Podcasts about GRC

  • 556 podcasts
  • 2,177 episodes
  • 48m average duration
  • 1 new episode daily
  • Latest: Jun 2, 2026


Latest podcast episodes about GRC

Cyber Security Headlines
Meta AI hands over Instagram access, Dutch police dismantle botnet, RedHat packages backdoored

Jun 2, 2026 | 7:07


  • Meta AI hands over Instagram account access
  • Dutch police dismantle huge botnet
  • RedHat packages get backdoored

Get the show notes here: https://cisoseries.com/meta-ai-hands-over-instagram-access-dutch-police-dismantle-botnet-redhat-packages-backdoored/

Huge thanks to our episode sponsor, Vanta. Your team just added its 67th AI tool. And unfortunately, also your 67th security blind spot. The good news: the Vanta [rhymes with Santa] Agent works like a GRC engineer in the background, finding every app your team uses, scoring the risk, and drafting fixes for you. Vanta is the platform used by over sixteen thousand fast-moving companies like Ramp, Cursor, and Harvey who are shaping the future with AI, AND staying ahead of AI risk. Get started at vanta.com/headlines.

Cyber Security Headlines
GlobalProtect VPN exploited, ChatGPT share links exploits, Feds criticize NIST

Jun 1, 2026 | 8:31


  • Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
  • ChatGPT share links used to host fake outage pages to deliver malware
  • Federal audit reveals NIST's NVD problems

Get the show notes here: https://cisoseries.com/cybersecurity-news-globalprotect-vpn-exploited-chatgpt-share-links-exploits-feds-criticize-nist/

Huge thanks to our episode sponsor, Vanta. Get started at vanta.com/headlines.

B2B Go-To-Market Leaders
From CEO Operator to PE Advisor: PV Boccasam on Why Enterprise Buyers Buy Certainty, Not Software

May 28, 2026 | 58:05


In this episode of the B2B Go-To-Market Leaders Podcast, Vijay Damojipurapu sits down with PV Boccasam, advisor to private equity firms and veteran operator across enterprise software, venture-backed startups, and category-defining companies, to explore a radically different way of thinking about go-to-market.

PV argues that go-to-market is not about sales motions, pipeline generation, or even positioning frameworks—it's about one thing: reducing buyer anxiety and lowering the perceived risk of change.

Drawing from decades of experience building and scaling enterprise software companies across identity governance, GRC, enterprise risk management, and private equity-backed transformations, PV shares how the best GTM leaders think less about “selling” and more about helping customers justify, adopt, and communicate measurable value internally.

They dive into:
  • Why GTM should focus on reducing customer risk, not maximizing seller activity.
  • The difference between customer convictions and customer incentives—and why both matter.
  • Why measurable proof is the only reliable way to break buyer inertia.
  • How enterprise software companies should rethink value delivery in the AI era.
  • Why AI should reduce operational uncertainty—not create more chaos.
  • The evolution from product-led to sales-led to partner-led GTM motions.
  • Why “platform” messaging fails for most enterprise SaaS companies.
  • How modern AI-native SaaS products are becoming systems of orchestration, not systems of record.
  • The importance of helping customers retell your value proposition internally.
  • Why enterprise GTM leaders must become the clearest thinkers during periods of uncertainty.
  • How private equity firms should approach AI adoption through organizational redesign, not just cost-cutting.
  • And why long-term impact matters more than short-term velocity in building a career and a company.

PV's central insight is simple but powerful: customers don't buy software—they buy reduced uncertainty, measurable outcomes, and confidence in the future state.

This episode is a deep philosophical and operational masterclass on enterprise go-to-market strategy, AI adoption, organizational design, and what it truly means to build trust at scale.

Connect with Vijay Damojipurapu on LinkedIn
Connect with PV Boccasam on LinkedIn
Brought to you by: stratyve.com

De Bedrijfsjurist
Episode 52 – Aster Kamp, VP Legal and GRC at Catawiki

May 21, 2026 | 41:50


In episode #52 of De Bedrijfsjurist we speak with Aster Kamp, Vice President Legal & GRC at Catawiki. Aster began her career on the Zuidas and then worked at, among others, Mexx, Asics and Rituals.

At Catawiki she joined a fast-growing organisation where legal was still used mainly for transactional work. Her assignment: build a department that operates strategically. Aster did that very deliberately, not from a standard model, but from the question of what is really of value to Catawiki and its investors.

That approach produced an interesting conversation. Legal at Catawiki is built along three pillars: transactional, compliance & regulatory, and ESG & risk management. Beneath that lies a fourth layer: legal ops. Not as a separate project or a playground for tooling, but as a way of working: constantly looking at how things can be done more efficiently, smarter and more effectively.

What we found especially interesting is how concrete that becomes at Catawiki. With a ticketing system that now yields valuable data, and AI applications that help recognise patterns and shorten response times. And with a team in which young lawyers also play an important role, because they bring curiosity, digital skills and ownership.

What also stuck with us is her view of the role of legal itself. Not as a department that says yes or no to everything, but as a function that makes risks visible, helps structure choices and enables the business to make conscious decisions.

An episode about building, positioning and looking ahead. Not to be missed!

CISO-Security Vendor Relationship Podcast
Why Be Responsible When We Can Just Blame AI?

May 19, 2026 | 41:35


All links and images can be found on CISO Series.

This week's CISO Series Podcast features David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is our sponsored guest, Jadee Hanson, CISO, Vanta.

In this episode:
  • The compliance receipt nobody reads
  • Who signs off on the AI that wrote the code
  • The agent that wouldn't stop
  • The questionnaire that should not exist

A huge thanks to our sponsor, Vanta. Risk and regulation are ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Resilient Cyber
The Agentic GRC Revolution

May 19, 2026 | 32:11


In this episode, we sat down with Richa Gual, CEO of Complyance, the AI-first enterprise GRC platform that recently raised a $20M Series A led by GV (Google Ventures), to dig into how legacy GRC is finally being disrupted and what role AI agents play in that transformation.

We discussed why GRC has lived in the dark ages for so long, stuck in static documents, snapshot-in-time assessments, system sampling, and self-attestations while the rest of IT moved to cloud, APIs, and automation. We unpacked the credibility crisis caused by commoditized compliance and rubber-stamp audits, the limits of the first wave of GRC automation, and what genuinely changes when agentic AI takes on evidence review, vendor risk, policy drafting, and customer trust workflows end-to-end.

Richa shared Complyance's perspective on building agentic AI for the most sensitive data an organization holds, why explainability and isolation matter more in GRC than almost anywhere else, and how customers like Dropbox, CVS Health, and Major League Soccer are using AI agents to cut manual GRC work by 70% without lowering the assurance bar. We closed on what the next five years look like for the GRC workforce and whether the field can finally restore credibility to the phrase “compliance equals security.”

MSP 1337
Governance, Risk, Compliance (GRC), and the MSP Wake-up Call

May 19, 2026 | 34:28


In this episode, Chris Johnson sits down with Eric Shoemaker of Genius GRC to unpack one of the most misunderstood shifts in the MSP space: the move from tool-driven cybersecurity to standards-aligned governance, risk, and compliance programs.

Eric explains why Genius GRC isn't a software platform and why that distinction matters. Together, they explore how early automation wins (like continuous access reconciliations) impressed auditors but didn't replace the need for real governance, documented reviews, and independent judgment. As the market matures, the conversation turns to a growing risk: MSPs and SMBs stacking new security tools while core systems remain misconfigured and under-governed.

Chris and Eric tackle the myth of “do-it-yourself” GRC, the dangers of vibe-based compliance, and why tools only amplify expertise; they don't replace it. They also dig into the critical separation between IT operations and security leadership, making the case for advisory or independent CISO models that reduce conflicts of interest and improve risk outcomes.

The discussion closes with practical, budget-conscious fundamentals, such as DNS filtering, CIS IG1, and free or low-cost controls that actually move the needle, plus hard truths about negligence versus resourcing failures and why resilience must be budgeted from day one.

If you're an MSP, consultant, or business leader navigating cybersecurity maturity, this episode is a grounded, no-hype look at what actually reduces risk.

RIMScast
Safety Doesn't Take A Break with ASSP CEO Jennifer McNelly

May 19, 2026 | 34:37


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.   In this episode, Justin interviews Jennifer McNelly, CEO of the American Society of Safety Professionals, about her wide-ranging safety career, the ASSP publishing the first U.S.-Based standard on risk assessment and management, the ASSP's Standards-Based User Groups, and how safety practices are not about worker behavior but overall organization system safety improvement. Jennifer shares her excitement about National Safety Month and the upcoming Safety Conference + Expo 2026, from June 15th through 17th in Anaheim, California. Listen for inspiration on closing the safety gap in your organization.   Key Takeaways: [:01] About RIMS and RIMScast. [:16] About this episode of RIMScast. We are releasing this episode ahead of National Safety Month in June, and our special guest is Jennifer McNelly, the CEO of the American Society of Safety Professionals, but first… [:43] RIMS Virtual Workshops. The next RIMS-CRMP Exam Prep will be held on June 9th and 10th. The next RIMS-CRMP-FED Exam Prep with AFERM will be held on June 16th and 17th. Links to registration are in this episode's notes. [:58] Webinars. On May 21st, GRC returns to present "Is Your Fire Protection Strategy Outdated? Emerging Risks Are Changing the Rules." [1:10] On May 28th, Zurich returns with "From Underwriting To Risk Management: What To Expect From The Growing Demand For Data Center Construction." Register for webinars at RIMS.org/Webinars or through the links in this episode's show notes. [1:25] Folks, RIMS is back on YouTube. Our handle is @RIMSOfficialChannel. We've got plenty of videos there, including RIMScast, RIMScast Canada video podcasts, and other informative and entertaining content from RIMS. Subscribe to the channel today! [1:43] If you plan to submit a session for the RIMS Canada Conference 2026, today, the air date May 19th, is your last day to do so. 
Visit RIMS Canada to submit your session. We hope to see you in Quebec City, October 18th through the 21st. [2:02] On with the Show! June is approaching, and that means National Safety Month. That is also observed in several parts of the world. Who better to speak about safety than Jennifer McNelly, the CEO of The American Society of Safety Professionals (ASSP)? [2:20] Jennifer is an accomplished executive with more than 35 years of leadership experience in associations, government, and industry. She has been the Society's CEO since 2018, leading the global organization of more than 36,000 occupational safety and health professionals. [2:36] Jennifer has some new risk management standards to discuss, under the safety umbrella. I also thought we would benefit from hearing her philosophies on safety and how the ASSP encourages its members to embed safety into their organization's culture. Let's get to it! [2:55] Interview! ASSP CEO, Jennifer McNelly, Welcome to RIMScast! [3:29] Jennifer McNelly and Gary LaBranche, CEO of RIMS, run into each other often at ASAE. They have talked about connecting. Jennifer is excited to be here on RIMScast to talk about collaboration, partnership, and keeping everybody safe at work. [4:04] Jennifer asks every safety professional she connects with, "Tell me your story." She says she is an amalgamation of many stories that have led her to be the CEO of ASSP. She started in the political world. She says you've got to build strong partnerships to move things forward. [4:26] That is the foundation of the mindset Jennifer brings to the ASSP. After politics, she spent time in the U.S. Department of Labor in the capacity of public-private partnerships. That's how you move things forward. [4:41] This was followed by a deep commitment to the people in this nation who make things through leadership at the Manufacturing Institute and Global Stages.
All of Jennifer's career has been at the intersection of people and the world of work, and making the world a better place. [4:58] Jennifer says now she gets to do that with unbelievable honor for those who get up and run the world's economy every day, ensuring they get to go home as they were and better than when they walked in the door. [5:11] Jennifer says that's about economic contribution, keeping everybody safe, and the commitment and heart of every safety professional. Safety brought her in the door, with a very unique lens of how we need to work together to send everybody home. [5:32] Jennifer has been with ASSP for eight years, moving into her ninth year. She brings energy, passion, and connection to what ASSP is doing. She likes to think of herself as the catalyst for impact, to make workers' safety, health, and well-being an inherent right for everybody. [6:11] Jennifer says everyone's got a safety story. Often, the thing that hits the headline is the "Somebody did …" and there was a whole set of events. [6:23] Hence, today's conversation, anchored in the importance of risk identification, risk management, and integration into thinking every day by everyone. [6:33] It's not just one thing that starts it. It can be the mindset of someone who's had a bad morning and lost childcare for their family. It can be about a system in process. It can be about a bad piece of equipment. It can be a bunch of other things, but what we hear is the headline. [6:53] Jennifer says our goal is to unpack the story and get to the root cause and improve it, for everyone. [7:00] Jennifer says the ASSP has over 35,000 members globally. A lot of the membership is in the industrial space. They have partners in insurance, and those who service as well as those who produce. ASSP calls this the Safety Ecosystem. [7:26] Justin says RIMS sees that Enterprise Risk Management is leading the way for the future of the profession. 
Justin asks how Jennifer sees safety risk integrating more deeply into ERM frameworks. [7:42] Jennifer said in 2019, early in her career at ASSP, her pitch to the Board of Directors was for moving safety professionals and workers from basic compliance to a complete integration of human capital, total worker health, and principles like prevention through design. [8:10] Risk Enterprise Systems are critical to that objective. ASSP just released a new standard, "ANSI/ASSP Z310.1 Risk Management — Guidelines for Assessing and Managing Risk." [8:34] It's about management systems, operating in an organizational context, and creating and documenting a comprehensive approach. It's about stakeholder engagement, culture, and inclusivity. [8:49] It also has an important mindset: Change always happens. Therefore, it's about dynamic operations, not static operations; about how you use clear and available information to lead forward, and consider culture and human factors, always with continuous improvement. [9:11] Jennifer says we can't move forward without all those factors integrated into Enterprise Risk. [9:18] The ASSP's Z310.1 Committee is comprised of 28 organizations. ASSP plays an important role in the marketplace. Its logo is a shield, and its members are guardians of workplace safety. Every one of them is a workplace superhero. [10:05] Jennifer loves all superheroes because she loves the potential of hope that each one of us has that power. [10:12] One of the things that is unique about ASSP's market position is its global-based standards. It brings companies together around the table to flesh it out. It's not a single company. [10:34] Jennifer says injuries, serious incidents, and fatalities happen in an environment that's complex, dynamic, and always changing. By bringing together those who are doing the work, we gain consensus. [10:49] Justin says there is a link to the press release in this episode's show notes. 
The press release mentions how ANSI/ASSP Z310.0 builds off the ISO 31000 standard. There's a lot of value in it for RIMS members. Please check out the link in this episode's show notes. [11:17] Justin notes that ANSI comes with a lot of heft. The RIMS-CRMP is ANSI-accredited. RIMS is the only globally recognized risk management program through ANSI. [11:37] Jennifer says that early in her career, she sat on ANSI's 17024 PCAC, the group that approved those kinds of standards. She is a firm believer in business driving business outcomes. They know what works. [11:54] The workers doing the work and the business conducting the business know what works. Jennifer talks about cross connections and says we should be talking and doing more together. Each of us has a critical role. [12:42] A Quick Break! There are so many other wonderful RIMS events coming up in 2026. The 2026 Florida RIMS Educational Conference will be held from July 28th through August 1st at the lovely Ritz-Carlton in Naples, Florida. A link to the event is in this episode's show notes. [13:04] Register now for the Second Annual RIMS Texas Regional Conference, to be held from August 10th through 12th at the Grand Hyatt on the San Antonio River Walk. Advance rates are available through June 5th. [13:18] The 11th Annual Chicagoland Risk Forum will return to the Old Post Office on Thursday, September 24th, 2026, in Chicago. Visit ChicagolandRiskForum.org for more information. [13:31] The RIMS Western Regional Conference will be held from October 4th through the 7th in Seattle, Washington. Registration is open, and you can also submit a session. Visit RIMSWesternRegional.com and the link in this episode's show notes for more information. [13:49] Save the dates October 18th through the 21st. We will be in Quebec City to celebrate the 50th Live RIMS Canada Conference. Booth sales are already open. The call for educational sessions has been extended to May 19th, the air date of this episode. 
[14:06] Submit your session today. Early-bird registration will open in June. [14:12] Visit RIMSCanadaConference.ca for more information. Also, remember to check out RIMS.org/Canada for our spinoff show, RIMScast Canada, hosted by National Conference Committee Chair, Aaron Lukoni. [14:27] The RIMS ERM Conference 2026 will be held on November 18th and 19th in Columbus, Ohio. Details will follow on RIMS.org. [14:37] Let's Return to our Interview with ASSP CEO Jennifer McNelly! [14:44] Jennifer says standards bring consensus together, but members are asking how to use the standards and what to do with them. [15:03] Members want the playbook because they are busy, underresourced, and over-expected. They have a stressful work environment. The ASSP launched Standards-Based User Groups in January of this year. [15:20] The ASSP's partners collaboratively spend close to $7 million a year investing in keeping the standards updated. How do you move the standards to market? What do you do with them? There are hundreds of thousands of companies around the world that use the standards. [15:38] To somebody who is just starting that journey, it's a challenge. The ASSP's Standards-Based User Groups dig into the company's maturity, the maturity of the safety professional, and help them move one step further. [15:59] The point of Standards-Based User Groups (SBUGs) is to make the standards accessible. Jennifer says there are a couple of unique angles to the approach they are taking. [16:29] The ASSP's Standards-Based User Groups approach starts where serious incidents and fatalities happen, fall from heights and energy controls, two things where there is a lot of technical expertise in lock-out, tag-out, and fall prevention standards. [16:51] Jennifer says there is a disruption happening in business and in safety, the impact and influence of Big Data, AI, and analytics. The third SBUG is AI and Safety. 
Through technology partners, by integrating the Standards, it will level up what people have access to. [17:23] The ASSP's traditional routes are through the safety professionals. By putting Standards-Based User Groups in the hands of the reporting systems they have to use every day, that is scaling in a way that has never been done before. [18:06] The focus of the Standards-Based User Groups is scaling great knowledge in a framework denied by the industry. [18:16] Justin says it becomes a strategic risk management function. Jennifer says it is built into enterprise systems to drive action and make better decisions. [18:30] Another Quick Break! The Spencer Educational Foundation's Risk Manager on Campus application period is now open, and it will close on June 30th. Grant awardees, colleges, and universities are typically notified in September. [18:51] The Course Development Grant application deadline for Interval Number 2 will be on June 15th, 2026. Award notifications will be sent out in late July. [19:06] General Grant applications will open on May 1st, 2026, and the application deadline is July 30th. Internship Grant applications open on August 15th and close on October 15th. [19:18] Links to each of these grants are in this episode's show notes. Visit SpencerEd.org for more information. [19:27] Let's Conclude Our Interview with the American Society of Safety Professionals CEO Jennifer McNelly! [19:47] Justin points out that June is National Safety Month. Jennifer thinks every day is National Safety Day! National Safety Month puts a consistent spotlight on safety. She believes safety professionals need more celebration. [20:34] Jennifer loves to tell their stories. She is grateful to any safety professional and to anybody in the ecosystem listening today. Thank you for everything that you do. [20:48] June is coming, and we are not done. Jennifer often talks about the gap. 
She uses the roots of ASSP and the Triangle Shirtwaist Factory Fire as a real example that the gap is always going to exist. [21:12] Jennifer speaks of the Triangle Shirtwaist Factory Fire. It is the roots of the ASSP. There remains a building on the corner of NYU where about 149 individuals perished jumping out of windows because the doors were locked. It is the foundation and grounding of safety in the U.S. [21:36] Jennifer repeats that it is a real example of the gap. A couple of years ago, the ASSP Board of Directors went to the dedication of the building. Every year, Taps is played, and the ladder goes up, and it stops at the sixth floor. [21:49] You see the bunting and the gap between where we are today and where they were then. Someone next to Jennifer said, "But it needs to go higher!" That's the point. There is always a gap because business is dynamic and ever-changing. [22:06] Our responsibility as safety professionals and associations is to fill the gap and get ahead of it. With serious incidents and fatalities, the data has been flat for 10 years. Let's do something different. [22:23] Let's think about the principles of prevention through design and crack the C-Suite decision-making. Jennifer talks about safety as good governance. How safety succeeds is about the economic decision-making process. [22:44] Jennifer says it's got to be built into business in every way, shape, and form. Safety is never a moment or a one-and-done. It is a part of every part of business decision-making. [23:07] NIOSH does tremendous research on the future of work and how dynamic it is. Every year, Jennifer calls senior executives and talks through critical things. She does that because research says one thing and the ASSP membership says another. There's a gap. [23:28] Often, in that gap, Jennifer hears the term "research to practice." That leads back to the Standards-Based User Groups. What does the research say, what does the data say, and how do you scale it?  
[23:42] There are several forces at play when looking at what's shaping the world of work. There's workforce instability; a fluidity that never existed before. It's one of the biggest emerging risks Jennifer sees. [24:02] Next is the fact that safety is not a metric. Then there's the pace of change and technology, and the influence of leadership. Jennifer believes that leadership happens in every role and function. How do we empower individual and corporate leadership? [25:15] If a company is doing minimal compliance with the law, data tells us that's not enough. Jennifer said a volunteer was excited to tell her they had removed cell phones from a site. But cell phones can be used to photograph risks you hadn't seen. [25:54] First, understand what problem you are trying to solve. Is it technology looking for a problem, or a problem looking for a solution that the technology enables? That's the approach ASSP is taking. [26:13] If we continue to have individuals die every year, falling from heights, how do we solve that through technology, because somewhere in that complex system, things are not where they need to be. That's a statement of forward motion. [26:39] Jennifer says she thinks there is a huge opportunity, but it needs to be ethically used, transparent, and clear what problem we are trying to solve. AI in safety isn't new. ASSP worked with MakUSafe AI for three years as they started studying technology advancements in safety. [27:04] Jennifer says wearables have been around "forever." They're a good practice. Someone has seen the problem and identified the solution, and our challenge is replication, application, and scale. ASSP is striving toward that and how technology can enable it. [27:24] Jennifer says guardrails are something we hear from membership all the time. Jennifer wants it to be done in a way that integrates it seamlessly, not a new shiny penny. Jennifer is very careful to make sure changes are made at every level. 
This isn't a blame-the-worker approach. [27:53] This isn't Big Brother is watching somebody in the workplace. This is about empowerment in an era of action. How does information become a learning opportunity to understand A + B + C + D? [28:18] Jennifer says when she thinks of behaviors and actions, she thinks of the C-Suite decision-making. [28:26] What does the Board of Directors governing an enterprise know and understand about the human capital management and decision-making on the capital investment side of safety in the workplace? [28:39] Justin notes registration is open for Safety 2026, held from June 15th through 17th in Anaheim. It's the 65th Annual Conference and Expo. Jennifer calls it a Safety Revival! For Safety members, coming together to learn, connect, and grow gives a unique sense of belonging. [29:19] Jennifer calls it a battery-filling, energizing, impact like no other. It's a great opportunity to see what is on the leading edge and solve problems. The Expo is not a sales pitch. Everybody on that floor has to have a reason and something to share with safety professionals. [29:45] Jennifer describes the 200 classes. There are over 700 program applicants each year. There's too much content and not enough time. There's top-notch technical content and the opportunity to connect with someone that you know you can call and get an answer from. [30:20] Jennifer's favorite thing is to run around, hear stories, and take selfies. It truly is a welcoming and impactful event. [30:32] Jennifer says she's the reason people stop the second they walk in the door. She reminds them why they're there. Last year, she wore an ASSP pickleball outfit to show it's about not just being together but also having fun. Sometimes we forget that connection and fun. [31:14] People are going to learn, but have a great time while you're doing it! Jennifer says she will see everybody onstage! Anaheim will be the place to be! 
[31:29] The link to the 65th Annual Conference and Expo for Safety 2026 is in this episode's show notes. Justin says it has been such a pleasure to connect with you, finally, and get the word out for National Safety Month. We're priming for National Safety Month. [32:07] Special thanks to ASSP CEO Jennifer McNelly for joining us here on RIMScast! There are lots of links in this episode's show notes. Visit ASSP.org for more information, as well as the Safety 2026 Conference at Safety.ASSP.org. [32:27] Also in this episode's show notes are the links to RIMS coverage of Worker Safety and prior coverage of National Safety Month. A lot of this information is evergreen, so I hope you'll check it out. [32:39] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [33:08] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [33:25] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [33:43] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [34:00] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [34:14] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. 
[34:26] Practice good risk management, stay safe, and thank you again for your continued support!

Links:
RIMS Canada Conference — Oct. 18‒21, 2026 | Quebec City | rimscanadaconference.ca | Submit Your Session by May 19!
RIMScast on YouTube!
Spencer Educational Foundation — Scholarships and Grants | Open Calls and Timelines.
RIMS-CRO Certificate Program In Advanced Enterprise Risk Management | July‒Sept. 2026 Cohort | Led by James Lam
2026 Florida RIMS Educational Conference | July 28‒Aug. 1 | Register Now
RIMS Texas Regional Conference 2026 | Aug. 10‒12 in San Antonio | Register Now!
ChicagoLand Risk Forum | Sept. 24, 2026
RIMS Western Regional Conference — Oct. 4‒7, 2026 | Seattle, WA | Register Today and Submit an Educational Session!
RIMS Risk Management Magazine | Contribute
RIMS Now
RIMS-Certified Risk Management Professional (RIMS-CRMP) | Insights Video Series Featuring Joe Milan!
The Strategic and Enterprise Risk Center
RIMS Diversity Equity Inclusion Council
RIMS-CRMP Stories
RIMScast Canada – Episodes Now Live
RISK PAC | RIMS Advocacy
www.assp.org | safety.assp.org | June 15‒17
"ASSP Publishes First U.S.-Based Standard on Risk Assessment and Management"
Jennifer McNelly — ASSP Bio

Upcoming RIMS-CRMP Prep Virtual Workshops:
RIMS-CRMP Exam Prep | June 9‒10
RIMS-CRMP-FED Exam Prep with AFERM | June 16‒17, 2026
Full RIMS-CRMP Prep Course Schedule
See the full calendar of RIMS Virtual Workshops

Upcoming RIMS Webinars:
"Is Your Fire Protection Strategy Outdated? Emerging Risks Are Changing the Rules" | May 21 | Presented by Global Risk Consultants
"From Underwriting To Risk Management: What To Expect From The Growing Demand For Data Center Construction" | May 28 | Presented by Zurich
RIMS.org/Webinars

Related RIMScast Episodes:
"RIMS Risk Manager of the Year Jeff Bray"
"Risk Leadership on the Construction Frontlines with Cynthia Garcia"
"Rubber Meets Risk: Lessons from John Baldwin of Discount Tire"
"Company Safety and RIMS Chapter Leadership with Tamieka Weeks"
"Security Risks with William Sako"
"Safety and Preparedness in 2024 with National Safety Council CEO Lorraine Martin"
"Opioid Awareness and Workers Comp Risks with Raji Chadarevian of the NCCI"

Sponsored RIMScast Episodes:
"AI-Scale, Risk Ready: Engineering Controls for the New Data Center Boom" (New!) | Sponsored by Global Risk Consultants, a TÜV SÜD Company
"Facing Into Risk: Navigating the New Risk Landscape" (New!) | Sponsored by AXA XL
"Secondary Perils, Major Risks: The New Face of Weather-Related Challenges" | Sponsored by AXA XL
"The ART of Risk: Rethinking Risk Through Insight, Design, and Innovation" | Sponsored by Alliant
"Mastering ERM: Leveraging Internal and External Risk Factors" | Sponsored by Diligent
"Cyberrisk: Preparing Beyond 2025" | Sponsored by Alliant
"The New Reality of Risk Engineering: From Code Compliance to Resilience" | Sponsored by AXA XL
"Change Management: AI's Role in Loss Control and Property Insurance" | Sponsored by Global Risk Consultants, a TÜV SÜD Company
"Demystifying Multinational Fronting Insurance Programs" | Sponsored by Zurich
"Understanding Third-Party Litigation Funding" | Sponsored by Zurich
"What Risk Managers Can Learn From School Shootings" | Sponsored by Merrill Herzog
"Simplifying the Challenges of OSHA Recordkeeping" | Sponsored by Medcor
"How Insurance Builds Resilience Against An Active Assailant Attack" | Sponsored by Merrill Herzog
"Third-Party and Cyber Risk Management Tips" | Sponsored by Alliant

RIMS Publications, Content, and Links:
RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RISK PAC | RIMS Advocacy
RIMS Strategic & Enterprise Risk Center
RIMS-CRMP Stories — Featuring RIMS President Manny Padilla!

RIMS Events, Education, and Services:
RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: Jennifer McNelly, CEO, American Society of Safety Professionals

More from ASSP:
Standards-Based User Groups (SBUGs)
News release: ASSP Announces Strategic Framework to Drive Safety Beyond Compliance; Avetta Collaboration Provides First Industry Proof Point
Webpage: Standards-Based User Groups

AI white paper
News release: ASSP Releases White Paper on AI and the Evolving Role of EHS Professionals
White paper: AI and the Evolving Role of EHS Professionals.pdf

2026 Corporate Listening Tour report
News release: ASSP Report Identifies Five Critical Themes Shaping the Future of Workplace Environmental Health and Safety
Webpage (with 2026 report): ASSP Corporate Listening Tour

Production and engineering provided by Podfly.

ESG Talk
The Strategic Compass: Navigating the Intersection of GRC and Sustainability

ESG Talk

Play Episode Listen Later May 11, 2026 24:44


Climate mandates, GRC strategy, and a bike metaphor that'll change how you think about controls.

In this episode, Alyssa Zucker speaks with sustainability expert Mark Mellen on California's SB 253 soft launch—and why companies treating this year as a free pass will be blindsided in 2027. Then 25-year GRC veteran Graeme Fleming explains why governance-first programs help organizations move faster.

Chapters
00:00—Intro: California, GRC, and what's at stake
01:45—Mark Mellen: California SB 253 and the soft launch
07:00—SB 261, climate risk, and the commercial case
10:00—Global mandates: CSRD, ISSB, and the fragmented web
11:30—The ESG controller and data governance
17:00—Quantifying sustainability value
20:00—Graeme Fleming: Putting the G back in GRC
22:00—AI, the EU AI Act, and GRC's strategic role
23:00—The bike brake framework

Subscribe for new episodes!

RIMScast
Live from RISKWORLD 2026!

RIMScast

Play Episode Listen Later May 11, 2026 38:51


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.   In this episode, Justin takes the opportunity of RISKWORLD 2026 to interview on-site two session co-presenters, Sandy Avina and Angel Guerra, and a fellow podcast host, Joel Appelbaum. Sandy and Angel co-wrote a book, Riskfetti: Risk Management for the Rest of Us, which comes out on May 18th. They discuss their careers, how they came to team up to write, and why this book, now. Justin and Joel discuss Joel's career in risk, from underwriter to Chief Content Officer at the International Risk Management Institute (IRMI) and podcast host of The Edge of Risk. Listen for thought leadership on communicating risk to business professionals and translating complex risk research into media content.   Key Takeaways: [:01] About RIMS and RIMScast. [:14] About this episode of RIMScast. It was recorded live, on-site at RISKWORLD 2026, in Philadelphia. It's one of my favorite episodes of the year. We will be joined by a range of guests. But first… [:43] RIMS Virtual Workshops. The next RIMS-CRMP-FED Exam Prep Course will be on May 13th and 14th. The popular CBCP and RIMS-CRMP Exam Prep Bootcamp will be held from May 18th through the 21st. The next RIMS-CRMP Exam Prep Course will be held on June 9th and 10th. [1:02] Links to registration are in this episode's notes. [1:05] Webinars. On May 14th, Origami Risk will return with a new session, "Future-Proofing Your Risk Program: Keeping Pace with Scale, Complexity, and Visibility." [1:17] On May 21st, GRC returns to present "Is Your Fire Protection Strategy Outdated? Emerging Risks Are Changing the Rules." [1:27] On May 28th, Zurich returns with "From Underwriting To Risk Management: What To Expect From The Growing Demand For Data Center Construction." Register for webinars at RIMS.org/Webinars or through the links in this episode's show notes. [1:41] Folks, RIMS is back on YouTube. 
Our handle is @RIMSOfficialChannel. We've got plenty of videos there, including RIMScast, RIMScast Canada video podcasts, and other informative and entertaining content from RIMS. Subscribe to the channel today! [2:00] On with the Show! We are live on the exhibit floor at RISKWORLD 2026 at the Philadelphia Convention Center. There's a lot of great energy. That energy transferred from the stage to our booth! My first guests are from our LA RIMS Chapter, Sandy Avina and Angel Guerra. [2:23] Sandy and Angel co-presented the session on Tuesday, May 5th, "Between Truth and Trauma: Investigating the Invisible." RIMScast caught up with them right after they came off the stage to discuss the state of mental health claims and get a preview of their new book. [2:37] Sandy and Angel co-authored the book coming out on May 18th. It's called Riskfetti: Risk Management for the Rest of Us. We're going to have a lot of fun! Let's get to it! [2:44] Interview! Sandy Avina and Angel Guerra, Welcome to RIMScast! [2:58] Angel says this is her third RISKWORLD and she loves it! She last attended two years ago in San Diego. Sandy says this is her first time at RISKWORLD. She's trying to experience everything, and it's like trying to put ten pounds of sugar in a five-pound bag. She's getting there. [3:17] Sandy is The Riskfluencer on TikTok. [3:25] Angel has a business, Beauty and Beast in Business. [3:28] Together, Sandy and Angel make Riskfetti. [3:41] Angel started in the mailroom of SRS 20 years ago, moved through Claims, Operations Management, and Global Risk Management, and is now a VP at Arrowhead Evaluation, which does independent medical and risk consulting. [4:11] Angel's variety of experiences lets her see everything and gives her knowledge of risk management and the ability to manage a program well. [4:31] Right out of college, Sandy joined California's workers' compensation state fund as an adjuster. She loved it and started to learn other lines. 
She now works for California Schools JPA, a public risk pool supporting K-12 and community colleges. [4:54] Sandy leads the California Schools JPA claims program for property liability and workers' compensation. She loves it. [5:03] Sandy and Angel connected through LinkedIn. [5:25] Sandy and Angel presented a RISKWORLD session on developing the defense for psychological claims. Sandy says we're seeing the change in legislation for allowing mental-mental claims and not just physical-mental claims. [5:35] Dr. Ron Heredia was also on the panel. He spoke on how to crack defenses and properly investigate. There are red flags and also very truthful claims. As professionals, check your unconscious bias. Think about fact-finding without a specific agenda. [6:12] Justin points out that May is Mental Health Awareness Month in the U.S. Sandy partners with Kind Souls Foundation, a non-profit that provides a warm, emotional support line for anybody with a work-displacing event. Sandy notes the struggles of the Sandwich Generation. [6:56] Angel says we see people are being a lot more open about mental health and self-care, but there's still a stigma to it. It's important to recognize that, not just in May, but throughout the year. [7:15] Justin mentions a guest from a couple of weeks ago who served in the Canadian military. He was very open about his Post-Traumatic Stress Disorder. They had a wonderful conversation about it. Justin doesn't want to bring it up if somebody doesn't want to talk about it. [7:40] Sandy says, when you have the conversations more often, and they're more open, people feel more comfortable bringing it up. [7:50] Sandy and Angel's session was "Between Truth and Trauma: Investigating the Invisible." Angel says a lot of people told them they were very happy with the session. They see increases in legislation that allow for more mental-mental claims, and it's a challenge to keep up. [8:11] Angel says having Dr. 
Ron Heredia with them gave a view of what it looks like from the employer's side. Are you investigating those claims, recognizing the importance of very clear documentation? If it's not in writing, it didn't happen. Have a doctor help with questions to ask. [8:43] Riskfetti: Risk Management for the Rest of Us is coming out on May 18th. Sandy says she and Angel both started in claims, and they found that a lot of employers they spoke to didn't know risk management. They didn't understand their coverage or insurance, or how it works. [9:12] Sandy says a lot of the education in the industry today is very academic and is meant for the risk managers. Employers are not going to go get their CPCU or take webinars on coverage or understanding endorsements. They assign someone else to do it. It's split in the organization. [9:35] Sandy says nobody is speaking to that audience from a layperson's perspective in a way they'll be receptive to. Sandy said we wanted to make that information accessible, so we created a book that is fun, engaging, and more accessible for business owners. [9:49] Angel says they used case studies, fun stories of claims they had managed or others had managed. It's very engaging. People say they've read the book and laughed. It's for HR Managers, Safety Managers, and CFOs, who don't understand insurance but have responsibility. [10:41] Angel's advice for beginning risk professionals: Find a community of individuals who are willing to support you and talk about the hard things and cheer you on when you're not sure if insurance or claims is where you want to be. It's not an easy industry, but a wonderful industry. [11:00] Sandy's advice for the young generation is to make content about this industry. If you are working in this industry, make your TikToks and post on socials. We need to hear from that generation. It democratizes the flow of information. They already do it for their personal life. [11:18] Sandy says, talk about your experience. 
I want to know what it's like for somebody coming into the industry right now. I know what it was like 23 years ago; I want to know what it's like now. That's the best way to get that information out there. We want to know those opinions. [11:40] Justin says, I love what you're doing. You've got a lot of great energy! Angel, Sandy, thank you so much for joining me on RIMScast. You were wonderful guests! I hope to see you again next year. [12:04] A Quick Break! There are so many other wonderful RIMS events coming up in 2026. The 2026 Florida RIMS Educational Conference will be held from July 28th through August 1st at the lovely Ritz-Carlton in Naples, Florida. A link to the event is in this episode's show notes. [12:25] Register now for the Second Annual RIMS Texas Regional Conference, to be held from August 10th through 12th at the Grand Hyatt on the San Antonio River Walk. Advance rates are available through June 5th. [12:39] The 11th Annual Chicagoland Risk Forum will return to the Old Post Office on Thursday, September 24th, 2026, in Chicago. Visit ChicagolandRiskForum.org for more information. [12:53] The RIMS Western Regional Conference will be held from October 4th through the 7th in Seattle, Washington. Registration is open, and you can also submit a session. Visit RIMSWesternRegional.com and the link in this episode's show notes for more information. [13:10] Save the dates October 18th through the 21st. We will be in Quebec City to celebrate the 50th Live RIMS Canada Conference. Booth sales are already open. The call for educational sessions has been extended to May 18th. Early-bird registration will open in June. [13:29] Visit RIMSCanadaConference.ca for more information. Also, remember to check out RIMS.org/Canada for our spinoff show, RIMScast Canada, hosted by National Conference Committee Chair, Aaron Lukoni. [13:44] The RIMS ERM Conference 2026 will be held on November 18th and 19th in Columbus, Ohio. Details will follow. 
[13:52] Our final guest is Joel Appelbaum, Executive Vice President and Chief Content Officer at IRMI, the International Risk Management Institute! Joel is the host of IRMI's podcast, The Edge of Risk. He was formerly a Chief Risk Officer. [14:10] We are going to talk all about our shared interests and the importance of risk management education, and some of the trends that are emerging, some that are overhyped, and what he's seeing on the risk landscape. Let's get to it! [14:23] Interview! Joel Appelbaum, Welcome to RIMScast! [14:28] Joel Appelbaum is the Executive Vice President and Chief Content Officer for IRMI. Joel says he is used to asking the questions; he says it will be really cool to be asked the questions. [14:47] Joel is the host of The Edge of Risk. When they launched, six years ago, the idea was to come up with more relevant content, quickly, by talking to leaders. In the last year, it has grown by 60%. There's a need for insurance podcasts. It's still growing. [15:24] Justin notes that Elise Farnham was a recent guest. Elise teaches for RIMS. Justin says insurance podcasts share the same space, and there's some natural crossover. Justin and Joel sat together the day before at the main stage keynote. [15:53] Justin asks Joel about his having been an Enterprise Chief Risk Officer, when Enterprise Chief Risk Officers first came into vogue. He felt there were not a lot of resources for being a good ECRM, after coming from an underwriting background with CPCU and IRMI. [16:22] It was a challenging time. Joel cites Adam Grant's theme of low ego but honestly trying to help. Joel remembers bringing up to his boss that IT could be a risk, and being yelled at by his boss for about an hour for yellow-flagging IT. [16:53] Joel loves where Enterprise Risk Management has gone. It's necessary to identify risks in a positive way and deal with them proactively. [17:06] Joel says when it started, it was a rough job. 
Asking people what keeps them up at night, and sharing that with the board regularly, people weren't ready for it. It's a necessary and important job, but Joel found it to be one of the most challenging, alone on an island. [17:30] Joel thinks everyone who's been an Enterprise Chief Risk Officer or Risk Officer will tell you they do it with very few resources. Joel is glad to have an organization like RIMS to help. [17:50] Joel says he was in a lot of positions that IRMI serves. He was a Product Officer, an Enterprise Chief Risk Officer, a Chief Underwriting Officer, and a Chief Actuary. He did a lot of great things with a lot of great people. None of that prepared him to be a Chief Content Officer. [18:17] Being a Chief Content Officer is about writing and deep research. Joel works with people who research all day. [18:29] Joel learned that there's a disconnect between deep research and understanding coverage and analysis well, and practical insights and thought leadership for how it works in the real world. Parsing it and putting it together, and communicating it is the challenge. [18:53] Joel says it was a bit bumpy coming in and changing the way that IRMI approached things. Joel speaks of his joy of working for Jack Gibson at IRMI. [19:15] Joel says trying to put all the research into writing, keeping it up to date, making it useful, and changing it from just research to practical insights was challenging. It's been a great challenge, and he loves it. [19:29] Joel says he loves being at IRMI and working with people in the industry every day, trying to understand what they need. [20:16] Joel says he struggled with translating research into print, CE courses, and conferences. That takes time, and they need to be updated with the times, as well. A podcast can be simple. Yesterday, Justin and Joel came up with six or seven relevant questions and were ready to go. 
[20:48] Joel says podcasts fill the gap for the on-demand, necessary knowledge somebody might be seeking on the go. Joel's 30-something children listen to podcasts in the car or while they're exercising. You don't have to sit. Joel likes to do 20- or 30-minute Edge of Risk podcasts. [21:35] Joel says you can cover a very specific, timely topic. It doesn't take the effort of doing a research project or writing a book. Getting it to print takes time. If something changes in war, terrorism, or cyber, you can have a new podcast out in a day. [21:54] Justin says he finds it very gratifying when a guest's words on RIMScast are cited in a white paper. Seeing a reference to something he has done is very gratifying. Joel agrees. [22:10] Joel feels like it's such an honor to meet with thought leaders in the industry, sit down with them, and ask them questions. Joel says he gets great knowledge, meeting them, and learning a little bit about them personally. [22:43] Joel says it's gratifying when young professionals come up to him saying they know him from the podcast. Justin mentions people hearing him talking in the halls at RISKWORLD or RIMS events and recognizing him as the RIMScast guy or the webinar host guy. [23:26] Joel says AI has been a little overhyped. We all need to understand how to use it, but it isn't going to provide all the answers. A guest on his podcast told him at RISKWORLD they're going all in on AI for learning. [23:55] Joel says he gets that AI can be a quick fit for the answer you need. It's the right tool for the right time, but all risk managers know you have to have a lot of tools in your tool kit. AI doesn't replace foundational knowledge. [24:16] Joel's MBA helped him understand the other disciplines in the organization, to know when he was getting good information or bad information, and how to talk the language. 
[24:35] Joel believes that RIMS certifications and IRMI certifications help risk managers and insurance professionals understand the foundational knowledge. Then they know if they're getting a good answer from the AI. [24:50] Joel says that AI is trained on the internet. The internet has some flaws. Joel predicts AI will hit a learning curve. You're not getting the latest and greatest insights from RIMS or IRMI just writing a white paper on a new topic. Are you getting your AI from a reliable data source? [25:25] Joel advocates for using AI on IRMI material. They have an AI agent in beta now. IRMI has ReferenceConnect for its customers. AI is a good tool, but it's overhyped as a solution for everything. It's not going to solve all the problems. [26:00] It's a great tool if you're using it to gather data. Joel went to a great session at RISKWORLD with LineSlip about bringing all your different brokers' information together so you can get real insights. AI is a great tool to be used at the right place, at the right time. [26:23] You can't have it write all your letters because it doesn't sound like you. [26:37] Justin says an issue that's top of mind for him is PFAS, forever chemicals, because we need water to live. The second our water supply is bad, we've got much bigger problems. [26:52] Joel says Marsh did a presentation at an IRMI conference talking about how widespread the PFAS problem is. It should be on everybody's risk radar. Joel has put more filters in all of his houses. [27:21] Justin says Third-Party Litigation Funding is an emerging risk for RIMS. Joel has also done several podcasts on that. Liberty Mutual likes to call it Legal System Abuse. They had a great podcast on it with The Edge of Risk. [28:04] Joel says the concerning aspects are inflated awards and nuclear verdicts. ISO has introduced a new endorsement on disclosing third-party litigation funding. We've always needed tort reform. Joel thought that as an Enterprise Risk Manager, 20 years ago. 
[28:39] Joel says if you look at how all the other countries do it, the United States has a problem. It's really important to solve it. Insurance is a fundamental backstop and assistance to business. If the problem continues, insurers may start declining. How do you find solutions? [29:10] Joel thinks one of the solutions is to determine the appropriate amount of an award. Does $200 million make up for something where $2 million would suffice? [29:33] Justin says that he and Joel met up at the keynote with Adam Grant. They both enjoyed the keynote. Adam Grant spoke of unpleasant truths we may not want to hear. There's a difference between being loyal and being honest. [30:26] Joel doesn't have a problem delivering the unpleasant truths, but it has not always been great for his career. Joel says that in a lot of big corporate organizations, people want their allies with them. A new Chief Officer comes in and brings loyal friends with him. [30:54] Four or five years of being coddled later, the officer is gone. Joel worked for CNA for four different CEOs. Joel learned that integrity matters. He says if you communicate out of frustration or anger, it comes across wrong. [31:35] Joel says what he loved about Adam Grant's message is that people need to deliver the truth in a way that is kind and fair, and not fake. The people who tell you what you want to hear and that you're the greatest ever are the people you need to "get rid of." [32:08] Joel tells people that the knife gets sharper against the steel. Joel wants somebody who's sharpening the skill. He has to work harder for it. That's who he likes to surround himself with. Joel has his "board of governors" he goes to for help as a sounding board. [32:58] Leaders who surround themselves with yes-people are not going to last long. Justin asks about the compliment sandwich. Joel likes it if it doesn't come off as fake. Ask AI what's a fair way to deliver this, a compassionate way to give feedback. 
AI can give unbiased feedback. [33:45] Justin shares an experience where he successfully used AI to shorten and change the tone of an angry email message before he sent it. He was very pleased with the result, and the response was "OK." Joel admits he has delivered a lot of career-shortening emails. [34:44] AI should be thought of as a sounding board. Justin thinks the students coming into the profession probably already do so. Joel says certain types he has worked with don't handle negative feedback well from their peers. AI might be the best way for them to respond. [35:25] Joel has been to about 10 RISKWORLDs. He says the vibe this year is awesome. He feels there's a lot more opportunity for small connections. He loves the smaller talks. The conversation pods are great. There's always lots to learn, interesting people, and friends. [36:07] I love what you do at IRMI. Thank you for joining our show, RIMScast! I think very highly of your show. We've had a lot of the same guests. You're wonderful, and I appreciate all of your support! [36:35] Thanks again to all of our guests here on this special episode of RIMScast, produced live on-site at RISKWORLD 2026. We look forward to seeing you all in New Orleans next year for RISKWORLD 2027! [36:47] Be sure to check out last week's episode of RIMScast, featuring Risk Manager of the Year, Jeff Bray of Prologis. [36:53] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [37:22] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [37:40] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. 
[37:58] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [38:14] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [38:28] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [38:40] Practice good risk management, stay safe, and thank you again for your continued support!   Links: RISKWORLD Playlists:

Cyber Security Headlines
The Department of Know: AI "transformation paradox," Copy Fail chaos, hacked lawnmowers

Cyber Security Headlines

Play Episode Listen Later May 8, 2026 38:41


Link to the episode

This week's Department of Know is hosted by Rich Stroffolino, with guests Jonathan Waldrop, CISO, Acoustic, and Jason Elrod, CISO, MultiCare Health System. Missed the live show? Check it out on YouTube. The Department of Know is live every Friday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com.

Huge thanks to our sponsor, Vanta
Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Cyber Security Headlines
PAN-OS RCE exploit , Poland water hacks, Ivanti EPMM flaw

Cyber Security Headlines

Play Episode Listen Later May 8, 2026 9:02


PAN-OS RCE exploit under active use enabling root access and espionage
Polish intelligence says hackers attacked water treatment control systems
Ivanti warns of new EPMM flaw exploited in zero-day attacks

Get the show notes here: https://cisoseries.com/cybersecurity-news-pan-os-rce-exploit-poland-water-hacks-ivanti-epmm-flaw/

Thanks to our episode sponsor, Vanta

Accounting Matters
The ROI of Internal Audit: Beyond Compliance to Value Creation

Accounting Matters

Play Episode Listen Later May 7, 2026 48:47


Most internal audit functions are still operating like it's 2010. In the first episode of Embark's new GRC series, Adam Olsen is joined by Allison Bradshaw, Principal and head of Embark's GRC and Internal Audit Services practice, to make the case for a fundamentally different model. The conversation covers what modern IA looks like, how to build the right delivery structure, and how CFOs can measure real return on investment.

In this episode:
Why compliance-checkbox IA is leaving significant value on the table, and what a risk-based, consultative function looks like instead
Co-sourcing vs. outsourcing: a practical framework for deciding which model fits your organization's size, complexity, and risk profile
How data analytics and AI are shifting IA from sampling transactions to testing entire populations in near-real time
The emerging demand for IT audit, cybersecurity, and AI governance capabilities, and why most teams can't hire for all of it
A framework for measuring IA ROI: prevented costs, recovered value, process improvements, and stakeholder confidence
A real-world co-sourced engagement example where a single year yielded over $1.6M in identified losses and fraud

Accounting Matters
GRC Modernization: Building a Future-Ready Risk & Compliance Function

Accounting Matters

Play Episode Listen Later May 7, 2026 38:13


Most GRC functions were built a decade ago in response to SOX or a single risk event. The world has changed. The function often hasn't. In this episode, Embark's Adam Olsen is joined by Managing Director Allison Bradshaw to break down what it actually takes to modernize governance, risk, and compliance for the environment organizations are operating in today.

In this episode:
Why siloed GRC functions create blind spots, audit fatigue, and hidden costs that far exceed what shows up on a budget line
What an integrated GRC model looks like in practice: common risk taxonomy, shared technology, and coordinated activities across all three lines of defense
How to make the business case for modernization, including the 20 to 30 percent cost reduction organizations typically see when duplication is eliminated
Technology enablement beyond the platform: continuous controls monitoring, workflow automation, and real-time integration with your ERP and source systems
How modern GRC transforms SOX from a seasonal sprint into a year-round process, with a real-world example of an $800K compliance budget getting restructured
Where AI fits into GRC today: risk identification, anomaly detection, and compliance monitoring, plus the governance frameworks organizations need to manage AI as a risk in its own right
What a risk-intelligent culture actually looks like, and why most GRC transformations fail on culture long before they fail on technology
How to start without boiling the ocean: practical guidance on sequencing a GRC modernization roadmap

To connect with Allison or learn more about Embark's GRC maturity assessment, visit embarkwithus.com.

Cyber Security Headlines
Chrome installs AI model on devices, Daemon Tools disk app backdoored, crypto security exodus

Cyber Security Headlines

Play Episode Listen Later May 7, 2026 7:41


Google Chrome installs 4GB AI model on devices Daemon Tools disk app backdoored in supply-chain attack Crypto's 'decentralised finance' sector hit by investor exodus Get the show notes here: Thanks to our episode sponsor, Vanta Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Cyber Security Headlines
Video game supply chain attack, Bleeding Llama, US gets early LLM access

Cyber Security Headlines

Play Episode Listen Later May 6, 2026 7:51


Video game platform hit by supply chain attack Bleeding Llama could expose your data US gets more early LLM access Get the show notes here: https://cisoseries.com/cybersecurity-news-video-game-supply-chain-attack-bleeding-llama-us-gets-early-llm-access/  Thanks to our episode sponsor, Vanta Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Cyber Security Headlines
Instructure discloses breach, DigiCert revokes certificates, Silver Fox targets Indian and Russian orgs

Cyber Security Headlines

Play Episode Listen Later May 5, 2026 7:34


Instructure discloses breach amid leak threats DigiCert revokes certificates Silver Fox targets Indian and Russian orgs Get the show notes here: https://cisoseries.com/cybersecurity-news-instructure-discloses-breach-digicert-revokes-certificates-silver-fox-targets-indian-and-russian-orgs/ Thanks to our episode sponsor, Vanta Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Cyber Security Headlines
Telegram Mini Apps malware, cPanel is Sorry, patch wave warning

Cyber Security Headlines

Play Episode Listen Later May 4, 2026 8:13


Telegram Mini Apps deliver Android malware CISA orders Federal agencies to patch cPanel bug by Sunday British cyber agency warns of looming 'patch wave' due to speedy AI flaw discovery Get the show notes here: https://cisoseries.com/cybersecurity-news-telegram-mini-apps-malware-cpanel-is-sorry-patch-wave-warning/ Thanks to our episode sponsor, Vanta Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

RIMScast
RIMS Risk Manager of the Year Jeff Bray

RIMScast

Play Episode Listen Later May 4, 2026 43:06


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.   In this episode, Justin interviews the RIMS 2026 Risk Manager of the Year, Jeff Bray, about his award and his career at AMB, which merged with Prologis early in his career. Justin and Jeff discuss how risk management earns a strategic seat at the table, how Jeff revived the ERM Program at Prologis, tying it to the business model, and how cross-functional risk management works at Prologis today. Jeff speaks of resilience in the face of polycrisis and climate risk, and working on what he has control over while being aware of the rest. Jeff shares his excitement for developing the next generation of risk professionals and about the amazing opportunity the risk profession holds for them today. Listen for insight on ERM, resilience, and building relationships.   Key Takeaways: [:01] About RIMS and RIMScast. [:14] We hope you are listening to this episode of RIMScast while at RISKWORLD 2026, and we are gently reminding you to download the RIMS Events App to navigate the show successfully! [:29] About this episode of RIMScast. This is our annual Risk Manager of the Year episode. We are delighted to be joined by this year's honoree, Jeff Bray of Prologis. If you are listening to this on its release day of May 4th, you might see him onstage at RISKWORLD. But first… [:59] RIMS Virtual Workshops. The next RIMS-CRMP-FED Exam Prep Course will be on May 13th and 14th. The popular CBCP and RIMS-CRMP Exam Prep Bootcamp will be held from May 18th through the 21st. The next RIMS-CRMP Exam Prep Course will be held on June 9th and 10th. [1:19] Links to registration are in this episode's notes. [1:22] Webinars. On May 14th, Origami Risk will return with a new session, "Future-Proofing Your Risk Program: Keeping Pace with Scale, Complexity, and Visibility." [1:34] On May 21st, GRC returns to present "Is Your Fire Protection Strategy Outdated? 
Emerging Risks Are Changing the Rules." [1:43] On May 28th, Zurich returns with "From Underwriting To Risk Management: What To Expect From The Growing Demand For Data Center Construction." Register for webinars at RIMS.org/Webinars or through the links in this episode's show notes. [1:58] Folks, RIMS is back on YouTube. Our handle is @RIMSOfficialChannel. We've got plenty of videos there, including RIMScast, RIMScast Canada video podcasts, and other informative and entertaining content from RIMS. Subscribe to the channel today! [2:16] RISKWORLD 2026 is underway in Philadelphia, Pennsylvania! If you are here or on your way, be sure to download the RIMS Events App. It is free and publicly available. This will help you set your agenda and provide ample navigation through the Philadelphia Convention Center. [2:36] RIMS has also released its RISKWORLD Playlist, available through Apple Music and Spotify. Whether you want to get in the zone before RISKWORLD or relive the energy after it, these official RISKWORLD Playlists are available to keep the energy going. [2:53] Links are in this episode's show notes. [2:57] On with the Show! This is our special Risk Manager of the Year episode of RIMScast! This year's honoree is Jeff Bray. [3:08] Jeff is the Senior Vice President and Head of Global Risk Management at Prologis, a global leader in logistics real estate, with 1.3 billion square feet across 20 countries on four continents, and more than 6,500 customers focused on moving goods around the globe. [3:24] That is a lot of responsibility for one person, but don't worry, he's got a mighty team who shoulder it with him. [3:31] We're going to learn all about his work, the leaps and bounds he's made over the last 20 years, his involvement with the Spencer Educational Foundation, and what it takes to succeed in an increasingly uncertain world. We're going to have a lot of fun! Let's get to it! [3:46] Interview! RIMS 2026 Risk Manager of the Year, Jeff Bray, welcome to RIMScast! 
[4:07] Justin and Jeff met recently for his profile in RIMS Risk Management Magazine. [4:14] This episode is released on Day 1 of RISKWORLD. When people are listening to this, they might be seeing Jeff onstage accepting his award. Jeff says, first and foremost, he is looking forward to RISKWORLD; the award is a nice cherry on top. [4:37] Jeff is 20 years into his career, and he has only missed a few RISKWORLDs. [4:45] Jeff joined AMB Property Corporation in 2005, not knowing anything about risk management and knowing only environmental insurance, a few weeks before Hurricane Katrina. It was trial by fire. Then, Hurricane Rita and Hurricane Wilma hit. It was a transformational year. [5:34] There were two years in a row of serious hurricanes affecting the property insurance market. The challenges AMB had experienced transformed the way the insurance and risk management program has been run ever since. [6:02] AMB merged with Prologis a few years later, following a great financial crisis that occurred in June 2011. [6:32] Jeff says Prologis is an owner of logistics real estate. They don't operate any of the buildings. Jeff's purview is the 1.3 billion square feet of real estate in 20 countries, with around 60,000 assets. [6:47] Prologis has a couple of billion dollars a year of development activity. They have a renewable energy business and a digital infrastructure. [7:32] Jeff says it's critical to see properties first-hand. Warehouses are different in different countries, and seeing them helps solve problems when they arrive. Early on, he attended a captive owners conference in Bermuda, and meeting many peers accelerated his learning. [9:03] Through serving the business, Jeff built trust with senior leaders and the board. Jeff started by figuring out what people wanted or needed and helped them achieve it. He built strong relationships with every group; he's in lockstep with legal, finance, and business teams. [10:33] Jeff's risk team has seven members. 
He also has two members of the corporate security team. He has worked hard to grow the team as needed. He sees an opportunity with technology to scale the team's capabilities to focus on critical tasks. He's grateful for the team's efforts. [11:49] Risk management is centralized at Prologis. They operate as a consistent global program. Jeff is in San Francisco, with team members in the Bay Area, Denver, and one in Dallas. [12:45] Jeff says he takes advantage of every crisis and pays close attention to every near-miss. It's a reminder that this is why what we do is important. Sometimes it's all hands on deck. What can we do differently next time? [13:35] One big near-miss was a fire that arose from customer operations in a building, which didn't amount to much because the sprinklers operated properly. Jeff participates in Prologis's global safety board. They pay close attention to anything like a contractor injury. [14:06] June is National Safety Month. The Head of Safety of Prologis's Development Team plans Safety Month activities. Every project and team member will be involved. It sends a good message. They make it very clear to every contractor they hire that safety is paramount. [14:49] Justin says the leader of the ASSP will soon be a guest on RIMScast. Safety should be observed every month. Jeff says in the past, safety was something they focused more on when something happened, but now it's ingrained in the way they operate. It's not treated separately. [15:44] Jeff reestablished Prologis's ERM program. His ERM Committee is a sounding board with seven or eight global leads. The members are the Head of Internal Audit, the Head of Info Security, and others, who work closely across the risk register to ask, "What are we missing?" [17:14] The challenge in reactivating the ERM committee was getting the relevance right. For the first meeting or so, they brainstormed. Now it's operating at the right frequency with the right dynamic input. 
It will continue to evolve in every meeting. [17:55] They meet annually with the Audit Committee, and some years they meet with the Board of Directors. It evolves from the day-to-day Risk Register, working with the business teams. The Audit Committee and the Board are very invested in what the ERM Committee does. [18:34] ERM at Prologis is tied to what's relevant to the CFO, the Chief Legal Officer, and other stakeholders. With the CFO, it's tied to earnings per share and net operating income impact. Jeff is always looking at what the business is looking to accomplish and how ERM can support it. [19:17] A Quick Break! The 2026 Florida RIMS Educational Conference will be held from July 28th through August 1st at the lovely Ritz-Carlton in Naples, Florida. A link to the event is in this episode's show notes. [19:40] Register now for the Second Annual RIMS Texas Regional Conference, to be held from August 10th through 12th at the Grand Hyatt on the San Antonio River Walk. Advance rates are available through June 5th. [19:55] The 11th Annual Chicagoland Risk Forum will return to the Old Post Office on Thursday, September 24th, 2026, in Chicago. Visit ChicagolandRiskForum.org for more information. [20:08] The RIMS Western Regional Conference will be held from October 4th through the 7th in Seattle, Washington. Registration is open, and you can also submit a session. Visit RIMSWesternRegional.com and the link in this episode's show notes for more information. [20:26] Save the dates October 18th through the 21st. That is when the 50th Annual RIMS Canada Conference will be held in Quebec City. Booth sales are already open. The call for educational sessions is open through May 8th. Early-bird registration will open in June. [20:44] Visit RIMSCanadaConference.ca for more information. Also, remember to check out RIMS.org/Canada for our spinoff show, RIMScast Canada, hosted by National Conference Committee Chair, Aaron Lukoni. 
[20:59] Check RIMS.org for an announcement about the RIMS ERM Conference 2026. It will be up soon! [21:07] Let's Return to Our Interview with RIMS 2026 Risk Manager of the Year, Jeff Bray! [21:24] Justin asks what Jeff loves about RISKWORLD. Jeff loves the people, the interactions in the hallways, even when racing from session to session, and meeting to meeting. There's no better place to meet people and build meaningful relationships over the years. [21:45] Jeff says there's no better place to get apprised of what's coming up in the risk industry and reconnect with our most important relationships. [22:17] Jeff says RISKWORLD is a connection point where a group of risk professionals from around the country can get together. [22:31] Jeff's team members, the Head of Risk and the Head of Claims, have attended RISKWORLD for the last few years. [23:07] Justin asks about cross-functional risk management. Jeff says that he can't imagine a problem crossing their desk that Risk Management can solve solely by themselves, figure out, and move on. Generally, they will engage Legal, HR, and the Business Teams. [23:28] Jeff says that's hugely important to be able to solve problems effectively, and in a way that enables the business. [23:55] Jeff thinks the perspective on risk has changed over time. The needs have changed over time. At the beginning of his time at AMB and Prologis, there was a focus on insurance because they were expanding to new countries and standing up a global program. [24:17] Within 90 days, Hurricanes Katrina, Rita, and Wilma hit, and Jeff was learning about disaster recovery and response. He saw the teams in action and how it can be a competitive advantage if they can get their properties up and running quicker than someone else. [24:37] That's absolutely a competitive advantage to Prologis, and that's been in their DNA ever since. [24:53] Justin asks about Jeff's dashboard. 
It's a Claims dashboard, created by the Claims team, so Jeff can look at the Claims activity every day. [25:16] Jeff says Prologis retains a bunch of risk itself. It's Prologis's money. It concerns not only Jeff, but also the Finance Team and others. None of them likes surprises. Jeff manages it like a business, managing actual claims against the forecast. [25:53] Jeff says it's been phenomenal. He's asking for more dashboards! [26:08] Jeff discusses the impacts of technological innovation on his role. One of the biggest pieces was onboarding Archipelago, a tool to intake Statement of Value information and other property characteristics and deliver it to an insurance company in a reliable and verifiable way. [26:33] Jeff says during that period, they went through $40 to $50 billion of acquisitions, so Archipelago was a game-changer in a way that insurance companies couldn't believe. [26:48] Prologis would bring on a portfolio in September and was ready for its December renewals with the full Schedule of Values. Jeff says it was about, "What questions am I asking myself, and how do we solve for that?" [27:03] Jeff was looking beyond the Cap Modeling results to what other information he could get out of the data, from the newness of the assets, different specifications, and different protections in place, and quantifying that in a way that was meaningful for the insurers. [27:25] When Prologis onboarded Archipelago, there weren't any other systems available to do what was needed. They were developing something that hadn't been in place yet. Prologis was part of the development team. [27:43] Jeff says the Claims dashboard is driven by Origami, which has been an important partner of Prologis. [27:55] Prologis has always been focused on the combination of good data and leveraging technologies to interpret that data. That's been very important to Prologis. [28:15] Another Quick Break! 
The Spencer Educational Foundation's Risk Manager on Campus application period is now open, and it will close on June 30th. Grant awardees, colleges, and universities are typically notified in September. [28:42] The Course Development Grant application deadline for Interval Number 2 will be on June 15th, 2026. Award notifications will be sent out in late July. [28:57] General Grant applications will open on May 1st, 2026, and the application deadline is July 30th. Internship Grant applications open on August 15th and close on October 15th. [29:08] Links to each of these grants are in this episode's show notes. Visit SpencerEd.org for more information. [29:17] Let's Conclude Our Interview with RIMS 2026 Risk Manager of the Year, Jeff Bray! [29:43] Jeff says the younger risk professionals are absolutely more well-versed in technology. The challenge is not to let technology become more important than understanding the basics of the business. [30:00] Jeff says you still need to understand what that policy says and what the submission process looks like, so you can get the right outcomes out of the technology. Most of the folks Jeff works with are younger than he is. [30:21] Jeff says what they're doing with AI, dashboards, and other insights is super impressive. They balance that with learning the fundamentals. [30:47] In a new risk professional, Jeff looks first for curiosity and questions. When Jeff hit stagnant parts of his career, he had stopped asking questions, so today, he asks a lot of questions. Curiosity is key to investigating what's happening in the company to solve problems. [31:18] Jeff says connecting the dots is something he still works on today. We live in a complex world. There's generally not one threat or risk that operates in a silo. Risks are connected. Someone who can understand how different risks might be interconnected will be critical. 
[31:43] Jeff says that being hungry, learning, and striving to do more than the person who started next to you is more important than ever. [32:06] Jeff says polycrisis is an interesting term, and he fully believes in it. He spends a fair amount of time thinking about what he has control over and what he doesn't have control over. Jeff says Prologis doesn't let the polycrisis drive its strategy on a day-to-day basis. [32:45] Jeff says awareness is key, and knowing how you can respond as an organization. [33:02] On mitigation and navigation, Jeff says, it's like being on defense versus offense. Risk mitigation works if it's a very simple solution. Putting a floodwall in a building to prevent flooding is a great mitigation. [33:15] Most risks are not that simple, and they require navigation. They require keeping options open and multiple solutions. Navigation lends itself to how risks evolve and how we respond to those risks. [33:40] Jeff says Prologis is an owner of 1.3 billion square feet of real estate, with two to three percent of the world's GDP flowing through its buildings. Supply chain resilience is key. Prologis focuses on climate risk, but Jeff wants to look at it from more of a resilience perspective. [34:04] Jeff's perspective is about what Prologis should be worrying about, and how that affects how they build a building and how they operate an asset. Climate risk is front-of-mind to this day for many of Prologis's investors. [34:17] Investors want to know what Prologis is doing about things and how they are looking at exposures. So Prologis has always tried to be on the front end of that discussion with investors. The decisions Prologis makes just need to make good business sense. [34:41] As long as Prologis can communicate that this is a concern, and this is how it translates into a business impact or impacts performance, that remains key, and we are in an environment that is evolving in frequency and severity. 
It's something Prologis pays close attention to. [35:16] Solar panels are part of Prologis's sustainability goals. Thicker rooftops are needed. Solar panels affect how air conditioning is used and the temperature levels within a building. It affects how Prologis might construct the building to have a better working environment. [35:51] Jeff says it all ties together, which comes back to a more resilient and better-performing portfolio. [36:00] Justin asks about earthquake resilience for new construction. Prologis has a lot of property on the California coast and has been focused on earthquake risk for the life of the company, doing voluntary retro-fittings and seismic upgrades. [36:33] That's not to get reduced insurance premiums but to take steps to reduce interruptions that may occur for Prologis's customers' activities when an earthquake does arise. It's about taking Prologis's objectives and aligning them with the business, not to save premiums. [37:16] Jeff is very excited by the level of abilities he sees in college students. He was recently at Old Dominion for Risk Manager on Campus. This industry has an amazing amount of opportunity. Risk is at the crossroads of finance, operations, legal issues, and HR. [38:27] Jeff's words to students and aspiring risk professionals: "There's an incredible amount of opportunity. What risk strategy means today is very different than what it meant 15 years ago. It's a hidden gem of an industry, still today." [38:44] Justin congratulates Jeff on being named RIMS Risk Manager of the Year 2026. Nobody accomplishes anything by themselves. Is there anyone you want to thank? Jeff says thanking a whole host of folks might take its own podcast. [38:59] Jeff thanks his team across Risk, Resilience, and Claims, and the deep bench of external risk advisors, from broker placement to consulting, technology partnerships, and the insurers. He couldn't do this without all of those team members. He's very grateful for it all. 
[39:49] Justin says, I look forward to meeting you and seeing you up onstage and cheering you on. I hope we can continue to stay in touch because you've got so much knowledge to share with the global risk community, here through RIMScast. Thank you so much for your time! [40:16] Special thanks again to Jeff Bray, the 2026 RIMS Risk Manager of the Year. We are delighted for him and congratulate him once again. Be sure to check out last week's episode, featuring RIMS Rising Risk Professional, Tyler Vaughan. [40:32] In May, we intend to have Honor Roll Awardee, Emily Buckley, back on RIMScast. Check RIMS Risk Management Magazine for the Awards Digital Edition, which also features profiles on the Chapters of the Year and other special awards. More winners will be on RIMScast in 2026. [40:55] I hope everyone who's listening in Philadelphia at RISKWORLD is having a blast! Next week's episode will feature interviews recorded live while in Philadelphia. Let's relive the magic! [41:08] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [41:37] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [41:55] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [42:13] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [42:29] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. 
It is written and published by the best minds in risk management. [42:43] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [42:55] Practice good risk management, stay safe, and thank you again for your continued support!   Links: RISKWORLD Playlists:

From Corner2Corner
EP 390 Dane Damron

From Corner2Corner

Play Episode Listen Later Apr 30, 2026 67:07


This week on the Community Trust Bank Coaches Corner: Tonight we have on GRC's new Head Football Coach, Dane Damron. Coach Damron takes over this year for GRC and looks to improve on their winning ways!! Join us for an action-packed episode!   Your home for passionate sports talk, from Friday night lights to the hardwood to the diamond! We shine a spotlight on the local high school sports scene. If it matters to you, it matters to us!! Four voices. Four communities. All sports.   Hosts - Sean Kiper, Wes Crouch, Adam Muncy, and Daron Stephens.       Follow and Like us on the following Social Media Platforms.   Support the show   Follow us on Facebook   Follow us on X   Subscribe on Youtube   Visit us on the Web  

The Virtual CISO Moment
S8E16 - Real-World CMMC Insights with Rich Bates

The Virtual CISO Moment

Play Episode Listen Later Apr 30, 2026 31:35


Rich Bates shares a candid look at his 30+ year journey into cybersecurity, from early computing days to leading GRC programs and now building his own advisory practice focused on helping organizations tackle CMMC and compliance challenges. Along the way, he breaks down why these frameworks matter, the real risks businesses face if they ignore them, and how to approach security in a practical, business-focused way. Listeners will get valuable insights into navigating regulatory complexity, making smart risk decisions, and what it really takes to succeed as a cybersecurity leader or consultant. Whether you're a business owner facing CMMC requirements or a security professional looking to sharpen your approach, this episode offers real-world perspective without the fluff.

Security Now (MP3)
SN 1076: FAST16.SYS - Unmasking the NSA's Most Diabolical Digital Sabotage

Security Now (MP3)

Play Episode Listen Later Apr 29, 2026 155:19


What if your engineering calculations secretly sabotaged your nation's best efforts? This week, we reveal how a newly uncovered 21-year-old NSA rootkit quietly corrupted scientific research in hostile states and why it changes everything you think you know about cyberwarfare. Bitwarden's CLI hit with a supply-chain attack. Commercial routers in Iran fail shortly before the war. Meta logging all employee activity to train replacement AI. GRC's DNS Benchmark Release 5. Two miscellaneous AI thoughts. A bunch of terrific listener feedback. Unraveling the diabolical history of "fast16.sys". Show Notes - https://www.grc.com/sn/SN-1076-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: doppel.com threatlocker.com/twit material.security cyberhoot.com/securitynow guardsquare.com

All TWiT.tv Shows (MP3)
Security Now 1076: FAST16.SYS

All TWiT.tv Shows (MP3)

Play Episode Listen Later Apr 29, 2026 155:19 Transcription Available


What if your engineering calculations secretly sabotaged your nation's best efforts? This week, we reveal how a newly uncovered 21-year-old NSA rootkit quietly corrupted scientific research in hostile states and why it changes everything you think you know about cyberwarfare. Bitwarden's CLI hit with a supply-chain attack. Commercial routers in Iran fail shortly before the war. Meta logging all employee activity to train replacement AI. GRC's DNS Benchmark Release 5. Two miscellaneous AI thoughts. A bunch of terrific listener feedback. Unraveling the diabolical history of "fast16.sys" Show Notes - https://www.grc.com/sn/SN-1076-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: doppel.com threatlocker.com/twit material.security cyberhoot.com/securitynow guardsquare.com

Security Now (Video HD)
SN 1076: FAST16.SYS - Unmasking the NSA's Most Diabolical Digital Sabotage

Security Now (Video HD)

Play Episode Listen Later Apr 29, 2026 155:19 Transcription Available


What if your engineering calculations secretly sabotaged your nation's best efforts? This week, we reveal how a newly uncovered 21-year-old NSA rootkit quietly corrupted scientific research in hostile states and why it changes everything you think you know about cyberwarfare. Bitwarden's CLI hit with a supply-chain attack. Commercial routers in Iran fail shortly before the war. Meta logging all employee activity to train replacement AI. GRC's DNS Benchmark Release 5. Two miscellaneous AI thoughts. A bunch of terrific listener feedback. Unraveling the diabolical history of "fast16.sys" Show Notes - https://www.grc.com/sn/SN-1076-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: doppel.com threatlocker.com/twit material.security cyberhoot.com/securitynow guardsquare.com

Innovation in Compliance with Tom Fox
Beating Compliance Drift: Why Regulatory Intelligence and Continuous Monitoring Matter with Jeff Kushner

Apr 28, 2026 19:52


Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Jeff Kushner, a compliance and IT security leader at Allgress. Jeff talks about “compliance drift,” where external obligations (laws, frameworks like NIST/ISO/CIS, customer and licensing requirements) fall out of alignment with internal governance policies, procedures, and contracts, creating silent gaps that surface only during audits or incidents. They discuss the added volatility from business and geopolitical changes and identify the industries most exposed to hidden compliance risks, including small and mid-sized businesses, AI-focused organizations, behavioral health clinics managing many frameworks across multiple sites with drop-in audits, and small DoD contractors facing CMMC. Jeff argues that traditional spreadsheet-based or audit-centric GRC is static and point-in-time. He describes Reg Watch as a complementary regulatory intelligence layer that continuously monitors 3,000+ global standards, provides real-time alerts, explains changes in plain English, and supplies sample policies and implementation steps, along with supporting documentation and follow-up validation.
Key highlights:
Compliance Drift Explained
Volatility Beyond Regulations
Why Old GRC Fails
Reg Watch Intelligence Layer
Documenting Actions and Proof
Resources:
Jeff Kushner on LinkedIn
Allgress
Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

Run The Numbers
How Great Deals Are Found, Evaluated, and Won | PSG's Chris Nesbitt

Apr 23, 2026 54:34


In this episode of Run the Numbers, CJ sits down with PSG Managing Director Chris Nesbitt to unpack how great deals are actually found, how investment decisions are really made, and why narrative often matters more than most investors admit. They also dig into forecasting, boardroom authenticity, simple vs. complex models, and the roles of market, product, and leadership in driving outcomes.
SPONSORS:
Brex is an intelligent finance platform that combines corporate cards, built-in expense management, and AI agents to eliminate manual finance work. By automating expense reviews and reconciliations, Brex gives CFOs more time for the high-impact work that drives growth. Join 35,000+ companies like Anthropic, Coinbase, and DoorDash at https://www.brex.com/metrics
Aleph is a modern FP&A platform built for teams that want more than another planning tool. By connecting your ERP, CRM, and other systems into one trusted data layer with AI workflows, Aleph helps you move faster with real-time insights. Get a personalized demo at https://www.getaleph.com/run
RightRev is an automated revenue recognition platform built for teams that have outgrown spreadsheets and billing tool workarounds. It handles high-volume subscriptions, usage-based contracts, and mid-cycle upgrades, so you can scale without scrambling at month-end. For RevRec that keeps your books clean, visit https://www.rightrev.com/CJ
Rillet is an AI-native ERP built for modern finance teams that want to close faster without fighting legacy systems. Designed to support complex revenue recognition, multi-entity operations, and real-time reporting, Rillet helps teams achieve a true zero-day close, with some customers closing in hours, not days. If you're scaling on an ERP that wasn't built in the 90s, book a demo at https://www.rillet.com/cj
EY works with high-growth tech companies to navigate the messy realities of scaling, from regulatory requirements to IPO readiness. By helping teams get it right early and often, EY lets founders stay focused on building while reducing risk as they grow. Learn more at https://www.ey.com/techstartups
SpendHound is a SaaS spend management platform built for finance and procurement teams that want visibility and leverage in every deal. By tracking all your software, benchmarking pricing across thousands of vendors, and surfacing contracts and renewals, SpendHound helps you stop overpaying and negotiate with confidence. Trusted by teams at ZoomInfo and Hootsuite. Get started at https://www.spendhound.com/cj
LINKS:
Mostly Talent: https://mostlymetrics.typeform.com/to/cLTxtAsN
Guest: https://www.linkedin.com/in/christophersnesbitt/
Company: https://psgequity.com/
CJ: https://www.linkedin.com/in/cj-gustafson-13140948/
Mostly metrics: https://www.mostlymetrics.com
TIMESTAMPS:
0:00 Preview and intro
2:44 PSG origin story
4:01 Growth to 30B AUM
5:07 Strategy: small software at scale
5:50 Vertical SaaS treasure hunting
8:10 Ministry Brands: software meets payments
9:28 Sponsors — Brex | Aleph | RightRev
12:46 Early M&A work and rollup strategy
15:52 Sourcing is more competitive now
18:28 Smoke signals and relationship sourcing
21:22 Does brand get you in the room?
22:15 Authenticity as a sourcing edge
22:52 Sponsors — Rillet | EY | SpendHound
26:09 Brand name of investor or deal partner?
27:44 Investors are narrative driven animals
29:18 Market, product, then execution
31:26 Danger of falling in love with the narrative
33:40 Operator AI pivot story: GRC company
34:51 Keep it simple: one tab, five key inputs
39:21 Forecasting confidence beyond 12-18 months
41:51 What makes a useful board meeting
45:01 Build vs. buy: the payments decision
47:45 ARR vs. EBITDA multiples
50:30 Lightning round
50:34 Board materials: send 3 days in advance
51:03 LTV to CAC and cap software debates
51:32 First deal at PSG
52:35 What young investors get wrong
54:04 Credits

ITSPmagazine | Technology. Cybersecurity. Society
Cutting Through the Fog of More | A Brand Highlight Conversation with Michael Parisi, Chief Growth Officer of Steel Patriot Partners

Apr 21, 2026 7:29


RSAC Conference 2026 is in the books, and the post-event read is familiar: more vendors, more AI-driven marketing, more noise, and a buyer-side audience that increasingly cannot tell who to trust. Michael Parisi, Chief Growth Officer at Steel Patriot Partners, joins ITSPmagazine for a quick post-event catch-up on what he walked away with, and what is quietly shifting underneath all that volume.
The headline takeaway is what Michael Parisi calls the "fog of more." Marketing has done its job too well. CISOs and business leaders facing real decisions cannot tell competing solutions apart, do not know where to start, and are not sure their current stack is even the right one. Too much information has become its own information problem.
What is shifting, according to Michael Parisi, is where the meaningful conversations actually happen. Closed-door, hallway, and dinner conversations have always existed at RSAC Conference, but more people are now openly recognizing that this is where the real industry decisions get made. That recognition is changing how teams plan to engage with future conferences and industry events. For Steel Patriot Partners, which describes itself as business owners first, engineers second, and security and compliance practitioners third, that is exactly the conversation they want to be in.
This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. Learn more: https://www.studioc60.com/creation#highlight
GUEST
Michael Parisi, Chief Growth Officer, Steel Patriot Partners | https://www.linkedin.com/in/michael-parisi-4009b2261/
RESOURCES
Learn more about Steel Patriot Partners: https://www.steelpatriotpartners.com
Steel Patriot Partners Assistance Center: https://www.steelpatriotpartners.com
View all of our RSAC Conference 2026 coverage: https://www.itspmagazine.com/rsac26
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Michael Parisi, Steel Patriot Partners, Marco Ciappelli, Sean Martin, brand story, brand marketing, marketing podcast, brand highlight, RSAC Conference 2026, RSAC, cybersecurity compliance, fog of more, vendor noise, CISO, GRC, cybersecurity advisory, FedRAMP, CMMC, HITRUST, AI security marketing, hallway conversations, post RSAC

Innovation in Compliance with Tom Fox
Carole Switzer on Mastering GRC, the AI-Enabled Law Firm, and the Future of Legal Leadership

Apr 14, 2026 32:24


Innovation spans many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with GRC expert and OCEG co-founder Carole Switzer. They highlight her new books, “Mastering GRC: The Lawyer's Guide to Success in Governance, Risk and Compliance” and “The AI-Enabled Law Firm” (co-authored with Lee Denner). Carole explains that she wrote “Mastering GRC” to help lawyers applying legal skills in GRC roles move from reactive problem-solvers to proactive enterprise leaders by embedding themselves in business objectives, asking better questions, and collaborating across audit, risk, legal, and compliance. She recounts OCEG's origins and its GRC Capability Model, certifications, and global growth. Carole discusses balancing legal oversight with business partnership, including the risk to privilege when counsel acts in a business role. Looking ahead, she predicts rapid AI-driven change in legal practice, stressing technology and data-meaning (“semantic layer”) issues, and the need to adapt existing GRC frameworks for speed and volatility.
Key highlights:
Why These Two Books
From Counselor to Leader
Integrated Governance Mindset
How OCEG Built GRC Standards
Oversight vs Business Partner
Future of Legal GRC and AI
Managing Volatility With Frameworks
Resources:
Carole Switzer on LinkedIn
OCEG
The AI-Enabled Law Firm
Mastering GRC: The Lawyer's Guide to Success in Governance, Risk and Compliance
Innovation in Compliance, a multi-award-winning podcast, was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

AI in Action Podcast
Cybersecurity Series E19: 'MSPs, AI and Cybersecurity' with Numata Business IT's Jason Scanlon

Apr 13, 2026 18:51


Today's guest is Jason Scanlon, Chief Information Security Officer & Head IT GRC at Numata Business IT. Founded in 2004, Numata is a global managed IT services provider helping small and medium-sized businesses align technology with their goals. They deliver enterprise-grade solutions, including cybersecurity, cloud services and strategic IT advisory, through a subscription model. With an international presence, Numata enables organisations to improve efficiency, reduce risk and scale effectively using smart, reliable technology.
Jason is an IT leader with over 20 years of experience across consultancy, computer services and managed services. He specialises in complex systems troubleshooting, logical problem solving and network administration. He has designed, implemented and supported network infrastructure, and has worked with multinationals and government bodies on large-scale deployments and consultancy. He later progressed to IT Manager, leading IT functions, developing strategic roadmaps and aligning technology with business goals.
In the episode, Jason discusses:
0:00 His career background from IT professional to service desk to CISO
3:26 Why MSPs must differentiate through measurable business outcomes, not just IT support
4:49 GRC is evolving, but governance gaps remain the biggest organisational weakness
6:43 How AI will aid cyber defence, but requires controlled adoption
9:47 How the AI vendor surge requires risk-based decisions and strong governance
11:19 The need to focus on gradual cybersecurity maturity before pursuing ISO certification
14:03 Why success as a CISO needs collaboration and strong support
To find out more about all the great work happening at Numata Business IT, check out the website www.numata.co

CISO Stories Podcast
Cloud Security: The AI Effect & How to Proceed - Richard Marcus - CSP #223

Apr 13, 2026 30:46


In this episode of CISO Stories, Jessica Hoffman speaks with Richard Marcus, CISO at Optro, about how organizations are securing cloud environments at scale. They discuss secure by design principles, infrastructure as code, continuous monitoring, and how GRC and security teams are working together more effectively. The conversation also explores the impact of AI on both defense and the evolving threat landscape, with practical insights for modern security leaders. Segment Resources: Optro Cyber Risk Playbook: https://optro.ai/resources/ebook/the-cyber-risk-playbook-for-the-ai-threat-era This segment is sponsored by BlinkOps. Blink Micro-Agents stop AI threats with agentic speed and precision — visit https://cisostoriespodcast.com/blinkops to see the Agentic SOC in action. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-223

Cyber Security Headlines
Android API exposure, Acrobat Reader zero-day, Bitcoin Depot cyberattack

Apr 10, 2026 8:38


Google API keys in Android apps expose Gemini endpoints
Acrobat Reader zero-day flaw exploited since December
Cryptocurrency ATM company Bitcoin Depot reports cyberattack
Check out our show notes here: https://cisoseries.com/cybersecurity-news-android-api-exposure-acrobat-reader-zero-day-bitcoin-depot-cyberattack/
Huge thanks to our episode sponsor, Vanta
Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Cliff Notes Podcast
04-09 MEC conference expansion, Maysville @ Putnam County Baseball recap, Thursday scores

Apr 10, 2026 14:53


On this episode of the Cliff Notes Podcast:
The Midland Empire Conference announces more conference expansion.
Maysville baseball picks up a pivotal GRC conference win at Putnam County. Hear from Wolverines coach Dakota Dunlap & junior Carter Harms.
Thursday Scoreboard
Wanna thank all of our great year-long sponsors who make all of this possible: Tolly & Associates Little Caesars of St. Joseph John Anderson Insurance Meierhofer Funeral Home & Crematory HiHo Bar & Grill Barnes Roofing Jayson & Mary Watkins Matt & Jenni Busby Michelle Cook Group Russell Book & Bookball 365 The St. Joseph Mustangs B's Tees KT Logistics LLC Hixson-Klein Funeral Home James L. Griffith Law Firm of Maysville Toby Prussman of Premier Land & Auction Group, HK Quality Sheet Metal, Redman Farms of Maysville, Melissa Winn Henke Family Farms, Green Hills Insurance LLC., Cintas, Thrive Family Chiropractic, IV Nutrition of St. Joseph, Roth Kid Nation Serve Link Home Care out of Trenton, Barnett's Floor Renewal LLC., Balloons D'Lux, B3 Renovations, The Hamilton Bank member FDIC, Wompas Graphix & Embroidery of Liberty Ellis Sheep Company of Maysville, Bank Northwest of Cameron, Akey's Catering & Event Rentals, Brown Bear of St. Joseph, Wolf Black Herefords, Rob & Stacia Studer, Annie & Noah Roseberry of Re/Max Professionals, Moseley Farms, Jake Anderson of Shelter Insurance A slice & a swirl of Maysville Adkison Barber Shop Moyer Concrete of Maysville Cody Vaughn Wealth Advisor with Thrivent Gallatin Truck & Tractor Grandmas Gun Shop in Agency Nash Gas in Dearborn Accurate Appraisal in St. Joseph Ryan Meyerkorth Seed B.W. Timber of Bethany Mosaic Medical Center of Maryville Exclusive P.R. of Chicago Great Than Financial Hogue Lumber Company of Albany Stifel in Chillicothe United Cooperates, INC out of Osborn & Pattonsburg MP and Sons Contracting in Maysville JA White Construction in Maysville BTC Bank Seth & Marcie Davis of the Fitz Group Home and Land GRM Networks Perry Plumming & Septic LLC of Rock Port Citizens Bank and Trust of Rock Port C&M Business Machines Deal Travel and Cruises LLC Kovacs Fireworks Bray Farms of Cameron The Drug Store in Cameron Pettijohn Auto Center in Bethany Terry Implement Co., INC. Of Gallatin Re/Max Partners of Cameron- Dan & Staci Early The Bunker Club of Savannah North Central Missouri College in Trenton & Savannah Cooters Plumbing in Lathrop Steven Frieden Excavating Gregg Lawn & Landscape North Mercer Athletic Booster Club Stronger Starts Now Heather Bennett Agency Lathrop Chiropractic Center Schulenberg Contracting LLC Wigfield Farms in Chillicothe

Fraud in the Office

In this episode of Fraud in the Office, we break down “CashDash,” the 5-minute Fraud Loop, a $2.5 million fraud scheme that exploited DoorDash from the inside out. How many cheeseburgers would that be... probably filets?
A former employee, armed with insider knowledge and stolen credentials, manipulated internal processes to trigger fraudulent payouts, turning a convenience platform into a cash machine.
We unpack:
How the scheme worked (and why it scaled so quickly)
Where controls failed across access, processes, and monitoring
Why insider threats remain one of the biggest risks in modern platforms
Most importantly, we translate this real-world case into practical controls, from access governance to process configuration to transaction monitoring, that organizations can implement to prevent becoming the next headline.
Because sometimes, fraud doesn't hack the system… it uses the system exactly as it was (poorly) designed.
Support the show
Find us on all streaming platforms! Check out our sponsor 1Trooper on LinkedIn @1Trooper. And don't forget to subscribe!

Tags: office fraud, doordash, grc, fraud prevention, cybersecurity risks, internal controls, identity governance, transaction monitoring, credential theft

Cyber Security Headlines
ChipSoft popped, APT28 updates, CIA cyber espionage elevation

Apr 9, 2026 7:26


Ransomware knocks Dutch healthcare vendor offline
APT28 is keeping busy
CIA quietly elevated its cyber espionage division
Check out our show notes here: https://cisoseries.com/cybersecurity-news-chipsoft-popped-apt28-updates-cia-cyber-espionage-elevation/
Huge thanks to our episode sponsor, Vanta. Learn more at vanta.com/ciso.

Cyber Security Headlines
Anthropic's Project Glasswing, CISA funding in doubt, routers hijacked for passwords

Apr 8, 2026 7:17


Anthropic announces Project Glasswing
U.S. seeks to slash CISA funding
Russia-linked hackers hijack routers for passwords
Check out our show notes here: https://cisoseries.com/cybersecurity-news-anthropics-project-glasswing-cisa-funding-in-doubt-routers-hijacked-for-passwords/
Huge thanks to our episode sponsor, Vanta. Learn more at vanta.com/ciso.

CISO-Security Vendor Relationship Podcast
Remember, Every Underappreciated Risk Is Just a Crisis Waiting to Be Discovered

Apr 7, 2026 42:57


All links and images can be found on CISO Series. This week's episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is Hilik Kotler, SVP, CISO and IT, Expedia Group.
In this episode:
The numbers game
What makes a vendor worth your time
Humanity in the loop
Alignment is a prerequisite, not a nice-to-have
A huge thanks to our sponsor, Vanta. Learn more at vanta.com/ciso.

Cyber Security Headlines
Drift blames exploit on North Korea, GitHub attacks target South Korea, Die Linke breach threatens data leak

Apr 7, 2026 7:41


Drift says exploit was North Korean intelligence operation
GitHub used in multi-stage attacks targeting South Korea
Data leak threatened after Die Linke attack
Check out our show notes here: https://cisoseries.com/cybersecurity-news-drift-blames-exploit-on-north-korea-github-attacks-target-south-korea-die-linke-breach-threatens-data-leak/
Huge thanks to our episode sponsor, Vanta. Learn more at vanta.com/ciso.

Cyber Security Headlines
Department of Know: Axios malware, TeamPCP campaign, New Storm infostealer

Apr 6, 2026 31:35


This week's Department of Know is hosted by Sarah Lane, with guests Jack Kufahl, CISO, Michigan Medicine, and Adam Palmer, CISO, First Hawaiian Bank. Missed the live show? Check it out on YouTube.
Huge thanks to our sponsor, Vanta. Learn more at vanta.com/ciso.

Cyber Security Headlines
Malicious npm packages, CISA budget cuts, hackers exploit React2Shell

Apr 6, 2026 8:58


36 malicious npm packages exploited to deploy persistent implants
Hundreds of millions to be cut from CISA in proposed budget
Hackers exploit React2Shell in automated credential theft campaign
Check out our show notes here: https://cisoseries.com/cybersecurity-news-malicious-npm-packages-cisa-budget-cuts-hackers-exploit-react2shell/
Huge thanks to our episode sponsor, Vanta. Learn more at vanta.com/ciso.

BS3 Sports & Music #XSquad
Madness With Memphis

Apr 2, 2026 89:21 Transcription Available


We talk about the Final Four and the state of Memphis and Penny with our guy Memphis Spence.
Tiger Woods
Sean Woods
Congrats to GRC and more
Become a supporter of this podcast: https://www.spreaker.com/podcast/cats-talk-wednesday--4693915/support.

Business of Tech
AI Agents Shift MSP Accountability: Howard Cohen on Liability Beyond IT Infrastructure

Apr 2, 2026 34:52


The episode highlights a structural shift: MSPs are moving from managing infrastructure to supplying, designing, and maintaining AI-driven agents, which raises new questions of accountability and operational risk. As AI agents evolve from assistive chatbots to supervised and potentially autonomous systems, the channel faces a transfer of liability, governance gaps, and a growing need for systems-architecture competence. Companies referenced include Klarna, cited as a cautionary tale of poor AI design, and vendors such as OpenAI, Anthropic, and Microsoft, all of which are pushing the market toward agent-based operations.

The most consequential development discussed is the shift in liability for AI-driven outcomes: agent builders and MSPs become responsible for unintended actions, errors, or hallucinations produced by the agents they deploy. Incidents such as mishandled email or unauthorized decisions by an agent do not absolve the MSP of responsibility, which is why accountability needs to be spelled out in advance. Few cases to date have held foundational technology vendors liable; the burden usually falls on those who deploy and support AI agents for clients. The episode frames Klarna's experience as a failure of design thinking, emphasizing that designing agents with the end in mind is key to mitigating risk.

Supporting developments include the segmentation of AI solutions across SMB, mid-market, and enterprise clients, with complexity scaling as MSPs move from simple assistive AI to supervised and then fully autonomous agents. The episode notes that fewer than 5% of deployed agents are fully automated, and that security vendors are increasingly involved in AI governance, risk, and compliance (GRC) because data governance is central to AI projects. Regulatory and insurance gaps are acknowledged, with advice for MSPs to re-examine their E&O policies and adopt frameworks for AI trust and transparency.

Operational implications for MSPs and IT service providers are concrete: providers must reconsider contract exposure, review insurance coverage, and invest in AI governance mechanisms such as agent oversight and auditing. Price-to-value methods are recommended over simplistic per-agent or per-hour billing, which requires sophisticated project scoping and market analysis. The episode underscores that MSPs cannot rely solely on vendor solutions for risk mitigation: service providers are ultimately accountable for the AI outcomes delivered to clients, which necessitates operational safeguards and human-in-the-loop design wherever possible.

Supported by: ScalePad, Zero Networks

The Road to Accountable AI
Richa Kaul, Complyance: Asking the Right Questions

The Road to Accountable AI

Play Episode Listen Later Apr 2, 2026 33:00


Richa Kaul breaks down the AI risk landscape for enterprises and argues that the key to managing these risks is resisting the urge to sensationalize. Kaul offers a candid assessment of where enterprise AI governance committees are falling short, noting that many lack the technical fluency to ask vendors the right questions: where customer data goes, whether it is used to train other clients' models, and what specific steps reduce hallucination. She suggests that market-driven security standards such as SOC 2 and ISO 27001 often matter more in practice than government regulation, creating a "beautiful ecosystem" in which risk management runs ahead of the law. Looking forward, she addresses the growing challenge of agentic AI systems that make decisions autonomously, offering a deceptively simple prescription: map every action an agent can take, know where your highest risk sits, identify the critical decision points, and demand human sign-off at each one.

Richa Kaul is the founder and CEO of Complyance, an AI-native enterprise governance, risk, and compliance (GRC) platform. Before founding Complyance, she was Chief Strategy Officer at ContractPodAi, a legal technology company, and previously served as Managing Director at the Virginia Economic Development Partnership and as a management consultant at McKinsey.

Transcript

Complyance Raises $20M to Help Companies Manage Risk and Compliance (TechCrunch, February 11, 2026)
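The prescription described in this episode (map every action, rank the risk, require human sign-off at the critical decision points) and the human-in-the-loop design recommended to MSPs in the earlier episode above are easier to reason about as a concrete control. The following Python is an added example written for this page; it is not code from either podcast, from Complyance, or from any vendor named here. The action catalogue, the support-desk agent it describes, and the risk thresholds are constructed for illustration. The one detail worth noticing is that approval is bound to a digest of the action and its arguments, so a human sign-off on one refund cannot be replayed by the agent to authorise a larger one.

```python
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable


class Risk(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Action:
    name: str
    risk: Risk
    reversible: bool


# Step 1: enumerate every action the agent may take. Anything absent from the
# catalogue is denied outright, so the map doubles as the allowlist.
# (Constructed catalogue for a hypothetical support-desk agent.)
ACTION_CATALOGUE: dict[str, Action] = {
    "read_ticket": Action("read_ticket", Risk.LOW, reversible=True),
    "draft_reply": Action("draft_reply", Risk.LOW, reversible=True),
    "update_crm_note": Action("update_crm_note", Risk.MEDIUM, reversible=True),
    "send_email": Action("send_email", Risk.HIGH, reversible=False),
    "issue_refund": Action("issue_refund", Risk.HIGH, reversible=False),
}


class ActionDenied(Exception):
    """Action is not in the catalogue."""


class ApprovalRequired(Exception):
    """Action sits at a critical decision point and has no human sign-off yet."""


def request_digest(action_name: str, args: dict[str, Any]) -> str:
    """Bind an approval to the exact action *and* arguments (canonical JSON),
    so sign-off on a 5 EUR refund cannot be replayed for a 5000 EUR one."""
    canonical = json.dumps({"action": action_name, "args": args}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class HumanInTheLoopGate:
    approvals: set[str] = field(default_factory=set)        # digests a human has signed off
    audit_log: list[dict[str, Any]] = field(default_factory=list)

    def needs_signoff(self, action: Action, args: dict[str, Any]) -> bool:
        # Steps 2 and 3: where the highest risk sits, and which decision points
        # are critical. Irreversible or high-risk actions always need a human;
        # bulk edits of medium-risk data escalate (threshold is an assumption).
        if action.risk is Risk.HIGH or not action.reversible:
            return True
        return action.risk is Risk.MEDIUM and len(args.get("record_ids", [])) > 10

    def approve(self, action_name: str, args: dict[str, Any]) -> str:
        """Called by the human reviewer, never exposed to the agent."""
        digest = request_digest(action_name, args)
        self.approvals.add(digest)
        return digest

    def execute(self, action_name: str, args: dict[str, Any], handler: Callable[..., Any]) -> Any:
        entry = {"action": action_name, "args": args}
        action = ACTION_CATALOGUE.get(action_name)
        if action is None:
            self.audit_log.append({**entry, "decision": "denied"})
            raise ActionDenied(action_name)
        digest = request_digest(action_name, args)
        if self.needs_signoff(action, args):
            if digest not in self.approvals:
                self.audit_log.append({**entry, "decision": "pending_signoff"})
                raise ApprovalRequired(digest)
            self.approvals.discard(digest)  # one approval authorises exactly one execution
        result = handler(**args)
        self.audit_log.append({**entry, "decision": "executed"})
        return result


def run_scenario() -> list[str]:
    """Constructed walk-through; returns the sequence of audit decisions."""
    gate = HumanInTheLoopGate()

    def noop(**kwargs: Any) -> str:
        return "ok"

    gate.execute("read_ticket", {"ticket_id": 42}, noop)                 # low risk: runs
    try:
        gate.execute("issue_refund", {"ticket_id": 42, "amount": 5}, noop)
    except ApprovalRequired:
        pass                                                              # parked for a human
    gate.approve("issue_refund", {"ticket_id": 42, "amount": 5})         # human signs off
    try:
        gate.execute("issue_refund", {"ticket_id": 42, "amount": 5000}, noop)  # altered args
    except ApprovalRequired:
        pass                                                              # replay fails
    gate.execute("issue_refund", {"ticket_id": 42, "amount": 5}, noop)   # approved request runs
    try:
        gate.execute("issue_refund", {"ticket_id": 42, "amount": 5}, noop)  # approval consumed
    except ApprovalRequired:
        pass
    try:
        gate.execute("delete_customer", {"customer_id": 7}, noop)        # not in the catalogue
    except ActionDenied:
        pass
    return [e["decision"] for e in gate.audit_log]


if __name__ == "__main__":
    print(run_scenario())
```

Everything the agent attempts lands in the audit log with a decision, including denied and pending requests, which is the evidence an auditor or insurer would ask for when a deployed agent misbehaves. In a real deployment the approval set would live outside the agent's process and the handler would be the actual tool call.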

ITSPmagazine | Technology. Cybersecurity. Society
Cutting Through the Fog: Trust, Outcomes, and What Real Consulting Looks Like | A Brand Spotlight at RSAC Conference 2026 with Michael Parisi, Chief Growth Officer of Steel Patriot Partners

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Mar 31, 2026 22:16


At RSAC Conference 2026, the noise is relentless. Vendor booths, AI pitches, and breathless marketing compete for attention at every turn. Michael Parisi, Chief Growth Officer at Steel Patriot Partners, joins Sean Martin and Marco Ciappelli on the ground in San Francisco to name what too few are willing to say out loud: most of the conversation happening on the show floor does not reflect the conversations that actually matter.

The real exchanges, Parisi says, are happening backstage -- in the hallways, over coffee, between practitioners who trust each other enough to ask: does this vendor actually do what they say? That shift back to peer-driven trust is not a trend. It is a correction. Security leaders are exhausted and fragile, operating under intense pressure, and they are returning to the relationships they know rather than the research tools and AI-generated answers they do not trust.

Steel Patriot Partners was built around exactly that dynamic. Their operating principle -- business owners first, engineers second, compliance and security people third -- runs counter to how most consulting firms approach an engagement. Rather than leading with frameworks or certifications, the team starts by asking what outcome the client is actually trying to achieve. Parisi is candid about how often that conversation leads them to steer a client away from the path they came in convinced they needed. That willingness to say no -- and mean it -- is what sets a trusted advisor apart from a vendor.

The outcome-first philosophy shapes every engagement. As founder Jason Ford says, 80% of what Steel Patriot Partners does is a therapy session. Organizations coming in with complex compliance challenges -- FedRAMP, CMMC, HITRUST, DoD IL -- need more than a checklist. They need a partner who has lived those journeys themselves, made the mistakes, and can speak honestly about what is worth pursuing and what is not.

Parisi's advice to anyone evaluating a consulting partner is pointed: ask the question up and down the team, not just of the founder. The firms that have genuinely lived what they sell -- and can talk about the failures as clearly as the successes -- are the ones worth trusting when the stakes are high.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST
Michael Parisi, Chief Growth Officer, Steel Patriot Partners
LinkedIn: https://www.linkedin.com/in/michael-parisi-4009b2261/

RESOURCES
Steel Patriot Partners: https://www.steelpatriotpartners.com

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight

KEYWORDS
Michael Parisi, Steel Patriot Partners, Sean Martin, brand spotlight, brand story, brand marketing, marketing podcast, cybersecurity consulting, compliance advisory, FedRAMP, CMMC, HITRUST, DoD IL, trusted advisor, outcome-based consulting, vendor trust, cybersecurity noise, RSAC Conference 2026, security leadership, GRC, business risk, human in the loop

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

CISO-Security Vendor Relationship Podcast
Why Highlight Diversity When We Can Just Hope You Don't Notice?

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Mar 24, 2026 38:26


All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining is Julie Myerholtz, CISO, Brunswick Corporation.

In this episode:
Your cloud, your problem
Kill your sacred cows
AI broke your vendor math
Feedback is a gift. Open it.

A huge thanks to our sponsor, Vanta
Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Security Now (MP3)
SN 1070: CISA's Free Internet Scanning - Malware Disguised as a VPN

Security Now (MP3)

Play Episode Listen Later Mar 18, 2026 166:12


Meta quietly ditches encryption for Instagram chats while TikTok also backpedals on privacy, shaking up assumptions about how much big tech really values your secrets. Meanwhile, Steve Gibson reveals why CISA's free government security scans are an absolute must for businesses, plus what he learned when GRC took the plunge.

The Security Now "Caption That Photo" contest
A mega social media company says "no" to strong encryption
WhatsApp to give parents more control
Consumer bandwidth proxying is becoming a big deal
Meta buys the Moltbook duo
The EU gives up and settles upon the status quo
When a ransomware negotiation is not what it seems
CISA compels federal agencies to submit their logs
Is that a VPN in your pocket or something more malicious?
Be careful what you download, thinking it's AI
A super-clever and super-simple A/V scanner bypass
Will AI write code for me?
Another listener discovers the Joy of AI
Steve's CISA Internet scanning experience

Show Notes - https://www.grc.com/sn/SN-1070-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:
joindeleteme.com/twit promo code TWIT
material.security
canary.tools/twit - use code: TWIT
adaptivesecurity.com
meter.com/securitynow