In this episode, we sat down with AJ Yawn, Author of the upcoming book GRC Engineering for AWS and Director of GRC Engineering at Aquia, to discuss how GRC engineering can transform compliance.

We discussed the current pain points and challenges in Governance, Risk, and Compliance (GRC), how GRC has failed to keep up with software development and the threat landscape, and how to leverage cloud-native services, AI, and automation to bring GRC into the digital era.

We dove into:

• What the phrase “GRC Engineering” means and how it differs from traditional Governance, Risk and Compliance
• What some of the major issues are with traditional compliance in the age of DevSecOps, Cloud, API’s, Automation and now AI
• Specific examples of GRC Engineering, including the use of automation, API’s and cloud-native services to streamline security control implementation, assessment and reporting
• The promise and potential of AI in GRC, and how AJ is using various models for control assessments, artifact creation and more, and how GRC practitioners should be leveraging AI as a force multiplier
• AJ’s new book “GRC Engineering For AWS: A Hands-On Guide to Governance, Risk and Compliance Engineering”

In this episode of Resilient Cyber, we chat with Patrick Duffy, Product Manager at Material Security, on Securing the Modern Workspace.

The conversation will include discussions about the increased adoption of cloud office suites, limitations of traditional security approaches, and a deep dive into how Material Security is tackling issues such as securing email and data, identity threat detection, and posture management.

• Stepping back a bit before we get too specific, we've seen major fundamental shifts in the way organizations work and operate today, including widespread adoption of Cloud Office Suites (e.g., Google Workspaces, Microsoft 365, etc.). How have these shifts changed the threat landscape, and what sort of issues are we seeing with traditional security practices when it comes to securing these environments?
• We know phishing and email attacks are common and critical to protect against, but what about challenges around visibility of accounts/activity, sensitive data, and secure configurations and posture?
• Getting more specific to Material, can you help us understand how you all approach this problem space from a platform and offering perspective? What are some key features and abilities Material Security customers utilize to secure their cloud office suite environments, and what threats do they help against?
• What are some key differentiators for Material compared to some of the other vendors working on this problem, or even how do you all differ from some of the native security capabilities of environments such as M365 or Google Workspace?
• This space continues to evolve, both in terms of the cloud workspace environments and their usage by organizations and the relevant threats. How is Material preparing for these changes, whether it's the widespread adoption of AI, increased complexity, and so on
• It's always great to hear some first-hand use cases and applications. Can you share some examples where Material Security has found success with specific customers and users of the solution?
• We've covered everything from the pitfalls and shortcomings of traditional security approaches to cloud office suites to where the market is headed. Where can folks learn more about Material, and what should we keep an eye out for next?

In this episode, I sit down with longtime industry researcher Wade Baker to dive into Cyentia's latest IRIS report. The report provides a data-driven look at incident trends, impacts, costs, and more.

Are cyber incidents becoming more or less frequent? Are specific industries doing better than others? What does the average incident impact actually look like?

Tune in to learn the answers, along with many other interesting insights!

The report found that the number of security incidents continue to climb YoY, which isn’t a surprise, although there has been peaks and valleys throughout various periods, note the huge uptick in 2021~

Similar to recent reports such as DBIR and M-Trends, application exploitation (e.g., system intrusion) is climbing. In contrast, methods such as physical threat and others have declined due to increased cloud adoption, virtual infrastructure, and so on.

One finding that may surprise some is that the proportion of incidents is going down for some organizations, particularly the largest enterprises, while it is going up for SMBs and smaller organizations. This ties to concepts such as the cybersecurity poverty line, which I have discussed in other articles, such as with

Ross Haleliuk

in our article “Lifting the world out of cybersecurity poverty.”

This is likely due to factors such as large enterprise organizations having robust security teams, larger budgets, being able to afford the latest security tooling and more, while SMB’s often fail to have many of these and deal with resource constraints in both dollars and expertise.

We also see sectors which had historically low incidents now climbing, likely due to factors such as increased adoption of software and being digitally connected, as well as being a previously untapped sector for attackers