PODCAST · technology

All About Risk

Dive into the digital deep end with the c1risk podcast, your go-to stream for all things GRC and cybersecurity! Each episode, we unpack the complex world of Governance, Risk Management, and Compliance. Whether you're fortifying a finance fortress or safeguarding a startup, join us as we explore cutting-edge strategies and insider insights tailored for any industry. Tune in, turn up your cybersecurity savvy, and transform risks into rewards with your host Lily Yeoh.

  1. 15

    Episode 9: AI Is Rewriting Risk

    Chip Block joins Lily Yeoh and explains how AI is forcing organizations to rethink governance, security, and traditional control frameworks. From AI-generated software to data validation and trust, this episode explores why checklists and static controls are no longer enough for modern risk management.

    00:00 - Chip Block’s Background and Why Risk Is Changing
    03:12 - Why Cybersecurity Is a Business Problem, Not Just a Tech Problem
    06:18 - How AI Breaks Traditional Security Models
    10:05 - Why GRC Frameworks and Legacy Controls Need to Evolve
    14:22 - Data Ownership vs Data Validation in the AI Era
    18:40 - Shifting Risk Management Toward Business Outcomes
    22:05 - Securing Data Beyond Devices, Networks, and Perimeters
    27:10 - Why Many Security Controls No Longer Matter
    31:08 - AI and the Future of Software Vulnerabilities
    36:02 - The End of Traditional SDLC and Slower Release Cycles
    40:15 - What Cybersecurity Leaders Should Invest In Now
    44:05 - Why Trust May Replace Information Security as the Next Frontier

  2. 14

    Episode 8: Defensible Evidence - Say What You Do. Then Prove It.

    In this episode of All About Risk, Lily Yeoh sits down with Shayne Adler, co-founder of Aetos Data Consulting, to talk about defensible evidence, the gap between policy and reality, and why perfect compliance is a myth.

    They unpack compliance debt, right-sizing controls, AI overpromises, data theater, and what it really means to say what you do and do what you say.

    To learn more about Shayne Adler and Aetos Data Consulting visit here

    00:00 – From Law to Chief Trust Officer
    07:11 – What Defensible Evidence Actually Means
    11:30 – Compliance Debt and the Policy Gap
    16:15 – Who Is Compliance For?
    17:43 – Right-Sizing Controls and Avoiding Overload
    24:19 – AI Hype, Data Theater, and Operational Discipline

  3. 13

    Episode 7: The Real Risks of AI in Legal-Tech

    AI is moving fast, but in legal-tech, accuracy and trust are non-negotiable. In this episode of All About Risk, Lily Yeoh speaks with Dean Sapp, CISO and DPO at Filevine, about what happens when AI is introduced into environments where bad data and false outputs carry real consequences.

    Dean breaks down why enterprise AI is different from consumer tools, the risks of hallucinations, deepfakes, and AI-driven phishing, and why strong guardrails around data, permissions, and retention matter. They also explore how CISOs are using AI to improve threat detection, automate controls, and translate technical risk into business impact leaders can act on.

    The result is a practical look at AI, security, and risk as an operational reality, not a trend.

  4. 12

    Bonus Episode 6: Your First Role in GRC

    In this final episode of this three-part bonus series, Lily Yeoh shares clear, practical insight on what it really takes to break into a career in GRC. She talks about where people often start, how different backgrounds can translate into the field, and what helps you stand out early on.

    She also touches on common missteps, the importance of staying curious, and what to focus on in your first months on the job.

  5. 11

    Bonus Episode 5: How Do I Get Ready? School, Certs, and Skills

    Lily Yeoh breaks down what you really need to enter GRC, from choosing between a degree or certifications to knowing which starter certs are worth your time. She explains how to get hands-on experience before your first role, the soft skills that actually help you stand out, and the one practical skill that’s shaped her own career. This episode gives you a clear, grounded starting point for building a future in GRC.

    1. GRCP — GRC Professional (OCEG): Great intro to governance, risk, compliance, ethics, and audit basics.
    2. CCEP — Certified Compliance & Ethics Professional (SCCE): Focuses on compliance, ethics, investigations, and corporate policy.
    3. ISO 31000 Risk Management Certification (Various accredited bodies): Covers organizational risk frameworks and is accessible without technical depth.
    4. CompTIA Security (CompTIA): Security fundamentals that support GRC roles tied to IT and cybersecurity.
    5. CGRC (formerly CAP) (ISC2): Intro to governance, risk and security authorization. Good for early GRC careers.

    ADVANCED LEVEL CERTIFICATIONS

    These require experience, deeper security knowledge, or exposure to audit, risk, or governance functions.

    6. CISSP — Certified Information Systems Security Professional (ISC2): High-level security governance, risk, architecture, and leadership.
    7. CISA — Certified Information Systems Auditor (ISACA): The gold standard for audit, controls, and assessment work inside GRC teams.
    8. CRISC — Certified in Risk and Information Systems Control (ISACA): Focused on IT risk, business risk, mitigation, and control design.
    9. CISM — Certified Information Security Manager (ISACA): Security governance, program management, and risk management at scale.
    10. CGEIT — Certified in the Governance of Enterprise IT (ISACA): Enterprise-level IT governance, strategic alignment, and performance risk.

  6. 10

    Bonus Episode 4: Careers in GRC - What a Career in GRC Looks Like

    In this bonus episode (1 of 3), we zoom out and unpack what a career in GRC actually looks like. Lily Yeoh explains the field in simple terms, talks through the types of challenges GRC professionals help organizations navigate, and highlights the mix of backgrounds that thrive here. We touch on what early roles focus on, how government and commercial paths differ, and what someone should understand before jumping in. If you’re curious about GRC as a profession, this first of three episodes gives you a clear, approachable starting point.

    1. GRCP — GRC Professional (OCEG): Great intro to governance, risk, compliance, ethics, and audit basics.
    2. CCEP — Certified Compliance & Ethics Professional (SCCE): Focuses on compliance, ethics, investigations, and corporate policy.
    3. ISO 31000 Risk Management Certification (Various accredited bodies): Covers organizational risk frameworks and is accessible without technical depth.
    4. CompTIA Security (CompTIA): Security fundamentals that support GRC roles tied to IT and cybersecurity.
    5. CGRC (formerly CAP) (ISC2): Intro to governance, risk and security authorization. Good for early GRC careers.

    ADVANCED LEVEL CERTIFICATIONS

    These require experience, deeper security knowledge, or exposure to audit, risk, or governance functions.

    6. CISSP — Certified Information Systems Security Professional (ISC2): High-level security governance, risk, architecture, and leadership.
    7. CISA — Certified Information Systems Auditor (ISACA): The gold standard for audit, controls, and assessment work inside GRC teams.
    8. CRISC — Certified in Risk and Information Systems Control (ISACA): Focused on IT risk, business risk, mitigation, and control design.
    9. CISM — Certified Information Security Manager (ISACA): Security governance, program management, and risk management at scale.
    10. CGEIT — Certified in the Governance of Enterprise IT (ISACA): Enterprise-level IT governance, strategic alignment, and performance risk.

  7. 9

    Episode 6: Making Cyber Human. Why Risk Starts with People, Not Technology

    Dr. David Mussington, former member of the White House National Security Council and Professor at the University of Maryland, joins Lily Yeoh on All About Risk to challenge how we think about cybersecurity. He argues that the biggest threat isn’t just in the network, it’s in how we communicate, govern, and make decisions. From national policy to AI’s growing role in cyber defense, this episode explores what real resilience looks like when people, not just systems, are at the center of security.

  8. 8

    Bonus Episode 3: Understanding GRC - Choosing the Right GRC Tools

    In this final installment of our bonus series Understanding GRC, we explore the practical side of adopting GRC tools. From the limits of spreadsheets to the advantages of integrated platforms, this episode highlights what to look for in a solution, how ROI is measured, and why phasing in processes with a “crawl, walk, run” approach sets organizations up for long-term success.

  9. 7

    Bonus Episode 2: Understanding GRC - Where to Start

    In our second bonus episode, we dig into the first steps of building a GRC program with our expert Lily Yeoh. We cover why it starts with people, process, and technology, and the importance of documenting what you’re protecting. You’ll hear how to make policies meaningful instead of just templates, when to bring in expert guidance, and how to get leadership buy-in. We also touch on the real risks of skipping GRC, from regulatory fines to reputation loss.

  10. 6

    Bonus Episode 1: Understanding GRC

    Bonus Episodes: Understanding GRC is a special bonus series designed for anyone who’s new to governance, risk, and compliance. Each episode breaks down core concepts into simple, practical insights, helping you understand not just what GRC is, but why it matters and how it impacts everyday business decisions. Whether you’re starting your career, leading a small team, or just curious about the field, this series will give you a solid foundation to build on.

    In our first bonus episode, we kick things off with the fundamentals: What does GRC really stand for, and how do governance, risk, and compliance actually work together? We’ll also look at why GRC is a framework every business can benefit from.

  11. 5

    Episode 5: What an Audit Really Looks Like from Plante Moran's Yiping Sun

    Yiping Sun is a leader within Plante Moran’s cybersecurity compliance group. Her expertise includes SOC, ISO 27001, STAR, DPR, and more. She’s a CPA, a CISA, and one of the most trusted voices in cyber audit.

    In this episode, Yiping takes us inside the real world of audit. She speaks with Lily Yeoh about her career path in cybersecurity, breaking down what an effective audit truly looks like—and why it’s far more than just checking boxes. Yiping shares insights on the importance of collaborating with auditors early, how to identify red flags, and the evolving role of auditors. Whether you're in audit, work with auditors, or simply want to understand how assurance really works, this episode offers a practical look behind the scenes.

    More about Yiping Sun, Principal at Plante Moran

  12. 4

    Episode 4: Flipping the Mic: Lily Yeoh on Leadership, Cyber Risk, and the Future of Security

    In this episode, guest host John Paul Tran sits down with Lily Yeoh, CEO of C1Risk, to hear her hot takes on recent GRC events. They dive into insider threats such as the Coinbase hack, public sector risks, and why faster, smarter governance is more critical than ever.

  13. 3

    Episode 3: From War Rooms to Cyber Frontlines, Terry Roberts on Leadership and Inspiring Women in Tech.

    Lily Yeoh is joined by Terry Roberts, Founder, President & CEO of WhiteHawk. Terry served as a senior leader in the US government; her career in public service includes Director at the Secretary of Defense for Intelligence (USDI) and Deputy Director of Naval Intelligence. She’s led Military Intelligence Programs and the global defense, information-warfare, and technology strategies. In addition, our guest also served as an Executive Director at the Software Engineering Institute at Carnegie Mellon University, where she led technology innovations between Cyber & IT across US Department of Defense and the US Intelligence Community.

  14. 2

    Episode 2: ISO 42001 the New Standard for AI Governance

    Today, Lily Yeoh is joined by Patrick Sullivan who brings over 25 years of experience in IT security and compliance, making him a trusted voice on AI governance and the new standard ISO 42001. He also provides insights into the work of ISO’s SC 42 subcommittee, which is shaping global standards for AI, including governance, ethics, and trustworthiness—making this essential knowledge for anyone engaged with AI technologies.

    Hear more from Patrick where he hosts The Business of Compliance, Podcast Edition: https://open.spotify.com/show/2N1aPuS0FFYzYXiXqxvef3?si=6e52ec974c7f4e79

  15. 1

    Episode 1: Risk, AI, and the Evolution of Cybersecurity Roles

    Join C1Risk's CEO, Lily Yeoh, and Joe Sullivan as they delve into the confluence of GenAI and cybersecurity at ILTA Evolve 2024.

    Joe Sullivan, ex-Uber, Cloudflare & Facebook CSO, brings unmatched cybersecurity insights from his extensive career in the private sector. His contributions are further distinguished by his public service, including his appointment by President Obama to the Cybersecurity Commission and his role as a board member of the National Cybersecurity Alliance.

    Lily Yeoh is the founder and CEO of C1Risk. She is a leading risk management practitioner, recognized for her design and implementation of information security technology solutions for Fortune 500 companies, federal and state governments, Big Four consulting, and Silicon Valley startups.

HOSTED BY

C1Risk

Frequently Asked Questions

How many episodes does All About Risk have?

All About Risk currently has 15 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

Who hosts All About Risk?

All About Risk is created and hosted by C1Risk.