Security & GRC Decoded

Raj Krishnamurthy

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and adhere to regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!

  1. DEC 16

    Scaling GRC Without the Chaos: How to Build Programs That Don’t Break ft Tom Scuderi, Senior Manager of Security & GRC @ LTK

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from reactive audits to continuous visibility. He breaks down why curated visibility beats blanket access, why SOC 2 should sharpen—not dilute—your security program, and how to anchor leadership decisions with meaningful risk data.

    Key Takeaways
    - GRC only scales when its processes mirror how engineering teams already work.
    - SOC 2 should enhance your security program rather than becoming a superficial checkbox exercise.
    - Curated visibility reduces friction and improves cross-functional trust.
    - Clarity in ownership is the backbone of a scalable GRC function.
    - Continuous, context-driven evidence cuts audit fatigue and sharpens the entire program.

    What You’ll Learn
    - How Tom built and matured GRC programs across four different companies.
    - Why engineering alignment is essential for sustainable compliance.
    - How curated visibility replaces access sprawl and accelerates audits.
    - The difference between risk-driven and compliance-driven GRC.
    - Why automation only works when underlying processes are mature.
    - How to structure ownership to reduce bottlenecks during SOC 2 and similar frameworks.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: https://www.compliancecow.com
    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest: Tom Scuderi | Senior Manager of Security & GRC | LTK
    Connect on LinkedIn: https://www.linkedin.com/in/tom-scuderi/

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

    56 min
  2. DEC 2

    Controls Are Promises: Rethinking GRC for Modern Security ft Sergio Alonso @ Rapid7

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Sergio Alonso, a seasoned GRC and information security leader at Rapid7, whose 17-year career spans auditing, high-regulation banking, blockchain innovation at Akamai, privacy GRC at Twitter, and now trust and governance in cybersecurity. Sergio breaks down how to translate legacy compliance thinking into modern engineering-aligned practices, why automation is the only scalable path forward, and how controls should be treated as “promises” that teams must honor every day. This conversation explores scaling GRC in high-velocity environments, reducing compliance fatigue, applying zero-knowledge principles to trust, and building the next generation of context-driven risk programs.

    Key Takeaways
    - Automation is the only sustainable path to scaling GRC without increasing friction.
    - Controls should be viewed as “promises,” and audits as the consequence of keeping or breaking them.
    - Context — technical, business, and risk — is the primary driver of effective triage and prioritization.
    - GRC must evolve from a legacy function into a trust-driven, engineering-aligned discipline.
    - Zero-knowledge-style thinking may define the future of transparency and customer trust.

    What You’ll Learn
    - How to adapt legacy compliance experience for cloud, SaaS, and fast-moving tech companies.
    - Why automation, evidence APIs, and GRC engineering are becoming non-negotiable.
    - How to reduce compliance fatigue using “meet once, meet many” principles.
    - Why context is the key to reducing noise from security tools.
    - How to partner with engineers using empathy, clarity, and strong framing.
    - Why trust and transparency are reshaping GRC inside cybersecurity companies.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: https://www.compliancecow.com
    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest: Sergio Alonso | GRC & Information Security Leader | Rapid7
    Connect on LinkedIn: https://www.linkedin.com/in/salonsor/

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/5xuvsT8HdJsa2sbhAFZQhL
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

    56 min
  3. NOV 13

    How Pragmatic Controls Build Trust Between GRC, Security, and Engineering ft Mukund Sarma, Deputy CISO @ Chime

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mukund Sarma, Deputy CISO and Head of Product Security at Chime, to explore what happens when governance, risk, and compliance teams work with engineering instead of against it. Mukund shares real-world lessons from a decade in security, explaining how to balance shift-left initiatives, build paved paths that reduce friction, and make compliance a natural byproduct of great engineering. This is a masterclass in aligning security, GRC, and DevOps for scale and sanity.

    5 Key Takeaways
    - GRC isn’t a blocker—it’s a mirror that keeps security honest and accountable.
    - Strong security engineering automatically strengthens compliance outcomes.
    - Friction between security and engineering fades when empathy drives collaboration.
    - “Shift left” works best when paved paths and automation support developers.
    - Practical controls and continuous validation create sustainable, scalable governance.

    What You’ll Learn
    - How to bridge silos between security, GRC, and engineering teams.
    - Why automation and continuous control monitoring are the future of compliance.
    - What “practical controls” really mean in modern DevSecOps environments.
    - How empathy and communication transform security culture.
    - Why compliance should follow great security engineering, not lead it.
    - Real-world examples from Chime’s approach to product security.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: https://www.compliancecow.com
    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest: Mukund Sarma | Deputy CISO and Head of Product Security | Chime
    Connect on LinkedIn: https://www.linkedin.com/in/sarmamukund/

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450?i=1000736617569

    57 min
  4. OCT 30

    How to Build Trust Between GRC and Engineering ft Tristan Ingold, Security GRC Program Manager at Meta

    How do you build real trust between GRC and engineering? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Tristan Ingold, Security GRC Program Manager at Meta. Tristan shares how consulting shaped his approach, why “policing” doesn’t work, and how GRC earns influence by acting as a partner to engineering, not a blocker. He discusses the cultural friction between audit, security, and product teams, how to communicate in the language of engineering, and why the right role for GRC is a “sparring partner” that helps teams ship safer, faster. From reframing control objectives to focusing on evidence the business already produces, this conversation is a practical playbook for building credibility and velocity at the same time.

    5 Key Takeaways
    - Partnership Over Policing: GRC earns influence by modeling partnership behaviors and meeting teams where they are.
    - Translate Controls to Engineering: Use product language and existing telemetry; design evidence around the way the system actually works.
    - Make It Observable: Treat GRC like an observability layer; surface risk signals the business already emits.
    - Tell the Story, Not the Score: Dashboards support the narrative; they aren’t the narrative. Lead with context and trade-offs.
    - Define the Right Role: The best GRC teams act as a sparring partner: challenging, supportive, and focused on outcomes.

    What You’ll Learn
    - How to rebuild trust with engineering after “audit fatigue”
    - Practical ways to convert control requirements into product language
    - How to design evidence from logs, pipelines, and tickets you already have
    - When to push, when to partner, and how to escalate with credibility
    - Communicating risk trade-offs without killing roadmap velocity

    Connect With Our Guest: Tristan Ingold | Security GRC Program Manager | Meta

    This podcast is brought to you by ComplianceCow - the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Watch more episodes

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify, Apple Podcasts

    57 min
  5. OCT 16

    Rethinking Risk: Data-Driven Decisions for Modern CISOs ft Tony Martin-Vegue

    In this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions. He breaks down Monte Carlo simulations, risk modeling, and the six levers that influence risk—all through a practical, approachable lens. Tony also explores how generative AI is transforming risk quantification and what every CISO, analyst, and engineer can do today to make risk measurable, actionable, and business-aligned.

    Key Takeaways
    - CRQ doesn’t require perfection—start with what you have and refine over time.
    - The most effective risk programs focus on directionally correct data, not precision.
    - Good risk scenarios clearly define asset, threat, and effect to avoid misalignment.
    - Generative AI accelerates scenario development, data research, and model creation.
    - CISOs should demand more from risk teams—move beyond “pick a color” heat maps.

    Topics Covered
    - Cyber risk quantification (CRQ)
    - Monte Carlo simulations and modeling
    - Risk scenario design and measurement
    - GRC and compliance integration
    - Generative AI in risk management
    - Moving from qualitative to quantitative risk
    - Improving risk hygiene and maturity
    - CISO leadership and risk culture

    What You’ll Learn
    - The difference between qualitative and quantitative risk methods
    - How to conduct your first risk quantification in Excel
    - Why Monte Carlo simulations are simpler than most think
    - How GRC, compliance, and security teams can collaborate effectively
    - The six levers that influence risk magnitude and frequency

    This podcast is brought to you by ComplianceCow: ComplianceCow helps enterprises automate GRC, shift compliance left, and continuously monitor controls across the business.
    Learn more at ComplianceCow.com

    Connect with our guest: Tony Martin-Vegue on LinkedIn
    - Co-Chair, FAIR Institute San Francisco Chapter
    - Former Risk Leader at Netflix and Gap Inc.
    - Author, From Heat Maps to Histograms (coming 2026)

    Subscribe to Security & GRC Decoded on your favorite platform: Spotify, Apple Podcasts
    Explore all episodes: ComplianceCow.com/podcast

    1 hr
  6. OCT 2

    Why GRC Is More Than Compliance with Kenneth Moras | Head of Security GRC | Plaid

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Kenneth Moras, Head of Security GRC at Plaid. Kenneth shares his journey from web developer and pen tester to building GRC and assurance teams at scale across leading companies like Adobe, Meta, and now Plaid. The conversation explores how GRC must balance governance, risk, and compliance as distinct but interdependent functions — and why great programs require clarity, collaboration, and simplicity. Kenneth also dives into the origins of the Adobe Common Control Framework (CCF), co-authoring the Open Finance Data Security Standard (OFDSS), and how Plaid applies these principles to secure the future of fintech. From reducing GRC toil through engineering and automation, to the role of AI and LLMs in risk management, Kenneth makes the case that GRC isn’t just about passing audits — it’s about building trust, reducing risk, and enabling innovation.

    🔑 5 Key Takeaways
    - 🌐 Career Evolution: Kenneth’s path from developer to GRC leader shows how diverse skills — from IT audit to consulting — strengthen risk leadership.
    - 🏗️ Building Frameworks: Adobe CCF and OFDSS highlight the importance of reducing complexity and standardizing security controls for scalability.
    - ⚖️ Governance vs. Risk vs. Compliance: These functions are distinct but must operate in harmony; misalignment creates organizational risk.
    - 🤖 AI in GRC: Generative AI and MCP tools are shifting GRC from “click ops” to “chat ops,” enabling faster risk assessment and reducing toil.
    - 🚀 GRC as an Enabler: Done right, GRC accelerates innovation by providing clarity, trust, and measurable security benefits.

    📘 What You’ll Learn
    - How to build a GRC program from scratch in a hyper-growth company.
    - Why governance, risk, and compliance require unique skill sets but interlock as checks and balances.
    - The story behind Adobe’s CCF and why Plaid open-sourced OFDSS.
    - How AI and automation are changing GRC engineering and risk management.
    - What Kenneth looks for when hiring the next generation of GRC professionals.

    📺 Watch more episodes: https://www.compliancecow.com/podcast

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: www.compliancecow.com

    🔗 Connect With Our Guest: Kenneth Moras | Head of Security GRC at Plaid

    ⭐ Stay Connected: Rate, review, and subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify, Apple Podcasts

    1h 19m
  7. SEP 11

    “This GRC Space is Hot!” with Varun Gurnaney, Staff Security Engineer at Apple

    How does a software engineer become a GRC leader? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Varun Gurnaney, Staff Security Engineer at Apple. Varun shares his journey from writing janky Python scripts for compliance evidence collection to shaping the discipline of GRC engineering at some of the world’s biggest companies. He discusses the cultural and technical gaps between security, engineering, GRC, and audit — and how automation can bridge them. From building one control really well to proving value through audit automation, Varun lays out why the GRC space is hotter than ever. This conversation is a must-listen for anyone navigating compliance at scale.

    🔑 5 Key Takeaways
    - Compliance ≠ Security: Passing audits is not enough — engineering-driven GRC is the future.
    - Start Small: Automate one control well to prove value before scaling automation.
    - Bridging Teams: Cultural friction between engineering, security, GRC, and audit is real — empathy and communication reduce the pain.
    - Audit Anxiety: Audit automation is about reducing anxiety and toil as much as passing audits.
    - GRC Engineering is a Discipline: Whether it lives inside GRC or security, automation is now essential.

    📚 What You’ll Learn
    - How Varun transitioned from software engineering into GRC leadership
    - Why compliance automation looks different for SMBs, mid-market, and enterprises
    - The technical and cultural blockers between engineering and GRC
    - Practical strategies for proving automation value internally
    - How generative AI and coding agents will shape audit and compliance automation

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    📺 Watch more episodes and learn from top leaders in the GRC space!

    Connect With Our Guest: Varun Gurnaney | Staff Security Engineer | Apple

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify, Apple Podcasts

    54 min
  8. SEP 4

    Risk in Dollars: The Future of GRC Measurement

    How does a network engineer become a GRC leader? Ramya Subramanian’s journey spans nearly two decades across IT, security, and governance. Now serving as Director of GRC & Privacy Operations at Freshworks, she joins Raj to unpack the evolving role of GRC: from quantifying risk and managing compliance debt to building automation that doesn’t slow engineering down. Ramya also shares how storytelling, PR-style evangelism, and simplifying policies can shift the perception of GRC from policing to business enabler. This episode is a playbook for anyone trying to modernize risk and compliance in fast-moving environments.

    5 Key Takeaways
    - Engineer’s edge in GRC: Why Ramya’s technical background makes her approach to governance unique.
    - Quantifying risk with dollars: Why risk measurement needs financial context, not just “likelihood x impact.”
    - Automation as a path forward: How Freshworks is reducing compliance toil for engineers.
    - Simplify policies and awareness: Cutting policy docs by 90% and building bite-sized security training.
    - GRC as PR: Storytelling and evangelism can reframe GRC as a business enabler, not a blocker.

    What You’ll Learn
    - How GRC and security complement each other
    - Challenges of risk quantification and continuous measurement
    - Why engineers perceive GRC as compliance tax
    - How automation and GRC engineering can reduce manual effort
    - The cultural perception of GRC and how to change it

    ⏱️ (Approximate) Timestamps
    [00:01:43] From network engineer to GRC leader
    [00:03:37] How Ramya defines Governance, Risk, and Compliance
    [00:05:28] Quantifying risk: from controls to financial impact
    [00:07:41] Why continuous risk measurement is so hard
    [00:11:49] How others perceive GRC inside organizations
    [00:13:43] Changing the “policing” perception of GRC
    [00:17:50] Rewriting policies & security awareness at Freshworks
    [00:19:38] Bringing auditors along the journey
    [00:21:33] Reducing compliance tax with automation
    [00:26:10] Why GRC needs engineering skills
    [00:29:58] Technical vs non-technical sides of GRC
    [00:31:47] Skills Ramya looks for when hiring
    [00:33:53] Generative AI’s impact on GRC
    [00:37:49] Dream GRC solution: context-aware automation
    [00:39:32] Building a business case for automation
    [00:44:00] Who should tell the GRC automation story?
    [00:45:54] Challenges with auditors in the AI era
    [00:46:49] From city editor to GRC leader — storytelling roots
    [00:52:26] Rajinikanth’s influence at Freshworks

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.
    Learn more: compliancecow.com

    Connect With Our Guest: Ramya Subramanian | Director of GRC & Privacy Operations | Freshworks
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

    55 min
