, TPRM is taking repeated hits in this episode!
Oct 19, 2024 • 10min

GRC Engineering Podcast? The Who, the Why and the What w/ Ayoub Fandi | S1E1

Learn more about the why behind the podcast, the background of the host, and the main objectives of the GRC Engineering podcast.
Mar 4, 2024 • 51min

Genesis of a GRC Engineering program w/ Akshay Finney from Zoom | S1E6

Join Akshay Finney, a GRC Engineering team lead at Zoom, as he dives into the dynamic realm of security engineering and GRC integration. Uncover the importance of translating security requirements into engineering language, the evolving role of GRC engineering, the importance of taking an engineering approach to security programs, and the importance of collaboration with product teams to advance GRC objectives.
Feb 12, 2024 • 54min

Getting Technical about Compliance w/ Vic Bhatia from ComplianceFoundry.ai | S1E5

Explore the evolution of compliance engineering with Vic Bhatia, CEO of Compliance Foundry, as he shares insights from his journey, including experiences at Meta. Discover the challenges and solutions in aligning compliance with engineering incentives and the future of automated compliance solutions in the cloud.