Podcasts about compliance grc


Latest podcast episodes about compliance grc

InfosecTrain
Governance, Risk, and Compliance (GRC) Interview Questions

InfosecTrain

Apr 24, 2025 · 20:57


Organizations today understand the crucial need for Governance, Risk, and Compliance (GRC) functions to guarantee operational effectiveness, regulatory conformity, and risk reduction in the face of a dynamic business environment. This has led to a significant need for GRC professionals. Learning answers to typical GRC interview questions is an important part of being prepared to face a job interview in the GRC industry. Hopefully, you will be able to use the information in this article to ace your next GRC interview and land your ideal job.

GRC Interview Questions and Answers

The Cyber Revolution Podcast
Cyber Revolution Podcast - Overcoming Career Change Anxiety with Akhil George - Episode 60

The Cyber Revolution Podcast

Apr 23, 2025 · 31:22


Welcome back to The Cyber Revolution Podcast!

This week on The Cyber Revolution Podcast, Adam Hewitt, CEO of Cyber Revolution, is joined by Akhil George, a former warehouse worker who successfully transitioned into cybersecurity. Akhil shares his inspiring journey from working in a warehouse to landing his first role as an Information Security Consultant, focusing on Governance, Risk, and Compliance (GRC). With a small IT background from his time in India, Akhil explains how he recognized security vulnerabilities in his warehouse workplace and developed a passion for contributing to the cybersecurity industry.

If you're considering a career change into cybersecurity, Akhil's story provides valuable insights and encouragement for those looking to make the leap into this rapidly growing field.

What you'll learn:
  • Akhil's motivation for transitioning from warehouse work to cybersecurity
  • The reality of working in GRC (Governance, Risk & Compliance) as a non-technical cybersecurity role
  • How hands-on lab experience through Cyber Revolution translated to real-world skills
  • The emotional journey of career transition (60% nervous, 40% excited!)
  • The importance of continuous learning in cybersecurity and how employers support new professionals
  • The job satisfaction difference between warehouse work and solving complex cybersecurity challenges
  • Why Australia desperately needs more cybersecurity professionals and the opportunity this presents

Key Takeaways:
  • Networking is crucial - Connect with industry professionals through LinkedIn, events, and training programs
  • Get hands-on experience - Practice through virtual labs and keep upgrading your skills
  • Focus on your interests - You don't need to be an expert in everything; find what you enjoy and specialize
  • Put in the effort - The path is straightforward if you're willing to do the work and stay consistent
  • Embrace the learning journey - The industry rewards those who continuously upskill and adapt

Chapters:
  • 00:00 - Introduction to Cyber Revolution Podcast
  • 02:30 - From Warehouse to Cybersecurity
  • 05:12 - The Importance of Cybersecurity Today
  • 07:45 - What Attracted Akhil to Cybersecurity
  • 10:22 - Landing a GRC Security Consultant Role
  • 13:40 - The Joy of Career Transition
  • 16:05 - Warehouse Work vs. Cybersecurity Challenges
  • 18:48 - The Cybersecurity Skills Shortage
  • 21:27 - Workplace Support for New Professionals
  • 24:16 - The Rewarding Nature of Cybersecurity
  • 25:30 - Highlights from Cyber Revolution Training
  • 28:10 - Overcoming Career Change Nervousness
  • 29:35 - Top Tips for Breaking into Cybersecurity

Connect with Adam:
  • Website: https://cyberrevolution.com.au
  • Follow us on Facebook: https://www.facebook.com/cyberrevolutionaus
  • Subscribe to our YouTube channel: https://www.youtube.com/@cyberrevolutionaus
  • Follow us on Instagram: https://www.instagram.com/cybrevolution_aus/

InfosecTrain
Understanding CGRC & RMF: A Must-Know for Cybersecurity Leaders

InfosecTrain

Apr 7, 2025 · 42:07


In today's rapidly evolving cybersecurity landscape, organizations need a robust Governance, Risk, and Compliance (GRC) framework to stay ahead of security challenges. This video provides an in-depth look at CGRC (Certified in Governance, Risk, and Compliance) and RMF (Risk Management Framework) and their importance in modern enterprises. Learn how to implement effective risk management strategies, ensure regulatory compliance, and strengthen enterprise security postures using CGRC best practices. We will break down key domains of CGRC, explore how RMF helps in system authorization and security controls, and provide real-world insights into implementing these frameworks successfully. Whether you're an IT professional, security analyst, or enterprise risk manager, this guide will help you master CGRC & RMF principles to drive compliance and security excellence.

Risk Management Show
AI in GRC: Risks and Opportunities You Must Know with Raghuram Srinivas

Risk Management Show

Mar 12, 2025 · 29:25


Explore how AI is transforming the Governance, Risk, and Compliance (GRC) landscape in this insightful episode featuring Raghuram Srinivas, Head of Products and Innovation at MetricStream. We discuss the critical risks and opportunities AI presents in GRC, ethical considerations like bias and data privacy, and the future of risk management in an AI-driven world. Gain valuable insights into navigating AI regulations, the evolving role of human oversight, and the skills essential for professionals to thrive in this changing landscape. Raghuram shares his extensive experience in Risk Management, Cyber Security, and Sustainability, offering actionable strategies for businesses to implement AI responsibly while enhancing efficiency and decision-making. If you're a Chief Risk Officer or a professional looking to stay ahead in the GRC space, this conversation is a must-watch. If you want to be our guest or suggest a guest, send your email to info@globalriskconsult.com with the subject line “Podcast Guest Suggestion.” Don't miss this opportunity to stay informed and inspired by leading experts in the field.

Accenture InfoSec Beat
InfoSec Beat: Careers in Information Security – Governance, Risk and Compliance

Accenture InfoSec Beat

Jan 27, 2025 · 33:28


This episode of the InfoSec Beat podcast focused on careers in information security features a conversation between Accenture CISO Kris Burkhardt and Paul Kunas, who led our Governance, Risk, and Compliance (GRC) function for almost 10 years. Paul's career journey involved security roles at Accenture and other companies and ultimately a return to Accenture to formalize GRC for Information Security. The work spanned developing global strategies and building many programs to arrive at one common view of risk today. Activities center on various analyses to secure technology, updating strategies, validating approaches, instilling a common view and vision, and responding to new challenges.

Cybersecurity ist Chefsache - Der Podcast!
Revolution or Overkill? The Truth About GRC Tools

Cybersecurity ist Chefsache - Der Podcast!

Jan 27, 2025 · 23:43


Expand your knowledge of digital security with Cybersecurity ist Chefsache. In this episode, Nico Werner talks with Nadezhda Zhekova, Information Security Governance Delivery Manager at DIGITALL, about the introduction and benefits of GRC tools.

HRM-Podcast
Cybersecurity ist Chefsache: Revolution or Overkill? The Truth About GRC Tools

HRM-Podcast

Jan 27, 2025 · 23:43


Expand your knowledge of digital security with Cybersecurity ist Chefsache. In this episode, Nico Werner talks with Nadezhda Zhekova, Information Security Governance Delivery Manager at DIGITALL, about the introduction and benefits of GRC tools.

Career Buzz
From Connectivity to Vulnerability: Navigating the Digital Transformation of Vehicles

Career Buzz

Dec 25, 2024 · 55:17


In the past, what happened in your car typically stayed in your car. That is no longer the case. The influx of digital innovations, from infotainment connectivity to over-the-air (OTA) software updates, is turning cars into information clearinghouses. While delivering significant customer value, these changes also expose vehicles to the seamier side of the digital revolution. Hackers and other black-hat intruders are attempting to gain access to critical in-vehicle electronic units and data, potentially compromising critical safety functions and customer privacy. In this episode, Stephen Armstrong and AJ Khan address this topic.

Guest Bio: AJ Khan is the Founder of Vehiqilla Inc and has over 20 years of experience in Governance, Risk & Compliance, and 13 years of experience in Cybersecurity Innovation and Emerging Technologies. AJ is an ardent advocate of Cyber Security and Governance, Risk and Compliance (GRC) and, in his view, there is a critical need to address Cyber Security in today's Connected and Cloud deployments; if considerable effort is not made to address this issue, corporations will incorporate considerable Security Debt that will manifest itself later in the form of major security breaches. AJ is a published author and his book "Automotive Cyber Governance" is focused on defining cyber governance best practices for Connected, Autonomous and Electric Vehicles.

The Bid Picture - Cybersecurity & Intelligence Analysis

In this episode, host Bidemi Ologunde spoke with Jorge (George) Flores. Jorge has been a cyber security professional for more than a decade and a half. In the most recent years of his career, George has transitioned into Governance, Risk, and Compliance (GRC) in the field of healthcare, specializing in HIPAA and HITRUST audit. He has obtained the CISSP, HCISPP, ITIL, and CEH certifications, and currently holds a Master's Degree in Computer Science from FIU. George is an active member of South Florida ISSA as well as ISACA. He recently created an educational YouTube channel, "GRCguy", to help with security awareness and education. George is a proponent of "work/life balance" and encourages young cyber security professionals to ensure they prioritize what matters most first, which is all aspects of health.

Risk Management Show
AI's Role in Risk Management: Transform or Trouble with Sumith Sagar.

Risk Management Show

Oct 4, 2024 · 32:22


In this episode of Global Risk Community's podcast, we delve into AI's transformative role in Risk Management with Sumith Sagar, Associate Director of Product Marketing at MetricStream. We discussed the evolving landscape of Governance, Risk, and Compliance (GRC) as AI integrates into both financial and non-financial sectors. Sumith's expertise, honed over 15 years in risk technology, provides unique insights into AI's benefits and challenges, including improved decision-making, efficiency, and ethical implementation. If you want to be our guest or suggest someone, send your email to info@globalriskconsult.com with "Podcast Guest" in the subject line. Discover how AI is reshaping risk management, tackling cyber security challenges, and supporting sustainability efforts. Stay informed with Global Risk Community as we bring expert discussions to a broader audience, aiding Chief Risk Officers and other professionals in navigating this rapidly changing domain.

ITSPmagazine | Technology. Cybersecurity. Society
HITRUST Announces Continuous Assurance through the Proven HITRUST Ecosystem | Brand Story | 2 Minutes on ITSPmagazine

ITSPmagazine | Technology. Cybersecurity. Society

Oct 2, 2024 · 2:06


HITRUST has announced the launch of HITRUST Continuous Assurance, a new strategic evolution aimed at enhancing security sustainability and outcomes through continuous control monitoring. This initiative builds upon the proven HITRUST ecosystem, providing organizations with an efficient way to manage security and compliance risks in the face of evolving cyber threats. Traditional approaches that prioritize compliance over security are increasingly inadequate, especially in the era of generative AI and sophisticated cyber-attacks.

Continuous Assurance minimizes the risk of evidence decay by enabling organizations to monitor security controls continuously, ensuring that security requirements remain relevant and reliable. Key features of this initiative include automated evidence collection, a continuous monitoring taxonomy integrated with the HITRUST CSF, and enhanced workflows in HITRUST's MyCSF platform. The system also supports integration with Governance, Risk, and Compliance (GRC) systems, ensuring streamlined risk management.

HITRUST's Continuous Assurance will leverage its extensive certification framework, which has shown significant success. Notably, the 2024 HITRUST Trust Report highlighted that 99.4% of HITRUST-certified organizations did not report a breach over the past two years. Continuous Assurance offers new capabilities that further solidify HITRUST's role as a leader in information security risk management.

Learn more and stay up to date by visiting hitrustalliance.net/news.

Note: This story contains promotional content.

Resources:
  • Read the Press Release: https://hitrustalliance.net/press-releases/hitrust-announces-continuous-assurance-through-the-proven-hitrust-ecosystem
  • Learn more and catch more stories from HITRUST: https://www.itspmagazine.com/directory/hitrust
  • Learn more about 2 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs

Redefining CyberSecurity
HITRUST Announces Continuous Assurance through the Proven HITRUST Ecosystem | Brand Story | 2 Minutes on ITSPmagazine

Redefining CyberSecurity

Oct 2, 2024 · 2:06


HITRUST has announced the launch of HITRUST Continuous Assurance, a new strategic evolution aimed at enhancing security sustainability and outcomes through continuous control monitoring. This initiative builds upon the proven HITRUST ecosystem, providing organizations with an efficient way to manage security and compliance risks in the face of evolving cyber threats. Traditional approaches that prioritize compliance over security are increasingly inadequate, especially in the era of generative AI and sophisticated cyber-attacks.

Continuous Assurance minimizes the risk of evidence decay by enabling organizations to monitor security controls continuously, ensuring that security requirements remain relevant and reliable. Key features of this initiative include automated evidence collection, a continuous monitoring taxonomy integrated with the HITRUST CSF, and enhanced workflows in HITRUST's MyCSF platform. The system also supports integration with Governance, Risk, and Compliance (GRC) systems, ensuring streamlined risk management.

HITRUST's Continuous Assurance will leverage its extensive certification framework, which has shown significant success. Notably, the 2024 HITRUST Trust Report highlighted that 99.4% of HITRUST-certified organizations did not report a breach over the past two years. Continuous Assurance offers new capabilities that further solidify HITRUST's role as a leader in information security risk management.

Learn more and stay up to date by visiting hitrustalliance.net/news.

Note: This story contains promotional content.

Resources:
  • Read the Press Release: https://hitrustalliance.net/press-releases/hitrust-announces-continuous-assurance-through-the-proven-hitrust-ecosystem
  • Learn more and catch more stories from HITRUST: https://www.itspmagazine.com/directory/hitrust
  • Learn more about 2 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs

The Cyber Revolution Podcast
Cyber Revolution Podcast - Building a Cybersecurity Career from Scratch with Ross Tutin - Episode 53

The Cyber Revolution Podcast

Sep 18, 2024 · 35:37


Welcome to another exciting episode of the Cyber Revolution Podcast, where we explore the thriving world of cybersecurity and guide you on how to start or advance your career in this ever-growing industry. This week, host Adam Hewitt, CEO of Cyber Revolution, is joined by Ross Tutin, a current Cyber Revolution student who successfully transitioned from a 17-year career in the tourism industry to landing a cybersecurity role within just a few months. Ross shares his journey, offering invaluable insights into how transferable skills, networking, and dedication to continuous learning helped him break into the cybersecurity field.

Episode Highlights:
  • Ross Tutin's Career Journey into Cybersecurity [01:15] - Ross describes his extensive background in tourism and how he decided to pivot into cybersecurity, landing a role as a cybersecurity compliance partner at Gallagher within weeks of starting his studies.
  • The Power of Transferable Skills [08:45] - A discussion on how Ross utilized his business, compliance, and risk management experience to transition into cybersecurity without any formal IT background.
  • Networking's Role in Career Shifts [14:20] - Ross explains how building and leveraging personal connections helped him secure a cybersecurity job early in his studies.
  • Non-Technical Roles in Cybersecurity [20:00] - Exploring the world of Governance, Risk, and Compliance (GRC) and how non-technical professionals can thrive in this area of cybersecurity.
  • Advice for Career Changers [27:30] - Ross shares his top tips for anyone considering a career change into cybersecurity, emphasizing the importance of lifelong learning and the value of transferable skills.

Connect with Adam:
  • Website: https://cyberrevolution.com.au
  • Follow us on Facebook: https://www.facebook.com/cyberrevolutionaus
  • Subscribe to our YouTube channel: https://www.youtube.com/@cyberrevolutionaus
  • Follow us on Instagram: https://www.instagram.com/cybrevolution_aus/

Key Takeaways:
  • Transferable skills from any industry can help you succeed in cybersecurity.
  • Networking is a critical tool for landing cybersecurity roles.
  • Non-technical roles like GRC offer excellent entry points for career changers.

Tune in to this episode to learn how Ross's journey can inspire you to take the leap into cybersecurity!

InfosecTrain
Typical Roles and Responsibility in GRC

InfosecTrain

Aug 28, 2024 · 5:35


A Governance, Risk, and Compliance (GRC) framework is critical for any organization. It helps align business goals with regulatory requirements while effectively managing risks. Different roles and responsibilities are assigned throughout the organizational hierarchy to achieve successful implementation of the GRC framework. This article summarizes the roles and responsibilities within the GRC framework.

View More: Typical Roles & Responsibility in GRC

SRA Risk Intel
Season 2 | Ep. 36: What's The Difference Between GRC and Audit?

SRA Risk Intel

Aug 27, 2024 · 15:18


In today's complex financial landscape, effective risk management is critical for the stability and success of any financial institution. Governance, Risk, and Compliance (GRC) teams play a central role in this process, ensuring that organizations are well-protected against potential risks while maintaining compliance with regulatory standards. But how exactly does GRC fit into the broader picture of Enterprise Risk Management (ERM), and how does GRC differ from the Audit function? This Risk Intel episode features Cathy Jackson, Director of Implementations at SRA Watchtower, who answers four key questions to help you understand the responsibilities of the GRC and Audit teams, how they operate, and how they integrate with ERM. Give it a listen to learn more.

Follow us to stay in the know!

The Virtual CISO Moment
S6E41 - A Conversation with Praj Prayag-Deb

The Virtual CISO Moment

Aug 15, 2024 · 29:12


Praj Prayag-Deb is the founder of Cyberpink Advisors, offering information security consulting services to small and midsized businesses. She is an influential tech-savvy Cybersecurity and Technology risk executive and a strategic leader with a demonstrated track record of building successful Cybersecurity and Governance, Risk, and Compliance (GRC) programs from the ground up. She has 15+ years of experience in diverse and complex environments, including Big4, top-tier financial services (Bank of America, Morgan Stanley, Macquarie Bank) and Fortune 50 (Comcast).

RIMScast
Bigger Risks with the Texas State Office of Risk Management | Sponsored By Hillwood

RIMScast

Jul 30, 2024 · 65:36


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

This episode of RIMScast is proudly sponsored by Hillwood. Hillwood is a leading multinational real estate development company and part of the Perot family of companies. For more information, visit Hillwood.com.

Justin Smulison interviews four guests today: SORM Executive Director Stephen Volbrecht, SORM Division Chief of Strategic Programs James Cox, SORM Chairman of the Board of Directors Gerald Ladner, Sr., and DFW RIMS Chapter Board Member Penni Chambers. The discussion covers the various roles of Stephen, James, and Gerald in SORM, the purpose and development of SORM over the years, and how SORM manages risks for the entire state of Texas. They also speak of the upcoming RIMS DFW 2024 Fall Conference on September 19th at the Irving Convention Center in Irving, Texas and what they will present there.

Listen in for ERM wisdom and a preview of the RIMS DFW 2024 Fall Conference.

Key Takeaways:
  • [:01] About our sponsor, Hillwood.
  • [:13] About this episode of RIMScast, coming to you from RIMS Headquarters in New York. Our guests are from the Texas State Office of Risk Management.
  • [:37] First, let's talk about RIMS Virtual Workshops. The full calendar of virtual workshops is at RIMS.org/VirtualWorkshops. August 15th kicks off the three-part series, Leveraging Data and Analytics for Continuous Risk Management. Other dates for the Fall and Winter are available on the Virtual Workshops full calendar at RIMS.org/VirtualWorkshops.
  • [1:01] Let's talk about prep courses for the RIMS-CRMP. The next virtual offering will be on August 7th and 8th, a RIMS-CRMP Exam Prep along with Utah Valley University.
  • [1:13] The next RIMS-CRMP-FED Exam Prep course will be hosted along with George Mason University on December 3rd through 5th, 2024. Links to these courses can be found on the Certification Page of RIMS.org and in this episode's show notes.
  • [1:28] Registration opened for the RIMS Canada Conference 2024, which will be held from October 6th through the 9th in Vancouver. Visit RIMSCanadaConference.ca to register. All RIMS regional conference information can be found on the Events page at RIMS.org.
  • [1:47] We would like to extend a big "Thank You" to today's sponsor, Hillwood. Hillwood is a leading multinational real estate development company and part of the Perot family of companies. Hillwood's diverse portfolio includes industrial, logistics, corporate offices, retail, aviation, and multi-family housing developments.
  • [2:05] Notably, Hillwood's Alliance Texas project has generated over 66,000 jobs and a $120 billion economic impact. Hillwood operates in 65 markets across North America and Europe, constantly seeking opportunities to create vibrant communities and deliver value to its partners.
  • [2:23] Hillwood specializes in e-commerce industrial development, serving some of the world's largest retailer brands. Its residential communities division is dedicated to creating truly unique, master-plan communities. In 2023, Hillwood sold 2,141 homes in its communities and delivered nearly 1,500 lots to builders with more than 3,800 lots in the pipeline for 2025.
  • [2:45] Hillwood is also leading the development team for Goldman Sachs's new facility in uptown Dallas. As a privately owned company, Hillwood prioritizes long-term sustainability: social, economic, and environmental. For more information, visit Hillwood.com.
  • [3:05] Today we will be joined by leaders of the Texas State Office of Risk Management. They will participate in a panel discussion on September 19th at the DFW RIMS Annual Conference and Event.
  • [3:18] They're a fabulous chapter and that event will be held at the Irving Convention Center in Irving, Texas. A link is in this episode's show notes. Visit DFWRIMS.org for sponsorship opportunities and registration information.
  • [3:31] Our guests today will discuss what it takes for the Texas State Office of Risk Management to function, how they prepared for and reacted to Hurricane Beryl in July, and we'll talk ERM and how some of their military experiences have enabled them throughout their risk careers and at the Texas State Office of Risk Management (SORM).
  • [3:55] SORM Executive Director Stephen Volbrecht, Division Chief of Strategic Programs James Cox, and Chairman of the Board of Directors Gerald Ladner, Sr., welcome to RIMScast!
  • [4:54] Stephen Volbrecht is the State Risk Manager for Texas and Executive Director of SORM. The office administers the Enterprise Risk Management Program, the Insurance Management Program, the self-insured Workers' Compensation Program, and the Continuity of Government Operations Program. Those are the four key missions of the Texas SORM.
  • [5:58] Gerald Ladner, Sr. has been in the industry for 42 years and successfully navigated four hard markets. He has played roles with global and domestic U.S. insurance companies and is still engaged with the industry even though he's semi-retired.
  • [6:29] Gerald has also served as a broker. He has insured prominent clients like the Coca-Cola Company, the City of Atlanta, Fulton County, and The Southern Companies. He quoted on the Boston Artery Tunnel Project, which capped the global reinsurance industry supply. Gerald's last assignment was as a Regional President at State Auto Insurance Company.
  • [6:52] Gerald is involved today in independent board work, as well as serving his Alma Mater, and has served as Insurance Commissioner Appointee for the Texas Property and Casualty Guarantee Insurance Association, as well as the Texas Medical Liability Joint Underwriting Association. Gerald's term as Chairman of the Board at SORM expires in 2027.
  • [8:01] James Cox is the Division Chief of Strategic Programs at SORM. His job is to take the vision that Gerald has and the strategic view that Stephen has and make them applicable to the Texas state agencies. He does the daily work that supports their vision and mission. He has an insurance adjuster license, an agent license, a notary, and a risk manager license.
  • [9:40] Stephen Volbrecht has been with SORM for more than 20 years in various roles. He joined in 2001, just before 9/11. The office was created in 1996 and went into operation in 1997. It was created to get workers' compensation costs under control for Texas state employees.
  • [10:37] At that time, the Office of the Attorney General, Workers' Compensation Division, paid Workers' Compensation claims while the Department of Insurance, Division of Health and Safety, had the Texas Workers' Compensation Commission. The two agencies didn't communicate directly.
  • [11:38] Texas combined the Attorney General's Workers' Compensation Division and the Department of Insurance's Workers' Compensation Commission and created the State Office of Risk Management.
  • [11:49] Within two years, they had dropped Workers' Compensation costs by over $30 million, and not by denying claims or cutting corners. They paid claims more timely, stopped disputing claims, and prevented injuries from happening through risk management.
  • [12:30] They continually put pressure on costs, even as medical inflation rises. Texas pays about $40 million a year for accidents and injuries. Because of success with Workers' Compensation, SORM now has three additional missions: the Enterprise Risk Management Program, the Insurance Management Program, and the Continuity of Government Operations Program.
  • [13:42] SORM worked with the Federal government to design the Texas Continuity of Government Operations Program, helped the State Legislature adopt it, and then was tasked with implementing it. Gerald Ladner and James Cox use their industry knowledge to develop procedures and frameworks for the Insurance Management Program.
  • [14:58] SORM is a fundamentally different agency than the office Stephen joined in 2001 because the scope of its mission set has expanded greatly over the 20-plus years.
  • [15:32] SORM is a fairly large office compared to what other states might have. It's an office of specific subject matter experts over each of the domains it covers. It has a broad scope, including Enterprise Risk Management.
  • [16:02] Gerald says SORM has a small board of five members responsible for strategic guidance, governance, innovation, leadership, risk management, stakeholder engagement, performance monitoring, and mentorship to the executive team. The board can decide quickly and anticipate the areas of risk they need to look at and how the organization will address them.
  • [16:45] Justin takes a brief break and thanks Hillwood for sponsoring this episode. Hillwood operates in 65 markets across North America and Europe, constantly seeking opportunities to create vibrant communities and deliver value to partners. Visit Hillwood.com for more information and to seize those opportunities.
  • [17:08] Justin also dives deeper into the RIMS DFW 2024 Fall Conference and Spa Event that will be held on September 19th and 20th in Irving, Texas. Here to tell us a little bit more about it is an omnipresent force among DFW RIMS members: Penni Chambers, welcome back to RIMScast!
  • [17:34] This episode is airing almost four years after Penni made her RIMScast debut. A lot has changed in four years!
  • [18:20] Penni is Vice President of Risk Management at Hillwood. She is in charge of a team of two that maintains, procures, and does all things insurance for all of Hillwood and its enterprise companies, including land and cattle, oil and gas, and aviation.
  • [18:52] Penni's role at RIMS has changed. She is serving the constituents of the RIMS chapters and members by being a proud board director. Penni is a lifelong member of DFW RIMS and a former president, serving a term in 2019.
  • [19:30] Penni will moderate the kick-off session of the RIMS DFW 2024 Fall Conference on September 19th at the Irving Convention Center in Irving, Texas. She will be moderating a panel with today's guests from the Texas State Office of Risk Management: Stephen Volbrecht, Gerald Ladner, and James Cox. There will be so much talent and knowledge on that panel!
  • [20:09] Penni is so excited to moderate this panel. They will go through the who, what, when, where, and why for this panel. They will talk about governance and the legislative process, and how they manage and procure their liabilities and assets. Texas is huge. These gentlemen have a great responsibility. Penni is excited to get to interview them!
  • [21:04] Besides this panel, attendees can also expect workshops, a risk managers' luncheon, and other speakers and presenters. On Friday, the 20th, they have a Spa Day. The Spa Day is one of the things that sets the DFW annual conference apart. Chill out a bit at the DFW RIMS Annual Conference. They go big on this deal!
  • [22:04] Registration is open to members and non-members. Join the DFW RIMS for two days of fantastic events! Enticed? Go to DFWRIMS.org for more information and to register.
  • [22:42] Penni says they are so excited to have everyone who is joining them for this event. This is going to be one of the best DFW RIMS Annual Conferences they have ever had!
  • [22:52] Justin thanks Penni and looks forward to seeing her at the 2024 Fall Conference and Spa Event hosted by the DFW RIMS Chapter on September 19th and 20th! Visit DFWRIMS.org for more information. A link is in this episode's show notes.
  • [23:10] Let's return to Justin's interview with the Texas State Office of Risk Management.
  • [23:22] Gerald compares the challenges of his current position to those of the senior leadership roles he has held at insurance companies. It's an opportunity to educate and inform the public in terms of what they do to deal with the issues that emerge in a new area of risk. Gerald says that fortunately, he has been able to survive all the challenges of a very tough business.
  • [24:02] The leadership at SORM focuses on retention, making sure that the team's service to the state is valued and that they have unique growth opportunities. SORM is essentially an insurance company with brokered services.
  • [24:38] They have to make sure the products that are offered are current and forward-leaning, with the metrics in place for timely delivery of services for injured employees. Gerald speaks of how quickly SORM responded to the pandemic.
  • [25:10] Stephen Volbrecht adds that it's important to understand that SORM is, at the foundation, a service organization. They exist to offer support to state agencies for their risk management concerns and objectives. SORM operates as a consultant, assessor, and advisor. SORM is not a regulatory agency, enforcement agency, or auditor. It's 100% about service.
  • [27:13] Beryl was a Category 1 hurricane. James Cox says he joined SORM when Harvey was hitting the coast. That's where the preparedness started for Beryl. Before Beryl hit land, SORM was implementing the things they did post-Harvey.
  • [28:05] Stephen speaks of resilience. You can't prevent an Act of God. He cites the 9/11 Commission. Their primary finding was that the most important failure was one of imagination. Leadership failed to appreciate the gravity of the threat. SORM has the approach never to underestimate what can happen. Uncertainty is at the basis of all risk.
  • [29:41] Anticipate the worst-case scenario, prepare for that, and go from there. SORM ensures that every state entity under its jurisdiction has an updated and validated Continuity of Operations Plan. You can't prevent a disaster but you can mitigate it. There are lessons learned not just from Harvey but from the freeze events that hit Texas for three years running.
  • [30:34] There are mitigation efforts that get put into place after we learn our lessons. Use after-action reports. What failed? Don't do that again. What succeeded? Do more of that! Texas put in dams to prevent inundation of water. They put in automated systems for dampers on air conditioning for the freeze events.
  • [31:07] They went steps further in responding to situations based on risk management reviews and assessments to have product and service contracts and materials pre-staged for when these events happen so that you can bring up your services within hours, not weeks. That has a direct cost impact and an impact on the individuals that are being affected.
  • [31:38] SORM has saved hundreds of millions of dollars in downtime and both direct and indirect expenses compared to where they found themselves as recently as Harvey. You can value the ROI in cost avoidance by comparing years without risk management controls and the years after risk management controls have been implemented.
  • [32:56] James comments about Hurricane Beryl and after-action reports. An internet provider in the area went down, causing restaurants to only take cash. Agencies need the ability to switch from one carrier to another depending on whether the carriers are operating.
  • [34:04] Gerald says the board looks forward to the strategic plan that the executive director shares with them, and they have the opportunity to acid-test it to make sure they are covering all the areas so they don't have a failure of the imagination. The board maintains the culture and listens to the employees. They invite employees to attend board meetings. They get a full house.
  • [34:56] It shows the employees an alignment between the board and the leadership team. The board gives the executive performance review and the employees will hear areas of outstanding work and areas to focus on in the future. The board seeks to maintain that alignment.
  • [35:32] It's RIMS plug time! Webinars! Servpro makes its RIMS Webinars debut on August 8th with Hurricane Preparedness in 2024: Innovations and Strategies to Protect Your Organization.
On August 27th, Riskonnect returns to discuss How To Successfully Deploy AI in Risk Management. [35:57] On September 12th, Hub International returns to deliver the third part of their Ready for Tomorrow series, Pivot and Swerve Staying Agile During Shifting Market Dynamics.  More webinars will be announced soon and added to the RIMS.org/Webinars page. Go there to register. Webinar registration is complimentary for RIMS members! [36:20] We would like to express our thanks to Hillwood for sponsoring this episode of RIMScast. Hillwood is a leading multi-national real estate development company and part of the Perot family of companies. Their diverse portfolio includes industrial, logistics, corporate office, retail, aviation, and multi-family housing developments. [36:43] Hillwood operates in 65 markets across North America and Europe, constantly seeking opportunities to create vibrant communities and deliver value to partners. Seize those opportunities by visiting Hillwood.com. [36:59] Let's return to my interview with Gerald Ladner, Sr., Stephen Volbrecht, and James Cox of the Texas State Office of Risk Management. [37:28] James is a veteran of the U.S.A.F. Stephen is a Captain in the Judge Advocate General Corps. Justin thanks them for their service and asks how those experiences lend themselves to effective risk management. [38:02] James says no matter the specialization in the military, the military does very well operating in high- or higher-risk environments. They drill mission and safety in equal parts. The military mindset is understanding the chain of command, codes, and standards, and what you are basing your risk on. If you don't know the accepted way to do a thing, it is a risk nightmare. [38:49] James has found that using his military background, he knows where to look for how to treat a type of risk. That background transitions easily to risk management. [39:18] Gerald's father did three tours in Vietnam. His daughter went to West Point and was in Iraq. 
He understands the military mindset. It reflects the strengths we now find in the SORM organization with clear chains of command but also an environment where associates can come forward and bring their issues and opportunities. [40:18] Stephen and James are on the Technical Advisory Group (TAG) for ISO 31000. Stephen says the ISO 31000 framework and other ERM frameworks are essential for SORM. Risk management is about decision-making. The ISO model is that risk is always negative. What you are trying to do is avoid the bad things. [42:43] Stephen says the effect of uncertainty on objectives can be positive, negative, or neutral, whether it's an opportunity, an obstacle, or an obligation. That's where ISO 31000 comes in. For some time, Texas was the only state to adopt ISO 31000 as the state ERM standard. They did it through the utilization of guidelines written in collaboration with contributors. [43:29] They're called the Texas Enterprise Risk Management Guidelines. They don't tell people what to do but they give people a framework for how to answer questions of risk and make decisions. The meta-framework of the guidelines is called Governance, Risk, and Compliance (GRC), developed by OCEG, the Open Compliance and Ethics Group. [44:23] The meta-framework of GRC is that enterprise risk is about critical disciplines. That's the true enterprise risk model. It deals with governance and oversight, Gerald's role; and strategy and performance, James's role. Risks and decisions, compliance and ethics, security and continuity, audit and assurance; each of these domains has to be integrated into an ERM model. [45:00] SORM uses ISO 31000 as it is sufficient to their needs, but they still pull from other standards, such as COSO or SERM. [45:58] James says it's not necessarily the brand of framework you choose that is important. It's the vocabulary that you need to understand. 
SORM picked ISO 31000 and all the state agencies they work with took a course in it so they all had the same vocabulary. As long as everyone understands the standard, they can apply it. [46:44] The Texas Enterprise Risk Management Guidelines are known as the TERM-G or TERM Guidelines. [47:24] Gerald has a degree in psychology. It was a soft skill that was sought when he entered the workforce. There's a lot of stress on employees and it's important for the leadership team to have the right skill set to work with stressed employees and meet some of their needs. Gerald recalls Enron and the need to make hard choices about ethical behavior. [51:03] Gerald has had an extensive relationship with RIMS. He reminisces about attending RISKWORLD many times when he was with Zurich and cutting deals on the floor. We're in a world where change is increasing and the ability to get fresh, insightful information allows organizations like SORM to think through the next round of strategies to manage the risks. [52:23] Gerald knows the value in RIMS and looks forward to participating in this upcoming panel at DFW. [52:33] Gerald, Stephen, and James will be at the RIMS DFW Conference in September. Gerald will discuss the macro forces at work that have the potential to impact loss cost for SORM, and the state of the reinsurance market, which is linked to SORM's ability to get property capacity. [53:06] Gerald says they want to talk about the interplay between risk managers and the boards they report to. Boards are taking a harder look at risk managers. Boards don't like surprises. It takes quality communication with the board. There also has to be strong orientation of new board members so they can act as proactive business partners as they face the challenges. [53:56] Also, an ongoing discussion about broadening risk appetite and tolerance, the importance of parametric insurance, and understanding how the market is behaving. 
Capacity is being contracted in Florida and the Gulf states and there have to be additional ways of dealing with risk. SORM provides good advice-based education on the proper coverages needed. [55:09] James will talk about how, when he was a new risk manager years ago and risks were new to him, through RIMS, he was connected with a host of individuals who had seen the same risks every day and were veterans of it. RIMS is a support system for a new risk manager. [55:22] He will speak of the tools RIMS provides, like the benchmark surveys, white papers, and articles, like the Hurricane Preparedness 2024 article, that came out 15 days before Beryl was approaching across the Gulf. SORM is similar to an insurance carrier in Texas, except they want to look at your risk model, policies, and procedures. If there's a gap, then get insurance. [56:31] SORM is not in it for profit but for protection and what's best for the state of Texas. [56:43] Stephen will talk about his relationships with RIMS over the years, the relationships he has established, and the outstanding resources that are available. He finds the compensation report a bit of a downer, though, personally, working for the State Government! [57:32] RIMS and associations like RIMS are essential for upholding high ethical standards and integrity in the profession and are also important for self-governance. When professionals agree on high standards of operation, that keeps the government out of your business. Stephen also talks about other aspects of SORM that people may not know about. [59:41] There are big risks on the horizon that could be talked about, like climate change, cybersecurity, artificial intelligence, political risk, civil unrest, inflationary pressures, global market volatility and alternative risk financing, and the pandemic moving into endemic with massive economic and societal impacts. [1:01:20] Justin thanks Gerald Ladner, Sr., Stephen Volbrecht, and James Cox for being on RIMScast. 
Anyone who wants to hear more from SORM will travel out to Dallas on September 19th for the DFW RIMS Annual Meeting! Justin will be there and looks forward to seeing them in person, hearing what they have to say, and shaking their hands for a big group shot! [1:01:57] Special thanks again to all of our guests from the Texas State Office of Risk Management, Gerald Ladner, Sr., Stephen Volbrecht, James Cox, and of course, former DFW RIMS President, Penni Chambers, who was also on the RIMS Board of Directors. The DFW RIMS Fall Conference and Spa Event will be held on September 19th and on the 20th is Spa Day. [1:02:24] Visit DFWRIMS.org to register. [1:02:27] Extra special thanks to our sponsor Hillwood. Hillwood is a leading multi-national real estate development company and part of the Perot family of companies. Hillwood's diverse portfolio includes industrial, logistics, corporate, office, retail, aviation, and multi-family housing developments. [1:02:43] Notably, Hillwood's Alliance Texas project has generated over 66,000 jobs and a $120 billion economic impact. Hillwood operates in 65 markets across North America and Europe, constantly seeking opportunities to create vibrant communities and deliver value to its partners. Visit Hillwood.com for more information. [1:03:07] It's Plug Time! The RIMS App is available to RIMS members exclusively. Go to the App Store and download the RIMS App with all sorts of RIMS resources and coverage. It's different from the RIMS Events App. Everyone loves the RIMS App! [1:03:42] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate! Contact pd@rims.org for more information. [1:04:26] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. 
Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [1:04:43] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [1:04:59] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org. [1:05:21] Thank you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:
DFW RIMS 2024 Fall Conference and Spa Event | Sept 19‒20
About our sponsor, Hillwood: Hillwood.com
RIMS Canada Conference 2024 — Oct. 6‒9 | Registration is open!
RISKWORLD 2025 will be in Chicago! May 4‒7
RIMS DEI Council
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS Strategic & Enterprise Risk Center
NEW FOR MEMBERS! RIMS Mobile App
Spencer Educational Foundation — Funding Their Future Gala 2024

RIMS Webinars:
Hurricane Preparedness in 2024: Innovations and Strategies | Sponsored by ServPro | Aug. 8, 2024
How to Successfully Deploy AI in Risk Management | Sponsored by Riskonnect | Aug. 27, 2024
HUB Ready for Tomorrow Series: Pivot and Swerve — Staying Agile During Shifting Market Dynamics | Sept. 12, 2024
RIMS.org/Webinars

Upcoming Virtual Workshops:
Leveraging Data and Analytics for Continuous Risk Management (Part I) 2024 — Aug 15
See the full calendar of RIMS Virtual Workshops
RIMS-CRMP Prep Workshops

Sponsored RIMScast Episodes:
“Partnering Against Cyberrisk” | Sponsored by AXA XL (New!)
“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh
“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos
“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL
“Elevating RMIS — The Archer Way” | Sponsored by Archer
“Alliant's P&C Outlook For 2024” | Sponsored by Alliant
“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response
“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.
“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response
“Cyberrisk Outlook 2023” | Sponsored by Alliant
“Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD
“Insuring the Future of the Environment” | Sponsored by AXA XL
“Insights into the Gig Economy and its Contractors” | Sponsored by Zurich
“The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster

RIMS Publications, Content, and Links:
RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS-CRMP Stories — New interviews featuring RIMS Risk Management Honor Roll Inductee Mrunal Pandit!

RIMS Events, Education, and Services:
RIMS Risk Maturity Model®
RIMS Events App: Apple | Google Play

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guests:
Stephen Volbrecht, Executive Director for the State Office of Risk Management (SORM)
James Cox, Division Chief of Strategic Programs (SORM)
Gerald Ladner, Sr., Chairman of the Board of Directors (SORM)
Penni Chambers, former DFW RIMS president and RIMS Board Chairperson

Tweetables (Edited For Social Media Use):
The cheapest injury that you ever have is the one that doesn't happen. — Stephen Volbrecht
Our approach is never to underestimate what can happen. Uncertainty is at the basis of all risk; not understanding what the consequences may be. So what you do is you anticipate the worst-case scenario, you prepare for that, and then you go from there. — Stephen Volbrecht
No matter the specialization in the military, the military does very well operating in high- or higher-risk environments. They drill mission and safety in equal parts. — James Cox
We're in a world where change is increasing and the ability to get fresh, insightful information allows organizations like SORM to think through the next round of strategies so that we can manage the risks. — Gerald Ladner, Sr.

InfosecTrain
What is RSA Archer Questionnaire

InfosecTrain

Play Episode Listen Later Jul 25, 2024 3:59


The RSA Archer Questionnaire is a key component of the RSA Archer Suite, specifically designed to enhance an organization's Governance, Risk Management, and Compliance (GRC) processes. It empowers organizations to generate, administer, and manage questionnaires, surveys, assessments, and other data collection processes efficiently and securely. 

PLANETA: O Podcast do Líder com Carlos Hoyos
#187 - Rethinking Reference Models and Certifications with Tiago Martins

PLANETA: O Podcast do Líder com Carlos Hoyos

Play Episode Listen Later Jul 14, 2024 61:31


Carlos Hoyos (https://www.linkedin.com/in/carloshoyoslde/), business advisor, international executive coach, CEO/Founder of the Elite Leader Institute (https://eliteleaderinstitute.com/) and host of the Podcast Líder de Elite, spoke live with Tiago Martins (https://www.linkedin.com/in/tiagomartins-compliance/), Executive and Certification and Compliance Professional. Discover valuable insights on how to build elite leadership and on the challenges of the certification market. Don't miss this opportunity to learn from someone who knows the subject!
◾ Tiago Martins's personal and professional trajectory
◾ Experience and motivations in the certification field
◾ Importance and impact of disruptive certifications
◾ Definition of reference models and the certification process
◾ Examples of compulsory and voluntary certifications
◾ Differences between certifications of products, companies, and people
◾ Challenges and trade-offs in certification projects
◾ Maintaining the quality and value of certifications
◾ Importance of independent certification bodies
◾ The trivialization of coaching and how to avoid it
◾ Building an effective reference model and certification
For those who want to deepen their knowledge of leadership and certifications, this episode is full of must-hear insights. Listen now and discover how to build a more solid and credible future for your career and your company. Don't miss it! Tiago Martins is a Production Engineer with postgraduate degrees in Finance, Economics, and Sustainability Management. He holds certifications as an Advisory Board Member in Brazil (AdCM®) and as a Board Director with International Certification (PRO.DIR™ – Canada), and is a Certified Risk Manager through the University of Toronto – Canada. He is also certified by FIBA, in partnership with Florida International University – College of Business, as an Anti-Money Laundering Certified Associate (AMLCA).
In a 25-year career, Tiago has 20 years of experience as a manager and specialist in quality and compliance in the oil and gas sector. Over the last 10 years, he founded and has led BRA Certificadora (https://bracertificadora.com.br/), a boutique company focused on premium certifications, assessments, training, and audits. BRA Certificadora is the market leader in local-content and product certifications and a reference in Governance, Risk, and Compliance (GRC), standing out for its pioneering work and innovation in assessments and certifications in areas such as Anti-Corruption Compliance and Data Protection. #podcast #referência #certificação #conselho #coaching #modelos #negócios #liderança

CISO Stories Podcast
Deep Dive in GRC: Know Your Sources - Jonathan Ruf - CSP #182

CISO Stories Podcast

Play Episode Listen Later Jul 9, 2024 30:46


As organizations grow, there comes a time when managing by Excel spreadsheets is no longer feasible, and accurate data sources, regulations, and risk need to be accurately reflected within Governance, Risk and Compliance (GRC) tools. Reporting to the board must be based upon accurate information. Join us as we discuss the important aspects of forming a GRC program.
Segment Resources:
Webcast: https://www.scmagazine.com/cybercast/the-regulatory-landscape-in-2030-what-you-need-to-know
Podcast (Enterprise Security Weekly): https://www.scmagazine.com/podcast-segment/11416-the-rise-of-regops-the-need-for-compliance-automation-travis-howerton-esw-313
News/interview: https://www.scmagazine.com/news/generative-ai-not-just-revolutionary-but-evolutionary
This segment is sponsored by RegScale. Visit https://cisostoriespodcast.com/regscale to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-182

Corruption Crime & Compliance
Dottie Schindlinger on Diligent's Report on Board Oversight of Cybersecurity Risks and Performance

Corruption Crime & Compliance

Play Episode Listen Later Jun 24, 2024 28:46


Dottie Schindlinger is Executive Director of Diligent Institute, the global corporate governance research arm of Diligent - the largest SaaS software company in the Governance, Risk, Compliance (GRC), and ESG space. She co-authored the book Governance in the Digital Age: A Guide for the Modern Corporate Board Director, co-hosts “The Corporate Director Podcast,” and co-created Diligent Institute's Certification programs for directors and executives, including AI Ethics & Board Oversight. Dottie was a founding team member of the tech start-up BoardEffect, acquired by Diligent in 2016. She graduated from the University of Pennsylvania and is a Fellow of the Salzburg Global Seminar Corporate Governance Forum.
Diligent and Bitsight recently issued an important report on corporate board oversight of cybersecurity risks. Dottie Schindlinger, Executive Director of Diligent Institute, joins Michael Volkov to discuss the important findings of Diligent's report.
You'll hear Dottie and Michael discuss:
- Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings. On average, the Total Shareholders' Return (TSR) over three and five years for companies in the advanced security performance range is approximately 372% and 91% higher, respectively, than their peers in the basic security performance range.
- Companies with a specialized risk or audit committee had higher security performance ratings on average. Companies falling within these two categories have an average security rating of 710, whereas companies lacking both committees have an average security rating of 650. The findings also suggest that the distribution of security ratings among companies with specialized risk and audit committees tends to skew towards the advanced security performance range, whereas companies lacking either of these committees tend to skew toward the basic security performance range.
- Having a cybersecurity expert on the board is not enough. Integrating a cybersecurity expert into the board committee tasked with cybersecurity risk oversight makes a significant difference in an organization's performance. Merely having a cybersecurity expert on the board does not correlate to having a higher security performance rating.
- Highly regulated industries tend to outperform other industries in terms of cybersecurity performance. Of the companies with advanced-level security performance ratings, a full third (33%) came from the financial services sector – with an average rating of 720. The sector with the highest average rating overall was healthcare at 730. Nearly a quarter (24%) of companies with basic security performance ratings came from the industrial sector.
Resources:
Dottie Schindlinger on LinkedIn
Diligent Institute | Diligent | BoardEffect
The Report can be downloaded at: Cybersecurity, Audit and the Board Report
Michael Volkov on LinkedIn | Twitter
The Volkov Law Group

The Virtual CISO Moment
S6E32 - A Conversation with Dr. Mike Brass

The Virtual CISO Moment

Play Episode Listen Later Jun 20, 2024 31:14


Dr. Mike Brass is the Vice President of Information Security, Data Privacy and Business Systems (CISO) at Ubisense. He is also the creator of the Udemy course Governance, Risk, and Compliance (GRC) (see https://www.udemy.com/course/governance-risk-and-compliance-grc/). He is the author of the upcoming book Governance, Risk and Compliance: Demystifying the Risk and Data Privacy Landscape, a book-length version of the Udemy GRC-Data Privacy course. In addition to GRC we cover a lot of topics, including elements that archaeology and information security share.

The Audit Podcast
Ep 194: Your CISOs Number One Concern w/ Chelsea Smith (CAJ Cyber Consulting LLC)

The Audit Podcast

Play Episode Listen Later May 28, 2024 34:17


This week, Chelsea Smith, Chief Executive Officer & Information Security Consultant at CAJ Cyber Consulting LLC, joins the show. In this episode, Chelsea shares her insights on Governance, Risk, and Compliance (GRC), emphasizing information security and business process analysis. She offers tips on enhancing information security, improving communication between Internal Audit teams and CISOs, and explores use cases involving cyber analytics. Be sure to connect with Chelsea on LinkedIn. Also, be sure to follow us on our new social media accounts on LinkedIn, Instagram, and TikTok. Also be sure to sign up for The Audit Podcast newsletter and to check out the full video interview on The Audit Podcast YouTube channel.
Timecodes:
3:08 - How a Privacy Expert Uses ChatGPT
10:21 - The Flexibility of Living Life in Sprints
14:06 - Cyber Analytics Use Case Examples
20:31 - The Impact of AI on CISOs
22:25 - Improving Communication Between Internal Audit Teams and CISOs
24:21 - Sensitive Data and the Risks of AI Tools
27:27 - Mitigating Personal Risk
30:52 - How Cyber Security Can Be Improved with Data Analytics
This podcast is brought to you by Greenskies Analytics, the services firm that helps auditors leap-frog up the analytics maturity model. Their approach for launching audit analytics programs with a series of proven quick-win analytics will guarantee results worthy of the analytics hype. Whether your audit team needs a data strategy, methodology, governance, literacy, or anything else related to audit and analytics, schedule time with Greenskies Analytics.

Find Flow
Gaining the Upper Hand in Business Through Strong GRC Frameworks

Find Flow

Play Episode Listen Later May 2, 2024 28:25


If your organization is navigating the complexities of GRC, or you need deeper insights into effective GRC strategies, do not miss this enlightening discussion with Tim Gavino. Join us as we explore how aligning GRC frameworks with business operations can serve not only to comply with necessary regulations but also to secure a competitive advantage in your industry. Today on Find Flow, we focus on the complex and ever-evolving landscape of Governance, Risk Management, and Compliance (GRC). Joined by Tim Gavino, a seasoned expert in GRC from Windward Consulting, we dive deep into the current state of GRC, the challenges organizations face, and strategies for optimal GRC implementation. Whether dealing with multinational regulatory issues or aiming to leverage GRC as a competitive advantage, this discussion sheds light on practical approaches and the necessary adaptations in today's fast-paced environments.
Tim Gavino is a Senior Architect at Windward Consulting who brings a decade of dedicated experience in GRC across various platforms and industries, including energy, financial services, and technology. His extensive work with Fortune 500 companies in highly complex environments has equipped him with a unique perspective on navigating and optimizing GRC frameworks to meet rigorous compliance requirements. Tim's expertise is especially valuable in strategizing business continuity, policy compliance, and risk management to align with evolving regulatory landscapes.
"Companies are recognizing that strong GRC is not just a cost center but an accelerator for business." - Tim Gavino
Today on Find Flow:
- The rising importance of adapting GRC frameworks to handle increased and changing regulations like GDPR, CCPA, and HIPAA.
- Overcoming challenges in GRC by implementing a centralized platform to manage risks and ensure compliance across different geographies.
- The significance of strategic investments in technologies and training to enhance organizational GRC capabilities.
- The role of AI and data analytics in advancing GRC practices by offering more streamlined and informed decision-making processes.
- The necessity of continuous monitoring and assessment to maintain an up-to-date and effective cybersecurity posture.
- Developing an integrated GRC platform that connects risks, controls, and assets improves visibility and control.
- The importance of employee training and awareness in minimizing risks like phishing attacks.
- Aligning GRC strategies with business objectives to transform GRC from a cost burden to a competitive differentiator.
Resources Mentioned:
- GDPR, CCPA, and HIPAA Regulations Overview
Find Your Flow in IT Operations
Thanks for tuning into this week's episode of the Find Flow Podcast. If you enjoyed this episode, please subscribe and leave a review wherever you get your podcasts. Apple Podcasts | TuneIn | GooglePlay | Stitcher | Spotify | Amazon Music. Please share your favorite episodes on social media to help me reach more IT Operations leaders like you. Join me on Facebook, Twitter, Instagram, and LinkedIn. For more exclusive content and information, visit our website. While you're there, don't forget to grab your free gift: The 9 Ways to Accelerate Your Service Reliability Strategy.

Celebrate Brave with Nicole Trick Steinbach
Leave Perfectionism for Career Transformation with Melissa Rauen, Director of Technology to Compliance Analysis E157

Apr 28, 2024 | 39:38 | Transcription available


"I wanted to cultivate some happiness in my life because my mind was so stuck in perfectionism and performance, and I didn't do well enough. So I was like, I need some optimism and positivity. So the question is, where did I smile today?" - Melissa Rauen

This week we dive into perfectionism and performance anxiety with guest Melissa Rauen. In one year Melissa changed almost every aspect of her life: she got married, bought a house, shifted her career, and transformed her approach to work and life. Melissa shares how she began separating her identity from performance in a way that has been pivotal in both her career and her life. Listen in for how she built simple, regular practices to foster gratitude, lower her stress, reduce her workload, and strengthen her mindset. Then we discuss the growing and demanding opportunities within the multifaceted Governance, Risk, and Compliance (GRC) career tracks.

Hot topics from this episode:
- Exploring the journey of overcoming perfectionism and performance anxiety.
- Separating identity from performance and daily practices for shift
- Career opportunities within GRC, compliance, governance, and risk management

Connect with Melissa Rauen on LinkedIn

Related Episodes:
- E51: Marcae Bryant Omosor: Clarity, Purpose and Let the World Catch Up with You; CyberSecurity, Data Protection
- E64: Clarity - Self-Concept Design

For more information on how you can build your brave career, reach out to me. Check out my website. Join my mailing list for more insights, opportunities, and inspiration. Connect with me on LinkedIn.

If you are an established woman in tech who is creating results and making an impact at work so your workload and stress just keep growing but promotions and salary bumps remain a distant dream, it is time for change. Listen, we all know the tech industry has dramatically changed. It's time your career approach did too.
You don't need cookie-cutter programs or dusty advice from outdated playbooks, because what works for tech bros won't work for you. You need individualized, bespoke support to build your brave career. One that reflects who you are as a woman in tech. I invite you to explore career coaching with me. Get all the details, including prices and client results, at TrickSteinbach.com. You can stress less, work less, and earn more. You've already earned it. Let's make it happen.

Privacy Files
Cybersecurity vs. GRC

Apr 4, 2024 | 36:33


With large data breaches making headline news nearly every week, cybersecurity is a hot topic. Recently, AT&T discovered the personal information of more than 70 million current and former customers being sold on the Dark Web. Compounding this is the fact that it takes on average nearly seven months for a corporate security and compliance team to even identify that a data breach occurred in the first place. With the average cost of a data breach in the United States hitting $10 million per incident, companies are spending more than ever to defend against cyberattacks. However, despite this, the number of data breaches happening today has never been higher.

In this episode of Privacy Files, we talk to Elvis Moreland, a Virtual Chief Information Security Officer at Blue Cyren. Elvis has an extensive background helping some of the largest companies in the world with their cybersecurity and Governance, Risk and Compliance (GRC) strategies. We talk a lot about the importance of implementing strong GRC frameworks and how cybersecurity tools alone are not enough to protect people, systems and data. With the recent AT&T and Change Healthcare data breaches making the news, we analyze what happened and how these can be prevented in the future. Elvis also talks about the risks of not conducting the proper due diligence during mergers and acquisitions, and how this can significantly increase a company's exposure to a data breach. Overall, Elvis provides great insight into how corporations approach cybersecurity and GRC, and how his decades of experience have impacted the way he handles his own personal data.

Links Referenced:
https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers
https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
https://www.varonis.com/blog/data-breach-statistics
https://www.npr.org/2024/03/30/1241863710/att-data-breach-dark-web

OUR SPONSORS:
Anonyome Labs - Makers of MySudo and Sudo Platform. Take back control of your personal data. www.anonyome.com
MySudo - The world's only all-in-one privacy app. Communicate and transact securely and privately. Talk, text, email, browse, shop and pay, all from one app. Stay private. www.mysudo.com
MySudo VPN - No personal information required to sign up. You don't even need a username and password. Finally, a VPN that is actually private. https://mysudo.com/mysudo-vpn/
Sudo Platform - The cloud-based platform companies turn to for seamlessly integrating privacy solutions into their software. Easy-to-use SDKs and APIs for building out your own branded customer apps like password managers, virtual cards, private browsing, identity wallets (decentralized identity), and secure, encrypted communications (e.g., encrypted voice, video, email and messaging). www.sudoplatform.com

InfosecTrain
The GRC Framework: A Practical Guide to GRC | Importance of GRC

Mar 29, 2024 | 52:41


In today's rapidly evolving digital landscape, the importance of Governance, Risk Management, and Compliance (GRC) cannot be overstated. Organizations across the globe are recognizing the need to integrate these critical functions to ensure operational resilience, regulatory compliance, and strategic alignment. InfosecTrain, a leader in cybersecurity and compliance training, is excited to host an enlightening session titled "The GRC Framework: A Practical Guide to GRC." This session is designed to demystify the complexities of GRC and provide attendees with a clear, actionable roadmap to implementing effective GRC practices in their organizations.

The FIT4PRIVACY Podcast - For those who care about privacy
AI Impact on Privacy, Security, and Jobs with Jan Anisimowicz and Punit Bhatia in the FIT4PRIVACY Podcast E109 S05

Mar 28, 2024 | 23:19


AI is creating an impact on privacy, security, and jobs, and this is what we discussed with our guest Jan Anisimowicz and host Punit Bhatia in this episode. We explore how technologies like ChatGPT have revolutionized data privacy practices, presenting both opportunities and challenges, and we analyze the major risks AI poses to information security and the ethical concerns that arise in the wake of AI-powered systems.

KEY CONVERSATION POINTS
00:02:48 How has AI transformed privacy practices?
00:04:00 How is AI evolution crucial to handling volumes of data?
00:04:43 What are the major AI risks?
00:06:23 Would this create ethical concerns?
00:07:53 Is the algorithm biased?
00:11:28 What is the current state of AI regulations?
00:11:28 Are they also revolutionizing cyber security? How is it working?
00:14:38 Is there consent for data usage? What are the potential solutions to ensure transparency when it comes to data processing?
00:18:00 Is there a risk that AI would take all the jobs of the people around the world?
00:20:11 Can ChatGPT substitute auditors?

ABOUT THE GUEST
Jan Anisimowicz is an experienced senior IT executive with an impressive career spanning over 23 years. Jan's expertise encompasses a wide spectrum, including Governance, Risk and Compliance (GRC), Data Warehousing, Business Intelligence, and Data Analysis. Throughout his professional journey, he has contributed significantly to the telecommunication, banking, pharmaceutical, and insurance sectors, leveraging his comprehensive business and technical acumen. He is particularly skilled in orchestrating the creation and development of IT products and services tailored to suit specific business needs. His philosophy is centered around a pragmatic end-to-end product lifecycle that seamlessly integrates various aspects such as technical design, marketing, digital campaigning, sales, solution delivery, and maintenance.
He is a proponent of lean, cost-effective approaches toward implementing regulatory requirements within organizations. His work also extends to the analytical evaluation and validation of the role of Artificial Intelligence (AI) in assisting auditors, particularly within Big Data and cloud IT landscapes. He is a firm believer in the potential of blockchain technology, particularly its capabilities with Smart Contracts concerning data privacy principles. Furthermore, he is an ardent supporter of Quantum Computing and AI, including LLM models supporting solutions akin to ChatGPT. His professional certifications include CISM and CRISC from ISACA, PMP from PMI, and membership with the Institute of Internal Auditors (IIA). Additionally, he is an ESG Approved Officer, a credential awarded by the Institute of Compliance.

ABOUT THE HOST
Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentoring and coaching privacy professionals. Punit is the author of the books "Be Ready for GDPR", which was rated as the best GDPR book, "AI & Privacy – How to Find Balance", "Intro To GDPR", and "Be an Effective DPO". Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst the top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named 'ABC for joy of life', which he passionately shares. Punit is based out of Belgium, the heart of Europe.

RESOURCES:
Websites: www.fit4privacy.com, www.punitbhatia.com
Podcast: www.fit4privacy.com/podcast
Blog: www.fit4privacy.com
YouTube: youtube.com/fit4privacy

InfosecTrain
Key Differences Between RSA Archer and ServiceNow

Mar 26, 2024 | 4:40


Navigating the intricacies of the modern business landscape places immense importance on effective Governance, Risk, and Compliance (GRC) strategies. With stringent regulatory adherence and comprehensive risk management, choosing the right GRC solutions can be a game-changer and significantly impact an organization's growth. RSA Archer and ServiceNow, two significant players in the GRC space, provide robust solutions for managing various aspects of GRC. These platforms offer various features to assist organizations in managing risk, compliance, and governance requirements. However, they have distinct features and capabilities that cater to different needs. In this article, we will examine the key differences between RSA Archer and ServiceNow to help you make an informed choice for your organization's GRC requirements.

RSA Archer
RSA Archer is a comprehensive GRC platform designed to help organizations manage various risk and compliance activities. It is commonly used for managing risks (financial, operational, compliance, IT security, etc.), ensuring regulatory compliance, and streamlining audit processes. It is suitable for organizations that need a holistic view of their risk landscape.

ServiceNow
ServiceNow is primarily known for IT Service Management (ITSM), although it offers a broader suite of tools for enterprise service management. It is often used to manage IT service requests, incidents, and projects. In the context of GRC, it is suitable for organizations that need GRC functionalities alongside robust ITSM capabilities.

View More: Key Differences Between RSA Archer and ServiceNow

Unleashed - How to Thrive as an Independent Professional
566. Craig Callé, Third Party Risk Management and Cyber Security

Mar 25, 2024 | 34:06


Craig Callé talks about third party risk management (TPRM) and cyber security. TPRM is a subset of Governance, Risk and Compliance (GRC), which aims to help organizations achieve their objectives, address uncertainties, and act with integrity. TPRM is crucial as over half of all data breaches occur through insecure third parties. Companies need to understand their relationships and monitor them more carefully, which requires a variety of tools and processes. Chris explains that third party risk management includes cybersecurity, reputation management, supply chain issues, and other risk categories such as financial liability. Cybersecurity has become the primary focus due to the numerous issues it addresses. Privacy is another important risk, with regulations like GDPR in Europe, CCPA in California, and others worldwide ensuring companies have a firm grip on consumer data. Companies must follow through with privacy regulations unless they can follow data to third parties.

Areas of Scrutiny in Third Party Risk Management
Craig mentions that ESG and sustainability are also areas of scrutiny, as companies must ensure their third parties align with their company's goals and objectives. However, he stresses that one must also be aware of laws pertaining to sanctions around the world. Issues of reputation, child labor, anti-money laundering, and bribery are also important to be attentive to, not just for their own company but also for the third parties they work with.

Defining Third Party Risk Management
Chris explains that third party risk management and enterprise risk management are all subcomponents of GRC. He mentions that the term includes outsource providers, software as a service (SaaS) apps, cloud hosts, contractors, ecosystem partners, technology partners, and counterparties. Emergency third party risk management is a broader category that includes enterprise risk management, business continuity or operational resilience, compliance, and internal compliance. Global Risk Control (GRC) includes enterprise risk management, a risk register, business continuity or operational resilience, and compliance. A risk register compiles all the potential threats that can impact a company, and it is crucial to continually build a more predictable and measurable system to achieve its objectives at the lowest possible risk.

GRC Frameworks
Craig adds that business continuity or operational resilience is an important aspect of GRC, as it involves a set of controls and risks in place to understand where the company is in the journey and be able to bounce back when bad things happen. Compliance is another area under GRC, as it involves creating a methodology for ongoing monitoring of operations and ensuring compliance with global rules and regulations. He mentions that a lot of GRC work involves picking a framework and building a program around it; for example, in cybersecurity circles, a popular standards body would be NIST, and he mentions a few others that give leaders a roadmap for achieving high standards of operation.

Governance in Risk Management Strategy
Craig states that, in the context of Global Risk Control, the governance aspect is a crucial part of the organization's overall risk management strategy and that it is set in the roadmaps that have been developed with a team for each area, such as compliance or continuity. The head of GRC is responsible for overseeing the system and ensuring that the organization operates within its control frameworks. For example, in a Fortune 500 company, a C-suite executive responsible for GRC would report to a Chief Risk Officer or CRO, with a solid line to the CEO and a dotted line to the board audit and risk committee. He goes on to explain various titles that may be given to the person in charge of GRC and why he believes there is a deficiency in putting all risks under one umbrella.

The Director of Third Party Risk Management Role Explained
The director of third party risk management might have several processes, such as onboarding new third parties, periodic audits, ongoing real-time monitoring, reporting functions, and investigating and dealing with incidents and responses. However, the responsibilities depend on the organization's level of maturity and the complexity of the process. David offers a few examples to clarify the complexity of the many situations involved that have to be taken into consideration, including the fact that risk management processes can often be seen as blockers, and additionally offers a tip on how to overcome this issue.

The Importance of Third Party Risk Management in Organizations
The discussion revolves around the importance of third party risk management in organizations. It discusses the use of questionnaires and cyber risk ratings, which are non-invasive and objective tools that help triage the community of third parties and quantify vulnerability to data breaches. These tools allow TPRM professionals to compare responses on lengthy questionnaires with objective data, allowing for deeper discussions and corrective action when necessary. The discussion also touches on the need for human involvement in the processes, as automation has become increasingly popular. AI has become an important tool for parsing through voluminous data to identify central facts. However, human involvement remains an essential element in the process.

Software for Third Party Risk Management
Craig talks about the different types of software within the third party risk management universe. Some of the essential platforms include workflow automation platforms like ProcessUnity, MetricStream, ServiceNow, LogicGate, BitSight and more. These platforms facilitate the issuance of assessments, review of responses, and routing to specific people or groups within an organization. Cyber risk ratings, which have been around for over 10 years, represent over half the market share and are now a natural complement to workflow platforms. They provide easy-to-digest results that don't require an IT certification and are not based on FICO scores or letter grades. Overall, the discussion emphasizes the importance of human involvement in the third party risk management process to ensure effective and influential outcomes.

Forecasting Improvements in the GRC Arena
Craig believes that over the next decade, the focus of third party risk management will evolve from a risk focus within GRC to a higher-level orchestration across CISOs, risk officers, and procurement people. This will lead to a more comprehensive view of risk and performance, ensuring that companies are not just scratching the surface when it comes to the risk aspects of third parties. Craig talks about the importance of selecting the right software for clients, highlighting the pros and cons of a best-of-breed approach versus a multi-module suite and a GRC-oriented suite. He explains that there are pros and cons to sharing data across modules, but there is also an opportunity for cross-sharing information across platforms. For example, if a company has a privacy module and wants to attack vendor risk, there is a natural logic to connect the data map to third parties that might pull data that needs to be aware of. However, this can be a different silo, and it can be difficult to cross-share information across platforms. He also emphasizes the need to understand the problem and inherited solutions, as well as the timeframe and budget constraints.

Timestamps:
05:15 Third-party risk management and GRC
11:57 GRC roles and responsibilities in a Fortune 500 company
16:10 Third-party risk management processes and responsibilities
21:59 Third-party risk management software and techniques
27:26 Third-party risk management and platform automation
32:21 GRC and third-party risk management

Links:
Company Website: https://sourcecalle.com/
LinkedIn: https://www.linkedin.com/in/craigcalle/

Unleashed is produced by Umbrex, which has a mission of connecting independent management consultants with one another, creating opportunities for members to meet, build relationships, and share lessons learned. Learn more at www.umbrex.com.

InfosecTrain
Importance of Governance, Risk, and Compliance

Mar 15, 2024 | 5:22


Risks are evolving quickly on a worldwide scale as a result of technology and development. The number of new business opportunities in the digital economy is expanding fast but is also becoming more challenging due to rising cyber threats. Due to the complexity of business models and processes across the enterprise, Governance, Risk, and Compliance (GRC) management processes and procedures are extremely important. So, in this article, we will discuss what Governance, Risk, and Compliance (GRC) is and why it is crucial for an organization.

What is GRC?
GRC, or Governance, Risk, and Compliance, is an integrated approach to managing an organization's policies, procedures, and regulations. It involves aligning business activities with strategic goals, assessing and reducing risks, and ensuring compliance with laws and regulations. GRC frameworks aim to enhance decision-making, promote transparency, and prevent legal and financial setbacks. GRC helps streamline processes, reduce vulnerabilities, and foster a culture of accountability by providing a holistic view of an organization's operations. It spans various industries, enabling companies to navigate complexities, protect assets, and sustain long-term success through effective governance, risk management, and compliance measures.

View More: Importance of Governance, Risk, and Compliance

CISO insiders
CISO Insiders with Jason Wolpow | Head of Cybersecurity Recruitment at Lawrence Harvey | Episode 80

Mar 5, 2024 | 35:43


In this special episode of CISO Insiders, we welcome Jason Wolpow, the head of cybersecurity recruitment at Lawrence Harvey. Jason Wolpow, together with Ben Aderet, tackles key challenges while sharing key insights on the recruitment side of the cybersecurity industry.

This special episode will tackle the following topics:
- The need for more cybersecurity practitioners.
- Positive and optimistic trends for the cybersecurity job market this year.
- Lowering and breaking down the barrier of entry into the cybersecurity industry.
- Encouraging professionals from all backgrounds to get into cybersecurity.
- Career progression in Governance, Response, and Compliance (GRC).

Here are some highlights from the podcast:
"If you're listening to this and looking for your first job within cybersecurity, please don't box yourself out and limit yourself, because there's so much more."
"At the end of the day, whether you are at the very technical domain of cybersecurity or the less-technical domain, there will still be opportunities to move up and turn into a leader."
"One of the most important things in a CISO's seat is that board interaction and the executive buy-in."
"Stay persistent. It's going to be tough; it's not always going to be fun. Some people do have very high expectations. But stick with it, because it's very rewarding."

00:36 Guest introduction and professional journey
02:46 Icebreaker questions
03:58 What do you do as the head of cybersecurity recruitment?
05:20 Biggest failure and key learnings
07:42 What is the biggest accomplishment in your career?
09:01 What is your high-level view of the cybersecurity industry as of the moment?
10:32 What is your view on the barrier of entry to the cybersecurity industry?
13:05 What is the most common entry level position that you're able to recruit for?
14:20 What are your thoughts on what would be the career path of a SOC analyst compared to an entry level position in GRC?
16:38 Advice to newcomers and anyone that wants to pursue a career in cybersecurity
18:21 What are some of the current trends in the cybersecurity industry?
20:04 What are the most crucial skills a CISO should have?
22:19 Do CISOs report to an IT organization or outside of it?
25:15 What are some key characteristics that you are looking for in different roles as compared to recruiting a CISO?
27:11 What is your advice to people taking their first steps into the industry?
29:04 What are some helpful tips to individuals that are trying to gain a foothold in the industry?
33:02 What's the best way to connect with you?
33:41 Final question and closing comments - If money was not an issue, what would you do with your life?

Get ahead in your professional journey and gain valuable cybersecurity insights. Follow GRSee Consulting and GRSee University on LinkedIn to stay updated.
#cybersecurity #podcast #careeradvice #cybersecurityawareness #cybersecuritycommunity #cybersecuritypodcast #cybersecuritysolutions #cybersecurityjobmarket #jobmarket #recruitment #specialepisode

RSA Conference
Reducing Data Exposures

Feb 29, 2024 | 19:10


Many organizations have fallen victim to data breaches and exposure. It is crucial to strengthen security as cyberattacks continue to rise. What are some strong measures to reduce the risk of data exposure? Join the RSAC 2024 Governance, Risk, and Compliance Program committee as they discuss what decision-makers need to think about from a compliance perspective.

Speakers:
Elliott Franklin, Chief Information Security Officer, Fortitude-RE
James Lugabihl, VP Security - Governance Risk & Compliance, ADP
Jamie Sanderson Reid, Director, Cyber Governance Risk & Compliance (GRC), The AES Corporation
Tatyana Sanchez, Content and Programming Coordinator, RSAC
Kacy Zurkus, Senior Content Strategist, RSAC

Certified: Certiport Educator Podcast
Exploring the World of AI with Jeff Felice and Joe Brutsche

Feb 14, 2024 | 32:15


Artificial intelligence (AI) is a hot topic of discussion in nearly every industry. We are so excited that we were able to rally two experienced experts to help us dive into the world of AI, Jeff Felice and Joe Brutsche.

As President of CertNexus, Jeff is responsible for advancing the company's mission of closing the emerging technology skills gap. With 25 years of experience within the training and certification industry, serving in general management and practice leadership roles, Jeff combines his passion for professional performance with technology to bring change within global organizations while improving the opportunities for individuals in emerging tech. When not working towards improving the lives of others, Jeff can be found doing the same for his own as an avid reader and cycling enthusiast.

Joe is a customer-focused and data-driven product management leader with a proven track record of successful product launches, fostering innovation and cross-functional collaboration. Driven and strategic, with a unique combination of Governance, Risk and Compliance (GRC) expertise, product management leadership and a passion for analytics, Joe is responsible for determining Pearson VUE's Security & Compliance, OnVUE and Analytics & Reporting product roadmaps. In addition, he leads the Artificial Intelligence (AI) Governance Committee, which promotes and oversees the responsible use of AI within Pearson VUE. Before joining Pearson VUE, he was a Risk Assurance Director at PwC, and held roles of increasing responsibility in compliance, auditing, security and third-party assurance.

During this episode, we learned all about the impact of AI in the world of IT and beyond. We discussed what information individuals should know about AI, including machine learning, generative AI, and ethical practices. If you're looking to dip your toes into the world of artificial intelligence, this episode with Jeff and Joe will help you take the plunge.

This episode is co-sponsored by the Microsoft Certified Fundamentals and IT Specialist certification programs. Get more information about Microsoft Certified Fundamentals at www.certiport.com/mcf and more information about IT Specialist at www.certiport.com/its.

Looking for more? Here are some additional resources to get you started.
Check out the full webinar recording on YouTube: https://www.youtube.com/watch?v=x_W6kV0dfvE
Get other ideas for teaching AI in your classroom on our blog: https://certiport.pearsonvue.com/Blog/2022/December/Tools-for-Teaching-Artificial-Intelligence
Connect with your fellow educators in our CERTIFIED Educator Community here: https://www.linkedin.com/groups/8958289/
Don't miss your chance to register for our annual CERTIFIED Educator's Conference at https://certified.certiport.com/

AI in Action Podcast
ServiceNow Series E145: Gordon Hazzard, GRC Practice Lead at Wholepoint Systems

Feb 7, 2024 | 15:04


Today's guest is Gordon Hazzard, GRC Practice Lead at Wholepoint Systems. Founded in 2014, Wholepoint Systems, a ServiceNow premier partner, is a new type of value-added reseller in the tech industry. They are passionate about assisting customers in identifying the best new technologies for their environments and sticking with their customers throughout the entire life cycle of their investments. This means not just selling customers technology, but providing long-term solutions to assist their customers in staying ahead of the rapidly changing tech landscape.

Gordon brings nearly a decade of extensive experience in the consulting and implementation space, specializing in Governance, Risk and Compliance (GRC) solutions. With a track record of delivering tailored GRC solutions that not only meet but exceed client expectations, Gordon is forming an elite ServiceNow implementation team built on the dual pillars of domain expertise and technical mastery. Their goal is to empower clients with scalable, sustainable and intuitive solutions that optimize business processes, increase transparency and reduce costs.

In this episode, Gordon talks about:
- His journey from GRC consulting to ServiceNow Practice Lead
- Wholepoint Systems' diverse ServiceNow solutions
- Guiding federal agencies in ServiceNow CAM, GRC and support
- How ServiceNow centralizes processes, integrates CMDB & automates for efficiency
- Investing in AI to enhance GRC automation for efficiency
- Hiring and growing exciting talent, and the company culture
- Being a premier ServiceNow partner with holistic, client-centric solutions

ConvoCourses
Convocourses Podcast: Insights and Inspirations From the GRC Field (cybersecurity)

Jan 30, 2024 | 103:57 | Transcription available


Free cybersecurity GRC information security stuff: http://convocourses.net
The video: https://youtube.com/live/v3zU7sartu0

In this power-packed episode of the Courses Podcast, dive headfirst into the multifaceted world of Governance, Risk & Compliance (GRC) with host Bruce. He unravels the ins and outs of Information Technology and Cybersecurity, addressing fantastic listener questions and adding valuable insights from his vast experience. Perfect for IT professionals or cybersecurity enthusiasts, it's a treasure trove of knowledge and a chance to interact with the experts.

Listen to Bruce as he details the challenges of vendor risk management, spotlighting industry giants like Microsoft, Cisco, and Palo Alto. Understand how vendor relationships influence risk and learn enticing strategies for risk mitigation. Plus, explore vulnerability management, software patching, and how to tackle software weaknesses with practical insights from Bruce.

Aspiring for a career in IT or Cybersecurity? Get guidance on various career paths, the importance of security frameworks like NIST 800, NIST CSF, ISO 27001, and SOC 2, plus valuable tips on certifications that can boost your career like the HCISPP. This episode is your comprehensive guide to the exciting and evolving world of IT and Cybersecurity.

Listen to the first-hand experiences of dealing with large-scale enterprise IT systems, particularly within the Department of Defense (DoD). The discussion covers everything from insecure default configurations to skilled personnel, highlighting the complexity and challenges faced in large IT operations. Take a deep dive into the basics of Information Technology (IT) and cybersecurity, from ports and protocols to the advent of AI and quantum computing. Regardless of your experience level, this conversation offers valuable insights and will inspire continuous learning.

Master the art of assessing controls and security measures in IT, learning from the best in the industry. From creating a security assessment plan to the importance of self-assessments, understand the complete picture of IT security in this informative episode. As an added bonus, gain expert book recommendations on IT and Cyber Security, learn resume-building tactics for a tough job market, and pick up hacks for maximizing your online visibility. Whether you're a seasoned IT professional or on the road to entering the IT industry, this episode of the Courses Podcast will fuel your learning journey.

CISO Stories Podcast
Reimagining Risk in the Emerging Cloud: A GRC Perspective - Solomon Ugah - CSP #156

CISO Stories Podcast

Play Episode Listen Later Jan 9, 2024 28:07


More and more services and products are being cloud-delivered. This leads to a concentration of risk in the hands of a few industry players and a few jurisdictions. It means risk needs to be addressed and thought about differently. Join us as we discuss managing cloud risk from a Governance, Risk and Compliance (GRC) perspective.
Fitzgerald, T. 2019. Chapter 1: Emerging Technologies and Trends, in CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, 1st Ed., pp. 89-127. CRC Press, Boca Raton, FL. www.amazon.com/author/toddfitzgerald.
Visit https://cisostoriespodcast.com for all the latest episodes!
Show Notes: https://cisostoriespodcast.com/csp-156

ConvoCourses
Convocourses Podcast: Introduction to governance, risk and compliance (GRC)

ConvoCourses

Play Episode Listen Later Dec 14, 2023 126:15


This is a brief introduction to governance, risk, and compliance (GRC).
Join my advanced readers team: https://booksprout.co/reviewer/team/35902/convocourses
Join the Newsletter: http://convocourses.net

FCPA Compliance Report
FCPA Compliance Report - Ryan Lougheed on Teamwork and Communication: Lessons from Esports and GRC

FCPA Compliance Report

Play Episode Listen Later Dec 11, 2023 27:36


Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Ryan Lougheed, Director of Product Management at Onspring. Ryan Lougheed has over twelve years of experience in the Governance, Risk, and Compliance (GRC) field, currently serving as the director of a platform at Onspring, a SaaS GRC platform and business process automation platform. Drawing from his background in esports, Lougheed believes that teamwork and communication are crucial in both the GRC space and the world of esports. He emphasizes the importance of effective and efficient communication, especially in high-stress situations, and believes that these skills can be carried over to a compliance-focused career. In the context of esports, Lougheed explains that communication is vital in a team of five players and that professional esports organizations provide resources such as physical trainers and sports psychologists to support their players' communication skills. He also notes that the esports industry is evolving, with larger companies creating brands around individual streamers and organizations acting as agents to help grow the streaming culture. Join Tom Fox and Ryan Lougheed on this episode of the FCPA Compliance Report podcast to delve deeper into the importance of teamwork and communication in GRC.
Key Highlights
GRC Collaboration and Communication
Streamlining compliance with Onspring's centralized platform
Streamlining Communication in High-Stress Compliance Situations
Leveraging Esports Skills for GRC Success
Resources
Ryan Lougheed on LinkedIn
Onspring
Tom Fox: Instagram, Facebook, YouTube, Twitter
Learn more about your ad choices. Visit megaphone.fm/adchoices

CTRLPhreaks
Developer Productivity Engineering (DPE), Audit, and GRC with Justin Reock

CTRLPhreaks

Play Episode Listen Later Nov 30, 2023 46:10


Clarissa Lucas and Bill Bensing interview Justin Reock about Developer Productivity Engineering (DPE) and its role in auditing and governance. They discuss the importance of measuring engineering productivity, observing the value stream, and identifying bottlenecks and impediments to productivity. They also explore the concept of proactive risk management and the need for partnership between developers and auditors. The conversation highlights the challenges of breaking silos and the potential for DPE to reduce developer toil and improve overall software quality. They conclude by reframing auditing as a way to fight cyber criminals and protect against exploitation. The conversation explores the intersection of auditing, governance, risk, and compliance (GRC) with the tech industry. It highlights the need for empathy, partnership, and bridging the gap between developers and auditors. The toxic mentality in the tech industry is also discussed.
Follow Justin:
LinkedIn - https://www.linkedin.com/in/justinreock/
X (Twitter) - https://twitter.com/jreock
Takeaways
Developer Productivity Engineering (DPE) focuses on measuring engineering productivity and addressing pain points in the software development process.
DPE involves observing the value stream, identifying bottlenecks, and applying technology solutions to improve developer productivity.
Proactive risk management is an important aspect of DPE, allowing organizations to prevent issues before they become problems.
Partnership between developers and auditors is crucial for effective DPE, breaking down silos and leveraging each other's expertise.
Reframing auditing as fighting cyber criminals can help developers see the value of auditing and governance in protecting against exploitation.
There are commonalities and opportunities for collaboration between the auditing/GRC and tech industries.
Empathy, vulnerability, and partnership are essential for effective auditing and GRC.
Developers can bridge the gap with auditors by framing conversations as part of a fuller responsibility and recognizing the limitations of software solutions.
The tech industry should overcome the toxic mentality of thinking they can solve every problem and instead embrace teamwork and collaboration.
Chapters
00:00 Introduction and Overview
01:16 Developer Productivity Engineering (DPE)
03:23 Developer Productivity Engineering (DPE) and Governance and the Value Stream
04:49 The Importance of the Build System
05:42 Developer Productivity Engineering (DPE) and Governance
07:49 Proactive Risk Management
09:03 Partnership between Developers and Auditors
09:56 The Role of Auditors in Developer Productivity Engineering (DPE)
11:29 The Challenge of Breaking Silos
21:53 The Divide between Developers and Other Departments
27:59 Reducing the Negative Side Effects of Unrestricted Development
28:24 The Role of Automation in Auditing
31:24 Reducing Developer Toil through Developer Productivity Engineering (DPE)
34:09 Partnership and Breaking Down Silos
39:07 Reframing Auditing as Fighting Cyber Criminals
40:58 Exploring the Complexity of Auditing and Governance, Risk, and Compliance (GRC)
42:16 Empathy and Partnership in Auditing and Governance, Risk, and Compliance (GRC)
43:11 Bridging the Gap between Developers and Auditors
43:40 Overcoming the Toxic Mentality in the Tech Industry
44:40 Outro & Follow Justin

InfosecTrain
What is GRC (Governance, Risk, and Compliance)? | Bridging the GRC Gap | Implementing GRC Solutions

InfosecTrain

Play Episode Listen Later Nov 30, 2023 45:55


In today's fast-paced and dynamic business environment, organizations face a multitude of challenges when it comes to managing Governance, Risk, and Compliance (GRC). Join us on an insightful journey as we explore the crucial role of GRC in creating a robust and resilient business foundation.

The Virtual CISO Moment
S5E60 - A Conversation with Esteban Ribičić

The Virtual CISO Moment

Play Episode Listen Later Nov 28, 2023 28:28


Esteban Ribičić is the Founder and Project Leader at eramba. Serving thousands of companies around the world, eramba is a popular open Governance, Risk and Compliance (GRC) application. Listen to hear the story of eramba, how it was developed to solve real problems with simplicity, and how eramba's core values center on service. www.eramba.org --- Send in a voice message: https://podcasters.spotify.com/pod/show/virtual-ciso-moment/message

Creativity Squared
Ep27. IBM & A.I.'s Promise: Why We Need Environmentally Responsible, Ethical, and Explainable A.I. with IBM's Krista Sande-Kerback

Creativity Squared

Play Episode Listen Later Nov 2, 2023 54:04


A.I. is promising the moon and the stars, but how do you actually make sense of all of it? Tune in today's episode to discover how! Krista Sande-Kerback is Marketing Leader for OpenPages which is IBM's platform for Governance, Risk, and Compliance (GRC). She is working on the upcoming major launch of watsonx.governance. Watsonx is IBM's recently announced generative A.I. platform that comes with a suite of tools for tuning large language models, a data store built on lakehouse architecture, and an A.I. governance toolkit aimed at mitigating risk associated with A.I. and protecting customers' privacy. Krista is a strategic advisor and marketing leader who has spent her career building and scaling marketing and transformation programs and providing critical insights to senior executives. She previously supported IBM's acquisition of Brazilian RPA provider WDG Automation in 2020, and has conducted market intelligence research on the latest technology trends, trained dozens of teams in Agile methodologies, and scaled a startup. Krista is an alumna of Dartmouth College and Columbia Business School. A former Fulbright Scholar to Germany, she serves on the Board of Directors for the Fulbright Association's New York Chapter. She is also a Council Officer for the Women in America professional development and mentoring organization where she is focused on increasing the proportion of women in the C-suite, boardrooms, and other prominent leadership roles. In today's episode, you'll discover how A.I. can help close the gender gap in addition to IBM's history with A.I., environmentally responsible A.I., the need for explainable A.I., IBM's SkillsBuild program, and IBM's industry-leading efforts when it comes to A.I. ethics and governance. You'll also hear what makes GenAI a game-changer and why creativity may be the ultimate moonshot for A.I., plus why businesses of all sizes should be investing in artificial intelligence now. 
EPISODE SHOW NOTES: https://creativitysquared.com/podcast/krista-sande-kerback-ibm-a-i-s-promise/  JOIN CREATIVITY SQUARED Sign up for our free weekly newsletter: https://creativitysquared.com/newsletter  Become a premium member: https://creativitysquared.com/supporters  SUBSCRIBE Subscribe on your favorite podcast platform: https://creativitysquared.com Subscribe for more videos: https://youtube.com/@creativity_squared/?sub_confirmation=1 CONNECT with C^2 https://instagram.com/creativitysquaredpodcast https://facebook.com/CreativitySquaredPodcast https://giphy.com/channel/CreativitySquared https://tumblr.com/blog/creativitysquared https://tiktok.com/@creativitysquaredpodcast #CreativitySquared CONNECT with Helen Todd, the human behind C^2 https://instagram.com/helenstravels https://twitter.com/helenstravels https://linkedin.com/in/helentodd https://pinterest.com/helentodd Creativity Squared explores how creatives are collaborating with artificial intelligence in your inbox, on YouTube, and on your preferred podcast platform.  Because it's important to support artists, 10% of all revenue Creativity Squared generates will go to ArtsWave, a nationally recognized non-profit that supports over 100 arts organizations. This show is produced and made possible by the team at PLAY Audio Agency: https://playaudioagency.com. Creativity Squared is brought to you by Sociality Squared, a social media agency who understands the magic of bringing people together around what they value and love: http://socialitysquared.com.  

Agile Ideas
#122 | Navigating the Future of GRC with AI Visionary Anthony Stevens

Agile Ideas

Play Episode Listen Later Oct 22, 2023 52:08


Join us in this captivating episode as we dive into the transformative world of Artificial Intelligence (AI) and digital transformation with a true industry pioneer, Anthony Stevens. As a former Partner and Chief Digital Officer at KPMG, Anthony brings a wealth of experience to the table. He is also the published author of "Chasing Digital: A Playbook for the New Economy."
Anthony's journey is nothing short of remarkable. From his extensive background in both publicly listed and private businesses to founding and directing high-growth tech startups, his expertise has been instrumental in shaping the digital landscape. Today, he's the CEO of 6clicks, an AI-powered Software-as-a-Service platform that's revolutionizing risk management and compliance on a global scale.
We'll also touch on his book, "Chasing Digital," which serves as a playbook for navigating the new digital economy.
Anthony's passion for technology and dedication to helping businesses leverage AI is not only inspiring but also incredibly informative. Tune in for a forward-thinking conversation that's bound to reshape your perspective on the future of business and technology. Don't miss it!
In this episode, we discuss:
Spotlight Ant's journey – from a former Partner & Chief Digital Officer at KPMG to architecting his entrepreneurial realm.
His insights on digital transformation and the power of AI
How businesses can harness these technologies to create more efficient operations
What governance, risk, and compliance are important to business
Challenges setting up a new business
The Genesis of 6clicks technology and the story behind 6clicks' creation
Explore how AI is reshaping the Governance, Risk, and Compliance (GRC) sector
and so much more...!
To connect with Ant reach out to him here: https://www.linkedin.com/in/antpstevens/ https://www.linkedin.com/company/6clicks
Thank you for listening, PLEASE share or rate this episode if you enjoyed it. It helps us a lot so we know what content you enjoy most and can create more of it! #AgileIdeas
This podcast is sponsored by Agile Management Office (www.agilemanagementoffice.com) providing high-impact delivery execution in an agile era for scaling businesses.
Thank you for listening to this podcast. We welcome any feedback. www.agilemanagementoffice.com/contact
Make sure you subscribe to our newsletter to receive access to special events, checklists, and blogs that are not available everywhere. www.agilemanagementoffice.com/subscribe
You can also find us on most social media channels by searching 'Agile Ideas'.
Follow me, your host, on LinkedIn - go to Fatimah Abbouchi - www.linkedin.com/in/fatimahabbouchi/

CYBER LIFE
Cyber Life Podcast Ep.9 - GRC Career Path with Abinash Jena - GRC Analyst Jobs

CYBER LIFE

Play Episode Listen Later Oct 18, 2023 25:59


In this episode, Abinash will share his experience working in Governance, Risk, and Compliance (GRC) and answer the famous question on if you can really get a six-figure GRC job with no experience within 24 hours, like YouTube videos claim.
Ask me a question: https://topmate.io/ken_underhill
Learn how to be successful in job interviews in less than one hour, so you can get higher job offers. https://cyberken23.gumroad.com/l/jbilol/youtube20
Schedule a mock job interview call with me at this link. https://topmate.io/ken_underhill/411153
If you need cybersecurity training, here are some good resources. Please note that I earn a small affiliate commission if you sign up through these links for the training.
Learn Ethical Hacking skills https://get.haikuinc.io/crk0rg6li6qd
Get Ethical Hacking skills, SOC Analyst skills, and more through StationX. https://www.stationx.net/cyberlife
Support this podcast at — https://redcircle.com/cyber-life/donations

InfosecTrain
What is GRC (Governance, Risk, and Compliance)?

InfosecTrain

Play Episode Listen Later Oct 13, 2023 5:16


In today's complex business environment, it is essential for organizations to establish robust processes to manage their Governance, Risk, and Compliance (GRC) obligations. The term GRC is widely used to describe a framework that enables companies to align their strategies, objectives, and operations with regulatory requirements and industry best practices. GRC encompasses a wide range of activities, including risk management, regulatory compliance, corporate governance, and information security management. This article will dive into what GRC is, why it is important, and how it can help organizations manage their risks and compliance obligations more effectively. View More: What is GRC?

InfosecTrain
Attributes to Look for in a GRC Platform

InfosecTrain

Play Episode Listen Later Oct 10, 2023 4:54


In today's fast-paced business landscape, many organizations rely on Governance, Risk, and Compliance (GRC) platforms to streamline their management processes. A robust GRC platform is an essential tool for modern organizations to effectively manage their regulatory responsibilities, risk environment, and overall corporate governance. In a complex business environment, selecting the right GRC platform is crucial to ensure streamlined operations, regulatory adherence, and mitigation of potential risks. But what are the key attributes that make a GRC platform truly effective? This article will outline the six key attributes that make a GRC platform truly effective, which can enhance your organization's risk management strategies. What are the Attributes of a GRC Platform? Navigating the intricate landscape of Governance, Risk, and Compliance (GRC) requires a comprehensive and sophisticated approach. To help you find the best GRC platform, we have compiled a list of eight essential attributes that contribute to a well-rounded and effective solution. View More: Attributes to Look for in a GRC Platform

InfosecTrain
Top GRC Tools for Your Organization

InfosecTrain

Play Episode Listen Later Oct 9, 2023 6:06


In this dynamically changing world of modern business, organizations face many challenges, such as complying with regulations, managing risks, and maintaining corporate governance. Successfully navigating these challenges requires implementing robust Governance, Risk, and Compliance (GRC) strategies. Governance, Risk, and Compliance (GRC) tools have emerged as essential assets for businesses seeking to streamline operations, ensure regulation adherence, mitigate risks, and maintain ethical standards. These tools include software solutions that assist organizations in aligning their processes, managing risk, and adhering to industry standards and regulatory frameworks. Best GRC Tools

InfosecTrain
GRC Interview Questions

InfosecTrain

Play Episode Listen Later Oct 6, 2023 5:31


Organizations today understand the crucial need for Governance, Risk, and Compliance (GRC) functions to guarantee operational effectiveness, regulatory conformity, and risk reduction in the face of a dynamic business environment. This has led to a significant need for GRC professionals. Learning answers to typical interview questions is an important part of being prepared to face a job interview in the GRC industry. Hopefully, you will be able to use the information in this article to ace your next GRC interview and land your ideal job. GRC Interview Questions and Answers

MSME TALK
Compliance Tracking

MSME TALK

Play Episode Play 53 sec Highlight Listen Later Aug 24, 2023 77:56


Episode #28 Compliance Tracking Ft. Rishi Agarwal, CEO - TeamLease Regtech, and Sandeep Agarwal, Director - TeamLease Regtech. Welcome back to MSME TALK Brand Bite. Compliance is an integral part of business. Non-compliance can have serious consequences for a business, even for SMEs, like legal penalties, reputational damage, loss of business opportunities, and disruption of operations. Therefore, SMEs in India need to establish robust compliance systems. Almost 2 out of 5 compliances for businesses in India can send an entrepreneur to jail. In Episode 28 of MSME TALK we learn how large corporates are managing thousands of compliances by using technology provided by companies like TeamLease Regtech, along with various case studies. This episode is equally important for business enterprises and professionals like CAs, lawyers, CSs, directors etc. who are supporting businesses in maintaining the compliances of their SME clients or running risk from non-compliance by their enterprises.
Rishi Agarwal is the Co-founder and CEO of TeamLease Regtech. He has served as an advisor to the Working Group of Ministers, Govt of India. He is an alumnus of IIT Varanasi and IIM Calcutta.
Sandeep Agarwal is Co-Founder and Director, TeamLease Regtech. Sandeep is an expert in the Governance, Risk and Compliance (GRC) space. He is a Chartered Accountant and Certified Information Systems Auditor (CISA) from ISACA, USA.
TeamLease Regtech, a subsidiary of TeamLease Services, is India's leading company in the regulatory technology industry (Regtech), digitally transforming compliance management for corporate India. The company has served 1,500+ corporates, 50+ industries and 25,000+ enterprise users. TeamLease Services is one of India's leading HR supply chain companies offering a range of solutions to 3500+ companies for their hiring, productivity and scale challenges. It is a Fortune India 500 company.
Happy to share that the MSME TALK Podcast has entered the Peak Ranking Chart of 15+ countries in the Apple Podcasts country-level Entrepreneurship category. It's encouraging to see the MSME TALK podcast making waves not only in India, but globally. If you are an expert or provide products or services to small businesses, MSMEs and startups, reach out to us at connect@msmetalk.com to discuss showcase opportunities on the MSME TALK podcast & social media.
Click to Subscribe to the MSME TALK Newsletter and Alerts
Spotify https://link.chtbl.com/MSME_TALK_
Dear Entrepreneurs, join the MSME TALK Community on WhatsApp.
Dear Experts/Product/Service providers for MSMEs and Startups, please share more about yourself/your products/services to bring opportunities for you.
Click to Follow us on All Social Media, Program, Podcast etc. links at one place
WhatsApp : Send hi - https://wa.me/918097665085
LinkedIn : https://www.linkedin.com/company/msmetalk
Facebook : https://www.facebook.com/msmetalk
Instagram : https://www.instagram.com/msmetalk
Twitter : https://twitter.com/msmetalk
Website : www.msmetalk.com
Contact us : connect@msmetalk.com
Your feedback, suggestions, reviews and likes motivate us. Plea...

Dr. Dark Web
Defense Against the Dark Web. Ep 02 Part I: Navigating GRC with some help from CTI

Dr. Dark Web

Play Episode Listen Later Aug 15, 2023 29:02


In the dynamic realm of cybersecurity, safeguarding against threats and adhering to regulations pose paramount challenges for organizations. In this first segment of our two-part podcast episode, we're joined by Chris Strand, Chief Risk and Compliance Officer at Cybersixgill. Leveraging his extensive background as a former security auditor, Chris imparts invaluable insights into the intersection between Governance Risk and Compliance (GRC) and Cyber Threat Intelligence (CTI).
Drawing a parallel to dental check-ups, Chris emphasizes GRC's significance in maintaining comprehensive cyber hygiene. No one jumps for joy at the prospect of an audit, much like visiting the dentist's office, but it's a crucial task that organizations must undertake. The key, according to Chris, is to make the audit process as smooth and painless as possible, akin to a quick dental check-up rather than a time-consuming root canal.
Chris delves into practical best practices that organizations can implement to streamline the audit process. He emphasizes the pivotal role of attack surface management and threat intelligence, particularly vulnerability exploit intelligence. These practices not only ensure compliance with cybersecurity mandates but also help organizations identify areas that need protection and bridge security gaps. Furthermore, they enable effective vulnerability analyses and prioritization, justifying decision-making while providing an intelligence audit trail for stakeholders and auditors.
Reflecting on the evolution of the cybersecurity landscape, Chris and Delilah discuss the shifting dynamic between risk management and threat intelligence functions within organizations. While they used to operate in separate silos, recent years have witnessed a significant increase in cooperation between these functions. This collaboration not only enhances an organization's overall security posture but also facilitates a more efficient audit process.
Tune in to the first part of this engaging podcast interview as Chris Strand brings his wealth of knowledge to the forefront. Gain insights into the strategic integration of GRC and CTI, discover practical approaches to navigating audits, and learn how organizations can foster a proactive cybersecurity culture while meeting regulatory demands.
Stay tuned for Part 2 of this illuminating conversation, where Chris dives deeper into the nexus of GRC, CTI, and the world of Generative AI.

Dr. Dark Web
Defense Against the Dark Web. Ep 02 Part II: The Promises and Perils of Generative AI for Cybersecurity

Dr. Dark Web

Play Episode Listen Later Aug 15, 2023 24:25


In this second part of our podcast episode, join us as we delve deep into the realm of Generative AI and its intricate relationship with cybersecurity and Governance Risk and Compliance (GRC). Our guest, Chris Strand, Chief Risk and Compliance Officer at Cybersixgill, brings his wealth of expertise to illuminate the promises and potential pitfalls of Generative AI in this domain.
Exploring the convergence of cutting-edge technology and security protocols, Chris and Delilah engage in a candid discussion about the profound impact of Generative AI on the cyber landscape. Unveil how Generative AI holds the potential to revolutionize cybersecurity and compliance processes, offering enhanced streamlining and optimization capabilities that empower organizations to easily navigate the audit process and bolster overall cyber resilience.
Yet, with innovation comes responsibility. Tune in as Chris and Delilah dissect the challenges and vulnerabilities associated with Generative AI. Understand the intricate dance between the advancements it offers and the potential threats it poses to cybersecurity, and delve deep into how Generative AI can potentially disrupt the availability, integrity, and privacy of critical data.
As the conversation unfolds, Chris and Delilah shine a spotlight on the regulatory intricacies surrounding the use of Generative AI. The dialogue traverses the complexities organizations may encounter as they navigate compliance within this rapidly evolving landscape.
Cybercriminals, ever vigilant, are not far behind. Chris and Delilah share critical insights into how threat actors can exploit and manipulate Generative AI solutions, not only as a tool to optimize and accelerate their malicious operations, but as a target for the attack itself.
Lastly, gain insight into the global efforts to regulate the deployment and utilization of Generative AI, and an exploration of the strategic endeavors aimed at striking a balance between innovation and security.
Don't miss out on this enlightening conversation as Chris Strand and Delilah Schwartz provide a comprehensive guide to navigating the intricate landscape of Generative AI within the realms of cybersecurity and GRC. Tune in for insights, revelations, and a deeper understanding of the dynamic forces at play.

The Cyber Revolution Podcast
Episode 23 - From cyber victim to cyber professional

The Cyber Revolution Podcast

Play Episode Listen Later Jun 28, 2023 35:30


In this episode, Adam speaks with Gabriela Guiu-Sorsa. Gabriela is currently working as a GRC consultant; she is also the founder and leader of a Special Interest Group called 'Cyber Security Champions of Tomorrow' that spans over 17 countries and aims to upskill professionals in all things Governance Risk and Compliance (GRC). She also serves as a volunteer Strategic Adviser and in the past she served as Chapter Lead for the Australian Women in Security Network (AWSN) Queensland Chapter. Connect with her on LinkedIn to gain access to her group - https://www.linkedin.com/in/gabrielasorsa/

InfosecTrain
RSA Archer Interview Questions

InfosecTrain

Play Episode Listen Later Jun 8, 2023 5:19


RSA Archer is crucial in providing a comprehensive Governance, Risk, and Compliance (GRC) platform that allows organizations to manage and mitigate risks, ensure regulatory compliance, and enhance overall security. Becoming an RSA Archer professional requires gaining relevant experience in risk management, compliance, and IT security and highlighting your skills and knowledge during the interview process. Preparing for an RSA Archer interview is essential to demonstrate expertise, knowledge, and readiness in effectively implementing and managing the RSA Archer GRC platform, increasing the chances of excelling in the interview. If you are preparing for an interview for a role involving RSA Archer, this comprehensive guide will equip you with essential knowledge and provide common questions to help you succeed in your interview process. Common RSA Archer Interview Questions and Answers

Lessons Learned for Vets
Season 3 Episode 110: Bouncing Back from Being Laid Off with Jonathan Fisher

Lessons Learned for Vets

Play Episode Listen Later Mar 15, 2023 42:26


US Army veteran Jonathan Fisher spent his military career in aviation maintenance. When he decided to retire, he also made the decision to start his next career in the IT industry. Using SkillBridge as a launching pad to land his first role with start-up company, ByteChek, Jonathan worked as an Auditor and GRC Engineer. With financial trouble looming due to economic uncertainty, Jonathan and his coworkers unfortunately lost their jobs. However, using the power of LinkedIn and relying on his network, Jonathan was hired into a new role within a week. Jonathan is no stranger to the Lessons Learned for Vets podcast. In fact, this is his third appearance. On this episode, he brings fresh perspectives on the military transition and a realization that it continues long after retirement. Jonathan started networking and connecting with people years before he retired from the military. He reached out to organizations like Veterans2Industry, Hire Our Heroes, FourBlock and Veterati and took ownership of his transition. After making the decision to dive into the IT field, Jonathan practiced the basics through CompTIA A+ and Security+ to gain a foundational knowledge of the industry. It was only after talking with mentors that he realized his military skills gave him an edge that could help him bypass an entry-level position. His previous career in aviation maintenance had given him significant experience with risk assessment, documentation management, quality assurance auditing and problem solving – skills that lined up with Governance, Risk, and Compliance (GRC) roles in IT. Accepting his first role with start-up, ByteChek, Jonathan reflects on the experiences that allowed him to grow professionally. Being the 7th hire for the company, Jonathan influenced the work culture and had the opportunity to influence future hires as a member of the interview panel. He enjoyed the diversity in his new workplace and learned how to become more inclusive. 
Jonathan played a pivotal role in the standardization and building of processes at the organization. When he lost his job due to company financial problems, Jonathan leaned into his network on LinkedIn. Within 6 days of posting his availability for a new position on LinkedIn, Jonathan interviewed and was hired into a new role. While at ByteChek, Jonathan continued to build his network with people in the IT industry. Keep your connections fresh on LinkedIn and start to build your network beyond the veteran community, even when you are happily employed. To end this episode, Jonathan urges servicemembers to make time for their families. Start building good relationships with family members and don't be afraid to reach out and seek professional help on how to be a better spouse and parent. After taking a more active role in the lives of his children, Jonathan has seen improvement in these relationships. Remember, the military transition is much more than finding a job, and it involves the whole family.
Subscribe to our YouTube channel at https://tinyurl.com/llforvets22.
You can connect with Jonathan on LinkedIn at https://www.linkedin.com/in/jonfisher11/
To learn more about how to navigate the military transition with your family, see Season 1, Episode 8 with Ben Killoy.
SUBSCRIBE & LEAVE A FIVE-STAR REVIEW and share this with other veterans who might need help as they transition from the military!

mnemonic security podcast
Enterprise Security Architecture

mnemonic security podcast

Play Episode Listen Later Jan 9, 2023 28:54


Most organisations find it challenging to protect themselves against the ever-evolving list of risks and threats. The fact that most of us do this with a limited set of resources makes this even more complicated. Knowing what you should spend your time and efforts on is far from straightforward. But hopefully this episode on enterprise security architecture can give some guidance on where to start mapping out the best path for your organisation. We're joined by both Nick Murison, CISO at Ardoq, a tool for enterprise architecture that helps companies understand the interdependencies between their technology and people, and Angel Alonso, a CISO for hire and team lead for the Governance, Risk and Compliance (GRC) department in mnemonic. During their conversation with Robby, they discuss mapping and identifying an organisation's security gaps, IT cost management, and the importance of traceability in security.
Related reading:
https://www.ardoq.com/blog/mnemonic-enterprise-security-architecture
https://www.mnemonic.io/solutions/enterprise-security-architecture/

Feds At The Edge by FedInsider
Ep. 82 Headlines in Cybersecurity–What States Should Know, Day 3: Moving to Zero Trust

Feds At The Edge by FedInsider

Play Episode Listen Later Dec 21, 2022 55:21


The three subject matter experts in this discussion give the listener a wonderful perspective on the challenges and solutions of moving to Zero Trust. The interview revolves around the tools needed to audit a network, the risks inherent in a hybrid cloud, and why a Zero Trust platform gives an agency the flexibility it needs to deploy Zero Trust effectively. Every discussion about Zero Trust for government agencies starts with trying to determine what is on your network. Smurti Shah from Michigan notes that the tools commercial organizations can use to accomplish that task may not work in a government environment. Therefore, state and local organizations must select Governance, Risk, and Compliance (GRC) solutions that are permitted. Ian Farquhar from Gigamon brings up a fascinating issue with the "discovery" aspect of network analysis: cognitive bias. For example, a systems administrator may swear on a stack of bibles that they have documented every single item on the network. Ian raises simple questions like: What about that copier? Does it ever hold sensitive documents? What about the printer? If your organization allows employees to bring in their own devices, what security implications does that bring? During the discussion, the concept of "trust" was unpacked. We know that trust applies to "who" and "what," but what about the system itself? Ian Farquhar applies trust to logging and to Cloud Service Providers (CSPs). The SolarWinds event looks like it started with the modification of the logs themselves. If you trust the logs, then you can be vulnerable to attack; one should apply Zero Trust to log controls as well. One approach to minimizing vendor lock-in is to use a hybrid cloud, but this adds complexity to an already complicated situation. The CSPs certainly do a wonderful job of telling people about the security of their cloud. Be careful to apply your own controls to that cloud environment; offloading trust to the provider can put you at risk.
All participants agreed that Zero Trust gives the flexibility to handle attacks today and in the future.

Privacy Pros Podcast
A Survival Guide For First Time Privacy Managers

Privacy Pros Podcast

Play Episode Listen Later Nov 29, 2022 39:39 Transcription Available


The Truth About Managing Privacy Teams - Renowned Privacy Expert Reveals All
Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.
In this episode, discover:
- 3 Common Pitfalls New Managers Make And How To Avoid Them
- Why Expertise Isn't The Most Important Factor When Hiring Managers
- How To Make Privacy A Competitive Advantage For Your Business
- How To Use Ethical Hacking To Prevent Cyber Attacks
And so much more...
Ross Saunders is a global privacy, defensive security, and infrastructure specialist working with numerous industries to implement privacy programs and technical infrastructure controls. With a background in IT administration, software development, and Governance, Risk & Compliance (GRC), he is able to assist in a wide range of disciplines surrounding compliance, security, and privacy, regularly assisting companies with advisory, awareness campaigns, and practical implementation of recommendations. Ross holds a master's degree in the Management of Technology and Innovation, and holds designations and certifications in privacy legislation (CIPP/E), ethical hacking (CEH v10), and paralegal practice. Ross currently serves as the co-chair of the Johannesburg chapter of the International Association of Privacy Professionals (IAPP) and is a Professional member of the Canadian Association of Professional Speakers (CAPS). In 2019, Ross published a book called "This Is Not What I Signed Up For: A survival guide for first-time managers" to help technical subject matter experts move into management roles. It is available for purchase in eBook and softcover at Amazon.ca.
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Follow Ross on LinkedIn: https://www.linkedin.com/in/rgsaunders/
Get Exclusive Insights, Secret Expert Tips & Actionable Resources For A Thriving Privacy Career That We Only Share With Email Subscribers ► https://newsletter.privacypros.academy/sign-up
Subscribe to the Privacy Pros Academy YouTube Channel ► https://www.youtube.com/c/PrivacyPros
Join the Privacy Pros Academy Private Facebook Group for:
- Free LIVE Training
- Free Easy Peasy Data Privacy Guides
- Data Protection Updates and so much more
Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro

CISO Tradecraft
#104 - Breach and Attack Simulation with (Dave Klein)

CISO Tradecraft

Play Episode Listen Later Nov 14, 2022 44:33


Special thanks to our podcast sponsor, Cymulate. On this episode, Dave Klein stops by to discuss the 3 digital challenges that organizations face:
- Cyber threats evolve on a daily basis, and this constant threat to our environment appears to be only accelerating.
- The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
- In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For example, Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.
Breach and Attack Simulation tooling addresses these 3 digital challenges by focusing on Breach and Attack Simulation, Vulnerability Prioritization, and Threat Exposure Management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:
- Managing organizational cyber-risk end to end
- Rationalizing security spend
- Prioritizing mitigations based on validated risks
- Protecting against the latest threats in near real-time
- Preventing environmental drift
Welcome back listeners and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation, then we are going to bring on our special guest Dave Klein, who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation software.
Starting from the beginning: what is Breach and Attack Simulation software and why is it needed? At the end of the day, most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public-facing websites to sell products and services. Each of these activities results in organizational assets such as IT equipment with internet connectivity. Now internet connectivity isn't a bad thing. Remember, internet connectivity allows companies to generate income, which allows the organization to exist. This income goes to funding expenses like the cyber organization, so that is a good thing.
If bad actors with the intent and capability to cause your company harm can find your company's internet-connected assets that have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the term Cyber Asset Attack Surface Management (CAASM). It's also commonly referred to as continuous threat exposure management. Essentially these two categories of tools are the latest evolution of vulnerability management tooling, with the additional benefit of ingesting data from multiple sources. They are designed to address key questions such as:
- How do we get an inventory of what we have?
- How do we know our vulnerabilities?
- How do we know which vulnerabilities might be exploited by threat actors?
Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note that Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique. Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises. Essentially you learn how bad actors can bypass your cyber tooling and safeguards. This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform.
For example, if I can take a normal user's laptop and spawn a PowerShell script or run a tool like Mimikatz to gain Domain Admin level privileges, then I want to know whether the Cyber Security Incident Response team was alerted to that activity. I also want to know whether the Incident Response team blocked or disabled this account in a timely manner. According to the 2022 Microsoft Digital Defense Report, the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes. The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes. Remember, responding to these attacks in minutes rather than hours can be the difference in how many files get encrypted when ransomware actors get into your environment.
Another thing that CISOs need to ensure is that vulnerabilities actually get fixed. How do you test that? You have to replay the attack.
You can think of fire drills as the comparison. If an organization only did one fire drill every 24 months, then chances are the company's time to exit the building isn't going to decrease all that much. It's likely to stay the same. Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with how to leave the building in a timely fashion. The good thing about Breach and Attack Simulation tools is that they have the ability to replay numerous attacks with the click of a button. This can save your penetration testing team hours over manual exploitation activities, which would otherwise have to be repeated to confirm successful patches and mitigations.
If we look at Breach and Attack Simulation software, the tools have typically come in two flavors. One is an agent-based approach. For example, a company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Prevention (DLP) software. The attack agent might look at how much data it can exfiltrate without being stopped by the DLP tool. The attack agent could also run similar tests: how much malware the antivirus detects, or how much sensitive email it can send outside the company despite there being an email protection solution. These attack agents can also be placed on servers to determine how effective web application firewalls are at stopping attacks. Essentially, having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools. Now there are a few concerns with this type of approach. One, companies don't want to add more agents across their network because agents consume critical system resources and make things slower. Two, the time it takes to install and test agents means the value you can get out of these tools is delayed, because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed. Three, by having an agent you don't always truly simulate what an attacker would do, since you don't have to live off the land and gain permissions the way an attacker would. Your agent may not be known to antivirus or EDR tools, but an attacker using Windows libraries to gain access is.
Now let's compare this with an agentless approach. This approach is quite popular, since labs where agents are run don't always look like a production environment. For example, they lack the same amount of traffic, don't possess the same amount of production data, or contain last month's versions of software.
Here the attack software may start with the premise: what happens if someone from the Accounting team opens an Excel document containing a malicious macro? Let's see how we can automate an attack after that initial compromise step occurs. Then let's walk through every technique identified by the MITRE ATT&CK framework and see what gets caught and what doesn't. The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness. This might be something simple like adding a Windows Group Policy to stop an attack. Breach and attack simulation tools can also provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred. For example, instead of just knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk signature that your SOC team can leverage. That's a great addition that minimizes the time needed to improve your alerting capabilities.
Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack. It might be as simple as "we stopped this attack before it could happen by applying the new Windows Group Policy," or "it took the team 4 hours to determine that the XYZ account had been taken over." These metrics let you know how well your response plans work. So you get the value of a penetration test with the automation and scaling of vulnerability management tools.
What's even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.
For example, most financial and health care organizations have to demonstrate evidence that IT controls are working effectively. Generally this is a manual process done by the Governance, Risk and Compliance (GRC) team within a cyber organization. GRC teams have to ask developers to provide evidence for various IT controls, such as "are you monitoring and alerting on privileged activity?" Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and that these tools actually stopped various MITRE ATT&CK techniques immediately. That evidence would minimize the data call, which takes time away from the developer teams.

The Virtual CISO Moment
Throwback Thursday for November 10, 2022 - A Conversation with Anthony Scarola

The Virtual CISO Moment

Play Episode Listen Later Nov 10, 2022 22:55


From July 26, 2022 - Anthony Scarola is an IT Governance, Risk, and Compliance (GRC) expert; has many years in cybersecurity; is a U.S. Army veteran; holds the CISSP; and is a virtual CISO. And he's writing a security book! Listen to his wisdom as it pertains to risk management and learn one mistake many may make when discussing risk with the C-suite and board of directors. --- Send in a voice message: https://anchor.fm/virtual-ciso-moment/message Support this podcast: https://anchor.fm/virtual-ciso-moment/support

The Virtual CISO Podcast
Ep 103: The Complexity of deploying a secure application in the cloud

The Virtual CISO Podcast

Play Episode Listen Later Nov 1, 2022 50:29 Transcription Available


Governance, Risk, and Compliance (GRC) platforms can be tricky to construct. Today, we sat down with an expert in this field to talk about building and deploying secure applications in the cloud. This episode features Jeff Schlauder, Information Security Executive at Catalina Worldwide, who provides answers and explanations to a variety of questions regarding deploying applications securely in the cloud, using AWS (Amazon Web Services), and much more. Join us as we discuss:
· Building and deploying secure applications in the cloud
· The logistics of web applications
· Building, operating, and maintaining secure cloud applications
· Containerized vs. non-containerized applications
· How to keep deployed applications secure
To hear this episode, and many more like it, we encourage you to subscribe to The Virtual CISO Podcast, where you can find all our full-length and short-form episodes. Listening on a desktop and can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

The Better Boards Podcast Series
Is your board adapting to a dynamically changing risk environment?

The Better Boards Podcast Series

Play Episode Listen Later Oct 20, 2022 21:49


Recent research revealed that 87% of board members believe market disruptions are becoming increasingly frequent, and 83% say they are increasingly impactful. At the same time, 79% believe risk management will be critical in enabling their organisations to protect and create value in the next five years. In this podcast, Dr Sabine Dembkowski, Founder and Managing Partner of Better Boards, discusses the risk environment with Zahra Cassim, CEO of Corporate Secretaries International Association (CSIA), and David Samy, Consulting Partner at EY Hong Kong.
"There's often not enough time on the agenda to deal with what might happen in the future"
Zahra explains that there has previously been a general lack of board focus on risk oversight. Risk has tended to be driven and managed in functional silos, resulting in a lack of a structured approach to collecting and analysing risk information. This has been compounded by the underutilisation of technology and the right tools to analyse those risks. Finally, there can often be poor communication of risk from business units through senior management to the board level.
"What the boards need to do is to prepare for a GREATER range of disruption and risk"
David believes that risk fatigue may occur in a lot of organisations. The risks are very clear, but where the board is inexperienced and there is a lack of guidance or stewardship, the board can lose focus and be unable to give long-term risks the attention they deserve.
"Risk management programmes have not caught up and have remained a very high to be static"
David cites a 2020 survey in which boards' confidence in their organisations' ability to counter cybersecurity threats was at around 20%; by 2021 this had dropped to 9%. He explains that this is an alarming decline and has a lot to do with how risk and risk management programmes are being run at present. Digital modernisation has accelerated within most organisations in the recent past, but risk management programmes have not really caught up.
"Risks are managed in silence, and so very often not communicated to the board"
Zahra explains that one of the critical tasks of the Corporate Secretary is to consolidate information, ensuring that the board is fully aware of all risks when making decisions. But they also need to ensure they integrate risks into their strategy.
"There's always a solution for every situation"
David offers some practical tips. First, start with driving awareness at the board level by identifying a risk steward, a role the governance professional or Corporate Secretary can play. His second tip is unlocking the value of ongoing digital transformation by tapping into Governance, Risk and Compliance (GRC) technology to create a single view of risk across all functions, leverage available data sources, and simplify the process, while enabling a common risk ecosystem and shared focus across the organisation.
The three top takeaways from our conversation are:
1. As trusted strategic advisors to the board, governance professionals are uniquely positioned to help the board align strategy to the regulatory landscape, technological advances, and ESG-related concerns.
2. Corporate Secretaries are increasingly approached to facilitate enterprise risk management. Their understanding of business concerns and organisational culture and their ability to be the bridge between the board and management is valuable in risk assessment and management.
3. To unlock the value of technology while minimising its risks, governance professionals must successfully build a digitally savvy and technologically advanced foundation for corporate governance.

The Virtual CISO Moment
The Virtual CISO Moment S4E30 - A Conversation with Anthony Scarola

The Virtual CISO Moment

Play Episode Listen Later Jul 26, 2022 23:27


Anthony Scarola is an IT Governance, Risk, and Compliance (GRC) expert; has many years in cybersecurity; is a U.S. Army veteran; holds the CISSP; and is a virtual CISO. And he's writing a security book! Listen to his wisdom as it pertains to risk management and learn one mistake many may make when discussing risk with the C-suite and board of directors. --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app --- Send in a voice message: https://anchor.fm/virtual-ciso-moment/message Support this podcast: https://anchor.fm/virtual-ciso-moment/support

Cybercrime Magazine Podcast
Inside Jobs. Bridging The GRC & Security Gap. Abhik Mitra, Head of Portfolio Strategy, Code42.

Cybercrime Magazine Podcast

Play Episode Listen Later May 24, 2022 12:54


In this episode of Inside Jobs, Abhik Mitra, Head of Portfolio Strategy at Code42, joins host Hillarie McClure to discuss the decades-old gap between the Governance, Risk and Compliance (GRC) committee and security, how we can bridge this gap, where Insider Risk Management can step in and help, and more. Code42 is defining data security standards for the hybrid workforce. As the needs of workforces have evolved, so have Code42's data security and insider risk management solutions. To learn more about our sponsor, visit https://code42.com/

Hacker Valley Blue
Intelligence At All Levels with John Stoner and Andy Piazza

Hacker Valley Blue

Play Episode Listen Later Apr 8, 2022 53:16


In this episode of Hacker Valley Blue, host Davin is joined by John Stoner and Andy Piazza to talk about the current state of cyber threat intelligence. John and Andy explore the gap that exists between technical team leads and security leadership, the urgent need for more entry and junior level hires in the field, as well as their favorite CTI resources and tools. Lastly, they share their tips and advice to those interested in breaking into cybersecurity.
Guest Bio:
John Stoner has over 21 years of experience in the US Intelligence Community (USIC), DOD, and national security industry with 12+ focused in cybersecurity. He has experience with Cyber Threat Intelligence (CTI), instructional design, cyber counterintelligence (CI), Defense Industrial Base (DIB) engagements, NIST 800-171 & 800-53 familiarity, Advanced Persistent Threat (APT) analysis, Risk Management Framework (RMF) and Governance, Risk and Compliance (GRC).
Andy Piazza is a threat management expert with experience across multiple fields of operations, ranging from high-level strategic management down to tactical/technical field ops. He has led diverse teams in high-stress environments worldwide, from counter-narcotics to cyber threat analysis, achieving complex mission objectives through focusing on team development and process maturation.
Links:
Thank you to our friends at Axonius and Uptycs for sponsoring this episode!
Stay in touch with John on LinkedIn
Stay in touch with Andy on LinkedIn
Connect with Davin Jackson on LinkedIn and Twitter
Watch the live recording of this show on our YouTube
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Blue

The Cipher Podcast
The Basics of Governance, Risk and Compliance

The Cipher Podcast

Play Episode Listen Later Apr 4, 2022 33:40


The goals and needs of IT and Cybersecurity are different. IT is more focused on uptime and keeping systems running. Cybersecurity is focused on reducing the risk of data breaches, ransomware and other negative impacts from threat actors. The holistic approach to balance these elements can be accomplished with effective Governance, Risk and Compliance (GRC). In this episode we discuss what benefits GRC solutions can bring to companies, how a vCISO can help, and more. Our guest is Cipher's Kevin Kurzawa, who leads GRC in the United States.
For more information on Cipher's GRC services, visit www.cipher.com/grc.

ITSPmagazine | Technology. Cybersecurity. Society
GRC Chat | A Conversation About Governance, Risk, And Compliance With Josh Jackson | 2 Cyber Chicks Podcast With Erika McDuffie And Jax Scott

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Mar 15, 2022 30:53


Have you ever wondered what the Governance, Risk and Compliance (GRC) space looks like? We are joined by our subject matter expert, Josh Jackson, for a chat that encompasses his diverse experience - from chemistry, to policy, to teaching law and governance of technology and artificial intelligence. If you're curious about the latest with CMMC, how the cloud has shaken up the GRC space or how it impacts responsibilities on the security front, check this episode out!
__________________________
Guest
Josh Jackson
Sr. Account Executive at Rackspace Technology [@Rackspace]
On LinkedIn | https://www.linkedin.com/in/joshjacksonco/
Hosts
Jax Scott
On ITSPmagazine

2 Cyber Chicks
GRC Chat | A Conversation About Governance, Risk, And Compliance With Josh Jackson | 2 Cyber Chicks Podcast With Erika McDuffie And Jax Scott

2 Cyber Chicks

Play Episode Listen Later Mar 15, 2022 30:53


Have you ever wondered what the Governance, Risk and Compliance (GRC) space looks like? We are joined by our subject matter expert, Josh Jackson, for a chat that encompasses his diverse experience - from chemistry, to policy, to teaching law and governance of technology and artificial intelligence. If you're curious about the latest with CMMC, how the cloud has shaken up the GRC space or how it impacts responsibilities on the security front, check this episode out!
__________________________
Guest
Josh Jackson
Sr. Account Executive at Rackspace Technology [@Rackspace]
On LinkedIn | https://www.linkedin.com/in/joshjacksonco/
Hosts
Jax Scott
On ITSPmagazine

Manufacturing Hub
Ep. 49 - [Dr. Heather Buker] Cybersecurity Assessment x Compliance and Beyond!

Manufacturing Hub

Play Episode Listen Later Feb 24, 2022 71:33


Guest Bio
As a technology professional, I have compliance, product, and business implementation experience with several platforms (including RSA Archer, Allgress, 6clicks, and SailPoint) across heavily regulated industries such as the financial, healthcare, technology, and manufacturing sectors primarily. My specialties encompass Product Management, Pre-Sales Engineering, Customer Implementation and Support, Regulation and Control Compliance/Mappings, Third-Party Risk Management, Policy Management, and Business Continuity. However, I have led and/or completed Governance, Risk, and Compliance (GRC) and Information Security implementations across all business use cases. I am well-versed in software development, coding, and analytics. I am passionate about bridging the gap between people and processes using technology.
Main Discussion Points
- Compliance
- Risk Assessments
- GRC
Theme: Industrial Cybersecurity
Manufacturing Hub Episode 49.
Special thanks to our sponsor Phoenix Contact for the support. The mGuard family from Phoenix Contact is designed to provide cybersecurity protection and network resilience in all rugged and industrial environments. Combining features of a stateful-packet-inspection firewall, NAT router, and an end-point security appliance, the mGuards were engineered to be both IT and OT friendly. With features such as Firewall Assistant and Easy Protect mode, the mGuards are simple to configure securely while still providing unassailable protection for your critical assets.
Recommended Materials
- Risky Business Podcast | https://risky.biz/
- The Compliance Podcast Network | http://compliancepodcastnetwork.net/
Connect with Us
Dr. Heather Buker | https://www.linkedin.com/in/heather-buker/
Vlad Romanov | https://www.linkedin.com/in/vladromanov/
Dave Griffith | https://www.linkedin.com/in/davegriffith23/
Manufacturing Hub | https://www.linkedin.com/company/manufacturing-hub-podcast/
Let Us Know What You Think
If you enjoyed the show, it would mean the world to us if you could leave us a review: https://podcasts.apple.com/us/podcast/manufacturing-hub/id1546805573
#automation #industry40

Principled
Listen again | The key to good governance? Empathy.

Principled

Play Episode Listen Later Jan 29, 2022 31:46


Abstract: “You don't want to wait until you already know that there is a culture problem to really understand the culture of your organization. You should constantly be a student of the culture of your company, because we all know nothing can destroy an organization faster than a toxic culture.” - Dottie Schindlinger

Culture is top-of-mind in the boardroom. How do you manage it and measure it? What does it look like to act decisively on culture, and what ethical implications come from those decisions? In this episode of the Principled Podcast, host David Greenberg talks about the critical role of boards in shaping ethical corporate culture with Dottie Schindlinger, Executive Director of the Diligent Institute and co-host of The Corporate Director Podcast for Diligent Corporation. Listen in as the two dig into the relationship between boards and ethics and compliance teams and discuss how that can inspire good governance. The key to success? Empathy.

Additional Resources: Report: LRN Benchmark of Ethical Culture

Featured guest: Dottie Schindlinger is Executive Director of Diligent Institute, the global corporate governance research arm of Diligent, the largest SaaS software company in the Governance, Risk and Compliance (GRC) space. She co-authored the book “Governance in the Digital Age: A Guide for the Modern Corporate Board Director” and co-hosts “The Corporate Director Podcast.” Dottie was a founding team member of the tech start-up BoardEffect, acquired by Diligent in 2016. She is the Board Vice Chair of Alice Paul Institute and is a Fellow of the Salzburg Global Seminar. She graduated from the University of Pennsylvania, and lives in suburban Philadelphia.

Featured Host: David Greenberg serves as Chair of the Governance and Risk Assessment Committee and a member of the Audit Committee of International Seaways (NYSE: INSW), one of the largest global crude oil and petroleum tanker companies. Mr. Greenberg's previous board experience (2006 to 2016) was as the independent director, and member of both the Audit and Compensation Committees, of APCO Worldwide, a private communications and government affairs consultancy, and as a director (2013 to 2016) of Clean Tech Group, which creates opportunities for industrial companies to invest in innovative, clean technology. He also served for 5 years as Chairman of the Board of Trustees of The Keystone Center, a Colorado non-profit that brings together oil, chemical and pharmaceutical companies with leading NGOs to find solutions to complex public policy challenges at the federal and state levels. Greenberg is currently Managing Director of Cortina Partners LLC, a private equity firm that owns companies in the air medical, addiction treatment, bedding, textile and outdoor recreation industries, and is CEO of Acqua Recovery, a residential drug and alcohol addiction center. He also advises boards and executive teams on strategy, compliance, leadership and culture as a Special Advisor for LRN Corporation, and from 2008 through the end of 2016 was a member of LRN's Executive Committee. For 20 years prior to 2008, Mr. Greenberg served in various senior positions overseeing government affairs, corporate affairs, communications and strategy at Altria Group, Inc., then the parent company of Philip Morris USA, Philip Morris International, Kraft Foods and Miller Brewing, culminating in his role as Senior Vice President, Chief Compliance Officer and a member of the Executive Committee. As one of five senior vice presidents of the corporation, he served on the Management Committee, which oversaw all strategy and company operations. He was also a principal architect of the company's very successful efforts to end the 'tobacco wars' which threatened the company's very existence. Earlier in his career, Mr. Greenberg was a partner in the Washington D.C. law firm of Arnold & Porter and also served as Legislative Director and General Counsel of the Consumer Federation of America. He attended Williams College and has JD/MBA degrees from the University of Chicago. Greenberg has testified before the U.S. Congress, the European Union, the Israeli Knesset and other governmental bodies over two dozen times and has appeared on ABC Nightline, the CBS Morning News, BBC Morning, and the PBS News Hour, and has spoken at leading events for CEOs and boards.

Paul's Security Weekly
Vulnerability Phone - ASW #177

Paul's Security Weekly

Dec 14, 2021 (70:15)


This week, we welcome Francesco Cipollone - CEO & Founder - AppSec Phoenix Ltd, to discuss DevSecOps, Compliance GRC, and the Future of Application Security! In the AppSec News, Mike & John talk: All about Log4Shell, Mozilla's BigFix bug and new sandbox, Rust in the Linux kernel, path traversals, reflections on the security profession, & more!   Show Notes: https://securityweekly.com/asw177 Segment Resources: - AppSec Cali 19 Talk: https://www.youtube.com/watch?v=cegMUjo25Zc - ADDO19: https://www.youtube.com/watch?v=x1p3exzkTIY - Open Security Summit 20 - https://www.youtube.com/watch?v=8myMG36gq4o , https://www.youtube.com/watch?v=mh_P1C1a-CM   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Application Security Weekly (Audio)
Vulnerability Phone - ASW #177

Application Security Weekly (Audio)

Dec 14, 2021 (70:15)


This week, we welcome Francesco Cipollone - CEO & Founder - AppSec Phoenix Ltd, to discuss DevSecOps, Compliance GRC, and the Future of Application Security! In the AppSec News, Mike & John talk: All about Log4Shell, Mozilla's BigFix bug and new sandbox, Rust in the Linux kernel, path traversals, reflections on the security profession, & more!   Show Notes: https://securityweekly.com/asw177 Segment Resources: - AppSec Cali 19 Talk: https://www.youtube.com/watch?v=cegMUjo25Zc - ADDO19: https://www.youtube.com/watch?v=x1p3exzkTIY - Open Security Summit 20 - https://www.youtube.com/watch?v=8myMG36gq4o , https://www.youtube.com/watch?v=mh_P1C1a-CM   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly TV
DevSecOps, Compliance GRC, and the Future of Application Security - Francesco Cipollone - ASW #177

Paul's Security Weekly TV

Dec 13, 2021 (34:49)


DevSecOps has traditionally been very people-centric. It is hard to measure software security, and the landscape is becoming increasingly complex with containers, cloud, and infrastructure. Driving an appsec program at scale is often an art that only a few can master, and the majority of organizations remain uncovered from an appsec perspective. Measuring DevSecOps and evolving risk-based vulnerability management is a must. Bringing along risk people and GRC has traditionally been challenging.   Segment Resources: - AppSec Cali 19 Talk: https://www.youtube.com/watch?v=cegMUjo25Zc - ADDO19: https://www.youtube.com/watch?v=x1p3exzkTIY - Open Security Summit 20 - https://www.youtube.com/watch?v=8myMG36gq4o, https://www.youtube.com/watch?v=mh_P1C1a-CM   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw177

Application Security Weekly (Video)
DevSecOps, Compliance GRC, and the Future of Application Security - Francesco Cipollone - ASW #177

Application Security Weekly (Video)

Dec 13, 2021 (34:49)


DevSecOps has traditionally been very people-centric. It is hard to measure software security, and the landscape is becoming increasingly complex with containers, cloud, and infrastructure. Driving an appsec program at scale is often an art that only a few can master, and the majority of organizations remain uncovered from an appsec perspective. Measuring DevSecOps and evolving risk-based vulnerability management is a must. Bringing along risk people and GRC has traditionally been challenging.   Segment Resources: - AppSec Cali 19 Talk: https://www.youtube.com/watch?v=cegMUjo25Zc - ADDO19: https://www.youtube.com/watch?v=x1p3exzkTIY - Open Security Summit 20 - https://www.youtube.com/watch?v=8myMG36gq4o, https://www.youtube.com/watch?v=mh_P1C1a-CM   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw177

Principled
S6E14 | The key to good governance? Empathy.

Principled

Nov 19, 2021 (31:00)


Abstract: “You don't want to wait until you already know that there is a culture problem to really understand the culture of your organization. You should constantly be a student of the culture of your company, because we all know nothing can destroy an organization faster than a toxic culture.” - Dottie Schindlinger Culture is top-of-mind in the boardroom. How do you manage it and measure it? What does it look like to act decisively on culture, and what ethical implications come from those decisions? In this episode of the Principled Podcast, host David Greenberg talks about the critical role of boards in shaping ethical corporate culture with Dottie Schindlinger, Executive Director of the Diligent Institute and co-host of The Corporate Director Podcast for Diligent Corporation. Listen in as the two dig into the relationship between boards and ethics and compliance teams and discuss how that can inspire good governance. The key to success? Empathy.   What you'll learn on this episode: [1:52] What was on the minds of those at Diligent Institute during their recent corporate culture roundtable? [5:32] Boards' and Directors' struggles to measure culture and progress. [8:25] Underlying driving factors of conduct. [14:13] - Discussion of cancel culture and reputation preservation. [17:38] - The importance of identifying your company's purpose.  [19:52] - The key ethics issues challenging boards right now. [24:28] - The looming threat of cyber crime. [27:46] - The shifting relationship between boards and ethics and compliance teams.   Additional Resources: Report: LRN Benchmark of Ethical Culture   Featured guest: Dottie Schindlinger is Executive Director of Diligent Institute, the global corporate governance research arm of Diligent - the largest SaaS software company in the Governance, Risk and Compliance (GRC) space.  
She co-authored the book, “Governance in the Digital Age: A Guide for the Modern Corporate Board Director,” and co-hosts, “The Corporate Director Podcast.” Dottie was a founding team member of the tech start-up BoardEffect, acquired by Diligent in 2016. She is the Board Vice Chair of Alice Paul Institute and is a Fellow of the Salzburg Global Seminar.  She graduated from the University of Pennsylvania, and lives in suburban Philadelphia. Dottie Schindlinger is Executive Director of Diligent Institute, the global governance research arm of Diligent Corporation. She co-authored the book, Governance in the Digital Age: A Guide for the Modern Corporate Board Director and co-hosts The Corporate Director Podcast. She helped launch and grow the start-up BoardEffect, acquired by Diligent in 2016. Dottie is Vice Chair of the Alice Paul Institute and is a Fellow of the Salzburg Global Seminar, and she is a graduate of the University of Pennsylvania.   Featured Host:  David Greenberg serves as Chair of the Governance and Risk Assessment Committee and a member of the Audit Committee of International Seaways (NYSE: INSW), one of the largest global crude oil and petroleum tanker companies.  Mr. Greenberg's previous board experience (2006 to 2016) was as the independent director – and member of both the Audit and Compensation Committees --of APCO Worldwide, a private communications and government affairs consultancy and as a director (2013 to 2016) of Clean Tech Group, which creates opportunities for industrial companies to invest in innovative, clean technology.  He also served for 5 years as Chairman of the Board of Trustees of The Keystone Center, a Colorado non-profit that brings together oil, chemical and pharmaceutical companies with leading NGOs to find solutions to complex public policy challenges at the federal and state levels. 
Greenberg is currently Managing Director of Cortina Partners LLC, a private equity firm that owns companies in the air medical, addiction treatment, bedding, textile and outdoor recreation industries and is CEO of Acqua Recovery, a residential drug and alcohol addiction center.  He also advises boards and executive teams on strategy, compliance, leadership and culture as a Special Advisor for LRN Corporation, and from 2008 through the end of 2016 was a member of LRN's Executive Committee. For 20 years prior to 2008, Mr. Greenberg served in various senior positions overseeing government affairs, corporate affairs, communications and strategy at Altria Group, Inc. – then the parent company of Philip Morris USA, Philip Morris International, Kraft Foods and Miller Brewing – culminating in his role as Senior Vice President, Chief Compliance Officer and a member of the Executive Committee.  As one of five senior vice presidents of the corporation, he served on the Management Committee, which oversaw all strategy and company operations.  He was also a principal architect of the company's very successful efforts to end the ‘tobacco wars' which threatened the company's very existence.  Earlier in his career, Mr. Greenberg was a partner in the Washington D.C. law firm of Arnold & Porter and also served as Legislative Director and General Counsel of the Consumer Federation of America.  He attended Williams College and has JD/MBA degrees from the University of Chicago.  Greenberg has testified before the U.S. Congress, the European Union, the Israeli Knesset and other governmental bodies over two dozen times and has appeared on ABC Nightline, the CBS Morning News, BBC Morning, and the PBS News Hour, and has spoken at leading events for CEOs and boards.   Transcript: Intro: Welcome to the Principled podcast brought to you by LRN. 
The Principled podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change makers. David Greenberg: Culture is top of mind in the boardroom. How do you manage it and measure it? What's it look like for boards to act decisively on culture? And what are the implications of those decisions? Hello and welcome to another episode of the Principled podcast. I'm your host, David Greenberg, LRN's former CEO and now special advisor. I'm also on the board and chair the governance committee of International Seaways. Today, I'm joined by Dottie Schindlinger, executive director of the Diligent Institute and co-host of Diligent's podcast, The Corporate Director. We're going to be talking today about the critical role of boards in shaping ethical culture. We'll be touching on the relationship between boards and ethics and compliance teams and how that can promote good governance. Dottie is a real expert in this space. She brings over 20 years experience in governance related roles, including serving as a director, officer, committee chair, senior executive, governance consultant and trainer for public, private and nonprofit boards. Dottie, thanks so much for coming on the Principled podcast. Dottie Schindlinger: It's my pleasure, David. It's great to be with you. David Greenberg: Dottie, Diligent sponsored a recent round table for directors on corporate culture. What was on their minds? Dottie Schindlinger: Well, thanks for asking, David. Listen, culture has been a top issue on the minds of corporate directors for a few years now but really very much so in the past two years during this pandemic. It's been really fascinating in our conversations with directors all throughout this period of time, the word that keeps coming up over and over again is empathy. 
That empathy has now become a key skillset for directors and senior executives of organizations to really make good decisions. And I think corporate culture in particular has been a little bit in the crosshairs because of all the rapid change and the seismic type of change that organizations are going through. Think about back in March of 2020, when basically every company that could had to move to 100% remote operations with no advanced warning and with no planning and think of the impact that it had on corporate culture. When what seemed to be a two week hiatus from the office turned into, in some cases, an 18 month long hiatus from being together in the office. I think the directors are really watching corporate culture very closely. And then of course you have other pressures taking place, everything from ESG, what's happening in terms of our workforces, the huge talent crunch that we are under right now that the competition for talent at an all time high. Culture is definitely on the minds of corporate directors and we spent a lot of time talking about that in this round table. David Greenberg: Speaking of all the time out of the office, what are the directors saying about there are companies and boards being back in the office? Dottie Schindlinger: Well, it's very uneven. For some organizations they've been fully back in the offices for a long time. And by the way, I feel like it's really fair to point out that even during the pandemic, something on the order of 62% of jobs in the US cannot be performed remotely. And so I feel like we have to just call that out for a moment and acknowledge that being a remote worker was really kind of the reality for a privileged few in the workforce and not the many. But having said that, it's still very uneven the experience. We're seeing a lot of interest on the part of workforces when they can perform jobs remotely to continue doing so. 
And then we're seeing also a lot of desire from people together that they miss each other, that they miss the kind of give and take that happens when you get together physically in a space and you have the opportunity to run into somebody you haven't seen in a long time. Someone who's maybe not on your team but an adjacent team and just have those impromptu water cooler conversations that I think we all treasure. It's a very mixed experience. For some people it's better to stay remote, especially if, for example, you're the parent of young children and childcare continues to be an issue. You may want to have the flexibility that being a remote worker brings to your schedule. It's definitely not a universal and because it's not universal and because this all full disease of COVID just keeps rearing its ugly head and we have new variants happening, it's hard to plan. If you're in any position of leadership and you're having to plan, when should we go back to the office? And what should be the protocol to keep the workforce safe? These questions don't have simple answers and the answers themselves continue to evolve as the disease evolves. It definitely is requiring everyone to be a little bit creative and to stay on their toes. David Greenberg: Got it. Going back to the discussions on culture, did measurement come up? How are boards and directors struggling with trying to measure culture and make real metrics on culture so that progress can be measured? Dottie Schindlinger: Yeah, it's a hard thing to measure, isn't it, David? Trying to measure cultures a little bit like saying we're going to measure love. How do you actually approach that? But we also know that when there is a toxic work culture, it is palpable. People recognize when there's a toxic work culture, you can almost see it in the faces of the people on the team. There are some measurements that are quite helpful. 
I don't know if you're familiar with a project that was put together by a group called Glassdoor in combination with the MIT Sloan School, something called the Culture 500. And what they basically did was use some AI tools to investigate hundreds of thousands of submissions from Glassdoor reviews of employees to look for patterns. And then they measured companies on the S&P 500 on nine different variables trying to determine the health of culture. And kind of work, I think is really very interesting. If you haven't checked it out, I'd recommend that you look at the Culture 500 and just take a look at that website and see how they approached that. It's that kind of measurement that I think is going to make the difference. When you can really see big data sets and look with AI fueled tools for patterns and try to uncover what can we really learn from all these reviews? You're not looking at individual reviews and reacting to individual reviews but you're looking for commonalities and themes and patterns across thousands of entries. That then does give you a fairly accurate picture of what's happening with culture within a company. I think if you're a director these days, you should be paying attention to these kinds of tools. These are the kinds of things that are going to make it easier for you to provide that kind of oversight on culture, especially because that is so hard to do. I can say this from personal experience, I'm on the board of a small nonprofit organization that recently had some challenges around culture. And we've been meeting remotely for a year and a half because of COVID. We haven't been physically on site at the nonprofit organization and frankly, we didn't really have a good sense for what was happening there day to day. And so it took having some conversations with the staff to try to understand what is actually happening here? 
And it's just really hard to get the tools that you need to have that visibility if you're not boots on the ground every day. And frankly, that's just not the reality for board members, even outside of the pandemic. We're not boots on the ground every day at the organizations that we oversee. Having these kinds of tools that give us better insight, I think are going to be increasingly important as we start to think about how to measure culture. David Greenberg: The other thing I've seen some boards turning their attention to is kind of trying to capture some of the underlying drivers of conduct, both good and bad. Things like trust, fear, belief that management acts on its values. And if boards can get underneath the surface like that, you were talking about empathy. I think those are the kinds of things that we're going to have to be able to measure and assess because otherwise we're just asking people in engagement surveys how they're doing, whether they go out to lunch with their boss, whether they can bring their dog to work and that's not really what's driving behavior. Dottie Schindlinger: It's really true. And David, one of the recommendations that came out of this round table that I think gets at that question of trust is look, I think boards are very used to evaluating the performance of their C-suite executives and especially of the CEO and really understanding, do we have a feeling of trust with this individual and with this team? Do we have trust in their capability as leaders? But it can be incredibly powerful for the board to get some reports from skip level employees. Not the C-suite and not even their direct reports but one level down and really kind of getting a sense from that layer of the organization, how do they think the C-suite is doing in terms of whether they can be trusted to lead the organization in the right direction? 
That kind of an approach, sort of that 360 degree evaluation can be so helpful to understanding the culture of the organization, especially if that kind of information is coming anonymously and is done regularly. You don't want to wait until you already know that there's a culture problem to understand the culture of your organization. You should constantly be a student of the culture of your organization because let's face it, we know nothing can destroy a company faster than a toxic culture. Truly. We just see every example of that ripped from the headlines. We know that to be true. And so if you're maybe once a quarter, two times a year doing a big 360 degree pulse check of the whole company to understand the culture, really asking people culture specific questions, that's going to give you, I think, a very good sense for how things are going within the company and just it's not necessarily the only data point that you'll use but it does give you a very different view than what you're hearing just in conversation with the C-suite executives. David Greenberg: Yeah. You mentioned toxic cultures. Do you have any recent examples in your experience of a board acting decisively on corporate culture where there was a problem like that? Dottie Schindlinger: Well, there's many as you know but I'll share just one. And I feel comfortable sharing this one because it has been very widely publicized and we've also featured the executive vice president and general counsel a couple times at events that we've held at Diligent. And that's the story of Wynn Resorts. I think everybody remembers a few years ago that there was a very well publicized #MeToo campaign around Steve Wynn, who was the founder, chairman and CEO at the time and he was found to be guilty of sexual misconduct and he was ousted from the company. 
What may not be as widely known is as part of that process, about half of the board was also ousted from the company because as they began to do their investigation, what they learned was that it wasn't just a matter of there being one bad apple but it was truly endemic in the culture. There was a culture of intimidation and harassment almost at every level of the organization. It absolutely was the tone at the top playing out through the entire organization. And so they felt that they really needed to kind of start fresh and they brought in many more women onto the board. They brought in much more diversity onto the board and that was true throughout the leadership of the company as well. And they began to really work from the frontline employees all the way up to the top of the organization to really get to know what that culture had been like and what would be the things that they really needed to work on and correct. And one of the things I think is quite remarkable is that when we think now about what was happening during the pandemic, so all of this happened at Wynn a few years ago but then came the pandemic. And at the beginning of the pandemic, Las Vegas was shut down completely and as you can imagine for a company like Wynn Resorts, this was an existential crisis. If they couldn't operate their business at all, it might have very quickly spelled the end but because they'd been doing all this hard work around culture, they knew that one of the most important things that they could do would be to retain their workforce for as long as humanly possible. And so they made cuts every possible little place they could without cutting staff. And they actually did not furlough staff, I think, longer than any other resort or casino in the Las Vegas area. And that's really saying something. Now, eventually they did have to make some adjustments as the pandemic continued month after month. But I think they've now hired back basically everyone that they furloughed. 
They really just focused so much on retaining their workforce, protecting their workforce and really making sure the workforce knew how valued and how trusted they were. And I think that speaks to the hard work that they did around culture. I don't know that that would've been their priority in years past but they knew moving forward, this had to be priority number one for them and it really showed in the choices that they made. David Greenberg: Very interesting. And I'm speaking to you from one of the Wynn hotels right now, where I'm having some strategy meetings. The service is great, the place looks great so they seem to have weathered the storm. Dottie Schindlinger: That's great to hear. David Greenberg: How are you experiencing and talking to boards, their dealing with all of the issues related to reputational risk and cancel culture? Dottie Schindlinger: Yeah, it's a great question. And I think we hear about cancel culture and the concerns there. I think it certainly is a bigger concern for certain industries, rather others. If you are a consumer products company, obviously this is a huge concern for you. It's something that can absolutely spell the difference between success or failure and really on either side. You can have a social campaign go extremely well as in the case of Nike a few years ago, in terms of their support of Colin Kaepernick, that that actually ended up paying huge dividends for the company and really put them in a strong position. And it can go exceptionally poorly. I think of an example like United Airlines when the video of them dragging a passenger off the plane went viral. And quite frankly, even than three years after that incident, their stock price really was continuing to underperform their peers. You can really see how these things can light a fire and go very, very broadly. We do this report every month at Diligent Institute called the Director Confidence Index. 
And back in February, we were curious to know, how did directors feel about reputational risk? And in particular, we wanted to know, how did they feel about the fact that CEOs were becoming much more public faces of companies and taking to the podium to speak on issues that are kind of unrelated to corporate performance but are related more to social issues. Things that they felt might be of concern to their key stakeholders. And what we thought was pretty fascinating was that 54% of the directors we asked said that their CEO had made a public statement to address a social or political event occurring in 2020. And that was more than double the rate that we found four years ago. It is absolutely true that there is more happening around reputation management and reputation generation for corporate leaders. But only 16% of the directors that we surveyed said that they encouraged their CEO to speak publicly on any issue he or she deems appropriate. 42% say they would encourage the CEO to speak out but only to the extent that the issue relates directly to the company's mission or values. And about 32% said CEOs should always stay silent on social issues. It's clear that there's not a lot of consensus among directors about the best way to do this. What I would say is I think a lot of directors that we speak with are telling us, "Look, it doesn't matter whether you like it or not, you may have to enter the fray because to be silent can sometimes do more damage than to say something. And so you do have to really think about how are you guarding your reputation? What are you aligning your reputation too? And I think probably the best true north is how does this relate to your company's values? What are the things that you are trying to put out to market as your core values? And how does this relate to what you value? I think that's really the best way to approach when to speak out, how to speak out and who should speak out. 
David Greenberg: I think it also helps when companies have a clear sense of purpose, why they're on this planet and what their relationship is with society. If they can define that and understand that, then it may help them understand the issues where really there's very little choice and a lot of need to actually speak out because it connects to who they are and why they're here. Dottie Schindlinger: Well David, I completely agree. And I would say in that same survey, 57% of directors told us they're more concerned about reputational risk today than they have been in any prior year. And I think that is because there has been this pressure being placed on companies by institutional investors, by the business round table, by just societal opinion. Again, going back to the fact that we're in this talent war, you've got to attract and retain top talent. And the way to do of that is to make sure that you have a clearly stated company purpose, that that purpose of your company is tied to something broader than generating positive returns for shareholders and that it's something that your workforce, your customer base, your partners can all buy into and sort of see a role for themselves in. And I think that's just a much taller order than we've had in years past. I think that the job of a director is getting precipitously harder but if you can have that stated company purpose, it can make other things easier to say no to and make it a little clearer what you have to say yes to. David Greenberg: And one of the things that I've taken to the boardroom from my experience as a senior executive at what at the time was a Fortune 10 company, is that the truth is making a return for shareholders and all of the compensation bells and whistles that comp committees have ever created, you add all that up and it wasn't enough to get a lot of us up in the morning. 
If there wasn't a greater purpose to what we were doing the company was really missing something in terms of getting discretionary effort even out of its most senior leaders. Dottie Schindlinger: Yeah. I think that's very true. That connects to sort of what makes us human, doesn't it? That we're all, we're purposeful beings, human beings and we want to know that we're connecting to some broader purpose. It's not just we're doing it for the sake of doing it. And I think that's true for board members too. I think board members feel far more motivated to maybe go on a limb and tap into their personal networks and express empathy and have compassion for things that they feel they connect to. I think everybody wants to feel they belong. David Greenberg: For sure. When we drill down a little bit, what are some of the key ethics issues you see challenging boards? Dottie Schindlinger: Well, first of all, just the number of ethics issues challenging boards has exploded. There's many more things that board members have to keep their eyes on these days. I would say some of the big ones, issues around the pandemic dealing with sort of public health issues, making sure that local regulations and workplace safety are being managed correctly. Again, those are not easy issues, but they need to be thought through. Diversity equity and inclusion is a big one. I think there's been so much energy being put into this area ever since the murder of George Floyd and the many corporate commitments that were made to try to change the nature of systemic racism and really address historic inequity. And these things require ongoing attention. This is not something that gets fixed in a couple of months. We're talking about a system that goes back 500 years, so it's going to take some time to get this right but it needs for us not to take our foot off the gas, to really kind of keep going. 
Also, issues related to sexual harassment, those continue to be things that we see plague companies and just continue to need to be addressed. Those are things I would say are really top of mind over the past couple of years, but I would also add there's sort of a huge ethical dimension to climate change. Right now we're just finishing up the COP26 conference that's happening in Glasgow. And there's a lot of concern out there that we're not going to be able to meet the climate commitment that we need to meet to keep the ocean temperature level down to 1.5 degrees Celsius above where it was. And I think that has huge, huge implications for every company. Everything from global supply chain, to workforce, to our ability to just conduct business in this new unknown future with bigger, more horrifying storms. And there are some ethical dimensions there. If we're not making choices that are in the best interest of the planet, not only can they be really harmful to our business and our balance sheets, but they're harmful to our own ability to exist. I would call that a bit of an ethical conundrum, and that is a huge issue that I think boards are going to have to get better at addressing, frankly, just better at being able to have those conversations at a strategic level in boardrooms. It really does connect to the ability for the business to exist and thrive. We have to just get better at making sure we're talking about these things all the time.

David Greenberg: You've just made a pretty good case that the issues that boards confront and discuss are changing. Do you see a related change in the profile of public company board members?

Dottie Schindlinger: We've started to see that. We did a report in July called Beyond the C-suite, and it was looking at the changing trends of the profile of new director hires of public companies.
And what we saw is that while the vast majority of new hires of directors are still current and former CEOs, CFOs and COOs, there is, year over year, a growing number of new director hires that are coming into the boardroom with different skillsets. We're talking about people that come into the boardroom with technology backgrounds, legal backgrounds, ESG, HR, sales and marketing. Just kind of nontraditional profiles for board member hires. And this is not an accident. We are seeing this wide array of areas of risk that boards are now being asked to tackle and really have no choice but to tackle. Things like cyber risk, for example. 10 years ago, I think you'd be hard pressed to find a board meeting that spent very much time talking about cyber risk outside of a very small number of companies. Now, I think you'd be hard pressed to find a board meeting that doesn't touch on cyber risk, probably at least a little bit of every board meeting at most companies. And so we're seeing this big shift in the kinds of things that directors have to deal with. And as a result, you need different talent. You need people that come from different areas of expertise and bring fresh perspective into the boardroom conversation.

David Greenberg: Yeah. I can tell you that cyber risk comes up on the board at International Seaways very regularly, and every time it does, it scares me to death because it's very hard to deal with. It's very hard to know, and you have very good people inside and outside the company who can help, but it's really fast moving and it's just one of those things that keeps you up at night.

Dottie Schindlinger: And I hate to say it, but probably should. Probably should keep you up at night.
The terrifying numbers that I hear, I believe that now cyber crime as an industry, if you look at it as an industry, has topped $6 trillion a year, which Larry Clinton, who's the president of the Internet Security Alliance, always has this great line, which is, "If cyber crime was a country, it would be big enough to qualify for entrance into the G7." Thinking about any individual company trying to tackle such a behemoth is kind of outrageous. I think what we need to think about is how are all of us as companies, as governments, as citizens banding together to fight this insane criminal enterprise. It's the largest criminal enterprise on earth. It's, I think at this point, something like double the size of the illicit drug trade. It's massive. We all have to play our role in fighting this, and none of us are going to be successful alone, but none of us can take our eye off the ball. We all have to pay attention. We all have to be a little bit paranoid all the time for bad things not to happen.

David Greenberg: Yeah. One of the things that worries me, you've referenced the war for talent a few times, and I wonder if the good side is winning the war for talent in the cyber area?

Dottie Schindlinger: Not even close. Not even close, David. Right now, the estimated number of unfilled cybersecurity professional jobs globally is three million. And there's just not even a pipeline to fill that many roles. Unfortunately this is a definite area of concern. I would say any of you listening to this podcast, if you have a young person in your life who's trying to figure out what career to go into, suggest they go into cybersecurity. We need them in the fight.
David Greenberg: One of the things I've seen in terms of the changing profile of directors is that, I would say three years ago, you would have been hard pressed to find even one or two members of public company boards who had spent a major part of their time as working chief ethics and compliance officers, and now I've identified about a dozen. There's a little boomlet in that area that I hope will continue.

Dottie Schindlinger: That's a tiny little boomlet.

David Greenberg: I know, I know. Well, you got to start somewhere.

Dottie Schindlinger: You got to start somewhere. I would agree with you. I think that's a positive trend. I'd love for it to actually be large enough to be a trend, but it's positive to see. We definitely saw that there are more individuals with legal expertise being welcomed onto boards. And hopefully that means that they come in the door with some deeper understanding of ethics and compliance issues, maybe, than others. And I think we definitely could see more of that because, as we've been speaking through this whole podcast, the ethical and moral dimensions of business, I think, are getting far more complex. And so you need people who sort of understand ethics and compliance in a real way to be able to help guide strategic decisions that have ethical and compliance dimensions to them, which I think is all of them. I think we could all do with an ethics and compliance expert on our boards.

David Greenberg: Hear, hear. A lot of this audience listening to this podcast today come from the ethics and compliance community, so I wanted to be sure to ask how you see the relationship between boards and the ethics and compliance teams out there, and whether it's changing and how it may need to change more.

Dottie Schindlinger: Great question. I do think it is changing, and I would be disingenuous if I said it was changing everywhere at the same pace. That's not true. It's fits and starts.
But I do think that there's a greater recognition on the part of many companies that the ethics and compliance team is not the team to call in when things have already gone wrong, but that in actual fact, they can be very strong strategic partners in future decision making. You can bring in the ethics and compliance team to help you think through investments that you're planning to make. You can bring them in to help you think through ways that you could potentially be greening your business to potentially add to the bottom line. You can bring them in to talk through workforce issues and the fight for talent, and retaining and attracting top talent. What are some ways to think about that from sort of the ethical dimension? Frankly, I think it behooves you to use that team in a strategic way to just help make better, more nuanced decisions and play out in advance: what are the ethical dimensions of this decision that we're going to make? Again, business now moves at the speed of a tweet. Never forget that every decision you make is going to be scrutinized, and it's going to be scrutinized in the marketplace of Twitter. And so if that's going to be the case, it probably makes sense for you to check in with the ethics and compliance team about what might be some things we should be prepared for as we make this decision. And I don't know that that's been the traditional way that those teams have been leveraged. I think more so they've been brought in after the fact to help fix something that's gone wrong, or they've been brought in when there's some check-the-box exercise around training that needs to happen. And I just think that's an underutilization of a really great resource in your company.

David Greenberg: Dottie, that is a fantastic place to end today because we're just about out of time.
It has been an enormous pleasure to talk with you about the evolution of boards in shaping culture, ethics and compliance and the role of boards in what is an ever changing world. Thank you for joining me on this episode, and I hope we can continue our conversations.

Dottie Schindlinger: Thank you so much, David. It's been such a pleasure.

David Greenberg: And thank everyone out there for listening. I'm David Greenberg and we'll see you next time on the Principled podcast by LRN.

Outro: We hope you enjoyed this episode. The Principled podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. And if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts or wherever you listen, and don't forget to leave us a review.

InvestOrama - Separate Investment Facts from Financial Fiction
Investing in Cybersecurity Compliance (Strike Graph) | Alex Tong - Information Venture Partners

Nov 12, 2021 22:12

Alex Tong, Principal at Information Venture Partners, brings us into a deep dive into Governance, Risk and Compliance (GRC) technology and his firm's investment in Strike Graph, a cybersecurity compliance SaaS. Governance, risk management, and compliance (GRC) are three pillars of cybersecurity management. They enable an organization to effectively meet compliance requirements, manage risk, and standardize across the enterprise. GRC is a key aspect of building trust and winning more deals with enterprise clients.

TIMESTAMPS
00:23 Why Governance, Risk and Compliance is an exciting space to build and invest in
04:13 The benefits of being "Certified" for building trust
05:57 How Strike Graph helps to build trust and win more deals with enterprise clients
07:22 Behind the scenes at Strike Graph: what they built
10:54 The business of abstracting complexity for your clients
12:17 Product at Strike Graph
14:23 How to approach a niche B2B market
16:10 When to get a marketer on board
17:36 Outlook on the GRC segment

CONNECT WITH ALEX TONG & STRIKE GRAPH
https://informationvp.com/
https://www.linkedin.com/in/alextong/
https://www.strikegraph.com/

CONNECT WITH GEORGE ALIFERIS
Instagram Twitter Linkedin Orama.tv

GRC Professional Podcast
Life Member Award Deborah Latimer

Nov 12, 2021 10:27

Deloitte Australia Partner in Governance, Regulation & Conduct Deborah Latimer, who was awarded the GRC Institute's Lifetime Member Award, talks a little about her Governance, Risk and Compliance (GRC) journey and shares a few words of wisdom for those on their own GRC pathway. (All this is done with the sound of a cat purring in the background, which is a reminder of some of the continued challenges of working from home.)

Tech Zone With Paul Amadeus Lane
EP. 207-03-MetricStream ESG Innovation CEO Bruce Dahlgren Interview

Sep 22, 2021 23:17

MetricStream ESG Innovation CEO Bruce Dahlgren Interview. Leveraging the power of AI, MetricStream is the global market leader in Governance, Risk, and Compliance (GRC) and Integrated Risk Management solutions, providing the most comprehensive solutions for Enterprise and Operational Risk, Regulatory Compliance, Internal Audit, IT and Cyber Risk and Third-Party Risk Management on one single integrated platform. MetricStream is the market leader in integrated risk management (IRM) and governance, risk, and compliance (GRC).

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 52: Replay of "Security Awareness Training"

Sep 3, 2021 64:10

This week we are highlighting one of our popular episodes! First covered back in Episode 40, we covered the topic of Security Awareness Training, and wanted to revisit it again in this episode. Looking for a nontechnical job in Cybersecurity?! This might be a good option for you! In today's episode, we have a very special guest, Gabriel Friedlander, the founder of Wizer Security and Co-founder & CTO of ObserveIT. Join experienced hiring managers Wes Shriner, Kip Boyle, and Gabriel Friedlander as they explore Governance, Risk and Compliance (GRC) and Security Awareness and Training from the Common Security Service Catalog. They will be exploring: ✅ Cybersecurity Awareness Month ✅ Required Training ✅ Behavioral Training ✅ Skills Training. Loved this episode and want to learn more about Wizer?! Check out more here: https://www.wizer-training.com/ Can playing capture the flag also give you cybersecurity job hunting success on LinkedIn? Yes! Check out our step-by-step guide: https://www.YourCyberPath.com/pdf

CISO Tradecraft
CISO Tradecraft: Risky Business

Aug 1, 2021 44:06

In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at the NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information.

Tuesday Morning Grind: A Cybersecurity Podcast
#22: How to Get a Job in Security(w/Security Recruiter Pete Strouse)

May 20, 2021 50:03

Pete Strouse has been an information security recruiter for a decade. During that time, he has had the opportunity to work with hundreds of professionals and learn what works and what doesn't when it comes to rising through the ranks of security org structures. In this episode of Tuesday Morning Grind, Pete and Christian talk about what it takes to be successful in the security space, how to get hired, how to rise through the ranks, potential career paths, and the attributes of aspiring security leaders. About Infosec Connect: Infosec Connect provides recruiting and placement services for security companies with specialties in Information Security Executives, Information Security Sales & Marketing, Security Audit & Compliance (GRC), Data Privacy, Security Operations, Offensive Security, Digital Forensics & Incident Response (DFIR), and Cloud Security. About risk3sixty: risk3sixty is a security, privacy, and compliance consulting firm that helps high-growth technology organizations build, manage, and assess security and privacy programs. It offers services related to SOC 2, ISO 27001, PCI DSS, HITRUST, Virtual CISO, Privacy Programs (GDPR, CCPA, etc.), Penetration Testing, and a GRC platform built for cloud technology companies, Phalanx. You can learn more about risk3sixty at www.risk3sixty.com/.

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 40: Security Awareness & Training

Mar 25, 2021 64:22

Looking for a nontechnical job in Cybersecurity?! This might be a good option for you! In today's episode, we have a very special guest, Gabriel Friedlander, the founder of Wizer Security and Co-founder & CTO of ObserveIT. Join experienced hiring managers Wes Shriner, Kip Boyle, and Gabriel Friedlander as they explore Governance, Risk and Compliance (GRC) and Security Awareness and Training from the Common Security Service Catalog. Download the slides here: https://try.yourcyberpath.com/cyber-org Can playing capture the flag also give you cybersecurity job hunting success on LinkedIn? Yes! Check out our step-by-step guide: https://www.YourCyberPath.com/pdf --- Send in a voice message: https://anchor.fm/yourcyberpath/message

Empathy Always Wins with Ally Salama
#22. Redefining The Definition of Strength with Hala Bou Alwan

Oct 18, 2020 51:15

Support the show by dropping us a rating and review on Apple Podcasts! Music: "Daydream" by Ash. Available on Spotify, Apple Music & Anghami. Hala Bou Alwan is the Founder and CEO of Hala Bou Alwan (HBA) Consultancy, a specialized firm in GRC advisory and training. She is a lawyer who holds 3 master's degrees in AI, Financial Crime, International Business Law and Cybersecurity from La Sagesse University Lebanon and Boston University USA. She is an experienced leader with more than 18 years of success helping high-profile local and global organizations pave their compliance, governance and financial crimes roadmaps. She is a thought leader on the topic (speaker, trainer and author) of Governance, Risk and Compliance (GRC), Anti Money Laundering, Sanctions, Cyber Security, Artificial Intelligence, Virtual Assets, and Counter-Terrorist Financing, among many other fields.

Timestamps:
[00:00 to 04:00] Introduction
[04:00] Hala's Journey Starting Work at The UN
[10:00] How Prison Strengthened Hala's Empathetic Skills
[15:00] Hala's Grandfather's Story "The Thief Story"
[20:00] How Trauma Affects Your Professional Work Life
[24:00] "Mental Health Doesn't Impact You Alone, It Impacts Every Single Person in Your Life"
[28:00] Mental Health in the Middle East, and How Can We Drive Change in The Region?
[32:00] How to Self-Care With An Incredibly Busy Career
[36:00] "The First Time I Went to a Psychologist I Was 15 Years Old"
[44:00] Fireball Segment
[46:00] The Reflection Segment
[48:00] The Legacy Segment
[49:00] OUTRO - Give us a rating & review us on Apple Podcasts!!

Did you enjoy today's episode? Are you subscribed to the show? I'd love to hear from you!

Ps. Follow Hala Here!
Twitter: @boualwanhala
Instagram: https://lnkd.in/de-qrTX
Linkedin: https://www.linkedin.com/in/halaboualwan/
Tune in daily and follow me here @allysalama and @empathyalwaywins for more on the show's latest updates.

Show Credits
Empathy Always Wins: The World's Exclusive Youth Leadership & Mental Health Podcast. © Ally Salama 2020.