Security & GRC Decoded

Raj Krishnamurthy

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and adhere to regulatory mandates.

Security & GRC Decoded brings you:
+ Actionable strategies.
+ Expert insights.
+ Real-world stories to elevate your Security GRC programs.

Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed.

  1. 1 day ago

    Risk in Dollars: The Future of GRC Measurement

    How does a network engineer become a GRC leader? Ramya Subramanian’s journey spans nearly two decades across IT, security, and governance. Now serving as Director of GRC & Privacy Operations at Freshworks, she joins Raj to unpack the evolving role of GRC: from quantifying risk and managing compliance debt to building automation that doesn’t slow engineering down. Ramya also shares how storytelling, PR-style evangelism, and simplifying policies can shift the perception of GRC from policing to business enabler. This episode is a playbook for anyone trying to modernize risk and compliance in fast-moving environments.

    5 Key Takeaways
    - Engineer’s edge in GRC: Why Ramya’s technical background makes her approach to governance unique.
    - Quantifying risk with dollars: Why risk measurement needs financial context, not just “likelihood x impact.”
    - Automation as a path forward: How Freshworks is reducing compliance toil for engineers.
    - Simplify policies and awareness: Cutting policy docs by 90% and building bite-sized security training.
    - GRC as PR: Storytelling and evangelism can reframe GRC as a business enabler, not a blocker.

    What You’ll Learn
    - How GRC and security complement each other
    - Challenges of risk quantification and continuous measurement
    - Why engineers perceive GRC as compliance tax
    - How automation and GRC engineering can reduce manual effort
    - The cultural perception of GRC and how to change it

    ⏱️ (Approximate) Timestamps
    [00:01:43] From network engineer to GRC leader
    [00:03:37] How Ramya defines Governance, Risk, and Compliance
    [00:05:28] Quantifying risk: from controls to financial impact
    [00:07:41] Why continuous risk measurement is so hard
    [00:11:49] How others perceive GRC inside organizations
    [00:13:43] Changing the “policing” perception of GRC
    [00:17:50] Rewriting policies & security awareness at Freshworks
    [00:19:38] Bringing auditors along the journey
    [00:21:33] Reducing compliance tax with automation
    [00:26:10] Why GRC needs engineering skills
    [00:29:58] Technical vs non-technical sides of GRC
    [00:31:47] Skills Ramya looks for when hiring
    [00:33:53] Generative AI’s impact on GRC
    [00:37:49] Dream GRC solution: context-aware automation
    [00:39:32] Building a business case for automation
    [00:44:00] Who should tell the GRC automation story?
    [00:45:54] Challenges with auditors in the AI era
    [00:46:49] From city editor to GRC leader — storytelling roots
    [00:52:26] Rajinikanth’s influence at Freshworks

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest: Ramya Subramanian | Director of GRC & Privacy Operations | Freshworks. Connect on LinkedIn.

    Rate, review, and share if you enjoyed the show! Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts.

    55 min
  2. Aug 21

    Compliance ≠ Security: It Sets the Foundation ft Evan Millman, Security GRC Manager @ Abnormal AI

    What’s the true relationship between compliance and security? According to Evan Millman, compliance may not be security—but it’s the necessary starting point for building it. In this episode, Raj sits down with Evan to explore how organizations can shift their GRC approach from reactive checkbox checking to a proactive and risk-informed security practice. Evan shares stories from his work at Abnormal.AI, lessons from scaling GRC in fast-moving environments, and practical advice for anyone trying to align controls with business objectives.

    5 Key Takeaways:
    - Compliance is not the destination — but it is the framework for real security conversations.
    - Say no to overkill — Right-size controls based on business needs, not frameworks.
    - Decentralized GRC works — but only if there’s shared ownership and trust.
    - “GRC therapy” is real — and it starts with building internal relationships.
    - Metrics matter — but only when they tell a story that drives action.

    What You’ll Learn:
    - Why compliance ≠ security (but still matters)
    - The pitfalls of checklist-first GRC programs
    - How to build GRC partnerships across product and engineering teams
    - Why business-aligned storytelling is the future of risk communication
    - How Abnormal Security approaches frameworks like SOC 2 and ISO 27001

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest: Evan Millman | Security GRC Manager | Abnormal AI. Connect on LinkedIn.

    Rate, review, and share if you enjoyed the show! Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts.

    🕒 (Approximate) Timestamps
    [00:02:40] What makes Evan passionate about security GRC?
    [00:04:30] How compliance ≠ security — and why that distinction matters
    [00:06:50] When GRC goes wrong: overkill, checklists, and inefficiency
    [00:10:15] Building trust by embedding security into product discussions
    [00:14:40] Right-sizing controls: starting with SOC 2 vs ISO 27001
    [00:18:10] Managing a decentralized GRC team at Abnormal
    [00:23:02] Metrics and storytelling — what the board actually wants
    [00:29:45] Why GRC leaders need emotional intelligence and empathy
    [00:35:20] What GRC professionals can learn from product managers
    [00:39:11] Evan’s advice to vendors trying to break into GRC
    [00:41:05] How GRC can (and should) enable product velocity
    [00:44:55] If he could wave a magic wand, what would Evan fix in GRC?

    1 hr 14 min
  3. Aug 7

    Cyber Economics and Keeping Up with Innovation ft Trupti Shiralkar (Cybersecurity Leader & Advisor)

    What trade-offs are you willing to make in cybersecurity? In this episode of Security & GRC Decoded, host Raj Krishnamurthy is joined by Trupti Shiralkar, a seasoned cybersecurity leader and Advisory Board Member at Backslash Security, to explore how risk, ROI, and real-world constraints shape modern security programs. With decades of experience across AppSec, security architecture, and risk governance, Trupti brings a rare blend of deep technical insight and strategic thinking. They dive into cyber economics, AI-driven tooling, and why security storytelling may soon matter more than fear-based metrics. Whether you're a security veteran or just entering the space, this is a must-listen on staying relevant and effective in the age of automation.

    5 Key Takeaways
    - Cybersecurity is about trade-offs – No org can secure everything; knowing what to ignore is just as critical.
    - LLMs can’t fully replace layered defense – Copilots help, but context and reachability still matter.
    - ROI matters more than ever – Security teams must prove business value in language execs understand.
    - Storytelling wins boardrooms – Fear, uncertainty, and doubt (FUD) is out. Framing risk with narrative is in.
    - Reinvent or be replaced – AI won’t eliminate jobs—it’ll replace outdated versions of them.

    What You’ll Learn
    - How cyber economics helps frame decision-making
    - The evolving role of LLMs and software composition tools in vulnerability management
    - Why OWASP hasn’t solved insecure code after decades
    - How to prioritize reachability over volume
    - What developers and security pros should focus on to stay relevant

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest: Trupti Shiralkar | Advisory Board Member, Backslash Security. Connect on LinkedIn.

    Rate, review, and share if you enjoyed the show! Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts.

    Timestamps (Approx)
    [00:00] Intro
    [02:47] Why cyber economics goes beyond traditional budgeting
    [06:10] Introduction of grey swan events and the need for proactive innovation
    [10:10] Aligning compliance and security using LLMs
    [16:56] Reducing cognitive load in cybersecurity decision-making
    [20:00] Budgeting for innovation: Lessons from Trupti’s past security leadership
    [23:00] Difference between cyber economics and cyber risk quantification
    [33:50] The misunderstood strategic role of GRC
    [54:30] How meditation and mindfulness help navigate the security world
    [57:15] Trupti’s final shout-outs to historic and modern tech inspirations

    1 hr
  4. Aug 5

    Why Security And GRC Teams Must Act Like Service Teams ft Jiphun Satapathy from Medallia

    Jiphun Satapathy has built and scaled security organizations at AWS, Snowflake, and now Medallia. In this episode, he joins our host Raj to explore the evolving role of CISOs as strategic business leaders. They discuss the importance of treating security as a service organization, how to handle vendor noise, and why insider risk is often overlooked. You’ll hear practical advice for security and GRC leaders working in AI-first, high-growth environments—and how to maintain trust across engineering, compliance, and executive teams.

    Key Takeaways
    - Security as a Service Function: Security should empower—not block—the business. Jiphun shares how his team supports product, engineering, and sales.
    - Vendor Engagement Matters: CISOs who ignore vendors miss out on innovation. But filtering the noise is key.
    - Insider Risk is Real: Not rogue employees, but everyday developer behavior is a top source of risk.
    - Modern GRC Requires Technical Fluency: Especially in AI-first companies, GRC teams must understand the tech stack to stay relevant.
    - Earn Trust Through Action: Metrics matter, but culture and execution are what build credibility with boards, customers, and engineers.

    What You’ll Learn
    - How to build a risk-based security roadmap that keeps pace with rapid development
    - The role of security in shaping culture across a global org
    - How startups can engage CISOs without falling into FUD tactics

    This episode is brought to you by ComplianceCow — the smarter way to automate compliance and monitor controls. Learn more at compliancecow.com

    Connect with Jiphun on LinkedIn: linkedin.com/in/jiphunsatapathy

    🎧 Rate, review, and share if you enjoyed the show!
    🎙 Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

    (Approximate) Timestamps:
    [00:01:48] Jiphun challenges CISO aversion to vendor engagement
    [00:03:25] Filtering vendors based on prioritized security needs
    [00:06:24] Empowering teams with bottom-up decision-making
    [00:08:15] Driving culture change and making security a productivity enabler
    [00:11:33] MFA example showing how to improve both security and UX
    [00:15:25] Treating internal stakeholders as customers
    [00:21:02] Measuring risk with frameworks and metrics
    [00:30:22] Using automation to align security cadence with CI/CD pipelines
    [00:32:47] Insider risk and why it belongs on board slides
    [00:42:33] Empowering devs by reducing vulnerability noise
    [00:51:22] Why healthy paranoia is essential in AI adoption
    [00:56:51] Why GRC teams must be technical in AI-first environments
    [01:03:15] Advice to security startups: stop with the FUD
    [01:07:02] Coping strategies for CISO stress and burnout
    [01:09:60] Books and mentors that shaped Jiphun’s leadership journey

    1 hr 13 min
  5. Jul 10

    Preetam Joshi Breaks Down ML, LLMs, AI Agents, and Governance Challenges

    How do you make sense of security, governance, and risk in an age of black-box AI? This week, Raj is joined by Preetam Joshi, founder of Aimon Labs and machine learning veteran with experience at DRDO, Yahoo, Netflix, and Thumbtack. Together, they break down the technical evolution behind large language models (LLMs), explore the real challenges of explainability, and discuss why GRC teams must rethink risk in the age of autonomous reasoning systems. Preetam brings a rare mix of hands-on ML expertise and practical experience deploying LLMs in enterprise environments. If you’ve been wondering how transformers work, what explainability really means, or why AI governance is still a mess — this episode is for you.

    5 Key Takeaways:
    - From DRDO to Netflix to Aimon Labs — Preetam’s career journey shows the intersection of machine learning, security, and entrepreneurship.
    - How Transformers Work — A simple breakdown of encoder/decoder architecture, embeddings, and attention mechanisms.
    - Explainability in AI — What it meant in traditional ML... and why it’s nearly impossible with today’s LLMs.
    - Rule-Based Logic Isn’t Dead — In high-stakes environments, deterministic systems still matter.
    - Bridging AI & GRC — Practical steps for model security, auditing, and compliance in non-deterministic systems.

    📌 Take Action
    - Visit ComplianceCow.com/podcast to catch all episodes
    - Connect with Preetam on LinkedIn
    - Follow the show on Spotify and Apple Podcasts

    Security & GRC Decoded is brought to you by ComplianceCow — the platform for proactive, automated compliance.

    🎧 Subscribe, rate, and share if this episode sparked a thought.

    ⏱ Timestamps (approx.)
    00:00 – Intro
    01:11 – Welcome Preetam to the show
    03:20 – What has been your favorite experience working in AI so far?
    07:08 – What is transformer architecture and how does it work?
    10:23 – How do LLMs solve problems like math or reasoning?
    12:38 – Where do agents fit in the LLM ecosystem?
    16:07 – How does reinforcement learning apply to AI models?
    21:33 – What does explainability mean in ML?
    24:55 – Can you explain the limitations of SHAP and parameter-level reasoning?
    27:33 – What does GRC look like in the LLM age?
    30:58 – What does AIMon Labs actually do?
    35:00 – Why is reliability a challenge with LLMs?
    39:15 – Where does GRC intersect with AI deployment and compliance?
    41:30 – What is fine-tuning and when is it useful?
    44:43 – Is Retrieval Augmented Generation (RAG) still relevant with longer context windows?
    47:29 – How do we guard against LLM misuse and toxic output?
    49:43 – How can LLMs overexpose sensitive company data?
    53:28 – Advice for those starting a career in AI or ML
    55:34 – What are your favorite models right now?

    59 min
  6. Jun 26

    RGC, Not GRC: Why Risk Comes First ft Ricky Waldron

    What if compliance wasn't just about passing audits—but about building trust from the ground up? In this powerful episode of Security & GRC Decoded, Raj sits down with Ricky Waldron, Director of Security Audit & GRC at Navan, whose GRC experience spans tech giants like Microsoft, Disney, Oracle, and Smartsheet. Ricky shares how GRC is evolving into a strategic business partner, why automation and technical fluency are no longer optional, and what it takes to make compliance an engine of trust, not a blocker. From FedRAMP horror stories to generative AI workflows, this conversation dives deep into the future of governance, risk, and compliance—and why it's time for GRC teams to start thinking like engineers.

    🔑 5 Key Takeaways
    💥 Compliance = Security (If Done Right): Internal compliance based on risk and business needs often leads to stronger security outcomes than external certifications alone.
    🤝 Stop Policing, Start Partnering: GRC shouldn’t just point out problems—it should offer solutions and collaborate with teams to reduce risk.
    📊 Quantify Risk to Speak Leadership’s Language: Turn technical risk into business impact using frameworks like FAIR to get buy-in and budget.
    ⚙️ Automation Is GRC’s Future: From policy drafting with AI to continuous control monitoring, GRC teams must become technical and leverage automation.
    🧩 GRC as a Sales Enabler: GRC isn't just an internal function—it builds trust with customers, shortens sales cycles, and helps close deals.

    ✅ Take Action
    - Explore risk-first approaches: Lead with R in GRC to align controls with actual business risks.
    - Invest in automation: Save engineering hours and scale audits with continuous evidence collection.
    - Use GenAI wisely: Leverage it for speed, but ensure strong human review before anything goes to auditors.

    🔗 Powered by ComplianceCow.com – automate audits, collect evidence continuously, and shift GRC left.
    🎧 Subscribe to Security & GRC Decoded for weekly insights from today’s top compliance leaders.
    💼 Connect with Ricky Waldron on LinkedIn.

    ⏱ Timestamps (approx.)
    00:00 – Intro
    01:35 – Hot take on GRC
    04:31 – Why GRC & Security clash
    08:44 – GRC is storytelling
    12:57 – Risk comes before compliance
    16:08 – How to talk risk with execs
    20:41 – Trust as a compliance goal
    24:50 – Keeping your promises
    27:54 – Why GRC struggles with automation
    33:15 – Speaking engineers’ language
    38:50 – GRC as the customer conduit
    45:00 – GRC as sales enablement
    47:15 – How Ricky learned FedRAMP
    50:20 – What is FedRAMP 20X?
    52:27 – Why OSCAL hasn’t taken off
    56:15 – Would you use OSCAL commercially?
    58:36 – GenAI in GRC workflows
    1:02:31 – Using AI with auditors
    1:06:45 – State of GRC tooling
    1:12:30 – Getting budget for automation

    1 hr 19 min
  7. Jun 12

    What Does ‘Technical’ Even Mean in GRC? ft Alan Luk @ Grammarly

    Is it time to stop pretending GRC is technical? Alan Luk makes the case for a new kind of compliance leader—and it might surprise you. In this sharp and unfiltered episode of Security & GRC Decoded, Alan Luk, Director of GRC at Grammarly (and former Microsoft and PwC leader), joins Raj to dismantle common myths about GRC—and why even your engineers might be thinking about it all wrong. Drawing from over 20 years of experience, Alan makes the case for why GRC should be seen as a program management function, not a technical one—and how that shift unlocks better controls, less friction with engineering, and less painful audits. From audit war stories to his vision for continuous assurance, Alan brings blunt honesty, practical insight, and some well-earned hot takes to the mic.

    🔑 Key Takeaways:
    ✅ Why most companies—and even GRC pros—misunderstand what GRC is actually for
    ✅ How PM skills (not coding) unlock stronger GRC outcomes and happier engineers
    ✅ What good compliance teams do before audit season to avoid chaos
    ✅ Why control owners—not GRC—should own the metrics (and what to do if they don’t)
    ✅ A bold vision for the future: GRC as an observability layer, not an evidence factory

    🎯 Take Action:
    → Rethink what GRC really means inside your org: is it a service, a blocker, or a translator?
    → Audit your compliance program’s audit readiness—do you have metrics or just screenshots?
    → Share this episode with your PMs, engineers, or auditors who still think GRC is just check-the-box

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.

    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Alan Luk:
    💼 LinkedIn: https://www.linkedin.com/in/alan-luk-4027b29/
    🌐 Company: https://www.grammarly.com

    1 hr 10 min
  8. May 29

    No More Compliance Theater: Meet Real Security Compliance with Adam Brennick

    Is it time to rethink SOC 2? (Spoiler: Adam thinks so—and he’s got the receipts.) In this insightful episode of Security & GRC Decoded, Adam Brennick, Director of Security Risk & Compliance at Cockroach Labs, joins Raj to challenge the status quo of SOC 2, compliance culture, and how GRC teams should operate in a modern, engineering-driven world. With a unique perspective from leading both security and GRC functions, Adam shares why today’s compliance efforts often miss the mark—and how we can fix that. From his hot takes on “a la carte” SOC 2 to building automation-first programs that actually reduce risk, Adam brings clarity, conviction, and practical wisdom to the mic.

    Key Takeaways:
    ✅ Why SOC 2 should be customizable—and how that shift would improve both trust and transparency
    ✅ How GRC, security, and trust functions intersect (and where they often break down)
    ✅ The role of “vibe coding” and AI in enabling GRC engineering
    ✅ Real-world strategies for building a balanced, high-impact GRC team
    ✅ How to make a bulletproof business case for compliance automation using data (not just complaints)

    Take Action:
    → Reflect on your own compliance program: Is it outcome-driven or check-the-box?
    → Re-evaluate how your GRC, security, and engineering teams collaborate
    → Share this episode with teammates who care about making compliance actually matter

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.

    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Adam Brennick:
    💼 LinkedIn: https://www.linkedin.com/in/adam-brennick-959352158/
    🌐 Company: https://www.cockroachlabs.com/

    1 hr 20 min
