The GRC Podcast - Vendor Risk Management and Customer-Centric GRC Principles with Steven Nguyen
Vendor Risk Management and Customer-Centric GRC Principles with Steven Nguyen

06/05/23 • 71 min

The GRC Podcast

Get ready to redefine your understanding of GRC and security with our esteemed guest Steven Nguyen, Business Information Security Officer of Data Applications at Twilio. Promising to enlighten you with a fresh perspective, we delve into the complexities of vendor risk management and security sales enablement, all in the light of business improvement. Steven brings his expertise to the table, discussing the importance of agility and competitive positioning, as well as how to balance operational agility with reasonable security assurance.
This conversation takes a deep dive into the practicalities of executing GRC and security risk management within a small team. We touch upon the merits of adopting a cross-functional approach and the need for redundancy within skillsets, punctuated by Steven's insightful take on the matter. We also unravel the art of crafting quality questions for security questionnaires, which serve as a valuable tool to assess a vendor's maturity and calculate risk.
Not one to shy away from challenging topics, we navigate through the intricacies of security collateral and vendor risk management programs. Steven and I exchange views on the delicate issue of setting boundaries with customers running scans against our systems, and the legal complexities that contracts, DPAs, and security addendums bring to the table. We wrap up our discussion by emphasizing the importance of 'shifting left' in the sales process, and the need for standardization and transparency in GRC. This episode promises to be a rich source of knowledge for anyone keen on understanding the dynamics of GRC and security risk management.

For show notes, please visit The GRC Podcast website.

Previous Episode

GRC Essentials: From the Basics to Mastery with Dustin Bailey

Get ready for a fresh perspective on GRC as we invite Dustin Bailey, the former Security Lead at Twilio Segment, to share his expertise. Listen in as we explore how Dustin fell into GRC - or as he puts it, how GRC chose him - and how he manages to prioritize ruthlessly to extract the most value from his GRC program. Hear how he navigates the challenges of aligning GRC with the various departments, understanding their products and culture, and designing security controls that are widely accepted.
In our chat, Dustin also enlightens us on how GRC intersects with everyday life, using his own experiences during a power outage as an example. We draw parallels between customer calls at Twilio Segment and cost-benefit evaluations he makes when considering risk. Hear how Dustin has had to alter his risk management strategies as data loss risks change with the shift to cloud computing.
Dustin's journey from consulting to an internal resource role offers unique insights into GRC implementation. We discuss the importance of aligning GRC with sales and strategic goals, and how his consulting experience has underscored the need for simple, value-added products. We also touch on the process of getting Twilio Segment's first SOC 2 certification, and how stakeholder involvement is crucial in designing controls. Tune in as we wrap up with a discussion on the importance of stakeholder relationships in GRC, and how Dustin applies GRC principles in real estate investing.


Next Episode

Security Leadership and People Management with Patrick Ayrtey

Ready to reframe your perspective on team management? Join us as we chat with Patrick Ayertey, Business Security Lead at Twilio, who shares his journey from being an individual contributor (IC), to a manager. Patrick's unique philosophy of leadership, deeply rooted in empathy and recognizing individual personalities within a team, might just inspire you to rethink your own approach.
Our conversation with Patrick is not just about leadership; it's a deep dive into the essence of human connection in a professional setting. Drawing upon his cultural background from Ghana and his experience as a music director, Patrick seamlessly blends these diverse perspectives into his management style. We unpack the importance of transparency and trust in manager-employee relationships and how understanding business dynamics can bolster career growth. Patrick also shares some interesting strategies he uses to build relationships within his team.
Finally, we explore Patrick's progressive strategies for working cross-functionally with high-level executives and in tailoring requirements to the business context. Patrick emphasizes the need to understand the 'why' behind regulations and requirements. We conclude the episode with a fascinating look into Patrick's personal projects, like teaching cloud engineering and creating music as an expression. This engaging conversation with Patrick ultimately challenges leaders to focus more on people than outcomes for team success.


Transcript

Mark Graziano (00:01.645) Steve, welcome to the GRC Podcast. This is really fun for me. For listeners who don't know, I actually found Steve in Segment based on a blog post that he did, and it was an interview. So it's really fun for me to be able to do the same for you and interview you personally.

Steven Nguyen (00:15.734) I appreciate it, Mark. Thanks for having me as a, as a guest. And, uh, yeah, it was pretty cool that, uh, we were able to, uh, indirectly recruit you at the time by,
