Security & GRC Decoded

By: Raj Krishnamurthy

About this listen

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy.

It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and adhere to regulatory mandates.

Security & GRC Decoded brings you:
+ Actionable strategies.
+ Expert insights.
+ Real-world stories to elevate your Security GRC programs.

Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed.

© 2025 Security & GRC Decoded
Episodes
  • How Pragmatic Controls Build Trust Between GRC, Security, and Engineering ft Mukund Sarma, Deputy CISO @ Chime
    Nov 13 2025

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mukund Sarma, Deputy CISO and Head of Product Security at Chime, to explore what happens when governance, risk, and compliance teams work with engineering instead of against it. Mukund shares real-world lessons from a decade in security, explaining how to balance shift-left initiatives, build paved paths that reduce friction, and make compliance a natural byproduct of great engineering. This is a masterclass in aligning security, GRC, and DevOps for scale and sanity.


    5 Key Takeaways

    • GRC isn’t a blocker—it’s a mirror that keeps security honest and accountable.
    • Strong security engineering automatically strengthens compliance outcomes.
    • Friction between security and engineering fades when empathy drives collaboration.
    • “Shift left” works best when paved paths and automation support developers.
    • Practical controls and continuous validation create sustainable, scalable governance.

    What You’ll Learn

    • How to bridge silos between security, GRC, and engineering teams.
    • Why automation and continuous control monitoring are the future of compliance.
    • What “practical controls” really mean in modern DevSecOps environments.
    • How empathy and communication transform security culture.
    • Why compliance should follow great security engineering, not lead it.
    • Real-world examples from Chime’s approach to product security.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Mukund Sarma | Deputy CISO and Head of Product Security | Chime
    Connect on LinkedIn: https://www.linkedin.com/in/sarmamukund/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr
    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450?i=1000736617569


    57 mins
  • How to Build Trust Between GRC and Engineering ft Tristan Ingold, Security GRC Program Manager at Meta
    Oct 30 2025

    How do you build real trust between GRC and engineering? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Tristan Ingold, Security GRC Program Manager at Meta. Tristan shares how consulting shaped his approach, why “policing” doesn’t work, and how GRC earns influence by acting as a partner to engineering -- not a blocker.

    He discusses the cultural friction between audit, security, and product teams, how to communicate in the language of engineering, and why the right role for GRC is a “sparring partner” that helps teams ship safer, faster. From reframing control objectives to focusing on evidence the business already produces, this conversation is a practical playbook for building credibility and velocity at the same time.


    5 Key Takeaways

    • Partnership Over Policing: GRC earns influence by modeling partnership behaviors and meeting teams where they are.
    • Translate Controls to Engineering: Use product language and existing telemetry; design evidence around the way the system actually works.
    • Make It Observable: Treat GRC like an observability layer -- surface risk signals the business already emits.
    • Tell the Story, Not the Score: Dashboards support the narrative; they aren’t the narrative. Lead with context and trade-offs.
    • Define the Right Role: The best GRC teams act as a sparring partner -- challenging, supportive, and focused on outcomes.

    What You’ll Learn

    • How to rebuild trust with engineering after “audit fatigue”
    • Practical ways to convert control requirements into product language
    • How to design evidence from logs, pipelines, and tickets you already have
    • When to push, when to partner, and how to escalate with credibility
    • Communicating risk trade-offs without killing roadmap velocity

    Connect With Our Guest:
    Tristan Ingold | Security GRC Program Manager | Meta


    This podcast is brought to you by ComplianceCow - the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.

    Watch more episodes

    Rate, review, and share if you enjoyed the show!


    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    • Spotify
    • Apple Podcasts

    57 mins
  • Rethinking Risk: Data-Driven Decisions for Modern CISOs ft Tony Martin-Vegue
    Oct 16 2025

    In this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, a seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions.

    He breaks down Monte Carlo simulations, risk modeling, and the six levers that influence risk—all through a practical, approachable lens. Tony also explores how generative AI is transforming risk quantification and what every CISO, analyst, and engineer can do today to make risk measurable, actionable, and business-aligned.


    Key Takeaways

    1. CRQ doesn’t require perfection—start with what you have and refine over time.
    2. The most effective risk programs focus on directionally correct data, not precision.
    3. Good risk scenarios clearly define asset, threat, and effect to avoid misalignment.
    4. Generative AI accelerates scenario development, data research, and model creation.
    5. CISOs should demand more from risk teams—move beyond “pick a color” heat maps.


    Topics Covered

    • Cyber risk quantification (CRQ)
    • Monte Carlo simulations and modeling
    • Risk scenario design and measurement
    • GRC and compliance integration
    • Generative AI in risk management
    • Moving from qualitative to quantitative risk
    • Improving risk hygiene and maturity
    • CISO leadership and risk culture

    What You’ll Learn

    • The difference between qualitative and quantitative risk methods
    • How to conduct your first risk quantification in Excel
    • Why Monte Carlo simulations are simpler than most think
    • How GRC, compliance, and security teams can collaborate effectively
    • The six levers that influence risk magnitude and frequency

    This podcast is brought to you by ComplianceCow:

    ComplianceCow helps enterprises automate GRC, shift compliance left, and continuously monitor controls across the business.

    Learn more at ComplianceCow.com


    Connect with our guest: Tony Martin-Vegue on LinkedIn

    • Co-Chair, FAIR Institute San Francisco Chapter
    • Former Risk Leader at Netflix and Gap Inc.
    • Author, From Heat Maps to Histograms (coming 2026)

    Subscribe to Security & GRC Decoded on your favorite platform:

    • Spotify
    • Apple Podcasts
    • Explore all episodes: ComplianceCow.com/podcast



    1 hr