
Security & GRC Decoded


By: Raj Krishnamurthy

About this listen

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy.

It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure and adhere to regulatory mandates.

Security & GRC Decoded brings you:
+ Actionable strategies.
+ Expert insights.
+ Real-world stories to elevate your Security GRC programs.

Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed.

© 2025 Security & GRC Decoded
Economics
Episodes
  • Risk in Dollars: The Future of GRC Measurement
    Sep 4 2025

    How does a network engineer become a GRC leader? Ramya Subramanian’s journey spans nearly two decades across IT, security, and governance. Now serving as Director of GRC & Privacy Operations at Freshworks, she joins Raj to unpack the evolving role of GRC: from quantifying risk and managing compliance debt to building automation that doesn’t slow engineering down.

    Ramya also shares how storytelling, PR-style evangelism, and simplifying policies can shift the perception of GRC from policing to business enabler. This episode is a playbook for anyone trying to modernize risk and compliance in fast-moving environments.


    5 Key Takeaways

    • Engineer’s edge in GRC: Why Ramya’s technical background makes her approach to governance unique.
    • Quantifying risk with dollars: Why risk measurement needs financial context, not just “likelihood x impact.”
    • Automation as a path forward: How Freshworks is reducing compliance toil for engineers.
    • Simplify policies and awareness: Cutting policy docs by 90% and building bite-sized security training.
    • GRC as PR: Storytelling and evangelism can reframe GRC as a business enabler, not a blocker.

    What You’ll Learn

    • How GRC and security complement each other
    • Challenges of risk quantification and continuous measurement
    • Why engineers perceive GRC as compliance tax
    • How automation and GRC engineering can reduce manual effort
    • The cultural perception of GRC and how to change it

    ⏱️ (Approximate) Timestamps

    [00:01:43] From network engineer to GRC leader
    [00:03:37] How Ramya defines Governance, Risk, and Compliance
    [00:05:28] Quantifying risk: from controls to financial impact
    [00:07:41] Why continuous risk measurement is so hard
    [00:11:49] How others perceive GRC inside organizations
    [00:13:43] Changing the “policing” perception of GRC
    [00:17:50] Rewriting policies & security awareness at Freshworks
    [00:19:38] Bringing auditors along the journey
    [00:21:33] Reducing compliance tax with automation
    [00:26:10] Why GRC needs engineering skills
    [00:29:58] Technical vs non-technical sides of GRC
    [00:31:47] Skills Ramya looks for when hiring
    [00:33:53] Generative AI’s impact on GRC
    [00:37:49] Dream GRC solution: context-aware automation
    [00:39:32] Building a business case for automation
    [00:44:00] Who should tell the GRC automation story?
    [00:45:54] Challenges with auditors in the AI era
    [00:46:49] From city editor to GRC leader — storytelling roots
    [00:52:26] Rajinikanth’s influence at Freshworks

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest:

    Ramya Subramanian | Director of GRC & Privacy Operations | Freshworks
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to
    Security & GRC Decoded wherever you get your podcasts:

    Spotify and Apple Podcasts

    55 mins
  • Compliance ≠ Security: It Sets the Foundation ft Evan Millman, Security GRC Manager @ Abnormal AI
    Aug 21 2025

    What’s the true relationship between compliance and security? According to Evan Millman, compliance may not be security—but it’s the necessary starting point for building it.

    In this episode, Raj sits down with Evan to explore how organizations can shift their GRC approach from reactive checkbox checking to a proactive and risk-informed security practice. Evan shares stories from his work at Abnormal.AI, lessons from scaling GRC in fast-moving environments, and practical advice for anyone trying to align controls with business objectives.


    5 Key Takeaways:

    • Compliance is not the destination — but it is the framework for real security conversations.
    • Say no to overkill — Right-size controls based on business needs, not frameworks.
    • Decentralized GRC works — but only if there’s shared ownership and trust.
    • “GRC therapy” is real — and it starts with building internal relationships.
    • Metrics matter — but only when they tell a story that drives action.


    What You’ll Learn:

    • Why compliance ≠ security (but still matters)
    • The pitfalls of checklist-first GRC programs
    • How to build GRC partnerships across product and engineering teams
    • Why business-aligned storytelling is the future of risk communication
    • How Abnormal Security approaches frameworks like SOC 2 and ISO 27001

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest:

    Evan Millman | Security GRC Manager | Abnormal AI
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to
    Security & GRC Decoded wherever you get your podcasts:

    Spotify and Apple Podcasts


    🕒 (Approximate) Timestamps

    [00:02:40] What makes Evan passionate about security GRC?
    [00:04:30] How compliance ≠ security — and why that distinction matters
    [00:06:50] When GRC goes wrong: overkill, checklists, and inefficiency
    [00:10:15] Building trust by embedding security into product discussions
    [00:14:40] Right-sizing controls: starting with SOC 2 vs ISO 27001
    [00:18:10] Managing a decentralized GRC team at Abnormal
    [00:23:02] Metrics and storytelling — what the board actually wants
    [00:29:45] Why GRC leaders need emotional intelligence and empathy
    [00:35:20] What GRC professionals can learn from product managers
    [00:39:11] Evan’s advice to vendors trying to break into GRC
    [00:41:05] How GRC can (and should) enable product velocity
    [00:44:55] If he could wave a magic wand, what would Evan fix in GRC?


    1 hr and 14 mins
  • Cyber Economics and Keeping Up with Innovation ft Trupti Shiralkar (Cybersecurity Leader & Advisor)
    Aug 7 2025

    What trade-offs are you willing to make in cybersecurity?
    In this episode of Security & GRC Decoded, host Raj Krishnamurthy is joined by Trupti Shiralkar, a seasoned cybersecurity leader and Advisory Board Member at Backslash Security, to explore how risk, ROI, and real-world constraints shape modern security programs. With decades of experience across AppSec, security architecture, and risk governance, Trupti brings a rare blend of deep technical insight and strategic thinking.

    They dive into cyber economics, AI-driven tooling, and why security storytelling may soon matter more than fear-based metrics. Whether you're a security veteran or just entering the space, this is a must-listen on staying relevant and effective in the age of automation.

    5 Key Takeaways

    • Cybersecurity is about trade-offs – No org can secure everything; knowing what to ignore is just as critical.
    • LLMs can’t fully replace layered defense – Copilots help, but context and reachability still matter.
    • ROI matters more than ever – Security teams must prove business value in language execs understand.
    • Storytelling wins boardrooms – Fear, uncertainty, and doubt (FUD) is out. Framing risk with narrative is in.
    • Reinvent or be replaced – AI won’t eliminate jobs—it’ll replace outdated versions of them.


    What You’ll Learn

    • How cyber economics helps frame decision-making
    • The evolving role of LLMs and software composition tools in vulnerability management
    • Why OWASP hasn’t solved insecure code after decades
    • How to prioritize reachability over volume
    • What developers and security pros should focus on to stay relevant

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

    Connect With Our Guest:

    Trupti Shiralkar | Advisory Board Member, Backslash Security
    Connect on LinkedIn

    Rate, review, and share if you enjoyed the show!
    Subscribe to
    Security & GRC Decoded wherever you get your podcasts:

    Spotify and Apple Podcasts

    Timestamps (Approx)

    [00:00] Intro
    [02:47] Why cyber economics goes beyond traditional budgeting
    [06:10] Introduction of grey swan events and the need for proactive innovation
    [10:10] Aligning compliance and security using LLMs
    [16:56] Reducing cognitive load in cybersecurity decision-making
    [20:00] Budgeting for innovation: Lessons from Trupti’s past security leadership
    [23:00] Difference between cyber economics and cyber risk quantification
    [33:50] The misunderstood strategic role of GRC
    [54:30] How meditation and mindfulness help navigate the security world
    [57:15] Trupti’s final shout-outs to historic and modern tech inspirations

    1 hr