Listen and watch now on YouTube, Spotify and Apple. The episode transcript is available at the top of the page and timestamps for the episode are at the bottom.
I’m very excited about this episode with Tony. I’ve always seen Cyber Risk Quantification as the next step up in terms of maturity for most GRC programs. Someone who performed ~1,000 quantified risk assessments at companies such as Netflix has to be the perfect guest!
I did my best to ask questions I was always curious about and dive deeper on some of the implementation requirements to run a proper CRQ program. It ended up being pretty philosophical in places (remediation-bias vs. decision-support) and I think it gives a very comprehensive overview of the field and how it interacts with GRC Engineering.
Have a great listen and let myself and Tony know what you thought of it.
Feel free to share it if you enjoyed it 😀

🎙️ In This Episode
There's no shortage of bold claims about cyber risk management, but how do you separate signal from noise when it comes to quantitative approaches?
In this episode of the GRC Engineer podcast, I'm joined by Tony Martin-Vegue, a seasoned risk quantification expert who's conducted over 1,000 assessments at companies like Netflix, to cut through the hype and share how quantitative risk assessment actually works in practice. Tony shares insights from his economics background, his journey from traditional "red, amber, green" approaches, and why he believes security awareness training doesn't work.
We also discuss:
The pivotal C-suite meeting that changed Tony's entire approach to risk management
The difference between cyber risk quantification (the philosophy) and FAIR (the tool)
Common misconceptions about risk quantification being too time-intensive
How AI is eliminating traditional barriers to gathering incident data and cost information
Why most risk managers have a dangerous bias towards remediation
The surprising amount of time spent on modelling versus stakeholder engagement
How GRC engineers and risk analysts are natural allies
Why understanding the philosophy of uncertainty is more important than technical skills
Tony's controversial take on security awareness training ROI
And much more!

💡3 Insightful Ideas
Risk quantification is mostly about conversations, not calculations
"If I think about the amount of time I spend on a risk assessment, I still spend most of my time with risk identification, with risk scoping, talking to stakeholders, understanding the question at hand, the decision, the business objectives. The actual Monte Carlo simulations that I do, the actual modelling is just this little piece right in the middle. I probably spend less than 30 minutes for the entire risk assessment on the actual modelling."
Gut check decision-making is already a model
"One of the first things I do is I try to get my head around how we make decisions currently. And as you mentioned, it is usually gut check and using gut checks, using your mind, the first thing that comes to mind, that is a model. It is a risk model. And all I'm asking us to do collectively when we're sitting in a room is let's just upgrade that model."
Sometimes you want to increase risk
"We just need to remain flexible and open-minded and just don't walk into these situations thinking that mitigation is always the thing that we have to do. The goal of risk management is to enable the company through better decisions. And sometimes that means accepting risk, transferring risk, avoiding risk, or, this is really controversial, increasing risk."
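To make concrete what "the actual modelling" in the first quote amounts to, and why the output is a decision-support number rather than a remediation mandate, here is a minimal FAIR-style Monte Carlo in plain Python. This is an added example written for this page; it is not riskquant's code and not Tony's own model. Loss-event frequency is drawn from a Poisson, loss magnitude from a lognormal calibrated from a 90% confidence interval (the Hubbard/Seiersen convention), and a candidate control is judged by expected loss reduction against its cost. The scenario parameters (2 credential-compromise events a year, a $20k–$2M loss range, a $150k/year control that cuts frequency to 1.2) are constructed for illustration.

```python
import math
import random
import statistics


def lognormal_from_ci(low, high, z=1.645):
    """Calibrate a lognormal loss-magnitude distribution from a 90% CI.

    The analyst's calibrated 5th/95th percentile estimate (low, high) becomes
    (mu, sigma) of the underlying normal; z=1.645 is the standard-normal 95th
    percentile. Assumption of this example, not a fixed FAIR requirement.
    """
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small lam)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, mag_ci, years=20000, seed=1):
    """Return one simulated annual loss per year: sum of per-event lognormal draws."""
    rng = random.Random(seed)  # seeded so results are reproducible
    mu, sigma = lognormal_from_ci(*mag_ci)
    losses = []
    for _ in range(years):
        n_events = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile of a list (q in [0, 1])."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, int(round(q * (len(ordered) - 1)))))
    return ordered[idx]


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds `threshold` (a loss-exceedance point)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    """Annualised loss expectancy plus the tail figures a risk owner actually asks about."""
    return {
        "ale": statistics.fmean(losses),
        "p50": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "p_any_loss": exceedance_probability(losses, 0),
    }


def compare_control(freq, mag_ci, control_freq, control_cost, years=20000, seed=1):
    """Decision support: does the control's expected loss reduction beat its cost?"""
    before = statistics.fmean(simulate_annual_losses(freq, mag_ci, years, seed))
    after = statistics.fmean(simulate_annual_losses(control_freq, mag_ci, years, seed))
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "expected_reduction": reduction,
        "control_cost": control_cost,
        "net_benefit": reduction - control_cost,  # negative means: accept the risk instead
    }


if __name__ == "__main__":
    # Constructed scenario: phishing-led credential compromise (numbers are illustrative).
    freq, mag_ci = 2.0, (20_000, 2_000_000)
    losses = simulate_annual_losses(freq, mag_ci)
    for k, v in summarize(losses).items():
        print(f"{k:>11}: {v:,.2f}")
    print(f"P(loss > $1M): {exceedance_probability(losses, 1_000_000):.3f}")
    verdict = compare_control(freq, mag_ci, control_freq=1.2, control_cost=150_000)
    for k, v in verdict.items():
        print(f"{k:>19}: {v:,.0f}")
```

The whole model is a few dozen lines and runs in seconds, which is the point of the "less than 30 minutes" remark: the work is in agreeing the frequency and magnitude ranges with the risk owner and in framing the decision (`net_benefit` can legitimately come out negative, in which case accepting or transferring the risk is the better answer), not in the simulation itself.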

📌 Timestamps
(00:00) Intro
(02:39) Tony's career journey from IT help desk to risk management
(06:49) The pivotal C-suite meeting that changed everything
(12:27) How GRC components should work together as business enablers
(16:32) The difference between CRQ and FAIR
(22:25) Who benefits most from quantitative risk assessments
(28:32) Why risk managers have a bias towards remediation
(34:13) How to engage risk owners and speak their language
(39:49) The philosophy of risk and understanding uncertainty
(44:48) Why most risk work isn't about modelling
(47:33) How AI is transforming risk assessment data collection
(52:21) Practical tips for getting started with risk quantification
(55:05) How GRC engineering and risk analysis work together
(58:04) Tony's hot take on security awareness training

⚙️ GRC Engineering Connection
Tony's insights perfectly align with core GRC Engineering principles, particularly around data pipelines and systems thinking:
Data as the Foundation: Tony emphasised how AI eliminates traditional barriers to risk quantification by automating data collection from incident logs, cost records, and control effectiveness metrics. This mirrors the GRC Engineering focus on building central data layers that connect previously siloed information sources.
Natural Alliance: As Tony noted, "GRC engineers and risk analysts are natural allies" because both disciplines prioritise decision-enabling architecture over checkbox compliance. Risk quantification provides the business case; GRC Engineering provides the data infrastructure to make it scalable.
Automation of Busy Work: Tony's point about spending "less than 30 minutes on actual modelling" reveals where GRC Engineering adds value, automating the data gathering, stakeholder coordination, and communication workflows that consume 95% of the time, leaving analysts free to focus on the decision-making conversations that matter.

🌶️ Hot Take
Tony's controversial opinion: Security awareness training doesn't provide good ROI. Having measured it across multiple companies, he finds the investment rarely justifies the risk reduction achieved.
His alternative? "Build better systems" where users can only make the right choice, rather than relying on them as your first line of defence.

📚 References
To learn more about Tony
Newsletter: https://heatmapstohistograms.substack.com/
First issue of the newsletter: https://heatmapstohistograms.substack.com/p/issue-1-bayesian-thinking-building
Follow-up issue on the IRIS 2025 report: https://heatmapstohistograms.substack.com/p/issue-15-beyond-base-rates-turning
His personal website: https://www.tonym-v.com/
Presentation on how Netflix leverages FAIR: https://www.youtube.com/watch?v=-14Ltzwm0Pw
Resources mentioned
How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119892309
Cyentia IRIS 2025 Report: https://www.cyentia.com/iris/
FAIR Institute: https://www.fairinstitute.org/
The riskquant Python library used to assess risks: https://github.com/Netflix-Skunkworks/riskquant

That’s all for this podcast’s issue, folks!
If you enjoyed it, you might also enjoy:
My spicier takes on LinkedIn [/in/ayoubfandi]
Read the GRC Engineer deep-dives relevant to this episode:
See you this Thursday!