Episodes

  • GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva
    Dec 2 2025

    Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc


    ---


    What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building enterprise security at scale?


    In this episode, Kane Narraway, who previously led enterprise security at Atlassian, built Zero Trust at Shopify, and now runs enterprise security at Canva, shares battle-tested insights on the intersection of GRC and enterprise security.


    Kane's unique perspective comes from working across three major tech companies, navigating everything from SOC 2 to FedRAMP, and building security programmes that scale without creating friction for engineers.


    Key Topics Discussed:


    The Compliance-Security Partnership

    How compliance evolved from yearly audits to sales enablement, and why that actually helps enterprise security teams implement controls faster.


    Third-Party Risk Management Handover

    The critical transition from TPRM intake to ongoing enterprise security management, and when you should actually push back on vendors.


    Platform Consolidation vs Best-of-Breed

    Real examples from extremely consolidated (Shopify with Google everything) to open ecosystems (Canva's hundreds of tools), and which approach suits your company culture.


    Zero Trust and Continuous Compliance

    Why Zero Trust principles align perfectly with GRC engineering, and how to turn point-in-time audit checks into continuous validation systems.


    The User Experience Problem

    How to implement security controls without creating shadow IT, including the "my machine is perfect" engineer problem and how to solve it.


    M&A Security Integration

    Principles (not playbooks) for security integration during acquisitions, including when to keep companies separate for compliance reasons.


    The AI Compliance Challenge

    Why current control frameworks don't match AI-driven access patterns, and what's coming when non-human identities start requesting access at scale.


    FedRAMP, HIPAA, and High-Stakes Compliance

    The difference between managing SOC 2 (30 minutes of sampling) versus the compliance regimes that can dominate your calendar for months.


    About the Guest:

    Kane Narraway has spent over a decade building enterprise security programmes at some of the world's leading tech companies. Starting in UK government and BT, he moved to Atlassian where he built their corporate security programme, then to Shopify where he led platform engineering and Zero Trust, and now leads enterprise security at Canva in New Zealand. Kane specializes in building security at scale whilst maintaining developer velocity and user experience.


    Connect with the Guest:

    Kane Narraway: https://www.linkedin.com/in/kane-n/


    About The GRC Engineer:


    The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.


    Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.


    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe


    #GRCEngineering #Canva #EnterpriseSecurityCompliance #Automation #CyberSecurity #RiskManagement #ZeroTrust #DevSecOps

    1 hr and 6 mins
  • Beyond the Screenshot: Why Auditors Don't Trust Platforms & What Quality Really Costs w/ Troy Fine
    Nov 11 2025

    Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc

    ---

    Troy Fine has conducted hundreds of SOC 2 audits over 15 years. In this conversation, he reveals uncomfortable truths about the audit market that most practitioners won't discuss openly.

    His most explosive admission: "Nobody can measure audit quality." Not TPRM teams. Not buyers. Not even auditors themselves. You're not paying for quality - you're paying for brand recognition.

    We cover:

    The Evidence Trust Problem

    Why auditors trust screenshots but not platform automation, the middleware accountability gap that makes audit firms uncomfortable, and what professional liability concerns reveal about legal defensibility versus technical capability.

    Quality vs Brand Reality

    Troy's admission that even premium audit firms don't provide measurably better quality, why personal brand premium pricing works at small scale but doesn't solve systematic problems, and how the audit market operates on reputation signalling rather than measurable outcomes.

    Platform Evidence & Professional Liability

    The risk-based framework Troy actually uses: accepting platform evidence for low-risk controls whilst validating source systems for infrastructure, what would make platforms auditor-trustworthy (cryptographic evidence chains, auditor-controlled queries, platform certification), and why the courtroom scenario keeps auditors sceptical of automation.

    SOC 2 Market Commoditisation

    The feedback loop problem driving quality degradation, why "no report is better than bad report" reveals systematic market failure, the two-tier market emerging (premium craftsmanship versus commoditised checkbox exercises), and how price compression without quality metrics creates race-to-bottom dynamics.

    The SOC 2 Lite Proposal

    Troy's vision for formal tiered assurance with 20 prescriptive controls for smaller companies, why this would fail in practice (TPRM teams defaulting to "Full," gaming qualification criteria, arbitrary thresholds), and what transparency about validation depth would actually provide instead.

    AI in Audit Practice

    Where Troy embraces AI (evidence evaluation, pattern detection, documentation efficiency) versus where human judgement remains essential (risk assessment, control design evaluation, professional scepticism), and why accountability architecture matters more than tool ownership.

    What Would Actually Fix This

    Moving from point-in-time audits to continuous assurance, building cryptographic evidence chains for provenance verification, auditing platform methodology once instead of each deployment, and why engineering discipline with measurable quality metrics could replace subjective professional judgement.
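    The "cryptographic evidence chains for provenance verification" mentioned twice in this episode (under Platform Evidence & Professional Liability and under What Would Actually Fix This) can be made concrete. The block below is an added illustration written for this page, not code from the episode, from Troy Fine or from Fine Assurance. Each evidence record carries the control ID, the source system, the exact query the collector ran, the raw result, and the hash of the previous record; the record hash is then signed by the collector. The control IDs, source names, queries, sample payloads and the collector key are constructed stand-ins, and an HMAC stands in for the asymmetric signature a real platform would use so that the auditor could verify with a public key alone.

```python
"""Hash-chained, signed compliance evidence records (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed sample key. A real collector would sign with a private key held in
# a KMS/HSM and the auditor would verify with the matching public key; HMAC is
# used here only to keep the example dependency-free.
COLLECTOR_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first record in a chain


def canonical(obj) -> bytes:
    """Deterministic JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class EvidenceRecord:
    seq: int
    control_id: str   # e.g. SOC 2 criterion the evidence supports
    source: str       # system the evidence was pulled from
    query: str        # the exact query the collector ran (auditor can re-run it)
    payload: dict     # raw result, not a screenshot
    prev_hash: str    # links this record to the one before it
    record_hash: str = ""
    sig: str = ""

    def body(self) -> dict:
        """Everything covered by the hash: all fields except hash and signature."""
        d = asdict(self)
        d.pop("record_hash")
        d.pop("sig")
        return d


def append_record(chain: list, control_id: str, source: str, query: str,
                  payload: dict) -> EvidenceRecord:
    """Append a new record, hash it over its body plus the previous hash, sign it."""
    prev = chain[-1].record_hash if chain else GENESIS
    rec = EvidenceRecord(len(chain), control_id, source, query, payload, prev)
    rec.record_hash = hashlib.sha256(canonical(rec.body())).hexdigest()
    rec.sig = hmac.new(COLLECTOR_KEY, rec.record_hash.encode(), hashlib.sha256).hexdigest()
    chain.append(rec)
    return rec


def verify_chain(chain: list):
    """Walk the chain; return (True, 'ok') or (False, reason) at the first defect.

    Detects edited payloads (hash mismatch), deleted or reordered records
    (broken prev_hash link) and records not produced by the collector (bad sig).
    """
    expected_prev = GENESIS
    for rec in chain:
        if rec.prev_hash != expected_prev:
            return False, f"record {rec.seq}: broken link to previous record"
        h = hashlib.sha256(canonical(rec.body())).hexdigest()
        if h != rec.record_hash:
            return False, f"record {rec.seq}: content altered after signing"
        expected_sig = hmac.new(COLLECTOR_KEY, h.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec.sig):
            return False, f"record {rec.seq}: bad signature"
        expected_prev = h
    return True, "ok"


def build_sample_chain() -> list:
    """Two constructed evidence records, as a collector might emit for an audit window."""
    chain = []
    append_record(chain, "CC6.1", "aws:iam", "get-account-password-policy",
                  {"MinimumPasswordLength": 14, "RequireMFA": True})
    append_record(chain, "CC6.6", "aws:ec2", "describe-security-groups",
                  {"sg-0abc": {"ssh_open_to_world": False}})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                    # (True, 'ok')
    chain[0].payload["MinimumPasswordLength"] = 8 # quietly "improve" the evidence
    print(verify_chain(chain))                    # (False, 'record 0: content altered after signing')
```

    The point an auditor cares about is the second call: once the record is signed, nobody downstream (the platform vendor, the customer, a middleware layer) can change what the source system actually returned without the verification failing, and deleting an inconvenient record breaks the link in the record after it. The query string is stored alongside the result so the auditor can re-run it against the source system, which is the "auditor-controlled queries" idea from the same episode.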


    Connect with Troy:

    LinkedIn: https://www.linkedin.com/in/troyjfine/

    Fine Assurance: fineassurance.com

    About The GRC Engineer:

    The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators building the future of GRC through automation, code, and systems thinking.

    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe

    Subscribe for deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

    #GRCEngineering #SOC2 #Audit #Compliance #TroyFine #CyberSecurity #RiskManagement #Automation #SecurityCompliance #AuditQuality

    1 hr and 9 mins
  • From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman
    Oct 28 2025

    Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun.

    Get your $750 Gap Assessment at paramify.com/grc.

    To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

    Wrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside?

    In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles.

    What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance.

    Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.

    Key Topics Discussed:

    The Problem State

    How FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern tools

    FedRAMP 20X Architecture

    The dual-path strategy: improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validation

    Risk-Based Authorization

    Why "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk tolerance

    Engineering-First Requirements

    How KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everything

    Radical Transparency Doctrine

    Why posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinking

    About the Guest:

    Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. He previously worked with the US Digital Service as a cloud expert, coached agencies on modernization through the Technology Modernization Fund, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.

    Connect with Pete:

    Pete Waterman: https://www.linkedin.com/in/petewaterman/

    About The GRC Engineer: The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

    Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe

    #GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity

    1 hr and 44 mins
  • Rebuilding GRC from Scratch: Build-First Engineering w/ Emre & Chad from Docker
    Oct 14 2025

    To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

    How do you build a modern GRC programme when you inherit processes designed for a team three times your size, in an organisation where "compliance frameworks were owning us instead of us owning them"?

    In this episode, Emre Ugurlu and Chad Fryer from Docker share their journey transforming compliance, risk, and customer trust functions over the past six months through relentless automation, AI-assisted development, and a ruthless focus on user experience.

    Emre previously spent 3.5 years at Plaid working on GRC engineering principles, whilst Chad brings a UX focus with a strong engineering background. Together with a small team at Docker, they're proving that you don't need a massive GRC organisation to deliver enterprise-grade compliance at speed.

    Build vs Buy Philosophy
    Why Docker defaults to internal development and how they rebuilt their entire security training platform in a couple of weeks, achieving 100% completion rates through gamification and automation.

    Zero-to-One Playbook
    The first weeks: deep gap analysis, stress-testing controls, collaborative stack-ranking across teams, and building communication channels before building solutions.

    Self-Managing Team Model
    Three engineers, one analyst, no dedicated GRC manager. How autonomy and trust from leadership enable speed and innovation.

    Continuous Compliance at Scale
    Moving towards full automation across SOC 2 and ISO 27001, including custom API development with AWS Lambda and EventBridge.

    AI as Teammate
    Claude as "the sixth member" of the team, the discipline required to use AI effectively, and why pre-AI coding experience makes you 10x better at leveraging it.

    User Experience in GRC
    Why if nobody uses your solution, it doesn't matter how good it is. Building for adoption, not perfection.

    TPRM Transformation
    "We promised Steven we would automate the crap out of it" - plans for comprehensive third-party risk management automation.

    Cost Model Innovation
    How Docker's GRC team is becoming a revenue-generating function by saving costs and offering solutions to other internal teams.

    Essential Skills
    What aspiring GRC engineers actually need: API documentation reading, embracing failure, proper documentation, and understanding code across multiple languages.

    12-Month Vision
    Open source tool releases, containerised solutions for the community, and the goal to "transform GRC into something no one's ever seen." Open source cybersecurity training already available: https://emreugurlu.github.io/open-security-training/

    Quotes:

    "Instead of bending over backwards, we're supposed to make it fit the organisation. Docker is really unique in the way it operates, and we have to adjust compliance accordingly." - Emre

    "If we build the most cool thing on the planet, but nobody uses it, it doesn't matter. Everything I do, I think of user experience during the process." - Chad

    "Six times out of ten, I have to go correct Claude. The ability to read through code and read through flawed logic never disappears." - Emre

    "With the tools we have today, there's no excuse why anybody can't build things themselves." - Emre

    "We're going to be a revenue generating team." - Chad

    About The GRC Engineer:

    The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

    Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

    🌐 Visit: grcengineer.com

    💼 Connect: linkedin.com/in/ayoubfandi

    📧 Newsletter: grcengineer.com/subscribe

    1 hr and 14 mins
  • Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer
    Sep 6 2025

    Check out grcengineer.com to learn more!

    Summary

    In this engaging conversation, Ayoub Fandi and Varun Gurnaney explore the evolving landscape of Governance, Risk, and Compliance (GRC) engineering. Varun shares his unique journey from cybersecurity to GRC, emphasizing the importance of automation and collaboration between engineering and compliance teams. They discuss the challenges faced in GRC, the philosophical aspects of risk management, and the future of compliance in a rapidly changing technological environment. The dialogue highlights the need for a more integrated approach to security and compliance, advocating for a shift towards real-time assessments and a deeper understanding of the technical landscape.

    Sound Bites

    "Screenshots are cool again."

    "Compliance should be free."

    "Don't get hacked is what I care about."

    Takeaways

    Varun's journey into GRC began with a cybersecurity role at EY.

    Automation in GRC processes is crucial for efficiency.

    Compliance approaches differ culturally between small and large companies.

    GRC engineering is often misunderstood and underappreciated in larger organizations.

    Collaboration between GRC and engineering teams is essential for success.

    Risk management should be tied to real business impacts rather than just compliance checkboxes.

    The future of compliance may involve more automated and real-time assessments.

    Tools used in security can significantly enhance GRC efforts.

    Understanding the technical landscape is vital for effective GRC practices.

    The conversation highlights the philosophical aspects of compliance and risk management.

    Chapters

    00:00 Introduction and Guest Background

    02:42 Varun's Journey into GRC Engineering

    06:32 Comparing GRC in Different Company Sizes

    11:56 The Role of Automation in GRC

    17:34 Challenges in GRC Engineering

    23:26 The Future of Compliance and Risk Management

    29:03 The Importance of Collaboration in Security

    34:47 The Philosophy of Risk and Compliance

    40:33 The Role of Tools in GRC

    46:21 Final Thoughts on GRC and Future Directions

    57 mins
  • The GRC Engineering Blueprint for the Public Sector w/ Dr. Ibrahim Waziri Jr. from Google
    Aug 26 2025

    To learn more, check out grcengineer.com


    Summary


    In this episode, Dr. Ibrahim Waziri Jr. shares his extensive experience in GRC engineering and cybersecurity, discussing the evolution of compliance from static documentation to dynamic, automated processes. He emphasizes the importance of GRC engineering in bridging different governance models and enhancing operational efficiency. The conversation also explores the challenges of bureaucracy in the public sector and the need for innovation in compliance practices. Dr. Waziri highlights the future of GRC engineering, focusing on regulatory acceleration and the potential for global harmonization in compliance frameworks. If you work in the Public Sector, this is a must-listen episode!



    Takeaways


    GRC engineering is transforming compliance into a dynamic, automated process.

    The complexities in GRC are numerous and growing, requiring innovative solutions.

    Automation in GRC can significantly enhance operational efficiency.

    Bureaucracy in the public sector can hinder innovation, but GRC can enable it.

    Regulatory acceleration is leading to faster compliance processes.

    Global harmonization of regulatory requirements is becoming increasingly necessary.

    The future of GRC engineering will involve more machine-readable formats.

    Understanding different governance models is crucial for GRC professionals.

    GRC architects are needed to navigate complex regulatory landscapes.

    The role of compliance is evolving to focus on mission continuity and resilience.


    Sound bites


    "The complexities in GRC are numerous and growing."

    "Regulatory acceleration is a new era for compliance."

    "The future of GRC is about global harmonisation."



    Chapters


    00:00 Introduction to GRC Engineering and Guest Background

    03:50 Dr. Ibrahim Waziri Jr.'s Journey in Cybersecurity

    11:35 Defining GRC Engineering: A Transformative Approach

    17:15 GRC Engineering Across Different Governance Models

    22:40 The Role of Automation in GRC Engineering

    28:46 Balancing Compliance and Innovation in Public Sector

    36:45 Proving Impact in Mission-Driven Organisations

    52:58 Balance between Bureaucracy and Critical Reviews

    58:51 Future of GRC Engineering


    Keywords


    GRC engineering, cybersecurity, compliance, automation, insider risk management, regulatory frameworks, cloud security, national security, governance, risk management

    1 hr and 9 mins
  • Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix
    Jul 29 2025

    To learn more, go to grcengineer.com

    Summary

    In this episode of the GRC Engineer podcast, host Ayoub interviews Tony Martin-Vegue, a seasoned expert in risk quantification and GRC engineering.

    They discuss Tony's career journey from IT to risk management, the importance of cyber risk quantification, and the interplay between governance, risk, and compliance. Tony shares insights on the benefits of risk assessments for various stakeholders, the role of AI in enhancing risk quantification, and practical tips for those looking to start their journey in cyber risk quantification.

    The conversation also touches on the philosophical aspects of risk management and the need for better decision-making frameworks in organizations.

    Takeaways

    - Tony has conducted around a thousand quantitative risk assessments in his career.

    - Risk quantification enables richer conversations with executives about trade-offs and investments.

    - GRC should be seen as a business enabler rather than a checklist.

    - Cyber risk quantification (CRQ) is a philosophy, while FAIR is a tool to implement it.

    - Stakeholders across the organization benefit from risk assessments in different ways.

    - AI can significantly reduce the time needed for data collection in risk assessments.

    - Understanding the philosophy of risk is crucial for effective risk management.

    - The majority of time in risk management is spent on identification and communication, not just modeling.

    - Organizations should focus on better decision-making rather than just remediation.

    - Security awareness training may not provide a good return on investment.

    Sound bites

    "FAIR gives you a package, a framework."

    "We need data to make better decisions."

    "Security awareness training doesn't work."

    Chapters

    00:00 Introduction to GRC Engineering and Guest Background

    02:39 Tony's Career Journey in Risk Management

    06:49 The Shift to Cyber Risk Quantification

    12:27 The Interplay of GRC: Governance, Risk, and Compliance

    16:32 Understanding Cyber Risk Quantification and FAIR

    23:13 Stakeholders Benefiting from Quantified Risk Assessments

    28:32 Balancing Remediation Bias in Risk Management

    34:13 Engaging with Risk Owners

    39:49 The Philosophy of Risk Management

    44:48 Quantifying Risk Activities

    47:33 The Role of AI in Risk Assessment

    52:21 Getting Started with Cyber Risk Quantification

    01:01:04 Collaboration Between GRC Engineering and Risk Analysis

    01:01:43 Challenging Conventional Wisdom on Security Training

    Keywords

    GRC Engineering, Cyber Risk Quantification, FAIR, Risk Management, Governance, Compliance, Risk Assessment, AI in Security, Stakeholder Engagement, Risk Acceptance

    1 hr and 2 mins
  • Beyond the API: GRC Engineering in the Real World w/ Ange Ferrari, CISO/SVP @ METRO AG
    Jul 1 2025

    Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe

    In this insightful episode of the GRC Engineering Podcast, host Ayoub Fandi sits down with Ange Ferrari, SVP & CISO at Metro Group, for a deep dive into how GRC has evolved over two decades and what it takes to scale security programs globally.

    Our expert guest: Ange is a security leader with 20+ years' experience across the public sector, retail giants (Carrefour, IKEA), and AWS EMEA, and now leads security for a global wholesaler operating in 36 countries.

    We explore the evolution and engineering of GRC at enterprise scale, covering:

    • How GRC became the key to career growth from technical roles to CISO
    • Why cloud transformation shattered traditional risk frameworks
    • The reality of implementing controls across diverse, global technology stacks
    • Hot Take: The critical balance between prevention and detection that most miss
    • AWS insider perspective: What enterprise-scale compliance really looks like
    • Engineering pragmatic GRC programs that work in messy, real-world environments

    Whether you're a CISO scaling global programs, a GRC professional in traditional industries, or anyone trying to make compliance work in complex enterprise environments, Ange shares battle-tested strategies from the front lines.

    📋 Timestamps:

    00:00 - Introduction and Ange's Background

    02:57 - How GRC Enabled Career Growth

    06:34 - Evolution of GRC Practices Over Time

    14:52 - Common GRC Implementation Failures

    25:56 - Defining GRC Engineering

    33:01 - Where Should GRC Teams Report?

    39:20 - GRC Challenges in Complex Enterprise Environments

    49:05 - Lessons from the AWS Vendor Side

    59:46 - Building Technical Skills in GRC Teams

    01:03:39 - Hot Take: Prevention vs Detection Balance

    1 hr and 9 mins