Episodes

  • Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo

    Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo
    Mar 24 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they are fundamentally communication disciplines. From using analogies to explain vulnerabilities, to reframing GRC as the “Draymond Green” of cybersecurity, Steven shows how the best security leaders translate complexity into clarity, help the business make better decisions, and meet people where they are instead of overwhelming them with jargon.

    Key Takeaways:

    • Security and GRC succeed when they communicate clearly to humans, not when they simply present more technical detail.
    • The best GRC teams act as guides that help the business make reasonable, compliant, cyber-conscious decisions.
    • Metrics only matter when they drive a clear outcome or decision, not when they exist for their own sake.
    • Strong GRC teams build trust by doing the hard, cross-functional work that others often avoid.
    • Storytelling is a core security skill because people act on messages they understand, remember, and relate to.

    What You’ll Learn:

    • Why Steven believes security is ultimately a human communication problem.
    • How to tailor security messaging for engineering leaders, CISOs, and business stakeholders.
    • What “guardrails not gates” looks like in a practical GRC program.
    • How to think about data, metrics, and reporting without overwhelming your audience.
    • Why AI may change the consumption layer of GRC, but not eliminate the human need for storytelling.


    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Steven Asifo | Director of Security & GRC | Yahoo
    Connect on LinkedIn:     https://www.linkedin.com/in/asifosays/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify:     https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683


    Apple Podcasts:     https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    1 hr
  • The 3 Year GRC Reckoning: Customer Trust, Real-Time Assurance, and the Future of Risk ft Bryan Culp, Senior Director of Customer Trust @ Box

    The 3 Year GRC Reckoning: Customer Trust, Real-Time Assurance, and the Future of Risk ft Bryan Culp, Senior Director of Customer Trust @ Box
    Mar 10 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Bryan Culp, Senior Director of Customer Trust at Box, to explore how governance, risk, and compliance is evolving beyond certifications and into real-time trust.

    Bryan shares why the next two to three years will fundamentally change how GRC operates — driven by automation, AI, large financial institutions demanding real-time internal metrics, and growing pressure to translate security posture into business language.

    From managing both customer trust and third-party risk at Box, Bryan offers a rare dual perspective: how companies present assurance to customers while simultaneously evaluating vendors themselves. This conversation challenges the idea that certifications alone create security and makes the case for risk being the true language of leadership.


    Key Takeaways:

    • Customer Trust is not traditional GRC — it translates security and compliance work into business confidence for customers.
    • Certifications enable market access, but they do not eliminate breach risk.
    • Risk must be communicated in executive language to influence real business decisions.
    • Large financial institutions are beginning to demand real-time internal security metrics instead of snapshot audits.
    • AI is transforming GRC workflows — not to cut people, but to enable deeper, higher-value analysis.

    What You’ll Learn:

    • Why Bryan believes GRC will look materially different in the next 2–3 years.
    • How Customer Trust functions differently from compliance and audit teams.
    • Why certifications alone cannot prevent major security incidents.
    • What “real-time assurance” could look like for large SaaS companies.
    • How to think about AI and automation as long-term growth enablers in GRC.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Bryan Culp | Senior Director of Customer Trust | Box
    Connect on LinkedIn: https://www.linkedin.com/in/bryanculp/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    1 hr and 6 mins
  • When GRC Stops Watching and Starts Working ft Ryan Schoeller, Director of Security & GRC @ Treasure Data

    When GRC Stops Watching and Starts Working ft Ryan Schoeller, Director of Security & GRC @ Treasure Data
    Feb 24 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Ryan Schoeller, Director of Security & GRC at Treasure Data, to challenge one of the most deeply rooted assumptions in the industry: that GRC should stay passive and “independent.” Drawing from his experience across startups, mid-market tech companies, and large enterprises, Ryan argues that the most effective GRC teams are the ones that actively participate in control monitoring, risk management, and operational decision-making. This conversation goes beyond audits and checklists, exploring how GRC can truly drive business value by protecting revenue, enabling growth, and embedding risk thinking into everyday operations.

    Key Takeaways:

    • GRC delivers the most value when it actively participates in monitoring controls, not just validating them after the fact.
    • Risk is the most critical — and most neglected — pillar of GRC, often confused with gaps or vulnerabilities.
    • Strong relationships with engineering and business teams are essential for GRC to gain meaningful access to data.
    • GRC engineering is not just about writing code; it’s about applying an engineering mindset to workflows, tooling, and processes.
    • Automation alone is not a business case — value comes from how freed-up time is reinvested.

    What You’ll Learn:

    • Why the “three lines of defense” model often breaks down in real organizations
    • How GRC teams can reduce compliance theater by becoming more operational
    • The difference between a vulnerability, a gap, and an actual risk
    • How to build a business case for GRC automation that leadership will support
    • Why front-ending GRC work (sales assurance, customer trust) often matters more than backend audit prep

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Ryan Schoeller | Director of Security & GRC | Treasure Data
    Connect on LinkedIn: https://www.linkedin.com/in/ryanschoeller/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    57 mins
  • Does GRC Belongs Outside Security? The Case for an Independent Second Line ft Charles Nwatu - GRC Engineering Leader

    Does GRC Belongs Outside Security? The Case for an Independent Second Line ft Charles Nwatu - GRC Engineering Leader
    Feb 10 2026

    What if GRC shouldn’t sit inside Security at all—and what if the bigger problem isn’t automation, but what you do after you automate? In this episode, Raj Krishnamurthy sits down with Charles Nwatu (former Security GRC Engineering & Assurance leader at Netflix) for a candid, systems-level conversation about why “annual audit rituals” fail modern engineering, how GRC can produce high-fidelity signals that strengthen security decision-making, and why the next wave of GRC engineering is about analytics, specifications, and business impact—not just speeding up evidence collection.

    Key Takeaways:

    • GRC is a continuous discipline—point-in-time compliance can help, but it can’t be the end state.
    • Automation is necessary but not sufficient: the real value is in turning collected evidence into actionable insights.
    • Specifications enable measurement—without clear expected behaviors, security metrics become inconsistent and hard to compare.
    • GRC can feed security with high-fidelity signals (like identity/access review metadata) that improve posture beyond audit readiness.
    • Third-party risk doesn’t “finish”—the goal is visibility, data lineage awareness, and making the mess less messy.

    What You’ll Learn:

    • Where Charles believes GRC should sit org-wise—and why Security should be a “customer” of GRC
    • What “shift-left GRC” looks like in practice (beyond annual audits)
    • Why “efficiency savings” don’t automatically equal “security value”
    • How to think about metrics, specifications, and risk in a shared language
    • Why third-party risk management is “unsolvable,” and how to build guardrails anyway


    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.

    Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Charles Nwatu | GRC Engineering Leader
    Connect on LinkedIn: https://www.linkedin.com/in/cnwatu/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    1 hr and 1 min
  • GRC Is an Engineering Discipline. Not a Checklist. ft Akhila Chitiprolu, Head of Security & GRC @ Sierra

    GRC Is an Engineering Discipline. Not a Checklist. ft Akhila Chitiprolu, Head of Security & GRC @ Sierra
    Jan 27 2026

    GRC has long been seen as abstract, manual, and disconnected from how modern engineering teams actually work, but that narrative is breaking down. In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Akhila Chitiprolu, Head of Security & GRC at Sierra, to explore why GRC must be treated as an engineering discipline, not a compliance afterthought. Drawing from her experience across T-Mobile, Expedia, Stripe, and AI-native companies, Akhila explains how systems thinking, automation, and shared ownership can radically reduce compliance toil while increasing trust. This conversation goes deep into GRC engineering, audit realities, automation tradeoffs, and what the future of compliance looks like in an AI-driven world.

    Key Takeaways:

    • GRC works best when treated as a system with inputs, processes, outputs, and feedback loops
    • Automation should focus on intent and outcomes, not blindly speeding up broken manual processes
    • GRC professionals act as a middleware layer between engineers, auditors, and customers
    • Not all controls should be automated — but 70% can be, with humans in the loop where it matters
    • The future of GRC depends on engineering mindset, context, and trust, not checklists

    What You’ll Learn:

    • Why GRC is fundamentally a systems engineering problem
    • How to reduce engineering toil without weakening audit posture
    • When automation helps — and when it creates false efficiency
    • How GRC teams should approach AI, agents, and non-deterministic systems
    • Practical ways to build a GRC engineering function over time

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Akhila Chitiprolu | Head of Security & GRC | Sierra
    Connect on LinkedIn: https://www.linkedin.com/in/akhilachitiprolu/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    55 mins
  • GRC as a Growth Engine: From Checklists to Continuous Assurance ft Vivek Madan - Director of Security, Risk, and Compliance @ Fortinet

    GRC as a Growth Engine: From Checklists to Continuous Assurance ft Vivek Madan - Director of Security, Risk, and Compliance @ Fortinet
    Jan 13 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Vivek Madan to unpack what it really means to run a modern GRC program inside a global cybersecurity company. Drawing from his journey across networking, security engineering, risk, and compliance, Vivek shares how GRC can function as a true business enabler—opening markets, accelerating revenue, and strengthening trust. This conversation stands out for its practical frameworks, real-world stories, and honest discussion about friction between engineering, security, auditors, and compliance teams, giving listeners a grounded view of how GRC works when it’s done right.

    Key Takeaways:

    • GRC works best when it is positioned as a growth enabler that unlocks new markets, not just a compliance checkbox.
    • Strong governance establishes foundational rules that allow security and risk decisions to scale consistently across the business.
    • Storytelling is a critical GRC skill—people align with compliance when they understand the “why,” not just the requirement.
    • Common controls frameworks reduce complexity when designed intentionally across global, application-specific, and product-specific needs.
    • Automation matters, but process automation is just as important as technical automation to reduce compliance friction.

    What You’ll Learn:

    • How GRC enables business expansion into regulated and global markets
    • Why compliance resistance exists—and how to overcome it
    • A practical 50–35–15 model for common controls frameworks
    • How to balance continuous assurance with annual audits
    • What modern GRC leaders look for when hiring talent

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Vivek Madan | Director of Security, Risk, and Compliance | Fortinet
    Connect on LinkedIn: https://www.linkedin.com/in/vivek-madan-cissp-ccsp/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts:https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    55 mins
  • Audit ≠ Security: Building Auditable Controls in a High-Velocity World ft Varun Prasad, Cloud Security & Privacy Assurance @ BDO

    Audit ≠ Security: Building Auditable Controls in a High-Velocity World ft Varun Prasad, Cloud Security & Privacy Assurance @ BDO
    Dec 30 2025

    Audits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audits, Varun explains why “auditable controls” are the missing link between fast-moving engineering teams and slow, annual audit cycles — and how organizations can stop treating audits as an afterthought and start using them as a trust-building mechanism.

    Key Takeaways:

    • Audits are designed to provide reasonable assurance, not eliminate all risk
    • The biggest failure in modern GRC is building controls that are automated but not auditable
    • Continuous controls monitoring only works if auditors can validate completeness and accuracy
    • Screenshots persist because they remain the clearest way to demonstrate system state over time
    • Security controls should be built to improve posture first — and explained clearly second

    What You’ll Learn:

    • Why audit skepticism is a feature, not a flaw
    • How internal and external audits serve fundamentally different purposes
    • Where continuous monitoring breaks down from an auditor’s perspective
    • What “auditable controls” actually mean in CI/CD environments
    • How AI can assist auditors without replacing human judgment

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Varun Prasad | Cloud Security & Privacy Assurance | BDO
    Connect on LinkedIn: https://www.linkedin.com/in/varunprasad/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts:

    https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
    Show More Show Less
    59 mins
  • Scaling GRC Without the Chaos: How to Build Programs That Don’t Break ft Tom Scuderi, Senior Manager of Security & GRC @ LTK

    Scaling GRC Without the Chaos: How to Build Programs That Don’t Break ft Tom Scuderi, Senior Manager of Security & GRC @ LTK
    Dec 16 2025

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from reactive audits to continuous visibility. He breaks down why curated visibility beats blanket access, why SOC 2 should sharpen—not dilute—your security program, and how to anchor leadership decisions with meaningful risk data.

    Key Takeaways

    • GRC only scales when its processes mirror how engineering teams already work.
    • SOC 2 should enhance your security program rather than becoming a superficial checkbox exercise.
    • Curated visibility reduces friction and improves cross-functional trust.
    • Clarity in ownership is the backbone of a scalable GRC function.
    • Continuous, context-driven evidence cuts audit fatigue and sharpens the entire program.

    What You’ll Learn

    • How Tom built and matured GRC programs across four different companies.
    • Why engineering alignment is essential for sustainable compliance.
    • How curated visibility replaces access sprawl and accelerates audits.
    • The difference between risk-driven and compliance-driven GRC.
    • Why automation only works when underlying processes are mature.
    • How to structure ownership to reduce bottlenecks during SOC 2 and similar frameworks.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Tom Scuderi | Senior Manager of Security & GRC | LTK
    Connect on LinkedIn: https://www.linkedin.com/in/tom-scuderi/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify:

    https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683


    Apple Podcasts:

    https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450


    #SecurityAndGRCDecoded #RajKrishnamurthy #TomScuderi #LTK #GRC #ScalingGRC #SOC2 #EngineeringAlignment #RiskManagement #SecurityLeadership #Compliance #GovernanceRiskCompliance #SecurityGRCPodcast #ComplianceCow
    Show More Show Less
    56 mins