GRC Isn’t a Checkbox: Dr. Mike Brass on AI Governance, Risk & the Three Lines of Defense S1E11
Author: The Cyber Mettle Podcast with Alyson & Omar
Uploaded: 2026-02-13
Views: 4
Description:
Source:
https://www.podbean.com/eau/pb-tcm8m-...
GRC isn’t about checklists. It’s about structure, accountability, and human behavior.
In this episode of The Cyber Mettle Podcast, Dr. Mike Brass — Head of Governance, Risk & Compliance and Enterprise Security Architecture at National Highways (UK) — joins Dr. Omar Sangurima and Alyson Laderman, Esq. for a deep dive into:
• Why cybersecurity is fundamentally about human behavior
• The evolution (and misuse) of “GRC engineering”
• AI governance beyond the hype
• The three lines of defense model and why it still matters
• Why automation ≠ strategy
• How apprenticeship models are reshaping cyber talent pipelines
Dr. Brass brings a rare interdisciplinary lens — from archaeology and anthropology to global IT leadership — explaining why governance must be holistic, structured, and aligned to business outcomes.
If your organization is being told AI can replace GRC… this conversation is for you.
🔎 What We Cover:
Why GRC is a second-line-of-defense function — not a checkbox
The difference between automation and governance
Why AI controls must extend existing frameworks — not bypass them
The role of Enterprise Security Architecture (ESA)
Apprenticeships vs. “mythical unicorn” hiring
CAF, ISO 42001, NIST AI RMF, CSA guidance
Aligning security to business mission
Why governance is about asking “why” — not just “how”
📘 Featured Book
Governance, Risk and Compliance by Dr. Mike Brass
Published by CRC Press (Taylor & Francis)
⚠️ Standard Podcast Disclaimer
Though Dr. Brass and Dr. Sangurima are cybersecurity experts, and Alyson Laderman is an attorney, this podcast does not provide legal advice or specific cybersecurity consulting guidance. We share lived experience to help you think critically and make informed decisions.
⏱️ Chapters
00:00 – Omar’s “Fanboy” Moment & Intro
00:34 – Podcast Disclaimer
01:26 – Dr. Mike Brass Background (Archaeology → Cybersecurity)
03:46 – The Moment That Changed His View of Cybersecurity
07:12 – Human Behavior as the Core of Security
10:43 – Apprenticeships vs. Traditional Entry Paths
14:54 – UK Cyber Apprenticeship Model Explained
20:35 – Why Diversity of Thought Matters in Security
22:48 – What GRC Actually Does (Second Line of Defense)
28:47 – The “GRC Engineering” Debate
32:54 – AI Marketing vs. AI Reality
37:36 – AI Governance Frameworks (ISO 42001, NIST, CSA, ISACA)
44:40 – Aligning Controls to Business Outcomes
51:52 – AI, Supply Chain & Hidden Risk
56:59 – Enterprise Security Architecture’s Role
59:30 – Final Advice for Business Leaders
1:01:07 – Book Mention & Where to Find It
1:01:31 – Closing Thoughts
#CyberSecurity #GRC #AIGovernance #RiskManagement #InfoSec #ThreeLinesOfDefense #CyberLeadership #Governance #EnterpriseSecurity #CyberMettle
🔑 Keywords
Dr Mike Brass interview, GRC explained, governance risk compliance podcast, AI governance framework, ISO 42001 overview, NIST AI RMF, CAF framework UK, three lines of defense cybersecurity, enterprise security architecture, cybersecurity apprenticeships UK, automation vs governance, AI risk management, cyber leadership strategy