Meta quietly ditches encryption for Instagram chats while TikTok also backpedals on privacy, shaking up assumptions about how much big tech really values your secrets. Meanwhile, Steve Gibson reveals why CISA's free government security scans are an absolute must for businesses—plus what he learned when GRC took the plunge.

The Security Now "Caption That Photo" contest. A mega social media company says "no" to strong encryption. WhatsApp to give parents more control. Consumer bandwidth proxying is becoming a big deal. Meta buys the Moltbook duo. The EU gives up and settles upon the status quo. When a ransomware negotiation is not what it seems. CISA compels federal agencies to submit their logs. Is that a VPN in your pocket or something more malicious? Be careful what you download, thinking it's AI. A super-clever and super-simple A/V scanner bypass. Will AI write code for me? Another listener discovers the Joy of AI. Steve's CISA Internet scanning experience.

Show Notes - https://www.grc.com/sn/SN-1070-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit
Sponsors: joindeleteme.com/twit promo code TWIT; material.security; canary.tools/twit - use code: TWIT; adaptivesecurity.com; meter.com/securitynow
The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the recent hack of McKinsey's AI tool Lilli. Tom and Matt discuss a Financial Times report that a white-hat hacker, Paul Price of one-person firm Code Wall, exploited flaws in McKinsey's internal AI tool “Lilli” to access millions of internal chat messages, view sensitive client-related file names, and see the model weights used to train the system; McKinsey patched the vulnerabilities after disclosure. They argue the incident highlights emerging AI risks beyond traditional cybersecurity, including AI agents autonomously scouting for targets, the possibility of attackers altering models to change outputs and create hard-to-detect “drift,” and confusion over who inside organizations owns AI security and governance. The episode also explores the messy, inconsistent disclosure landscape for AI-related incidents and urges compliance and GRC leaders to slow AI adoption, pressure-test systems, clarify accountability, ensure kill-switch/manual fallback capabilities, and consider reputational fallout.

Key Highlights
· McKinsey AI Hack Overview
· Three Big Implications
· Model Drift and Tampering
· GRC Playbook for AI Risk
· Accountability and Kill Switches

Resources: Matt in Radical Compliance

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, Communicator and w3 Award, all for podcast excellence.
How do you build trust in a business environment where security reviews, compliance demands, and vendor risk checks can slow everything down just when companies are trying to move faster? In this episode, I sit down with Adam Markowitz, CEO and co-founder of Drata, to talk about why trust has become one of the most important business conversations in tech. Adam brings a fascinating perspective to the table. Before building Drata, he worked on NASA's space shuttle program, and today he leads a company that has grown rapidly by helping organizations rethink compliance, governance, risk, and assurance through automation and AI. What stood out to me in this conversation was how clearly he framed the real issue. Compliance may have been where many companies started, but trust is the bigger story. In a world shaped by cloud services, third-party vendors, and constant security scrutiny, old point-in-time audits and reactive processes are starting to look painfully outdated. We also talked about Drata's acquisition of SafeBase and what that says about the direction of the market. Adam explained how security and GRC teams have too often been treated as back-office functions, expected to stay quiet and keep the company out of trouble. But he sees things very differently. He argues that these teams can actively help close deals, accelerate revenue, and remove friction from the buying process. That shift matters because trust now plays a direct role in business growth. If customers can quickly get answers to security questions and understand how a company manages risk, sales cycles move faster and security teams stop being bottlenecks at the final stage of a deal. Another part of the conversation that really stayed with me was Adam's view on AI. He sees it as both a tailwind and a test. AI is helping automate highly manual GRC workflows, improve continuous compliance monitoring, and support newer frameworks tied to AI risk itself.
At the same time, he is realistic about the pressure this puts on businesses. AI may introduce fresh concerns, but it also shines a harsher light on issues that have been around for years, things like access creep, weak controls, and data integrity problems. That honesty gave this discussion a lot of weight because it moved beyond hype and focused on what companies actually need to do. We also touched on Drata's momentum as a business, from opening a new San Francisco headquarters to expanding globally and moving further into the enterprise market. But even there, Adam kept coming back to culture, discipline, and a deep understanding of the customer problem. For me, that was the thread running through the whole episode. Trust is not a side issue. It is part of how modern companies grow, compete, and prove they can be relied on. If your business still sees compliance as a checkbox exercise or a cost center, this conversation will give you plenty to think about. Where do you see the relationship between trust, security, and growth heading next, and what did this episode make you question about the way your own organization handles compliance? Share your thoughts with me.
As RSAC 2026 approaches, Michael Parisi of Steel Patriot Partners sits down with Marco Ciappelli and Sean Martin to talk about what it means to show up to the world's largest cybersecurity conference with a business-first mindset. For Parisi — a 20-plus year veteran of professional services, federal compliance, and cybersecurity — RSA is less about the show floor and more about the quiet corners where real conversations happen. Steel Patriot Partners operates on a simple but powerful premise: business owners first, engineers second, compliance professionals third. That philosophy shapes everything from how they engage clients to how they show up at industry events. At RSAC, Parisi's calendar is already full — and intentionally so. The value isn't in the booths. It's in the bilateral trust that forms between peers who cut through the noise to share what's actually working. And the noise, this year, is particularly loud. AI dominates the conversation in ways that create as much anxiety as excitement — especially for federal cybersecurity professionals whose institutional knowledge feels suddenly uncertain. Parisi addresses this head-on: the question isn't just whether AI will replace jobs, it's whether leaders are having honest conversations with their teams about what's changing and why. The fog of marketing has thickened into what he calls a "fog of truth" — a marketplace where it's increasingly hard to know who actually delivers versus who just pitches well. This conversation is a preview of what Steel Patriot Partners will be listening for, talking about, and connecting around at RSAC 2026 — from retaining trusted people amid AI disruption, to whether tried-and-true solutions still hold their own against the wave of AI-native platforms. Parisi and the SPP team will also be sitting down with Marco and Sean live on the floor for a deeper follow-up conversation. Loved this conversation? 
Share it with someone heading to RSAC 2026 and make sure to connect with Michael Parisi and the Steel Patriot Partners team in San Francisco.

GUEST
Michael Parisi, Chief Growth Officer, Steel Patriot Partners
https://www.linkedin.com/in/michael-parisi-4009b2261/
https://www.steelpatriotpartners.com

RESOURCES
Steel Patriot Partners: https://www.steelpatriotpartners.com
RSAC Conference 2026: https://www.rsaconference.com

✨ A special thank you to our sponsors and supporters: https://itspm.ag/telecom-ts630

Are you interested in telling your story?
Archer is redefining what it means to manage governance, risk, and compliance in an environment defined by constant change. Steve Schlarman, Senior Director at Archer, has spent nearly two decades helping organizations understand why their traditional GRC approaches are falling short and what it takes to close the gap. The forces challenging organizations today are well known: velocity of change, volume of change, and the uncertainty that compounds both. What makes the problem acute is timing. Annual audit cycles and quarterly risk assessments produce reports that reflect a reality that has already shifted by the time decision makers see them. The result is drift between what GRC functions can see and what leadership actually needs to know, and every gap in that visibility carries potential exposure. Schlarman explains that this reactive posture is exactly what Archer is working to change. Rather than treating risk and compliance as periodic checkboxes, the goal is to build a program that runs continuously, projecting forward as the business expands into new jurisdictions, launches new products, or encounters emerging risks. What are the compliance obligations? How does exposure shift? Archer Evolv is designed to answer those questions in real time, keeping GRC moving alongside the business rather than scrambling to catch up. Central to Archer's strategy is AI applied with intention. Rather than deploying generic agents, Archer is building what Schlarman calls AI operators: focused, guardrailed tools designed specifically to solve GRC problems. That distinction matters because the complexity of risk and compliance work demands precision, not just automation. This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. 
Learn more: https://www.studioc60.com/creation#highlight

GUEST
Steve Schlarman, Senior Director, Archer | https://www.linkedin.com/in/steveschlarman/

RESOURCES
Learn more about Archer and the Archer Evolv platform: https://www.archerirm.com

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
A structural shift is occurring in the managed IT services landscape as AI capabilities are rapidly embedded across enterprise applications, with oversight and risk management functions increasingly separated out and monetized as add-on services. Vendors, including Microsoft and OpenAI, are deploying AI agents in essential tools such as Outlook, Teams, and Excel, then selling governance, security, and compliance capabilities as additional paid layers. The core mechanism is the transfer of operational and liability risk downstream to IT service providers and their clients, while ownership of the control plane and margin on risk mitigation remain with the vendors. The episode highlights consequential findings regarding AI reliability and adoption. A Nature Medicine study found that OpenAI's ChatGPT Health underestimated emergency severity in 51.6% of cases, prompting concerns about overreliance on AI for critical decisions. Additionally, Confluent's UK executive survey indicated that 62% of organizations are already shifting decision-making to AI, but only 7% have a company-wide AI strategy, and fewer than half of executives and employees agree on actual daily AI usage. Most leaders receive little formal AI training yet are second-guessing their own judgment in favor of AI output. Further reinforcing the governance gap, Microsoft is launching Agent 365 and new enterprise security tiers, while OpenAI's acquisition of Promptfoo signals a focus on AI reliability testing and compliance monitoring. Funding for GRC platforms like IntelliGRC demonstrates capital flowing into third-party oversight solutions. The recurring pattern is vendors first pushing broad agent adoption, then introducing and monetizing governance as a discrete add-on, often outside the default package. Operationally, MSPs and IT leaders face increased liability exposure if they rely on vendor-native governance without independent audit or measurement capability. 
The absence of industry-standard reliability metrics for AI, combined with the perception and usage gaps inside organizations, calls for MSPs to lead in auditing, documenting, and independently measuring AI usage and performance. Failing to proactively manage these controls can result in silent risk absorption and unfavorable positioning as vendors bundle compliance and pass residual risk downstream to service providers.

Three things to know today
00:00 AI vs. Judgment
02:35 Agents vs. Oversight
04:04 AI Reliability Gap
05:15 Why Do We Care?

Supported by: ScalePad
AI is evolving faster than our traditional security systems can keep up, and the risks are becoming increasingly psychological. In this episode, we dive deep into the hidden world of cognitive biases within AI models and why they represent the next frontier of risk management. Join host Boris Agranovich as he speaks with Avi Pilser, CEO of Ultra Deep Tech, about the critical intersection of psychology and artificial intelligence. While most people focus on social discrimination bias, Avi explains why cognitive biases like anchoring and confirmation are the true roots of AI hallucinations and manipulation. KEY TOPICS IN THIS EPISODE
ITP-141 Caryn Pelletier joins the International Teacher Podcast to share her 25-year international teaching journey across Egypt, Ghana, Italy, Tanzania, Qatar, Vietnam, Nigeria, and Bahrain. She talks about moving overseas as a teaching couple, navigating international school recruiting through Search Associates and GRC, and the realities of hardship postings, expat life, school contracts, and cultural adjustment. The episode also features memorable stories about safaris, police shakedowns, international school life, and how teaching abroad can lead to a life full of travel, resilience, and unexpected opportunity.

Chapters:
(00:00) Introduction and New Developments
(03:01) The Journey of Teaching Abroad
(04:53) Caryn's Transition into Education
(07:47) Experiences in Egypt
(10:59) Life in Ghana
(13:47) Teaching in Italy
(16:57) Adventures in Tanzania
(19:48) Safari Stories and Reflections
(25:06) The Lion Encounters
(29:36) Adventures in Africa
(32:07) Cultural Experiences in Qatar
(37:12) Teaching Challenges in Egypt
(39:07) Life in Vietnam
(40:49) Navigating Nigeria
(43:14) Transitioning to Bahrain
(44:09) Exploring GRC Recruitment
(50:34) Interviewing in Unique Spaces
(51:22) The Evolution of Recruitment Tools
(52:36) Navigating Job Offers and Interviews
(54:21) Reflections on International Teaching Experiences
(55:15) Essentials for Feeling at Home Abroad
(57:16) Police Encounters in Foreign Lands
(01:01:11) Advice for Aspiring International Teachers
(01:04:51) The Journey of Writing and Publishing Books

More information: The International Teacher Podcast is a bi-weekly discussion with experts in international education. New teachers, burned-out local teachers, local school leaders, international school leadership, current overseas teachers, and everyone interested in international schools can benefit from hearing stories and advice about living and teaching overseas.

Additional Gems Related to Our Show:
Greg's Favorite Video From Living Overseas - https://www.youtube.com/watch?v=UQWKBwzF-hw
Signup to be our guest - https://calendly.com/itpexpat/itp-interview?month=2025-01
Our Website - https://www.itpexpat.com/
Our FaceBook Group - https://www.facebook.com/groups/itpexpat
JPMint Consulting Website - https://www.jpmintconsulting.com/
Greg's Personal YouTube Channel: https://www.youtube.com/playlist?list=PLs1B3Wc0wm6DR_99OS5SyzvuzENc-bBdO

Books By Gregory Lemoine:
International Teacher Guide: Finding the "Right Fit" 2nd Edition (2025) | by Gregory Lemoine M.Ed.
"International Teaching: The Best-kept Secret in Education" | by Gregory Lemoine M.Ed.

Apps by Greg:
1. Who's That? Name & Face Trainer (Nov 21, 2025) - https://apps.apple.com/app/6755244840
2. Facetag | Memory Trainer (Dec 16, 2025) - https://apps.apple.com/app/6756509803
This International Women's Day, meet Kate Jones, the CEO of the Digital Regulation Cooperation Forum, where she's been busy turning regulation into a superhero for innovation! With a background rich in international law and human rights, Kate brings a unique perspective to the digital landscape. She's tackled everything from aviation to human rights and is now ensuring that tech evolves responsibly. Join us as she shares her fascinating journey, how collaboration can drive innovation, and why the future of regulation should be about embracing creativity, not stifling it!

SHOW NOTES
02:52 Overview of the Digital Regulation Cooperation Forum (DRCF)
04:41 Kate's Career Journey: From Diplomacy to Digital Regulation
07:00 Taking Risks: Key Moments in Kate's Career
20:49 The Role of Regulation in Enabling Innovation
32:21 The Future of Tech Governance and Challenges Ahead

Transcript and more GRC content: https://www.riskywomen.org/2026/03/podcast-s9e6-digital-regulation-with-kate-jones/
In the spring of 1879, an Indigenous man named Ka-Ki-Si-Kutchin, whom the settlers nicknamed Swift Runner, returns to the village of Saint-Albert (Alberta). He, his wife and their six children had spent the winter at a camp further north. The villagers are surprised to see him alone. When they question him about his family, Swift Runner answers that the winter was harsh, that his children starved to death and that his wife took her own life. His story leaves more than one person skeptical. Investigators from the North-West Mounted Police (the forerunner of the GRC, the RCMP) open an inquiry. Their searches bring to light a series of horrifying crimes. But was it Swift Runner who committed these murders, or his dangerous alter ego, the Wendigo? See https://www.cogecomedia.com/vie-privee for our privacy policy.
Jack Hirsch, vice president of product at Okta

The rise of AI in the workplace is creating a new kind of risk for organizations: shadow AI. Employees can now spin up AI agents that connect directly to emails, files, and business systems—often without IT oversight. These agents can access sensitive data, and without proper controls, they become prime targets for cyberattacks. In this episode of the podcast, we're joined by Jack Hirsch, vice president of product at Okta, to explore what shadow AI is, why it matters for Canadian organizations, and how IT partners can help their customers manage it. Jack discusses Okta's latest tools, which provide real-time visibility into AI agents and their permissions. These capabilities make it easier for security teams to discover unmanaged agents, understand their access, and quickly bring them under identity-based controls. We also touch on regulatory implications, including Canada's proposed Bill C-8, which heightens expectations around cyber risk accountability, access controls, and transparency. As legislation moves forward, organizations will need to prove they understand not just who has access to sensitive systems—but which AI agents do as well. For MSPs and IT resellers, this emerging landscape represents both a challenge and an opportunity. Jack shares insights into how partners can position themselves as trusted advisors for clients navigating AI risk, turning a potentially complex problem into a service opportunity. Tune in to hear why identity management is becoming central to securing the agentic enterprise—and what your customers will need to stay ahead of shadow AI risks.

Hello and welcome to the ChannelBuzz.ca podcast, bringing news and information to the Canadian IT channel for the last 16 years. I’m Robert Dutt, editor of ChannelBuzz.ca, and as always, your host for the show.
Okta has announced a new set of capabilities designed to help organizations uncover and manage a fast-growing risk: shadow AI. As AI tools become easier to use, employees are increasingly creating their own AI agents, connecting them to emails, files, SaaS apps, and internal systems to get work done faster. The problem is that many of these agents are created without security oversight, governance, or clear ownership. Once they’re connected to sensitive systems, they can quietly gain broad access to data, making them attractive targets for attackers and a potential liability for organizations. Okta’s new solution is designed to address that gap. It gives security teams real-time visibility into AI agents across the enterprise, showing which agents exist, what they can access, and what permissions they’ve been granted. Just as importantly, it allows organizations to quickly bring unmanaged or risky agents under identity controls, treating them more like digital employees than anonymous tools. That visibility matters even more in Canada, where proposed legislation like Bill C-8 is raising expectations around cyber risk accountability, access controls, and transparency. As AI becomes embedded into everyday workflows, organizations will be expected to know not just who has access to what sensitive data, but what machines and agents do as well. To unpack what shadow AI really means, why identity has become central to managing AI risk, and what all this creates in terms of opportunity for Canadian IT partners, I’m joined today by Jack Hirsch, Vice President of Product at Okta. Let’s dive in.

Robert Dutt: Jack, thanks for taking the time. I appreciate it.

Jack Hirsch: My pleasure. Thank you for having me.

Robert Dutt: It feels like this is a topic that a lot of folks in the channel have been through with different flavors in the past.
When you say “shadow X,” it certainly brings up memories of transitions past, but just to level set and set the parameters here, can you give me a quick definition on shadow AI? I almost said shadow IT. Can you give me a quick definition on shadow AI, and why it’s becoming both a security and governance issue?

Jack Hirsch: Sure. Well, look, it’s no secret now that AI is changing the shape of how work gets done in the modern era. You have these non-deterministic entities running around, and fundamentally, they’re exciting, they’re interesting on their own, but where they really light up in value, where you start to see efficiency and effectiveness gains from your carbon-based workforces, is when you start connecting them to tools. They need resource access to be truly productive. So AI agents need resource access, and that’s when it can start to get scary, and that’s when shadow AI starts to create a ton of risk for modern organizations. We know that the point of authentication is now much stronger with phishing-resistant auth. However, post-auth security is the primary breach vector for the vast majority of cybersecurity incidents now, meaning the session token’s been cut. There’s access out in the ecosystem, and that’s why shadow AI is terrifying. Unfortunately, the options available to the ecosystem to secure AI and to build it quickly have been not good enough, to put it bluntly. This leaves security leaders with this very, very difficult challenge of moving fast and potentially breaking things and giving away the keys to the kingdom to OpenClaw, or whatever it is that you want to do, or potentially stifling innovation. That’s a really, really difficult spot for security leaders to be in. So yeah, shadow AI is everywhere. The challenges are greater. The stakes have never been higher.

Robert Dutt: Yeah, so that’s sort of the problem space.
So when employees spin up AI agents and connect them to emails, to files, to internal data, to systems, whatever it may be, I presume most of the problems emerge from unintended consequences, as is so often the case in technology. But what are some of the common ways that sensitive data ends up exposed without anyone really necessarily realizing it, or is that the nature of the problem?

Jack Hirsch: Well, look, I think there’s sort of the naive answer, and not to say that it’s easy or trivial. I don’t want to trivialize this, but the naive answer is, “Oh, prompt injection, data leakage, data poisoning. Oh yeah, who knows what the LLM will spit out?” But the actual scarier risk is around inadvertent access and the standing credentials that need to be given to AI agents for them to be productive. If Rob, you and I work at Acme Corp, and we’re working on a project together and we want to spin up an AI agent, whose permissions do we give it? Most of the time now, a security leader is not going to be able to jump in front of every single moving train and slow them. They’ll just say, “Oh yeah, give it a set of static credentials. Give it an API key, but don’t give it Rob’s access. Don’t give it Jack’s access. Give it super user access, and we’ll trust it to do the right thing.” And so you’re giving this untrained, very influenceable, non-deterministic entity the keys to the kingdom. And that’s really the primary risk vector here. And so it’s all an identity and access management problem. Fundamentally, these are identities that need to be discovered. They need to be controlled. They need to be governed. And their access needs to be managed in the same way that their carbon-based peers, us as humans, need to be governed as well.
Robert Dutt: So with that framing, it sounds like maybe identity is more important than traditional network or endpoint controls in terms of security in this world, where there are all these agents running around and doing whatever it is, hopefully, we want them to do and potentially what we don’t want them to do.

Jack Hirsch: I think this is where the traditional model of endpoint or network or identity-based detection and response falls flat. You can’t keep up with the incredible volume of AI agent activity out in the ecosystem to detect it all. Every single, even approved platforms are now starting to put AI sprinkles throughout their products. And so it’s sort of fighting an uphill battle there. And so the reason this is truly an identity-centric problem is because, again, all those agents need access to resources inside of organizations. And the way that AI grew, and we saw this with how OpenAI and Anthropic and even Google with Gemini, their sort of growth paths were primarily consumer driven. And in a consumer world, it’s really easy. I’m spinning up, I’m literally sitting next to a machine that has a Claude bot spun up in a fully isolated environment, but I’m an individual user in that scenario. And so if I want to give it access, I can just OAuth myself. It’s super easy. And so the authorization mechanism wasn’t really thought about in an enterprise context. And then when you get into an enterprise context, you have individuals that want to do exactly the same thing and access corporate resources. So it really is a new type of identity. We can talk about some of the differences between human and AI agent, but it’s fundamentally an identity and access management problem. These are digital identities, non-human identities that need access to resources within an organization. And you actually see this being recognized by broader standards bodies. So for example, Cross App Access was something that we’ve been working on.
It’s a new standard, it’s an extension of the OAuth protocol. And it’s something that we’ve been working on for years, two, three years now at this point. And we reintroduced it to the ecosystem this past summer, summer of 2025. And we introduced it first to ISVs and the people that were sort of around the Okta ecosystem had heard about it before. But then the rest of the ecosystem, the adoption was wild because MCP had become a thing and people were trying to deploy MCP servers and AI agents into their enterprises. And no one, not at the time Anthropic or OpenAI or any of the big model providers, had taken on the challenge of enterprise authorization for AI agents. And so this standard that had been sort of latent and sitting somewhere in an IETF draft for a while got picked up and started gaining a ton of steam. And just in November, right before Anthropic split off MCP and gave it away to the open ecosystem, it got merged into the MCP repo as the new default enterprise authorization mechanism for MCP. And so this isn’t something that’s Okta owned, it’s just a standard that we developed because we are independent. And as such, we are the sort of standard-bearer for the open security ecosystem. We believe that we need to be the rising tide that lifts all ships. And that’s why we develop open standards like Cross App Access. So now, really excited, we’ve taken our own engineers and pushed this authorization code out into the open ecosystem so that many applications start picking up this capability, this new OAuth extension.

Robert Dutt: So at a high level, when you talk about the products that you guys are bringing to market, the solutions to address this, at a high level, what kind of new visibility or new insights are you giving organizations that are using these tools that they simply didn’t have before when it comes to discovering AI agents, the privileges they have, and what they’re up to?

Jack Hirsch: Yeah.
So, I mean, maybe if I can even blow it up further and say, let’s talk about maybe three steps: discovery, then control, and governance. So on the discovery side, there are many ways to discover, let’s date ourselves, shadow IT. There are many ways to discover, right? You can have a browser extension, you can have some sort of endpoint monitoring, you can have network monitoring. You can also check the resources themselves for access. And so we took a, initially, we’re taking a multi-pronged approach to doing the discovery, but we’re doing what we do best, which is integrating into over 8,000 ISVs and checking for resource access. And so who’s accessing these resources? Are they carbon-based? Are they digital-based? And so the first phase of discovery with our ISPM product is being able to see who’s accessing these resources and why. And so that extended very, very nicely to AI agents. And it doesn’t really matter where the AI agents exist, right? It doesn’t matter if they’re part of a larger platform with something like Salesforce and Agentforce, or whether they’re homegrown, built off in some skunkworks team off to the side. Ultimately, when they get access to the resource, we see it. And then you get into the control plane. So that’s just the discovery. Within the control plane, we want to meet our customers where they are. And we know that the vast majority of these things are going to be granted access via static credentials, just the god-mode tokens. And for those, we can harden them. We can effectively bring them under management. We can bring those credentials under management. We can observe them. We can rotate them. We can observe for anomalous behavior, et cetera. And so that’s like what you would consider a traditional PAM use case or maybe a modern IGA use case. 
But then also with control, we give Cross App Access, which is a new mechanism that extends the amazing innovation that was OAuth and OAuth scopes, basically extending that to say, instead of checking with the end user for access to this resource, we can set policy. Now the IDP can set policy to control access to those resources. And then to close the loop, there’s governance. And so standard governance flow, and actually I don’t even want to say standard governance flow because governance historically has this GRC compliance lens, but it’s very much a security-forward technology here. When you get to the state where you need to govern these identities and their access, we can run access certs in the exact same way based on whether or not they’re human or non-human. And so every one of those agentic identities gets pulled into Okta’s Universal Directory. All of their access is controlled. All of it is governed. We still gather the same risk signal and risk pattern behavior from the Identity Threat Protection product. And that’s, I wish I could say that 10 years ago, we knew we were building an identity security fabric, this new category of product that’s going to cover every identity use case, every resource type, and every user type. However, that was the strategy, not knowing that AI agents were going to be born in the 2020s. And it just makes it so that we are really well positioned to capitalize on this opportunity. And it gives us a very novel approach to how we secure AI in a way that, it’s because we have this unified identity security fabric. A basket of tools that don’t talk to each other, if you have a disparate IAM and IGA and PAM set of tools, in theory, you could stitch it all together, but you end up with higher costs and worse security outcomes. And so we actually took a much harder approach to market. And this is many years ago. 
Again, this predates the rise of AI agents, but we decided that we were not going to take an acquisitive strategy where we just bolt on a bunch of things and call them a “platform” in air quotes. And your order form would look like a drugstore receipt. And so you’re not buying a list of products that happen to be on the same order form because we want to satisfy a CFO. We’re taking an approach that we want to drive end-to-end identity security outcomes for CISOs and IT leaders. So we’re doing the hard work deeply integrating these products across the fabric so that we can truly secure every identity, every use case, and every resource type.

Robert Dutt: Close to home here in Canada, we have a proposed Bill C-8 on the table. It’s raising expectations around visibility, around access control, accountability, risk, all of these things. I know there are similar ideas out there in terms of government around the world. How does legislation along these lines change the conversation for IT leaders, especially around the topic of shadow AI?

Jack Hirsch: So look, I am such a fan of this type of regulation because it pushes… When we enter highly regulated markets, regardless of where they are, and we can talk about C-8, I think it really does align with our identity security fabric narrative and what we’re angling for. But fundamentally, what we’re talking about is trust. If I’m not mistaken, C-8 talks about resilience and reliability. Okta has industry leading availability and resilience. We proudly espouse our four nines of availability, but in reality, it’s much higher. And we target much higher. With the launch of our cell in Canada, and we can talk about the nature of that launch, but with the launch of our cell in Canada, we not only get multi-region disaster recovery, but we get Enhanced Disaster Recovery, which is a product that I really wanted to call Instant DR, because it’s a DNS flip, but the lawyers didn’t like that. So it’s Enhanced Disaster Recovery.
And so when you’re talking about resilience and reliability and running critical infrastructure, fundamentally, identity is critical infrastructure. We support governments, financial services, militaries, supply chain logistics with organizations like FedEx, healthcare. And so maybe bringing it back to C-8, data residency, check, highly invested, especially with de-globalization pressures around the world. Supply chain governance, super, super important for us to maintain our independent posture here and to say, look, it doesn’t matter whether you’re buying from a monolithic platform or an independent provider of identity security. We are invested in making sure that your entire enterprise is secure. And so just the same way FedRAMP was a standard-bearer and STIGs in the US were standard-bearers, or IRAP was pushing us in the right direction in Australia, or ISMAP in Japan, I think C-8 is a very, very welcome change. I think it highlights the need for robust identity security and it should put identity at the foundation of every security leader’s agenda this year.

Robert Dutt: Well, these pieces of legislation are still in the process and we can look forward. This is likely to see the light of day in some shape or another, but there’s still that sort of sense of maybe we should wait and see. I guess what I’m getting at is what’s the danger or the risk involved in waiting until regulations are finalized, on the books and in place, before starting to take action?

Jack Hirsch: So let’s just say at a personal level, I am not into promoting scare tactics. I know that it is very common in the security space for colors to be red. Our colors are blue. That’s not our vibe at Okta. And so look, every organization has their own risk barometer. What I can say is the vast majority of breaches stem from some form of attack on identity.
The vast majority of breaches, the implications of having a data breach, oftentimes they go, I think the average time to detection for a data breach is somewhere just shy of 300 days. And so you’re talking about millions of dollars in damages, huge reputational hit. And there are scenarios, and I will not point to any recent security incidents that might have impacted large swaths of the industry, but not Okta. But I’ll just say the reason is because we believe strongly that having a lower risk profile should be easier, should be more elegant. People come to Okta not because of the, “Oh, you get it all done by the CLI.” Yeah, you can, but it’s elegant. It’s intuitive. It’s easier to use. It de-complexifies the world of identity security. I’m sitting in front of my notepad here to take notes, and one of our product principles is productizing best practices. And so we want to make it easier for organizations to reduce their risk profile and make the end user experience elegant and memorable when it needs to be, and disappear into the background when it shouldn’t be memorable. And so with that, look, I would advise everyone go down the rabbit hole. Just look at recent breaches. Look at how widely pervasive these breaches are. Look how easy it is to go after a phish, to buy a phishing kit on the dark web, and see the types of organizations that get hit by these and it’s everyone. And so whether you’re waiting for legislation to be imposed to drive the standards or you are just looking to have an appropriate barometer of risk for your organization, you shouldn’t have to choose between ease of use and cost and lower risk and greater security. And so I would just say everyone’s going to be on their own journey. I’m not a salesperson. I’m on the product team. But I fundamentally think that identity is one of the pillars of Zero Trust. I believe that it should be. It’s foundational. It is the foundation. 
If I had nothing else to do, if I were starting my own company today and I wanted to build a security practice for my company to manage our organizational risk, it would start with identity, 110%.

Robert Dutt: We’ve taken sort of a general market-wide view of the technology problem and now of the regulatory side of things. This is a podcast for IT solution providers. So sort of going with that “if I were starting a business today” line that you just started there, for MSPs and resellers, where do you see the biggest opportunity to help customers get ahead of shadow AI, both in terms of reducing customer risk and in terms of new services, new types of services that they can bring to market?

Jack Hirsch: I’ll take it in two parts. One is just you can’t control what you don’t see. And so for VARs and MSPs and sort of operators in the technology ecosystem, I would say look at Okta’s ISPM product. It is amazing what you learn by wiring it. And it’s not just for Okta as an IDP. It’ll wire into any IDP. It will wire into multiple IDPs. It’ll wire into over 300 SCIM-based apps because it’s wired into the Okta Integration Network, and there’s a large set of SCIM apps that work natively with ISPM. And just see what you can find. I optimized my life, my product world for hugs and high fives. And I’ll never forget, I’m sure this person knows exactly who they are. It was a security leader in Australia, ran out of their office after trying ISPM during a merger and they used it to reduce risk during the merger as they were establishing a trust relationship between their organizations. And it basically made this person look like a superstar in front of their C-suite and board because it was like the entire risk burndown chart for their entire M&A transaction to establish the technical risk barometer. So I would just say ISPM is an incredible starting point. A+, highly recommend. You can’t control what you can’t see.
And then I think on the second part, of course ISPM will discover AI as well. And then the second part is just, I wouldn’t lose sight of the experience. And so making sure that you’re creating an elegant experience by your choice of products, not only for the admins that you might work directly with or the leadership that might be engaging with you, but also for the end users. And knowing when tools should be elegant, easy to use, easy to configure, and when they should just sort of fade into the background. That’s ultimately what we work on at Okta. It’s our strong conviction from a product standpoint, that it needs to be an absolutely elegant, unmatched user experience for partners, for admins, for end users, and for customers.

Robert Dutt: I think we’ve gone over a lot of the territory that I wanted to go over, but just to kind of bring things home, looking ahead over the balance of 2026 or into the first half of next year, what do you think are going to be the biggest mistakes that organizations might make when it comes to agents and identity? And what can solution providers be doing now to make sure their customers don’t make those mistakes?

Jack Hirsch: This is an easy one. I think there’s sort of two categories of mistakes. One is getting worried because everything is moving so fast, getting that sort of analysis paralysis to say, “I’m going to see where it shakes out. How important is this AI thing?” Or even if you’re an AI bull, waiting to see who the winners and losers are before you establish any sort of program around it. That’s, I think, one big category of things not to do. I would say, go after it immediately. The capabilities you need are already out there. They might be newer. They might feel a little bit less familiar. But again, ultimately, these are identities that need access to your corporate resources. So I think that is one big category. The other big category is, I would not look at point solutions for this.
Anyone that is saying, “We’re going to secure your AI.” That’s great. But what is an AI? It’s an identity. It can be a resource in some scenarios, right? With agent-to-agent, agents acting as resources, but ultimately they’re just identities. That’s for the identity nerds. Sorry. Just as a caveat for the identity nerds out there like myself. But fundamentally, you need a unified platform that gives you that unified view of core access management, core governance, core privileged access, brings all of those identities, whether it be human or non-human, into a single directory and can discover them, can control them, can govern them. And it shouldn’t matter whether they were built by your users, by third parties, by partners, by your supply chain contractors. That unified identity security fabric will deliver comprehensive security and it should be deeply orchestrated into any technology stack. And those products already exist, and it just so happens that Okta is building a reference implementation.

Robert Dutt: Works out well for you then, doesn’t it?

Jack Hirsch: It does.

Robert Dutt: I appreciate your taking the time, Jack. It’s been an interesting conversation and it’s a fascinating and ever-evolving area.

Jack Hirsch: Thank you very much. All right. Thanks, Rob. And thanks everyone. Appreciate the time.

There you have it, a look at shadow AI through an identity lens with Jack Hirsch from Okta. I’d like to thank Jack for joining us for the show and thank you for listening today. The podcast will be back in your feed tomorrow as we take a look at the launch of Lexful, an AI-first documentation tool for MSPs that boasts, if you can believe it, a robotic channel chief. We’ll find out all about that tomorrow. You’ll want to be sure to catch that, so please subscribe to or follow the podcast in your podcast app of choice. And if it allows you to do so, please consider leaving a rating or review of the show.
Until tomorrow, I’m Robert Dutt for ChannelBuzz.ca and I’ll see you in the channel.
Meet Kim Jablonski, the former Chief Compliance and Ethics Officer at Bristol Myers Squibb, where she navigated the complex world of pharmaceutical ethics. With nearly her entire career at this global giant, Kim juggled legal challenges, corporate responsibilities, and raising three kids. Join us as she shares her journey, insightful lessons, and why ethical decision-making is more than just a checklist—sometimes, it's a bit of a balancing act! SHOW NOTES 00:44 Career Journey: From Law to Compliance Leadership 04:33 Creating Impact in Compliance and Ethics 07:32 Emphasising Good Decision-Making Practices 13:01 Navigating Challenges in the Biopharma Industry 22:21 Innovations and Cultural Insights in Global Teams Transcript and more GRC content: https://www.riskywomen.org/2026/02/podcast-s9e5-leading-with-integrity-in-pharma-and-at-home-kim-jablonski/
This week, we talk about how tariffs, sanctions and geopolitical uncertainty disrupt global supply chains, and how companies can improve visibility, ensure compliance and build resilient, de-risked global trade operations.

Download the episode transcript

=====

In this episode, we unpack how tariffs, sanctions, regulations and geopolitical tensions are reshaping global trade and supply chains. We explore the role of data and technology in managing risk, improving compliance, and designing more resilient global networks for the future.

=====

Guest: Kevin McCollom, Vice President of Go to Market, ArchLynk
Kevin McCollom is an experienced enterprise software leader with a long track record in ERP, finance, and global trade. He previously served as Global VP for SAP Cloud ERP and Finance Lines of Business and held strategic leadership roles across SAP's Finance and Risk organization. He now serves as Vice President of Go to Market (GTM) at ArchLynk, helping guide global supply chain and trade solution strategy.

Guest: Nilesh Shimpi, Associate Director, ArchLynk
Nilesh Shimpi is an accomplished solution architect with extensive experience in global trade and supply chain management. He has successfully led numerous projects involving SAP Global Trade Services. Currently, he serves as the Associate Director at ArchLynk, where he plays a key role in guiding the development of global supply chain and trade practices.

Guest: Thomas Frenehard, Senior Manager, SAP
Thomas is Senior Manager within the Governance, Risk, and Compliance Product Marketing team at SAP where he focuses on International Trade Compliance and Enterprise Risk and Compliance topics. He is also a regular contributor on social media (SAP GRC Tuesdays & LinkedIn) and presenter at various SAP and non-SAP conferences on GRC matters.

Host 1: Richard Howells
Richard Howells has been working in the Supply Chain Management and Manufacturing space for over 30 years. He is responsible for driving the thought leadership and awareness of SAP's ERP, Finance, and Supply Chain solutions and is an active writer, podcaster, and thought leader on the topics of supply chain, Industry 4.0, digitization, and sustainability.

=====

Show Links:
Supply Chain Management: SAP Supply Chain Management
SAP Insights: Supply Chain
https://archlynk.com/

Follow Us on Social Media:
Richard Howells: LinkedIn
SAP Digital Supply Chain: LinkedIn

Please give us a like, share, and subscribe to stay up-to-date on future episodes!

=====

Chapters:
00:00:00: Intro
00:01:00: Guest introduction
00:02:19: How tariffs, sanctions, and regulations are reshaping supply chains
00:08:40: What risks are companies facing from an operational perspective?
00:12:27: How are companies turning these challenges into opportunities?
00:15:53: Role of technology and data in managing global trade
00:18:26: What should leaders prioritize to stay ahead of the global trade risks
00:20:39: What's the future of the supply chain?
00:22:24: Outro
What happens when nearly half of organizations admit they have no AI-specific security controls, yet AI-driven data leaks are accelerating at the same time? In this episode of Tech Talks Daily, I spoke with Aayush Choudhry, CEO and co-founder of Scrut Automation, about what he sees as a blind spot in the cybersecurity industry. While much of the market continues to design tools for Fortune 500 enterprises with deep pockets and large security teams, Aayush argues that the real existential risk sits with the 99 percent of businesses that cannot survive a serious breach. Aayush brings a founder's perspective shaped by firsthand pain. Before launching Scrut, he and his co-founder experienced the grind of managing compliance and security as a cloud-native startup trying to sell into enterprises. They were outsiders to GRC and security at the time, forced to learn from first principles. That experience became the foundation for Scrut Automation, a modern GRC platform built specifically for small and mid-sized companies that cannot afford six-month implementations, armies of consultants, or half-million-dollar tooling budgets. We explore why treating compliance and security as separate functions increases risk for smaller organizations. In the mid-market, the same small team is often responsible for both. When compliance is handled as a box-ticking exercise and security as a separate technical discipline, gaps emerge. Scrut's approach converges governance, risk, and security signals into a unified layer that translates hundreds of technical alerts into context-aware risks that actually matter to the business. Our conversation also tackles AI complacency. Using the classic confidentiality, integrity, and availability framework, Aayush outlines what minimum viable AI security hygiene looks like in practice. 
That includes ensuring AI agents are not over-privileged compared to the humans they represent, placing guardrails around sensitive data fed into models, and extending supply chain security thinking to agentic integrations. For resource-constrained teams, these are not theoretical concerns. They are daily realities. Perhaps most compelling is his view that AI can act as a force multiplier for small teams. By embedding accumulated expertise into agents trained on anonymized patterns and edge cases, Scrut aims to democratize security know-how that would otherwise require multiple full-time analysts. The goal is simple but ambitious: make enterprise-grade security outcomes accessible without enterprise-grade headcount. If you are leading a small or mid-sized business and wondering how to balance growth, compliance, and AI risk without breaking the bank, this conversation offers a candid look from the trenches.
Managed Service Providers are being pushed to “get compliant fast.” In my discussion with Bruno Leqoc, we reframe the challenge: compliance isn't security, and lasting compliance depends on security maturity first. We highlight how AI policy can extend existing governance frameworks, why Microsoft Secure Score is a practical readiness indicator, and why foundational controls (MFA, patching, device management/remote wipe) must come before certifications and GRC tooling. In this episode, we also explore MSPs' expanding responsibilities in data privacy and governance amid fragmented U.S. state laws, and why client alignment and continuous maintenance are the true costs of compliance.
Want a clear path from CISSP to top-tier pay without getting lost in buzzwords? We break down five high-income specialties that pair perfectly with CISSP leadership: modern GRC, cloud security as code, AI ethics and governance, advanced identity, and software supply chain security. Along the way, we unpack how AI reasoning tools like Claude Code Security are reshaping AppSec by cutting false positives and detecting logic flaws scanners miss, and we translate that shift into concrete workflows, better guardrails, and faster delivery.

We start with the career pivot many leaders are making—moving from generalist security management to “decision architect.” That means pairing risk fluency with hands-on understanding of Terraform, Kubernetes, and CI/CD gates, then proving value through resilient architectures and evidence-driven dashboards for boards. You'll hear why GRC is exploding under new enforcement trends, how to automate continuous evidence to beat audit fatigue, and where vCISO opportunities command premium rates when strategy meets measurable outcomes.

From there, we get practical. We walk through cloud guardrails that stop drift before it hits prod, share how to navigate shared responsibility with AWS and Azure, and outline identity-first zero trust that tames API key sprawl and enables passwordless access. On AI, we go deep on shadow AI containment, prompt-injection red teaming, model transparency, and data loss prevention tuned for embeddings—governance that accelerates, not blocks. Finally, we turn to software supply chain security: SBOM mandates, signed artifacts, dependency risk, and the DevSecOps policies that keep pipelines moving while raising assurance.

If you're mapping your next move, we also compare salary bands across roles and highlight bridge certifications—CISM for program leadership, AI governance credentials for compliance depth, and CISA for audit rigor—to level up fast.

Subscribe, share this with a teammate plotting their niche, and leave a quick review to tell us which specialty you're pursuing next.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Have you ever wondered why "compliance" still gets treated like a slow, spreadsheet-heavy chore, even though the rest of the business is moving at machine speed? In this episode of Tech Talks Daily, I sit down with Matt Hillary, Chief Information Security Officer at Drata, to talk about what actually changes when AI and automation land in the middle of governance, risk, and compliance. Matt brings a rare viewpoint because he lives this day-to-day as "customer zero," running Drata internally while also leading IT, security, GRC, and enterprise apps. We get practical fast. Matt shares how AI-assisted questionnaire workflows can turn a 120-question security assessment from a late-afternoon time sink into something you can complete with confidence in minutes, then still make it upstairs in time for dinner. He also explains how automation flips the audit dynamic by moving from random sampling to continuous, full-population checks, using APIs to validate evidence at scale, without hounding control owners unless something is actually wrong. We also talk about what security leadership really looks like when the stakes rise. Matt reflects on lessons from his time at AWS, why curiosity and adaptability matter when the "canvas" keeps changing, and how customer focus becomes the foundation of trust. That theme runs through the whole conversation, including the idea that the CISO role is steadily turning into a chief trust officer role, where integrity, transparency, and credibility under pressure matter as much as tooling. And because burnout is never far away in security, we dig into the human side too. Matt unpacks how automation can reduce cognitive load, but also warns about swapping one kind of pressure for another, especially when teams get trapped producing endless dashboards and vanity metrics instead of focusing on the few measures that actually reduce risk. 
To wrap things up, Matt leaves a song for the playlist, Illenium's "You're Alive," plus a book recommendation, "Lessons from the Front Lines, Insights from a Cybersecurity Career" by Asaf Karen, which he says stands out for how it treats the human side of security leadership. If you're thinking about modernizing compliance in 2026 without losing the human element, his parting principle is simple and powerful: be intentional, keep asking why, and spend your limited time on what truly matters. So where do you land on this shift toward continuous trust, do you see it becoming the default expectation for buyers and auditors, and what should leaders do now to make sure automation reduces pressure instead of quietly adding more? Share your thoughts with me, I'd love to hear how you're approaching it.
Innovation spans many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox interviews Matt Kunkel, CEO and Co-Founder at LogicGate, about the company's governance, risk, and compliance (GRC) platform and current market trends. Matt recounts his path into regulatory risk and compliance work that led to founding LogicGate and launching its Risk Cloud platform in 2015. A major focus is AI governance. Tom and Matt explore how and why senior management is asking compliance teams to provide governance frameworks despite the absence of a single standard (e.g., NIST/ISO/SOC). Matt explains organizations need scalable processes to triage and route large volumes of AI usage requests, apply guardrails based on data sensitivity and criticality, and avoid becoming a bottleneck to innovation. He emphasizes training and culture to address employee misuse, highlighting risks of exposing proprietary data and the need to define what information is acceptable to input into AI models. The discussion turns to LogicGate's culture and how it has been sustained during rapid, organic growth (no acquisitions). Matt outlines LogicGate's six values: Be as One, Embrace Your Curiosity, Empower Customers, Raise the Bar, Own It, and Do the Right Thing. For evaluating AI and modernizing compliance programs, he frames value in three outcomes: making money, reducing costs, or reducing risk, and describes LogicGate's value realization framework that translates efficiency and ROI into business terms. He also describes Risk Cloud as an orchestration layer for compliance programs and anticipates more “intentional AI” and selective use of agentic capabilities rather than fully autonomous end-to-end program execution. 
Key highlights:
From Consulting to GRC: Coding, Madoff Investigation, and Founding LogicGate
Why AI Is Supercharging the “G” in GRC
LogicGate's Culture Playbook: Values That Scale with Hypergrowth
How to Evaluate AI Tools in Compliance: Proving Value, ROI, and “Intentional AI”
Cybersecurity in 2026: AI-Powered Social Engineering, Deepfakes, and Risk Mapping
What's Next for GRC by 2030: Agents, Responsible AI, and Tech as the Glue

Resources:
Matt Kunkel on LinkedIn
LogicGate

Innovation in Compliance was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.
April 12 is too far away! Here is how to get to Florida without flying with Air Transat. Killing in British Columbia: deplorable acts by the RCMP (GRC)… The Dutrizac-Dumont meeting with Benoit Dutrizac and Mario Dumont. Also watch this discussion on video via https://www.qub.ca/videos, by subscribing to QUB télé: https://www.tvaplus.ca/qub, or on the QUB YouTube channel https://www.youtube.com/@qub_radio. For information about the use of your personal data: https://omnystudio.com/policies/listener/fr
On this episode: Polo & Trenton split a GRC conference doubleheader. Hear from Polo boys coach Josh Junco & Trenton girls coach Steve Richman. Wednesday Scores.

Wanna thank all of our great Sponsors who make all of this possible: Tolly & Associates, Little Caesars of St. Joseph, John Anderson Insurance, Meierhofer Funeral Home & Crematory, HiHo Bar & Grill, Barnes Roofing, Jayson & Mary Watkins, Matt & Jenni Busby, Michelle Cook Group, Russell Book & Bookball 365, The St. Joseph Mustangs, B's Tees, KT Logistics LLC, Hixson-Klein Funeral Home, James L. Griffith Law Firm of Maysville, Toby Prussman of Premier Land & Auction Group, HK Quality Sheet Metal, Redman Farms of Maysville, Melissa Winn, Henke Family Farms, Green Hills Insurance LLC., Cintas, Thrive Family Chiropractic, IV Nutrition of St. Joseph, Roth Kid Nation, Serve Link Home Care out of Trenton, Barnett's Floor Renewal LLC., Balloons D'Lux, B3 Renovations, The Hamilton Bank member FDIC, Wompas Graphix & Embroidery of Liberty, Ellis Sheep Company of Maysville, Bank Northwest of Cameron, Akey's Catering & Event Rentals, Brown Bear of St. Joseph, Wolf Black Herefords, The KCI Basketball Podcast, Jacob Erdman - Shelter Insurance of Rock Port, Rob & Stacia Studer, Green Family Chiropractic, Annie & Noah Roseberry of Re/Max Professionals, Moseley Farms, Jake Anderson of Shelter Insurance, A slice & a swirl of Maysville, Adkison Barber Shop, Moyer Concrete of Maysville, Cody Vaughn Wealth Advisor with Thrivent, Gallatin Truck & Tractor, Grandmas Gun Shop in Agency, Nash Gas in Dearborn, Accurate Appraisal in St. Joseph, Ryan Meyerkorth Seed, B.W. Timber of Bethany, Mosaic Medical Center of Maryville, Exclusive P.R. of Chicago, Great Than Financial, Hogue Lumber Company of Albany, Stifel in Chillicothe, United Cooperates, INC out of Osborn & Pattonsburg, MP and Sons Contracting in Maysville, JA White Construction in Maysville, BTC Bank, Seth & Marcie Davis of the Fitz Group Home and Land, GRM Networks, Perry Plumming & Septic LLC of Rock Port, Citizens Bank and Trust of Rock Port, C&M Business Machines, Deal Travel and Cruises LLC, Kovacs Fireworks, Bray Farms of Cameron, The Drug Store in Cameron, Pettijohn Auto Center in Bethany, Terry Implement Co., INC. of Gallatin, Re/Max Partners of Cameron - Dan & Staci Early, The Bunker Club of Savannah, North Central Missouri College in Trenton & Savannah, Cooters Plumbing in Lathrop, Steven Frieden Excavating, Gregg Lawn & Landscape, Wigfield Farms in Chillicothe.
On this episode: South Harrison picks up a doubleheader sweep over Stanberry in a GRC vs GRC West matchup. Hear from South Harrison coaches Kale Watson & Aaron Fitzpatrick. Monday Scoreboard.
CISO Jadee Hanson shares how Vanta "drinks its own champagne," running on NIST CSF with quarterly baseline reviews and using Vanta's GRC platform to turn every release into live UAT for privacy, governance, and compliance. We rethink third-party management—why point-in-time risk scores are fading and how AI drives continuous monitoring and outcome-based assurance. Bottom line: don't just audit—instrument your controls and prove trust in real time. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-221
Meet Roosa Rosti, our latest Risky Women Write competition winner! With a master's degree in data protection and privacy law, Roosa is a senior consultant at Deloitte, where she navigates the wild world of AI and internet regulation. She's not just a risk management guru; she's also a wellness enthusiast who's passionate about femtech. Think of her as the superhero fighting to ensure that women's health tech doesn't just dress up old biases with shiny new algorithms. Join us as she shares her journey, her insights on ethical AI, and why mentoring the next generation is her true superpower! SHOW NOTES 01:11 Roosa's Career Journey: From Law to Deloitte 02:48 Navigating Challenges: The Decision to Return to Education 04:08 Building a Culture of Mentorship 08:35 Femtech: Navigating Opportunities and Risks 14:04 Implementing Governance by Design Transcript and more GRC content: https://www.riskywomen.org/2026/02/podcast-s9e3-female-oversight-with-roosa-rosti/
Discover how identity and access management (IAM) is reshaping cybersecurity in cloud ERP, enabling businesses to be safer, faster, and more compliant with clarity in roles and responsibilities.

=====

In this insightful episode of the Future of ERP podcast, Aditya Thakurdesai from Infosys dives deep into the vital topic of identity and access management (IAM) in cloud ERP environments. He explains why understanding "who owns what" in IAM is non-negotiable to ensure security, compliance, and operational efficiency amid today's complex hybrid IT infrastructures. Aditya shares compelling customer stories, from a global pharmaceutical company safeguarding sensitive research data to a large retailer accelerating seasonal workforce onboarding, highlighting how the shared responsibility model brings clarity and confidence in managing cloud security. The discussion further explores how AI is revolutionizing IAM, with intelligent threat detection, adaptive access control, and proactive governance transforming traditional security roles. This episode is a must-listen for any business navigating cloud security risks and looking to leverage AI for smarter, faster, and safer ERP management. Tune in and learn how to stay ahead in the evolving cybersecurity landscape.

Download Episode Transcript

Useful Links:
Learn how the shared responsibility model for SAP Cloud ERP Private defines roles, streamlines operations, and improves security and compliance: Operate your cloud ERP with confidence and control
SAP Cloud ERP
Infosys

Follow Us on Social Media!
SAP Cloud ERP - LinkedIn

=====

Guest: Aditya Thakurdesai, Director – Enterprise Security, Infosys
Aditya is a seasoned SAP Security and GRC professional, currently serving as Director – Enterprise Security at Infosys. With nearly two decades of experience, he has delivered transformative security solutions that seamlessly integrate deep domain expertise with emerging technologies.
In his current role, Aditya heads the Manufacturing and Communications, Media & Technology segments within Infosys' Enterprise Risk Management Services group. He also drives strategic Centre of Excellence initiatives focused on security transformation, intelligent automation, and AI innovation. His current passion lies in Agentic AI, where he has developed pioneering solutions that introduce new levels of agility, compliance, and scalability to enterprise security operations.

Host 1: Richard Howells, SAP
Richard Howells has been working in the Supply Chain Management and Manufacturing space for over 30 years. He is responsible for driving the thought leadership and awareness of SAP's ERP, Finance, and Supply Chain solutions and is an active writer, podcaster, and thought leader on the topics of supply chain, Industry 4.0, digitization, and sustainability.
Follow Richard Howells on LinkedIn and X

Host 2: Oyku Ilgar, SAP
Oyku Ilgar is a marketer and thought leader specializing in SAP's digital supply chain and ERP solutions since 2017. As a marketer, blogger, and podcaster, she creates engaging content that highlights innovative SAP technologies and explores key topics including business trends, AI, Industry 4.0, and sustainability. She holds dual bachelor's degrees in Finance & Accounting and English Translation, along with a master's degree in Business Administration and Foreign Trade, specializing in marketing. With her background in digital transformation, Oyku communicates technology trends and industry insights to help professionals navigate the evolving business landscape.
Oyku's LinkedIn and SAP Community

=====

Key Topics: Identity Management, Access Management, Cloud ERP, Shared Responsibility, Compliance, Security, Artificial Intelligence, AI, Threat Detection, Case Studies
Rob Hughes — CISO at RSA and Champion of a Passwordless Future
No Password Required Season 7: Episode 1 - Rob Hughes

Rob Hughes, the CISO at RSA, has more than 25 years of experience leading security and cloud infrastructure teams. In this episode, he reflects on his unconventional career path, from co-founding the original Geek.com and serving as its Chief Technologist during the early days of the internet, to leading security and systems design at Philips Home Monitoring.

Jack Clabby of Carlton Fields, P.A. and Kayley Melton welcome Rob for a wide-ranging conversation on identity, leadership, and the realities of modern cybersecurity. Rob currently leads RSA's Security and Risk Office, overseeing cybersecurity, information security governance, and risk across both RSA's products and corporate environment.

Rob explains his dream for a passwordless future. He unpacks why passwords remain one of the largest sources of cyber risk, how real-world incidents and password-spraying attacks have accelerated change, and why phishing-resistant technologies like passkeys may finally be reaching a tipping point. The episode wraps with the Lifestyle Polygraph, where Rob lightens the conversation with stories about gaming with his kids, underrated horror films, and classic cars.

Follow Rob on LinkedIn: https://www.linkedin.com/in/robert-hughes-816067a4/

Chapters:
00:00 Introduction to No Password Required
01:43 Meet Rob Hughes, CISO at RSA
02:05 The Role of a CISO in a Security Company
05:09 Transitioning to the CISO Role
08:00 The Early Days of Geek.com
12:14 Launching a Startup During the Dot Com Boom
14:30 The Push for a Passwordless Future
18:21 Tipping Point for Passwordless Adoption
20:20 Ongoing Learning in Cybersecurity
26:09 Managing Stress in High-Pressure Environments
33:46 The Lifestyle Polygraph Begins
34:15 Career Insights in Cybersecurity
36:08 Dream Cars and Personal Preferences
39:58 Underrated Horror Films
41:19 Creating a Cybersecurity Monster
This week on That Tech Pod, Laura and Kevin chat with Richa Kaul, founder and CEO of Complyance, for a blunt conversation about what governance, risk, and compliance actually are, and why so many companies pretend it's something else.

Richa walks us through how she really landed in GRC, including the moment she realized compliance isn't about forms or frameworks. It's about power, incentives, and who takes the fall when systems fail. Drawing on her time in legal tech, enterprise systems, and AI, she makes the case that much of today's compliance model is quietly broken, and that organizations know it, even if they won't admit it. We dig into why GRC has such a credibility problem, the comforting lies companies tell themselves about being “compliant,” and whether compliance should be about control or trust, and why so many leaders default to the wrong one. Richa also weighs in on whether “move fast and break things” is actually gone, or just better disguised in the age of AI. We close with a forward-looking conversation on AI risk, including the uncomfortable questions boards avoid, why training alone won't fix reckless AI use, and what organizations should be paying attention to next if they want governance that actually works.

Richa Kaul is the founder and CEO of Complyance, an AI-powered GRC platform helping enterprises navigate governance, risk, and compliance with ease. She previously held leadership roles in legal and compliance technology, including helping scale global solutions at ContractPodAI. Richa focuses on how companies can move beyond checkbox compliance to build systems that actually support better decisions, accountability, and trust as AI becomes more embedded in the enterprise. She is passionate about the future of compliance, the role of AI in governance, and the challenges of scaling a company in enterprise tech.
Her innovative approach combines deep technical expertise with strategic business acumen, making her a sought-after thought leader in the GRC space.
In this engaging episode of MSP Business School, host Brian Doyle is joined by Sam Glynn—a notable figure in the GRC landscape—to pull back the curtain on the intricacies of compliance within MSPs. Sam Glynn shares his wealth of expertise from a career that has advanced from IT management in financial services to becoming a specialist in cybersecurity and compliance. Listeners are introduced to the significance of GRC, particularly how MSPs can align themselves with increasing regulatory demands while fostering profitability and customer satisfaction. The episode delves into the hurdles MSPs face when confronted with compliance audits and assessments. Sam explains how MSPs can view these assessments as opportunities to strengthen client relationships and increase revenues rather than as adversarial encounters. With an emphasis on understanding the framework alignment and the nuanced art of risk management, the conversation underscores the importance of embracing these challenges to enhance services and outcomes. The episode wraps up with a focus on Sam's advisory role, offering a perspective that's both realistic and strategic for organizations striving to improve their security posture. Key Takeaways: Understanding GRC: Sam Glynn illustrates how MSPs can navigate Governance, Risk, and Compliance to achieve compliance while maintaining profitability and improving service delivery. Partnering for Success: Enlisting experts like Sam can transition an MSP's role from a mere service provider to a strategic partner capable of advising clients on risk management and compliance. Framework Alignment & Risk Management: Embrace the interpretive nature of risk management processes, focusing on impacts and likelihoods to develop robust and tailored security strategies. Regulatory Insights: Compliance is not solely about meeting regulatory requirements; MSPs must also consider best practices for comprehensive security that addresses today's threats. 
VCISO Clarity: The role of a virtual Chief Information Security Officer (VCISO) extends beyond IT technicalities to include governance, risk management, and strategic alignment with organizational objectives. Guest Name: Sam Glynn LinkedIn page: https://www.linkedin.com/in/samglynnie/ Company: Secure and Assure Website: https://secureandassure.com/ Show Website: https://mspbusinessschool.com/ Host Brian Doyle: https://www.linkedin.com/in/briandoylevciotoolbox/ Sponsor vCIOToolbox: https://vciotoolbox.com
Meet Susannah Hammond, a trailblazer in governance, risk management, and compliance (GRC) with over 30 years of experience in financial services and technology. A chartered accountant and a distinguished fellow of the Chartered Institute for Securities and Investment, Susannah is a powerful voice in her field. As the recent winner of the Risky Women Write competition, her groundbreaking article on embedded supervision is set to revolutionize compliance. She champions a bold vision where regulators gain direct access to firms' systems, transforming the regulatory landscape into a more efficient and collaborative process. With her insights, Susannah is paving the way for a future where technology enhances compliance, saves costs, and builds trust—an evolution that could change the game for GRC forever!

SHOW NOTES
01:32 Career Journey
10:48 Embedded Supervision and Its Potential
16:07 Data Governance and AI in Compliance
21:02 Chat Bankman-Fried?
25:36 Predictions and Future of GRC

Get transcripts, links, and read her winning article: https://www.riskywomen.org/2025/12/podcast-s8e14-embedded-supervision-with-susannah-hammond/
This week on Simplifying Cyber, Aaron Pritz and Cody Rivers sit down with Jax Scott — combat veteran, podcast host (Two Cyber Chicks), and VP of Cybersecurity at Pearson — for a conversation that's equal parts leadership, risk reality, and “why is everyone still confused about BISOs?”

Jax shares her unconventional path into cybersecurity (perfume sales → special operations → NATO cyber strategy → Mandiant → Capital One → consulting → Pearson), then breaks down what BISOs/CISOs do when done right:
The “single point of contact” that connects business teams to security outcomes
Why risk management is the glue
Why the best security leaders aren't always the most technical (and how technical instincts can backfire)

Then we go headfirst into the AI debate:
Where automation helps most in compliance (evidence collection, mapping, reducing manual slog)
Where humans stay essential (judgment calls, accountability, trust-building)
The uncomfortable truth: if we outsource all thinking to AI, we may literally get worse at thinking

We wrap with practical guidance on:
Handling volatile regulatory changes (like DR/IR requirements) with flexible plans + frequent testing
The reality of CMMC: why it's not “new,” why enforcement matters, and why last-minute scrambles burn everyone out
How to lead teams through chaos with transparency, empathy, and real talk

And finally: Jax drops a fun fact that honestly explains a lot about her calm energy.

Listen now wherever you get your podcasts.

Key topics covered
What a BISO/VISO is (and how to explain it to non-security leaders)
Critical thinking + EQ as security superpowers
AI in compliance/GRC: automate the boring, keep the human judgment
IR/DR planning for shifting rules and requirements
CMMC realities for the defense industrial base
Leadership during change fatigue
A devastating new React vulnerability earned a "perfect 10" for risk, letting attackers remotely run code on a million-plus servers with a single HTTP request. Find out what happened, how fast attackers moved in, and why this bug changes everything for web security. France's VanityFair faces a stiff fine over cookies. GrapheneOS pulls out of France over coercion worries. The EU adds to the pile-on over underage social media. India mandates the tracking of all smartphones. Apple says no. India abandons its smartphone tracking mandate. India requires all encrypted messaging to be SIM-tied. Scattered Lapsus$ Hunters --becomes--> SLH. AI demand has driven RAM pricing sky high. GRC's DNS Benchmark is finished and available. Cisco may talk a good game, but they're still Cisco. Browsers to ask users for local network access permission. React: The worst remote code exploit in a LONG time. Show Notes - https://www.grc.com/sn/SN-1055-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/securitynow veeam.com bigid.com/securitynow zscaler.com/security hoxhunt.com/securitynow
Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Andréia Stephenson, BSc SIRM, Enterprise Risk Analyst at London Metal Exchange, about her shift from a Bachelor of Science in biology to a risk analyst and risk professional. Andréia speaks of her passion for data and the importance of communicating at all levels of your organization. She regards working for different organizations with good leaders as a way to learn risk frameworks and gain foundational knowledge. She shares views on how risk analysts can influence risk culture. She also tells how she uses AI as an assistant. Listen for thoughts on building a risk-aware culture by asking leaders the right questions. Key Takeaways: [:01] About RIMS and RIMScast. [:17] About this episode of RIMScast. Our guest today is Andréia Stephenson, BSc SIRM, Enterprise Risk Analyst at London Metal Exchange. She will discuss her career and the evolving role of the Risk Analyst. But first… [:43] RIMS-CRMP and Some Exam Prep Courses. From December 15 through the 18th, CBCP and RIMS will present the RIMS-CRMP Exam Prep Boot Camp. [:53] Another virtual course will be held on January 14th and 15th, 2026. These are virtual courses. Links to these courses can be found through the Certification page of RIMS.org and through this episode's show notes. [1:07] During the interview with Andréia, you will hear her reference the RIMS CRO Certificate Program in Advanced Enterprise Risk Management, which is hosted by the famous James Lam. Andréia is an alum of the program. [1:23] You can enroll now for the next cohort, which will be held over 12 weeks, from January through March of 2026. Registration closes on January 5th. Or Spring ahead and register for the cohort held from April through June of 2026. Registration closes on April 6th. [1:39] Links to registration and enrollment are in this episode's show notes. 
[1:46] Justin shares that RIMS suffered a tremendous loss in December. Chief Membership Experience Officer, Leslie Whittet, with RIMS for almost three years, tragically passed away due to injuries she sustained in an accident. She was walking her dog when she was struck by a truck. [2:18] Some of the RIMS staff, including CEO Gary LaBranche, knew Leslie from years prior. We are all shocked and saddened. Leslie was a remarkable association leader with 30 years of experience. [2:33] Gary LaBranche had the privilege of working alongside Leslie Whittet at the Association for Corporate Growth for nine years. For the last three years, Justin has had the pleasure of working with her at various RIMS events and seeing her weekly on our remote calls. [2:50] Leslie was always a source of positivity, inspiration, and creativity. She was just a wonderful person who will be deeply missed. Her memory is certainly a blessing. [3:03] RIMS will celebrate her memory at the Chapter Leadership Forum in Orlando in January. If you have any questions, please contact Josh Salter, jsalter@RIMS.org. Tributes are pouring in on LinkedIn and various networking groups. [3:22] If you have memories and photos you'd like to share, we encourage you to do so to honor her memory. [3:29] It wasn't easy to speak these words or read them, so I want to take a brief moment of silence to honor Leslie before we go any further. [3:44] On with the show! Our guest today is Andréia Stephenson. She comes to us all the way from London, where she's an Enterprise Risk Analyst for the London Metal Exchange. [3:57] You may know her a little bit from some promotional videos we've done on social media, promoting the James Lam CRO Certificate Course. In getting to know her, I was struck by how enthusiastic she was about her role as a Risk Analyst for years. [4:14] Many risk professionals begin as risk analysts; others, like Andréia, can make a thriving career of it. 
She's here to share some tips on how to do that, where ERM fits into the mix, and where she believes the role of the risk analyst will be going in the near future. Let's get started… [4:36] Interview! Andréia Stephenson, welcome to RIMScast! [4:47] Andréia may sound familiar to you because she did a testimonial on LinkedIn for RIMS for the James Lam CRO Certificate course. Justin says she was great to work with. That's how she and Justin met, and that's why she's here. [5:19] Justin notes that his voice is lower from "shouting" during the ERM Conference. Andréia looks forward to the RIMS ERM Conference 2026. [6:09] Andréia shares an overview of her career. She started at O.R.X., an operational risk data exchange association, where she learned all the principles of risk management. It gave her a strong background in operational risk. [6:36] From there, she went to London to go into a second-line risk management function as an analyst at a wealth management investment firm, then she went to a small investment bank, then to another wealth management firm, and now, to the London Metal Exchange. [7:00] They were all analyst roles, primarily operational risk, but also enterprise risk management. Risk has been part of her life for the last 10 years. The foundation was set by O.R.X. She holds the company close to her heart. [7:28] Andréia loves data. It's incredibly important for driving analysis. She says any analyst who doesn't love data is not an analyst! Data structure and data quality are very important for risk analysis, or any analysis. You need to love data to be able to do good risk management. [8:13] Andréia says that working in different organizations is important for risk management. It helps you connect the dots between the components of a risk management framework. 
[8:28] When Andréia started at O.R.X., she understood all the components, but she didn't join the dots until she went into the industry, hands-on, in the deep end, trying to figure out an RCSA, a KRI, or a KPI. Then, all the components of risk management started to make a bit more sense. [8:53] Andréia has always been fortunate to have worked with several exceptional leaders, each of whom had a kind of superpower in risk management that influenced her approach and understanding of risk. [9:07] Andréia's first manager at O.R.X. was tough and meticulous. She had a deep understanding of corporate governance and the boundaries between the risk types: strategic, financial, and non-financial. [9:22] At the time, Andréia didn't really appreciate how valuable the discipline was. She didn't understand yet. In hindsight, it gave her a strong foundation. Another CRO she worked with taught her the importance of communication in risk. [9:46] Aside from his technical ability, he understood stakeholder management at every level of the organization and how to translate the risk concepts for different audiences and build alignment. [10:00] Then she had a head of risk who was incredible with data, with an exceptional ability to quantify risk using analytics and evidence. Having a science degree, numbers were not Andréia's strongest area, but working with someone who pushed her helped her to become stronger. [10:25] Andréia thinks that working in risk in different organizations can help you build those thoughts. [10:32] Andréia has a Bachelor of Science degree in biology from the University of Bath in England. She's happy she decided not to pursue biology and took the risk road, instead. [10:55] Justin tells of recently having Kellee Ann Richards-St. Clair on the show. She's on the RIMS Strategic and Enterprise Risk Management Council. Kellee Ann started in Chemistry. She moved into Energy and Power and became the de facto ERM Manager for her organization. 
[11:15] Kellee Ann and Andréia channelled other areas of knowledge to apply them to risk. For Andréia, the statistical side of biology has been helpful in risk management. James Lam states in his CRO Certificate program that risk is probability and statistics. Risk management isn't easy. [12:19] Andréia believes that legacy tools and practices fall short when they are disconnected from the organization's purpose, vision, mission, and strategic objectives. GRC systems have different modules: an RCSA module, a budding issue module, and an incident module. [12:49] Andréia hasn't seen a system that can connect the dots well. Risk practitioners don't always know how to connect the dots, either. An RCSA becomes isolated from the risk itself because people don't understand the context of those risks. [13:17] Working with business senior leaders to understand the context of your organization will help you to provide more valuable use of those tools and practices. [13:32] Andréia explains RCSA. It stands for Risk and Control Self-Assessment. It's a thought process. You sit down to understand what's most important to you, how much you care about it, and what you have in place to protect what's most important to you. [13:55] Andréia says the way we try to document that thought process is quite heavy. The industry requires that process to be complicated. Andréia recommends simplifying it. [14:20] To simplify it, have a process that's more sensible. The industry requires you to do assessments for inherent risk and residual risk. First, determine if a risk is important to you. If it's not important, why are you assessing it? [15:09] Andréia thinks the industry makes it difficult by requiring organizations to assess risks in a certain way, when it doesn't actually make sense. Managers have to have the courage to say it doesn't make sense for the organization, let's try a simpler approach. [15:34] Andréia uses screens, but sometimes pen and paper will do. 
Having that brainstorming session with the business really helps in trying to understand the purpose of what you do for your organization and where you fit in the strategic purpose of the firm. [15:51] What is most important to you, as opposed to thinking of everything that could go wrong? Risk is not only about negative outcomes but also about opportunities. [16:09] Quick Break! RISKWORLD 2026 will be held from May 3rd through the 6th in Philadelphia, Pennsylvania. RISKWORLD attracts more than 10,000 risk professionals from across the globe. It's time to Connect, Cultivate, and Collaborate with them. Booth sales are open now! [16:31] General registration and speaker registration are also open right now! Marketplace and Hospitality badges will be available starting on March 3rd. Links are in this episode's show notes. [16:44] Let's conclude our Interview with Andréia Stephenson! [17:14] Beyond documenting risk, Andréia thinks a risk analyst can shape an organization's risk-aware culture by asking questions. The quality of the questions they ask helps drive culture. [17:31] When an analyst consistently probes assumptions, highlights all the inconsistencies they find, or asks what this means in practice, that behavior encourages others to think more critically about risk and about what they are doing. [17:50] Good questions change behaviors. They prompt people to pause and reflect rather than to operate on autopilot, which we all sometimes do. [18:04] Andréia says analysts can contribute by making risk information simpler, clearer, and more accessible, looking for ways to simplify their reports and focusing on the most important things, day-to-day, for their objectives, and having a less bureaucratic process. [18:41] Andréia suggests having the courage to speak up when processes in the second line of defense don't make sense, to help the first line as much as possible. 
[18:51] Risk analysts can influence and change behavior by building truthful and meaningful relationships with people, caring about the business, listening to the business units, taking their feedback to heart, and helping them to change the difficulties they encounter in risk. [19:19] Andréia works in the second line of defense. She works with a lot of first-line business units. For them, it's a burden when the risk team, the CRO, or the processes change. The risk analyst needs to help them minimize that burden. It's important to be conscious of that. [19:57] Andréia says when she goes into a new organization, the first thing she does is to understand the current state. What risk practices do they have? How do they operate? After a month, she has figured out how the organization is and how they make decisions. [20:17] When she has a suggestion, Andréia puts herself on the line for it. More often than not, it has worked out positively because she had good managers who could listen to her ideas for improvement. [20:41] If something doesn't make sense, you have to be true to yourself and say this process is lengthy, or this document is enormous; let's try to simplify it. Never be afraid of providing views for improvements, so long as you have one and have thought about it. [21:16] Andréia believes in passion for what you do. You need to be passionate, and if you're not, find your passion. For Andréia, it has always been to be a professional analyst and risk professional. That passion, in turn, drives your curiosity. [21:40] Look for ways to improve and learn. Working hard is really important, even with AI. Working hard drives good results. Data literacy is very important. Understand the basic principles of data and the basic tools that allow you to do data analysis. [22:04] Think, pause, and reflect. What does that data mean? What do those patterns mean? [22:10] Andréia stresses communication. She says she's still working on her communication skills. 
She is very direct at work. Sometimes that directness can seem abrupt. If something doesn't make any sense, she will put her hand up and say, This doesn't make any sense! [22:41] Having the soft skill to be able to communicate at all levels of the organization is important. That will set an analyst apart. [23:33] Andréia says AI is everywhere. She uses AI all the time for work and for her personal life. In her experience, AI is most powerful as a sounding board, a thought partner, and a colleague. It helps you explore ideas, structure problems, and challenge assumptions. [24:07] The analyst is the one who provides context and judgment. AI can help you generate lots of possibilities, but it can't decide what makes sense for your organization or for you. A critical mindset is very important. [24:25] Analysts need to treat AI as an extension of their thinking process, not as a replacement for it. You are the Quality Control. You are always the one accountable for the output. AI doesn't understand your business, your culture, or your strategic priorities, but you do. [24:48] There's always the risk that if you rely on AI without applying your own insight, the output will sound sort of right but not add any value. It may be technically correct, but contextually useless. [25:12] If analysts don't know how to extract, refine, and apply what the tool gives them, it won't move the needle in a meaningful way. [25:21] Analysts should work in different places, understand what a good framework is, get certifications, work with risk professionals, work to think about problems you haven't come across before, use critical thinking, and use AI to help perform the mechanical parts of your job. [25:51] Always rely on your judgment, your relationships, and your understanding of the business you are in. [26:04] Justin shares that philosophy. He uses AI as a sounding board, to help him if he's stuck on an idea, to help him expand it. If he likes it, he'll go with it. 
He takes the output as a template and refines it. [26:31] Andréia says it's almost like having an assistant. If it gives you something different than what you asked for, you can restate your question. [26:41] Justin's daughter is getting into advanced math in middle school. He doesn't remember a lot of it. He's asked ChatGPT to help him come up with math questions for his daughter. It has been invaluable for that. [27:20] Andréia uses it for formulas in Excel. She says, You still have to know what you want. You can prompt it to help you remember how to do something. Justin says you need the foundational knowledge. [27:45] Andréia says foundational knowledge is what will set people apart in their profession, whatever profession it is. She would much rather know what she knows than have AI do something and not feel comfortable with it. The foundation is really important. [28:08] Special thanks again to Andréia Stephenson for joining us here on RIMScast! Keep an eye out for her on LinkedIn in those super cool CRO Certificate Program promotional videos. [28:21] Remember, we have two more cohorts coming up, one in January and one in April. Links are in this episode's show notes. [28:29] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [28:57] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [29:15] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [29:33] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. 
Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [29:49] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [30:03] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [30:15] Practice good risk management, stay safe, and thank you again for your continuous support! Links: RIMS-CRO Certificate Program In Advanced Enterprise Risk Management | Jan‒March 2026 Cohort | Led by James Lam RIMS-Certified Risk Management Professional (RIMS-CRMP) RISKWORLD 2026 Registration — Open for exhibitors, members, and non-members! Reserve your booth at RISKWORLD 2026! The Strategic and Enterprise Risk Center RIMS Diversity Equity Inclusion Council RIMS Risk Management magazine | Contribute RIMS ERM Special Edition 2025 RIMS Now RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026 Statement on the passing of RIMS Chief Membership Experience Officer Leslie Whittet Upcoming RIMS-CRMP Prep Virtual Workshops: "CBCP & RIMS-CRMP Exam Prep Bootcamp: Business Continuity & Risk Management" December 15‒18, 2025, 8:30 am‒5:00 pm EST, Virtual RIMS-CRMP Exam Prep January 14‒15, 2026, 9:00 am‒4:00 pm EST, Virtual Full RIMS-CRMP Prep Course Schedule See the full calendar of RIMS Virtual Workshops Upcoming RIMS Webinars: RIMS.org/Webinars Related RIMScast Episodes: "James Lam on ERM, Strategy, and the Modern CRO" "RIMS ERM Global Award of Distinction 2025 Winner Sadig Hajiyev — Recorded live from the RIMS ERM Conference in Seattle!" "Presilience and Cognitive Biases with Dr. Gav Schneider and Shreen Williams" "Risk Rotation with Lori Flaherty and Bill Coller of Paychex" "Energizing ERM with Kellee Ann Richards-St. 
Clair" "Talking ERM: From Geopolitical Whiplash to Leadership Buy-In" with Chrystina Howard of Hub "Tom Brandt on Growing Your Career and Organization with ERM" "Risk Quantification Through Value-Based Frameworks" Sponsored RIMScast Episodes: "Secondary Perils, Major Risks: The New Face of Weather-Related Challenges" | Sponsored by AXA XL (New!) "The ART of Risk: Rethinking Risk Through Insight, Design, and Innovation" | Sponsored by Alliant "Mastering ERM: Leveraging Internal and External Risk Factors" | Sponsored by Diligent "Cyberrisk: Preparing Beyond 2025" | Sponsored by Alliant "The New Reality of Risk Engineering: From Code Compliance to Resilience" | Sponsored by AXA XL "Change Management: AI's Role in Loss Control and Property Insurance" | Sponsored by Global Risk Consultants, a TÜV SÜD Company "Demystifying Multinational Fronting Insurance Programs" | Sponsored by Zurich "Understanding Third-Party Litigation Funding" | Sponsored by Zurich "What Risk Managers Can Learn From School Shootings" | Sponsored by Merrill Herzog "Simplifying the Challenges of OSHA Recordkeeping" | Sponsored by Medcor "How Insurance Builds Resilience Against An Active Assailant Attack" | Sponsored by Merrill Herzog "Third-Party and Cyber Risk Management Tips" | Sponsored by Alliant RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars RIMS-Certified Risk Management Professional (RIMS-CRMP) RISK PAC | RIMS Advocacy RIMS Strategic & Enterprise Risk Center RIMS-CRMP Stories — Featuring RIMS President Kristen Peed! RIMS Events, Education, and Services: RIMS Risk Maturity Model® Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information. Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts. Have a question or suggestion? Email: Content@rims.org. Join the Conversation! 
Follow @RIMSorg on Facebook, Twitter, and LinkedIn. About our guest: Andréia Stephenson, BSc SIRM, Enterprise Risk Analyst, London Metal Exchange Production and engineering provided by Podfly.
Summary
In this episode, Sean M Weiss engages with Richa Kaul, CEO of Compliance with a Y, discussing the critical role of governance, risk, and compliance (GRC) in today's data-driven world. They explore the mission behind the organization, the importance of risk assessments, and the challenges posed by rapid advancements in AI technology. Richa emphasizes the need for ethical considerations in AI development and the necessity of human intervention in AI processes. The conversation highlights the balance between innovation and regulation, particularly in the context of data privacy and security.
Takeaways
Compliance with a Y focuses on protecting consumer data through enterprise security.
Risk assessments are crucial for both large and small organizations.
GRC stands for Governance, Risk, and Compliance, and is increasingly important.
AI technology is evolving rapidly, outpacing current regulations.
Ethical AI development requires human oversight and intervention.
Organizations must prioritize security over mere compliance.
The healthcare sector is a significant focus for Compliance with a Y.
AI can enhance risk visibility but should not replace human judgment.
Regulations need to adapt to the fast-paced changes in technology.
Integrity in business practices is essential for long-term success.
Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this episode, Tom welcomes Nicole Di Schino, Principal Compliance Services Consultant at Diligent's Spark Compliance Group to consider how to best harness AI for your compliance regime into 2026 and beyond. Nicole and Tom discuss the critical importance of AI governance, compliance, and modern GRC. They cover practical steps for developing comprehensive compliance programs, emphasizing the necessity for AI risk assessments, the establishment of AI governance committees, and the implementation of human oversight in AI processes. Nicole highlights the intrinsic risks associated with the use of AI, including privacy concerns and AI bias, and shares her personal experiences with AI's impact in educational settings. Tom underscores the role of compliance education, advocating for the broader view of compliance as an ambassadorial and educational function. This session also explores the integration of AI into compliance workflows and the essential role of board and committee oversight. Resources Nicole Di Schino on LinkedIn Diligent Website Tom Fox Instagram Facebook YouTube Twitter LinkedIn Learn more about your ad choices. Visit megaphone.fm/adchoices
All links and images can be found on CISO Series. This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is John Barrow, CISO, JB Poindexter & Co. In this episode: Building unicorns, not hunting them Cold War frameworks for modern threats Trading dollars for stories Mirror, mirror on the wall Huge thanks to our sponsor, Vanta Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso
Join us for a timely and insightful live discussion on the evolving role of artificial intelligence in governance, risk, and compliance. Host Dave Bittner from N2K | CyberWire is joined by Kayne McGladrey from Hyperproof, Matthew Cassidy, PMP, CISA from Grant Thornton (US), and Alam Ali from Hyperproof to explore the current state of artificial intelligence in governance, risk, and compliance. The panel will discuss what AI is truly doing well today, the risks and challenges organizations need to watch for, and how AI is poised to influence the future of GRC. They will also share practical insights and real-world guidance for teams looking to adopt AI responsibly and effectively. Don't miss this timely conversation as our experts break down what's real, what's risky, and what's next in AI for GRC. Learn more about your ad choices. Visit megaphone.fm/adchoices
In this JCO Precision Oncology Article Insights episode, Natalie DelRocco summarizes "Genomic Risk Classifiers in Localized Prostate Cancer: Precise but Not Standardized" by Góes et al. published on September 10, 2025. TRANSCRIPT Natalie DelRocco: Hello and welcome to JCO Precision Oncology Article Insights. I'm your host, Natalie DelRocco, and today we will be discussing the editorial "Genomic Risk Classifiers in Localized Prostate Cancer: Precise but Not Standardized." This editorial by Góes, Li, and Chehrazi-Raffle, and Janopaul-Naylor et al. describes genomic risk classifiers, or GRCs, for patients with localized prostate cancer. Like any risk prediction model, GRCs are intended to help identify groups of patients that may benefit from less intense or more intense anticancer therapy. Risk prediction tools can be difficult to bring into clinical practice; they require a lot of validation. And as the authors describe, GRCs in localized prostate cancer are no exception. The authors of this editorial contextualize an article by Janopaul-Naylor et al., which attempts to retrospectively explore the clinical use of three available GRCs for localized prostate cancer: Decipher, Oncotype DX, and Prolaris. Each of these three GRCs is being used in clinical practice currently. In the original article, all three GRCs were associated with less intense therapy being prescribed in practice. However, the editorial authors note that this is likely selection bias due to the observational nature of the study design. It is conceivable that GRCs were more likely ordered to make decisions for patients who were already thought to be good candidates for less intensive therapy. Another weakness of the retrospective study design is that patient level covariates known to be associated with clinical prognosis in localized prostate cancer, such as staging, Gleason score, prostate specific antigen, were unavailable. The authors note that sampling bias may also be an issue. 
Uninsured patients are not included in the original article, and therefore may impede the ability to make conclusions about the association of GRC use with income level. The editorial authors highlight important study findings as well as these limitations, such as the heterogeneity of interventions following GRC result return. The Prolaris GRC was found to be associated with more surgical interventions, while the Decipher GRC was associated with more androgen deprivation therapy plus radiation. Additionally, patients with active surveillance were more likely to have a GRC in general ordered. While these conclusions are very interesting, the editorial authors note that further exploration and validation, given the retrospective study design and limitations outlined, are needed to fully understand the impact of GRCs in the practice of treating localized prostate cancer. Thank you for listening to JCO Precision Oncology Article Insights. Don't forget to give us a rating or a review and be sure to subscribe so that you never miss an episode. You can find all ASCO shows at asco.org/podcasts. The purpose of this podcast is to educate and to inform. This is not a substitute for professional medical care and is not intended for use in the diagnosis or treatment of individual conditions. Guests on this podcast express their own opinions, experience, and conclusions. Guest statements on the podcast do not express the opinions of ASCO. The mention of any product, service, organization, activity, or therapy should not be construed as an ASCO endorsement.
Christine Lowthian, Head of Regulatory Compliance at HSBC, on her career journey, the importance of seizing opportunities and building a supportive network. She highlights her experience leading global teams, particularly in commercial banking and the U.S., and the challenges of managing multicultural teams. Lowthian stresses the role of technology, particularly AI, in enhancing compliance efficiency but noted the need for clean data. She advises aspiring leaders to embrace opportunities, maintain open communication with boards and regulators, and focus on strategic thinking and continuous improvement. SHOW NOTES 02:12 Career Journey 05:46 Leading Global Teams 08:50 Managing Multicultural Teams 16:27 Skills for the Compliance Officer of the Future 17:57 Engaging with Boards and Regulators 26:29 Handling Challenging Personalities 29:05 Advice for Women Starting Out Transcript and more GRC content: https://www.riskywomen.org/2025/11/podcast-s813-leading-global-teams-managing-with-impact-christine-lowthian/
Today we're launching Risky Women Academy, where we empower women in governance, risk, and compliance to advance in their careers! I'm Kimberley Cole, and I'm excited to share that we offer a range of courses from various providers, covering everything from trade and industry topics to essential soft skills. Bringing you new ways to learn from experts in the GRC industry, you'll also find discounts and special offers on courses right here. Discover the tools and knowledge you need to excel in your career! Check out Risky Women Academy now and be part of a community that champions your success. Are you part of an organization eager to showcase your valuable content? We invite you to collaborate with us! Reach out at info@riskywomen.org to explore how we can elevate the conversation together. Let's keep building on our super powers for even greater success!
All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining them is our sponsored guest, Nathan Hunstad, director, security, Vanta. In this episode: Metrics that matter Testing for real AI as an assistant Intelligence without context Huge thanks to our sponsor, Vanta Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso
In this episode of The Digital Executive, host Brian Thomas welcomes Yakir Golan, CEO and Co-founder of Kovrr, a global leader in cyber and AI risk quantification. Drawing from his early career in Israeli intelligence and later roles in software, hardware, and product management, Yakir explains how his background shaped his holistic approach to understanding complex, interconnected risk systems.
Yakir breaks down why quantifying AI and cyber risk, rather than relying on subjective, color-coded scoring, is becoming essential for enterprise leaders, boards, and regulators. He explains how Kovrr's new AI Risk Assessment and Quantification module helps organizations model real financial exposure, understand high-impact "tail risks," and align security, GRC, and finance teams around a shared, objective language.
Looking ahead, Yakir discusses how global regulation, including the EU AI Act, is accelerating the need for measurable, defensible risk management. He outlines a future where AI risk quantification becomes a board-level expectation and a foundation for resilient, responsible innovation. Through Kovrr's mission, Yakir aims to equip enterprises with the same level of intelligence-driven decision making once reserved for national security, now applied to the rapidly evolving digital risk landscape.
If you liked what you heard today, please leave us a review - Apple or Spotify.
See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is our sponsored guest, Khush Kashyap, senior director, GRC, Vanta. In this episode: Skip the Sermon When to coach versus command Making risk quantification useful Recognizing a distinct discipline Huge thanks to our sponsor, Vanta Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at https://www.vanta.com/landing/demo-grc?utm_campaign=new-way-grc&utm_source=ciso-series-podcast&utm_medium=podcast&utm_content=banner
Cisco's routers just exposed more than two million networks thanks to a "security optional" SNMP setup that's being actively exploited—Steve and Leo break down why this is a worst-case scenario for the industry and how easily it could have been avoided. Gmail's spam filtering false-positive spree. iOS 26's Safari randomizes its fingerprint by default. Cisco's SNMP stands for "Security Not My Problem". Windows' "stuck" Extended Security Updates (ESU). Europe complains, gets 1-year of ESU with no strings. Where to get $6 TLS certs (really) while they last. The lessons to learn from Jaguar Land Rover's mess. The NEON app: get paid to have your voice recorded. Bluesky's age verification, now coming to Ohio. What is "Kids Web Services" for age verification. More than 10K Ollama instances publicly exposed. GRC's DNS Benchmark reaches "release candidate" Show Notes - https://www.grc.com/sn/SN-1045-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: vanta.com/SECURITYNOW 1password.com/securitynow Melissa.com/twit threatlocker.com/twit zapier.com/twit