GRC & Chill: Kickstarting Your Risk Management with Quantification
Megan Phee: Hi, I'm Megan Phee and this is GRC& Me where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry- specific challenges, trends, and more. Learn about your methods, solutions, and outlook in this space. Today, I sit down with Tony Martin- Vegue, the senior information security risk engineer at Netflix. Tony currently leads the risk quantification efforts at Netflix and today he shares with us how he initially got interested in risk quantification. He talks about how others can tactically get started and the positive business outcomes that risk quantification can provide to the business. Now the views Tony expresses today are his own. And for those watching the video version of this podcast today, things get a little wild during our conversation. So I encourage you to try to spot our interesting visitor in the background. And now here's my conversation with Tony. Welcome to the podcast, Tony. Thanks for joining us today.
Tony Martin-Vegue: Hi Megan. Thanks for having me and hi everybody out there in podcast land.
Megan Phee: Yes, I love it. We do have folks listening from all around the world. So thank you so much for sharing your experience and your insights with us today. So let's get right in. I know many of us, we, we just love to hear from other folks in this space about their own GRC journey and in particular today, we'd love to hear about your own risk journey. When did risk and risk quantification, how did this start, in your interest, tell us a little bit about your background.
Tony Martin-Vegue: So that's a great question, Megan. I think I have an interesting and unique origin story of how I found myself in the risk quantification sphere as part of my career. So I've been in IT and security for over 20 years now, I've lost count, I think after 20 years. And I'd always been really deep into security and some pretty detailed domain topics like cryptography identity and access management, stuff like that. And I was lucky enough to have a mentor early on that really started to push me toward risk management because I have a background in economics, a degree in economics, and I was able to really exercise a lot of the pieces of my brain that made me good at economics to risk management, to cyber risk management. I started out the way a lot of other people did with qualitative techniques. That's regular green, or high, medium low, because honestly that's, what's taught to us. That's what's in the CISSP materials. That's what a lot of the standards and frameworks recommend. So that's what I started with. How I got into risk quantification? So this is my origin story. So I worked for a bank. There's a regional bank here in California and I was presenting the results of some of our cyber risk assessments to some members of our board and senior executives, some C- level people. And I was in the room with everybody else that manages risk in their areas. So it was me, cyber risk, and then we had someone from liquidity risk, we had credit risk, financial risk and so on and so forth. The financial risk put a slide up on the screen and described what our financial risk exposure for this year was, I can't remember what the number was. It was a hundred million dollars of risk exposure. The credit risk person, we have 50 million of risk exposure in this area. And this is why. The liquidity risk, 20 million of risk exposure in this area. It got to me, cyber risk is red and then I got some really pointed questions about using the same denominators as other people. And what does red mean? And I see multiple reds up there. What do five reds equal? It was embarrassing because as I mentioned, I have a background in economics, so I know that this stuff can be quantified. And that's when I went back to my desk and started fiercely Googling cyber risk quantification. And here I am now.
Megan Phee: Wow. I mean, I think so many of us can relate to that story. I mean, I laugh, but you know, I know in the moment it's not laughable, but it is. You have five shades of maroon up there. What does this, what's maroon from red? How do you define that? And everybody else is speaking in one clear language, which is financial impact. And so that is really interesting that you took that as that motivation to say," I got to figure this out." And that was so how long was that? That was like a decade ago then
Tony Martin-Vegue: It was a little bit over 10 years ago. Yeah.
Megan Phee: Okay, great. And then once you started doing some research, how did you ultimately get started? And the reason I ask this question is, because I think a lot of folks listening on the line are reading about risk quant. They're obviously coming to this podcast to learn more and learn about people's experiences, but they think about," Oh gosh, where do we start on our journey?" We still have to think about our own taxonomy. We've got to still think about just understanding likelihood and impact and residual impact to the business. How do we get to that stage of risk quant and that maturity risk quant. So how did you get started? Tell us a little bit about that. What advice would you say in regards to that?
Tony Martin-Vegue: That's the number one question I get from people? How do I get started? Because you can look at the entire sphere of influence that's out there in the risk quantification world. There's all the books and the journals and the software. You can get really overwhelmed and it feels like too much. It feels like," Oh, I can't go back to school and get a master's degree in statistics." So how am I ever supposed to start this? And you really don't have to do any of that stuff. You really just want to start taking baby steps. And your whole goal in your risk management program should be to be a little bit better than you were yesterday. And the way I recommend everybody to start out with is just improve the way that you're scoping out a risk assessment. You're identifying a clear asset at risk, something of value, you're identifying a threat that can act against that asset and then the final and last thing is when that threat does act against that asset. What's the effect? It's confidentiality, availability, availability, or integrity. And if you can start scenario building with those three things in mind, one thing's going to become really obvious to you. And that is, I just identified everything I can measure. I don't need to use red, yellow, green, because I can't find data. It's just going to become obvious to you, I think. And that's where I would start is just simple scoping and then the rest of the pieces will just come naturally.
Megan Phee: I love that. And then that's very helpful and I think very practical for folks to think about. It doesn't have to be this big audacious thing. They can start in a practical way. And I love that seeking just to improve a little bit, day over day, month over month, quarter over quarter, assessment over assessment, right? And where, in your opinion, can you go, where can risk quant take you and your analysis of risk within the business?
Tony Martin-Vegue: So the biggest thing that it's unlocked for me when I'm trying to communicate with my stakeholders is the ability to perform different kinds of analysis. When you do red, yellow, green, or high, medium, low analysis, really what you're able to provide is a list of risks that are ranked. Here's the reds, here's the yellows, here's the greens. And we're going to try to turn all the reds to yellows and all the reds to greens. And that's really all you can do. And that's not enough. For me if I was an executive listening to this podcast, I think that you're settling for breadcrumbs if that's all, you're demanding your risk managers to provide you is simple ranking, I would want to see cost benefit analysis. And this is the number one type of analysis that I perform at my company. We have a risk. This is the baseline of risk today and I want to measure the influence certain controls we'll have on risk. So let's try to reduce the risk of data breach by putting in DLP or increasing security awareness training. I want to know by how much those efforts reduce risk, and as an add- on, if you know how much those projects cost, I can give you a return on investment ratio. So those are two things right there that red, yellow, green can't give you. So the first one just to repeat is how much risk reduction in dollars your investment will give you. And the second one is your return on investment ratio. That's the language of business. Your CFO is going to understand this. Your COO is going to understand this intuitively, they went to school. They know these terms. They can interpret those numbers.
Megan Phee: Yeah. I would say that's more familiar to them than the red, yellow, green, obviously, and trying to think about what that legend means to them. I think those are terms that they live and breathe all the time. And so if you can break it down, yeah. And thanks for that example, because I think that's often what we think about is just, yeah, what is the effort here in the business? Any other examples that you could share where when you've applied this, it just helps to get on a common ground, whether it's with your leadership team or other stakeholders that you've seen, their light bulb is like," Okay, now I understand what Tony's presenting to us and the opportunity that we can have if we do this, or if we do that."
Tony Martin-Vegue: I really like getting involved in departments strategic planning. So if you're in this quarter and you want to start planning the next year out, you want to plan for next year, and you think you want to ask for three additional headcount and this many dollars for software that mitigates different types of risks. What I like to do is start to do risk analysis on the risks that you think those things will reduce. So if you want to bring in three additional headcount to reduce fraud, let's go out and measure current fraud. Let's measure that today. And then let's do a hypothetical risk assessment. So those three additional headcount will do what to fraud? It'll reduce fraud by this much. Now you actually have something in your hand to bring to your leadership to ask for those headcount. More often than not that's going to get approved if you have that extra data. So that's another thing I like doing is just giving more data, more ammunition to people to bring to their leadership. Sometimes my analysis shows that three additional headcount won't reduce fraud and that's something people have to be open to, but people are actually really grateful for that because they don't want to waste money. We want to be good stewards of our company's resources. So let's go back to the drawing board and reexamine this risk and see if we can find different ways to reduce risk in certain areas.
Megan Phee: I love that you're sharing that story. I mean, I think of myself as a business leader and how it would be meaningful to someone like yourself to be an ally in that kind of business case development and just even strategic planning. We always talk about risk quantification and clear risk insights can help risk leaders and InfoSec leaders get us to get the table to help inform strategic decisions. I often, because of the space I'm in, more of a sales leader, I always think about new markets and new product lines and services, but for you it's internal business case, understanding of the risks certain decisions would make in that regard, even buying additional technology or adding new resources to our team and adding new folks to the team. So I love that. I think that's great. I think a lot of folks can take that away from you today. Not only practically just how to think about risk, quant to practically start that journey and learn more and then the impact that it could have in those opportunities to measure ROI and true analysis to the business. I guess one final question before I wrap up with a fun one is just where do you go to stay in the know, I mean, you're kind of a student of the space, which is cool. What do you do? Whether you go to events or what do you go to, or you read or listen to podcasts? What do you do just to stay kind of in the know about these market trends and ways to improve your own profession and also impact to the business?
Tony Martin-Vegue: Core saver classes. So just ignore anything in the cyber risk or information security space, because we're 20 years behind everybody else, all the other risk managers. Take a look at business forecasting, corporate finance, forecasting prediction, any class on those topics you're going to learn modeling and techniques that can be directly applied to cyber risk.
Megan Phee: Oh, thank you, Tony. That's great. And I know one of those associations is new to me, so thank you for sharing that with us all listening. So, all right. Thank you so much. And so to wrap us up today, just one final question I have for you is you and I were talking before the podcast just about our own travel for work. And, you know, even when you're out in the world, you think about risk, you go about your life kind of thinking about risk. So tell me a little bit about how you apply that cost benefit analysis into your own personal life. I know you've got a fun story to share with us and you didn't get to tell me the full story the other day. So I want to hear more about this.
Tony Martin-Vegue: So I'm an avid swimmer and an avid hiker too. I really like hiking, but I live in Northern California and Northern California's covered in poison Oak, and I'm really allergic to poison Oak. The equivalent of a grain of salt will send me to the doctor. So instead of hiking, I swim. Swimming has no poison Oak. So I'm on this stupid human trick of swimming from Alcatraz to San Francisco, a hundred times in my life.
Megan Phee: Amazing.
Tony Martin-Vegue: And I'm at 12 right now, but of course I'm a risk analyst. So I had to analyze all the different risks. The number one risk that I was worried about is sharks because that's kind of what San Francisco is known for is a lot of sharks over here. So I did a risk analysis just in my mind. And I found out through gathering data for my quantitative risk analysis.
Megan Phee: Yes.
Tony Martin-Vegue: Is that the bay is now too dirty for sharks. It didn't used to be, but now it is. So sharks don't come into the bay, which is good for me from a shark point of view, but also bad for me from obviously a pollution point of view. So I just have to think about that in the context of my own personal risk tolerance. And I've decided that the risk is worth the expected utility I get of happiness and joy.
Megan Phee: That's hilarious, Tony. I love that so much. I think that's incredible. And I do think you're right your risk of a shark attack goes down and then the increased risk of, yeah, just, I don't even know, materials in the water goes up a little bit, but that's fantastic, I love that. And kudos on an incredible goal that you have for yourself. You'll have to keep us in the know on your journey as you progress on that. Do you have a journey plan this summer to make a trip or have you already done it?
Tony Martin-Vegue: I'm planning on getting back in the water once things start to warm up. Yeah. So I don't have a date yet, but it'll come to me, usually just," Okay, this weekend I'm going to do it."
Megan Phee: Oh, that's amazing. And then I don't know how far is it to the rack to the shore?
Tony Martin-Vegue: It's about 1. 2 miles. So it's not too bad.
Megan Phee: Yes. Oh my goodness. Well, good luck to in all things risk related and thank you so much for joining us today. This is Megan Phee with GRC& Me.
Tony Martin-Vegue: Thank you, Megan. Thank you everyone.
Megan Phee: For those interested in learning more about risk quantification, along with the great resources that Tony shared today, visit logicgate. com to learn about our solution, to help you on your risk quantification journey.
When people think of GRC, generally, they tend to categorize it within the framework of financial or regulated sectors. Even the entertainment business needs GRC. In this episode, Megan Phee is joined by Tony Martin-Vegue, Senior Information Security Risk Engineer at Netflix, who shares his risk quantification journey, how to get tactically started, and how risk quantification can provide positive business outcomes.