The GRC Podcast

Get ready to redefine your understanding of GRC and security with our esteemed guest Steven Nguyen, Business Information Security Officer of Data Applications at Twilio. Promising to enlighten you with a fresh perspective, we delve into the complexities of vendor risk management and security sales enablement, all in the light of business improvement. Stephen brings his expertise to the table, discussing the importance of agility and competitive positioning, as well as how to balance operational agility with reasonable security assurance.
This conversation takes a deep dive into the practicalities of executing GRC and security risk management within a small team. We touch upon the merits of adopting a cross-functional approach and the need for redundancy within skillsets, punctuated by Stephen’s insightful take on the matter. We also unravel the art of crafting quality questions for security questionnaires, which serves as a valuable tool to assess a vendor's maturity and calculate risk.
Not one to shy away from challenging topics, we navigate through the intricacies of security collateral and vendor risk management programs. Steven and I exchange views on the delicate issue of setting boundaries with customers running scans against our systems, and the legal complexities that contracts, DPAs, and security addendums bring to the table. We wrap up our discussion by emphasizing the importance of 'shifting left' in the sales process, and the need for standardization and transparency in GRC. This episode promises to be a rich source of knowledge for anyone keen on understanding the dynamics of GRC and security risk management.

For show notes, please visit The GRC Podcast website.
Sign up for our Bi-Weekly Newsletter

Join us for an insightful exploration of Security & GRC hiring with Tom Alcock from Code Red Partners. Tom illuminates their bespoke recruitment strategy, expertly aligning Security organizations with candidates who are not just technically proficient but also a cultural fit. We delve into the ever-changing world of Security & GRC employment, delivering actionable strategies for both industry novices and veterans. The conversation underscores the significance of perpetual learning and the power of networking in this rapidly evolving field.
Tom highlights the crucial role of community engagement in Security hiring, demonstrating how building a trusted network can open doors to extensive connections and opportunities. We discuss the pivotal moments when specialized firms like Code Red become invaluable, be it for large-scale recruitment drives or assembling foundational teams for emerging startups. This episode brims with insights for those contemplating the right time and approach to engage with recruitment experts who deeply understand the ins and outs of security organizations and the ever changing security landscape.
Wrapping up, we focus on Security & GRC career progression strategies. Tom provides pragmatic guidance on role transitions, from individual contributor to managerial positions, emphasizing the advantage of maintaining hands-on involvement in certain situations. We also venture into pathways leading to senior management and C-suite roles, sharing inspiring success stories and identifying the distinctive qualities of industry leaders. Tune in for a compelling discussion about forging a triumphant career in the dynamic world of Security & GRC.

For show notes, please visit The GRC Podcast website.
Sign up for our Bi-Weekly Newsletter

In this podcast episode, we unravel the intricate world of risk management, shedding light on its role in our everyday lives and its influence on GRC (Governance, Risk and Compliance). Daniel Redding guides listeners through a comprehensive understanding of risk management, exploring how to effectively navigate and control it. They break down the complex elements of risk, including the interplay of probability and severity, and introduce the often overlooked factors that can amplify risk. This discussion brings risk management back to basics, reinforcing the importance of investing effort proportionate to the potential return on investment.
The episode also focuses on determining the criticality of security incidents and how to prioritize responses effectively. Daniel emphasizes on transforming complex elements into manageable metrics, enabling listeners to compare and analyze effectively. Key factors such as system revenue, regulatory compliance requirements, data quantity, strategic priority, and availability are discussed. Daniel underscores the importance of identifying potential system hotspots to minimize future risk, fostering a proactive approach to risk management.
Finally, the episode arms listeners with effective communication strategies to present potential risks to executives in a clear and comprehensible manner. It underscores the importance of quantifying risk using a balanced blend of data and estimates. Daniel stresses the need for making specific, actionable recommendations and assigning responsibility for risk solutions. The ultimate goal is to demystify risk management, ensuring that organizations focus on what matters most and are clear in their methods of measuring and communicating risk. Tune in to this enlightening episode and start navigating the realm of risk management and GRC with increased confidence and expertise.

For show notes, please visit The GRC Podcast website.
Sign up for our Bi-Weekly Newsletter

In this episode of the GRC Podcast, we sit down with Chris Honda, a seasoned Senior Security Analyst at Whistic, who walks us through the multifaceted world of Governance, Risk, and Compliance (GRC). With his unique journey into the world of Security, Chris sheds light on the transformative nature of cultivating GRC expertise and the value those skills can bring to the business and security landscapes.
GRC Unpacked: More Than Acronyms
Chris starts by demystifying GRC, breaking it down into its core components: Governance, Risk, and Compliance. He shares an accessible approach to explaining these concepts to non-experts, using relatable analogies like the Rosetta Stone, underscoring the importance of GRC as the lingua franca that bridges the gap between business operations and security imperatives.
The Human Element in InfoSec
Delving into the art of presenting at conferences, Chris emphasizes the need to bring one's personality into play. By humanizing InfoSec, he advocates for presentations that resonate on a personal level, which in turn fosters a more resilient and relatable security culture within organizations.
Career Trajectories in GRC
Reflecting on his own path, Chris discusses how asking the critical question "why" catalyzed his move from finance to security, highlighting the role of curiosity in driving career progression within GRC. He reassures listeners that a background in IT is not a prerequisite for a successful career in GRC, as the field welcomes diverse professional experiences.
”Technical” Redefined
Chris challenges the misconception that one must be highly technical to succeed in security. He argues that problem-solving, communication, and understanding technology as a means to exceptional outcomes are just as crucial. This broader definition of 'technical' opens doors for GRC professionals to be recognized for their strategic and enabling contributions. (but also they should strive to have developer empathy and recognize stagnation in learning will significantly limit upward mobility, salary and future employability.)
The Convergence of Security and Privacy
Exploring the nuanced relationship between security and privacy, the discussion pivots to how these disciplines intersect within GRC frameworks. Chris provides insights into how evolving privacy laws create new opportunities for those passionate about privacy and compliance, demonstrating the dynamic nature of the GRC field.
The Specialist vs. Generalist Debate
Chris shares his experiences as a GRC generalist in a smaller company, weighing in on the benefits of wearing multiple hats against the deep focus of specialists in larger firms. He advocates for the value of generalist roles, highlighting their ability to manage a broad spectrum of GRC challenges and drive comprehensive security strategies.
Giving Back and Building Community
The episode wraps up with Chris reflecting on the importance of giving back to the GRC community. By volunteering and engaging in acts of kindness, professionals can cultivate a supportive network that not only fosters personal fulfillment but also strengthens the collective knowledge and resilience of the GRC industry.
Join us in this enriching discussion that promises to inspire both personal and professional growth, whether you're new to GRC or a veteran looking to reinvigorate your career with a fresh perspective.

For show notes, please visit The GRC Podcast website.
Sign up for our Bi-Weekly Newsletter

Join us for a conversation with Leif Dreizler, a dynamic figure and avid organizer in the InfoSec industry. While Leif is a skilled practitioner, his roles as a seasoned conference organizer, insightful blogger, and engaging podcast host allow his influence to extend well beyond the traditional workspace. In this episode, he generously unpacks his extensive knowledge on brand building and community engagement, underscoring the crucial participation of everyone, from novices to seasoned experts.
Leif takes us through his unique journey, emphasizing that there isn’t a one-size-fits-all approach to career development in the industry. With a myriad of options available, professionals can carve out their own paths, selecting the avenues that align best with their individual needs and aspirations. He shares insights from his experience organizing prominent conferences, including AppSec California, BSides SF, and Loco Moco Sec, and reflects on how these endeavors have been instrumental in shaping his career.
The episode dives into the significance of community engagement and networking for security professionals. Leif shares personal anecdotes and highlights the importance of active participation in diverse community initiatives, ranging from public speaking and conference proposals to blogging and podcasting. He offers practical tips for maximizing efficiency in your work, sharing strategies for smart blogging and effective repurposing of content across talks, presentations, and podcast appearances.
However, Leif’s narrative isn’t solely about personal brand cultivation. It’s also a testament to the myriad ways individuals can contribute to and engage with the larger community. He outlines the tangible benefits of active involvement, such as network expansion and the discovery of new job opportunities, and prompts listeners to reflect on how they, too, can contribute to and glean valuable insights from the community.
Tune in to explore Leif’s story and consider how you might enhance your engagement with the security community, fostering both personal and professional growth.

For show notes, please visit The GRC Podcast website.
Sign up for our Bi-Weekly Newsletter