All About Risk

Episode 9: AI Is Rewriting Risk

Chip Block joins Lily Yeoh and explains how AI is forcing organizations to rethink governance, security, and traditional control frameworks. From AI-generated software to data validation and trust, this episode explores why checklists and static controls are no longer enough for modern risk management. 00:00 - Chip Block’s Background and Why Risk Is Changing 03:12 - Why Cybersecurity Is a Business Problem, Not Just a Tech Problem 06:18 - How AI Breaks Traditional Security Models 10:05 - Why GRC Frameworks and Legacy Controls Need to Evolve 14:22 - Data Ownership vs Data Validation in the AI Era 18:40 - Shifting Risk Management Toward Business Outcomes 22:05 - Securing Data Beyond Devices, Networks, and Perimeters 27:10 - Why Many Security Controls No Longer Matter 31:08 - AI and the Future of Software Vulnerabilities 36:02 - The End of Traditional SDLC and Slower Release Cycles 40:15 - What Cybersecurity Leaders Should Invest In Now 44:05 - Why Trust May Replace Information Security as the Next Frontier

Episode 8: Defensible Evidence - Say What You Do. Then Prove It.

In this episode of All About Risk, Lily Yeoh sits down with Shayne Adler, co-founder of Aetos Data Consulting, to talk about defensible evidence, the gap between policy and reality, and why perfect compliance is a myth. They unpack compliance debt, right-sizing controls, AI overpromises, data theater, and what it really means to say what you do and do what you say. To learn more about Shayne Adler and Aetos Data Consulting visit here [https://www.aetos-data.com/] 00:00 – From Law to Chief Trust Officer 07:11 – What Defensible Evidence Actually Means 11:30 – Compliance Debt and the Policy Gap 16:15 – Who Is Compliance For? 17:43 – Right-Sizing Controls and Avoiding Overload 24:19 – AI Hype, Data Theater, and Operational Discipline

Episode 7: The Real Risks of AI in Legal-Tech

AI is moving fast, but in legal-tech, accuracy and trust are non-negotiable. In this episode of All About Risk, Lily Yeoh speaks with Dean Sapp, CISO and DPO at Filevine, about what happens when AI is introduced into environments where bad data and false outputs carry real consequences. Dean breaks down why enterprise AI is different from consumer tools, the risks of hallucinations, deepfakes, and AI-driven phishing, and why strong guardrails around data, permissions, and retention matter. They also explore how CISOs are using AI to improve threat detection, automate controls, and translate technical risk into business impact leaders can act on. The result is a practical look at AI, security, and risk as an operational reality, not a trend.

Bonus Episode 6: Your First Role in GRC

In this final episode of this three part bonus series, Lily Yeoh shares clear, practical insight on what it really takes to break into a career in GRC. She talks about where people often start, how different backgrounds can translate into the field, and what helps you stand out early on. She also touches on common missteps, the importance of staying curious, and what to focus on in your first months on the job.

Bonus Episode 5: How Do I Get Ready? School, Certs, and Skills

Lily Yeoh breaks down what you really need to enter GRC, from choosing between a degree or certifications to knowing which starter certs are worth your time. She explains how to get hands-on experience before your first role, the soft skills that actually help you stand out, and the one practical skill that’s shaped her own career. This episode gives you a clear, grounded starting point for building a future in GRC. 1. GRCP — GRC Professional ⁠OCEG⁠ [https://www.oceg.org/certifications/grc-professional-certification/]-Great intro to governance, risk, compliance, ethics, and audit basics. 2. CCEP — Certified Compliance & Ethics Professional ⁠SCCE⁠ [https://www.corporatecompliance.org/certification/become-certified/ccep]-Focuses on compliance, ethics, investigations, and corporate policy. 3. ISO 31000 Risk Management Certification ⁠Various accredited bodies⁠ [https://www.iso.org/standard/65694.html]-Covers organizational risk frameworks and is accessible without technical depth. 4. CompTIA Security ⁠CompTIA⁠ [https://www.comptia.org/certifications/security]-Security fundamentals that support GRC roles tied to IT and cybersecurity. 5. CGRC (formerly CAP) ⁠ISC2⁠ [https://www.isc2.org/certifications/cgrc]-Intro to governance, risk and security authorization. Good for early GRC careers. ADVANCED LEVEL CERTIFICATIONS These require experience, deeper security knowledge, or exposure to audit, risk, or governance functions. 6. CISSP — Certified Information Systems Security Professional ⁠ISC2⁠ [https://www.isc2.org/certifications/cissp]-High-level security governance, risk, architecture, and leadership. 7. CISA — Certified Information Systems Auditor ⁠ISACA⁠ [https://www.isaca.org/credentialing/cisa]-The gold standard for audit, controls, and assessment work inside GRC teams. 8. CRISC — Certified in Risk and Information Systems Control ⁠ISACA⁠ [https://www.isaca.org/credentialing/crisc]-Focused on IT risk, business risk, mitigation, and control design. 9. CISM — Certified Information Security Manager ⁠ISACA⁠ [https://www.isaca.org/credentialing/cism]-Security governance, program management, and risk management at scale. 10. CGEIT — Certified in the Governance of Enterprise IT ⁠ISACA⁠ [https://www.isaca.org/credentialing/cgeit]-Enterprise-level IT governance, strategic alignment, and performance risk.