Security & GRC Decoded

By: Raj Krishnamurthy
About this content

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC).

Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy.

It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure and adhere to regulatory mandates.

Security & GRC Decoded brings you:
+ Actionable strategies.
+ Expert insights.
+ Real-world stories to elevate your Security GRC programs.

Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches.

Subscribe now to unlock the tools and knowledge you need to succeed.

© 2025 Security & GRC Decoded
Economics
Episodes
  • What Does ‘Technical’ Even Mean in GRC? ft Alan Luk @ Grammarly
    2025/06/12

    Is it time to stop pretending GRC is technical? Alan Luk makes the case for a new kind of compliance leader—and it might surprise you.

    In this sharp and unfiltered episode of Security & GRC Decoded, Alan Luk, Director of GRC at Grammarly (and former Microsoft and PwC leader), joins Raj to dismantle common myths about GRC—and why even your engineers might be thinking about it all wrong.

    Drawing from over 20 years of experience, Alan makes the case for why GRC should be seen as a program management function, not a technical one—and how that shift unlocks better controls, less friction with engineering, and less painful audits. From audit war stories to his vision for continuous assurance, Alan brings blunt honesty, practical insight, and some well-earned hot takes to the mic.

    🔑 Key Takeaways:

    ✅ Why most companies—and even GRC pros—misunderstand what GRC is actually for
    ✅ How PM skills (not coding) unlock stronger GRC outcomes and happier engineers
    ✅ What good compliance teams do before audit season to avoid chaos
    ✅ Why control owners—not GRC—should own the metrics (and what to do if they don’t)
    ✅ A bold vision for the future: GRC as an observability layer, not an evidence factory

    🎯 Take Action:

    → Rethink what GRC really means inside your org: is it a service, a blocker, or a translator?
    → Audit your compliance program’s audit readiness—do you have metrics or just screenshots?
    → Share this episode with your PMs, engineers, or auditors who still think GRC is just check-the-box

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.
    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.
    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Alan Luk:
    💼 LinkedIn: https://www.linkedin.com/in/alan-luk-4027b29/
    🌐 Company: https://www.grammarly.com

    1 hr 10 min
  • No More Compliance Theater: Meet Real Security Compliance with Adam Brennick
    2025/05/29

    Is it time to rethink SOC 2? (Spoiler: Adam thinks so—and he’s got the receipts.)
    In this insightful episode of Security & GRC Decoded, Adam Brennick, Director of Security Risk & Compliance at Cockroach Labs, joins Raj to challenge the status quo of SOC 2, compliance culture, and how GRC teams should operate in a modern, engineering-driven world.

    With a unique perspective from leading both security and GRC functions, Adam shares why today’s compliance efforts often miss the mark—and how we can fix that. From his hot takes on “a la carte” SOC 2 to building automation-first programs that actually reduce risk, Adam brings clarity, conviction, and practical wisdom to the mic.

    Key Takeaways:

    ✅ Why SOC 2 should be customizable—and how that shift would improve both trust and transparency
    ✅ How GRC, security, and trust functions intersect (and where they often break down)
    ✅ The role of “vibe coding” and AI in enabling GRC engineering
    ✅ Real-world strategies for building a balanced, high-impact GRC team
    ✅ How to make a bulletproof business case for compliance automation using data (not just complaints)

    Take Action:

    → Reflect on your own compliance program: Is it outcome-driven or check-the-box?
    → Re-evaluate how your GRC, security, and engineering teams collaborate
    → Share this episode with teammates who care about making compliance actually matter

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.

    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Adam Brennick:
    💼 LinkedIn: https://www.linkedin.com/in/adam-brennick-959352158/
    🌐 Company: https://www.cockroachlabs.com/

    1 hr 20 min
  • Can Compliance Be Cool? Harness's Andrew Spangler Thinks So
    2025/05/15

    In this episode of Security and GRC Decoded, Raj Krishnamurthy sits down with Andrew Spangler, Director of Security and GRC at Harness, to explore how compliance engineering can go far beyond checkboxes—and actually drive innovation.

    Andrew shares his journey from building the compliance engineering function at Datadog to scaling automation and visibility across the SDLC at Harness. He dives into how using internal platforms for security workflows (aka “drinking your own champagne”) can unlock time savings and risk reduction, especially in areas like vulnerability management and secure software delivery.


    Key Takeaways:

    ✅ How compliance automation builds credibility and supports innovation.

    ✅ Lessons from building compliance engineering at Datadog.

    ✅ Harnessing the power of SBOMs and supply chain security.

    ✅ Practical uses of generative AI and ChatGPT for GRC workflows.

    ✅ The future of democratized threat modeling.

    ✅ Advice for new grads entering security and GRC.

    ✅ Podcast recommendations that go beyond the security bubble.

    Whether you're leading a GRC team or just getting started in the field, this conversation will expand how you think about security, compliance, and the role of curiosity in technical leadership.

    Listen now to learn how modern GRC teams are shaping the future of secure software delivery.


    🎙️ Security & GRC Decoded is brought to you by ComplianceCow.

    Learn More About How ComplianceCow Can Help Your GRC Team Today!
    Click Here 👉https://www.compliancecow.com/

    🚀 Enjoying The Show?! 🚀

    Make sure to rate and review the show to let us know you're enjoying the content!

    Subscribe now for expert insights from industry leaders shaping the future of security & compliance.


    Learn More / Connect with Andrew Spangler

    If you enjoyed this conversation and want to learn more about Andrew Spangler, connect with him directly:

    💼 LinkedIn: https://www.linkedin.com/in/atspangler/
    🌐 Company: https://www.harness.io/

    55 min
