Fireproof Your Castle with Risk-First GRC
Aakash Yadav, Lindsey Pilver
BSidesSF 2025 — Here Be Dragons · Day 2 · Main
Most GRC programs start with compliance frameworks and work backward to risk — a sequence that reliably misses the actual threats to the business. Lindsey Pilver and Aakash Yadav from Roblox's security GRC team argue for inverting that order: identify real business risks first, then map controls and compliance requirements to those risks. The difference is not just philosophical; it changes which controls get funded and why.
AI review
The risk-first versus compliance-first inversion is the right argument and Roblox's GRC team makes it credibly. Pilver's treatment of Monte Carlo simulation for cyber risk quantification — including the correct point about ordinal scale averaging being a statistical error — is more technically rigorous than most GRC talks I suffer through. The content is sound; the novelty for a technical security audience is limited.
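To make the ordinal-averaging point concrete, here is an added example (not from the talk or from Roblox's GRC program) that contrasts a heat-map style score with a small Monte Carlo loss model; the two scenarios, their 1-5 ratings, event frequencies and loss distributions are constructed for illustration only.

```python
import math
import random
import statistics

# Constructed scenarios (hypothetical figures, not from the talk).
# likelihood/impact: ordinal 1-5 ratings as a heat map would assign them.
# freq: expected loss events per year (Poisson rate).
# loss_median/loss_sigma: per-event loss, lognormal in dollars.
SCENARIOS = {
    "phishing_credential_theft": {"likelihood": 5, "impact": 2,
                                  "freq": 4.0, "loss_median": 20_000, "loss_sigma": 0.8},
    "ransomware_outage":         {"likelihood": 2, "impact": 5,
                                  "freq": 0.2, "loss_median": 2_000_000, "loss_sigma": 1.0},
}


def ordinal_score(s):
    """Heat-map practice: average the two ratings. Ordinal labels only rank,
    so the mean has no unit and cannot separate these two scenarios (both 3.5)."""
    return (s["likelihood"] + s["impact"]) / 2


def poisson(rng, lam):
    """Knuth's method: number of events in one year for rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(s, trials=20_000, seed=1):
    """Monte Carlo: draw a count of events, then a lognormal loss per event,
    and summarise the annual total in dollars (mean, median, 95th percentile)."""
    rng = random.Random(seed)
    mu = math.log(s["loss_median"])
    losses = []
    for _ in range(trials):
        n = poisson(rng, s["freq"])
        losses.append(sum(rng.lognormvariate(mu, s["loss_sigma"]) for _ in range(n)))
    losses.sort()
    return {"mean": statistics.fmean(losses),
            "p50": losses[trials // 2],
            "p95": losses[int(0.95 * trials)]}


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        print(name, "ordinal:", ordinal_score(s), "monte carlo:", simulate_annual_loss(s))
```

The ordinal scores tie, while the simulation separates a frequent low-cost event from a rare high-cost one and yields a distribution a budget decision can be argued from.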