GRC & Chill: Kickstarting Your Risk Management with Quantification


Table of contents

When you think about the types of companies that need GRC programs, what comes to mind? Do you envision banks and financial institutions? Or healthcare companies and other heavily regulated sectors? The truth is, GRC applies to everyone, like the online streaming entertainment businesses. In this episode of GRC & Me, Megan Brown (Phee) talks to Netflix's Senior Information Security Risk Engineer, Tony Martin-Vegue. Tony recounts his risk quantification journey, how to get tactically started, and how risk quantification provides positive business outcomes. Like all great Netflix series, we had some twists and turns during the taping — check out the video version of the episode to see a special cameo appearance! The views expressed by Tony in this episode are his own. 

In this episode you’ll hear:

  • How Tony’s background in economics, an influential mentor, and interest in security got him to where he is today.
  • An all too familiar situation for many risk and information security professionals, when Tony was starting out, he found himself needing to present his company’s financial risk exposure to upper management and the board. Qualitative terminology and techniques were only able to get him so far, and after a bit of embarrassment, he researched what quantitative methods were out there.
  • Tony's advice for getting started with risk quantification:
    • Books, journals, and software can get overwhelming. Start by taking baby steps.
    • A worthy goal to shoot for in your risk management program is to be a little bit better than you were yesterday.
    • Use a scenario-based approach that ensures all your data classification levels are correctly applied.
    • Work toward being able to know how much your efforts can reduce risk. Knowing how much projects cost, you can come up with Return on Investment (ROI) ratios.

Check out the full podcast episode and hear what else Tony had to say here:

Related Posts