Security & GRC Decoded

PODCAST · technology


How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and adherent to regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!

  1. 35

    From Compliance Theater to GRC Infrastructure: Why AI Breaks Traditional GRC ft Jasmine Kaur, Principal of Security & Assurance Engineering @ CoreWeave

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Jasmine Kaur, Principal of Security & Assurance Engineering at CoreWeave, to explore how AI-native infrastructure is fundamentally reshaping GRC. Drawing from her experience at companies like SAP, Google, and now an AI hyperscaler, Jasmine explains why traditional GRC models are failing in high-velocity, ephemeral environments—and what needs to replace them. From “GRC as infrastructure” to the rise of agentic GRC, this conversation dives into how compliance must evolve from a reactive audit function into a real-time assurance capability embedded directly into systems.

    Key Takeaways:
    - Traditional GRC models break in AI environments because systems are ephemeral and disappear before audits can validate them.
    - Compliance should be treated as a byproduct of strong risk modeling and control design—not the end goal.
    - GRC must evolve into an infrastructure-level capability that continuously emits assurance signals.
    - Agentic GRC is the next evolution beyond automation and CCM, enabling decision-capable systems with human oversight.
    - Future GRC teams must operate more like engineering and reliability functions rather than audit teams.

    What You’ll Learn:
    - Why AI infrastructure makes traditional audits ineffective
    - What “GRC as infrastructure” actually means in practice
    - How to move from point-in-time audits to continuous assurance
    - The difference between automation, CCM, and agentic GRC
    - How to position GRC as a proactive, business-critical function

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: https://www.compliancecow.com
    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest: Jasmine Kaur | Principal of Security & Assurance Engineering | CoreWeave
    Connect on LinkedIn: https://www.linkedin.com/in/jask31/

    Rate, review, and share if you enjoyed the show! Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

  2. 34

    The GRC Illusion: Why Third-Party Risk Is Still Broken ft Val Dobrushkin, Director of GRC @ Tricentis

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Val Dobrushkin, Director of GRC at Tricentis, to challenge one of the most overlooked failures in modern security programs: third-party risk management. Drawing from his experience building GRC programs at ForgeRock, NoName Security, and beyond, Val explains why most organizations are still stuck in compliance theater and how GRC teams can evolve into true business enablers. This conversation dives into the disconnect between frameworks and reality, the limits of SOC 2, the role of GRC in revenue and M&A outcomes, and why solving for today while building for the future is the key to long-term success.

    Key Takeaways:
    - Third-party risk management is fundamentally broken due to over-reliance on questionnaires and weak enforcement of meaningful controls.
    - SOC 2 is too flexible and inconsistent to be relied on as a true indicator of security maturity.
    - GRC has a unique advantage over security in directly demonstrating business value and revenue impact.
    - “Solve for now, build for later” is critical for startups and fast-growing companies preparing for IPO or acquisition.
    - Strong GRC programs can directly influence company valuation by identifying contractual and compliance gaps early.

    What You’ll Learn:
    - Why questionnaires and annual vendor reviews fail to capture real third-party risk
    - How GRC teams can prove revenue impact through customer trust and assurance
    - The hidden role of GRC in M&A, IPO readiness, and contract validation
    - Why most GRC metrics fail and what meaningful measurement should look like
    - How to implement a “solve now, build for future” strategy in fast-growing companies

    Connect With Our Guest: Val Dobrushkin | Director of GRC | Tricentis
    Connect on LinkedIn: https://www.linkedin.com/in/dobrushkin/

  3. 33

    GRC Is Broken... And Nobody Wants to Admit It ft Dylan O’Dell, AVP Information Risk Officer @ Manulife

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Dylan O’Dell, AVP Information Risk Officer at Manulife, to challenge one of the biggest assumptions in the industry: that GRC is working as intended. Dylan argues that most organizations are stuck in control-centric thinking and missing the true purpose of risk management — translating data into business decisions. Drawing from his background in Lean Six Sigma and large-scale enterprise risk, Dylan breaks down why GRC needs to evolve beyond audits and control testing into automation, orchestration, and storytelling. This conversation explores how modern GRC teams can reduce operational friction, quantify real risk, and actually influence business outcomes.

    Key Takeaways:
    - GRC today is overly focused on control testing rather than true risk management and decision-making.
    - Automation should eliminate manual audit friction — not just make existing processes faster.
    - The future GRC professional must combine technical awareness with storytelling, influence, and business understanding.
    - Risk management should be rooted in probability and financial impact — not pass/fail compliance.
    - GRC teams can unlock funding and influence by tying their work directly to revenue, cost savings, and business outcomes.

    What You’ll Learn:
    - Why the “three lines of defense” model often breaks down in practice.
    - How to translate technical data into meaningful business risk narratives.
    - What modern GRC automation should actually look like (beyond tools).
    - How to position GRC as a revenue enabler — not just a cost center.
    - Why “start with why” is critical for influencing stakeholders and reducing friction.

    Connect With Our Guest: Dylan O’Dell | AVP Information Risk Officer | Manulife
    Connect on LinkedIn: https://www.linkedin.com/in/dylan-odell-72a06412b/

  4. 32

    Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they are fundamentally communication disciplines. From using analogies to explain vulnerabilities, to reframing GRC as the “Draymond Green” of cybersecurity, Steven shows how the best security leaders translate complexity into clarity, help the business make better decisions, and meet people where they are instead of overwhelming them with jargon.

    Key Takeaways:
    - Security and GRC succeed when they communicate clearly to humans, not when they simply present more technical detail.
    - The best GRC teams act as guides that help the business make reasonable, compliant, cyber-conscious decisions.
    - Metrics only matter when they drive a clear outcome or decision, not when they exist for their own sake.
    - Strong GRC teams build trust by doing the hard, cross-functional work that others often avoid.
    - Storytelling is a core security skill because people act on messages they understand, remember, and relate to.

    What You’ll Learn:
    - Why Steven believes security is ultimately a human communication problem.
    - How to tailor security messaging for engineering leaders, CISOs, and business stakeholders.
    - What “guardrails not gates” looks like in a practical GRC program.
    - How to think about data, metrics, and reporting without overwhelming your audience.
    - Why AI may change the consumption layer of GRC, but not eliminate the human need for storytelling.

    Connect With Our Guest: Steven Asifo | Director of Security & GRC | Yahoo
    Connect on LinkedIn: https://www.linkedin.com/in/asifosays/

  5. 31

    The 3 Year GRC Reckoning: Customer Trust, Real-Time Assurance, and the Future of Risk ft Bryan Culp, Senior Director of Customer Trust @ Box

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Bryan Culp, Senior Director of Customer Trust at Box, to explore how governance, risk, and compliance is evolving beyond certifications and into real-time trust. Bryan shares why the next two to three years will fundamentally change how GRC operates — driven by automation, AI, large financial institutions demanding real-time internal metrics, and growing pressure to translate security posture into business language. From managing both customer trust and third-party risk at Box, Bryan offers a rare dual perspective: how companies present assurance to customers while simultaneously evaluating vendors themselves. This conversation challenges the idea that certifications alone create security and makes the case for risk being the true language of leadership.

    Key Takeaways:
    - Customer Trust is not traditional GRC — it translates security and compliance work into business confidence for customers.
    - Certifications enable market access, but they do not eliminate breach risk.
    - Risk must be communicated in executive language to influence real business decisions.
    - Large financial institutions are beginning to demand real-time internal security metrics instead of snapshot audits.
    - AI is transforming GRC workflows — not to cut people, but to enable deeper, higher-value analysis.

    What You’ll Learn:
    - Why Bryan believes GRC will look materially different in the next 2–3 years.
    - How Customer Trust functions differently from compliance and audit teams.
    - Why certifications alone cannot prevent major security incidents.
    - What “real-time assurance” could look like for large SaaS companies.
    - How to think about AI and automation as long-term growth enablers in GRC.

    Connect With Our Guest: Bryan Culp | Senior Director of Customer Trust | Box
    Connect on LinkedIn: https://www.linkedin.com/in/bryanculp/

  6. 30

    When GRC Stops Watching and Starts Working ft Ryan Schoeller, Director of Security & GRC @ Treasure Data

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Ryan Schoeller, Director of Security & GRC at Treasure Data, to challenge one of the most deeply rooted assumptions in the industry: that GRC should stay passive and “independent.” Drawing from his experience across startups, mid-market tech companies, and large enterprises, Ryan argues that the most effective GRC teams are the ones that actively participate in control monitoring, risk management, and operational decision-making. This conversation goes beyond audits and checklists, exploring how GRC can truly drive business value by protecting revenue, enabling growth, and embedding risk thinking into everyday operations.

    Key Takeaways:
    - GRC delivers the most value when it actively participates in monitoring controls, not just validating them after the fact.
    - Risk is the most critical — and most neglected — pillar of GRC, often confused with gaps or vulnerabilities.
    - Strong relationships with engineering and business teams are essential for GRC to gain meaningful access to data.
    - GRC engineering is not just about writing code; it’s about applying an engineering mindset to workflows, tooling, and processes.
    - Automation alone is not a business case — value comes from how freed-up time is reinvested.

    What You’ll Learn:
    - Why the “three lines of defense” model often breaks down in real organizations
    - How GRC teams can reduce compliance theater by becoming more operational
    - The difference between a vulnerability, a gap, and an actual risk
    - How to build a business case for GRC automation that leadership will support
    - Why front-ending GRC work (sales assurance, customer trust) often matters more than backend audit prep

    Connect With Our Guest: Ryan Schoeller | Director of Security & GRC | Treasure Data
    Connect on LinkedIn: https://www.linkedin.com/in/ryanschoeller/

  7. 29

    Does GRC Belong Outside Security? The Case for an Independent Second Line ft Charles Nwatu - GRC Engineering Leader

    What if GRC shouldn’t sit inside Security at all—and what if the bigger problem isn’t automation, but what you do after you automate? In this episode, Raj Krishnamurthy sits down with Charles Nwatu (former Security GRC Engineering & Assurance leader at Netflix) for a candid, systems-level conversation about why “annual audit rituals” fail modern engineering, how GRC can produce high-fidelity signals that strengthen security decision-making, and why the next wave of GRC engineering is about analytics, specifications, and business impact—not just speeding up evidence collection.

    Key Takeaways:
    - GRC is a continuous discipline—point-in-time compliance can help, but it can’t be the end state.
    - Automation is necessary but not sufficient: the real value is in turning collected evidence into actionable insights.
    - Specifications enable measurement—without clear expected behaviors, security metrics become inconsistent and hard to compare.
    - GRC can feed security with high-fidelity signals (like identity/access review metadata) that improve posture beyond audit readiness.
    - Third-party risk doesn’t “finish”—the goal is visibility, data lineage awareness, and making the mess less messy.

    What You’ll Learn:
    - Where Charles believes GRC should sit org-wise—and why Security should be a “customer” of GRC
    - What “shift-left GRC” looks like in practice (beyond annual audits)
    - Why “efficiency savings” don’t automatically equal “security value”
    - How to think about metrics, specifications, and risk in a shared language
    - Why third-party risk management is “unsolvable,” and how to build guardrails anyway

    Connect With Our Guest: Charles Nwatu | GRC Engineering Leader
    Connect on LinkedIn: https://www.linkedin.com/in/cnwatu/

  8. 28

    GRC Is an Engineering Discipline. Not a Checklist. ft Akhila Chitiprolu, Head of Security & GRC @ Sierra

    GRC has long been seen as abstract, manual, and disconnected from how modern engineering teams actually work, but that narrative is breaking down. In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Akhila Chitiprolu, Head of Security & GRC at Sierra, to explore why GRC must be treated as an engineering discipline, not a compliance afterthought. Drawing from her experience across T-Mobile, Expedia, Stripe, and AI-native companies, Akhila explains how systems thinking, automation, and shared ownership can radically reduce compliance toil while increasing trust. This conversation goes deep into GRC engineering, audit realities, automation tradeoffs, and what the future of compliance looks like in an AI-driven world.

    Key Takeaways:
    - GRC works best when treated as a system with inputs, processes, outputs, and feedback loops.
    - Automation should focus on intent and outcomes, not blindly speeding up broken manual processes.
    - GRC professionals act as a middleware layer between engineers, auditors, and customers.
    - Not all controls should be automated — but 70% can be, with humans in the loop where it matters.
    - The future of GRC depends on engineering mindset, context, and trust, not checklists.

    What You’ll Learn:
    - Why GRC is fundamentally a systems engineering problem
    - How to reduce engineering toil without weakening audit posture
    - When automation helps — and when it creates false efficiency
    - How GRC teams should approach AI, agents, and non-deterministic systems
    - Practical ways to build a GRC engineering function over time

    Connect With Our Guest: Akhila Chitiprolu | Head of Security & GRC | Sierra
    Connect on LinkedIn: https://www.linkedin.com/in/akhilachitiprolu/

  9. 27

    GRC as a Growth Engine: From Checklists to Continuous Assurance ft Vivek Madan - Director of Security, Risk, and Compliance @ Fortinet

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Vivek Madan to unpack what it really means to run a modern GRC program inside a global cybersecurity company. Drawing from his journey across networking, security engineering, risk, and compliance, Vivek shares how GRC can function as a true business enabler—opening markets, accelerating revenue, and strengthening trust. This conversation stands out for its practical frameworks, real-world stories, and honest discussion about friction between engineering, security, auditors, and compliance teams, giving listeners a grounded view of how GRC works when it’s done right.

    Key Takeaways:
    - GRC works best when it is positioned as a growth enabler that unlocks new markets, not just a compliance checkbox.
    - Strong governance establishes foundational rules that allow security and risk decisions to scale consistently across the business.
    - Storytelling is a critical GRC skill—people align with compliance when they understand the “why,” not just the requirement.
    - Common controls frameworks reduce complexity when designed intentionally across global, application-specific, and product-specific needs.
    - Automation matters, but process automation is just as important as technical automation to reduce compliance friction.

    What You’ll Learn:
    - How GRC enables business expansion into regulated and global markets
    - Why compliance resistance exists—and how to overcome it
    - A practical 50–35–15 model for common controls frameworks
    - How to balance continuous assurance with annual audits
    - What modern GRC leaders look for when hiring talent

    Connect With Our Guest: Vivek Madan | Director of Security, Risk, and Compliance | Fortinet
    Connect on LinkedIn: https://www.linkedin.com/in/vivek-madan-cissp-ccsp/

  10. 26

    Audit ≠ Security: Building Auditable Controls in a High-Velocity World ft Varun Prasad, Cloud Security & Privacy Assurance @ BDO

    Audits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audits, Varun explains why “auditable controls” are the missing link between fast-moving engineering teams and slow, annual audit cycles — and how organizations can stop treating audits as an afterthought and start using them as a trust-building mechanism.

    Key Takeaways:
    - Audits are designed to provide reasonable assurance, not eliminate all risk.
    - The biggest failure in modern GRC is building controls that are automated but not auditable.
    - Continuous controls monitoring only works if auditors can validate completeness and accuracy.
    - Screenshots persist because they remain the clearest way to demonstrate system state over time.
    - Security controls should be built to improve posture first — and explained clearly second.

    What You’ll Learn:
    - Why audit skepticism is a feature, not a flaw
    - How internal and external audits serve fundamentally different purposes
    - Where continuous monitoring breaks down from an auditor’s perspective
    - What “auditable controls” actually mean in CI/CD environments
    - How AI can assist auditors without replacing human judgment

    Connect With Our Guest: Varun Prasad | Cloud Security & Privacy Assurance | BDO
    Connect on LinkedIn: https://www.linkedin.com/in/varunprasad/

  11. 25

    Scaling GRC Without the Chaos: How to Build Programs That Don’t Break ft Tom Scuderi, Senior Manager of Security & GRC @ LTK

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from reactive audits to continuous visibility. He breaks down why curated visibility beats blanket access, why SOC 2 should sharpen—not dilute—your security program, and how to anchor leadership decisions with meaningful risk data.

    Key Takeaways:
    - GRC only scales when its processes mirror how engineering teams already work.
    - SOC 2 should enhance your security program rather than becoming a superficial checkbox exercise.
    - Curated visibility reduces friction and improves cross-functional trust.
    - Clarity in ownership is the backbone of a scalable GRC function.
    - Continuous, context-driven evidence cuts audit fatigue and sharpens the entire program.

    What You’ll Learn:
    - How Tom built and matured GRC programs across four different companies.
    - Why engineering alignment is essential for sustainable compliance.
    - How curated visibility replaces access sprawl and accelerates audits.
    - The difference between risk-driven and compliance-driven GRC.
    - Why automation only works when underlying processes are mature.
    - How to structure ownership to reduce bottlenecks during SOC 2 and similar frameworks.

    Connect With Our Guest: Tom Scuderi | Senior Manager of Security & GRC | LTK
    Connect on LinkedIn: https://www.linkedin.com/in/tom-scuderi/

  12. 24

    Controls Are Promises: Rethinking GRC for Modern Security ft Sergio Alonso @ Rapid7

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Sergio Alonso, a seasoned GRC and information security leader at Rapid7, whose 17-year career spans auditing, high-regulation banking, blockchain innovation at Akamai, privacy GRC at Twitter, and now trust and governance in cybersecurity. Sergio breaks down how to translate legacy compliance thinking into modern engineering-aligned practices, why automation is the only scalable path forward, and how controls should be treated as “promises” that teams must honor every day. This conversation explores scaling GRC in high-velocity environments, reducing compliance fatigue, applying zero-knowledge principles to trust, and building the next generation of context-driven risk programs.

    Key Takeaways:
    - Automation is the only sustainable path to scaling GRC without increasing friction.
    - Controls should be viewed as “promises,” and audits as the consequence of keeping or breaking them.
    - Context — technical, business, and risk — is the primary driver of effective triage and prioritization.
    - GRC must evolve from a legacy function into a trust-driven, engineering-aligned discipline.
    - Zero-knowledge-style thinking may define the future of transparency and customer trust.

    What You’ll Learn:
    - How to adapt legacy compliance experience for cloud, SaaS, and fast-moving tech companies.
    - Why automation, evidence APIs, and GRC engineering are becoming non-negotiable.
    - How to reduce compliance fatigue using “meet once, meet many” principles.
    - Why context is the key to reducing noise from security tools.
    - How to partner with engineers using empathy, clarity, and strong framing.
    - Why trust and transparency are reshaping GRC inside cybersecurity companies.

    Connect With Our Guest: Sergio Alonso | GRC & Information Security Leader | Rapid7
    Connect on LinkedIn: https://www.linkedin.com/in/salonsor/
    Spotify: https://open.spotify.com/show/5xuvsT8HdJsa2sbhAFZQhL

  13. 23

    How Pragmatic Controls Build Trust Between GRC, Security, and Engineering ft Mukund Sarma, Deputy CISO @ Chime

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mukund Sarma, Deputy CISO and Head of Product Security at Chime, to explore what happens when governance, risk, and compliance teams work with engineering instead of against it. Mukund shares real-world lessons from a decade in security, explaining how to balance shift-left initiatives, build paved paths that reduce friction, and make compliance a natural byproduct of great engineering. This is a masterclass in aligning security, GRC, and DevOps for scale and sanity.

    5 Key Takeaways:
    - GRC isn’t a blocker—it’s a mirror that keeps security honest and accountable.
    - Strong security engineering automatically strengthens compliance outcomes.
    - Friction between security and engineering fades when empathy drives collaboration.
    - “Shift left” works best when paved paths and automation support developers.
    - Practical controls and continuous validation create sustainable, scalable governance.

    What You’ll Learn:
    - How to bridge silos between security, GRC, and engineering teams.
    - Why automation and continuous control monitoring are the future of compliance.
    - What “practical controls” really mean in modern DevSecOps environments.
    - How empathy and communication transform security culture.
    - Why compliance should follow great security engineering, not lead it.
    - Real-world examples from Chime’s approach to product security.

    Connect With Our Guest: Mukund Sarma | Deputy CISO and Head of Product Security | Chime
    Connect on LinkedIn: https://www.linkedin.com/in/sarmamukund/
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450?i=1000736617569

  14. 22

    How to Build Trust Between GRC and Engineering ft Tristan Ingold, Security GRC Program Manager at Meta

    How do you build real trust between GRC and engineering? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Tristan Ingold, Security GRC Program Manager at Meta. Tristan shares how consulting shaped his approach, why “policing” doesn’t work, and how GRC earns influence by acting as a partner to engineering -- not a blocker.

    He discusses the cultural friction between audit, security, and product teams, how to communicate in the language of engineering, and why the right role for GRC is a “sparring partner” that helps teams ship safer, faster. From reframing control objectives to focusing on evidence the business already produces, this conversation is a practical playbook for building credibility and velocity at the same time.

    5 Key Takeaways
    - Partnership Over Policing: GRC earns influence by modeling partnership behaviors and meeting teams where they are.
    - Translate Controls to Engineering: Use product language and existing telemetry; design evidence around the way the system actually works.
    - Make It Observable: Treat GRC like an observability layer -- surface risk signals the business already emits.
    - Tell the Story, Not the Score: Dashboards support the narrative; they aren’t the narrative. Lead with context and trade-offs.
    - Define the Right Role: The best GRC teams act as a sparring partner -- challenging, supportive, and focused on outcomes.

    What You’ll Learn
    - How to rebuild trust with engineering after “audit fatigue”
    - Practical ways to convert control requirements into product language
    - How to design evidence from logs, pipelines, and tickets you already have
    - When to push, when to partner, and how to escalate with credibility
    - Communicating risk trade-offs without killing roadmap velocity

    Connect With Our Guest: Tristan Ingold | Security GRC Program Manager | Meta

    This podcast is brought to you by ComplianceCow - the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Watch more episodes

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify
    Apple Podcasts

  15. 21

    Rethinking Risk: Data-Driven Decisions for Modern CISOs ft Tony Martin-Vegue

    In this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions.

    He breaks down Monte Carlo simulations, risk modeling, and the six levers that influence risk—all through a practical, approachable lens. Tony also explores how generative AI is transforming risk quantification and what every CISO, analyst, and engineer can do today to make risk measurable, actionable, and business-aligned.

    Key Takeaways
    - CRQ doesn’t require perfection—start with what you have and refine over time.
    - The most effective risk programs focus on directionally correct data, not precision.
    - Good risk scenarios clearly define asset, threat, and effect to avoid misalignment.
    - Generative AI accelerates scenario development, data research, and model creation.
    - CISOs should demand more from risk teams—move beyond “pick a color” heat maps.

    Topics Covered
    - Cyber risk quantification (CRQ)
    - Monte Carlo simulations and modeling
    - Risk scenario design and measurement
    - GRC and compliance integration
    - Generative AI in risk management
    - Moving from qualitative to quantitative risk
    - Improving risk hygiene and maturity
    - CISO leadership and risk culture

    What You’ll Learn
    - The difference between qualitative and quantitative risk methods
    - How to conduct your first risk quantification in Excel
    - Why Monte Carlo simulations are simpler than most think
    - How GRC, compliance, and security teams can collaborate effectively
    - The six levers that influence risk magnitude and frequency

    This podcast is brought to you by ComplianceCow: ComplianceCow helps enterprises automate GRC, shift compliance left, and continuously monitor controls across the business.
    Learn more at ComplianceCow.com

    Connect with our guest: Tony Martin-Vegue on LinkedIn
    Co-Chair, FAIR Institute San Francisco Chapter
    Former Risk Leader at Netflix and Gap Inc.
    Author, From Heat Maps to Histograms (coming 2026)

    Subscribe to Security & GRC Decoded on your favorite platform:
    Spotify
    Apple Podcasts
    Explore all episodes: ComplianceCow.com/podcast

  16. 20

    Why GRC Is More Than Compliance with Kenneth Moras | Head of Security GRC | Plaid

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Kenneth Moras, Head of Security GRC at Plaid. Kenneth shares his journey from web developer and pen tester to building GRC and assurance teams at scale across leading companies like Adobe, Meta, and now Plaid.

    The conversation explores how GRC must balance governance, risk, and compliance as distinct but interdependent functions — and why great programs require clarity, collaboration, and simplicity. Kenneth also dives into the origins of the Adobe Common Control Framework (CCF), co-authoring the Open Finance Data Security Standard (OFDSS), and how Plaid applies these principles to secure the future of fintech.

    From reducing GRC toil through engineering and automation, to the role of AI and LLMs in risk management, Kenneth makes the case that GRC isn’t just about passing audits — it’s about building trust, reducing risk, and enabling innovation.

    🔑 5 Key Takeaways
    🌐 Career Evolution: Kenneth’s path from developer to GRC leader shows how diverse skills — from IT audit to consulting — strengthen risk leadership.
    🏗️ Building Frameworks: Adobe CCF and OFDSS highlight the importance of reducing complexity and standardizing security controls for scalability.
    ⚖️ Governance vs. Risk vs. Compliance: These functions are distinct but must operate in harmony; misalignment creates organizational risk.
    🤖 AI in GRC: Generative AI and MCP tools are shifting GRC from “click ops” to “chat ops,” enabling faster risk assessment and reducing toil.
    🚀 GRC as an Enabler: Done right, GRC accelerates innovation by providing clarity, trust, and measurable security benefits.

    📘 What You’ll Learn
    - How to build a GRC program from scratch in a hyper-growth company.
    - Why governance, risk, and compliance require unique skill sets but interlock as checks and balances.
    - The story behind Adobe’s CCF and why Plaid open-sourced OFDSS.
    - How AI and automation are changing GRC engineering and risk management.
    - What Kenneth looks for when hiring the next generation of GRC professionals.

    📺 Watch more episodes: https://www.compliancecow.com/podcast

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: www.compliancecow.com

    🔗 Connect With Our Guest: Kenneth Moras | Head of Security GRC at Plaid

    ⭐ Stay Connected: Rate, review, and subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify
    Apple Podcasts

  17. 19

    “This GRC Space is Hot!” with Varun Gurnaney, Staff Security Engineer at Apple

    How does a software engineer become a GRC leader? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Varun Gurnaney, Staff Security Engineer at Apple. Varun shares his journey from writing janky Python scripts for compliance evidence collection to shaping the discipline of GRC engineering at some of the world’s biggest companies.

    He discusses the cultural and technical gaps between security, engineering, GRC, and audit — and how automation can bridge them. From building one control really well to proving value through audit automation, Varun lays out why the GRC space is hotter than ever. This conversation is a must-listen for anyone navigating compliance at scale.

    🔑 5 Key Takeaways
    - Compliance ≠ Security: Passing audits is not enough — engineering-driven GRC is the future.
    - Start Small: Automate one control well to prove value before scaling automation.
    - Bridging Teams: Cultural friction between engineering, security, GRC, and audit is real — empathy and communication reduce the pain.
    - Audit Anxiety: Audit automation is about reducing anxiety and toil as much as passing audits.
    - GRC Engineering is a Discipline: Whether it lives inside GRC or security, automation is now essential.

    📚 What You’ll Learn
    - How Varun transitioned from software engineering into GRC leadership
    - Why compliance automation looks different for SMBs, mid-market, and enterprises
    - The technical and cultural blockers between engineering and GRC
    - Practical strategies for proving automation value internally
    - How generative AI and coding agents will shape audit and compliance automation

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    📺 Watch more episodes and learn from top leaders in the GRC space!

    Connect With Our Guest: Varun Gurnaney | Staff Security Engineer | Apple

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify
    Apple Podcasts

  18. 18

    Risk in Dollars: The Future of GRC Measurement ft Ramya Subramanian, Director of GRC @ Freshworks

    How does a network engineer become a GRC leader? Ramya Subramanian’s journey spans nearly two decades across IT, security, and governance. Now serving as Director of GRC & Privacy Operations at Freshworks, she joins Raj to unpack the evolving role of GRC: from quantifying risk and managing compliance debt to building automation that doesn’t slow engineering down.

    Ramya also shares how storytelling, PR-style evangelism, and simplifying policies can shift the perception of GRC from policing to business enabler. This episode is a playbook for anyone trying to modernize risk and compliance in fast-moving environments.

    5 Key Takeaways
    - Engineer’s edge in GRC: Why Ramya’s technical background makes her approach to governance unique.
    - Quantifying risk with dollars: Why risk measurement needs financial context, not just “likelihood x impact.”
    - Automation as a path forward: How Freshworks is reducing compliance toil for engineers.
    - Simplify policies and awareness: Cutting policy docs by 90% and building bite-sized security training.
    - GRC as PR: Storytelling and evangelism can reframe GRC as a business enabler, not a blocker.

    What You’ll Learn
    - How GRC and security complement each other
    - Challenges of risk quantification and continuous measurement
    - Why engineers perceive GRC as compliance tax
    - How automation and GRC engineering can reduce manual effort
    - The cultural perception of GRC and how to change it

    ⏱️ (Approximate) Timestamps
    [00:01:43] From network engineer to GRC leader
    [00:03:37] How Ramya defines Governance, Risk, and Compliance
    [00:05:28] Quantifying risk: from controls to financial impact
    [00:07:41] Why continuous risk measurement is so hard
    [00:11:49] How others perceive GRC inside organizations
    [00:13:43] Changing the “policing” perception of GRC
    [00:17:50] Rewriting policies & security awareness at Freshworks
    [00:19:38] Bringing auditors along the journey
    [00:21:33] Reducing compliance tax with automation
    [00:26:10] Why GRC needs engineering skills
    [00:29:58] Technical vs non-technical sides of GRC
    [00:31:47] Skills Ramya looks for when hiring
    [00:33:53] Generative AI’s impact on GRC
    [00:37:49] Dream GRC solution: context-aware automation
    [00:39:32] Building a business case for automation
    [00:44:00] Who should tell the GRC automation story?
    [00:45:54] Challenges with auditors in the AI era
    [00:46:49] From city editor to GRC leader — storytelling roots
    [00:52:26] Rajinikanth’s influence at Freshworks

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest: Ramya Subramanian | Director of GRC & Privacy Operations | Freshworks
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

  19. 17

    Compliance ≠ Security: It Sets the Foundation ft Evan Millman, Security GRC Manager @ Abnormal AI

    What’s the true relationship between compliance and security? According to Evan Millman, compliance may not be security—but it’s the necessary starting point for building it.

    In this episode, Raj sits down with Evan to explore how organizations can shift their GRC approach from reactive checkbox checking to a proactive and risk-informed security practice. Evan shares stories from his work at Abnormal.AI, lessons from scaling GRC in fast-moving environments, and practical advice for anyone trying to align controls with business objectives.

    5 Key Takeaways:
    - Compliance is not the destination — but it is the framework for real security conversations.
    - Say no to overkill — Right-size controls based on business needs, not frameworks.
    - Decentralized GRC works — but only if there’s shared ownership and trust.
    - “GRC therapy” is real — and it starts with building internal relationships.
    - Metrics matter — but only when they tell a story that drives action.

    What You’ll Learn:
    - Why compliance ≠ security (but still matters)
    - The pitfalls of checklist-first GRC programs
    - How to build GRC partnerships across product and engineering teams
    - Why business-aligned storytelling is the future of risk communication
    - How Abnormal Security approaches frameworks like SOC 2 and ISO 27001

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest: Evan Millman | Security GRC Manager | Abnormal AI
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

    🕒 (Approximate) Timestamps
    [00:02:40] What makes Evan passionate about security GRC?
    [00:04:30] How compliance ≠ security — and why that distinction matters
    [00:06:50] When GRC goes wrong: overkill, checklists, and inefficiency
    [00:10:15] Building trust by embedding security into product discussions
    [00:14:40] Right-sizing controls: starting with SOC 2 vs ISO 27001
    [00:18:10] Managing a decentralized GRC team at Abnormal
    [00:23:02] Metrics and storytelling — what the board actually wants
    [00:29:45] Why GRC leaders need emotional intelligence and empathy
    [00:35:20] What GRC professionals can learn from product managers
    [00:39:11] Evan’s advice to vendors trying to break into GRC
    [00:41:05] How GRC can (and should) enable product velocity
    [00:44:55] If he could wave a magic wand, what would Evan fix in GRC?

  20. 16

    Cyber Economics and Keeping Up with Innovation ft Trupti Shiralkar (Cybersecurity Leader & Advisor)

    What trade-offs are you willing to make in cybersecurity? In this episode of Security & GRC Decoded, host Raj Krishnamurthy is joined by Trupti Shiralkar, a seasoned cybersecurity leader and Advisory Board Member at Backslash Security, to explore how risk, ROI, and real-world constraints shape modern security programs. With decades of experience across AppSec, security architecture, and risk governance, Trupti brings a rare blend of deep technical insight and strategic thinking.

    They dive into cyber economics, AI-driven tooling, and why security storytelling may soon matter more than fear-based metrics. Whether you're a security veteran or just entering the space, this is a must-listen on staying relevant and effective in the age of automation.

    5 Key Takeaways
    - Cybersecurity is about trade-offs – No org can secure everything; knowing what to ignore is just as critical.
    - LLMs can’t fully replace layered defense – Copilots help, but context and reachability still matter.
    - ROI matters more than ever – Security teams must prove business value in language execs understand.
    - Storytelling wins boardrooms – Fear, uncertainty, and doubt (FUD) is out. Framing risk with narrative is in.
    - Reinvent or be replaced – AI won’t eliminate jobs—it’ll replace outdated versions of them.

    What You’ll Learn
    - How cyber economics helps frame decision-making
    - The evolving role of LLMs and software composition tools in vulnerability management
    - Why OWASP hasn’t solved insecure code after decades
    - How to prioritize reachability over volume
    - What developers and security pros should focus on to stay relevant

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest: Trupti Shiralkar | Advisory Board Member, Backslash Security
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

    Timestamps (Approx)
    [00:00] Intro
    [02:47] Why cyber economics goes beyond traditional budgeting
    [06:10] Introduction of grey swan events and the need for proactive innovation
    [10:10] Aligning compliance and security using LLMs
    [16:56] Reducing cognitive load in cybersecurity decision-making
    [20:00] Budgeting for innovation: Lessons from Trupti’s past security leadership
    [23:00] Difference between cyber economics and cyber risk quantification
    [33:50] The misunderstood strategic role of GRC
    [54:30] How meditation and mindfulness help navigate the security world
    [57:15] Trupti’s final shout-outs to historic and modern tech inspirations

  21. 15

    Why Security And GRC Teams Must Act Like Service Teams ft Jiphun Satapathy from Medallia

    Jiphun Satapathy has built and scaled security organizations at AWS, Snowflake, and now Medallia. In this episode, he joins our host Raj to explore the evolving role of CISOs as strategic business leaders. They discuss the importance of treating security as a service organization, how to handle vendor noise, and why insider risk is often overlooked. You’ll hear practical advice for security and GRC leaders working in AI-first, high-growth environments—and how to maintain trust across engineering, compliance, and executive teams.

    Key Takeaways
    - Security as a Service Function: Security should empower—not block—the business. Jiphun shares how his team supports product, engineering, and sales.
    - Vendor Engagement Matters: CISOs who ignore vendors miss out on innovation. But filtering the noise is key.
    - Insider Risk is Real: Not rogue employees, but everyday developer behavior is a top source of risk.
    - Modern GRC Requires Technical Fluency: Especially in AI-first companies, GRC teams must understand the tech stack to stay relevant.
    - Earn Trust Through Action: Metrics matter, but culture and execution are what build credibility with boards, customers, and engineers.

    What You’ll Learn
    - How to build a risk-based security roadmap that keeps pace with rapid development
    - The role of security in shaping culture across a global org
    - How startups can engage CISOs without falling into FUD tactics

    This episode is brought to you by ComplianceCow — the smarter way to automate compliance and monitor controls.
    -- Learn more at compliancecow.com
    -- Connect with Jiphun on LinkedIn: linkedin.com/in/jiphunsatapathy

    🎧 Rate, review, and share if you enjoyed the show!
    🎙 Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

    (Approximate) Timestamps:
    [00:01:48] Jiphun challenges CISO aversion to vendor engagement
    [00:03:25] Filtering vendors based on prioritized security needs
    [00:06:24] Empowering teams with bottom-up decision-making
    [00:08:15] Driving culture change and making security a productivity enabler
    [00:11:33] MFA example showing how to improve both security and UX
    [00:15:25] Treating internal stakeholders as customers
    [00:21:02] Measuring risk with frameworks and metrics
    [00:30:22] Using automation to align security cadence with CI/CD pipelines
    [00:32:47] Insider risk and why it belongs on board slides
    [00:42:33] Empowering devs by reducing vulnerability noise
    [00:51:22] Why healthy paranoia is essential in AI adoption
    [00:56:51] Why GRC teams must be technical in AI-first environments
    [01:03:15] Advice to security startups: stop with the FUD
    [01:07:02] Coping strategies for CISO stress and burnout
    [01:09:60] Books and mentors that shaped Jiphun’s leadership journey

  22. 14

    Preetam Joshi Breaks Down ML, LLMs, AI Agents, and Governance Challenges

    How do you make sense of security, governance, and risk in an age of black-box AI? This week, Raj is joined by Preetam Joshi, founder of Aimon Labs and machine learning veteran with experience at DRDO, Yahoo, Netflix, and Thumbtack. Together, they break down the technical evolution behind large language models (LLMs), explore the real challenges of explainability, and discuss why GRC teams must rethink risk in the age of autonomous reasoning systems.

    Preetam brings a rare mix of hands-on ML expertise and practical experience deploying LLMs in enterprise environments. If you’ve been wondering how transformers work, what explainability really means, or why AI governance is still a mess — this episode is for you.

    5 Key Takeaways:
    - From DRDO to Netflix to Aimon Labs — Preetam’s career journey shows the intersection of machine learning, security, and entrepreneurship.
    - How Transformers Work — A simple breakdown of encoder/decoder architecture, embeddings, and attention mechanisms.
    - Explainability in AI — What it meant in traditional ML... and why it’s nearly impossible with today’s LLMs.
    - Rule-Based Logic Isn’t Dead — In high-stakes environments, deterministic systems still matter.
    - Bridging AI & GRC — Practical steps for model security, auditing, and compliance in non-deterministic systems.

    📌 Take Action
    - Visit ComplianceCow.com/podcast to catch all episodes
    - Connect with Preetam on LinkedIn
    - Follow the show on Spotify and Apple Podcasts

    Security & GRC Decoded is brought to you by ComplianceCow — the platform for proactive, automated compliance.
    🎧 Subscribe, rate, and share if this episode sparked a thought.

    ⏱ Timestamps (approx.)
    00:00 – Intro
    01:11 – Welcome Preetam to the show
    03:20 – What has been your favorite experience working in AI so far?
    07:08 – What is transformer architecture and how does it work?
    10:23 – How do LLMs solve problems like math or reasoning?
    12:38 – Where do agents fit in the LLM ecosystem?
    16:07 – How does reinforcement learning apply to AI models?
    21:33 – What does explainability mean in ML?
    24:55 – Can you explain the limitations of SHAP and parameter-level reasoning?
    27:33 – What does GRC look like in the LLM age?
    30:58 – What does AIMon Labs actually do?
    35:00 – Why is reliability a challenge with LLMs?
    39:15 – Where does GRC intersect with AI deployment and compliance?
    41:30 – What is fine-tuning and when is it useful?
    44:43 – Is Retrieval Augmented Generation (RAG) still relevant with longer context windows?
    47:29 – How do we guard against LLM misuse and toxic output?
    49:43 – How can LLMs overexpose sensitive company data?
    53:28 – Advice for those starting a career in AI or ML
    55:34 – What are your favorite models right now?

  23. 13

    RGC, Not GRC: Why Risk Comes First ft Ricky Waldron

    What if compliance wasn't just about passing audits—but about building trust from the ground up?

    In this powerful episode of Security & GRC Decoded, Raj sits down with Ricky Waldron, Director of Security Audit & GRC at Navan, whose GRC experience spans tech giants like Microsoft, Disney, Oracle, and Smartsheet. Ricky shares how GRC is evolving into a strategic business partner, why automation and technical fluency are no longer optional, and what it takes to make compliance an engine of trust, not a blocker.

    From FedRAMP horror stories to generative AI workflows, this conversation dives deep into the future of governance, risk, and compliance—and why it's time for GRC teams to start thinking like engineers.

    🔑 5 Key Takeaways
    💥 Compliance = Security (If Done Right): Internal compliance based on risk and business needs often leads to stronger security outcomes than external certifications alone.
    🤝 Stop Policing, Start Partnering: GRC shouldn’t just point out problems—it should offer solutions and collaborate with teams to reduce risk.
    📊 Quantify Risk to Speak Leadership’s Language: Turn technical risk into business impact using frameworks like FAIR to get buy-in and budget.
    ⚙️ Automation Is GRC’s Future: From policy drafting with AI to continuous control monitoring, GRC teams must become technical and leverage automation.
    🧩 GRC as a Sales Enabler: GRC isn't just an internal function—it builds trust with customers, shortens sales cycles, and helps close deals.

    ✅ Take Action
    - Explore risk-first approaches: Lead with R in GRC to align controls with actual business risks.
    - Invest in automation: Save engineering hours and scale audits with continuous evidence collection.
    - Use GenAI wisely: Leverage it for speed, but ensure strong human review before anything goes to auditors.

    🔗 Powered by ComplianceCow.com – automate audits, collect evidence continuously, and shift GRC left.
    🎧 Subscribe to Security & GRC Decoded for weekly insights from today’s top compliance leaders.
    💼 Connect with Ricky Waldron on LinkedIn.

    ⏱ Timestamps (approx.)
    00:00 – Intro
    01:35 – Hot take on GRC
    04:31 – Why GRC & Security clash
    08:44 – GRC is storytelling
    12:57 – Risk comes before compliance
    16:08 – How to talk risk with execs
    20:41 – Trust as a compliance goal
    24:50 – Keeping your promises
    27:54 – Why GRC struggles with automation
    33:15 – Speaking engineers’ language
    38:50 – GRC as the customer conduit
    45:00 – GRC as sales enablement
    47:15 – How Ricky learned FedRAMP
    50:20 – What is FedRAMP 20X?
    52:27 – Why OSCAL hasn’t taken off
    56:15 – Would you use OSCAL commercially?
    58:36 – GenAI in GRC workflows
    1:02:31 – Using AI with auditors
    1:06:45 – State of GRC tooling
    1:12:30 – Getting budget for automation

  24. 12

    What Does ‘Technical’ Even Mean in GRC? ft Alan Luk @ Grammarly

    Is it time to stop pretending GRC is technical? Alan Luk makes the case for a new kind of compliance leader—and it might surprise you.

    In this sharp and unfiltered episode of Security & GRC Decoded, Alan Luk, Director of GRC at Grammarly (and former Microsoft and PwC leader), joins Raj to dismantle common myths about GRC—and why even your engineers might be thinking about it all wrong.

    Drawing from over 20 years of experience, Alan makes the case for why GRC should be seen as a program management function, not a technical one—and how that shift unlocks better controls, less friction with engineering, and less painful audits. From audit war stories to his vision for continuous assurance, Alan brings blunt honesty, practical insight, and some well-earned hot takes to the mic.

    🔑 Key Takeaways:
    ✅ Why most companies—and even GRC pros—misunderstand what GRC is actually for
    ✅ How PM skills (not coding) unlock stronger GRC outcomes and happier engineers
    ✅ What good compliance teams do before audit season to avoid chaos
    ✅ Why control owners—not GRC—should own the metrics (and what to do if they don’t)
    ✅ A bold vision for the future: GRC as an observability layer, not an evidence factory

    🎯 Take Action:
    → Rethink what GRC really means inside your org: is it a service, a blocker, or a translator?
    → Audit your compliance program’s audit readiness—do you have metrics or just screenshots?
    → Share this episode with your PMs, engineers, or auditors who still think GRC is just check-the-box

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.
    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.
    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Alan Luk:
    💼 LinkedIn: https://www.linkedin.com/in/alan-luk-4027b29/
    🌐 Company: https://www.grammarly.com

  25. 11

    No More Compliance Theater: Meet Real Security Compliance with Adam Brennick

    Is it time to rethink SOC 2? (Spoiler: Adam thinks so—and he’s got the receipts.) In this insightful episode of Security & GRC Decoded, Adam Brennick, Director of Security Risk & Compliance at Cockroach Labs, joins Raj to challenge the status quo of SOC 2, compliance culture, and how GRC teams should operate in a modern, engineering-driven world.

    With a unique perspective from leading both security and GRC functions, Adam shares why today’s compliance efforts often miss the mark—and how we can fix that. From his hot takes on “a la carte” SOC 2 to building automation-first programs that actually reduce risk, Adam brings clarity, conviction, and practical wisdom to the mic.

    Key Takeaways:
    ✅ Why SOC 2 should be customizable—and how that shift would improve both trust and transparency
    ✅ How GRC, security, and trust functions intersect (and where they often break down)
    ✅ The role of “vibe coding” and AI in enabling GRC engineering
    ✅ Real-world strategies for building a balanced, high-impact GRC team
    ✅ How to make a bulletproof business case for compliance automation using data (not just complaints)

    Take Action:
    → Reflect on your own compliance program: Is it outcome-driven or check-the-box?
    → Re-evaluate how your GRC, security, and engineering teams collaborate
    → Share this episode with teammates who care about making compliance actually matter

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.
    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.
    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Adam Brennick:
    💼 LinkedIn: https://www.linkedin.com/in/adam-brennick-959352158/
    🌐 Company: https://www.cockroachlabs.com/

  26. 10

    Can Compliance Be Cool? Harness's Andrew Spangler Thinks So

    In this episode of Security and GRC Decoded, Raj Krishnamurthy sits down with Andrew Spangler, Director of Security and GRC at Harness, to explore how compliance engineering can go far beyond checkboxes—and actually drive innovation.

    Andrew shares his journey from building the compliance engineering function at Datadog to scaling automation and visibility across the SDLC at Harness. He dives into how using internal platforms for security workflows (aka “drinking your own champagne”) can unlock time savings and risk reduction, especially in areas like vulnerability management and secure software delivery.

    Key Takeaways:
    ✅ How compliance automation builds credibility and supports innovation.
    ✅ Lessons from building compliance engineering at Datadog.
    ✅ Harnessing the power of SBOMs and supply chain security.
    ✅ Practical uses of generative AI and ChatGPT for GRC workflows.
    ✅ The future of democratized threat modeling.
    ✅ Advice for new grads entering security and GRC.
    ✅ Podcast recommendations that go beyond the security bubble.

    Whether you're leading a GRC team or just getting started in the field, this conversation will expand how you think about security, compliance, and the role of curiosity in technical leadership. Listen now to learn how modern GRC teams are shaping the future of secure software delivery.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Learn More About How ComplianceCow Can Help Your GRC Team Today!
    Click Here 👉 https://www.compliancecow.com/

    🚀 Enjoying The Show?! 🚀 Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

    Learn More / Connect with Andrew Spangler
    If you enjoyed this conversation and want to learn more about Andrew Spangler, connect with him directly:
    💼 LinkedIn: https://www.linkedin.com/in/atspangler/
    🌐 Company: https://www.harness.io/

  27. 9

    From Compliance to SBOMs: Josh Bressers’ Take on Security

    In this episode, Raj Krishnamurthy sits down with Josh Bressers, VP of Security at Anchore and longtime leader in the open source security space. With decades of experience, Josh brings a candid and compelling perspective on everything from the chaos of early cybersecurity days to the nuanced challenges of SBOMs and compliance in today’s world.

    Josh reflects on how he entered the security world before there were formal certifications or programs, how community and curiosity fuel innovation in open source, and why the relationships you build are often the most valuable asset in your career. He also dives into exciting new work with the SBOM Everywhere Working Group and shares how GenAI is helping categorize the sprawling ecosystem of SBOM tools.

    Key Takeaways:
    ✅ GRC teams often overburden themselves with audits.
    ✅ Embracing a product manager mindset helps GRC teams drive security initiatives.
    ✅ Technical knowledge empowers GRC professionals to enhance security programs.
    ✅ Changing perceptions of GRC within organizations is crucial for success.
    ✅ Proactive strategies can elevate GRC’s role and reputation.
    ✅ Integrating privacy into GRC frameworks strengthens compliance efforts.
    ✅ High Trust certification is achievable on a budget.
    ✅ Automation can significantly improve GRC efficiency and reduce redundancy.
    ✅ Overlapping audit timelines minimizes disruption and streamlines processes.
    ✅ Discipline from endurance sports fosters focus, resilience, and growth.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Learn More About How ComplianceCow Can Help Your GRC Team Today!
    🚀 Enjoying The Show?! 🚀 Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

    Learn More / Connect with Josh Bressers:
    If you enjoyed this conversation and want to dive deeper into Josh Bressers’s insights on GRC, cybersecurity, and building effective security programs, connect with him directly:
    💼 LinkedIn: https://www.linkedin.com/in/joshbressers/
    🌐 Company: https://anchore.com/

  28. 8

    From Cruise to Whatnot: Kieran Pierman’s GRC Playbook

    In this episode, Raj Krishnamurthy sits down with Kieran Pierman, GRC & Security at Whatnot, and a former security, risk and compliance leader at Cruise and Dropbox, to explore fresh perspectives on Security & GRC. Kieran opens with a bold stance: data breaches, while critical, aren't the top threat they used to be. Instead, he argues, maintaining availability and service uptime is now paramount. Drawing from his unique experience building the foundational GRC program at Cruise, a pioneering self-driving car company, Kieran reveals how managing cybersecurity risks took on profound urgency—literally life-and-death implications—when securing autonomous vehicles.

    Throughout the conversation, Kieran shares actionable insights on:
    ✅ Why availability and uptime are today's most critical security priorities.
    ✅ How building GRC at Cruise required an uncompromising security posture due to the potential consequences of vehicle security breaches.
    ✅ Why GRC should be seen as an engineering discipline rather than a checkbox function.
    ✅ Practical strategies to shift GRC from a cost center to a profit-driving role.
    ✅ The importance of automation, technical fluency, and proactive risk management.
    ✅ Balancing preventative and detective controls to optimize both security and business agility.
    ✅ Tips on working effectively with auditors to enhance, rather than hinder, security maturity.

    Tune in to learn how adopting a proactive, engineering-minded approach can elevate your GRC program from compliance-driven to business-critical.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Learn how ComplianceCow can enhance your GRC efforts today!
    🚀 Enjoying the Show?! 🚀 Don't forget to rate, review, and subscribe to ensure you don't miss out on expert insights from industry leaders shaping the future of security and compliance.

    Learn More / Connect with Kieran Pierman
    💼 LinkedIn: Kieran Pierman
    🌐 Company: Whatnot

  29. 7

    Is Your GRC Team Technical Enough? (Probably Not...) ft. Jeevan Singh @ Rippling

    Ever wondered if your GRC team should be writing code? (Spoiler alert: Jeevan thinks they probably should.) In this eye-opening episode of Security & GRC Decoded, Jeevan Singh, Director of Security Engineering at Rippling, joins Raj to challenge traditional views of Governance, Risk, and Compliance (GRC). Jeevan passionately argues why GRC teams must become more technical, automated, and deeply integrated into engineering processes to truly protect and enable businesses. Drawing from his experience at Segment and Rippling, he provides actionable insights and real-world examples to transform compliance from a bureaucratic burden into a proactive, engineering-driven function.

    Key Takeaways:
    ✅ Why having technical GRC teams leads to dramatically stronger security outcomes
    ✅ How automating compliance tasks can eliminate toil and boost productivity
    ✅ Practical steps to shift your compliance culture from reactive to proactive
    ✅ The real difference between CVSS and CWSS vulnerability scoring systems
    ✅ Strategies for fostering productive friction between GRC and engineering teams

    Take Action:
    → Assess your own GRC team’s technical depth: Could automation improve your compliance posture?
    → Discuss these insights with your security and engineering leaders
    → Share this episode with your team and spark important conversations around GRC innovation

    👉 Follow Security & GRC Decoded to stay ahead on the latest insights and trends in security, compliance, and risk management.
    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Learn how ComplianceCow can elevate your GRC team today!
    🚀 Enjoying The Show? Rate and review the podcast to support the show and let us know you're enjoying the content!

    💬 Connect with Jeevan Singh:
    💼 LinkedIn: https://www.linkedin.com/in/jeevansecurity/
    🌐 Company: https://www.rippling.com/

  30. 6

    Why GRC Teams Are Failing — And How to Fix It with Shobhit Mehta

    In this episode, Raj Krishnamurthy interviews Shobhit Mehta, Director of Security and Compliance at Headspace, to uncover valuable insights into the evolving world of Governance, Risk, and Compliance (GRC). Shobhit shares his controversial perspective on GRC teams overburdening themselves, emphasizing the need for GRC professionals to expand their technical expertise and embrace a product management mindset. The conversation dives into proactive strategies for GRC success, the importance of integrating privacy into compliance frameworks, and actionable tips for achieving High Trust certification on a budget. Shobhit also reflects on how his endurance sports journey has shaped his approach to discipline and resilience in both his personal and professional life. Tune in to learn how automation, innovation, and strategic thinking can transform your GRC efforts.

    Key Takeaways:
    ✅ GRC teams often overburden themselves with audits.
    ✅ Embracing a product manager mindset helps GRC teams drive security initiatives.
    ✅ Technical knowledge empowers GRC professionals to enhance security programs.
    ✅ Changing perceptions of GRC within organizations is crucial for success.
    ✅ Proactive strategies can elevate GRC’s role and reputation.
    ✅ Integrating privacy into GRC frameworks strengthens compliance efforts.
    ✅ High Trust certification is achievable on a budget.
    ✅ Automation can significantly improve GRC efficiency and reduce redundancy.
    ✅ Overlapping audit timelines minimizes disruption and streamlines processes.
    ✅ Discipline from endurance sports fosters focus, resilience, and growth.

    Listen now to gain actionable insights and elevate your GRC strategy.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Learn More About How ComplianceCow Can Help Your GRC Team Today!
    🚀 Enjoying The Show?! 🚀 Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

    Learn More / Connect with Shobhit Mehta
    If you enjoyed this conversation and want to dive deeper into Shobhit Mehta’s insights on GRC, cybersecurity, and building effective security programs, connect with him directly:
    💼 LinkedIn:

  31. 5

    Engineering Better Relationships: Why We Should Shift GRC Left w/ Ayoub Fandi @ Gitlab

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy (CEO of ComplianceCow) sits down with Ayoub Fandi, a Staff Security Assurance Engineer at GitLab and co-author of the GRC Engineering Manifesto, for a deep dive into the evolution of GRC through an engineering lens.

    Ayoub shares how his background in consulting and cloud-native startups led him to question the traditional, checklist-heavy approach to GRC—and why embracing real-time data, automation, and developer-friendly processes is the key to building stronger security and compliance programs. He also reveals his controversial perspective on external certifications—explaining why they can sometimes feel overrated—and makes the case for continuous, risk-based assurance that truly reflects an organization’s security posture. If you’ve ever felt the “cognitive dissonance” of outdated compliance controls in a modern engineering world, this conversation is a must-listen.

    Key Takeaways
    ✅ Bridging the Gap with Engineering: How GRC teams can embed themselves into developers’ workflows (e.g., JIRA, pull requests) to gain more accurate data and achieve real-time compliance insights.
    ✅ Continuous vs. Annual Audits: The advantages of leveraging APIs and automation to monitor control effectiveness in near real-time, instead of relying on point-in-time evidence.
    ✅ Rethinking External Certifications: Why these certifications can be a misleading representation of true security and how GRC professionals can ensure audits deliver real value.
    ✅ Building a Modern GRC Program: Practical tips on designing policies and controls that align with fast-paced, cloud-native environments—minus the “waterfall mentality.”

    Tune in to hear why GRC must evolve alongside today’s DevOps-driven world, and how you can unlock greater efficiency, credibility, and trust by adopting an engineering-first approach to governance, risk, and compliance.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance. Learn More About How ComplianceCow Can Help Your GRC Team Today!

    🎙️ Follow Ayoub Fandi: Stay connected with Ayoub’s insights and experiences by following him on LinkedIn:

  32. 4

    Security Unfiltered: Carlos Batista on GRC, Leadership, and Risk Realities

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy, CEO of ComplianceCow, sits down with Carlos Batista—former CISO and AWS Security Engineering Leader—to explore the evolving landscape of security, governance, and risk management. Carlos shares his journey from leading security in highly regulated industries like banking and energy to championing large-scale security engineering at AWS. Together, they discuss how effective GRC programs can move beyond “checkbox” compliance to become true business enablers—accelerating growth, deepening customer trust, and supporting innovation across the enterprise.

    Key takeaways include:
    ✅ Security Awareness & Practical Investments: Why Carlos believes traditional security awareness can be overrated, and how investing in secure-by-design infrastructure may deliver more value.
    ✅ Third-Party Risk Management: Insights on why TPRM remains fractured, and what it’ll take to move from endless vendor questionnaires to streamlined trust and assurance.
    ✅ CISO Stress & Leadership: How security leaders can manage the personal and legal pressures of the role, build credibility, and foster healthy collaboration with engineering teams.
    ✅ Future of GRC: From infrastructure-as-code to automagically patching vulnerabilities—where Carlos sees security, compliance, and governance headed next.

    Tune in to hear practical insights, real-world strategies, and a fresh perspective on the intersection of security, compliance, and business success in today’s fast-changing regulatory landscape.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance. Learn More About How ComplianceCow Can Help Your GRC Team Today!

    🎙️ Follow Carlos Batista: Stay connected with Carlos’s insights and experiences by following him on LinkedIn: linkedin.com/in/carlos-m-batista/

  33. 3

    Navigating DeepSeek’s AI Risks: Insights for Security & Compliance Teams

    In this episode of Security & GRC Decoded, Raj Krishnamurthy, CEO of ComplianceCow, sits down with Walter Haydock, CEO of StackAware, to discuss the evolving landscape of AI security, governance, risk, and compliance (GRC). Walter shares insights on emerging AI threats, the importance of ISO 42001 certification, and the challenges organizations face when integrating AI into their security and compliance programs.

    Key topics include:
    - DeepSeek and AI Privacy Risks
    - Regulatory Challenges in AI Security & Compliance
    - The Intersection of AI Governance and GRC
    - Building a Business Case for AI Security Programs
    - How Security & GRC Teams Can Adapt to Rapid AI Developments

    This episode is packed with practical insights for security leaders, compliance professionals, and anyone navigating the risks and opportunities of AI-driven security.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Subscribe now for expert insights from industry leaders shaping the future of security & compliance. Learn more about ComplianceCow and how we can help your GRC teams!

    💡 Connect with Walter Haydock 💡
    For more insights on AI security, governance, and compliance, follow Walter Haydock:
    🔗 LinkedIn: Walter Haydock
    📖 Blog: Deploy Securely
    📷 Instagram: @walter.haydock
    🌐 Company Website: StackAware
    Stay updated on AI risk management, compliance automation, and emerging security threats by checking out his latest content! 🚀

    ⏳ Timestamps & Key Moments
    [00:00] – Introduction. Host Raj Krishnamurthy welcomes Walter Haydock, CEO of StackAware. Overview of today’s discussion: AI security, governance, and compliance trends.
    [01:30] – DeepSeek Controversy & AI Security Risks. What is DeepSeek and why is it concerning for AI security & privacy? The risks of AI-generated synthetic data and compliance implications.
    [04:15] – The Evolution of AI SaaS & Security Challenges. The rise of AI-powered SaaS tools and the security risks they introduce. AI adoption without security & compliance considerations.
    [07:10] – Walter’s Background: From Physical Security to AI Governance. Transition from defense & physical security to cybersecurity & AI GRC. The importance of risk intelligence and automation in modern security.
    [10:25] – The Intersection of AI, GRC, & Security Governance. Who should own AI governance? Security teams, compliance, or legal? How AI challenges traditional risk management frameworks.
    [13:40] – AI & Compliance: The Role of ISO 42001. What is ISO 42001 and how does it apply to AI governance? How companies can align AI security strategies with compliance.

  34. 2

    Security, Compliance & Customer Trust: The Evolution of GRC at Scale | feat. Abhay Kshirsagar from Salesforce

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy, CEO of ComplianceCow, sits down with Abhay Kshirsagar, Director of Security Services and Tools at Salesforce, to explore the evolving landscape of security, compliance, and customer assurance. Abhay shares his journey from IT audit and risk advisory to leading compliance automation, continuous monitoring, and customer assurance at industry giants like Cisco and now Salesforce. They discuss how compliance programs can move beyond checkboxes to become strategic enablers of business growth, unlocking new markets, influencing revenue, and strengthening customer trust.

    Key takeaways include:
    ✅ Compliance Automation & Risk Reduction: How automation is transforming GRC processes and reducing engineering burdens.
    ✅ Customer Assurance as a Competitive Advantage: Why transparency and trust are becoming business differentiators.
    ✅ Metrics That Matter: How compliance teams can track and demonstrate their impact beyond regulatory requirements.
    ✅ Future of GRC: The shift towards predictive security, self-service platforms, and risk-driven compliance models.

    Tune in to hear practical insights, real-world strategies, and a fresh perspective on the intersection of security, compliance, and business success in today's fast-changing regulatory landscape.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Subscribe now for expert insights from industry leaders shaping the future of security & compliance. Learn More About How ComplianceCow Can Help Your GRC Team Today!

    📌 Episode Timestamps
    00:00 - Introduction. Host Raj Krishnamurthy introduces the episode and guest Abhay Kshirsagar, Director of Security Services & Tools at Salesforce.
    02:15 - Abhay’s Background & Journey into Security & GRC. From Temple University to IT Audit & Cybersecurity. Early career in risk advisory and SOX ITGC. Transition to Silicon Valley and working on SOC 2 & ISO 27001.
    08:45 - Joining Cisco & Building the Cloud Controls Framework (CCF). Creating Cisco’s CCF and open-sourcing it. Moving from compliance into product security and automation.
    13:30 - Defining Security, Compliance & Customer Assurance. Security = Protection, Compliance = Following Rules, Assurance = Transparency. How these functions overlap and why customer assurance is critical.
    18:50 - GRC & Its Role in Business Growth. How compliance unlocks market access & revenue growth. The real value of security & compliance programs beyond checkboxes.
    23:20 - Customer Assurance & Measuring Customer Trust. “What makes customers sad” – tracking gaps in compliance programs. Why SOC 2 isn’t enough for modern supply chain security.
    28:00 - Industry Trends: Automation, Transparency & Supply Chain Security. The rise of compliance automation and reducing engineering burdens. The role of SBOM (Software Bill of Materials) & SSDF in supply chain security.
    34:10 - The Challenge of Security Transparency. How to

  35. 1

    From Risk-Based to Trust-Based: Evolving GRC with Netflix’s Mosi Platt

    In the premiere episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mosi Platt, Senior Security Compliance Engineer at Netflix, to explore his unconventional journey into security and governance, risk, and compliance (GRC). From his first exposure to computers in his aunt’s home lab to becoming a leader in IT audits and compliance, Mosi shares the pivotal moments that shaped his career.

    Together, they unpack the realities vs. myths of security governance, why risk quantification is still an unresolved debate, and how security and GRC teams can move from reactive compliance to proactive trust-building. They also dive into the SEC’s cybersecurity materiality rules, digital transformation in compliance, and the shift from risk-based to trust-based security models. This episode is packed with insights for security leaders, compliance professionals, and anyone looking to understand the evolving landscape of security and GRC. Tune in to learn how leading with truth, adapting to change, and embracing value creation can transform the way organizations approach compliance and security assurance.

    🎧 Listen now and decode the future of Security & GRC! Learn more about ComplianceCow and how we can help your GRC teams!

    🎤 Guest Contact Information:
    Mosi Platt, Senior Security Compliance Engineer at Netflix
    🔗 LinkedIn: https://www.linkedin.com/in/mosi-k-platt/

    ⏱ Timestamps:
    0:00  Introduction & Host
    0:38  Mosi’s Journey (IT Training to Security Consulting)
    6:50  Early Career in Compliance (IT Audits)
    10:44 Defining Security & GRC (3 Pillars)
    12:38 Myth of Security Governance (CISO Oversight)
    14:48 State of GRC Today (Risk Quantification & SEC Regs)
    19:30 SEC Cybersecurity Materiality Rules
    24:12 Adapting GRC Strategies (People, Process, Tech)
    30:10 Building a Security GRC Program (ISO 27001 Steps)
    35:00 Risk-Based vs. Trust-Based Security
    41:55 Getting Executive Buy-In (Truth vs. Fear)
    45:28 Inheriting a GRC Program (Evaluate & Optimize)
    49:17 Future of GRC & Digital Transformation
    52:37 The Perfect GRC Solution (Automated Compliance)
    56:00 Recommended Books & Podcasts
    58:30 Final Thoughts & Key Takeaways

    🔗 Additional Resources:
    📚 Books:
    Investments Unlimited by IT Revolution: https://itrevolution.com/product/investments-unlimited/
    Emergency Skin by N.K. Jemisin (Audiobook): https://www.audible.com/pd/Emergency-Skin-Audiobook/1978650841



HOSTED BY

Raj Krishnamurthy
