In this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions.

He breaks down Monte Carlo simulations, risk modeling, and the six levers that influence risk—all through a practical, approachable lens. Tony also explores how generative AI is transforming risk quantification and what every CISO, analyst, and engineer can do today to make risk measurable, actionable, and business-aligned.

Key Takeaways

1. CRQ doesn’t require perfection—start with what you have and refine over time.
2. The most effective risk programs focus on directionally correct data, not precision.
3. Good risk scenarios clearly define asset, threat, and effect to avoid misalignment.
4. Generative AI accelerates scenario development, data research, and model creation.
5. CISOs should demand more from risk teams—move beyond “pick a color” heat maps.

Topics Covered

• Cyber risk quantification (CRQ)
• Monte Carlo simulations and modeling
• Risk scenario design and measurement
• GRC and compliance integration
• Generative AI in risk management
• Moving from qualitative to quantitative risk
• Improving risk hygiene and maturity
• CISO leadership and risk culture
  
  

What You’ll Learn

• The difference between qualitative and quantitative risk methods
• How to conduct your first risk quantification in Excel
• Why Monte Carlo simulations are simpler than most think
• How GRC, compliance, and security teams can collaborate effectively
• The six levers that influence risk magnitude and frequency

This podcast is brought to you by ComplianceCow:

ComplianceCow helps enterprises automate GRC, shift compliance left, and continuously monitor controls across the business.

Learn more at ComplianceCow.com

Connect with our guest: Tony Martin-Vegue on LinkedIn

• Co-Chair, FAIR Institute San Francisco Chapter
• Former Risk Leader at Netflix and Gap Inc.
• Author, From Heat Maps to Histograms (coming 2026)

Subscribe to Security & GRC Decoded on your favorite platform:

• Spotify
• Apple Podcasts
• Explore all episodes: ComplianceCow.com/podcast