Building Robust Risk Cultures Through Collaborative Cyber Risk Management

This is a podcast episode titled, Building Robust Risk Cultures Through Collaborative Cyber Risk Management. The summary for this episode is:

Oftentimes, cyber risk teams are viewed as reactive "audit police," swooping into projects to flag risks and forcing changes at key points. This approach can generate a resentful, even toxic, risk culture. There's a better way to build healthier risk cultures: taking a more collaborative, embedded approach to cyber risk management by positioning cyber risk leaders as advisors and partners, working side-by-side with project teams from the start.

On this episode of GRC & Me, Chris Clarke is joined by Cyberpink's Founder & Owner, Praj Prayag-Deb, to discuss how to shift your organization's risk culture toward this new approach, her formula for building successful cyber risk programs from scratch, how leveraging the right technology makes it all possible, and why adopting a growth mindset is critical for every cyber risk leader.

Chris Clarke: Hi, welcome to GRC & Me, a podcast where we interview governance, risk and compliance thought leaders on hot topics, industry-specific challenges and trends to learn about their methods, solutions and outlook in this space, and hopefully have a little fun doing it. I'm your host, Chris Clarke. With me is Praj Prayag-Deb. She has over 18 years of IT audit, risk and compliance experience at Big Four and top tier financial services companies. And we're excited to talk a little bit about building a culture of risk, what cyber risks keep Praj up at night and the growing sophistication of cyber risks. Praj, do you mind telling us a little bit more about yourself? What's been your journey in GRC?

Praj Prayag-Deb: Yep, absolutely. Thanks, Chris. Good morning, everybody. I'm happy to be here and I'm Praj, like Chris said. I have had a pretty long and interesting journey in GRC. I do have a computer science background, so I started my career within the technology and technology audit space and I spent the first half, which is now growing shorter as I spent more of my second part of my career in risk. But I spent the first few years in technology audit solidifying that audit compliance mindset across Big Fours and that was the era of SOX and everything was about SOX, right. So it was that. And then I jumped over into technology risk and now it's evolving into obviously cybersecurity risk and GRC. So I have about 18 years in this field and I've spent the last seven, eight years in leadership roles. I spent the last five years at my last company, which was Horizon Media, building up their entire GRC program from scratch, which was a very interesting and satisfying challenge. So that's a little bit about me. I live in the North Jersey, Manhattan, close to New York City Metro area and I have a seven-year-old boy and a husband who also works in tech but also has a band in the city.

Chris Clarke: Very cool. Thanks for sharing that. I think your background's so interesting in just the way the IT audit, but the way it's kind of naturally evolved with this technology. This is something I'm interested in, but for someone either who is in their career in GRC, I'd be interested, what's your top piece of advice for a GRC professional?

Praj Prayag-Deb: Right. So I think, look, I'll answer that question while I'll touch a little bit on what you said about the IT audit, right? I think that being across audit is a little bit more rigid than being across risk or GRC, but if you do it in the beginning of your career, I think it's really helped solidify your understanding of controls compliance, risk definitions, and the knowledge around all of that. So I think that my advice for people who are getting into the GRC field or aspiring to be in the GRC space is spend some time strengthening your fundamentals. Whether those fundamentals are a deeper understanding of technology, whether those fundamentals are a deeper understanding of compliance, that of controls, that of kind of the basics of auditing. Based on your educational background and what experience you've had and where you are in your career you'll be able to identify those, but I think it's very important to strengthen those fundamentals because when you are in a GRC program, there's a lot of room for innovation. So you're in the right space with the right people, I think there is scope to become a thought leader at every level. You don't necessarily have to be a director or a VP to be a thought leader in the GRC space because it's such an evolving space, it's growing, it's branching out, kind of interfacing with so many different areas. And I think there is so much hope for us to add value to our technology goals and our strategic goals as an organization, even business goals, not just technology goals through the GRC program and move away from the whole cost center mentality. So I think it really helps to strengthen your fundamentals across those areas and talk the talk with your technology leaders and your business leaders and your auditors.

Chris Clarke: That's awesome. I love that. Now I need to go brush up on my fundamentals right after this. So we've got a great bunch of great topics on cyber risk, but I always like to start with this concept of risk management in your daily life. So I live in Texas, we're going through a heat wave right now, so it's 115 degrees outside, but one thing that I've started doing is I recently bulk bought sunscreen and I've started, there's a very high risk of sunburn now everywhere we go. And I have a two-year-old, so for them as well, I just try to be hyper on top of it, but I've actually started hiding sunscreen bottles in all the different bags that we have just because you never know. So it's in the car, it's in our diaper bag, it's in my backpack, anytime now where we go. And the goal of that is we have a pretty high sunburn risk, but I'm mitigating my forgetfulness by putting things where they naturally are. So that's my daily risk management, but I'd be interested in if you have any examples of how you think about risk management in your day-to-day or outside of work?

Praj Prayag-Deb: Yeah, I know that's a very interesting question and I think risk management is very embedded into our lives, but it's very dramatically different based on your personality. And I think some people are more like, "I'll deal with it as it comes and that's not going to happen and the likelihood of that happening is almost zero, I don't want to think about it." And some people are, "Well, I want to be prepared just in case." So I think both of those can play interesting roles in your GRC career, both of those personalities. But I am one of those that is always, I would like to be prepared in case that happens. So yeah, I do a lot of what you just said. It's when we are traveling, we have checklists and me and my husband are sharing the checklist a week before and just doing little tasks daily, because we're both busy and we don't want to find out the day before we are leaving that, "Oh my god, we're missing 10 things on this list." And so I'm a huge planner. Anytime we go to... So we went to Disney World last year and last spring and it was, I think pre-COVID it was a little easier, but post-COVID, they had so many reservations and now there's a fast pass system. It's all a little bit different and complex and I think it overwhelms some people and then they land up standing in line. So I think my husband says like, "You won Disney." Because I planned it to such a tee that we didn't stand in a single line. We obviously have fast passes and stuff everywhere, but even then there's a method to it, there's an app and there's a reservation system. So it overwhelms a lot of people, but I made sure to study it and make sure that we were going there with my then, I guess my son was five then and we did not want to have whining standing in lines in the Florida heat. So yeah, we basically didn't have to stand in a single line and we did every single ride on our list.
And I think that was because of planning and because of that risk mitigation mindset that, "Okay, in the event that there is a line and we have to stand in it, how do I plan this and structure this in a way that this becomes an enjoyable experience for us? That we are focused on enjoying what the rides are giving us rather than the pain of standing in lines and going through the heat and all of that." Because I think that takes away from the enjoyment that everybody comes out like, "Oh my God, I need a vacation after this. This was crazy, blah, blah blah." So I personally think that planning and risk mitigation in your personal life gives a lot of comfort and gives a lot of foresight into what can happen and especially as you have children, but that doesn't mean that's the only way to live. There is also a lot of, I think maybe overkill that comes with it. So I do appreciate the other personality that doesn't go so far down that road as well.

Chris Clarke: I love that. And I mean you're using risk as a strategic advantage. You planned it out, you maximized your enjoyment coming up, benefiting from that fast pass. And it's interesting that you say that, we could probably do a whole podcast episode on difference in risk appetite thresholds between partners.

Praj Prayag-Deb: Exactly.

Chris Clarke: Because similar to you where if I'm going on a trip I'm packing the night before, I'd say there's a checklist, I literally will go top up, I choose everything that I could wear. My wife will wake up 30 minutes before we're going to leave, and that's when she packs everything. And then I'm like, "How can you live like that? How could you sleep going into that?" So I love that example. So I guess jumping now, the example you gave is a little bit about culture of risk, but you've been a part of a lot of different organizations of different sizes. And as an auditor, probably an individual contributor, the director level, how have you built a culture of risk in these organizations that you've been a part of?

Praj Prayag-Deb: So look, there's no one short answer to that question, but I think that overall, and again, your contribution obviously does depend on your level, but I think overall it is very important to have senior leadership buy-in into building a culture of risk. They're going to want to do it. So it needs to be done at a few different levels. So at the C-level, you need to have the C-level believe that mitigating the risk, managing the cyber risk or information risk, creating a GRC program is something that's going to benefit your organization. Now you also as a leader of the GRC organization need to strategically align your goals to that of technology and business. And I don't mean one-on-one, that's not going to happen, but you need to create a strategy such that you're enhancing their strategy, you are helping them, you are driving their growth rather than pulling them down. But at the same time, you need to get their buy-in on making sure that they do embed risk management practices as a part of their culture. So there's the reactive part of it and then there's the proactive part of it. So a lot of times companies get very caught up in the reactive part of it, and I think that speaks volumes about how leadership has looked at it. I think good leaders need to take time to take a step back and build a proactive strategy for risk that is embedded into their culture. So they need to talk to their technology teams and leadership about risk. They need to make sure that everyone's aware of what's coming, everyone understands its value, there's enough security awareness, there's enough training, and they need to remove the busy work from managing risk and focus on building relationships and understanding and building that strategic value together as a team. So I think all of these can be done at various levels, but I think the buy-in is definitely key and it's important, but once you do have the buy-in, I think you need to do it at various levels.
So just kind of giving you an example, let's say you're an individual contributor and you're managing risk and there's a risk that comes your way, instead of taking a more policing approach and leading with fear saying, "If you don't remediate this, these are the consequences." Which you do have to set up consequences. That's a part of accountability. You have to set up tracking and all of that and dates. However, there's also another aspect to it where you as a risk analyst partner with your technology organization to find a solution that works because your technology organization doesn't understand risk. You are supposed to understand the risk, the likelihood, the impact, the analysis, and you are supposed to guide them into what is the solution that enables our business to achieve their goals while mitigating or lowering this risk. Now that doesn't mean this is not a unicorn where every time you'll have that solution, but that needs to be your approach and that's how you'll spread that culture of accountability because then they will rely on you as their advisors in order to make sure that they're doing that. And eventually a very mature risk program across an organization needs to include risk advisors in their daily business solutions. You're building a new application, you need to have risk advisors from your GRC team that will guide you into implementing those controls before your application is built. You don't have to wait for the application to get built and then for someone to go in and do an assessment, then you point out 15 different things that you need to mitigate, which is now you've wasted everybody's time. So I think that's the goal and these are the steps that we need to take from each level. Most organizations are not there, they are in that sort of mature space to where we can embed risk into everyday decisions because it's a relatively new field.
But I think I have seen organizations take some tremendous strides on creating that accountability culture by continuous partnership, continuous innovation growth, continuously believing in the risk organization, giving them the autonomy to buy tools, to build the program, to build relationships, to understand that and drive that.

Chris Clarke: I loved all of that. I feel like I'll oftentimes, as you're going through these programs, you're going to hear exactly what you said. It's really tough to get the business to buy in on the risk management piece. And so much of that I think tends to be because compliance and risk can be seen as kind of the stick or the enforcer rather than the carrot of how... And so the part that you mentioned around there's goals at the top that the senior and aligning those, that's such a powerful shift in thinking that I think really could benefit just organizations.

Praj Prayag-Deb: I absolutely agree. I think that shift in thinking is absolutely needed as we grow from our whole world was SOX, like I said, 20 years ago. As we shift from that to a more sort of sophisticated, mature, embedded risk culture and a GRC program that's based on that, I think that culture shift is needed because we don't want to be the cost center. The CISO organization I think plays a very pivotal role. There's a huge push now to get even cybersecurity advisors on the board. So I think that that itself is an indicator that people are now thinking about embedding risk culture from the board level all the way down to an individual contributor level. And like I said, organizations are in different spaces and a lot of them are just stuck in the traditional mindset, but I think that cultural shift is very significant and I think that it is going to lead to some great waves in the way that GRC programs are built and going to lead to some easy collaboration. I've seen this even in some top tier banks that I worked with where they had an advisory section of their technology risk program where anytime technology leaders were undertaking a significant change or a significant project, they were coming to the technology risk organization to understand the risks and be proactive about it. And I think that's fantastic. So it definitely needs to get out of that policing audit mindset where it's like, "You got to do this because I'm telling you to do it." That only takes you so far. And I think as more and more modern organizations with a more collaborative and flatter culture emerge, I think this approach is going to be significant.

Chris Clarke: And it's interesting that that shift in mindset is then seeing the results of having people added to the board. And along those lines, I'd be interested, as someone who is technical and working in this tech risk space, how do you communicate those kinds of technical risks to people who aren't technical?

Praj Prayag-Deb: Yeah, that's always a challenge. And I think the important thing to focus on is what are we helping them achieve? So I believe in, there's a word that circulated everywhere that I'm a servant leader. I don't particularly like that word, but I think what it means is that as a leader, you are here to enable your team to succeed and enable your organizational leadership to achieve their goals. So I think it's important to understand what is it that you're expecting from them and what's the value add to them from this, right? Are you just telling them, "I want you to fix this risk because I'm in this position and I can tell you to fix this risk." That typically doesn't fly. So I think you need to, as a leader, or even as obviously definitely as an individual contributor, you need to, A, understand the impact. Impact analysis of a risk is very significant most of the time because every risk will have a different impact on the business. And if your risk that you're asking them to spend, I don't know, maybe 15 or 25 hours of their staff's time to mitigate has zero organizational impact on their team's goals, then no matter how much you explain it to them, you're not going to be able to get them to justify spending that time on mitigating that risk. So I think that business impact of the risk, of the technology risk is very important. And then to be able to translate that impact on what it means to them on a daily basis. So for example, you have data retention risk or business continuity risk, rather than kind of framing it out that way, you need to show them what productivity impact that might have on their business. Maybe try to quantify it for them based on the application that you're talking about. So you don't want to necessarily silo them into a compliance or an expectation, although that's necessary if your organization is subject to fines and stuff, that is a part of the impact.
But I think it is also important to paint that picture for them and understand how it would matter to their audit, their team, their goals. And I think that's where the translation is key. So I mean leaders do understand technology, but they understand it as a user, they understand it in a way that, "What does this technology do for me to achieve my business goals?" And that's how you should talk the talk with them. And that helps tremendously I think, because they're not looking for you to say, "Oh yeah, this change doesn't do according to this compliance, according to this standard blah blah, blah. You're trying to do this." And they're looking to see, "Okay, what does this mean to me? Is my productivity going down? Are my people going to get locked out of the system? Can people steal my data? Can this affect my clients? Can this affect my reputation?" So I think that analysis, far too many organizations spend time creating busy work around the risk management and not doing enough analysis on them. And I think that's where efficient tools come into picture where you reduce some of that burden and create a more proactive approach. And your staff needs to spend less time entering information and tracking things rather than they need to spend more time actually analyzing what that means for your organization and then help drive the mitigation of that risk or acceptance. I mean, however it works out from the appetite perspective.

Chris Clarke: Yeah, that's so fascinating. To your point, so much of this technology, it's just a tool. It's just a way to achieve some other goal. It's a facilitator rather than the end all be all of it. So helping understanding that what you're doing impacts that technology, but the technology impacts, there's always a, "So what?" question following that and helping leaders and just anyone who needs to help understand, that's really powerful.

Praj Prayag-Deb: Yeah, exactly.

Chris Clarke: That's cool to hear about from how risk can achieve those things, I'd be interested in then, how do you report on the health of what you've achieved? Are there types of reports that you find are powerful to show to the board or to communicate the outcome of that risk program?

Praj Prayag-Deb: Yeah, no, that's an interesting question and I think it's an ever evolving one. So I think as a community we are still trying to figure that out. But I think metrics or reporting, it varies tremendously at each level. So as a leader of the risk score, I'm more interested in operational metrics to understand what volume we're handling and how is that impacting my team's productivity and how much of that reactive versus proactive are we doing and how much process change is helping and where do we need to fix challenges and problems. But I think when you start talking about the board and the C-level, it's very important to focus on trending I think for the C-level and for the board, right? Because they're not interested in the details of how many risks we've mitigated last month. What they're interested in is are we evolving as an organization? Are we growing? Are we better this month than we were last month? Or maybe month is an overkill, last quarter, are we better this quarter than we were last quarter? And they're not interested in the operational methods that we've used to get us to that space. I mean, in a good way, obviously good leadership is interested in what you've done, but not at the detail level. So I think it's very important to show the trends and show the organizational impact of the trends. So I think that an easy win for a risk management organization is always the security awareness training and phishing and all that because all of the C-suite boards and everything is against it. But I think that if we can show trending on how we help lower the risk of our top tier applications, how did we help our organization get certified for certain compliances because we had a proactive risk approach and made sure that we did a self-assessment and fix those risks before the external regulators came in to evaluate us. They're interested in that sort of stuff.
Are there any critical gaps that we've identified that technology leaders are now working on that could have led to data loss or breaches? Or how are we protecting our information assets and how is the risk organization proactively helping the technology organization manage their resources, manage their funds, manage their time in order to protect our information assets? And how we are doing better on that this quarter than last quarter should be the theme of what we're presenting to the board. I think that's what they're interested in the most. So I think that's where analysis at every level is helpful because you want to make sure that, again, the proactive approach and analysis to all of your metrics, that you have tiered metrics where you have the ability to analyze that trend that... For example, sometimes you have a bunch of critical risks come up one quarter and then they disappear the next quarter and then you have more critical risk the quarter after. So it goes up and down, but there's always a story to be told behind that. And I think that we need to present that story, if applicable, to the board in a way that we're translating it into organizational impact. And I think that's the key.

Chris Clarke: And when you say organizational impact, have you found that turning that into dollars and cents has been the best of the story? Is there a metric or number that helps with that or does it tend to differ based on the type of risk and the type of problem that is arising?

Praj Prayag-Deb: So look, metrics and numbers always help with the board and C-level, but I think that risk can also be subjective. So I think it's not always possible to quantify risk. It's possible to quantify the compliance piece of it. If we want compliance, this was our fine and this is what we were subjected to and this is the regulation and then this is how we became compliant. From a risk perspective purely outside of the compliance umbrella, I think sometimes you can't quantify it. So I think then it's important to understand the organizational impact on the business. Did it help us get more clients? And again, you can't quantify and claim that all of the money that you've gotten through clients because of the risk cost, so you can't quantify, but has it helped you get clients? So for example, clients expect organizations to have a stable third party risk program if they're allowing you to handle their data. So how robust is your third party risk program? And if that has been robust and it has been alternatively kind of getting to a very mature space, then that's one way you can show organizational impact where it's helping you drive business. Because when clients come and ask your business teams like, "Hey, we are actually giving you data and you are on vendors, and if you are subcontracting that to 10 different vendors, how stable is your program and what do you do from it? And then how do you manage the risks from it?" That goes back to having a risk register and having that program stable. So I think that sort of impact, not necessarily in terms of dollar amounts, but that sort of impact is significant on an organization or your CIO, you can help the CIOs drive, like I said, budget and projects pretty significantly.
So like, "Okay, you had critical risk across these two applications and there wasn't enough people there or there wasn't enough funding and there was some things that were preventing us from mitigating those risks and we worked out solutions from them or we lowered that risk from critical to low by fixing half of the things and now the data that resides in those applications is secure and we've reduced the possibility of a data breach or we've created efficiency in change management or our application development lifecycle because of the fact that we've embedded risk while we are implementing the change." Stuff like that. These are just examples, but there is a lot of qualitative analysis that you can do surrounding risk that the board would be interested in. But I think that the program has to be a little bit more mature for that because in order for us to get to that point, we have to have a strong operational program. Which again, I go back to this, I had spoken at Agility about the building a high value risk program and my method, it talks about this people, process, technology method where neither of those can actually build a strong risk program in entirety by itself. You can't just have people and have them do busy work and not give them the right tools, that's not going to give you anything. You can't just have a tool and not the right people to actually use that tool and you can't have an inefficient process that you've built into the tool or have the people work. So I think that if you build your risk program with the combination of these three, and I won't go down super into detail on that because I think I'm kind of digressing from your question, but I think if you build that in a certain level of strength in terms of its foundation and then you build on that into a mature program, then you will be able to assess that risk and present the larger organizational impact, whether that's quantified or more of a qualitative opinion, but it'll be there.

Chris Clarke: Yeah, I mean it makes a ton of sense, to go back to the one thing you said at the beginning of there's this top-down approach of risk of building that culture, but in the same way when you're going back up, you need to start with the basics. That foundation of people, processing, technology and it's almost a bi-directional approach to risk management because the tone's at the top, but it's a bottom up escalation of risk that helps tell the story of what the team is doing and what they need to know from a risk perspective. One thing I'd be interested in is what always makes me worried is this concept of unknown unknowns of if you're not aware of a risk then you can't really mitigate it. But I'd be interested in what keeps you up at night around your risk management program, what are you worried about?

Praj Prayag-Deb: So I mean that differs from organization to organization because challenges occur, but I think I'll answer a question more as a risk professional, not really specific to organizations. So I think as a risk professional, what would keep me up at night is really what you said, the unknown, which is not having enough avenues to identify risk because I get that you don't know what you don't know, but I think that a huge part of a stable mature risk program is making sure that you identify every avenue to identify risk. I apologize for the double identify there, but there's no better way to put it, is that you need to make sure that you understand where your technology risk comes from and make sure that all of that is assessed and analyzed. So it can come from your vendors, it can come from pen tests, it can come from vulnerability assessments, it can come from audits, it can come from your control self-assessments, it can be self-reported, it can come from your application development life cycles, it can come from technology orgs, it can come from architecture, it can come from application security orgs. And I think the size of that can be so overwhelming for some organizations or even the inclusion process of that can be so overwhelming that people never get there. They just kind of have a few streams going into a risk register or a risk program and the others are just floating. They're just kind of like, "Oh yeah." So there is a lot of risk in that specific theme or org, but nobody's ever tracking it. It doesn't matter whether... I mean, it does matter whether you're mitigating or accepting, you don't obviously want to accept all the risks, but there will always be certain amount of risks that you're accepting. And that's where your risk tolerance comes into picture if you have an ERM program, like an enterprise risk program. But I think what is scarier is to not know where that risk exists and where that risk sits.
And I think for that, it is very important. Again, I go back to the people, process, tools thing because it's not possible to do this manually. So it's very important to have the right tooling in place where the tool is able to capture all that risk. And either that's automated through interfaces, self-reported, whatever you erect, I think it's very important for us to capture that and analyze that and then have the resources from a people perspective to actually help us figure out the treatment of that risk. So I think that unknown is what, as a risk professional, would keep me up. And then the cliche things or the phishing attacks and stuff that everyone talks about, that's always there and that's never going away. But from a purely sort of GRC technology risk perspective, I think this is what organizations struggle with the most that can have the largest impact on their organization.

Chris Clarke: That's so fascinating. Yeah, just knowing where the risk can come from is such a big piece. I guess, asking for a friend, can you send me that list whenever you get a chance? Then I can have it. But I appreciate you sharing that. One thing building off of that, that I think would be interesting is technology is accelerating at such a rapid pace. How do you recommend risk professionals keep up with that?

Praj Prayag-Deb: That definitely is a challenge, and especially now since we moved on from on-prem and mainframes to cloud and cyber and now we're talking about AI, and so it's always very rapid. I think in the last 20 years, technology has moved at breakneck speed, and I think that it is a continuous challenge for professionals to keep up with it and we're never going to be fully ahead of that challenge because technology is going to keep evolving. I think what is important too is to have a growth mindset. This is something that my now seven-year-old's kindergarten class taught him, and I thought it was so interesting. They told him about a still mindset and a growth mindset and about how a growth mindset is very important in life to overcome challenges. So from their perspective, obviously it meant not having tantrums if their pencil breaks and stuff like that. But I think it was profound and I actually adapted it and talked to my team about it when he learned that because I think that while we can't ever get ahead of that technology, I think having that growth mindset means that we're close to the technology business as an org, to understand where they're adopting the technology. How are we moving as an organization to meet our business needs by changing our technology? And then as a CISO org or as a tech risk org, how are we staying abreast of those changes and making sure that we are increasing our knowledge and adapting our risk practices to incorporate those changes? So I think that's sort of a mindset that we need to have in every organization that we work as risk professionals. That necessarily may not mean taking a training course or a certification. It may mean so in some situations and that's great if it's laid out there like that.
But in some situations it simply means building those relationships to stay abreast of those changes, to stay ahead of those changes, to understand what's coming, to understand what's going to happen if those changes were to materialize, what's the business impact? How do we change our processes and our procedures to be applicable to that? So if we use the same kind of set of questions as we did for our on-prem applications for our cloud ones, it's just going to create unnecessary busy work. Some of it may apply, but some of it just won't make sense. So I think just kind of staying ahead of that curve in your organization and abreast of that, I think goes a long way. I mean, there's always going to be, like I said, certifications and training classes and I value them tremendously. So I think they will help, but the ultimate goal is to have that mindset that we are going to grow with organizational change. And then in turn, I think... I'm not a CISO, but, and I've worked with a fantastic CISO in Horizon Media, and I know a bunch of inspirational CISOs. So I will speak from that mindset as to a good leader will always make sure that that organizational change is communicated and make sure that the pace matches and make sure that he's empowering his own leadership. Or as a risk leader, I'm empowering my team with the tools that they need to be able to scale to that change. And then that's why even in terms of GRC tools, I place a great deal of attention or place a great deal of... What's the right word I'm looking for? Basically, importance to scalability of a tool because as organizations adapt and they go through change, if you have a tool that doesn't allow you to quickly change, if your tool takes six months of 20 professional services professionals and a whole ticketed change management process and blah, blah, blah, blah, blah, to make a change to the tool because of a change, your organization's changing again in those six months.
So I mean, not that I am not undermining the controls behind change management, but I think that it's important for your risk program to be scalable in terms of tools, in terms of process, in terms of making sure that process changes can be quickly adapted into the tool. People can be trained quickly as technology evolves. I think that's how we keep ourselves at pace with that change. Even though technically we cannot ever outpace technology change, we can at least make sure our program remains current and relevant and adds an equal amount of value as we go through that change.

Chris Clarke: I love the growth mindset piece. I think there's so much... Well, I don't want to say growth, but value that becomes unlocked when you stop thinking of learning and development as something you do after your job, but start thinking of it as a core piece of what you're supposed to be doing every day. And it almost takes away the guilt of that in some ways in approaching that in your day to day because, to your point, it's helping manage those risks, it's helping address those technologies, it's helping adjust to change. That's so powerful. To maybe use a real example with emerging technology, what should risk professionals be thinking about with AI or artificial intelligence?

Praj Prayag-Deb: Yeah, I mean that's certainly the topic of the hour. It seems to be discussed everywhere. So I think AI does have tremendous usage in a risk program. I think especially in things like policy management, third party risks. So I did a couple of brainstorming sessions with some startups and even some researchers in Stanford that approached me on LinkedIn to brainstorm about usage of AI in risk management. And I think that it does have tremendous potential. So I'll give you an example. With your third party program, there is so much that you need to read documents and populate. So you're reading policies, you're reading SOX reports and stuff, AI can read that for you and pre-populate the fields. In terms of control self-assessments, if people are again providing you their procedure documents within the organization, let's say you're doing a self-assessment over a change management process and you have your five controls laid out and a team gives you their procedure document, you can identify the controls and map your control activities, control objectives there. I think that there is a lot of reading and feeding data work that AI can do for you in risk management. And I think that needs to be embedded as risk management tools or GRC tools evolve and that space evolves. I think the ones that come out at the top and the ones that I think keep abreast of this will be the ones that incorporate AI as a part of their offering. So AI shouldn't be like an additional thing like, "Oh yeah, let me add AI." It's not like that. I think we have to adapt our process to include AI in that, right? So it's a part of the growth of the process that my aim has always been to automate and create efficiency and reduce busy work. And I think I have stood by that literally since I've started working in risk management.
I was at Comcast and I remember I had an amazing leader there and I had a little downtime and I went to her and I said, "I have some downtime and I'm going to re-engineer our..." We had ACDA at that point for GRC. "I'm going to re-engineer our process in our GRC tool." And that became a full-blown project that saved us a million dollars just because of the way it was configured. So I think that that's how I look at AI. It's a part of that process, re-engineering is a part of that. It needs to be embedded in the tools. Obviously we're not there yet, but that's what people and tools need to start looking at that how are we making this process more efficient with the help of AI and embedding that as a part of our offering. Where I think we need to be very careful is to not take away that analyst mind and give that to AI. I think that is where a risk expert and the subjective analysis and experience of people comes into the picture. So I think that AI can be of immense benefit to create more automation, more efficient processes, reduce that overload of scanning through documents, managing policies, and then that leaving us more time for analysis. So hopefully organizations that are looking to go from a huge scale of maturity can hopefully get there faster because now your tool is doing more busy work that's allowing you to actually empower your people to focus on risk analysis, focus on building relationships, focus on being more proactive, focus on embedding yourself in that risk culture that I talked about earlier. So it doesn't mean that I'm looking for AI to replace people, which seems to be the common fear and going down the [inaudible], "AI is going to take my job, AI is going to take my job." I think AI is just one of the tools that we have for something that we should be doing on an ongoing basis anyways.
We should be looking at growth, we should be looking at automation, we should be looking at reducing our busy work, and we should be looking at replacing that with more analysis, more embedding, more advisory work within the organization, more integration into your business practices. And for that, we need strong people. So I think that contrary to popular belief of AI taking over jobs, I think that it's a very clear distinction between what AI can do for you, at least in the risk field and how it can enable people to do better and make your risk program a better success for the organization.

Chris Clarke: I love that. And what you just said is, it's been a theme of what you've talked about of technology is a tool and it's a tool to help people do their work better, to do their jobs and make their lives better and easier. And it's such a mindset shift from this almost fear approach of like, "Oh, a new technology is coming, I can't do anything with it." To tying it back to the growth mindset of, "Oh, a new technology is coming, how can I use that to make my day better? To make our company better?"

Praj Prayag-Deb: Exactly.

Chris Clarke: So those are kind of all the risk questions that I had. We like to end on this section called risk or that, which is just a goofy approach of your other... So my first one, you work for Geico. The Geico gecko or the Geico caveman?

Praj Prayag-Deb: Gecko.

Chris Clarke: Favorite mascot. Gecko?

Praj Prayag-Deb: Yeah. Look, I've only recently moved to Geico, so I don't have too much emotional involvement in either of the mascots, but I have been a consumer of Geico Insurance for a long time and I love to get contacts.

Chris Clarke: Okay, all right, good. I remember the caveman commercial of them in an airport just riding on this little escalator and I just always laugh at that. A more real one now is when you think about your cyber risk landscape in your organization, do you think most cyber risks tend to originate from actions taken by people within your organization or outside of your organization?

Praj Prayag-Deb: That's a great question. So again, I'll answer that in a more generic way and not to point to any specific organization, but I think externally is a bigger threat than internal in terms of cyber risk because I think that with the internal... I mean it certainly is something we need to assess and address as well, but I think that there's a solution for the internal ones in terms of strengthening our control environment, staying ahead of that in terms of assessments and technology. And we've discussed some of those things before. But in terms of external, I think that's an ever-changing landscape. I think phishing attacks, the hackers are becoming increasingly sophisticated and I think that organizations are, for the most part, most organizations, I don't want to use the word struggling because it doesn't mean that they're all subject to data breaches or anything like that. They're not struggling from that sense, but most organizations are needing to invest in resources to combat that. And I think that there's the vulnerability piece of it, there's the securing perimeters, like ops piece of it, and then there's the security education piece of it. There's the phishing monitoring piece of it, simulation piece of it. There's so many pieces and they're ever-changing. And I think that definitely remains to be a threat to the organization and will continue to be one because there's so many different pieces that have to fall into place that only fall into place after an attack occurs. Like you said earlier, you don't know what you don't know. So I think once an attack occurs, we learn from it, we release a patch, we update our tools and increase our training and have more examples for a phishing simulation, but that's only an aftermath. So I think that... And that doesn't mean I want to paint a negative picture of it.
I think there's some tremendous work being done across organizations in terms of just awareness, just that you would be surprised how much impact just security awareness creates on organizations. So I think there's certainly tools there that can help us, but that definitely remains to be a bigger threat in my opinion.

Chris Clarke: No, I appreciate that. That's awesome. This isn't in the risk or that, but one thing that I wish I had asked during the growth mindset piece is what books do you recommend to people just to learn? And it can be from just general professional development, I'd just be kind of personally interested in what I should read next.

Praj Prayag-Deb: Yeah, no, that's a great question. So I actually was an avid reader, but I have to admit that I have reduced my reading since my son was born simply because being a working mom and a leader and everything has taken up all of my time. So there's quite a few books that are on my radar, and I do listen to some podcasts as well, but I love listening to inspirational leaders or reading about inspirational leaders. So I do read a lot of stuff about Barack Obama and just kind of strategizing, and this isn't meant to be a political statement, his thought process as a leader and understanding how he tackles problems and how he reacts to certain circumstances or situations when something happens in the country and how he reacts to it. I also love reading about business leaders just in biographies and in podcasts and TED Talks and stuff. So that's been more of my thing lately than books, although I do want to eventually get back into reading more books. I still do read fiction books. My son's just started reading, and I think now that's become a thing where it allows him to sit in one place for half an hour and mom gets to read a book for half an hour on the beach. So I think those I do keep up with, but I think I also love reading books on a positive mindset, like anything that is encouraging you to be strong and positive and tenacious because you are going to meet hurdles in your journey, in your career. And I think problem solving is a big part of how you can be successful and how you can handle those problems. So I think books on that I highly recommend. I also, and this isn't kind of a book and isn't what you asked, but it's a tool nevertheless. My husband does a daily meditation and I need to do it, I need to commit to it, but I have to admit that I haven't been as regular with it as he has, but it's been something that I'm experimenting with and aiming to make it a more regular practice.
And I think it really drives your mindset tremendously, way more than you think. So I think it really drives, your problems are not going away, your challenges are not going away, but how are you looking at them? How are you tackling them? And giving you that clarity of thought, I think is very, very important, especially as you work in areas where there's always stuff happening and there's always a new problem to solve. So I think that clarity of thought really helps. So I think that's a great tool as well. So anything positive, anything sort of growth mindset. I stay away from books that almost project like type A success on people. I think it's very important to embrace diversity in leadership and growth. And when I say diversity, I don't necessarily mean racial or ethnic or language, diversity of thought is what I mean. So I think I don't necessarily... I'm not a fan of books that make you feel like you have to be a certain way and then if you're a certain way and do certain things, you are going to be successful and you're going to be a millionaire. It's not like that. I think it's embracing who we are as humanity and it's embracing different thoughts and different ideologies. And taking them together as a leader, I think our success lies in evolving our mind to understand how these different thoughts and different personalities and different people have a positive effect on your department, on your team, on your leadership style, on your strategy. So I've seen books and talks that kind of embrace that ideology, and I know other leaders that I've worked with that embrace that and they've been very inspirational to me. So I didn't quite answer completely just books, but I just wanted to go down that path of what inspires me and what do I recommend.

Chris Clarke: No, I appreciate that and for sure things that I'm going to start to explore. It's part of my career, so thank you.

Praj Prayag-Deb: That's good.

Chris Clarke: Those were all the questions I had. Any last thoughts for our listeners?

Praj Prayag-Deb: No, I think this was a fantastic discussion and I encourage anybody that's trying to get into the GRC space to be open, learn, grow. I think it's a very exciting space. I'm also open to mentoring. I have mentored people on LinkedIn, so I'm on LinkedIn as Praj P., look me up. I'm happy to mentor any folks that are trying to get into the GRC space or not necessarily from a job perspective, although I can do that as well, but just also from a career growth perspective and stuff like that. And I think it's a very exciting field. I think that it's a very balanced field. It's got a lot of scope for innovation, so I'm excited to see where it goes for the future and I'm learning as it grows as well.

Chris Clarke: Awesome. Well, thank you so much, Praj. We've loved having you. And thanks for everyone listening. That's our show.

Praj Prayag-Deb: Yeah, thank you. It was my pleasure to be here. Thanks so much, Chris.
