Security & GRC Decoded

Raj Krishnamurthy

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and compliant with regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC, from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!

  1. 11H AGO

    From Compliance Theater to GRC Infrastructure: Why AI Breaks Traditional GRC ft Jasmine Kaur, Principal of Security & Assurance Engineering @ CoreWeave

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Jasmine Kaur, Principal of Security & Assurance Engineering at CoreWeave, to explore how AI-native infrastructure is fundamentally reshaping GRC. Drawing from her experience at companies like SAP, Google, and now an AI hyperscaler, Jasmine explains why traditional GRC models are failing in high-velocity, ephemeral environments—and what needs to replace them. From “GRC as infrastructure” to the rise of agentic GRC, this conversation dives into how compliance must evolve from a reactive audit function into a real-time assurance capability embedded directly into systems.

    Key Takeaways:
    - Traditional GRC models break in AI environments because systems are ephemeral and disappear before audits can validate them.
    - Compliance should be treated as a byproduct of strong risk modeling and control design—not the end goal.
    - GRC must evolve into an infrastructure-level capability that continuously emits assurance signals.
    - Agentic GRC is the next evolution beyond automation and CCM, enabling decision-capable systems with human oversight.
    - Future GRC teams must operate more like engineering and reliability functions rather than audit teams.

    What You’ll Learn:
    - Why AI infrastructure makes traditional audits ineffective
    - What “GRC as infrastructure” actually means in practice
    - How to move from point-in-time audits to continuous assurance
    - The difference between automation, CCM, and agentic GRC
    - How to position GRC as a proactive, business-critical function

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: https://www.compliancecow.com
    Watch more episodes: https://www.compliancecow.com/podcast
    Connect With Our Guest: Jasmine Kaur | Principal of Security & Assurance Engineering | CoreWeave
    Connect on LinkedIn: https://www.linkedin.com/in/jask31/
    Rate, review, and share if you enjoyed the show! Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

    54 min
  2. APR 21

    The GRC Illusion: Why Third-Party Risk Is Still Broken ft Val Dobrushkin, Director of GRC @ Tricentis

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Val Dobrushkin, Director of GRC at Tricentis, to challenge one of the most overlooked failures in modern security programs: third-party risk management. Drawing from his experience building GRC programs at ForgeRock, NoName Security, and beyond, Val explains why most organizations are still stuck in compliance theater and how GRC teams can evolve into true business enablers. This conversation dives into the disconnect between frameworks and reality, the limits of SOC 2, the role of GRC in revenue and M&A outcomes, and why solving for today while building for the future is the key to long-term success.

    Key Takeaways:
    - Third-party risk management is fundamentally broken due to over-reliance on questionnaires and weak enforcement of meaningful controls.
    - SOC 2 is too flexible and inconsistent to be relied on as a true indicator of security maturity.
    - GRC has a unique advantage over security in directly demonstrating business value and revenue impact.
    - “Solve for now, build for later” is critical for startups and fast-growing companies preparing for IPO or acquisition.
    - Strong GRC programs can directly influence company valuation by identifying contractual and compliance gaps early.

    What You’ll Learn:
    - Why questionnaires and annual vendor reviews fail to capture real third-party risk
    - How GRC teams can prove revenue impact through customer trust and assurance
    - The hidden role of GRC in M&A, IPO readiness, and contract validation
    - Why most GRC metrics fail and what meaningful measurement should look like
    - How to implement a “solve now, build for future” strategy in fast-growing companies

    Connect With Our Guest: Val Dobrushkin | Director of GRC | Tricentis
    Connect on LinkedIn: https://www.linkedin.com/in/dobrushkin/

    55 min
  3. APR 7

    GRC Is Broken... And Nobody Wants to Admit It ft Dylan O’Dell, AVP Information Risk Officer @ Manulife

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Dylan O’Dell, AVP Information Risk Officer at Manulife, to challenge one of the biggest assumptions in the industry: that GRC is working as intended. Dylan argues that most organizations are stuck in control-centric thinking and missing the true purpose of risk management — translating data into business decisions. Drawing from his background in Lean Six Sigma and large-scale enterprise risk, Dylan breaks down why GRC needs to evolve beyond audits and control testing into automation, orchestration, and storytelling. This conversation explores how modern GRC teams can reduce operational friction, quantify real risk, and actually influence business outcomes.

    Key Takeaways:
    - GRC today is overly focused on control testing rather than true risk management and decision-making.
    - Automation should eliminate manual audit friction — not just make existing processes faster.
    - The future GRC professional must combine technical awareness with storytelling, influence, and business understanding.
    - Risk management should be rooted in probability and financial impact — not pass/fail compliance.
    - GRC teams can unlock funding and influence by tying their work directly to revenue, cost savings, and business outcomes.

    What You’ll Learn:
    - Why the “three lines of defense” model often breaks down in practice.
    - How to translate technical data into meaningful business risk narratives.
    - What modern GRC automation should actually look like (beyond tools).
    - How to position GRC as a revenue enabler — not just a cost center.
    - Why “start with why” is critical for influencing stakeholders and reducing friction.

    Connect With Our Guest: Dylan O’Dell | AVP Information Risk Officer | Manulife
    Connect on LinkedIn: https://www.linkedin.com/in/dylan-odell-72a06412b/

    1h 8m
  4. MAR 24

    Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they are fundamentally communication disciplines. From using analogies to explain vulnerabilities, to reframing GRC as the “Draymond Green” of cybersecurity, Steven shows how the best security leaders translate complexity into clarity, help the business make better decisions, and meet people where they are instead of overwhelming them with jargon.

    Key Takeaways:
    - Security and GRC succeed when they communicate clearly to humans, not when they simply present more technical detail.
    - The best GRC teams act as guides that help the business make reasonable, compliant, cyber-conscious decisions.
    - Metrics only matter when they drive a clear outcome or decision, not when they exist for their own sake.
    - Strong GRC teams build trust by doing the hard, cross-functional work that others often avoid.
    - Storytelling is a core security skill because people act on messages they understand, remember, and relate to.

    What You’ll Learn:
    - Why Steven believes security is ultimately a human communication problem.
    - How to tailor security messaging for engineering leaders, CISOs, and business stakeholders.
    - What “guardrails not gates” looks like in a practical GRC program.
    - How to think about data, metrics, and reporting without overwhelming your audience.
    - Why AI may change the consumption layer of GRC, but not eliminate the human need for storytelling.

    Connect With Our Guest: Steven Asifo | Director of Security & GRC | Yahoo
    Connect on LinkedIn: https://www.linkedin.com/in/asifosays/

    1 hr
  5. MAR 10

    The 3 Year GRC Reckoning: Customer Trust, Real-Time Assurance, and the Future of Risk ft Bryan Culp, Senior Director of Customer Trust @ Box

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Bryan Culp, Senior Director of Customer Trust at Box, to explore how governance, risk, and compliance is evolving beyond certifications and into real-time trust. Bryan shares why the next two to three years will fundamentally change how GRC operates — driven by automation, AI, large financial institutions demanding real-time internal metrics, and growing pressure to translate security posture into business language. From managing both customer trust and third-party risk at Box, Bryan offers a rare dual perspective: how companies present assurance to customers while simultaneously evaluating vendors themselves. This conversation challenges the idea that certifications alone create security and makes the case for risk being the true language of leadership.

    Key Takeaways:
    - Customer Trust is not traditional GRC — it translates security and compliance work into business confidence for customers.
    - Certifications enable market access, but they do not eliminate breach risk.
    - Risk must be communicated in executive language to influence real business decisions.
    - Large financial institutions are beginning to demand real-time internal security metrics instead of snapshot audits.
    - AI is transforming GRC workflows — not to cut people, but to enable deeper, higher-value analysis.

    What You’ll Learn:
    - Why Bryan believes GRC will look materially different in the next 2–3 years.
    - How Customer Trust functions differently from compliance and audit teams.
    - Why certifications alone cannot prevent major security incidents.
    - What “real-time assurance” could look like for large SaaS companies.
    - How to think about AI and automation as long-term growth enablers in GRC.

    Connect With Our Guest: Bryan Culp | Senior Director of Customer Trust | Box
    Connect on LinkedIn: https://www.linkedin.com/in/bryanculp/

    1h 6m
  6. FEB 24

    When GRC Stops Watching and Starts Working ft Ryan Schoeller, Director of Security & GRC @ Treasure Data

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Ryan Schoeller, Director of Security & GRC at Treasure Data, to challenge one of the most deeply rooted assumptions in the industry: that GRC should stay passive and “independent.” Drawing from his experience across startups, mid-market tech companies, and large enterprises, Ryan argues that the most effective GRC teams are the ones that actively participate in control monitoring, risk management, and operational decision-making. This conversation goes beyond audits and checklists, exploring how GRC can truly drive business value by protecting revenue, enabling growth, and embedding risk thinking into everyday operations.

    Key Takeaways:
    - GRC delivers the most value when it actively participates in monitoring controls, not just validating them after the fact.
    - Risk is the most critical — and most neglected — pillar of GRC, often confused with gaps or vulnerabilities.
    - Strong relationships with engineering and business teams are essential for GRC to gain meaningful access to data.
    - GRC engineering is not just about writing code; it’s about applying an engineering mindset to workflows, tooling, and processes.
    - Automation alone is not a business case — value comes from how freed-up time is reinvested.

    What You’ll Learn:
    - Why the “three lines of defense” model often breaks down in real organizations
    - How GRC teams can reduce compliance theater by becoming more operational
    - The difference between a vulnerability, a gap, and an actual risk
    - How to build a business case for GRC automation that leadership will support
    - Why front-ending GRC work (sales assurance, customer trust) often matters more than backend audit prep

    Connect With Our Guest: Ryan Schoeller | Director of Security & GRC | Treasure Data
    Connect on LinkedIn: https://www.linkedin.com/in/ryanschoeller/

    57 min
  7. FEB 10

    Does GRC Belong Outside Security? The Case for an Independent Second Line ft Charles Nwatu - GRC Engineering Leader

    What if GRC shouldn’t sit inside Security at all—and what if the bigger problem isn’t automation, but what you do after you automate? In this episode, Raj Krishnamurthy sits down with Charles Nwatu (former Security GRC Engineering & Assurance leader at Netflix) for a candid, systems-level conversation about why “annual audit rituals” fail modern engineering, how GRC can produce high-fidelity signals that strengthen security decision-making, and why the next wave of GRC engineering is about analytics, specifications, and business impact—not just speeding up evidence collection.

    Key Takeaways:
    - GRC is a continuous discipline—point-in-time compliance can help, but it can’t be the end state.
    - Automation is necessary but not sufficient: the real value is in turning collected evidence into actionable insights.
    - Specifications enable measurement—without clear expected behaviors, security metrics become inconsistent and hard to compare.
    - GRC can feed security with high-fidelity signals (like identity/access review metadata) that improve posture beyond audit readiness.
    - Third-party risk doesn’t “finish”—the goal is visibility, data lineage awareness, and making the mess less messy.

    What You’ll Learn:
    - Where Charles believes GRC should sit org-wise—and why Security should be a “customer” of GRC
    - What “shift-left GRC” looks like in practice (beyond annual audits)
    - Why “efficiency savings” don’t automatically equal “security value”
    - How to think about metrics, specifications, and risk in a shared language
    - Why third-party risk management is “unsolvable,” and how to build guardrails anyway

    Connect With Our Guest: Charles Nwatu | GRC Engineering Leader
    Connect on LinkedIn: https://www.linkedin.com/in/cnwatu/

    1h 1m
  8. JAN 27

    GRC Is an Engineering Discipline. Not a Checklist. ft Akhila Chitiprolu, Head of Security & GRC @ Sierra

    GRC has long been seen as abstract, manual, and disconnected from how modern engineering teams actually work, but that narrative is breaking down. In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Akhila Chitiprolu, Head of Security & GRC at Sierra, to explore why GRC must be treated as an engineering discipline, not a compliance afterthought. Drawing from her experience across T-Mobile, Expedia, Stripe, and AI-native companies, Akhila explains how systems thinking, automation, and shared ownership can radically reduce compliance toil while increasing trust. This conversation goes deep into GRC engineering, audit realities, automation tradeoffs, and what the future of compliance looks like in an AI-driven world.

    Key Takeaways:
    - GRC works best when treated as a system with inputs, processes, outputs, and feedback loops
    - Automation should focus on intent and outcomes, not blindly speeding up broken manual processes
    - GRC professionals act as a middleware layer between engineers, auditors, and customers
    - Not all controls should be automated — but 70% can be, with humans in the loop where it matters
    - The future of GRC depends on engineering mindset, context, and trust, not checklists

    What You’ll Learn:
    - Why GRC is fundamentally a systems engineering problem
    - How to reduce engineering toil without weakening audit posture
    - When automation helps — and when it creates false efficiency
    - How GRC teams should approach AI, agents, and non-deterministic systems
    - Practical ways to build a GRC engineering function over time

    Connect With Our Guest: Akhila Chitiprolu | Head of Security & GRC | Sierra
    Connect on LinkedIn: https://www.linkedin.com/in/akhilachitiprolu/

    55 min
