Re-learning what it means to manage risk with GRC 2.0

By Sweta Bhattacharya

In Episode 3 of The SAFE Cyber Risk Podcast, host Pankaj Goyal, COO at SAFE, dives into a critical topic: the complexities of managing cyber risk. Our guest in this episode is Vinod Madhavan, the Senior Director of Cybersecurity GRC at Honeywell.

Cyber risk is no longer just a security issue—it’s a business risk that demands a unified, data-driven approach. Yet, many organizations still operate in silos, making risk management fragmented and reactive. At Honeywell, that’s changing.

Vinod shares how one of the world’s largest Fortune 500 companies is reshaping cyber risk management. By breaking silos, integrating teams, quantifying risk, and leveraging AI, Honeywell is building a continuous, proactive risk management framework that scales.


Top 5 Takeaways from Episode 3 with Vinod Madhavan

1. Modeling the Next-Gen Three Lines of Defense

The three lines of defense (3LOD) model, designed by the Institute of Internal Auditors (IIA), is promoted as a solution to enhance risk management. However, in a recent report titled “Stop Defending The Three Lines Of Defense,” Forrester pointed out that “the division is conceptually simple but does not match the operating model at most organizations.” Vinod agrees that while it might be a good starting point, business leaders need to make modifications. He emphasized the importance of integration rather than separation: “The three lines are probably not using the same language, so there’s always been a difference in how they look at requirements or control.”

To bridge these gaps, Honeywell adopted a common control approach, aligning regulatory requirements across all three lines. This integration, supported by automation and AI, has improved communication and collaboration, ensuring that cyber risk management is more efficient and effective. Looking ahead, Honeywell is working towards a next-gen Three Lines of Defense model, one that embraces automation and real-time risk visibility.

2. Building GRC 2.0: A Roadmap for Success

Vinod highlighted three key pillars for modernizing GRC:

  • Technology & AI Integration: Embracing AI-driven automation to reduce repetitive tasks and enhance decision-making.
  • Industry Risk Awareness: Understanding external risks and trends, while aligning them with Honeywell’s specific business risks.
  • Breaking Down Silos: Ensuring risk assessments and mitigation strategies are unified across the organization to create a clear, quantifiable view of cyber risk.

Quantification is central to Honeywell’s approach. Instead of relying on qualitative risk ratings (e.g., “high/low/medium risk”), they have shifted to a data-driven, quantitative model. This method allows them to assign a dollar value to risks, improving prioritization and investment decision-making.

3. From Risk Reporting to Risk-Driven Decision-Making

Investments in security controls and compliance initiatives aren’t just about checking regulatory boxes; they create tangible business value by reducing financial exposure and strengthening customer trust. Organizations must leverage risk data to drive strategic decisions, much like how finance teams use risk assessments to inform investment choices.

It is critical to demonstrate risk reduction because “you have current customers who are looking into the way that you’re handling security measurements and mitigations,” says Vinod. Honeywell’s Risk Buy-Down program exemplifies this shift. By calculating the financial impact of cyber risks—sometimes in the range of hundreds of millions of dollars—Honeywell can demonstrate informed, data-backed decisions on mitigation strategies.

4. The Growing Importance of Third-Party Risk Management

With more than half of recent cyberattacks originating from third parties, organizations must elevate their third-party risk management (TPRM) strategies. Honeywell has implemented a tiered supplier assessment process, ensuring that high-risk vendors undergo continuous evaluation. This includes onsite audits, security assessments, and compliance checks to maintain a robust risk posture across the supply chain.

5. Looking Ahead: Key Focus Areas for 2025

Vinod mentions the urgency of focusing on the evolving regulatory landscape but urges leaders to “understand the similarity between the regulations that are coming in, and understand the delta.”

As GRC leaders plan for the future, Vinod identified three critical areas of focus:

  • Embracing Technology & AI: Automating risk management processes to enhance efficiency and accuracy.
  • Fostering Cross-Organizational Collaboration: Breaking down silos to unify risk frameworks and methodologies.
  • Keeping Pace with Regulations: Navigating the ever-growing regulatory landscape by identifying commonalities and leveraging AI to track evolving requirements.

Honeywell’s approach to cyber risk management showcases the power of integration, automation, and data-driven decision-making. Watch the full episode for more insights on mastering cyber risk management and driving meaningful security outcomes.

To learn how SAFE’s AI-led cyber risk management platform can empower you to stay ahead of enterprise and third-party cyber risks, schedule a demo with our cyber experts.

Stay tuned for more insights from industry leaders on future episodes of the Cyber Risk Podcast!