How does compliance act as a catalyst for a robust risk management program?

In our last Super Cyber Friday, "Hacking the Value of GRC: An hour of critical thinking of how compliance can kickstart your risk program," we talked about making risk a shared organizational concept, starting points for choosing a GRC solution tailored to specific organizational needs, and differentiating factors in GRC programs. Joining us for this discussion were Kim Elias, senior compliance specialist, Vanta, and Norman Hunt, deputy CISO at GEICO.

HUGE thanks to our sponsor, Vanta

Watch the full video here:

Join us THIS Friday, May 17th, 2024 for the Capture the CISO Season 2 Finale.

>> Register for the Capture the CISO Season 2 Finale (05-17-24) <<

Subscribe to our events calendar

Visit our events page to subscribe so you can stay up to date on Super Cyber Friday and other CISO Series content.

Best quotes from our guests

“If you're going to integrate compliance into your risk program, you should do a really good job of documenting your risk register so that you can show it to an auditor.” - Kim Elias, Vanta

“There are standalone risk register tools. We've all seen them and experienced them. In my opinion, it works better when you have a risk register tool that incorporates your broader GRC program. So you're able to tie the controls that you have for your compliance frameworks to your actual risks, literally in the same tool.” - Kim Elias, Vanta

“From a security point of view, of course we want to know where the risks are. For other people in the organization, I think they worry a lot about putting risks in the light and actually spending time to find them… If you're not doing the right types of training with your employees, risk can be a very scary concept.” - Kim Elias, Vanta

“Individuals that are contributing to the mission of the organization can't be responsible for understanding what the overall risk appetite is for the organization, and what their tolerance levels are. So it has to come from the top.” - Norman Hunt, GEICO

“Unfortunately, when we're talking about GRC especially, people say ‘Oh, I do a compliance framework. I have to have a risk register. That's what I need to show my auditor.’ And they do it one time, and they say, ‘Look, I have a risk register. Isn't that nice?’ In a mature organization, it evolves. You're looking at your risk. You're tracking your risk. It might even be a daily thing for you.” - Kim Elias, Vanta

Quotes from the chat room

“Run multiple audits at the same time, to avoid duplication of effort for similar compliance regimes.” - Aman S., cybersecurity business engagement, VP, Elsevier

“Don't start with compliance, complete your risk program and execution of that will feed your compliance. Stop doing it backward.” - Jeff Reich

“Quick & dirty ROI on risk remediations to prioritize which we want to do first.” - Andrew Aken, PhD, CISSP, CIO/vCISO, DocDrew, LLC

“When building your risk acceptance processes, confirm the person accepting the risk has the authority to actually accept risk on behalf of the organization.” - Jonathan Waldrop, CISO, The Weather Company

“Don't focus on GRC until you have established with owners/officers what the policy aims of the organization are. From that policy, the GRC program can 'flow'. Otherwise, you'll always be in an antagonistic position with the rest of the org.” - Phillip Miller, MA, CISSP, VP, CISO, Qurple

Looking forward to it!

Carlos Cabezas Lopez

Digital Marketer | Cyber Security Practitioner (Ce-CSP) | CISMP | ISO 27001 | ITF+ | CCSK

6 months

Looking forward to the exciting finale this Friday.

Jeff Reich

IDSA Executive Director. Keynote Speaker. Board member. Previously with CSA, COO of Servuss, LexAlign, founded Risk and Security for ARCO, Dell, CheckFree, and Rackspace.

6 months

Thanks David for including my all-time favorite compliance quote!
