Voices of the Vigilant S2 EP6 | GRC Has Layers!
In This Episode
Monica Reagor, Manager of Information Security Compliance at Crestron Electronics, joins me for Voices of the Vigilant Season 2, Episode 6!
You can learn more about the conversation and the guest below.
About the Guest
Monica Reagor is a Governance, Risk, and Compliance leader whose work sits at the intersection of technical expertise, cultural awareness, and community impact. She serves as Manager of Information Security Compliance at Crestron Electronics and as Chairwoman of the Privacy and Data Security Workgroup for the National Association of Black Compliance and Risk Management Professionals (NABCRMP). She's also a contributor to the National Initiative for Cybersecurity Education (NICE), a DEI advocate, a published author, and the host of MY GRC POV — a podcast exploring the evolving challenges and opportunities in GRC and cybersecurity.
Beyond the boardroom, Monica co-founded the PCOS Awareness Association, serves as President and Executive Director of the National Liturgical Dance Network Global, and brings that same energy for building community into everything she does — including her work as a motivational speaker and pageant coach.
Full Episode Transcript
Jess Vachon: 00:27
Hello everyone, welcome back. Sit back because I have a long intro for you, but it's a great intro. Today's guest is amazing. She has one of those careers that makes you realize how much is possible when you refuse to be put in a box. She's a GRC leader, a podcast host, a published author, a pageant coach, a liturgical dance executive, a co-founder of a health advocacy organization serving over seven million women. And somehow she still finds the time to build Lego sets and paint diamond art. I mean, honestly, that is awesome. Monica Reagor is the Manager of Information Security Compliance at Crestron Electronics, the Chairwoman of the Privacy and Data Security Work Group for the National Association of Black Compliance and Risk Professionals — that's N-A-B-C-R-M-P for anyone keeping score — and she's also the host of the My GRC POV podcast, a podcast all about the evolving world of governance, risk, and compliance. It is amazing. Go listen to it after this episode. She brings together technical expertise, a deep passion for DEI, and a leadership philosophy rooted in emotional intelligence and cultural awareness. I cannot wait to get into all of it with her. Monica, welcome to the Voices of the Vigilant podcast.
Monica Reagor: 01:56
Thank you so much, Jess. I really appreciate being here. I'm super excited to be part of your community and to have a really good conversation. We're going to pick up right where we left off backstage.
Jess Vachon: 02:06
All right. I like to dig into everyone's background and origin story, so let's start there. Springfield, Illinois — and then Virginia Beach. Are you back there now?
Monica Reagor: 02:17
Not quite. I traveled a bit more. I was born at Scott Air Force Base in Springfield, Illinois — I'm a Navy brat. My family moved around for the first five or six years of my life, and then we finally landed in Virginia Beach, which has a huge Navy community. After about 20 years, my parents divorced and my mother became really sick. She relocated back to Louisiana, her home state. In 2008, I was working for Bank of America when the recession hit, so I took the severance package and headed to Louisiana to be with my mom before she passed a few years later.
My working background had been in IT — I was an implementation engineer, did help desk analysis, supported commercial credit cards, and handled client education. When I moved to Louisiana, I applied for a position as an IT technician at a training agency. They said they'd hire me, but then they asked: "You speak well, you seem really personable — would you be interested in compliance?" I said sure, because I had bills to pay. They said they'd train me, and on day one I jumped head first into compliance. I never considered it as a career option, but like anything you commit to, you're going to excel at it. And I did. I absolutely loved it.
That early compliance work brought me into the community around Title VI and VII — making sure there was diversity and inclusion, that schedules were available in multiple languages. But what I understood was that compliance can transcend any industry and any field. Eventually the opportunity came where I moved to New Jersey, my company relocated me, and now I get to do both cybersecurity and compliance — what is now called information security compliance. And I love it. It covers governance, risk, and compliance. You can bring programming skills or policy-writing skills — risk assessments, threat modeling. And now with AI, there's even more to it. It's an exciting time.
Jess Vachon: 05:05
In my own experience getting into GRC, I started on the technical side and then learned the GRC. What were your early challenges in figuring out what GRC means, which regulations to follow, which frameworks to use?
Monica Reagor: 05:26
Great question. I'd frame it in three challenges. The first was understanding what compliance actually was. In the early 2000s through 2012 and 2014, most people considered compliance a legal profession. The only compliance professionals were lawyers or adjacent legal staff — paralegals, clerks, court clerks. Not people like me who moved from the technical side into GRC. Understanding that nuance, and being an anomaly in the field, was a challenge. I didn't go to law school, but I am good at what I do. I can read legislation, break it down, and translate it — I can speak to my executive team in terms they understand, and then translate those same requirements into engineering and tech speak for my engineers. I didn't fit the standard mold, and early in my career I was often told I wouldn't go far because I hadn't followed the conventional path. But I'm scrappy. I got my hands in, figured it out, and made every opportunity — good, bad, or ugly — my own.
The second challenge was when I was hired for my current role, it was specifically to help the company earn government certifications for our products. Almost from day one, security was added to my plate. I told my boss at the time, "You know this is going to grow, right?" They said it wouldn't be a big deal — it was like doing disaster recovery planning, something no one expected to actually use. And then four months later, we had a global pandemic. Suddenly we had all these gaps in our technology because no one had planned for remote work at scale. My career evolved overnight and the demand became real.
The third challenge has been articulating the cost value of security. If you're bringing in tools, experts, or advisory services, it's expensive. How do you explain the ROI of a $150K or $200K platform to leadership who doesn't see security as revenue? What I've developed over time is this: I don't make the money, but I protect your money. When CrowdStrike had that bad software deployment a couple of years ago and shut down half the world, I had data to show that when you don't follow frameworks and secure deployment principles, it has real financial impact. Delta sued Microsoft. We're talking about $66 billion in impact. And now the NIST standards have evolved to include supply chain risk management — you're not just managing your own environment, you're managing your third and fourth parties. So there's a level of accountability that's reshaping everything. Those were my three big challenges: operating outside the status quo, understanding how compliance transcends industries, and since 2020 — keeping up with a sprint that shows no signs of slowing down.
Jess Vachon: 12:08
What PTO? What vacation?
Monica Reagor: 12:11
Exactly. They keep telling me to use my time, and I keep saying I know.
Jess Vachon: 12:17
I love that you touched on showing value, because I think that's a central struggle for information security professionals. FAIR is one attempt to put a valuation framework around security. In my experience there's been real resistance to that approach. What I've done instead is look at specific incidents and say — given what happened here, in light of governance, risk, and compliance, what would this cost us? And then: if we do A, B, and C, we can avoid that cost. While I'm not directly generating revenue, I can help you avoid expenses that drain it. Have you seen the same resistance?
Monica Reagor: 13:18
Absolutely. We recently evolved our compliance program to include some new tools, because the world has evolved. In traditional compliance there have always been tools — Archer, 360 Compliance, Keylight, LockPath. There's always been a risk register, a risk assessment, likelihood analysis, remediation planning. The NIST standards were designed for the federal government, but enterprise and commercial organizations adopted them because they set a high bar — around a thousand controls — that if you meet, you're likely in line with most industry standards. Then you have ISO 27001 and SOC 2, and they all map back to NIST 800-53 in some form.
The challenge is that managing all of this manually is expensive when your team is already expensive. I made the case to my boss that we needed to upgrade our tools to be scalable and resilient, and to support the growing volume of evidence we need to produce for audits. In the last five to seven years — more aggressively in the last five — tools have emerged specifically for information security that integrate with your cloud environments, support risk registers, and track CVSS scoring. I can do all of that in one platform. But the platform costs $150K or $200K, and when you don't generate revenue, the immediate question is: what's the ROI?
That's where you have to get creative and reframe the conversation. I am protecting your revenue. Because of these tools, I can now track when a new sales opportunity comes in and a customer won't move forward until we pass a security assessment. I can document that I completed the questionnaire, we provided the required information, and we influenced a $200K deal. Scale that across the year and I can show exactly how much revenue security enabled. Without that data, the argument is hard to make. But if you leverage the right tools and speak the language of the business, the case becomes clear.
Jess Vachon: 17:46
And I'll add — GRC can be used for marketing and for winning contracts. I helped one organization become compliant with NIST 800-171, which allowed them to compete for and win government contracts worth millions of dollars. The three-year program I stood up was paid for many times over, and we turned that compliance posture into a marketing differentiator. That's our job as GRC professionals — to educate leadership on a different way of thinking about the investment. If they're only looking at the cost of the tool and not seeing the $20 million contract it enables, they're missing the picture. CISOs are told to operate like business leaders, and that's true — but we need the business to actually listen when we're advising them. We're not looking backward. We're thinking about today and anticipating what's coming.
Monica Reagor: 19:30
And that forecasting part is hard sometimes. My boss will ask me to project out, and I have to explain — there are over 200 regulatory changes every single day, and probably 30% of them touch cybersecurity, privacy, or data security in some way. I've had to become a good storyteller, painting the picture while being transparent that it could change tomorrow. AI has made everyone anxious. Biometrics, AI bias — everyone wants to implement AI not because they're dismissing the risks, but because they want to remain competitive. My job is to slow that down just enough to say: there are frameworks we need to work through to make sure we're implementing something responsibly, protecting our end users, our customers, and ourselves from a tool that, without guardrails, could cause real harm.
Our role has shifted. It's no longer just "here are the standards, here are the controls, here is the evidence." Now we're almost like therapists — thinking through all the potential harm a new tool could cause while also projecting what's coming down the pipeline. The EU is already moving toward updating GDPR to account for AI. That's going to affect how we handle cookies, data subject requests, and data deletion. If a user doesn't want their data used in an AI model, how do you remove it? That's a hard technical and legal problem. And it's evolving in real time.
As GRC professionals, we have to live at the intersection of strategist, architect, solutionist, and business driver. I always tell my team: at some point my tap shoes are going to run out. So give me what I need, or tell me what we have and I'll work with it. If we're always operating in reactive mode, we'll always be one step behind. The goal is for the business to see GRC as a solutionist function, not a blocker.
Jess Vachon: 23:46
Everything you're saying speaks to how interconnected this all is. There used to be a clear division between technical teams and GRC. Not anymore. A state passes an AI regulation, a technical team brings in an AI solution, and suddenly that regulation affects the implementation. If you're subject to GLBA or SOX, now you've got additional interconnected requirements. If you're operating in Europe, GDPR and the EU AI Act come into play. It's no longer a simple decision to bring in a tool and adapt policy around it. You have 50 states each developing their own regulations, the federal government with its own agenda, the EU, the UK, and if you're doing business in Asia Pacific — Australia, Singapore, India — they each have their own frameworks too.
Monica Reagor: 24:50
Yes, and those markets are extremely security conscious. Singapore, Australia, and New Zealand are among the most security-forward countries in the world, with India right behind them. The level of work required to support their compliance requirements is significant. And interestingly, on the flip side, our current administration has relaxed some cybersecurity requirements in the US, leaving more discretion to individual agencies. I had a customer call me asking whether we were scaling back our secure software deployment practices because of those changes. I told them: no, we're not, because we sell in your market. We posture against the most restrictive standard we operate under, and right now that's the EU. If you're selling in the EU, don't change anything. Stay the course.
Jess Vachon: 26:18
And the reason we do that is because it's far easier for GRC professionals to maintain one strict operating standard globally than to run parallel postures by region. Default to the strictest, and you know that's both the safest and the most administratively efficient approach.
Monica Reagor: 26:47
Absolutely. I was at a conference recently and a lawyer on the panel made the point clearly: no one has ever failed an audit for being too secure. Organizations only fail audits when there are no guardrails at all. So there's no harm in maintaining a strong posture, regardless of what's changing in U.S. legislation. And if you have a strategist leading your team, they'll use 800-53 as the foundation and map from there. If you manage the roughly 1,000 applicable controls in your environment, you're very likely already compliant with ISO, SOC 2, NIST CSF 2.0, and the EU directives. Manage those standards, and you can confidently say you're meeting industry requirements across the board. OWASP just released their AI Top 10, and NIST is still developing their AI-specific control framework — I expect it'll be another three to five years before we have something as mature as what we have for GDPR. But that's the direction we're moving.
Jess Vachon: 29:07
And that's exactly why GRC is layers. Every time I think about layers I think about Shrek — "Onions have layers." GRC has layers and layers and layers, but there's a core. If you concentrate on that core and build out, a lot of it becomes interconnected. That's the key insight. Now, what we know in 2026 is that GRC is bumping up against the "move fast and break things" mentality. That may be great for innovation and revenue, but someone is held accountable at the end — and it's usually those of us in GRC.
When we run alongside teams saying, "I see you're breaking things, but we need to keep an inventory of what's broken and figure out how to do it better," we're not just being the department of no. We're the ones who have to document accountability, assume the risk, and hold the line. So let's come to an agreement.
Monica Reagor: 30:24
Exactly. Keep everyone informed of what's happening. I tell my engineering team all the time — just tell me what's going on down the pipeline. My engineers are brilliant at breaking things apart, but they'll bust it wide open and then I'm the last to know. And when senior management comes asking, and I don't have an answer, that's a problem. The compliance function can't be the last to know. GRC is no longer a silo. Back in the early 2000s you might have had one or two people on an audit team who'd come out, check a few boxes, and leave. Now you have to build relationships, because if you don't, you'll never be in the room at the beginning of a design conversation or an acquisition. If GRC is only brought in at the end, all we can say is no — because we're still accountable for how the organization represents its security posture to the market. Bring me in early, and I will work with you to build a solution that meets the regulation and still lets you innovate.
Jess Vachon: 32:30
Exactly. And we can actually facilitate the "move fast" mentality — that's what a risk register is for. That's what a Plan of Action and Milestones is for, or a non-conformities list. We capture the issue short-term, you acknowledge the risk, you move fast, and then on our monthly review we come back and tighten things up. The overall message is: work with us. We've got you. But you have to bring us to the table.
Monica Reagor: 33:15
Absolutely. And for those working in GRC and compliance: come to the table with solutions. If you don't know the answer, say so — then go find someone who does. I do it all the time. Risk analytics, for example — I know what the words mean and I can run a script in Excel, but I'm not an expert in all its nuances. I have someone in the field who is. I'll ask for 15 minutes of their time, explain what I'm trying to accomplish, and we figure it out together. When we build a community around GRC, we all succeed. Everything is interwoven, and there's a shared responsibility across every organization. It's a win-win when we work together. And because our community is such a niche, a lot of the tools and principles transcend fields and positions — and there are still roles that haven't even been defined yet.
Jess Vachon: 34:50
Is it true you're studying law and policy?
Monica Reagor: 34:53
Yes, at Liberty University. My long-term goal is to finish that, then pursue my law degree and a master's in compliance — probably in the next three years. I have no interest in practicing law, but I understand the importance. Before AI became widely available, I spent hours reading legislation and translating it into responses for customers and government agencies. My relationship with the legal team has grown because of it. They'll reach out and ask: what's our policy around malicious code? What standards are we following? I write it up, they take it and put it into the legal document, and it holds up. That kind of trust tells me I already have a niche here, and I want to maximize it.
Jess Vachon: 36:47
And I want to highlight that when we invest in ourselves, we're also investing in the businesses we work for. If you're a business leader and your security team comes to you asking for training funding — it's not about another certification to tout. It's about a skill gap they've identified that will make them better at their work. You just made that point perfectly. You're already doing the work; you just want to close the gaps. And if your legal team doesn't have to spend an extra 30 minutes reviewing your writing, that's a win for everyone.
Monica Reagor: 37:35
Absolutely. My legal team is fantastic, and I appreciate their confidence in me. And for context — the EU Cybersecurity Resilience Act is being rolled out in phases, with key milestones in September 2026 and through 2027. I've been preparing for it for two years, quietly mapping its requirements to NIST 800-53. So when leadership started asking where we stood, I could tell them: we're already 90% there. That's what building relationships looks like in practice. My legal team will reach out with questions before making external statements. My marketing team sometimes needs a reminder that we can't claim capabilities we haven't documented — that's educating them to understand that security posture has to grow and mature over time. Even if you have an ISO 27001 certification or a SOC 2 report, the work is never done. You have to stay ahead of it. But if you've built a solid foundation, everything else becomes an additional policy, procedure, or playbook layered on top.
Jess Vachon: 39:17
Let's talk about NABCRMP — I'm not going to say the full name again. You're the Chair of the Privacy and Data Security Work Group. Talk about the purpose of the organization and what it means to you.
Monica Reagor: 39:35
It's the National Association of Black Compliance and Risk Management Professionals, also known as NABCRMP. The organization was founded in 2020 and is the first of its kind — there was no affinity group specifically for Black compliance and risk management professionals before that. Our founder built it so that Black professionals in this GRC niche would have a place to come together, share ideas, and function as a think tank around awareness, career development, and innovation in the field.
In the last three to five years there's been more visibility — compliance programs, risk management programs, cybersecurity degree programs — but it's still a relatively niche space. NABCRMP is a great place to meet talented people, and many of the guests on my podcast have come through that community. We also address shared challenges — being overlooked in the room, being dismissed — and we encourage each other through those moments.
My specific role covers the Privacy and Data Security Work Group, which is the overarching umbrella for cybersecurity and AI within the organization. I have members from healthcare, retail, telecommunications, and financial crime — people who want to understand what's coming in cybersecurity. I also have college students who are asking which frameworks to study and what hands-on experience they need, because cybersecurity degrees teach a lot of theory but not always the practical side — how to build a repository, how to identify encryption issues. We do virtual events, lunch-and-learns, and I bring in experts for focused 40-minute sessions. We also talk about personal branding, because it's not enough anymore to send in a resume. You need a network, a portfolio, and the ability to demonstrate your expertise.
Right now, with over 300,000 Black women who are unemployed despite holding master's or doctoral degrees, many are trying to figure out how to transition careers. And I tell them: if you have operational risk experience, you can do GRC. If you've provided oversight in any form, you can do governance. Let me show you how. We also have approximately 11 active work groups and are always looking for partners and contributors — and no, you don't have to be a person of color to get involved. We have a summit coming up in October and a virtual career fair in September focused on GRC roles. I'm always on a panel somewhere, trying to highlight the importance of GRC and cybersecurity.
Jess Vachon: 44:32
How do people join?
Monica Reagor: 44:36
Go to www.nabcrmp.org.
Jess Vachon: 44:41
Perfect. I have a hundred more questions, but we're out of time for this episode — which means you're coming back.
Monica Reagor: 45:00
I love it. You're fantastic, Jess.
Jess Vachon: 45:02
Thank you! Before we go, plug My GRC POV for us.
Monica Reagor: 45:09
Definitely tune in to My GRC POV. You can also find past episodes at www.mygrcpov.com. I drop a new episode every other week — our next one drops April 29th, and it's going to be a great one. We're talking about data equity from a demographics perspective. I also write long-form on mygrcpov.substack.com — thoughts, opinions, and analysis. And you can follow me on LinkedIn under Monica Reagor, or on Instagram. I'm super excited to be part of this space.
Jess Vachon: 45:59
Monica, thank you so much for being on Voices of the Vigilant. This conversation was more than I hoped for. Folks, if you enjoyed this, please like and subscribe on your favorite streaming platform, and go give My GRC POV a follow as well. Until next time, everyone — stay vigilant. Bye!