In this episode, host Tiernan O'Malley sits down with Rachel Curran, GRC practitioner and founder of Locktivity, to unpack the complexities of Governance, Risk, and Compliance (GRC) in a cloud-first world.
We dive deep into why third-party risk management cannot just be a "check-the-box" compliance exercise and how organizations must shift their focus from merely assessing vendors to actively managing how they interact with them.
What You’ll Learn: ◈ The Fallacy of the Checklist: Why passing an audit doesn't automatically equal operational security. ◈ Continuous vs. Point-in-Time: The true value of SOC 2 audits and where continuous monitoring actually needs to step in (like catching missing 2FA). ◈ Quantifying Risk for Leadership: How to move beyond dollar amounts and make cyber risk personal and relatable to the C-suite. ◈ Silent Attack Vectors: The danger of stale OAuth tokens, unenforced SSO, and secrets left in commit histories.
Key Moments: 02:40 ➔ The Breach Reality: Why assessing vendors to completely avoid breaches is impossible, and why impact mitigation is the real goal. 05:43 ➔ The Snowflake Example: How point-in-time audits often miss critical dynamic configurations like 2FA. 10:53 ➔ Personalizing the Threat: How agentic AI integrations exposed a CEO's tax history—and why that changes the security conversation. 16:36 ➔ The OAuth Danger: Why leaving unused OAuth tokens active is like leaving your front door open while on vacation. 18:34 ➔ Warning Signs: How M&A activity, mass layoffs, and vendor evasiveness can predict upcoming security risks.
🎙️ Meet the Guest: Rachel Curran is a GRC practitioner with over a dozen years of experience building SOC 2 and ISO security programs for startups. She is the founder of Locktivity, a platform focused on helping companies understand where their true third-party risk lies and how to proactively limit impact. ➔ LinkedIn: Rachel Curran ➔ Locktivity: locktivity.com
Podden och tillhörande omslagsbild på den här sidan tillhör
Victor Monga. Innehållet i podden är skapat av Victor Monga och inte av,
eller tillsammans med, Poddtoppen.