In this episode, Cheri Hotman sits down with Joe Kodali, a fellow CPA turned cybersecurity and GRC leader, to have a blunt, practitioner-level conversation about what is actually broken in modern cybersecurity programs and why compliance theater is making organizations less secure, not more.

They unpack the unique value CPAs bring to cybersecurity, not because of accounting, but because of how auditors are trained to understand entire businesses, ask uncomfortable questions, and tie controls back to real risk and return on investment. From there, the discussion goes deep into the widening gap between executives and cyber teams, the failure of checkbox audits, and how GRC tools and low-quality SOC 2 practices have created a dangerous false sense of security.

Cheri and Joe challenge the industry’s obsession with compliance over governance and risk, calling out poor scoping, copy-paste controls, and the misuse of frameworks that were never meant to be treated as templates. They also address the hard truth that tools do not fix broken programs, people and discipline do.

The conversation closes with a candid discussion on why governance is the most overlooked and undervalued part of GRC, how boards should be asking better questions, and what it actually takes to build a cyber program that protects the business rather than just passing audits.

This episode is required listening for CISOs, security leaders, GRC practitioners, auditors, and executives who want real security outcomes instead of green checkmarks.