Artwork

Content provided by Mark Graziano. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Mark Graziano or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Player FM - Podcast App
Go offline with the Player FM app!

Vendor Risk Management and Customer-Centric GRC Principles with Steven Nguyen

1:11:03
 
Share
 

Manage episode 365276273 series 3471650
Content provided by Mark Graziano. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Mark Graziano or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Get ready to redefine your understanding of GRC and security with our esteemed guest Steven Nguyen, Business Information Security Officer of Data Applications at Twilio. Promising to enlighten you with a fresh perspective, we delve into the complexities of vendor risk management and security sales enablement, all in the light of business improvement. Stephen brings his expertise to the table, discussing the importance of agility and competitive positioning, as well as how to balance operational agility with reasonable security assurance.
This conversation takes a deep dive into the practicalities of executing GRC and security risk management within a small team. We touch upon the merits of adopting a cross-functional approach and the need for redundancy within skillsets, punctuated by Stephen’s insightful take on the matter. We also unravel the art of crafting quality questions for security questionnaires, which serves as a valuable tool to assess a vendor's maturity and calculate risk.
Not one to shy away from challenging topics, we navigate through the intricacies of security collateral and vendor risk management programs. Steven and I exchange views on the delicate issue of setting boundaries with customers running scans against our systems, and the legal complexities that contracts, DPAs, and security addendums bring to the table. We wrap up our discussion by emphasizing the importance of 'shifting left' in the sales process, and the need for standardization and transparency in GRC. This episode promises to be a rich source of knowledge for anyone keen on understanding the dynamics of GRC and security risk management.

For show notes, please visit The GRC Podcast website.
Sign up for our
Bi-Weekly Newsletter

  continue reading

Chapters

1. Vendor Risk Management and Customer-Centric GRC Principles with Steven Nguyen (00:00:00)

2. Two GRC Blogs (00:03:23)

3. Both Sides of the Fence: Customer and Vendor (00:04:32)

4. Scalability of Manual Questionnaires (00:07:31)

5. Embracing GRC Tooling and Workflow Automation (00:08:41)

6. GRC Program Betterments - Focus on Business Processes (00:10:18)

7. The Dreaded Monolithic Questionnaire Spreadsheet (00:12:04)

8. Cross-Functional GRC vs. Specialization (00:14:07)

9. Striking a Balance: Resource Spent vs Security Assurance Gained (00:16:43)

10. The Quality of Questions Matters (00:18:02)

11. Red Flag: Perfect Responses (00:19:55)

12. Levels of Assurance: Third Party Audit Reports vs Self-Assessment (00:23:50)

13. READ the Compliance Reports (00:25:18)

14. Other Security Sales Collateral (Pen Tests) (00:27:40)

15. Unreasonable Security Sales Collateral Requests (00:28:52)

16. Network Scans and Application Context (00:31:02)

17. Third Party Pen Tests and Bug Bounty (00:33:58)

18. Security Contract Negotiation & Risk Consideration (00:40:35)

19. GRC Guard Rails: Assessing Vendors, Contract Language (00:43:48)

20. Let Legal and Sales Self-Serve (00:46:35)

21. Security Engagement Late in the Sales Process (00:48:45)

22. VRM Betterments (00:55:20)

23. Security is a Relationship-Based Business (00:56:09)

24. Customer-Centric GRC (01:02:48)

25. Net Promoter Score (NPS) (01:07:40)

21 episodes

Artwork
iconShare
 
Manage episode 365276273 series 3471650
Content provided by Mark Graziano. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Mark Graziano or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Get ready to redefine your understanding of GRC and security with our esteemed guest Steven Nguyen, Business Information Security Officer of Data Applications at Twilio. Promising to enlighten you with a fresh perspective, we delve into the complexities of vendor risk management and security sales enablement, all in the light of business improvement. Stephen brings his expertise to the table, discussing the importance of agility and competitive positioning, as well as how to balance operational agility with reasonable security assurance.
This conversation takes a deep dive into the practicalities of executing GRC and security risk management within a small team. We touch upon the merits of adopting a cross-functional approach and the need for redundancy within skillsets, punctuated by Stephen’s insightful take on the matter. We also unravel the art of crafting quality questions for security questionnaires, which serves as a valuable tool to assess a vendor's maturity and calculate risk.
Not one to shy away from challenging topics, we navigate through the intricacies of security collateral and vendor risk management programs. Steven and I exchange views on the delicate issue of setting boundaries with customers running scans against our systems, and the legal complexities that contracts, DPAs, and security addendums bring to the table. We wrap up our discussion by emphasizing the importance of 'shifting left' in the sales process, and the need for standardization and transparency in GRC. This episode promises to be a rich source of knowledge for anyone keen on understanding the dynamics of GRC and security risk management.

For show notes, please visit The GRC Podcast website.
Sign up for our
Bi-Weekly Newsletter

  continue reading

Chapters

1. Vendor Risk Management and Customer-Centric GRC Principles with Steven Nguyen (00:00:00)

2. Two GRC Blogs (00:03:23)

3. Both Sides of the Fence: Customer and Vendor (00:04:32)

4. Scalability of Manual Questionnaires (00:07:31)

5. Embracing GRC Tooling and Workflow Automation (00:08:41)

6. GRC Program Betterments - Focus on Business Processes (00:10:18)

7. The Dreaded Monolithic Questionnaire Spreadsheet (00:12:04)

8. Cross-Functional GRC vs. Specialization (00:14:07)

9. Striking a Balance: Resource Spent vs Security Assurance Gained (00:16:43)

10. The Quality of Questions Matters (00:18:02)

11. Red Flag: Perfect Responses (00:19:55)

12. Levels of Assurance: Third Party Audit Reports vs Self-Assessment (00:23:50)

13. READ the Compliance Reports (00:25:18)

14. Other Security Sales Collateral (Pen Tests) (00:27:40)

15. Unreasonable Security Sales Collateral Requests (00:28:52)

16. Network Scans and Application Context (00:31:02)

17. Third Party Pen Tests and Bug Bounty (00:33:58)

18. Security Contract Negotiation & Risk Consideration (00:40:35)

19. GRC Guard Rails: Assessing Vendors, Contract Language (00:43:48)

20. Let Legal and Sales Self-Serve (00:46:35)

21. Security Engagement Late in the Sales Process (00:48:45)

22. VRM Betterments (00:55:20)

23. Security is a Relationship-Based Business (00:56:09)

24. Customer-Centric GRC (01:02:48)

25. Net Promoter Score (NPS) (01:07:40)

21 episodes

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Quick Reference Guide