Sign up to save your podcasts
Or
Share Rethinking Risk: Data-Driven Decisions for Modern CISOs ft Tony Martin-Vegue
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Rethinking Risk: Data-Driven Decisions for Modern CISOs ft Tony Martin-Vegue
In this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions.
He breaks down Monte Carlo simulations, risk modeling, and the six levers that influence risk—all through a practical, approachable lens. Tony also explores how generative AI is transforming risk quantification and what every CISO, analyst, and engineer can do today to make risk measurable, actionable, and business-aligned.
Key Takeaways
- CRQ doesn’t require perfection—start with what you have and refine over time.
- The most effective risk programs focus on directionally correct data, not precision.
- Good risk scenarios clearly define asset, threat, and effect to avoid misalignment.
- Generative AI accelerates scenario development, data research, and model creation.
- CISOs should demand more from risk teams—move beyond “pick a color” heat maps.
Topics Covered
- Cyber risk quantification (CRQ)
- Monte Carlo simulations and modeling
- Risk scenario design and measurement
- GRC and compliance integration
- Generative AI in risk management
- Moving from qualitative to quantitative risk
- Improving risk hygiene and maturity
- CISO leadership and risk culture
What You’ll Learn
- The difference between qualitative and quantitative risk methods
- How to conduct your first risk quantification in Excel
- Why Monte Carlo simulations are simpler than most think
- How GRC, compliance, and security teams can collaborate effectively
- The six levers that influence risk magnitude and frequency
This podcast is brought to you by ComplianceCow:
ComplianceCow helps enterprises automate GRC, shift compliance left, and continuously monitor controls across the business.
Learn more at ComplianceCow.com
Connect with our guest: Tony Martin-Vegue on LinkedIn
- Co-Chair, FAIR Institute San Francisco Chapter
- Former Risk Leader at Netflix and Gap Inc.
- Author, From Heat Maps to Histograms (coming 2026)
Subscribe to Security & GRC Decoded on your favorite platform:
- Spotify
- Apple Podcasts
- Explore all episodes: ComplianceCow.com/podcast
View all episodes
By Raj KrishnamurthyIn this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions.
He breaks down Monte Carlo simulations, risk modeling, and the six levers that influence risk—all through a practical, approachable lens. Tony also explores how generative AI is transforming risk quantification and what every CISO, analyst, and engineer can do today to make risk measurable, actionable, and business-aligned.
Key Takeaways
- CRQ doesn’t require perfection—start with what you have and refine over time.
- The most effective risk programs focus on directionally correct data, not precision.
- Good risk scenarios clearly define asset, threat, and effect to avoid misalignment.
- Generative AI accelerates scenario development, data research, and model creation.
- CISOs should demand more from risk teams—move beyond “pick a color” heat maps.
Topics Covered
- Cyber risk quantification (CRQ)
- Monte Carlo simulations and modeling
- Risk scenario design and measurement
- GRC and compliance integration
- Generative AI in risk management
- Moving from qualitative to quantitative risk
- Improving risk hygiene and maturity
- CISO leadership and risk culture
What You’ll Learn
- The difference between qualitative and quantitative risk methods
- How to conduct your first risk quantification in Excel
- Why Monte Carlo simulations are simpler than most think
- How GRC, compliance, and security teams can collaborate effectively
- The six levers that influence risk magnitude and frequency
This podcast is brought to you by ComplianceCow:
ComplianceCow helps enterprises automate GRC, shift compliance left, and continuously monitor controls across the business.
Learn more at ComplianceCow.com
Connect with our guest: Tony Martin-Vegue on LinkedIn
- Co-Chair, FAIR Institute San Francisco Chapter
- Former Risk Leader at Netflix and Gap Inc.
- Author, From Heat Maps to Histograms (coming 2026)
Subscribe to Security & GRC Decoded on your favorite platform:
- Spotify
- Apple Podcasts
- Explore all episodes: ComplianceCow.com/podcast