The Paramify Podcast

Paramify

The Paramify Podcast is a practical, occasionally chaotic show about GRC, risk management, and staying audit-ready without losing your mind. It’s part talking security strategy, and part group therapy. We talk with cybersecurity and GRC leaders, including CISOs, auditors, founders, and security engineers, about FedRAMP and FedRAMP 20x, SOC 2, CMMC, NIST RMF, the shift toward continuous evidence, and everything in between.  Learn about what we do at Paramify here: www.paramify.com

  1. MAR 2

    Justin Merhoff on FedRAMP 20x, Secure AI, Trust Centers, and Modern Cybersecurity

    In this episode of The Paramify Podcast, Kenny sits down with Justin Merhoff to talk about what makes security actually work: usability, speed, adaptability, and real-world adoption. Justin shares lessons from nearly three decades in cybersecurity, from his time in the U.S. Army to leading security and compliance programs in the private sector. The conversation covers FedRAMP 20x, trust centers, secure AI, accessibility in cybersecurity, and why security should support the business instead of slowing it down. They also get into the real burden of FedRAMP and CMMC documentation, why better tooling can reduce burnout for lean security teams, and why “usable security” is often the difference between a control that works in practice and one that only looks good on paper.

    Note: At the time this episode was recorded, Justin was with Rhymetec. He is now Director of Compliance at DTEX.ai.

    Links:
    Justin Merhoff on LinkedIn: https://www.linkedin.com/in/justinmerhoff
    Kenny Scott on LinkedIn: https://www.linkedin.com/in/kenny-g-scott
    DTEX.ai: https://www.dtex.ai/
    Paramify: https://www.paramify.com/

    In this episode, you’ll hear:
    - Why usable security is better security
    - How secure AI can help small teams move faster
    - Why trust centers are becoming more important
    - How accessibility gaps can create real security risk
    - Why servant leadership matters in cybersecurity
    - Why FedRAMP 20x is shifting the focus back to risk

    Chapters:
    0:00 Secure AI, lean teams, and why the right tools matter
    1:12 Intro to Justin Merhoff
    2:08 How Justin got started in cybersecurity
    8:31 Army stories, leadership, and early security lessons
    16:06 Moving from the military into corporate security
    19:17 Why security should enable the business
    20:45 The future of trust centers
    25:20 Secure AI, small teams, and reducing compliance burnout
    29:32 Why FedRAMP 20x is a needed change
    36:31 Cyber leadership, adaptability, and how people break into security
    44:13 Why accessibility is a cybersecurity issue
    51:18 What Justin was doing at the time and how Rhymetec helps clients
    54:35 Outro

    This episode is a great listen for anyone working in FedRAMP, CMMC, GRC, compliance, security leadership, or third-party trust.

    55 min
  2. JAN 20

    From Film to FedRAMP with Justin Rende

    Federal compliance is having a moment. FedRAMP, FedRAMP 20x, CMMC, the whole alphabet soup is going mainstream, fast. In this episode of The Paramify Podcast, we sit down with Justin Rende, Founder and CEO of Rhymetec, to talk about what’s actually changing, what’s still painfully hard, and why “compliance automation” only works if you stay obsessed with real risk.

    Justin also shares his origin story (tech ➝ film festivals ➝ tech), how Rhymetec grew from early penetration tests into full vCISO and compliance programs, and the most New York lead gen strategy ever: biking around the city delivering Google Homes and handwritten notes to prospects. If you’ve ever been promised an “easy button” for SOC 2, ISO, or FedRAMP, this one’s for you.

    In this episode:
    Why federal compliance is exploding (and why it’s not slowing down)
    FedRAMP 20x and the pace of government innovation (yes, really)
    The risk of “checkbox compliance” in a world of automation
    How to set expectations with customers when security is never just one toggle
    Bootstrapping, building recurring revenue, and staying flexible
    Customer experience as the real differentiator (care scales better than you think)

    Where to find Justin and Rhymetec:
    https://rhymetec.com
    / justin-rende

    Learn more about Paramify:
    Paramify website: https://www.paramify.com/
    Mike Schreiner (LinkedIn): / mikecschreiner
    Kenny Scott (LinkedIn): / kenny-g-scott

    Chapters
    0:00 Federal compliance is exploding (and getting mainstream)
    0:30 Welcome to The Paramify Podcast + Justin Rende intro
    1:34 Justin’s origin story: tech ➝ film ➝ tech
    2:53 Starting Rhymetec with pentesting (and betting on SaaS early)
    4:25 Tribeca and Doha: running VIP experiences and meeting “heroes”
    5:33 The real lesson from film: make the customer have a good time
    7:01 Mess-ups happen, recovery is the job
    8:15 “Don’t meet your heroes” (Rudy story)
    9:24 Leaving film, chasing stability, spotting outdated consulting
    10:43 Bootstrapping vs taking investment and why flexibility wins
    13:53 From big pentest checks to recurring revenue and vCISO programs
    15:24 Employee experience: quality of life, culture, and remote done right
    18:10 SOC 2 and ISO automation: the pros, the cons, and the risk gap
    20:25 The “easy button” myth (MFA is never just one button)
    21:38 Sales overpromising, complexity, and doing right by the customer
    25:36 Biking NYC: Google Homes, handwritten notes, and standing out
    27:13 “Magic” in packaging, Alchemy, and why it works
    31:28 Why Rhymetec leaned into federal compliance
    32:24 SOC 2 race to the bottom vs doing it the right way
    39:15 What’s improving in federal compliance (and what still hurts)
    40:11 FedRAMP 20x innovation and building in public
    42:52 FedRAMP scale, CMMC scale, and why it’s all accelerating
    44:29 Legacy environments and why DoD adoption takes longer
    46:24 Where to find Rhymetec + closing thoughts

    47 min
  3. JAN 5

    GRC Lasagna with Ayoub Fandi

    “There’s this misconception in the marketplace that you need to be a coder to do GRC Engineering. You don’t. I don’t want people to be bogged down in scripting. I want them to be systems thinkers focusing on architecture and orchestration.”

    Kenny and Mike sit down with the GOATed pioneer of GRC Engineering, Ayoub Fandi. In case you’ve been living under a rock, Ayoub is the Security Assurance Automation Team Lead at GitLab and the Founder of GRC Engineer. This episode covers Ayoub’s wild pivot from middle school English teacher to sending 500 cold LinkedIn DMs to break into security. We dive into his first trip to Utah (discovery of "sugarcane fillets" and life-changing butter cake), why APIs are the “landlines” of the past, and how he sparked the movement behind the GRC Engineering Manifesto to give practitioners their own “Phoenix Project” moment for compliance.

    Key Takeaways:
    * Systems Over Scripts: GRC Engineering isn't about being a "coder." It’s about systems thinking and moving away from the "crawl space" of manual scripting.
    * The "Cell Phone" Moment: Why GRC is skipping the "landline" era of APIs and jumping straight to agentic workflows with MCP (Model Context Protocol).
    * FedRAMP® 20x: How Key Security Indicators (KSIs) move the burden of proof from 4,000-page narratives to 80%+ automated validation.
    * The 7-Minute Threat: AI-powered adversaries can pop a machine in 7 minutes. If your compliance isn't "threat-driven," it's irrelevant.

    Learn more about Ayoub:
    GitLab: https://about.gitlab.com/
    GRC Engineer: https://grcengineer.com/
    GRC Engineer Podcast: https://www.youtube.com/channel/UC8cvmIXoEEBs0dryLh2p2cA
    Ayoub's LinkedIn: https://www.linkedin.com/in/ayoubfandi/

    Learn more about Paramify:
    Website: https://www.paramify.com/
    Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/
    Mike's LinkedIn: https://www.linkedin.com/in/mikecschreiner/

    Chapters
    00:00 Intro — Utah, butter cake, and Ayoub's first time in the U.S.
    02:00 How Ayoub got into GRC (500 cold DMs and ISO cramming)
    09:00 Struggling to commit to GRC — until Adobe's program changed everything
    13:00 What GRC Engineering actually means
    15:00 Why evidence collection is plumbing, not strategy
    20:00 Why AI won’t kill GRC — it’ll force it to grow up
    25:00 Architecting assurance: the new role of GRC
    30:00 Why APIs are losing ground to agentic protocols like MCP
    35:00 Landlines vs. Cell Phones: How automation skipped a generation
    38:00 Platformization, assurance, and the SaaS vendor dilemma
    43:00 Can platforms fix SOC 2 quality?
    48:00 Sticker fatigue and the case for continuous assurance
    52:00 Why threat-driven compliance is the only way forward
    56:00 Advice for early-career GRC professionals in an AI-native world

    1h 25m
  4. 12/08/2025

    The Future of GRC with Jack Rumsey

    "The AI age we're in is going to force startups to compete in the higher upper echelon of risk assurance."

    Jack Rumsey, Head of GRC at Swimlane, explains why startups will no longer have the luxury of maturing later and how the AI era is pushing even early-stage teams into enterprise-grade security. This episode covers why assurance needs to evolve, how 20X can level the playing field, why automation is changing everything about how companies prove trust, and Jack's brief era as "the richest fifth-year college student of all time."

    Key Takeaways:
    • Automation is reshaping how companies prove trust and security
    • Startups will need enterprise-grade security earlier than ever
    • Continuous monitoring is becoming the new foundation for real assurance

    Chapters
    00:00 Security teams are drowning
    02:40 Scaling trust in public sector
    06:10 Check-the-box isn’t cutting it
    10:00 The promise of low-code automation
    13:40 Swimlane’s mission and momentum
    17:00 How to reduce alert fatigue
    21:30 Integrating detection with compliance
    26:15 CMMC and automation opportunities
    30:00 Why orchestration needs flexibility
    34:00 Future of GRC tooling
    36:50 Final thoughts on doing more with less

    Learn more about Jack Rumsey: https://www.linkedin.com/in/jack-rumsey-83303469/
    Learn more about GRC Destroyer: https://grcdestroyer.substack.com
    Learn more about Swimlane: https://swimlane.com
    Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
    Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/
    Learn more about Paramify: https://www.paramify.com/

    53 min

