Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

In this episode of the GRC Engineer podcast, Ayoub interviews Tony Martin-Vegue, a seasoned risk quantification expert from Netflix, about his career journey and insights on cyber risk management. Tony shares his background in IT and economics, leading him to risk management and quantitative risk analysis using the FAIR framework. The discussion covers the importance of viewing GRC as a business enabler, the distinction between CRQ and FAIR, and the benefits of quantified risk assessments for various stakeholders, including executives and risk owners. Tony emphasizes the need for flexibility in risk management, considering options beyond mitigation, and leveraging AI to streamline data collection for CRQ. He also provides practical tips for beginners interested in CRQ, recommending Doug Hubbard's book and the IRIS report, and shares his contrarian view on security awareness training.

Outlines

Sign in to continue reading, translating and more.

Continue

GRC Engineer

Introduction to Risk Management and Tony Martin-Vegue's Background

The Origin Story of Quantitative Risk at a Regional Bank

GRC as a Concept and its Practical Application

Cyber Risk Quantification vs. FAIR

Beneficiaries of Quantified Risk Assessments

Balancing Remediation Bias with Risk Ownership

Enabling Risk Owners to Make Informed Decisions

Domain Expertise and Technical Skills for Risk Analysts

Quantifying Risk Identification and Triage

The Impact of AI on Cyber Risk Quantification

Getting Started with Cyber Risk Quantification

The Synergies Between GRC Engineering and Cyber Risk Quantification

A Hot Take: Security Awareness Training

Where to Find Tony Martin-Vegue and Closing Remarks

Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

GRC Engineer

00:00Introduction to Risk Management and Tony Martin-Vegue's Background

Introduction to Risk Management and Tony Martin-Vegue's Background

06:32The Origin Story of Quantitative Risk at a Regional Bank

The Origin Story of Quantitative Risk at a Regional Bank

10:25GRC as a Concept and its Practical Application

GRC as a Concept and its Practical Application

15:02Cyber Risk Quantification vs. FAIR

Cyber Risk Quantification vs. FAIR

20:28Beneficiaries of Quantified Risk Assessments

Beneficiaries of Quantified Risk Assessments

25:27Balancing Remediation Bias with Risk Ownership

Balancing Remediation Bias with Risk Ownership

30:33Enabling Risk Owners to Make Informed Decisions

Enabling Risk Owners to Make Informed Decisions

35:29Domain Expertise and Technical Skills for Risk Analysts

Domain Expertise and Technical Skills for Risk Analysts

40:56Quantifying Risk Identification and Triage

Quantifying Risk Identification and Triage

44:51The Impact of AI on Cyber Risk Quantification

The Impact of AI on Cyber Risk Quantification

49:24Getting Started with Cyber Risk Quantification

Getting Started with Cyber Risk Quantification

53:04The Synergies Between GRC Engineering and Cyber Risk Quantification

The Synergies Between GRC Engineering and Cyber Risk Quantification

57:30A Hot Take: Security Awareness Training

A Hot Take: Security Awareness Training

59:33Where to Find Tony Martin-Vegue and Closing Remarks

Where to Find Tony Martin-Vegue and Closing Remarks