This week on That Tech Pod, Laura and Kevin chat with Richa Kaul, founder and CEO of Complyance, for a blunt conversation about what governance, risk, and compliance actually are, and why so many companies pretend it's something else.

Richa walks us through how she really landed in GRC, including the moment she realized compliance isn't about forms or frameworks. It's about power, incentives, and who takes the fall when systems fail. Drawing on her time in legal tech, enterprise systems, and AI, she makes the case that much of today's compliance model is quietly broken, and that organizations know it, even if they won't admit it. We dig into why GRC has such a credibility problem, the comforting lies companies tell themselves about being “compliant,” and whether compliance should be about control or trust, and why so many leaders default to the wrong one. Richa also weighs in on whether “move fast and break things” is actually gone, or just better disguised in the age of AI. We close with a forward-looking conversation on AI risk, including the uncomfortable questions boards avoid, why training alone won't fix reckless AI use, and what organizations should be paying attention to next if they want governance that actually works.

Richa Kaul is the founder and CEO of Complyance, an AI-powered GRC platform helping enterprises navigate governance, risk, and compliance with ease. She previously held leadership roles in legal and compliance technology, including helping scale global solutions at ContractPodAI. Richa focuses on how companies can move beyond checkbox compliance to build systems that actually support better decisions, accountability, and trust as AI becomes more embedded in the enterprise. She is passionate about the future of compliance, the role of AI in governance, and the challenges of scaling a company in enterprise tech.
Her innovative approach combines deep technical expertise with strategic business acumen, making her a sought-after thought leader in the GRC space.
In this engaging episode of MSP Business School, host Brian Doyle is joined by Sam Glynn—a notable figure in the GRC landscape—to pull back the curtain on the intricacies of compliance within MSPs. Sam Glynn shares his wealth of expertise from a career that has advanced from IT management in financial services to becoming a specialist in cybersecurity and compliance. Listeners are introduced to the significance of GRC, particularly how MSPs can align themselves with increasing regulatory demands while fostering profitability and customer satisfaction.

The episode delves into the hurdles MSPs face when confronted with compliance audits and assessments. Sam explains how MSPs can view these assessments as opportunities to strengthen client relationships and increase revenues rather than as adversarial encounters. With an emphasis on understanding framework alignment and the nuanced art of risk management, the conversation underscores the importance of embracing these challenges to enhance services and outcomes. The episode wraps up with a focus on Sam's advisory role, offering a perspective that's both realistic and strategic for organizations striving to improve their security posture.

Key Takeaways:
· Understanding GRC: Sam Glynn illustrates how MSPs can navigate Governance, Risk, and Compliance to achieve compliance while maintaining profitability and improving service delivery.
· Partnering for Success: Enlisting experts like Sam can transition an MSP's role from a mere service provider to a strategic partner capable of advising clients on risk management and compliance.
· Framework Alignment & Risk Management: Embrace the interpretive nature of risk management processes, focusing on impacts and likelihoods to develop robust and tailored security strategies.
· Regulatory Insights: Compliance is not solely about meeting regulatory requirements; MSPs must also consider best practices for comprehensive security that addresses today's threats.
· vCISO Clarity: The role of a virtual Chief Information Security Officer (vCISO) extends beyond IT technicalities to include governance, risk management, and strategic alignment with organizational objectives.

Guest Name: Sam Glynn
LinkedIn page: https://www.linkedin.com/in/samglynnie/
Company: Secure and Assure
Website: https://secureandassure.com/
Show Website: https://mspbusinessschool.com/
Host Brian Doyle: https://www.linkedin.com/in/briandoylevciotoolbox/
Sponsor vCIOToolbox: https://vciotoolbox.com
Meet Susannah Hammond, a trailblazer in governance, risk management, and compliance (GRC) with over 30 years of experience in financial services and technology. A chartered accountant and a distinguished fellow of the Chartered Institute for Securities and Investment, Susannah is a powerful voice in her field. As the recent winner of the Risky Women Write competition, her groundbreaking article on embedded supervision is set to revolutionize compliance. She champions a bold vision where regulators gain direct access to firms' systems, transforming the regulatory landscape into a more efficient and collaborative process. With her insights, Susannah is paving the way for a future where technology enhances compliance, saves costs, and builds trust—an evolution that could change the game for GRC forever!

SHOW NOTES
01:32 Career Journey
10:48 Embedded Supervision and Its Potential
16:07 Data Governance and AI in Compliance
21:02 Chat Bankman-Fried?
25:36 Predictions and Future of GRC

Get transcripts, links, and read her winning article: https://www.riskywomen.org/2025/12/podcast-s8e14-embedded-supervision-with-susannah-hammond/
This week on Simplifying Cyber, Aaron Pritz and Cody Rivers sit down with Jax Scott — combat veteran, podcast host (Two Cyber Chicks), and VP of Cybersecurity at Pearson — for a conversation that's equal parts leadership, risk reality, and “why is everyone still confused about BISOs?”

Jax shares her unconventional path into cybersecurity (perfume sales → special operations → NATO cyber strategy → Mandiant → Capital One → consulting → Pearson), then breaks down what BISOs/CISOs do when done right:
· The “single point of contact” that connects business teams to security outcomes
· Why risk management is the glue
· Why the best security leaders aren't always the most technical (and how technical instincts can backfire)

Then we go headfirst into the AI debate:
· Where automation helps most in compliance (evidence collection, mapping, reducing manual slog)
· Where humans stay essential (judgment calls, accountability, trust-building)
· The uncomfortable truth: if we outsource all thinking to AI, we may literally get worse at thinking

We wrap with practical guidance on:
· Handling volatile regulatory changes (like DR/IR requirements) with flexible plans + frequent testing
· The reality of CMMC: why it's not “new,” why enforcement matters, and why last-minute scrambles burn everyone out
· How to lead teams through chaos with transparency, empathy, and real talk

And finally: Jax drops a fun fact that honestly explains a lot about her calm energy.

Listen now wherever you get your podcasts.

Key topics covered:
· What a BISO/VISO is (and how to explain it to non-security leaders)
· Critical thinking + EQ as security superpowers
· AI in compliance/GRC: automate the boring, keep the human judgment
· IR/DR planning for shifting rules and requirements
· CMMC realities for the defense industrial base
· Leadership during change fatigue
AI has become inescapable over the past years, with the technology being integrated into tools that most people use every day. This has raised some important questions about the risks and benefits associated with AI. Those developing software and services that include AI are also coming under increasing scrutiny, from both consumers and legislators, regarding the transparency of their tools. This ranges from how safe they are to use to where the training data for their systems originates. This is especially true of already heavily regulated industries, such as the financial sector.

Today's guest saw the writing on the wall while developing their unique AI software, which helps the financial sector detect fraud, and got a jump start on becoming accredited to the world's first best practice Standard for AI, ISO 42001 AI Management.

In this episode, Mel Blackmore is joined by Rachel Churchman, the Global Head of GRC at Umony, to discuss their journey towards ISO 42001 certification, including the key drivers, lessons learned, and benefits gained from implementation.

You'll learn:
· Who is Rachel?
· Who are Umony?
· Why did Umony want to implement ISO 42001?
· What were the key drivers behind gaining ISO 42001 certification?
· How long did it take to implement ISO 42001?
· What was the biggest gap identified during the Gap Analysis?
· What did Umony learn from implementing ISO 42001?
· What difference did bridging this gap make?
· What are the main benefits of ISO 42001?
· The importance of accredited certification
· Rachel's top tip for ISO 42001 implementation

Resources:
· Umony
· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – Mel is joined by Rachel Churchman, the Global Head of GRC at Umony, to explore their journey towards ISO 42001 certification.

[02:15] Who is Rachel? Rachel Churchman is currently the Global Head of GRC (Governance, Risk and Compliance) at Umony; however, keen listeners to the show may recognise her, as she was once part of the Blackmores team. She originally created the ISO 42001 toolkit for us while starting the Umony project under Blackmores, but made the switch from consultant to client during the project.

[04:15] Who are Umony? Umony operate in the financial services industry. For context, in that industry every form of communication matters, and there are regulatory requirements for firms to capture, archive and supervise all business communications. That covers quite a lot! From phone calls to video calls, instant messaging etc., and failures to capture that information can lead to fines. Umony are a compliance technology company operating within the financial services space, and provide a platform that can capture all that communications data and store it securely.

[05:55] Why did Umony embark on their ISO 42001 journey? Umony have recently developed an AI platform called CODA, which uses advanced AI to review all communications to detect financial risks such as market abuse, fraud or other misconduct. It flags potentially high-risk communications to a human, who continues the process. The benefit is that, rather than financial institutions only being able to monitor a very small set of communications because it is such a labour-intensive task, this AI system allows 100% of communications to be monitored with much more ease. Ultimately, it's taking communications capture from reactive compliance to proactive oversight.

[08:15] Led by industry professionals: Umony have quite the impressive advisory board, made up of both regulatory compliance personnel and AI technology experts. This includes the likes of Dr. Thomas Wolf, Co-Founder of Hugging Face, former Chief Compliance Officer at JP Morgan and the CEO of the FCA.

[09:00] What were the key drivers behind obtaining ISO 42001 certification? Originally, Rachel had been working for Blackmores to assist Umony with their ISO 27001:2022 transition back in early 2024. At the time, they had just started to develop their AI platform CODA. Rachel learned about what they were developing and mentioned that a new Standard had recently been published to address AI specifically. After some discussion, Umony felt that ISO 42001 would be greatly beneficial, as it took a proactive approach to effective AI management. While they were still in the early stages of creating CODA, they wanted to utilise best practice Standards to ensure the responsible and ethical development of this new AI system. Compared to ISO 27001, ISO 42001 provided more of a secure development lifecycle and was a better fit for CODA, as it explores AI risks in particular. These risks include considerations for things like transparency of data, risk of bias and other ethical risks related to AI. At the time, no one was asking for companies to be certified to ISO 42001, so it wasn't a case of industry pressure for Umony; they simply knew that this was the right thing to do. Rachel was keen to sink her teeth into the project because the Standard was so new that Umony would be early adopters. It was so new that certification bodies weren't even accredited to the Standard while Umony were implementing it.

[12:20] How long did it take to get ISO 42001 certified? Rachel started working with Anna Pitt-Stanley, COO of Umony, around April 2024. However, the actual project work didn't start until October 2024. Umony already had a fantastic head start with ISO 27001 in place, and so project completion wrapped up around July 2025. They had their pre-assessment with BSI in July, which Rachel considered a real value add for ISO 42001, as it gave them more information from the assessors' point of view about what they were looking for in the Management System. This then led on to Stage 1 in August 2025 and Stage 2 in early September 2025. That is an unusually short period of time between a Stage 1 and Stage 2, but they were in remarkably good shape at the end of Stage 1 and could confidently tackle Stage 2 in quick succession. The BSI technical audit finished at the end of September, so in total, from start to finish, the implementation of ISO 42001 took just under 12 months.

[15:50] What was the biggest gap identified during the Gap Analysis? A lot of the AI-specific requirements were completely new to this Standard, so processes and documentation relating to things like the 'AI Impact Assessment' had to be put in place. ISO 42001 includes an Annex A which details a lot of the AI-related technical controls; these are unique to this Standard, so their current ISO 27001 certification didn't cover these elements. These weren't unexpected gaps; the biggest surprise to Rachel was the concept of an AI life cycle. This concept and its related objectives underpin the whole management system and its aims. It covers the utilisation or development of AI all the way through to the retirement of an AI system. It's not a standalone process and differs from ISO 27001's secure development life cycle, which is a contained subset of controls. ISO 42001's AI life cycle, in comparison, is integrated throughout the entire process and is a main driver for the management system.

[19:30] What difference did bridging this gap make? After Umony understood the AI life cycle approach and how it applied to everything, it made implementing the Standard a lot easier. It became the golden thread that ran through the entire management system. They were building into an existing ISMS, and as a result it created a much more holistic management system. It also helped with the internal auditing, as you can't take a process approach to auditing in ISO 42001 because controls can't be audited in isolation.

[21:30] What did Umony learn from implementing ISO 42001? Rachel in particular learned a lot, not just about ISO 42001 but about AI itself. AI is new to a lot of people, herself included, and it can be difficult to distinguish what is considered a risk or an opportunity regarding AI. In reality, it's very much a mix of the two. There's a lot of risk around data transparency, bias and data poisoning, as well as new risks popping up all the time due to the developing technology. There's also a creeping issue of shadow IT, which is where employees may use hardware or software that hasn't been verified or validated by the company. For example, many people have their own ChatGPT accounts, but do you have oversight of what employees may be putting into that AI tool to help with their own tasks? On a more positive note, there are so many opportunities that AI can provide, whether that's productivity, helping people focus more on the strategic elements of their role, or the reduction of tedious tasks. Umony is a great example of where an AI has been developed to serve a very specific purpose: preventing or highlighting potential fraud in a highly regulated industry. They're not the only one, with many others developing equally crucial AI systems to tackle some of our most labour-intensive tasks. In terms of experience with implementing ISO 42001, Rachel feels it cemented her opinion that an ISO Standard provides a best practice framework that is the right way to go about managing AI in an organisation. Whether you're developing it, using it or selling it, ISO 42001 puts in place the right guardrails to make sure that AI is used responsibly and ethically, and that people understand the risks and opportunities associated with AI.

[26:30] What benefits were gained from implementing ISO 42001? The biggest benefit is having those AI-related processes in place, regardless of whether you go for certification. Umony in particular were keen to ensure that their certification was accredited, as this is a recognised certification. With Umony being part of such a regulated industry, it made sense that this was a high priority. As a result, they went with BSI as their Certification Body, who were one of the first CBs in the UK to get IAF accredited, quickly followed by UKAS accreditation.

[27:55] The importance of accredited certification: Sadly, a new Standard creates a lot of tempting offers from cowboy certification bodies that operate without a recognised accreditation. They will offer a very quick and cheap route to certification, usually provided through a generic management system which isn't reflective of how you work. Their certificate will also not hold up to scrutiny, as it's not accredited by any recognisable body. For the UK this is UKAS, which is the only body in the UK under the IAF able to certify companies to provide a valid accredited certificate. There are easily available tools to help identify whether a certificate is accredited or not, so it's best to go through the proper channels in the first place! Other warning signs of cowboy companies to look out for include:
· An off-the-shelf Management System provided for a fee
· Offering both consultancy and certification services – no accredited CB can provide both to a client, as this is a conflict of interest
· A 5–10 year contract

It's vital that you use an accredited Certification Body, as they will leave no stone unturned when evaluating your Management System. They are there to help you, not judge you, and will ensure that you have the utmost confidence in your management system once you've passed assessment. Umony were pleased to have received only 1 minor non-conformity through the entire assessment process. A frankly astounding result for such a new and complex Standard!

[32:15] Rachel's top tip: Firstly, get a copy of the Standard. Unlike a lot of other Standards, where you have to buy another Standard to understand the first one, ISO 42001 provides all that additional guidance in its annexes. Annex B in particular is a gold mine of knowledge for understanding how to implement the technical controls required for ISO 42001. It also points towards other helpful supporting Standards that cover aspects like AI risks and the AI life cycle in more detail.

Rachel's second tip is: you need to scope out your Management System before you start diving into the creation of the documentation. This scoping process is much more in-depth for ISO 42001 than for other ISO Standards, as it gets you to understand your role from an AI perspective. It helps determine whether you're an AI user, producer or provider, and it also gets you to understand what the management system is going to cover. This creates your baseline for the AI life cycle and AI risk profile. You need to get these right from the start, as they guide the entire management system. If you've already got an ISO Standard in place, you cannot simply re-use the existing scope, as it will be different for ISO 42001. If you're struggling, CBs like BSI can help you with this.

[35:20] Rachel's Podcast recommendation: Diary of a CEO with Stephen Bartlett.

[32:15] Rachel's favourite quote: "What's the worst that can happen?" – An extract from a Dale Carnegie course, where the full quote is: "First ask yourself what is the worst that can happen? Then, you prepare to accept it and then proceed to improve on the worst."

If you'd like to learn more about Umony and their services, check out their website.

We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or LinkedIn
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
In this episode, Cheri Hotman sits down with Joe Kodali, a fellow CPA turned cybersecurity and GRC leader, to have a blunt, practitioner-level conversation about what is actually broken in modern cybersecurity programs and why compliance theater is making organizations less secure, not more.

They unpack the unique value CPAs bring to cybersecurity, not because of accounting, but because of how auditors are trained to understand entire businesses, ask uncomfortable questions, and tie controls back to real risk and return on investment. From there, the discussion goes deep into the widening gap between executives and cyber teams, the failure of checkbox audits, and how GRC tools and low-quality SOC 2 practices have created a dangerous false sense of security.

Cheri and Joe challenge the industry's obsession with compliance over governance and risk, calling out poor scoping, copy-paste controls, and the misuse of frameworks that were never meant to be treated as templates. They also address the hard truth that tools do not fix broken programs; people and discipline do.

The conversation closes with a candid discussion on why governance is the most overlooked and undervalued part of GRC, how boards should be asking better questions, and what it actually takes to build a cyber program that protects the business rather than just passing audits.

This episode is required listening for CISOs, security leaders, GRC practitioners, auditors, and executives who want real security outcomes instead of green checkmarks.
A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security.

· France's Vanity Fair faces a stiff fine over cookies.
· GrapheneOS pulls out of France over coercion worries.
· The EU adds to the pile-on over underage social media.
· India mandates the tracking of all smartphones. Apple says no.
· India abandons its smartphone tracking mandate.
· India requires all encrypted messaging to be SIM-tied.
· Scattered Lapsus$ Hunters --becomes--> SLH.
· AI demand has driven RAM pricing sky high.
· GRC's DNS Benchmark is finished and available.
· Cisco may talk a good game, but they're still Cisco.
· Browsers to ask users for local network access permission.
· React: The worst remote code exploit in a LONG time.

Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf
Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:
· 1password.com/securitynow
· veeam.com
· bigid.com/securitynow
· zscaler.com/security
· hoxhunt.com/securitynow
A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security. France's VanityFair face a stiff fine over cookies. GrapheneOS pulls out of France over coercion worries. The EU adds to the pile-on over underage social media. India mandates the tracking of all smartphones. Apple says no. India abandons its smartphone tracking mandate. India requires all encrypted messaging to be SIM-tied. Scattered Lapsus$ Hunters --becomes--> SLH. AI demand has driven RAM pricing sky high. GRC's DNS Benchmark is finished and available. Cisco may talk a good game, but they're still Cisco. Browsers to ask users for local network access permission. React: The worst remote code exploit in a LONG time. Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/securitynow veeam.com bigid.com/securitynow zscaler.com/security hoxhunt.com/securitynow
A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security. France's VanityFair face a stiff fine over cookies. GrapheneOS pulls out of France over coercion worries. The EU adds to the pile-on over underage social media. India mandates the tracking of all smartphones. Apple says no. India abandons its smartphone tracking mandate. India requires all encrypted messaging to be SIM-tied. Scattered Lapsus$ Hunters --becomes--> SLH. AI demand has driven RAM pricing sky high. GRC's DNS Benchmark is finished and available. Cisco may talk a good game, but they're still Cisco. Browsers to ask users for local network access permission. React: The worst remote code exploit in a LONG time. Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/securitynow veeam.com bigid.com/securitynow zscaler.com/security hoxhunt.com/securitynow
A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security. France's VanityFair face a stiff fine over cookies. GrapheneOS pulls out of France over coercion worries. The EU adds to the pile-on over underage social media. India mandates the tracking of all smartphones. Apple says no. India abandons its smartphone tracking mandate. India requires all encrypted messaging to be SIM-tied. Scattered Lapsus$ Hunters --becomes--> SLH. AI demand has driven RAM pricing sky high. GRC's DNS Benchmark is finished and available. Cisco may talk a good game, but they're still Cisco. Browsers to ask users for local network access permission. React: The worst remote code exploit in a LONG time. Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/securitynow veeam.com bigid.com/securitynow zscaler.com/security hoxhunt.com/securitynow
A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security. France's VanityFair face a stiff fine over cookies. GrapheneOS pulls out of France over coercion worries. The EU adds to the pile-on over underage social media. India mandates the tracking of all smartphones. Apple says no. India abandons its smartphone tracking mandate. India requires all encrypted messaging to be SIM-tied. Scattered Lapsus$ Hunters --becomes--> SLH. AI demand has driven RAM pricing sky high. GRC's DNS Benchmark is finished and available. Cisco may talk a good game, but they're still Cisco. Browsers to ask users for local network access permission. React: The worst remote code exploit in a LONG time. Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/securitynow veeam.com bigid.com/securitynow zscaler.com/security hoxhunt.com/securitynow
Hello everyone! Today we welcome Alain Olivier, a Quebecer who survived one of the worst nightmares imaginable: a death sentence in Thailand, following a false drug-trafficking accusation that stemmed from a rigged police sting operation involving the RCMP (GRC). For nine years he lived through hell: torture, corruption, 40 pounds of chains on his feet, and more. His story inspired the film "Target Number One" and the book "Good Luck Frenchie". In this episode he tells his story in great detail, without any filter.
Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Andréia Stephenson, BSc SIRM, Enterprise Risk Analyst at London Metal Exchange, about her shift from a Bachelor of Science in biology to a risk analyst and risk professional. Andréia speaks of her passion for data and the importance of communicating at all levels of your organization. She regards working for different organizations with good leaders as a way to learn risk frameworks and gain foundational knowledge. She shares views on how risk analysts can influence risk culture. She also tells how she uses AI as an assistant. Listen for thoughts on building a risk-aware culture by asking leaders the right questions. Key Takeaways: [:01] About RIMS and RIMScast. [:17] About this episode of RIMScast. Our guest today is Andréia Stephenson, BSc SIRM, Enterprise Risk Analyst at London Metal Exchange. She will discuss her career and the evolving role of the Risk Analyst. But first… [:43] RIMS-CRMP and Some Exam Prep Courses. From December 15 through the 18th, CBCP and RIMS will present the RIMS-CRMP Exam Prep Boot Camp. [:53] Another virtual course will be held on January 14th and 15th, 2026. These are virtual courses. Links to these courses can be found through the Certification page of RIMS.org and through this episode's show notes. [1:07] During the interview with Andréia, you will hear her reference the RIMS CRO Certificate Program in Advanced Enterprise Risk Management, which is hosted by the famous James Lam. Andréia is an alum of the program. [1:23] You can enroll now for the next cohort, which will be held over 12 weeks, from January through March of 2026. Registration closes on January 5th. Or Spring ahead and register for the cohort held from April through June of 2026. Registration closes on April 6th. [1:39] Links to registration and enrollment are in this episode's show notes. 
[1:46] Justin shares that RIMS suffered a tremendous loss in December. Chief Membership Experience Officer, Leslie Whittet, with RIMS for almost three years, tragically passed away due to injuries she sustained in an accident. She was walking her dog when she was struck by a truck. [2:18] Some of the RIMS staff, including CEO Gary LaBranche, knew Leslie from years prior. We are all shocked and saddened. Leslie was a remarkable association leader with 30 years of experience. [2:33] Gary LaBranche had the privilege of working alongside Leslie Whittet at the Association for Corporate Growth for nine years. For the last three years, Justin has had the pleasure of working with her at various RIMS events and seeing her weekly on our remote calls. [2:50] Leslie was always a source of positivity, inspiration, and creativity. She was just a wonderful person who will be deeply missed. Her memory is certainly a blessing. [3:03] RIMS will celebrate her memory at the Chapter Leadership Forum in Orlando in January. If you have any questions, please contact Josh Salter, jsalter@RIMS.org. Tributes are pouring in on LinkedIn and various networking groups. [3:22] If you have memories and photos you'd like to share, we encourage you to do so to honor her memory. [3:29] It wasn't easy to speak these words or read them, so I want to take a brief moment of silence to honor Leslie before we go any further. [3:44] On with the show! Our guest today is Andréia Stephenson. She comes to us all the way from London, where she's an Enterprise Risk Analyst for the London Metal Exchange. [3:57] You may know her a little bit from some promotional videos we've done on social media, promoting the James Lam CRO Certificate Course. In getting to know her, I was struck by how enthusiastic she was about her role as a Risk Analyst for years. [4:14] Many risk professionals begin as risk analysts; others, like Andréia, can make a thriving career of it. 
She's here to share some tips on how to do that, where ERM fits into the mix, and where she believes the role of the risk analyst will be going in the near future. Let's get started… [4:36] Interview! Andréia Stephenson, welcome to RIMScast! [4:47] Andréia may sound familiar to you because she did a testimonial on LinkedIn for RIMS for the James Lam CRO Certificate course. Justin says she was great to work with. That's how she and Justin met, and that's why she's here. [5:19] Justin notes that his voice is lower from "shouting" during the ERM Conference. Andréia looks forward to the RIMS ERM Conference 2026. [6:09] Andréia shares an overview of her career. She started at O.R.X., an operational risk data exchange association, where she learned all the principles of risk management. It gave her a strong background in operational risk. [6:36] From there, she went to London to go into a second-line risk management function as an analyst at a wealth management investment firm, then she went to a small investment bank, then to another wealth management firm, and now, to the London Metal Exchange. [7:00] They were all analyst roles, primarily operational risk, but also enterprise risk management. Risk has been part of her life for the last 10 years. The foundation was set by O.R.X. She holds the company close to her heart. [7:28] Andréia loves data. It's incredibly important for driving analysis. She says any analyst who doesn't love data is not an analyst! Data structure and data quality are very important for risk analysis, or any analysis. You need to love data to be able to do good risk management. [8:13] Andréia says that working in different organizations is important for risk management. It helps you connect the dots between the components of a risk management framework. 
[8:28] When Andréia started at O.R.X., she understood all the components, but she didn't join the dots until she went into the industry, hands-on, in the deep end, trying to figure out an RCSA, a KRI, or a KPI. Then, all the components of risk management started to make a bit more sense. [8:53] Andréia has always been fortunate to have worked with several exceptional leaders, each of whom had a kind of superpower in risk management that influenced her approach and understanding of risk. [9:07] Andréia's first manager at O.R.X. was tough and meticulous. She had a deep understanding of corporate governance and the boundaries between the risk types: strategic, financial, and non-financial. [9:22] At the time, Andréia didn't really appreciate how valuable the discipline was. She didn't understand yet. In hindsight, it gave her a strong foundation. Another CRO she worked with taught her the importance of communication in risk. [9:46] Aside from his technical ability, he understood stakeholder management at every level of the organization and how to translate the risk concepts for different audiences and build alignment. [10:00] Then she had a head of risk who was incredible with data, with an exceptional ability to quantify risk using analytics and evidence. Having a science degree, numbers were not Andréia's strongest area, but working with someone who pushed her helped her to become stronger. [10:25] Andréia thinks that working in risk in different organizations can help you build those thoughts. [10:32] Andréia has a Bachelor of Science degree in biology from the University of Bath in England. She's happy she decided not to pursue biology and took the risk road, instead. [10:55] Justin tells of recently having Kellee Ann Richards-St. Clair on the show. She's on the RIMS Strategic and Enterprise Risk Management Council. Kellee Ann started in Chemistry. She moved into Energy and Power and became the de facto ERM Manager for her organization. 
[11:15] Kellee Ann and Andréia channelled other areas of knowledge to apply them to risk. For Andréia, the statistical side of biology has been helpful in risk management. James Lam states in his CRO Certificate program that risk is probability and statistics. Risk management isn't easy. [12:19] Andréia believes that legacy tools and practices fall short when they are disconnected from the organization's purpose, vision, mission, and strategic objectives. GRC systems have different modules: an RCSA module, a budding issue module, and an incident module. [12:49] Andréia hasn't seen a system that can connect the dots well. Risk practitioners don't always know how to connect the dots, either. An RCSA becomes isolated from the risk itself because people don't understand the context of those risks. [13:17] Working with business senior leaders to understand the context of your organization will help you to provide more valuable use of those tools and practices. [13:32] Andréia explains RCSA. It stands for Risk and Control Self-Assessment. It's a thought process. You sit down to understand what's most important to you, how much you care about it, and what you have in place to protect what's most important to you. [13:55] Andréia says the way we try to document that thought process is quite heavy. The industry requires that process to be complicated. Andréia recommends simplifying it. [14:20] To simplify it, have a process that's more sensible. The industry requires you to do assessments for inherent risk and residual risk. First, determine if a risk is important to you. If it's not important, why are you assessing it? [15:09] Andréia thinks the industry makes it difficult by requiring organizations to assess risks in a certain way, when it doesn't actually make sense. Managers have to have the courage to say it doesn't make sense for the organization, let's try a simpler approach. [15:34] Andréia uses screens, but sometimes pen and paper will do. 
Having that brainstorming session with the business really helps in trying to understand the purpose of what you do for your organization and where you fit in the strategic purpose of the firm. [15:51] What is most important to you, as opposed to thinking of everything that could go wrong? Risk is not only about negative outcomes but also about opportunities. [16:09] Quick Break! RISKWORLD 2026 will be held from May 3rd through the 6th in Philadelphia, Pennsylvania. RISKWORLD attracts more than 10,000 risk professionals from across the globe. It's time to Connect, Cultivate, and Collaborate with them. Booth sales are open now! [16:31] General registration and speaker registration are also open right now! Marketplace and Hospitality badges will be available starting on March 3rd. Links are in this episode's show notes. [16:44] Let's conclude our Interview with Andréia Stephenson! [17:14] Beyond documenting risk, Andréia thinks a risk analyst can shape an organization's risk-aware culture by asking questions. The quality of the questions they ask helps drive culture. [17:31] When an analyst consistently probes assumptions, highlights all the inconsistencies they find, or asks what this means in practice, that behavior encourages others to think more critically about risk and about what they are doing. [17:50] Good questions change behaviors. They prompt people to pause and reflect rather than to operate in autopilot, which we all sometimes do. [18:04] Andréia says analysts can contribute by making risk information simpler, clearer, and more accessible, looking for ways to simplify their reports and focusing on the most important things, day-to-day, for their objectives, and having a less bureaucratic process. [18:41] Andréia suggests having the courage to speak up when processes don't make sense in the second line of defense to help as much as possible the first line. 
[18:51] Risk analysts can influence and change behavior by building truthful and meaningful relationships with people, caring about the business, listening to the business units, taking their feedback to heart, and helping them to change the difficulties they encounter in risk. [19:19] Andréia works in the second line of defense. She works with a lot of first-line business units. For them, it's a burden when the risk team, the CRO, or the processes change. The risk analyst needs to help them minimize that burden. It's important to be conscious of that. [19:57] Andréia says when she goes into a new organization, the first thing she does is to understand the current state. What risk practices do they have? How do they operate? After a month, she has figured out how the organization is and how they make decisions. [20:17] When she has a suggestion, Andréia puts herself on the line for it. More often than not, it has worked out positively because she had good managers who could listen to her ideas for improvement. [20:41] If something doesn't make sense, you have to be true to yourself and say this process is lengthy, or this document is enormous; let's try to simplify it. Never be afraid of providing views for improvements, so long as you have one and have thought about it. [21:16] Andréia believes in passion for what you do. You need to be passionate, and if you're not, find your passion. For Andréia, it has always been to be a professional analyst and risk professional. That passion, in turn, drives your curiosity. [21:40] Look for ways to improve and learn. Working hard is really important, even with AI. Working hard drives good results. Data literacy is very important. Understand the basic principles of data and the basic tools that allow you to do data analysis. [22:04] Think, pause, and reflect. What does that data mean? What do those patterns mean? [22:10] Andréia stresses communication. She says she's still working on her communication skills. 
She is very direct at work. Sometimes that directness can seem abrupt. If something doesn't make any sense, she will put her hand up and say, This doesn't make any sense! [22:41] Having the soft skill to be able to communicate at all levels of the organization is important. That will set an analyst apart. [23:33] Andréia says AI is everywhere. She uses AI all the time for work and for her personal life. In her experience, AI is most powerful as a sounding board, a thought partner, and a colleague. It helps you explore ideas, structure problems, and challenge assumptions. [24:07] The analyst is the one who provides context and judgment. AI can help you generate lots of possibilities, but it can't decide what makes sense for your organization or for you. A critical mindset is very important. [24:25] Analysts need to treat AI as an extension of their thinking process, not as a replacement for it. You are the Quality Control. You are always the one accountable for the output. AI doesn't understand your business, your culture, or your strategic priorities, but you do. [24:48] There's always the risk that if you rely on AI without applying your own insight, the output will sound sort of right but not add any value. It may be technically correct, but contextually useless. [25:12] If analysts don't know how to extract, refine, and apply what the tool gives them, it won't move the needle in a meaningful way. [25:21] Analysts should work in different places, understand what a good framework is, get certifications, work with risk professionals, work to think about problems you haven't come across before, use critical thinking, and use AI to help perform the mechanical parts of your job. [25:51] Always rely on your judgment, your relationships, and your understanding of the business you are in. [26:04] Justin shares that philosophy. He uses AI as a sounding board, to help him if he's stuck on an idea, to help him expand it. If he likes it, he'll go with it. 
He takes the output as a template and refines it. [26:31] Andréia says it's almost like having an assistant. If it gives you something different than what you asked for, you can restate your question. [26:41] Justin's daughter is getting into advanced math in middle school. He doesn't remember a lot of it. He's asked ChatGPT to help him come up with math questions for his daughter. It has been invaluable for that. [27:20] Andréia uses it for formulas in Excel. She says, You still have to know what you want. You can prompt it to help you remember how to do something. Justin says you need the foundational knowledge. [27:45] Andréia says foundational knowledge is what will set people apart in their profession, whatever profession it is. She would much rather know what she knows than have AI do something and not feel comfortable with it. The foundation is really important. [28:08] Special thanks again to Andréia Stephenson for joining us here on RIMScast! Keep an eye out for her on LinkedIn in those super cool CRO Certificate Program promotional videos. [28:21] Remember, we have two more cohorts coming up, one in January and one in April. Links are in this episode's show notes. [28:29] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [28:57] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [29:15] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [29:33] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. 
Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [29:49] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [30:03] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [30:15] Practice good risk management, stay safe, and thank you again for your continuous support!
Links:
RIMS-CRO Certificate Program In Advanced Enterprise Risk Management | Jan‒March 2026 Cohort | Led by James Lam
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RISKWORLD 2026 Registration — Open for exhibitors, members, and non-members!
Reserve your booth at RISKWORLD 2026!
The Strategic and Enterprise Risk Center
RIMS Diversity Equity Inclusion Council
RIMS Risk Management magazine | Contribute
RIMS ERM Special Edition 2025
RIMS Now
RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026
Statement on the passing of RIMS Chief Membership Experience Officer Leslie Whittet
Upcoming RIMS-CRMP Prep Virtual Workshops:
"CBCP & RIMS-CRMP Exam Prep Bootcamp: Business Continuity & Risk Management" December 15‒18, 2025, 8:30 am‒5:00 pm EST, Virtual
RIMS-CRMP Exam Prep January 14‒15, 2026, 9:00 am‒4:00 pm EST, Virtual
Full RIMS-CRMP Prep Course Schedule
See the full calendar of RIMS Virtual Workshops
Upcoming RIMS Webinars: RIMS.org/Webinars
Related RIMScast Episodes:
"James Lam on ERM, Strategy, and the Modern CRO"
"RIMS ERM Global Award of Distinction 2025 Winner Sadig Hajiyev — Recorded live from the RIMS ERM Conference in Seattle!"
"Presilience and Cognitive Biases with Dr. Gav Schneider and Shreen Williams"
"Risk Rotation with Lori Flaherty and Bill Coller of Paychex"
"Energizing ERM with Kellee Ann Richards-St. Clair"
"Talking ERM: From Geopolitical Whiplash to Leadership Buy-In" with Chrystina Howard of Hub
"Tom Brandt on Growing Your Career and Organization with ERM"
"Risk Quantification Through Value-Based Frameworks"
Sponsored RIMScast Episodes:
"Secondary Perils, Major Risks: The New Face of Weather-Related Challenges" | Sponsored by AXA XL (New!)
"The ART of Risk: Rethinking Risk Through Insight, Design, and Innovation" | Sponsored by Alliant
"Mastering ERM: Leveraging Internal and External Risk Factors" | Sponsored by Diligent
"Cyberrisk: Preparing Beyond 2025" | Sponsored by Alliant
"The New Reality of Risk Engineering: From Code Compliance to Resilience" | Sponsored by AXA XL
"Change Management: AI's Role in Loss Control and Property Insurance" | Sponsored by Global Risk Consultants, a TÜV SÜD Company
"Demystifying Multinational Fronting Insurance Programs" | Sponsored by Zurich
"Understanding Third-Party Litigation Funding" | Sponsored by Zurich
"What Risk Managers Can Learn From School Shootings" | Sponsored by Merrill Herzog
"Simplifying the Challenges of OSHA Recordkeeping" | Sponsored by Medcor
"How Insurance Builds Resilience Against An Active Assailant Attack" | Sponsored by Merrill Herzog
"Third-Party and Cyber Risk Management Tips" | Sponsored by Alliant
RIMS Publications, Content, and Links:
RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RISK PAC | RIMS Advocacy
RIMS Strategic & Enterprise Risk Center
RIMS-CRMP Stories — Featuring RIMS President Kristen Peed!
RIMS Events, Education, and Services:
RIMS Risk Maturity Model®
Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.
Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.
Have a question or suggestion? Email: Content@rims.org.
Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.
About our guest: Andréia Stephenson, BSc SIRM, Enterprise Risk Analyst, London Metal Exchange
Production and engineering provided by Podfly.
Summary: In this episode, Sean M Weiss engages with Richa Kaul, CEO of Complyance ("Compliance with a Y"), discussing the critical role of governance, risk, and compliance (GRC) in today's data-driven world. They explore the mission behind the organization, the importance of risk assessments, and the challenges posed by rapid advancements in AI technology. Richa emphasizes the need for ethical considerations in AI development and the necessity of human intervention in AI processes. The conversation highlights the balance between innovation and regulation, particularly in the context of data privacy and security.
Takeaways:
- Complyance focuses on protecting consumer data through enterprise security.
- Risk assessments are crucial for both large and small organizations.
- GRC stands for Governance, Risk, and Compliance, and is increasingly important.
- AI technology is evolving rapidly, outpacing current regulations.
- Ethical AI development requires human oversight and intervention.
- Organizations must prioritize security over mere compliance.
- The healthcare sector is a significant focus for Complyance.
- AI can enhance risk visibility but should not replace human judgment.
- Regulations need to adapt to the fast-paced changes in technology.
- Integrity in business practices is essential for long-term success.
Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this episode, Tom welcomes Nicole Di Schino, Principal Compliance Services Consultant at Diligent's Spark Compliance Group to consider how to best harness AI for your compliance regime into 2026 and beyond. Nicole and Tom discuss the critical importance of AI governance, compliance, and modern GRC. They cover practical steps for developing comprehensive compliance programs, emphasizing the necessity for AI risk assessments, the establishment of AI governance committees, and the implementation of human oversight in AI processes. Nicole highlights the intrinsic risks associated with the use of AI, including privacy concerns and AI bias, and shares her personal experiences with AI's impact in educational settings. Tom underscores the role of compliance education, advocating for the broader view of compliance as an ambassadorial and educational function. This session also explores the integration of AI into compliance workflows and the essential role of board and committee oversight. Resources Nicole Di Schino on LinkedIn Diligent Website Tom Fox Instagram Facebook YouTube Twitter LinkedIn Learn more about your ad choices. Visit megaphone.fm/adchoices
All links and images can be found on CISO Series. This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is John Barrow, CISO, JB Poindexter & Co. In this episode: Building unicorns, not hunting them Cold War frameworks for modern threats Trading dollars for stories Mirror, mirror on the wall Huge thanks to our sponsor, Vanta Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso
The Royal Canadian Mounted Police (RCMP, or GRC in French) is restricting the use of its 973 Chinese-made drones (80% of its fleet) to non-sensitive operations, citing "high security risks". Replacing the aircraft the RCMP considers risky would cost more than $30 million.
Join us for a timely and insightful live discussion on the evolving role of artificial intelligence in governance, risk, and compliance. Host Dave Bittner from N2K | CyberWire is joined by Kayne McGladrey from Hyperproof, Matthew Cassidy, PMP, CISA from Grant Thornton (US), and Alam Ali from Hyperproof to explore the current state of artificial intelligence in governance, risk, and compliance. The panel will discuss what AI is truly doing well today, the risks and challenges organizations need to watch for, and how AI is poised to influence the future of GRC. They will also share practical insights and real-world guidance for teams looking to adopt AI responsibly and effectively. Don't miss this timely conversation as our experts break down what's real, what's risky, and what's next in AI for GRC. Learn more about your ad choices. Visit megaphone.fm/adchoices
Today's episode is hosted by Chris Hackett and they are joined on the podcast by Christopher Bosch, CISO at Evolved Aerospace and Elisia Chessel, Senior Security Architect at Klarna. The conversation explores how organisations can strengthen their approach to security and GRC by effectively engaging senior leadership. Through a broad discussion on communication practices, cultural alignment and strategic visibility, the episode highlights why embedding robust frameworks early is essential for building long-term resilience. The guests also reflect on how leadership teams can better understand evolving risks and support wider operational goals. The exchange highlights practical methods for integrating security into core decision-making, ensuring GRC principles are not treated as optional but as foundational to sustainable growth. By examining shifting expectations, the episode considers how modern enterprises can foster a proactive mindset and ensure that security and GRC continue to shape organisational maturity.
In this JCO Precision Oncology Article Insights episode, Natalie DelRocco summarizes "Genomic Risk Classifiers in Localized Prostate Cancer: Precise but Not Standardized" by Góes et al. published on September 10, 2025. TRANSCRIPT Natalie DelRocco: Hello and welcome to JCO Precision Oncology Article Insights. I'm your host, Natalie DelRocco, and today we will be discussing the editorial "Genomic Risk Classifiers in Localized Prostate Cancer: Precise but Not Standardized." This editorial by Góes, Li, and Chehrazi-Raffle, and Janopaul-Naylor et al. describes genomic risk classifiers, or GRCs, for patients with localized prostate cancer. Like any risk prediction model, GRCs are intended to help identify groups of patients that may benefit from less intense or more intense anticancer therapy. Risk prediction tools can be difficult to bring into clinical practice; they require a lot of validation. And as the authors describe, GRCs in localized prostate cancer are no exception. The authors of this editorial contextualize an article by Janopaul-Naylor et al., which attempts to retrospectively explore the clinical use of three available GRCs for localized prostate cancer: Decipher, Oncotype DX, and Prolaris. Each of these three GRCs is being used in clinical practice currently. In the original article, all three GRCs were associated with less intense therapy being prescribed in practice. However, the editorial authors note that this is likely selection bias due to the observational nature of the study design. It is conceivable that GRCs were more likely ordered to make decisions for patients who were already thought to be good candidates for less intensive therapy. Another weakness of the retrospective study design is that patient level covariates known to be associated with clinical prognosis in localized prostate cancer, such as staging, Gleason score, prostate specific antigen, were unavailable. The authors note that sampling bias may also be an issue. 
Uninsured patients are not included in the original article, and therefore may impede the ability to make conclusions about the association of GRC use with income level. The editorial authors highlight important study findings as well as these limitations, such as the heterogeneity of interventions following GRC result return. The Prolaris GRC was found to be associated with more surgical interventions, while the Decipher GRC was associated with more androgen deprivation therapy plus radiation. Additionally, patients with active surveillance were more likely to have a GRC in general ordered. While these conclusions are very interesting, the editorial authors note that further exploration and validation, given the retrospective study design and limitations outlined, are needed to fully understand the impact of GRCs in the practice of treating localized prostate cancer. Thank you for listening to JCO Precision Oncology Article Insights. Don't forget to give us a rating or a review and be sure to subscribe so that you never miss an episode. You can find all ASCO shows at asco.org/podcasts. The purpose of this podcast is to educate and to inform. This is not a substitute for professional medical care and is not intended for use in the diagnosis or treatment of individual conditions. Guests on this podcast express their own opinions, experience, and conclusions. Guest statements on the podcast do not express the opinions of ASCO. The mention of any product, service, organization, activity, or therapy should not be construed as an ASCO endorsement.
Christine Lowthian, Head of Regulatory Compliance at HSBC, on her career journey, the importance of seizing opportunities and building a supportive network. She highlights her experience leading global teams, particularly in commercial banking and the U.S., and the challenges of managing multicultural teams. Lowthian stresses the role of technology, particularly AI, in enhancing compliance efficiency but notes the need for clean data. She advises aspiring leaders to embrace opportunities, maintain open communication with boards and regulators, and focus on strategic thinking and continuous improvement. SHOW NOTES 02:12 Career Journey 05:46 Leading Global Teams 08:50 Managing Multicultural Teams 16:27 Skills for the Compliance Officer of the Future 17:57 Engaging with Boards and Regulators 26:29 Handling Challenging Personalities 29:05 Advice for Women Starting Out Transcript and more GRC content: https://www.riskywomen.org/2025/11/podcast-s813-leading-global-teams-managing-with-impact-christine-lowthian/
DailyCyber The Truth About Cyber Security with Brandon Krieger
The Explosion of Security Data & Modern Detection with Joshua Scott | DailyCyber 280 ~ Watch Now ~ In this episode of DailyCyber, I sit down with Joshua Scott, VP of Security at Hydrolix, a leader with nearly 30 years of hands-on experience across enterprise security, cloud architecture, GRC, risk, IR, compliance, detection engineering, and product security. Joshua has built and led security programs in every major function — from enterprise GRC and security engineering to cloud security, DevSecOps, threat detection, incident response, IAM, and data governance. Today, he leads security for Hydrolix, a platform built to help organizations query terabytes to petabytes of security data at speed. This episode is for CISOs, vCISOs, architects, analysts, SOC leads, and anyone trying to navigate today's overwhelming security landscape.
Today we're launching Risky Women Academy, where we empower women in governance, risk, and compliance to advance in their careers! I'm Kimberley Cole, and I'm excited to share that we offer a range of courses from various providers, covering everything from trade and industry topics to essential soft skills. Bringing you new ways to learn from experts in the GRC industry, you'll also find discounts and special offers on courses right here. Discover the tools and knowledge you need to excel in your career! Check out Risky Women Academy now and be part of a community that champions your success. Are you part of an organization eager to showcase your valuable content? We invite you to collaborate with us! Reach out at info@riskywomen.org to explore how we can elevate the conversation together. Let's keep building on our super powers for even greater success!
All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining them is our sponsored guest, Nathan Hunstad, director, security, Vanta. In this episode: Metrics that matter Testing for real AI as an assistant Intelligence without context Huge thanks to our sponsor, Vanta Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso
In this episode of The Digital Executive, host Brian Thomas welcomes Yakir Golan, CEO and Co-founder of Kovrr, a global leader in cyber and AI risk quantification. Drawing from his early career in Israeli intelligence and later roles in software, hardware, and product management, Yakir explains how his background shaped his holistic approach to understanding complex, interconnected risk systems. Yakir breaks down why quantifying AI and cyber risk—rather than relying on subjective, color-coded scoring—is becoming essential for enterprise leaders, boards, and regulators. He explains how Kovrr's new AI Risk Assessment and Quantification module helps organizations model real financial exposure, understand high-impact “tail risks,” and align security, GRC, and finance teams around a shared, objective language. Looking ahead, Yakir discusses how global regulation, including the EU AI Act, is accelerating the need for measurable, defensible risk management. He outlines a future where AI risk quantification becomes a board-level expectation and a foundation for resilient, responsible innovation. Through Kovrr's mission, Yakir aims to equip enterprises with the same level of intelligence-driven decision making once reserved for national security—now applied to the rapidly evolving digital risk landscape. If you liked what you heard today, please leave us a review - Apple or Spotify. See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Guest article by Paul Dongha, co-author of Governing the Machine: How to navigate the risks of AI and unlock its true potential. Artificial Intelligence (AI) has moved beyond the realm of IT; it is now the defining strategic challenge for every modern organisation. The global rush to adopt AI is shifting from a sprint for innovation to a race for survival. Yet as businesses scramble to deploy powerful systems, from predictive analytics to generative AI, they risk unleashing a wave of unintended consequences that could cripple them. That warning sits at the heart of Governing the Machine: How to navigate the risks of AI and unlock its true potential, a timely new guide for business leaders. Governing the Machine. The authors, Dr Paul Dongha, Ray Eitel-Porter, and Miriam Vogel, argue that the drive to embrace AI must be matched by an equally urgent determination to govern it. Drawing on extensive experience advising global boardrooms, they cut through technical jargon to focus on the organisational realities of AI risk. Their step-by-step approach shows how companies can build responsible AI capability, adopting new systems effectively without waiting for perfect regulation or fully mature technology. That wait-and-see strategy, they warn, is a losing one: delay risks irrelevance, while reckless deployment invites legal and reputational harm. The evidence is already visible in a growing list of AI failures, from discriminatory algorithms in public services to generative models fabricating news or infringing intellectual property. These are not abstract technical flaws but concrete business risks with real-world consequences. Whose problem is it anyway? According to the authors, it is everyone's. The book forcefully argues that AI governance cannot be siloed within the technology department.
It demands a cross-enterprise approach, requiring active leadership driven from the C-suite, Legal counsel, Human Resources, Privacy and Information Security teams, as well as frontline staff. Rather than just sounding the alarm, the book provides a practical framework for action. It guides readers through the steps of building a robust AI governance programme. This includes defining clear principles and policies, establishing accountability, and implementing crucial checkpoints. A core part of this framework is a clear-eyed look at the nine key risks organisations must manage: accuracy, fairness and bias, explainability, accountability, privacy, security, intellectual property, safety, and the impact on the workforce and environment. Each risk area is explained, and numerous controls that mitigate and manage these risks are listed with ample references to allow the interested reader to follow up. Organisations should carefully consider implementing a Governance, Risk and Compliance (GRC) system, which brings together all key aspects of AI governance. GRC systems are available, both from large tech companies and from specialist vendors. A GRC system ties together all key components of AI governance, providing management with a single view of their deployed AI systems, and a window into all stages of AI governance for systems under development. The book is populated with numerous case studies and interviews with senior executives from some of the largest and best-known organisations in the world that are grappling with AI risk management. The authors also navigate the complex and rapidly evolving global regulatory landscape. With the European Union implementing its comprehensive AI Act and the United States advancing a fragmented patchwork of state and federal rules, a strong, adaptable internal governance system is presented as the only viable path forward.
The EU AI Act, which has now come into force, with staggered compliance deadlines in the coming two years, requires all organisations that operate within the EU, to implement risk mitigation controls with evidence of compliance. A key date is August 2nd 2026, by which time all 'Hig...
RadioPirate LIVE edition of 11 November 2025 with Jeff Fillion 0min00 - Jeff, Gerry and MisterWhite try to understand where our PM François Legault is headed. (Part 1) 17min19 - Jeff, Gerry and MisterWhite try to understand where our PM François Legault is headed. (Part 2) 33min36 - An incredible story in the Boîte à Gerry. Gerry's Substack here https://gerrypizza.substack.com/ 47min05 - The spectacular Jo Hamel reviews the economic and political news from here and elsewhere with Jeff and Gerry. 1h12min30 - Jeff and Gerry welcome Alain Pharand, who worked for 19 years at the GRC as a police officer and then in finance. He wrote a business book in 2021 and has lived in Mexico, in Playa Del Carmen, ever since, where he helps people interested in investing and settling there. (Full podcast on PRIME) Visit his site here: https://playahere.com/fr/ Learn more about your ad choices. Visit megaphone.fm/adchoices
In this episode, we're joined by Jakob Lilholm, Co-founder & CEO at Formalize, the Danish-based compliance SaaS that went from a single-point whistleblowing tool to a multi-product GRC platform used by 8,000+ customers across ~80 countries. Jakob shares how his team timed EU regulatory tailwinds, built whistleblowing software, and then layered products on top, shifting from high-volume transactional sales to a focused, consultative motion for regulated industries. Fresh off announcing a €30M Series B, Jakob walks through the internal rewiring it took: carving out an innovation pod with its own OKRs, resisting flattering false positives from the existing base, and proving platform demand with new-logo sales first, going from ~€100k ARR on the platform to >50% of company revenue in a year. Here are some of the key questions we address: When do you expand from a point solution to a platform? We discuss the timing model Formalize used (EU roadmap + S-curve “next wave” before the first peaks). What's the right ICP for a platform? Why did they end up narrowing their ICP and say “not yet” to others? How do you avoid false positives when you already have thousands of customers? Jakob explains why he decided to validate platform fit with new logos first. What org design supports a second act like this? How do you shift GTM, pricing, and messaging? What is the process moving from low ACV sales to higher-ACV, consultative deals without breaking the engine? Which metrics matter in the first year of a platform bet? How do you prove value creation, track conversion quality, and know when to re-inject the core team?
Today's guest is Annette Muldowney, Vice President - ServiceNow Manager at MidWestOne Bank. Founded in 1934, MidWestOne Bank is a relationship-driven community bank that provides comprehensive financial solutions, including personal and business banking, lending, trust services and wealth management. Guided by values of integrity, teamwork and impact, MidWestOne Bank aims to generate meaningful outcomes for both their customers and communities. Annette is a resourceful and innovative leader with over 20 years of technical management, project implementation and customer experience expertise across private, public and Fortune 500 sectors. As a ServiceNow Platform Owner, Annette oversees roadmap creation, governance and adoption strategies to ensure seamless user experiences and measurable results. She is recognized for a collaborative leadership style, commitment to excellence and ability to deliver impactful, technology-driven organizational change. In the episode, Annette talks about: 0:00 Driving financial innovation with ServiceNow for efficiency, transparency 3:06 Her role driving service management transformation at MidWestOne 3:52 Focusing on FSO, CSM, and emerging GRC initiatives 5:32 How her team is leveraging partners to manage ServiceNow implementation 8:02 Driving a phased ServiceNow implementation using a crawl, walk, run approach 10:56 How executive support and the right vendor are critical for ServiceNow success 13:12 Why building personal connection with vendors, fit and vision matter most 14:35 Advice to lead by example, stay fact-based, and measure what matters 18:03 The need to deeply understand the business to drive long-term platform success
Parliament convened in September, but a familiar face from the previous term wasn’t there. Progress Singapore Party’s secretary-general Leong Mun Wai was a notable presence as a Non-Constituency MP during the 14th term of Parliament, sometimes having heated exchanges with ministers and PAP MPs. But he and fellow party member Hazel Poa did not retain their NCMP spots following the General Election in May. Their PSP team for West Coast-Jurong West GRC lost to the PAP slate, which won the five-man GRC with 59.99 per cent of the vote to PSP’s 40.01 per cent. In this episode of The Usual Place, I speak with Mr Leong about steering the party in its next phase post-GE2025 and the challenges of not being in Parliament. How will PSP evolve its practices and policy communications without a Parliamentary presence, and remain relevant? Highlights (click/tap above): 4:06 Increasing online presence to explain party positions 6:05 Mr Leong on heated exchanges as NCMP 10:45 How PSP will explain its policy ideas to the public post-GE2025 19:19 What will PSP really stand for "after Dr Tan Cheng Bock"? 20:20 Wanting to lead national conversation on economy 22:55 How does PSP stand out differently from other parties? 25:00 Will PSP move beyond the electro west? 
28:00 "I learnt a very hard lesson about the powerful PAP machinery": Mr Leong Read Natasha Ann Zachariah’s articles: https://str.sg/iSXm Follow The Usual Place podcast on IG: https://www.instagram.com/theusualplacepodcast Follow Natasha on LinkedIn: https://str.sg/v6DN Filmed by: Studio+65 Edited by: Teo Tong Kai and Chen Junyi Executive producers: Danson Cheong, Elizabeth Khor & Ernest Luis Editorial producer: Lynda Hong Follow The Usual Place Podcast and get notified for new episode drops every Thursday: Channel: https://str.sg/5nfm Apple Podcasts: https://str.sg/9ijX Spotify: https://str.sg/cd2P YouTube: https://str.sg/theusualplacepodcast Feedback to: podcast@sph.com.sg SPH Awedio app: https://www.awedio.sg --- Follow more ST podcast channels: All-in-one ST Podcasts channel: https://str.sg/wvz7 Get more updates: http://str.sg/stpodcasts The Usual Place Podcast YouTube: https://str.sg/4Vwsa --- Get The Straits Times app, which has a dedicated podcast player section: The App Store: https://str.sg/icyB Google Play: https://str.sg/icyX -- #tup #tuptrSee omnystudio.com/listener for privacy information.
All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is our sponsored guest, Khush Kashyap, senior director, GRC, Vanta. In this episode: Skip the Sermon When to coach versus command Making risk quantification useful Recognizing a distinct discipline Huge thanks to our sponsor, Vanta Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at https://www.vanta.com/landing/demo-grc?utm_campaign=new-way-grc&utm_source=ciso-series-podcast&utm_medium=podcast&utm_content=banner
In this episode of GRC Chats, we explored vital mindset shifts for GRC professionals navigating crisis situations. Caroline Stokes, leadership coach and author of "Aftershock to 2030: A CEO's Guide to Reinventing in the Age of AI, Climate, and Societal Collapse," shares her expertise on fostering resilience and mental health in risk management, cyber security, and governance. Discover how these tireless professionals can prioritize self-care without compromising their mission-critical roles. We discussed the challenges faced by Chief Risk Officers, cyber security leaders, and sustainability advocates, including burnout, work-life balance, and career development. Caroline highlights strategies, including the importance of taking moments to reset, leveraging coaching, and rethinking systems for long-term success. Her insights are essential for anyone in risk management, governance, or defense industries. Aftershock to 2030 book: Amazon: https://www.amazon.co.uk/dp/B0FB5BKFGL Thinkers 50 Leadership Award announcement: https://www.linkedin.com/posts/ocarolinestokes_thinkers50-leadership-regeneration-activity-7378448096940298240-iXXs?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAD7q70Bk40-vywCY4O_4l7zVHq6e1LRqpE If you want to be our guest or suggest a guest, send your email to info@globalriskconsult.com with the subject line "Podcast Guest Inquiry."
DailyCyber The Truth About Cyber Security with Brandon Krieger
CISO Roles, Talent Crisis & AI Tools | DailyCyber 276 with Michael Reichstein ~ Watch Now ~ In this episode of DailyCyber, I'm joined by Michael Reichstein, a global cybersecurity executive with more than 20 years of experience leading security programs across multiple continents. His journey spans military service, enterprise GRC integration, and Fortune 500 leadership. Michael brings a people-first perspective to security, emphasizing communication, culture, and aligning security with business goals.
In episode 156 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Stephanie Gass, Sr. Director of Information Security at Center for Internet Security® (CIS®), and Angelo Marcotullio, Chief Information Officer at CIS. Together, they explore how CIS practices what it preaches by using CIS products and services internally, which includes implementation of the CIS Critical Security Controls® (CIS Controls®) and CIS Benchmarks®, automation, and alignment to compliance frameworks. Their discussion highlights how CIS builds a strong cybersecurity foundation while adapting to evolving threats and regulatory requirements. The conversation dives into practical applications, cultural alignment, and the importance of repeatable processes for scaling security across new products and services. It also touches on the role of privacy regulations, cyber risk quantification, and the community-driven approach that underpins CIS best practices. Here are some highlights from our episode: 01:12 Why CIS “drinks its own champagne” when it comes to cybersecurity 02:56 Three ways the CIS Controls help modern enterprises defend against threat actors 04:02 The importance of pulling together security lessons learned in a way that's translatable 10:03 Our use of the CIS Controls to align to SOC 2, ISO 27001, and other frameworks 12:01 How governance, risk, and compliance (GRC) engineering works with automation to help build repeatable processes 22:43 The role of collaboration and communication in building a cybersecurity program 27:17 Privacy regulations as a catalyst for security innovation 30:24 The CIS Community Defense Model and evidence-based practices 32:40 How CIS leverages lessons learned to improve our security best practices
Resources:
Episode 146: What Security Looks Like for a Security Company
Implementation Guide for Small and Medium-Sized Enterprises CIS Controls IG1
How to Construct a Sustainable GRC Program in 8 Steps
Mapping and Compliance with the CIS Controls
CIS Completes SOC 2 Type II Audit Using CIS Best Practices
Episode 74: The Nexus of Cybersecurity & Privacy Legislation
CIS Community Defense Model 2.0
Episode 121: The Economics of Cybersecurity Decision-Making
Episode 77: Data's Value to Decision-Making in Cybersecurity
CIS Communities
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.
In this episode of Resilient Cyber, I sit down with Founder & CEO of Paramify, Kenny Scott, to unpack the evolution of the FedRAMP program, FedRAMP 20x, and discuss what public sector cloud compliance looks like moving into the future. Kenny and I dove into a lot of topics, including:
What FedRAMP is and why it matters
What FedRAMP 20x is and what longstanding challenges associated with FedRAMP and public sector cloud and compliance it is addressing
The various aspects of FedRAMP 20x, including its phased rollout
Changes via FedRAMP 20x when it comes to Key Security Indicators (KSI), and how they differ from “controls”
FedRAMP's modern vulnerability management approach and how it changes from the way vulnerability management was historically handled under FedRAMP
The importance of automated assessments, machine-readable artifacts, real Continuous Monitoring (ConMon), and more for practical GRC Engineering
The role of GRC platforms when it comes to modernizing GRC
What the implications of FedRAMP 20x are for other public sector compliance programs, such as DoD's SWFT, SRG, and RMF
Subscribe now
Cisco's routers just exposed more than two million networks thanks to a "security optional" SNMP setup that's being actively exploited—Steve and Leo break down why this is a worst-case scenario for the industry and how easily it could have been avoided. Gmail's spam filtering false-positive spree. iOS 26's Safari randomizes its fingerprint by default. Cisco's SNMP stands for "Security Not My Problem". Windows' "stuck" Extended Security Updates (ESU). Europe complains, gets 1-year of ESU with no strings. Where to get $6 TLS certs (really) while they last. The lessons to learn from Jaguar Land Rover's mess. The NEON app: get paid to have your voice recorded. Bluesky's age verification, now coming to Ohio. What is "Kids Web Services" for age verification. More than 10K Ollama instances publicly exposed. GRC's DNS Benchmark reaches "release candidate" Show Notes - https://www.grc.com/sn/SN-1045-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: vanta.com/SECURITYNOW 1password.com/securitynow Melissa.com/twit threatlocker.com/twit zapier.com/twit
What happens when governance, risk, and compliance (GRC) collide with the everyday realities of the healthcare supply chain? On this episode of Power Supply, we're joined by David Williams, a healthcare supply chain leader with deep expertise in finance, risk, and compliance, to explore how cybersecurity, finance, procure-to-pay, and AI are all connected under the GRC umbrella. From process risks hiding in daily workflows to the growing urgency of cyber hygiene and AI governance, David explains why alignment across supply chain, finance, and IT is critical to protecting both operations and patient safety. Whether you're in the C-suite or working on the loading dock, this conversation breaks down what GRC really means for supply chain—and how to balance the equation for a smarter, safer future! Once you complete the interview, jump on over to the link below to take a short quiz and download your CEC certificate for 0.5 CECs! – https://www.flexiquiz.com/SC/N/ps15-07 #PowerSupply #Podcast #AHRMM #HealthcareSupplyChain #SupplyChain #GRC #Risk #Compliance #Governance #Cybersecurity
Meter: Visit https://meter.com/itcareer to book a demo

Cybersecurity is changing faster than ever — and the jobs of the future may not look like the ones you picture today. Everyone talks about hacking, red teaming, and pen testing, but there's a side of cybersecurity that's just as critical and often overlooked: GRC (Governance, Risk, and Compliance). In this episode, I sit down with @UnixGuy (Abed Hamdan) to talk about the future of cybersecurity, why GRC might be the biggest hidden career opportunity, and what it really takes to break into the field. We'll cover who should consider GRC, the skills you need to succeed, and how AI and automation are reshaping the industry. Whether you're brand new to tech or looking to pivot your career, this conversation will give you insider knowledge most people miss.
All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is Jason Loomis, CISO, Freshworks. In this episode: Making organizations take their security medicine Building CISO support systems Holding the door for humans Underappreciated risks: beyond the headlines Huge thanks to our sponsor, Safe Security SAFE is the category leader in Cyber Risk Quantification (CRQ) and the first vendor to deliver fully autonomous Third-Party Risk Management. We help CISOs, GRC, and TPRM leaders continuously and efficiently quantify, prioritize, and mitigate cyber risks across their entire attack surface — enabling digital growth and resilience. Learn more at tprmdemo.safe.security.
All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining them is Jennifer Swann, CISO, Bloomberg Industry Group. In this episode: Vulnerability management vs. configuration control Open source security and supply chain trust Building security leadership presence AI governance and enterprise risk Huge thanks to our sponsor, Vanta Vanta's Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get started today at Vanta.com/CISO.
All links and images can be found on CISO Series. This week's episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining us is Gary Chan, CISO, SSM Health. Be sure to check out Gary's security mentalism website: https://www.gschan2000.com. In this episode: Decision-making with incomplete information Translation beats technical expertise Influence trumps authority for CISOs Technical prowess creates adversaries Huge thanks to our sponsor, Vanta Automate, centralize, & scale your GRC program with Vanta. Vanta's Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. And the impact is real: A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get started at Vanta.com/ciso.