GRC Uncensored

Chaos
  • 0.0 (0)
  • TECH NEWS
  • EVERY TWO WEEKS

GRC Uncensored is an experimental podcast designed to elevate real conversations with GRC professionals, auditors, regulators, and those building programs around it. Your hosts are Troy Fine and Elliot Volkman. Hosted on Acast. See acast.com/privacy for more information.

  1. 5 DAYS AGO

    AMA: GRC, SOC 2, and the State of Audits

    It’s the last day of 2025, which means it’s time to wrap season one. When Troy and I piloted this series, we didn’t expect thousands of you to tune in, and certainly didn’t expect to pickup the wonderfully smart Kendra to join our crew. With that, we want to thank you for encouraging us to keep this series going. We’ll be back for season 2 soon, and are taking in new pitches for episodes now. To wrap the year, we conducted a AMA on the current state of GRC. We pulled questions from Reddit and LinkedIn and tackled them live in conversation. What we coveredAre we “anti–GRC automation tools”? Short answer: no. Long answer: automation isn’t the problem. It’s misuse, blind trust, and compromised audit integrity are. Cheap SOC 2s and bundled audits Why budget startups often don’t have a real incentive to avoid low-cost, bundled auditors, and what you give up when you go that route. SOC 2 pentesting vs PCI DSS Why SOC 2 allows weak or missing pentests, why PCI doesn’t, and how automated scans differ from real manual testing. Conflicts of interest in the GRC ecosystem Platforms, auditors, and vCISOs all partner, so where does objectivity break down, and is it even possible to keep it clean? Who’s really at fault: tools or auditors? A blunt discussion on incentives, accountability, and why low-quality audits keep winning. Offshoring and the race to the bottom When cost-cutting leads to offshoring, what should clients actually be worried about and what’s just noise. The future of audits and AI Will AI replace auditors? Where automation helps, where humans still matter, and what happens if we stop caring about independent assurance altogether. Hosted on Acast. See acast.com/privacy for more information.

    47 min

  2. 20/11/2025

    Do Ethical GRC auditors really exist?

    In this episode, the crew digs into a messy but necessary topic: what does ethical auditing even mean in a market overrun with automation shortcuts, low-effort SOC 2 audits, and firms that self-declare “quality” without proving it? With Troy actively auditing today and Kendra working with auditors in real time, the team breaks down where rigor actually shows up, where the system is broken, and why SOC 2’s value is slipping as fast as demand for speed is rising. 03:00 – “Quality theater” and firms self-labeling as high quality 04:10 – Who defines quality—auditors or customers? 05:00 – The four-hour SOC 2 audit example 06:00 – The danger of “better than the worst” logic 07:00 – What thorough auditing actually looks like (Kendra’s experience) 09:30 – SOC 2 inconsistency across auditors and firms 11:00 – Should audit firms be objectively measured? 15:00 – Kendra’s “secret shopper auditor” idea 19:20 – Automation platforms producing shallow “green checkmark” results 22:00 – Drive-by auditors rubber-stamping automated data 26:00 – Peer review and “enhanced oversight” gaps 33:00 – Why the industry isn’t incentivized to fix the quality problem 39:00 – Ethical auditors exist—but the system doesn’t reward them Hosted on Acast. See acast.com/privacy for more information.

    44 min

  3. 22/10/2025

    SOC 2, Vibes, and the Audit Arms Race

    This episode dives deep into the messy, absurd, and sometimes hilarious world of SOC 2 audits and compliance frameworks. Wiz CISO Expert Zlatko Unger joins the crew to talk about the expanding “acronym soup” of frameworks, the blurred lines between automation and assurance, and why finding an auditor who vibes with your team might matter more than the name on the certificate. The crew also debates the future of SOC 2 — from fast-track “15-hour audits” to the rise of AI-generated reports — and whether the entire model needs a ground-up rebuild. Guest: Zlatko Unger, CISO Expert at Wiz Hosts: Troy Fine, Kendra Cooley, Elliot Volkman 00:03 — Framework overload 00:07 — Auditor “vibe check” 00:11 — SOC 2’s fall from grace 00:16 — TPRM and audit fatigue 00:25 — SOC 2 for robots 00:36 — Reform or rebuild? Hosted on Acast. See acast.com/privacy for more information.

    47 min

  4. 09/10/2025

    Clean Reports, Flawed Systems, and the Future of GRC

    TJ, Kendra, and Elliot are back, and welcomed Evan Millman, GRC Manager at Abnormal Security, for what started as a casual chat and evolved into a sharp look at compliance blind spots, the role of AI in GRC, and how professionals can shape their careers in a changing field. [00:02:00] Evan shares how he used ChatGPT to analyze a risk assessment report. [00:05:00] What GRC leadership looks like at Abnormal Security (ISO 27001, 27701, 42001, SOC 2). [00:07:00] The complicated relationship between organizations and auditors — bias, incentives, and the reality of “clean” reports. [00:12:00] Why third-party attestations are table stakes, not real assurance. [00:19:00] TJ and Evan debate solutions: peer reviews, government oversight, or is the system fundamentally flawed? [00:27:00] How Abnormal approaches vendor risk: criticality ratings, renewals, and compensating controls. [00:32:00] Tools and automation in GRC — benefits and buyer’s remorse. [00:36:00] The role of AI: evidence review, documentation search, and “trust but verify.” [00:39:00] Should GRC professionals become coders, or double down on soft skills? [00:44:00] Evan’s career advice: networking, persistence, and why soft skills matter more than technical depth. Hosted on Acast. See acast.com/privacy for more information.

    46 min

  5. 25/09/2025

    AI Guardrails, Foot Guns, and the Ostrich Problem

    This week on GRC Uncensored, hosts Troy Fine and Elliot Volkman sat down with Merritt Baer, Chief Security Officer at Enkrypt AI, for a candid conversation about the collision between AI, governance, and security. Merritt brought decades of CISO experience — from AWS to the intelligence community — and didn’t hold back, fully embracing our podcast name, on what’s hype, what’s real, and what CISOs should be doing today.  Key Moments[00:03:00] – How Merritt uses ChatGPT to re-voice her own drafts — and why she immediately strips out the “saccharine” endings.[00:05:30] – Why security and innovation don’t need to “hold hands” — they just need shared expectations.[00:08:45] – The “foot guns” moment: how an accounting firm’s chatbot started teaching customers to hide assets from the IRS.[00:13:30] – Why most enterprises don’t even know where AI is being used internally.[00:15:00] – How to build guardrails that are realistic, enforceable, and tuned over time.[00:24:30] – Why “ostrich” policies will fail — and how enforcement actions, not regulations, will shape AI accountability.[00:40:00] – Merritt’s closing advice for CISOs: you don’t need to be an expert, but you do need a plan. Hosted on Acast. See acast.com/privacy for more information.

    43 min

  6. 28/08/2025

    The Softer (and Sometimes Spicier) Side of GRC

    In the latest episode of GRC Uncensored, hosts Kendra Cooley and Troy Fine sat down with Jake Bernardes, CISO of Anecdotes and host of Risking It All, to talk about the positive side of GRC. What unfolded was less about sugar-coating and more about the tensions shaping our industry from AI disruption to the shaky future of SOC 2 reports. More specifically, is there a world where we see a consolidation of regulations and frameworks in response to the sprawl we see now? [00:02:00] AI and Auditing – Will automation replace auditors or make them indispensable? [00:06:00] The Positive Side of GRC – How automation is reshaping the auditor’s role. [00:15:00] Are Compliance Platforms Lowering the Bar? – Check-the-box programs vs. meaningful assurance. [00:23:00] The SOC 2 Debate – Is it still valuable, or creating a false sense of security? [00:30:00] Toward Continuous Assurance – Dynamic trust centers and evidence as the new currency. [00:40:00] The Future of Risk in GRC – Why risk registers must evolve and become data-driven. [00:46:00] Closing Thoughts – Optimism about where GRC is headed despite today’s challenges. Hosted on Acast. See acast.com/privacy for more information.

    49 min

  7. 31/07/2025

    The TPRM Tug-of-War: Trust, Tools, and the AI Tradeoff

    This week, the crew sits down with Henry Stanley—founder of Fabrik and engineer-turned-GRC troublemaker-to dig into the messy reality of third-party risk management (TPRM). With experience across fintech, startups, and security consulting, Henry brings a pragmatic but optimistic view of how the industry can move forward. From the limits of SOC 2 and the myth of standardization to the risks and rewards of AI-powered questionnaires, the group unpacks why TPRM is so fragmented—and why that’s not necessarily a bad thing. They also get real about AI in audits, the future role of assurance professionals, and why human connection still matters. 06:30 – Why TPRM Is Fragmented by Nature 09:00 – SOC 2 Isn’t Enough (And Never Was) 13:30 – Does Anyone Really Trust Audit Reports? 17:30 – Blacklists, Quality Checks & the SOC 2 Vibe Check 20:00 – The Rise of AI in Vendor Assessments 25:30 – AI Answers vs. AI Confidence 28:30 – Auditing the Auditors (and Their AI) 32:00 – Reasonable Assurance in an AI World 35:30 – Skepticism, Trust, and Human-in-the-Loop Auditing 38:00 – Does AI Kill Creativity? A Side Quest 44:00 – Will TPRM Be Agent-to-Agent in the Future? Guest: Henry Stanley, Founder of Security Program.io Hosts: Troy Fine, Kendra Cooley Producer: Elliot Volkman Runtime: ~56 minutes Hosted on Acast. See acast.com/privacy for more information.

    50 min

  8. 17/07/2025

    Will FedRAMP 20x Repeat SOC 2’s Mistakes?

    This week on GRC Uncensored, the crew welcomes John Santore, a longtime FedRAMP and SOC 2 practitioner who has seen firsthand how compliance frameworks evolve, and sometimes unravel. Now serving as Director of Cyber Acceleration at Constellation GovCloud, John joins Troy and Elliot to unpack FedRAMP 20x, a new pilot program designed to streamline the U.S. government’s cloud authorization process dramatically. The promise? Fewer controls, faster approvals, and greater automation.The concern? That all sounds a little too familiar. Together, they explore whether FedRAMP 20x is an overdue modernization or the start of a dangerous slide toward the kind of checkbox compliance that has made SOC 2 certifications easier to get but harder to trust. From control mapping and auditor disruption to agency adoption and AI-assisted audits, this episode provides a deep dive into what happens when good frameworks move too quickly and how to maintain trust when they do. [00:01:00] – Guest intro: John’s history with SOC 2, FedRAMP, and working with Troy [00:06:00] – How SOC 2 influenced John’s transition into federal compliance [00:08:00] – What is FedRAMP 20x, and why is it happening now? [00:10:00] – From 12-month review cycles to fast-tracking assessments [00:14:00] – Key Security Indicators (KSIs): replacing hundreds of controls with a handful of validations [00:18:00] – Are KSIs basically just vague control summaries? (Spoiler: yes) [00:22:00] – Why GRC platforms are being prioritized in the pilot [00:25:00] – Potential expansion to FedRAMP Moderate and High [00:28:00] – Will agencies even accept this? [00:31:00] – Advice for cloud service providers evaluating FedRAMP now [00:34:00] – Is FedRAMP on the path to commoditization? [00:39:00] – Evaluating rigor vs. relevance: security posture ≠ certification [00:44:00] – The problem of vague frameworks and audit inconsistency [00:48:00] – Comparing SOC 2, FedRAMP, and the race to the bottom [00:54:00] – Closing thoughts on AI, automation, and the future of white-collar work Guest: John Santore, Director of Cyber Acceleration, Constellation GovCloud Hosts: Troy Fine & Elliot Volkman Runtime: ~58 minutes Hosted on Acast. See acast.com/privacy for more information.

    58 min
See All (23)

About

GRC Uncensored is an experimental podcast designed to elevate real conversations with GRC professionals, auditors, regulators, and those building programs around it. Your hosts are Troy Fine and Elliot Volkman. Hosted on Acast. See acast.com/privacy for more information.

Information

  • Creator
    Chaos
  • Years Active
    2024 - 2025
  • Episodes
    23
  • Rating
    Clean
  • Copyright
    © Elliot Volkman
  • Show Website
    GRC Uncensored

You Might Also Like