Security & GRC Decoded

By: Raj Krishnamurthy

About this listen

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and compliant with regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!

© 2026 Security & GRC Decoded
Episodes
  • Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo
    Mar 24 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they are fundamentally communication disciplines. From using analogies to explain vulnerabilities, to reframing GRC as the “Draymond Green” of cybersecurity, Steven shows how the best security leaders translate complexity into clarity, help the business make better decisions, and meet people where they are instead of overwhelming them with jargon.

    Key Takeaways:

    • Security and GRC succeed when they communicate clearly to humans, not when they simply present more technical detail.
    • The best GRC teams act as guides that help the business make reasonable, compliant, cyber-conscious decisions.
    • Metrics only matter when they drive a clear outcome or decision, not when they exist for their own sake.
    • Strong GRC teams build trust by doing the hard, cross-functional work that others often avoid.
    • Storytelling is a core security skill because people act on messages they understand, remember, and relate to.

    What You’ll Learn:

    • Why Steven believes security is ultimately a human communication problem.
    • How to tailor security messaging for engineering leaders, CISOs, and business stakeholders.
    • What “guardrails not gates” looks like in a practical GRC program.
    • How to think about data, metrics, and reporting without overwhelming your audience.
    • Why AI may change the consumption layer of GRC, but not eliminate the human need for storytelling.


    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Steven Asifo | Director of Security & GRC | Yahoo
    Connect on LinkedIn: https://www.linkedin.com/in/asifosays/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450


    1 hr
  • The 3 Year GRC Reckoning: Customer Trust, Real-Time Assurance, and the Future of Risk ft Bryan Culp, Senior Director of Customer Trust @ Box
    Mar 10 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Bryan Culp, Senior Director of Customer Trust at Box, to explore how governance, risk, and compliance is evolving beyond certifications and into real-time trust.

    Bryan shares why the next two to three years will fundamentally change how GRC operates — driven by automation, AI, large financial institutions demanding real-time internal metrics, and growing pressure to translate security posture into business language.

    From managing both customer trust and third-party risk at Box, Bryan offers a rare dual perspective: how companies present assurance to customers while simultaneously evaluating vendors themselves. This conversation challenges the idea that certifications alone create security and makes the case for risk being the true language of leadership.


    Key Takeaways:

    • Customer Trust is not traditional GRC — it translates security and compliance work into business confidence for customers.
    • Certifications enable market access, but they do not eliminate breach risk.
    • Risk must be communicated in executive language to influence real business decisions.
    • Large financial institutions are beginning to demand real-time internal security metrics instead of snapshot audits.
    • AI is transforming GRC workflows — not to cut people, but to enable deeper, higher-value analysis.

    What You’ll Learn:

    • Why Bryan believes GRC will look materially different in the next 2–3 years.
    • How Customer Trust functions differently from compliance and audit teams.
    • Why certifications alone cannot prevent major security incidents.
    • What “real-time assurance” could look like for large SaaS companies.
    • How to think about AI and automation as long-term growth enablers in GRC.

    Connect With Our Guest:
    Bryan Culp | Senior Director of Customer Trust | Box
    Connect on LinkedIn: https://www.linkedin.com/in/bryanculp/

    1 hr and 6 mins
  • When GRC Stops Watching and Starts Working ft Ryan Schoeller, Director of Security & GRC @ Treasure Data
    Feb 24 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Ryan Schoeller, Director of Security & GRC at Treasure Data, to challenge one of the most deeply rooted assumptions in the industry: that GRC should stay passive and “independent.” Drawing from his experience across startups, mid-market tech companies, and large enterprises, Ryan argues that the most effective GRC teams are the ones that actively participate in control monitoring, risk management, and operational decision-making. This conversation goes beyond audits and checklists, exploring how GRC can truly drive business value by protecting revenue, enabling growth, and embedding risk thinking into everyday operations.

    Key Takeaways:

    • GRC delivers the most value when it actively participates in monitoring controls, not just validating them after the fact.
    • Risk is the most critical — and most neglected — pillar of GRC, often confused with gaps or vulnerabilities.
    • Strong relationships with engineering and business teams are essential for GRC to gain meaningful access to data.
    • GRC engineering is not just about writing code; it’s about applying an engineering mindset to workflows, tooling, and processes.
    • Automation alone is not a business case — value comes from how freed-up time is reinvested.

    What You’ll Learn:

    • Why the “three lines of defense” model often breaks down in real organizations
    • How GRC teams can reduce compliance theater by becoming more operational
    • The difference between a vulnerability, a gap, and an actual risk
    • How to build a business case for GRC automation that leadership will support
    • Why front-ending GRC work (sales assurance, customer trust) often matters more than backend audit prep

    Connect With Our Guest:
    Ryan Schoeller | Director of Security & GRC | Treasure Data
    Connect on LinkedIn: https://www.linkedin.com/in/ryanschoeller/

    57 mins