GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva episode artwork

EPISODE · Dec 2, 2025 · 1H 6M

GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva

from GRC Engineer · host Ayoub Fandi

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc---What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building enterprise security at scale?In this episode, Kane Narraway, previously leading enterprise security at Atlassian, building Zero Trust at Shopify, and now running enterprise security at Canva, shares battle-tested insights on the intersection of GRC and enterprise security.Kane's unique perspective comes from working across three major tech companies, navigating everything from SOC 2 to FedRAMP, and building security programmes that scale without creating friction for engineers.Key Topics Discussed:The Compliance-Security PartnershipHow compliance evolved from yearly audits to sales enablement, and why that actually helps enterprise security teams implement controls faster.Third-Party Risk Management HandoverThe critical transition from TPRM intake to ongoing enterprise security management, and when you should actually push back on vendors.Platform Consolidation vs Best-of-BreedReal examples from extremely consolidated (Shopify with Google everything) to open ecosystems (Canva's hundreds of tools), and which approach suits your company culture.Zero Trust and Continuous ComplianceWhy Zero Trust principles align perfectly with GRC engineering, and how to turn point-in-time audit checks into continuous validation systems.The User Experience ProblemHow to implement security controls without creating shadow IT, including the "my machine is perfect" engineer problem and how to solve it.M&A Security IntegrationPrinciples (not playbooks) for security integration during acquisitions, including when to keep companies separate for compliance reasons.The AI Compliance ChallengeWhy current control frameworks don't match AI-driven access patterns, and what's coming when non-human identities start requesting access at scale.FedRAMP, HIPAA, and High-Stakes ComplianceThe difference between managing SOC 2 (30 minutes of sampling) versus the compliance regimes that can dominate your calendar for months.About the Guest:Kane Narraway has spent over a decade building enterprise security programmes at some of the world's leading tech companies. Starting in UK government and BT, he moved to Atlassian where he built their corporate security programme, then to Shopify where he led platform engineering and Zero Trust, and now leads enterprise security at Canva in New Zealand. Kane specializes in building security at scale whilst maintaining developer velocity and user experience.Connect with the Guest:Kane Narraway: https://www.linkedin.com/in/kane-n/About The GRC Engineer:The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.🌐 Visit: grcengineer.com💼 Connect: linkedin.com/in/ayoubfandi📧 Newsletter: grcengineer.com/subscribe#GRCEngineering #Canva #EnterpriseSecurityCompliance #Automation #CyberSecurity #RiskManagement #ZeroTrust #DevSecOps

Episode metadata supplied by the publisher feed · Published Dec 2, 2025

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc---What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building enterprise security at scale?In this episode, Kane Narraway, previously leading enterprise security at Atlassian, building Zero Trust at Shopify, and now running enterprise security at Canva, shares battle-tested insights on the intersection of GRC and enterprise security.Kane's unique perspective comes from working across three major tech companies, navigating everything from SOC 2 to FedRAMP, and building security programmes that scale without creating friction for engineers.Key Topics Discussed:The Compliance-Security PartnershipHow compliance evolved from yearly audits to sales enablement, and why that actually helps enterprise security teams implement controls faster.Third-Party Risk Management HandoverThe critical transition from TPRM intake to ongoing enterprise security management, and when you should actually push back on vendors.Platform Consolidation vs Best-of-BreedReal examples from extremely consolidated (Shopify with Google everything) to open ecosystems (Canva's hundreds of tools), and which approach suits your company culture.Zero Trust and Continuous ComplianceWhy Zero Trust principles align perfectly with GRC engineering, and how to turn point-in-time audit checks into continuous validation systems.The User Experience ProblemHow to implement security controls without creating shadow IT, including the "my machine is perfect" engineer problem and how to solve it.M&A Security IntegrationPrinciples (not playbooks) for security integration during acquisitions, including when to keep companies separate for compliance reasons.The AI Compliance ChallengeWhy current control frameworks don't match AI-driven access patterns, and what's coming when non-human identities start requesting access at scale.FedRAMP, HIPAA, and High-Stakes ComplianceThe difference between managing SOC 2 (30 minutes of sampling) versus the compliance regimes that can dominate your calendar for months.About the Guest:Kane Narraway has spent over a decade building enterprise security programmes at some of the world's leading tech companies. Starting in UK government and BT, he moved to Atlassian where he built their corporate security programme, then to Shopify where he led platform engineering and Zero Trust, and now leads enterprise security at Canva in New Zealand. Kane specializes in building security at scale whilst maintaining developer velocity and user experience.Connect with the Guest:Kane Narraway: https://www.linkedin.com/in/kane-n/About The GRC Engineer:The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.🌐 Visit: grcengineer.com💼 Connect: linkedin.com/in/ayoubfandi📧 Newsletter: grcengineer.com/subscribe#GRCEngineering #Canva #EnterpriseSecurityCompliance #Automation #CyberSecurity #RiskManagement #ZeroTrust #DevSecOps

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva

0:00 1:06:21

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

AI Generated - EDU Video Podcast Magnus Lian Explore how video tools and AI are transforming education with Magnus Sæternes Lian, Senior Engineer at NTNU and founder of ReadyMedia. This podcast dives into the latest video technologies, real-world use cases, and actionable insights for educators and tech enthusiasts. Created using cutting-edge AI tools like GoogleLM and ElevenLabs, all content is verified for accuracy. Discover practical solutions and stay ahead in the evolving landscape of educational technology! The Driven To Draw Podcast: Self Improvement|Painting|Drawing|Visual Problem Solving|Unleashing the Creativity Within! Arvind Ramkrishna/Designer/Artist/Engineer The Driven to Draw Podcast will teach you how to solve problems visually, think outside the box, build your confidence, generate ideas, and innovate.You'll hear from top creative artists, designers, engineers, and photographers who share their techniques to create products, broaden their creative abilities, and share the benefits of thinking visually.No matter your background or area of expertise, Driven to Draw will be your constant motivator to help you become your best…and Unleash the Creative Within! Prompt / AI Podcast from Japan Inyu | prompt engineer JPN I'm a Japanese prompt engineer. On this podcast, I talk about my job, research of AI and prompting. Mohammad Qutub Muslim Central Dr. Mohammad Qutub is an Islamic scholar with several decades of experience as a teacher and orator. He completed his Master’s and PhD degrees in Uṣūl al-Dīn and Comparative Religion at the International Islamic University Malaysia (IIUM), and has several Ijāzahs (licenses) and certificates in Qur’an, Hadith, etc. He has spoken internationally in the Middle East, the U.S., and Southeast Asia and regularly holds intensive seminars and university lectures. His passions and research revolve around: Islamic thought and history, Qur’anic Tafsīr, scientific Iʿjāz (inimitability) in the Qur’an and Sunnah, and comparative religion. He teaches students of all different ages and backgrounds in-person and online. He is also an engineer by profession with a Bachelor of Science in Chemical Engineering from the U.S., and extensive experience in the field of Industrial Gases.

Frequently Asked Questions

How long is this episode of GRC Engineer?

This episode is 1 hour and 6 minutes long.

When was this GRC Engineer episode published?

This episode was published on December 2, 2025.

What is this episode about?

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc---What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building...

Can I download this GRC Engineer episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!