GRC Engineer

Ayoub Fandi

The podcast helping Security GRC practitioners getting their career to the next level. We speak with trailblazers, innovators and experts in the GRC realm that champion an engineering-minded GRC practice. Episodes are jam-packed with practical tips, concepts and use cases to help you scale your GRC program and create better relationships with your engineering and product colleagues.

  1. Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer

    6 SEPT

    Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer

    Check out grcengineer.com to learn more!SummaryIn this engaging conversation, Ayoub Fandi and Varun Gurnaney explore the evolving landscape of Governance, Risk, and Compliance (GRC) engineering. Varun shares his unique journey from cybersecurity to GRC, emphasizing the importance of automation and collaboration between engineering and compliance teams. They discuss the challenges faced in GRC, the philosophical aspects of risk management, and the future of compliance in a rapidly changing technological environment. The dialogue highlights the need for a more integrated approach to security and compliance, advocating for a shift towards real-time assessments and a deeper understanding of the technical landscape.Sound Bites"Screenshots are cool again.""Compliance should be free.""Don't get hacked is what I care about."TakeawaysVarun's journey into GRC began with a cybersecurity role at EY.The importance of automation in GRC processes is crucial for efficiency.Cultural differences in compliance approaches between small and large companies.GRC engineering is often misunderstood and underappreciated in larger organizations.The need for collaboration between GRC and engineering teams is essential for success.Risk management should be tied to real business impacts rather than just compliance checkboxes.The future of compliance may involve more automated and real-time assessments.Tools used in security can significantly enhance GRC efforts.Understanding the technical landscape is vital for effective GRC practices.The conversation highlights the philosophical aspects of compliance and risk management.Chapters00:00 Introduction and Guest Background02:42 Varun's Journey into GRC Engineering06:32 Comparing GRC in Different Company Sizes11:56 The Role of Automation in GRC17:34 Challenges in GRC Engineering23:26 The Future of Compliance and Risk Management29:03 The Importance of Collaboration in Security34:47 The Philosophy of Risk and Compliance40:33 The Role of Tools in GRC46:21 Final Thoughts on GRC and Future Directions

    57 min
  2. The GRC Engineering Blueprint for the Public Sector w/ Dr. Ibrahim Waziri Jr. from Google

    26 AUG

    The GRC Engineering Blueprint for the Public Sector w/ Dr. Ibrahim Waziri Jr. from Google

    To learn more, check out grcengineer.com Summary In this episode, Dr. Ibrahim Waziri Jr. shares his extensive experience in GRC engineering and cybersecurity, discussing the evolution of compliance from static documentation to dynamic, automated processes. He emphasizes the importance of GRC engineering in bridging different governance models and enhancing operational efficiency. The conversation also explores the challenges of bureaucracy in the public sector and the need for innovation in compliance practices. Dr. Waziri highlights the future of GRC engineering, focusing on regulatory acceleration and the potential for global harmonization in compliance frameworks. If you work in the Public Sector, this is a must-listen episode! Takeaways GRC engineering is transforming compliance into a dynamic, automated process. The complexities in GRC are numerous and growing, requiring innovative solutions. Automation in GRC can significantly enhance operational efficiency. Bureaucracy in the public sector can hinder innovation, but GRC can enable it. Regulatory acceleration is leading to faster compliance processes. Global harmonization of regulatory requirements is becoming increasingly necessary. The future of GRC engineering will involve more machine-readable formats. Understanding different governance models is crucial for GRC professionals. GRC architects are needed to navigate complex regulatory landscapes. The role of compliance is evolving to focus on mission continuity and resilience. Sound bites "The complexities in GRC are numerous and growing." "Regulatory acceleration is a new era for compliance." "The future of GRC is about global harmonisation." Chapters 00:00 Introduction to GRC Engineering and Guest Background 03:50 Dr. Ibrahim Waziri Jr.'s Journey in Cybersecurity 11:35 Defining GRC Engineering: A Transformative Approach 17:15 GRC Engineering Across Different Governance Models 22:40 The Role of Automation in GRC Engineering 28:46 Balancing Compliance and Innovation in Public Sector 36:45 Proving Impact in Mission-Driven Organisations 52:58 Balance between Bureaucracy and Critical Reviews 58:51 Future of GRC Engineering Keywords GRC engineering, cybersecurity, compliance, automation, insider risk management, regulatory frameworks, cloud security, national security, governance, risk management

    1h 9m
  3. Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

    29 JUL

    Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix

    To learn more, go to grcengineer.com SummaryIn this episode of the GRC Engineer podcast, host Ayoub interviews Tony Martin-Vegue, a seasoned expert in risk quantification and GRC engineering. They discuss Tony's career journey from IT to risk management, the importance of cyber risk quantification, and the interplay between governance, risk, and compliance. Tony shares insights on the benefits of risk assessments for various stakeholders, the role of AI in enhancing risk quantification, and practical tips for those looking to start their journey in cyber risk quantification. The conversation also touches on the philosophical aspects of risk management and the need for better decision-making frameworks in organizations. Takeaways - Tony has conducted around a thousand quantitative risk assessments in his career. - Risk quantification enables richer conversations with executives about trade-offs and investments. - GRC should be seen as a business enabler rather than a checklist. - Cyber risk quantification (CRQ) is a philosophy, while FAIR is a tool to implement it. - Stakeholders across the organization benefit from risk assessments in different ways. - AI can significantly reduce the time needed for data collection in risk assessments. - Understanding the philosophy of risk is crucial for effective risk management. - The majority of time in risk management is spent on identification and communication, not just modeling. - Organizations should focus on better decision-making rather than just remediation. - Security awareness training may not provide a good return on investment. Sound bites "FAIR gives you a package, a framework." "We need data to make better decisions." "Security awareness training doesn't work." Chapters 00:00 Introduction to GRC Engineering and Guest Background 02:39 Tony's Career Journey in Risk Management 06:49 The Shift to Cyber Risk Quantification 12:27 The Interplay of GRC: Governance, Risk, and Compliance 16:32 Understanding Cyber Risk Quantification and FAIR 23:13 Stakeholders Benefiting from Quantified Risk Assessments 28:32 Balancing Remediation Bias in Risk Management 34:13 Engaging with Risk Owners 39:49 The Philosophy of Risk Management 44:48 Quantifying Risk Activities 47:33 The Role of AI in Risk Assessment 52:21 Getting Started with Cyber Risk Quantification 01:01:04 Collaboration Between GRC Engineering and Risk Analysis 01:01:43 Challenging Conventional Wisdom on Security Training Keywords GRC Engineering, Cyber Risk Quantification, FAIR, Risk Management, Governance, Compliance, Risk Assessment, AI in Security, Stakeholder Engagement, Risk Acceptance

    1h 2m
  4. Beyond the API: GRC Engineering in the Real World w/ Ange Ferrari, CISO/SVP @ METRO AG

    1 JUL

    Beyond the API: GRC Engineering in the Real World w/ Ange Ferrari, CISO/SVP @ METRO AG

    Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe In this insightful episode of the GRC Engineering Podcast, host Ayoub Fandi sits down with Ange Ferrari, SVP & CISO at Metro Group, for a deep dive into how GRC has evolved over two decades and what it takes to scale security programs globally. Our expert guest:Ange is a security leader with 20+ years experience across public sector, retail giants (Carrefour, IKEA), AWS EMEA, and now leading security for a global wholesaler operating in 36 countries. We explore the evolution and engineering of GRC at enterprise scale, covering: How GRC became the key to career growth from technical roles to CISOWhy cloud transformation shattered traditional risk frameworksThe reality of implementing controls across diverse, global technology stacksHot Take: The critical balance between prevention and detection that most missAWS insider perspective: What enterprise-scale compliance really looks likeEngineering pragmatic GRC programs that work in messy, real-world environmentsWhether you're a CISO scaling global programs, a GRC professional in traditional industries, or anyone trying to make compliance work in complex enterprise environments, Ange shares battle-tested strategies from the front lines. 📋 Timestamps:00:00 - Introduction and Ange's Background02:57 - How GRC Enabled Career Growth06:34 - Evolution of GRC Practices Over Time14:52 - Common GRC Implementation Failures25:56 - Defining GRC Engineering33:01 - Where Should GRC Teams Report?39:20 - GRC Challenges in Complex Enterprise Environments49:05 - Lessons from the AWS Vendor Side59:46 - Building Technical Skills in GRC Teams01:03:39 - Hot Take: Prevention vs Detection Balance

    1h 9m
  5. Third-Party Risk Management from the Trenches w/ Blake, McKenna and Kristi | Experts Panel

    20 MAY

    Third-Party Risk Management from the Trenches w/ Blake, McKenna and Kristi | Experts Panel

    Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe In this premiere episode of the GRC Engineering Podcast Experts Panel, host Ayoub Fandi brings together three seasoned Third-Party Risk Management (TPRM) practitioners to discuss the real-world challenges and innovations in vendor security assessment.Our expert panelists:McKenna Yeakey (Netflix) - TPRM professional with previous experience at Splunk and SamsaraKristi Hoffmaster - TPRM practitioner with experience at OktaBlake Hoge (Airbnb) - TPRM professional with previous experiences at Instacart and SalesforceThey dive deep into the practical realities of TPRM, exploring:How to optimise questionnaires for different vendor risk tiersStrategies for balancing speed and thoroughness in assessmentsThe evolving value of SOC 2 and other third-party attestationsTrust Centres: genuine security resources or marketing tools?Security scoring platforms: their benefits and limitationsHow SaaS security tools can enhance TPRM programsReal-world stories from thousands of vendor assessmentsWhether you're a security professional, TPRM practitioner, or interested in understanding how companies evaluate their vendors, this episode provides valuable insights into how leading companies like Netflix and Airbnb approach third-party risk.Subscribe to the GRC Engineering Podcast for more expert discussions on governance, risk, and compliance engineering.00:00 - Introduction to the Experts Panel03:20 - Questionnaire optimisation approaches11:00 - Risk-based vendor tiering strategies18:00 - Balancing speed and thoroughness in assessments26:45 - Netflix's way of integrating TPRM30:05 - Declining value of certification and attestations37:30 - Trust Centres: helpful or just marketing?44:30 - Security scoring platforms: useful signals or noise?49:40 - Kristi pulls a reverse UNO card and asks Ayoub about TPRM disruptions52:45 - SaaS Security tools for TPRM programs58:25 - Interesting vendor assessment stories01:05:00 - Closing thoughts on TPRM's value#TPRM #VendorSecurity #RiskManagement #GRCEngineering #SupplyChainSecurity

    1h 7m
  6. The Unfiltered GRC Automation Roundtable: 7 Platform Executives on Enterprise GRC & Commoditisation

    25 MAR

    The Unfiltered GRC Automation Roundtable: 7 Platform Executives on Enterprise GRC & Commoditisation

    In this groundbreaking episode of the GRC Engineering Podcast, we bring together executives from the 7 leading GRC automation platforms for an unprecedented discussion on the future of compliance automation. For the first time ever, leaders from Vanta, Drata, Anecdotes, Secureframe, Sprinto, Scrut Automation, and Thoropass share the same virtual stage to debate critical industry topics, challenge common assumptions, and share their visions for the future of GRC.Featured Guests:Jake Bernardes - CISO, AnecdotesMatt Hillary - CISO, DrataJeremy Epling - Chief Product Officer, VantaShrav Mehta - Founder & CEO, SecureframeGirish Redekar - Co-founder & CEO, SprintoNicholas Muy - CISO, Scrut AutomationAndrew Persons - VP of Product, ThoropassFrom the commoditisation debate to enterprise adoption challenges, get unique insights into how these platforms are shaping the future of GRC.Key Timestamps:00:00 Introduction and guest introductions09:00 Is compliance being commoditised? The vendor perspective32:30 Is Assurance impacted from selling compliance to non-GRC stakeholders49:30 If quality was very low, most GRC automation firms would be out of business54:30 Selling GRC automation to enterprise customers01:19:00 Working around existing legacy GRC platforms01:34:30 Risk of being replaceable as being embedded at the data layer01:38:40 Working with product feedback from non-customers01:46:45 GRC Engineering discussion01:50:00 Conclusion and key takeawaysSpecial thanks to our guests for making this historic conversation possible.This discussion represents a turning point in how we think about GRC automation and its role in modern organisations.#GRCEngineering

    1h 53m
  7. Scaling GRC Engineering: The Definitive Guide w/ Akhila Chitiprolu from Sierra | S2E3

    18 MAR

    Scaling GRC Engineering: The Definitive Guide w/ Akhila Chitiprolu from Sierra | S2E3

    If you enjoy the podcast, feel free to subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe In this episode of The GRC Engineering Podcast, host Ayoub Fandi speaks with Akhila Chitiprolu, head of GRC at Sierra and former GRC leader at Stripe, Expedia, and T-Mobile. Akhila shares her journey from engineering to GRC leadership and offers deep insights on transforming traditional compliance into engineering-driven programs that scale with modern technology companies. Drawing from over a decade of experience across tech, fintech, telecom, and AI, she provides practical strategies for building GRC Engineering capabilities from the ground up. Whether you're just starting your GRC Engineering journey or looking to scale existing efforts, this episode provides tactical advice on: - Transforming control design for automation and scalability - Convincing traditional auditors to accept API-driven evidence - Building the business case for GRC Engineering investments - Developing effective collaborations between technical and non-technical GRC staff - Measuring and demonstrating the value of engineering -driven compliance - Creating a roadmap for continuous control monitoring Key topics covered: 00:00 Introduction and guest background 02:58 Evolution of GRC: From spreadsheets to engineering-driven approaches 04:05 The biggest pain point: Evidence collection at scale across multiple frameworks 05:38 Why control design matters more than evidence automation alone 11:20 The tipping point for GRC Engineering adoption in organizations 13:30 Breaking down GRC process phases and where engineering adds value 26:52 How to work with auditors on engineering evidence and build trust 31:53 Build vs. Buy: Finding the right approach for your organization size 37:10 Building relationships with engineering teams through shared pain points 39:33 How compliance can become an engineering roadmap for platform teams 42:04 Key principles for scaling GRC Engineering programs beyond initial wins 48:19 GRC Engineers & Analysts: Working together effectively across skill sets 53:41 The magic wand question: Asset to control view and community education

    58 min
  8. AI Agents as the next GRC Frontier w/ Shruti Gupta from Zania | S2E2

    02/12/2024

    AI Agents as the next GRC Frontier w/ Shruti Gupta from Zania | S2E2

    To view the notes from the podcast and much more, check out the episode summary on the GRC Engineer.

    1h 6m
See All (15)

About

The podcast helping Security GRC practitioners getting their career to the next level. We speak with trailblazers, innovators and experts in the GRC realm that champion an engineering-minded GRC practice. Episodes are jam-packed with practical tips, concepts and use cases to help you scale your GRC program and create better relationships with your engineering and product colleagues.

Information

  • Creator
    Ayoub Fandi
  • Years Active
    2024 - 2025
  • Episodes
    15
  • Rating
    Clean
  • Copyright
    © Ayoub Fandi
  • Show Website
    GRC Engineer

You Might Also Like