Featured
Beyond Your Walls: Third-Party Risk in Financial Services
Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research; Meghan Maneval, Senior Director, Product Marketing, LogicGate
Join us in the latest episode of GRC & Me as host Meghan Maneval and Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20 Research, discuss vendor risk management and the differences between third, fourth, and fifth-party risks.
They discuss:
• Essential regulations and standards in the financial and banking sectors, highlighting how they vary
• Best practices for effectively building, managing, and staying current with a comprehensive vendor risk management program
• The role of automation and AI in enhancing vendor risk programs, as well as their limitations
• 2025 regulatory predictions and their potential impact on vendor risk strategies in financial services
All episodes
-
The Risks We Cannot See
Guest - Howard Mannella, Sr. Staff of Global Business Continuity & Security, Udemy; Host - Megan Brown, LogicGate
Crisis management is at the core of business resilience. Unfortunately, most organizations take a reactive approach when an incident occurs. But taking a proactive approach to head off crises or — even better — a preemptive approach that anticipates them and bakes resiliency into the business as a whole can have a big payoff. Hear how Howard Mannella, Senior Staff of Global Business Continuity and Security at Udemy, stays ahead of risks by focusing on their impact and how organizations of all sizes can evolve their GRC programs.
Highlights include:
- The difference between reactive, proactive, and preemptive crisis management
- How organizations can preemptively improve business resilience
- Why you should focus on the impact, not the cause
-
Going Paperless and Improving GRC Processes
Guest - Tina Chugani, Managing Director at Proxis; Host - Megan Brown, Director of International Sales at LogicGate
Making things easier and less paper-bound through digital technology is a top priority for many organizations, especially when it comes to their GRC initiatives. Listen as Proxis Founder and Managing Director Tina Chugani talks about the concept of process digitalization and trends that she is seeing within her region.
Highlights include:
- How process digitalization is driving efficiencies
- How to improve compliance and automate the ingestion of new regulations
- The benefits of working smarter with new infrastructure
-
How To Build a Risk Practice
James Bundy, Practice Director, Risk Transformation at Optiv Inc.; Andy Ruse, President of Field Operations at LogicGate
Security and compliance aren’t just about checking boxes to avoid fines and penalties: Implementing a holistic GRC program can be a key factor in driving success for your business. James Bundy, Practice Director at Optiv, discusses how organizations can build or enhance GRC programs that meaningfully contribute to the business.
Hear how to:
- Assess and understand the value of risk management processes
- Approach GRC from a business-outcomes perspective
- Turn compliance requirements into business enablers
-
Prices are Rising. How to Prepare for Inflation Now & Later
John Hotchkiss, Chief Risk Officer at Fairway Independent Mortgage; Matt Kunkel, CEO at LogicGate
With prices increasing across the board, it's getting harder to avoid inflation risk and a potential recession. Hear John Hotchkiss, Fairway Independent Mortgage Company's Chief Risk Officer, discuss how inflation will affect the risk landscape and how best to prepare.
Highlights include:
- What to prepare for in the global economy, and how
- The existential risks crucial for risk managers to understand and prepare for
- The true importance of a risk department
-
Enhancing Your Business Continuity Framework in a Volatile Environment
Guest - Jason Wang, Chief Risk Officer, Synergy Credit Union; Host - Megan Brown, Director of International Sales, LogicGate
From the pandemic to inflation to increasing cyber attacks, volatility appears to be the new normal. That means business continuity plans have never been more important. It’s time for businesses across all industries to look for opportunities to improve their resilience. Listen as Jason Wang, Chief Risk Officer at Synergy Credit Union, explains how to enhance your business continuity plans during these uncertain times.
Topics include:
- The three phases of a business continuity plan and how to navigate them
- How to educate your employees to be resilient towards threats
- What leadership needs to do to create a risk-aware culture throughout your organization
-
Building the Business Case for Getting the Right GRC Technology
Michael Rasmussen, GRC Analyst & Pundit; Matt Kunkel, CEO at LogicGate
Hear LogicGate CEO Matt Kunkel and GRC expert Michael Rasmussen discuss the past, present, and future of GRC spending and take a deep dive into creating a business case for investing in GRC technology by proving its cost-saving impact.
Listen to discover how to:
- Build a business case for upgrading to the latest and greatest in GRC
- Communicate accountability to engage risk owners
- Engage frontline employees to protect the business effectively
-
Measurement as a Foundation for Communicating Risk
Guest - Anthony Riley, Director, Security Risk Management, Okta; Host - Megan Brown, Director of Int'l Sales, LogicGate
Properly measuring risk is the most important ingredient in effectively communicating risk, and communicating risk leads to a richer risk culture at your organization. Hear Okta’s Director of Security Risk Management, Anthony Riley, discuss best practices for measuring and communicating risk.
-
The Five Layers of a Mature GRC Program
Mike Santos, Director of Security and Information Governance at Cooley; Andy Ruse, President of Field Operations at LogicGate
Listen as Andy Ruse, LogicGate’s President of Field Operations, sits down with Cooley’s Mike Santos, Director of Security and Information Governance, to discuss his five-layer maturity model for building effective GRC programs, the different things a risk practitioner has to consider in decision making, and his own recommendations for maturing any risk program.
-
Breaking Down Organizational Silos With a Common Risk Language
Guest: Dimitrios Stergiou, Director of Information Security, Wayflyer; Host: Megan Brown, Director of Int'l Sales, LogicGate
Getting everyone on the same page about the risks your organization is facing is a crucial part of effectively managing organizational risk. Unfortunately, it’s also one of the hardest parts about effectively managing risk. Tune in to hear Dimitrios Stergiou, Director of Information Security at Wayflyer, explain how risk quantification and proper use of standard frameworks can help you build a common language for understanding risk across your organization, break down organizational silos, and get buy-in for your programs.
Highlights include:
- Why risk quantification is the "holy grail" for communicating risk impact
- What frameworks to use to get everyone on the same page about risk management
- How to put it all into practice
-
Positioning GRC as an Enabler with Integrated Data
Mike Curl, Former Regulatory Data Manager at Honeywell; Andy Ruse, President of Field Operations at LogicGate
Listen as Regulatory Data Manager Mike Curl discusses how he flipped the traditional way of measuring compliance on its head, leading to happier employees, better decisions, and improved compliance.
You'll learn:
- The benefits of building dashboards from the bottom up
- How to get organizational buy-in when it comes to change management
- Mike's unique culinary approach to executive reporting
-
The Risks and Rewards of AI in Business Automation
Dorian Cougias, Co-Founder & CEO, Unified Compliance Framework; Chris Clarke, Director, Implementation Services, LogicGate
In just a few months, artificial intelligence went from a fringe technology to full-speed ahead with the public release of ChatGPT. This fascinating technology has the potential to revolutionize how we automate our businesses, but there are numerous reasons to give pause before integrating it into your organization’s operations. On this episode of GRC & Me, Dorian Cougias, Co-Founder and CEO of Unified Compliance Framework, and Chris Clarke sit down to discuss the risks and rewards of embracing AI-driven automation, corpora management, data ownership, and the necessity of double-checking everything generative AI spits out.
-
Preparing for DORA, NIS2, and the New European Push for Cybersecurity
Guests: Andras Szabolcs, Cyber Risk Expert, Wizz Air; Peter Szigetvari, Operational Risk Expert, Wizz Air
With information and cybersecurity incidents growing in frequency and severity, regulators in the European Union are hard at work devising new rules designed to incentivize organizations to harden their cyber defenses.
On this episode of GRC & Me, Megan Brown sits down with Wizz Air’s Andras Szabolcs, Cyber Risk Expert, and Peter Szigetvari, Operational Risk Expert, to break down the similarities and differences between two of these new European Union regulations — the Digital Operational Resilience Act, or DORA, and Network and Information Security Directive 2, or NIS2 — how they could affect nearly every company despite their official scope, and how organizations can prepare to comply with them using modern GRC technology.
-
Using Cyber Risk Quantification to Make the Right Risk Decisions
Guests: Daniel Stone & Tim Kelly, Director & Associate Director, Technology Risk and Resilience, Protiviti
Cybersecurity programs involve lots of moving parts, and they only grow more complex over time as technology becomes more advanced and cyber threats become more numerous and sophisticated. Cyber risk quantification can be a crucial tool for keeping up with shifting cybersecurity landscapes.
On this episode of GRC & Me, Chris Clarke is joined by Protiviti’s Daniel Stone, Director, and Tim Kelly, Associate Director, to discuss how cyber risk quantification can lead to better risk decision-making, how to beat analysis paralysis when you’ve got reams of risk data in front of you, and the best ways to use risk quantification to reduce reactivity and improve communication across your organization.
-
Building Robust Risk Cultures Through Collaborative Cyber Risk Management
Guest: Praj Prayag-Deb, Founder & Owner at Cyberpink Advisors, Former Head of Cybersecurity Risk at GEICO
Oftentimes, cyber risk teams are viewed as reactive “audit police,” swooping into projects to flag risks and forcing changes at key points. This approach can generate a resentful — even toxic — risk culture. There’s a better way to build healthier risk cultures: Taking a more collaborative, embedded approach to cyber risk management by positioning cyber risk leaders as advisors and partners, working side-by-side with project teams from the start.
On this episode of GRC & Me, Chris Clarke is joined by GEICO's Former Head of Cybersecurity Risk and current Cyberpink Advisors Founder & Owner, Praj Prayag-Deb, to discuss how to shift your organization’s risk culture toward this new approach, her formula for building successful cyber risk programs from scratch, how leveraging the right technology makes it all possible, and why adopting a growth mindset is critical for every cyber risk leader.
-
Staying in the Fed’s Favor: Navigating Government Contracts with Intel Federal
Guest: John Griffin, Intel Federal Compliance Program Manager, Intel Corporation; Host: Chris Clarke, LogicGate
When doing business with the federal government and its myriad agencies, organizations are bound to run into plenty of mandates, regulations, and other requirements. Navigating them all can cause a headache for even the most detail-oriented compliance managers.
On this episode of GRC & Me, Chris Clarke is joined by Intel Federal’s Compliance Program Manager, John Griffin. Griffin draws on his decades of experience in federal contracting and working with government agencies at companies like Honeywell and Boeing to explore methods for better managing product development and performing diligence on third-party vendor relationships while operating under strict and stringent government standards and requirements. Plus, learn a few of Griffin’s more creative methods for determining how risky a particular organization might be to work with.
-
Managing Risk on the Frontlines of the Financial Sector
Guest: Jason Wang, Chief Risk Officer, Allstate Canada; Host: Chris Clarke, LogicGate
One of the most high-profile risk events of the last year was the swift collapse of Silicon Valley Bank and other regional banks amid spiking interest rates. Part of the problem? The lack of a complete, comprehensive view of the risks these banks were facing — in particular, liquidity risk.
Allstate Canada's Chief Risk Officer Jason Wang has spent his career assessing and analyzing risk in the financial services space, dedicated to anticipating and mitigating risks just like the one that sank SVB. On this episode of GRC & Me, Jason joins LogicGate’s Chris Clarke to discuss the importance of building a holistic risk register, how to position risk management as a strategic enabler instead of a “revenue prevention” department, why it’s critical to include your chief risk officer on the executive team, and more.
-
Rockets, Radios, and Risk: How NASA Manages Uncertainty in Orbit
Guest: Ginger Kerrick, Chief Strategy Officer, Barrios Technology; Host: Chris Clarke, LogicGate
Few careers involve managing as much risk as one where you’re responsible for launching humans riding gigantic rockets into outer space. That’s exactly what Barrios Technology Chief Strategy Officer Ginger Kerrick did during her three-decade career working for NASA.
On this episode of GRC & Me, Ginger joins LogicGate’s Chris Clarke to discuss methods for developing methodical, standardized thought processes for risk decision-making in high-stakes scenarios, how NASA employees are trained to separate logic from emotion, how disasters can inform future mitigation planning, and why the most important part of managing risk is having the right leaders in place.
-
Please Hack Me: Hacking Companies for Good
Guest: Ted Harrington, Independent Security Evaluators & Cybersecurity Author; Host: Chris Clarke, LogicGate
They say it takes a thief to catch a thief, so why not a hacker to catch a hacker?
That was the premise behind Ted Harrington’s Independent Security Evaluators, a company dedicated to poking holes into other companies’ cyber defenses — for the right reasons, of course. On this episode of GRC & Me, Ted takes LogicGate’s Chris Clarke on a journey down the benevolent hacker’s rabbit hole, where they discuss:
• The difference between white box and black box testing (and which is better).
• Why carrying these exercises out can build trust and become a competitive advantage in third-party risk assessment.
• Why it’s important to shift your mindset from one that views security as an obstacle to one that views it as an opportunity.
• Uncovering the unknown unknowns in cybersecurity.
• How “defense in depth” strategies can put security teams a step ahead of threat actors.
• The four traits that lead hackers to be successful, and why thinking like one can be an effective way to bolster your cyber defenses.
-
Shifting Gears To Quantify Risk with Netflix’s Tony Martin-Vegue
Guest: Tony Martin-Vegue, Staff Information Security Risk Engineer, Netflix; Host: Chris Clarke, LogicGate
Switching from traditional risk analysis methods like ordinal lists or red-yellow-and-green charts to more modern approaches like risk quantification requires a paradigm shift in how you think about measuring risk, but the increased accuracy, specificity, and reliability you’ll gain by doing so pays dividends.
On this episode of GRC & Me, Netflix’s Tony Martin-Vegue joins LogicGate’s Chris Clarke to explore the best ways to navigate this transition, how to learn and leverage popular risk quantification frameworks like Open FAIR, and why you shouldn’t completely throw your colored charts out the window just yet.
-
Optimizing Risk: GRC Is No Longer a Cost Center – It’s a Business Enabler
Matt Kunkel, Co-Founder & CEO, LogicGate; Nick Kathmann, CISO, LogicGate
Historically, GRC was viewed as one line in a budget sheet, but that is rapidly changing.
GRC practitioners are elevating their programs with tools and technologies that aggregate data and story-tell situational risk, security, compliance changes and more, so businesses can make risk-based decisions to move the needle forward. LogicGate Co-Founder and CEO, Matt Kunkel, and CISO, Nick Kathmann, will share:
• Why good security pays for itself
• The role GRC plays in the boardroom
• How to connect GRC programs to business impact
-
Navigating Financial Industry Compliance
Stephenie Southard, Chief Security Officer, Baxter Credit Union; Meghan Maneval, Product Marketing, LogicGate
We’re excited to explore the ever-changing landscape of banking compliance including best practices for staying audit-ready amidst constantly evolving regulations.
LogicGate's Meghan Maneval, Senior Director of Product Marketing, and Stephenie Southard, Chief Security Officer at Baxter Credit Union, will discuss:
• Compliance requirements, from NCUA mandates to state-specific privacy laws, PCI 4.0, and more
• AI in banking, along with third-party and vendor risks
• The challenges and best practices in navigating compliance complexities across the industry