
GRC Engineer


By: Ayoub Fandi

About this listen

The podcast for practitioners applying systems thinking and engineering principles to GRC. We speak with GRC leaders, security engineers and practitioners transforming legacy GRC through automation, orchestration, and architectural thinking. Learn how to design scalable systems, build better workflows and solve coordination challenges. GRC Engineering works everywhere: from spreadsheets to enterprise platforms, AI startups to Fortune 500s. It also works for you! Hosted by Ayoub Fandi, founder of GRC Engineer, co-author of the GRC Engineering manifesto and leading GRC Engineering at GitLab.
Episodes
  • GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva
    Dec 2 2025

    Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc


    ---


    What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building enterprise security at scale?


    In this episode, Kane Narraway, previously leading enterprise security at Atlassian, building Zero Trust at Shopify, and now running enterprise security at Canva, shares battle-tested insights on the intersection of GRC and enterprise security.


    Kane's unique perspective comes from working across three major tech companies, navigating everything from SOC 2 to FedRAMP, and building security programmes that scale without creating friction for engineers.


    Key Topics Discussed:


    The Compliance-Security Partnership

    How compliance evolved from yearly audits to sales enablement, and why that actually helps enterprise security teams implement controls faster.


    Third-Party Risk Management Handover

    The critical transition from TPRM intake to ongoing enterprise security management, and when you should actually push back on vendors.


    Platform Consolidation vs Best-of-Breed

    Real examples from extremely consolidated (Shopify with Google everything) to open ecosystems (Canva's hundreds of tools), and which approach suits your company culture.


    Zero Trust and Continuous Compliance

    Why Zero Trust principles align perfectly with GRC engineering, and how to turn point-in-time audit checks into continuous validation systems.


    The User Experience Problem

    How to implement security controls without creating shadow IT, including the "my machine is perfect" engineer problem and how to solve it.


    M&A Security Integration

    Principles (not playbooks) for security integration during acquisitions, including when to keep companies separate for compliance reasons.


    The AI Compliance Challenge

    Why current control frameworks don't match AI-driven access patterns, and what's coming when non-human identities start requesting access at scale.


    FedRAMP, HIPAA, and High-Stakes Compliance

    The difference between managing SOC 2 (30 minutes of sampling) versus the compliance regimes that can dominate your calendar for months.


    About the Guest:

    Kane Narraway has spent over a decade building enterprise security programmes at some of the world's leading tech companies. Starting in UK government and BT, he moved to Atlassian where he built their corporate security programme, then to Shopify where he led platform engineering and Zero Trust, and now leads enterprise security at Canva in New Zealand. Kane specializes in building security at scale whilst maintaining developer velocity and user experience.


    Connect with the Guest:

    Kane Narraway: https://www.linkedin.com/in/kane-n/


    About The GRC Engineer:


    The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.


    Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.


    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe


    #GRCEngineering #Canva #EnterpriseSecurityCompliance #Automation #CyberSecurity #RiskManagement #ZeroTrust #DevSecOps

    1 hr and 6 mins
  • Beyond the Screenshot: Why Auditors Don't Trust Platforms & What Quality Really Costs w/ Troy Fine
    Nov 11 2025

    Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc


    ---


    Troy Fine has conducted hundreds of SOC 2 audits over 15 years. In this conversation, he reveals uncomfortable truths about the audit market that most practitioners won't discuss openly.


    His most explosive admission: "Nobody can measure audit quality." Not TPRM teams. Not buyers. Not even auditors themselves. You're not paying for quality - you're paying for brand recognition.


    We cover:


    The Evidence Trust Problem

    Why auditors trust screenshots but not platform automation, the middleware accountability gap that makes audit firms uncomfortable, and what professional liability concerns reveal about legal defensibility versus technical capability.


    Quality vs Brand Reality

    Troy's admission that even premium audit firms don't provide measurably better quality, why personal brand premium pricing works at small scale but doesn't solve systematic problems, and how the audit market operates on reputation signalling rather than measurable outcomes.


    Platform Evidence & Professional Liability

    The risk-based framework Troy actually uses: accepting platform evidence for low-risk controls whilst validating source systems for infrastructure, what would make platforms auditor-trustworthy (cryptographic evidence chains, auditor-controlled queries, platform certification), and why the courtroom scenario keeps auditors sceptical of automation.


    SOC 2 Market Commoditisation

    The feedback loop problem driving quality degradation, why "no report is better than bad report" reveals systematic market failure, the two-tier market emerging (premium craftsmanship versus commoditised checkbox exercises), and how price compression without quality metrics creates race-to-bottom dynamics.


    The SOC 2 Lite Proposal

    Troy's vision for formal tiered assurance with 20 prescriptive controls for smaller companies, why this would fail in practice (TPRM teams defaulting to "Full," gaming qualification criteria, arbitrary thresholds), and what transparency about validation depth would actually provide instead.


    AI in Audit Practice

    Where Troy embraces AI (evidence evaluation, pattern detection, documentation efficiency) versus where human judgement remains essential (risk assessment, control design evaluation, professional scepticism), and why accountability architecture matters more than tool ownership.


    What Would Actually Fix This

    Moving from point-in-time audits to continuous assurance, building cryptographic evidence chains for provenance verification, auditing platform methodology once instead of each deployment, and why engineering discipline with measurable quality metrics could replace subjective professional judgement.


    Connect with Troy:

    LinkedIn: https://www.linkedin.com/in/troyjfine/

    Fine Assurance: fineassurance.com


    About The GRC Engineer:


    The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators building the future of GRC through automation, code, and systems thinking.


    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe


    Subscribe for deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.


    #GRCEngineering #SOC2 #Audit #Compliance #TroyFine #CyberSecurity #RiskManagement #Automation #SecurityCompliance #AuditQuality

    1 hr and 9 mins
  • From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman
    Oct 28 2025

    Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun.

    Get your $750 Gap Assessment at paramify.com/grc.

    To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

    Wrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside?

    In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles.

    What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance.

    Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.

    Key Topics Discussed:

    The Problem State

    How FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern tools

    FedRAMP 20X Architecture

    The dual-path strategy: improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validation

    Risk-Based Authorization

    Why "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk tolerance

    Engineering-First Requirements

    How KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everything

    Radical Transparency Doctrine

    Why posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinking

    About the Guest:

    Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. He previously worked with the US Digital Service as a cloud expert, coached agencies on modernization at the Technology Modernization Fund, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.

    Connect with Pete:

    Pete Waterman: https://www.linkedin.com/in/petewaterman/

    About The GRC Engineer: The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

    Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe

    #GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity

    1 hr and 44 mins