Rebuilding GRC from Scratch: Build-First Engineering w/ Emre & Chad from Docker

To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

How do you build a modern GRC programme when you inherit processes designed for a team three times your size, in an organisation where "compliance frameworks were owning us instead of us owning them"?

In this episode, Emre Ugurlu and Chad Fryer from Docker share their journey transforming compliance, risk, and customer trust functions over the past six months through relentless automation, AI-assisted development, and a ruthless focus on user experience.

Emre previously spent 3.5 years at Plaid working on GRC engineering principles, whilst Chad brings a UX focus with a strong engineering background. Together with a small team at Docker, they're proving that you don't need a massive GRC organisation to deliver enterprise-grade compliance at speed.

Build vs Buy Philosophy
Why Docker defaults to internal development and how they rebuilt their entire security training platform in a couple of weeks, achieving 100% completion rates through gamification and automation.

Zero-to-One Playbook
The first weeks: deep gap analysis, stress-testing controls, collaborative stack-ranking across teams, and building communication channels before building solutions.

Self-Managing Team Model
Three engineers, one analyst, no dedicated GRC manager. How autonomy and trust from leadership enables speed and innovation.

Continuous Compliance at Scale
Moving towards full automation across SOC 2 and ISO 27001, including custom API development with AWS Lambda and EventBridge.

AI as Teammate
Claude as "the sixth member" of the team, the discipline required to use AI effectively, and why pre-AI coding experience makes you 10x better at leveraging it.

User Experience in GRC
Why if nobody uses your solution, it doesn't matter how good it is. Building for adoption, not perfection.

TPRM Transformation
"We promised Steven we would automate the crap out of it" - plans for comprehensive third-party risk management automation.

Cost Model Innovation
How Docker's GRC team is becoming a revenue-generating function by saving costs and offering solutions to other internal teams.

Essential Skills
What aspiring GRC engineers actually need: API documentation reading, embracing failure, proper documentation, and understanding code across multiple languages.

12-Month Vision
Open source tool releases, containerised solutions for the community, and the goal to "transform GRC into something no one's ever seen." Open source cybersecurity training already available: https://emreugurlu.github.io/open-security-training/

Quotes:

"Instead of bending over backwards, we're supposed to make it fit the organisation. Docker is really unique in the way it operates, and we have to adjust compliance accordingly." - Emre

"If we build the most cool thing on the planet, but nobody uses it, it doesn't matter. Everything I do, I think of user experience during the process." - Chad

"Six times out of ten, I have to go correct Claude. The ability to read through code and read through flawed logic never disappears." - Emre

"With the tools we have today, there's no excuse why anybody can't build things themselves." - Emre

"We're going to be a revenue generating team." - Chad

About The GRC Engineer:

The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

🌐 Visit: grcengineer.com

💼 Connect: linkedin.com/in/ayoubfandi

📧 Newsletter: grcengineer.com/subscribe