Security & GRC Decoded
How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible security GRC and ensuring their organizations’ are safe, secure and adhere to regulatory mandates. Security & GRC Decoded brings you: + Actionable strategies. + Expert insights. + Real-world stories to elevate your Security GRC programs. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed.
info_outline
From Cruise to Whatnot: Kieran Pierman’s GRC Playbook
04/17/2025
From Cruise to Whatnot: Kieran Pierman’s GRC Playbook
In this episode, Raj Krishnamurthy sits down with , GRC & Security at , and a former security, risk and compliance leader at Cruise and Dropbox, to explore fresh perspectives on Security & GRC. Kieran opens with a bold stance: data breaches, while critical, aren't the top threat they used to be. Instead, he argues, maintaining availability and service uptime is now paramount. Drawing from his unique experience building the foundational GRC program at Cruise, a pioneering self-driving car company, Kieran reveals how managing cybersecurity risks took on profound urgency—literally life-and-death implications—when securing autonomous vehicles. Throughout the conversation, Kieran shares actionable insights on: ✅ Why availability and uptime are today's most critical security priorities. ✅ How building GRC at Cruise required an uncompromising security posture due to the potential consequences of vehicle security breaches. ✅ Why GRC should be seen as an engineering discipline rather than a checkbox function. ✅ Practical strategies to shift GRC from a cost center to a profit-driving role. ✅ The importance of automation, technical fluency, and proactive risk management. ✅ Balancing preventative and detective controls to optimize both security and business agility. ✅ Tips on working effectively with auditors to enhance, rather than hinder, security maturity. Tune in to learn how adopting a proactive, engineering-minded approach can elevate your GRC program from compliance-driven to business-critical. 🎙️ Security & GRC Decoded is brought to you by ComplianceCow. 🚀 Enjoying the Show?! 🚀 Don't forget to rate, review, and subscribe to ensure you don't miss out on expert insights from industry leaders shaping the future of security and compliance. Learn More / Connect with Kieran Pierman 💼 LinkedIn: 🌐 Company:
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35979150
info_outline
Is Your GRC Team Technical Enough? (Probably Not...) ft. Jeevan Singh @ Rippling
04/03/2025
Is Your GRC Team Technical Enough? (Probably Not...) ft. Jeevan Singh @ Rippling
Ever wondered if your GRC team should be writing code? (Spoiler alert: Jeevan thinks they probably should.) In this eye-opening episode of Security & GRC Decoded, Jeevan Singh, Director of Security Engineering at Rippling, joins Raj to challenge traditional views of Governance, Risk, and Compliance (GRC). Jeevan passionately argues why GRC teams must become more technical, automated, and deeply integrated into engineering processes to truly protect and enable businesses. Drawing from his experience at Segment and Rippling, he provides actionable insights and real-world examples to transform compliance from a bureaucratic burden into a proactive, engineering-driven function. Key Takeaways: ✅ Why having technical GRC teams leads to dramatically stronger security outcomes ✅ How automating compliance tasks can eliminate toil and boost productivity ✅ Practical steps to shift your compliance culture from reactive to proactive ✅ The real difference between CVSS and CWSS vulnerability scoring systems ✅ Strategies for fostering productive friction between GRC and engineering teams Take Action: Assess your own GRC team’s technical depth: Could automation improve your compliance posture? Discuss these insights with your security and engineering leaders Share this episode with your team and spark important conversations around GRC innovation 👉 Follow Security & GRC Decoded to stay ahead on the latest insights and trends in security, compliance, and risk management. 🎙️ Security & GRC Decoded is brought to you by . Learn how ComplianceCow can elevate your GRC team today! 🚀 Enjoying The Show? Rate and review the podcast to support the show and let us know you're enjoying the content! 💬 Connect with Jeevan Singh: 💼 LinkedIn: 🌐 Company:
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35844095
info_outline
Why GRC Teams Are Failing — And How to Fix It with Shobhit Mehta
03/20/2025
Why GRC Teams Are Failing — And How to Fix It with Shobhit Mehta
In this episode, Raj Krishnamurthy interviews , Director of Security and Compliance at , to uncover valuable insights into the evolving world of Governance, Risk, and Compliance (GRC). Shobhit shares his controversial perspective on GRC teams overburdening themselves, emphasizing the need for GRC professionals to expand their technical expertise and embrace a product management mindset. The conversation dives into proactive strategies for GRC success, the importance of integrating privacy into compliance frameworks, and actionable tips for achieving High Trust certification on a budget. Shobhit also reflects on how his endurance sports journey has shaped his approach to discipline and resilience in both his personal and professional life. Tune in to learn how automation, innovation, and strategic thinking can transform your GRC efforts. Key Takeaways: ✅ GRC teams often overburden themselves with audits. ✅ Embracing a product manager mindset helps GRC teams drive security initiatives. ✅ Technical knowledge empowers GRC professionals to enhance security programs. ✅ Changing perceptions of GRC within organizations is crucial for success. ✅ Proactive strategies can elevate GRC’s role and reputation. ✅ Integrating privacy into GRC frameworks strengthens compliance efforts. ✅ High Trust certification is achievable on a budget. ✅ Automation can significantly improve GRC efficiency and reduce redundancy. ✅ Overlapping audit timelines minimizes disruption and streamlines processes. ✅ Discipline from endurance sports fosters focus, resilience, and growth. Listen now to gain actionable insights and elevate your GRC strategy. 🎙️ Security & GRC Decoded is brought to you by ComplianceCow. 🚀 Enjoying The Show?! 🚀 Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance. Learn More / Connect with Shobhit Mehta If you enjoyed this conversation and want to dive deeper into Shobit Mehta’s insights on GRC, cybersecurity, and building effective security programs, connect with him directly: 💼 LinkedIn: 🌐 Company:
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35702430
info_outline
Engineering Better Relationships: Why We Should Shift GRC Left w/ Ayoub Fandi @ Gitlab
03/06/2025
Engineering Better Relationships: Why We Should Shift GRC Left w/ Ayoub Fandi @ Gitlab
In this episode of Security & GRC Decoded, host Raj Krishnamurthy (CEO of ComplianceCow) sits down with , a Staff Security Assurance Engineer at GitLab and co-author of the GRC Engineering Manifesto, for a deep dive into the evolution of GRC through an engineering lens. Ayoub shares how his background in consulting and cloud-native startups led him to question the traditional, checklist-heavy approach to GRC—and why embracing real-time data, automation, and developer-friendly processes is the key to building stronger security and compliance programs. He also reveals his controversial perspective on external certifications—explaining why they can sometimes feel overrated—and makes the case for continuous, risk-based assurance that truly reflects an organization’s security posture. If you’ve ever felt the “cognitive dissonance” of outdated compliance controls in a modern engineering world, this conversation is a must-listen. Key Takeaways ✅ Bridging the Gap with Engineering: How GRC teams can embed themselves into developers’ workflows (e.g., JIRA, pull requests) to gain more accurate data and achieve real-time compliance insights. ✅ Continuous vs. Annual Audits: The advantages of leveraging APIs and automation to monitor control effectiveness in near real-time, instead of relying on point-in-time evidence. ✅ Rethinking External Certifications: Why these certifications can be a misleading representation of true security and how GRC professionals can ensure audits deliver real value. ✅ Building a Modern GRC Program: Practical tips on designing policies and controls that align with fast-paced, cloud-native environments—minus the “waterfall mentality.” Tune in to hear why GRC must evolve alongside today’s DevOps-driven world, and how you can unlock greater efficiency, credibility, and trust by adopting an engineering-first approach to governance, risk, and compliance. 🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance. 🎙️ Follow Ayoub Fandi: Stay connected with Carlos’s insights and experiences by following him on LinkedIn: https://www.linkedin.com/in/ayoubfandi/
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35486380
info_outline
Security Unfiltered: Carlos Batista on GRC, Leadership, and Risk Realities
02/20/2025
Security Unfiltered: Carlos Batista on GRC, Leadership, and Risk Realities
In this episode of Security & GRC Decoded, host Raj Krishnamurthy, CEO of ComplianceCow, sits down with —former CISO and AWS Security Engineering Leader—to explore the evolving landscape of security, governance, and risk management. Carlos shares his journey from leading security in highly regulated industries like banking and energy to championing large-scale security engineering at AWS. Together, they discuss how effective GRC programs can move beyond “checkbox” compliance to become true business enablers—accelerating growth, deepening customer trust, and supporting innovation across the enterprise. Key takeaways include: ✅ Security Awareness & Practical Investments: Why Carlos believes traditional security awareness can be overrated, and how investing in secure-by-design infrastructure may deliver more value. ✅ Third-Party Risk Management: Insights on why TPRM remains fractured, and what it’ll take to move from endless vendor questionnaires to streamlined trust and assurance. ✅ CISO Stress & Leadership: How security leaders can manage the personal and legal pressures of the role, build credibility, and foster healthy collaboration with engineering teams. ✅ Future of GRC: From infrastructure-as-code to automagically patching vulnerabilities—where Carlos sees security, compliance, and governance headed next. Tune in to hear practical insights, real-world strategies, and a fresh perspective on the intersection of security, compliance, and business success in today’s fast-changing regulatory landscape. 🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Make sure to rate and review the show to let us know you're enjoying the content! Subscribe now for expert insights from industry leaders shaping the future of security & compliance. 🎙️ Follow Carlos Batista: Stay connected with Carlos’s insights and experiences by following him on LinkedIn:
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35340160
info_outline
Security, Compliance & Customer Trust: The Evolution of GRC at Scale | feat. Abhay Kshirsagar from Salesforce
02/06/2025
Security, Compliance & Customer Trust: The Evolution of GRC at Scale | feat. Abhay Kshirsagar from Salesforce
In this episode of Security & GRC Decoded, host Raj Krishnamurthy, CEO of ComplianceCow, sits down with Abhay Kshirsagar, Director of Security Services and Tools at Salesforce, to explore the evolving landscape of security, compliance, and customer assurance. Abhay shares his journey from IT audit and risk advisory to leading compliance automation, continuous monitoring, and customer assurance at industry giants like Cisco and now Salesforce. They discuss how compliance programs can move beyond checkboxes to become strategic enablers of business growth, unlocking new markets, influencing revenue, and strengthening customer trust. Key takeaways include: ✅ Compliance Automation & Risk Reduction: How automation is transforming GRC processes and reducing engineering burdens. ✅ Customer Assurance as a Competitive Advantage: Why transparency and trust are becoming business differentiators. ✅ Metrics That Matter: How compliance teams can track and demonstrate their impact beyond regulatory requirements. ✅ Future of GRC: The shift towards predictive security, self-service platforms, and risk-driven compliance models. Tune in to hear practical insights, real-world strategies, and a fresh perspective on the intersection of security, compliance, and business success in today's fast-changing regulatory landscape. 🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Subscribe now for expert insights from industry leaders shaping the future of security & compliance. 📌 Episode Timestamps 00:00 - Introduction Host Raj Krishnamurthy introduces the episode and guest Abhay Kshirsagar, Director of Security Services & Tools at Salesforce. 02:15 - Abhay’s Background & Journey into Security & GRC From Temple University to IT Audit & Cybersecurity. Early career in risk advisory and SOX ITGC. Transition to Silicon Valley and working on SOC 2 & ISO 27001. 08:45 - Joining Cisco & Building the Cloud Controls Framework (CCF) Creating Cisco’s CCF and open-sourcing it. Moving from compliance into product security and automation. 13:30 - Defining Security, Compliance & Customer Assurance Security = Protection, Compliance = Following Rules, Assurance = Transparency. How these functions overlap and why customer assurance is critical. 18:50 - GRC & Its Role in Business Growth How compliance unlocks market access & revenue growth. The real value of security & compliance programs beyond checkboxes. 23:20 - Customer Assurance & Measuring Customer Trust “What makes customers sad” – tracking gaps in compliance programs. Why SOC 2 isn’t enough for modern supply chain security. 28:00 - Industry Trends: Automation, Transparency & Supply Chain Security The rise of compliance automation and reducing engineering burdens. The role of SBOM (Software Bill of Materials) & SSDF in supply chain security. 34:10 - The Challenge of Security Transparency How to balance transparency with protecting sensitive data. The need for industry-wide frameworks for disclosure. 38:30 - Building a Business Case for GRC with Leadership The 4 key areas of GRC impact: ✅ Unlocking market access ✅ Staying regulatory compliant ✅ Managing security risks ✅ Improving customer trust Why compliance isn’t just about cutting costs – it’s about business enablement. 45:00 - Starting & Scaling a Security GRC Program Step 1: Asset Management – Know your crown jewels. Step 2: Risk Assessment – Prioritize real threats. Step 3: Certification Strategy – Reduce compliance fatigue. Step 4: Automation – Continuous monitoring & control checks. 52:20 - Compliance Automation: What’s Next? How to move beyond traditional automation to predictive security models. Using historical data for proactive risk management. 58:40 - The Future of GRC: AI, Self-Service, and Security as a Business Enabler Building trust centers with AI-driven self-service. Reducing the burden on engineering with chatbots & automation. 1:03:15 - Book & Podcast Recommendations How to Measure Anything in Cybersecurity Risk 📖 Why staying connected with industry peers is critical for solving GRC challenges. 1:06:30 - Closing Thoughts & Takeaways Final advice for security & GRC teams: ✅ Build strong relationships with engineering & leadership. ✅ Focus on risk-driven compliance, not just regulatory checklists. ✅ Leverage metrics & automation for better decision-making. 1:09:15 - Outro Where to follow Abhay Kshirsagar and ComplianceCow for more insights.
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35078780
info_outline
Navigating DeepSeek’s AI Risks: Insights for Security & Compliance Teams
02/06/2025
Navigating DeepSeek’s AI Risks: Insights for Security & Compliance Teams
In this episode of Security & GRC Decoded, Raj Krishnamurthy, CEO of ComplianceCow, sits down with Walter Haydock, CEO of StackAware, to discuss the evolving landscape of AI security, governance, risk, and compliance (GRC). Walter shares insights on emerging AI threats, the importance of ISO 42001 certification, and the challenges organizations face when integrating AI into their security and compliance programs. Key topics include: DeepSeek and AI Privacy Risks Regulatory Challenges in AI Security & Compliance The Intersection of AI Governance and GRC Building a Business Case for AI Security Programs How Security & GRC Teams Can Adapt to Rapid AI Developments This episode is packed with practical insights for security leaders, compliance professionals, and anyone navigating the risks and opportunities of AI-driven security. 🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Subscribe now for expert insights from industry leaders shaping the future of security & compliance. 💡 Connect with Walter Haydock 💡 For more insights on AI security, governance, and compliance, follow Walter Haydock: 🔗 LinkedIn: 📖 Blog: 📷 Instagram: 🌐 Company Website: Stay updated on AI risk management, compliance automation, and emerging security threats by checking out his latest content! 🚀 ⏳ Timestamps & Key Moments [00:00] – Introduction Host Raj Krishnamurthy welcomes Walter Haydock, CEO of StackAware. Overview of today’s discussion: AI security, governance, and compliance trends. [01:30] – DeepSeek Controversy & AI Security Risks What is DeepSeek and why is it concerning for AI security & privacy? The risks of AI-generated synthetic data and compliance implications. [04:15] – The Evolution of AI SaaS & Security Challenges The rise of AI-powered SaaS tools and the security risks they introduce. AI adoption without security & compliance considerations. [07:10] – Walter’s Background: From Physical Security to AI Governance Transition from defense & physical security to cybersecurity & AI GRC. The importance of risk intelligence and automation in modern security. [10:25] – The Intersection of AI, GRC, & Security Governance Who should own AI governance? Security teams, compliance, or legal? How AI challenges traditional risk management frameworks. [13:40] – AI & Compliance: The Role of ISO 42001 What is ISO 42001 and how does it apply to AI governance? How companies can align AI security strategies with compliance. [17:05] – Building a Business Case for AI Security & Compliance How to justify AI governance investments to leadership. The real-world impact of AI-driven compliance failures. [21:15] – AI GRC in Practice: Where Companies Go Wrong The biggest mistakes companies make when implementing AI security programs. Why compliance automation is essential for scaling AI governance. [26:10] – AI in Security Operations: SOC Automation & Threat Detection How AI is transforming security operations centers (SOCs). Automated threat intelligence and its GRC implications. [30:30] – Advice for Security Leaders Inheriting GRC Programs Where to start when taking over a GRC or AI security program. Key frameworks & methodologies to adopt early on. [34:45] – AI Risk Management: How Companies Should Adapt The difference between traditional risk assessments vs AI-driven risks. The importance of continuous monitoring & real-time compliance checks. [38:20] – Closing Thoughts & Resources Walter’s recommended books, podcasts, and learning resources. Where to follow Walter Haydock: 📢 LinkedIn: 📖 Blog: [41:00] – Outro Final takeaways from Raj & Walter. Why AI governance is becoming a business-critical function.
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35155770
info_outline
From Risk-Based to Trust-Based: Evolving GRC with Netflix’s Mosi Platt
02/06/2025
From Risk-Based to Trust-Based: Evolving GRC with Netflix’s Mosi Platt
In the premiere episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mosi Platt, Senior Security Compliance Engineer at Netflix, to explore his unconventional journey into security and governance, risk, and compliance (GRC). From his first exposure to computers in his aunt’s home lab to becoming a leader in IT audits and compliance, Mosi shares the pivotal moments that shaped his career. Together, they unpack the realities vs. myths of security governance, why risk quantification is still an unresolved debate, and how security and GRC teams can move from reactive compliance to proactive trust-building. They also dive into the SEC’s cybersecurity materiality rules, digital transformation in compliance, and the shift from risk-based to trust-based security models. This episode is packed with insights for security leaders, compliance professionals, and anyone looking to understand the evolving landscape of security and GRC. Tune in to learn how leading with truth, adapting to change, and embracing value creation can transform the way organizations approach compliance and security assurance. 🎧 Listen now and decode the future of Security & GRC! 🎤 Guest Contact Information: Mosi Platt Senior Security Compliance Engineer at Netflix 🔗 LinkedIn: ⏱ Timestamps: 0:00 Introduction & Host 0:38 Mosi’s Journey (IT Training to Security Consulting) 6:50 Early Career in Compliance (IT Audits) 10:44 Defining Security & GRC (3 Pillars) 12:38 Myth of Security Governance (CISO Oversight) 14:48 State of GRC Today (Risk Quantification & SEC Regs) 19:30 SEC Cybersecurity Materiality Rules 24:12 Adapting GRC Strategies (People, Process, Tech) 30:10 Building a Security GRC Program (ISO 27001 Steps) 35:00 Risk-Based vs. Trust-Based Security 41:55 Getting Executive Buy-In (Truth vs. Fear) 45:28 Inheriting a GRC Program (Evaluate & Optimize) 49:17 Future of GRC & Digital Transformation 52:37 The Perfect GRC Solution (Automated Compliance) 56:00 Recommended Books & Podcasts 58:30 Final Thoughts & Key Takeaways 🔗 Additional Resources: 📚 Books: Investments Unlimited by IT Revolution: Emergency Skin by N.K. Jemisin (Audiobook): 🎧 Podcasts: Enterprise Security Weekly with Adrian Sanabria: Cybersecurity Where You Are by Center for Internet Security: 📌 Additional Resources & Links: Cyversity YouTube Channel - Four Quadrants Matrix presentation: ISACA Digital Trust Framework: Open Source Security Testing Methodology Manual (OSSTMM): FAIR (Factor Analysis of Information Risk) Framework: https://www.youtube.com/watch?v=Vf4mUd975H4
/episode/index/show/8bfad265-53cb-4468-9a46-dedf6d88e1b2/id/35078630