Episodes

  • What Does ‘Technical’ Even Mean in GRC? ft Alan Luk @ Grammarly
    2025/06/12

    Is it time to stop pretending GRC is technical? Alan Luk makes the case for a new kind of compliance leader—and it might surprise you.

    In this sharp and unfiltered episode of Security & GRC Decoded, Alan Luk, Director of GRC at Grammarly (and former Microsoft and PwC leader), joins Raj to dismantle common myths about GRC—and why even your engineers might be thinking about it all wrong.

    Drawing from over 20 years of experience, Alan makes the case for why GRC should be seen as a program management function, not a technical one—and how that shift unlocks better controls, less friction with engineering, and less painful audits. From audit war stories to his vision for continuous assurance, Alan brings blunt honesty, practical insight, and some well-earned hot takes to the mic.

    🔑 Key Takeaways:

    ✅ Why most companies—and even GRC pros—misunderstand what GRC is actually for
    ✅ How PM skills (not coding) unlock stronger GRC outcomes and happier engineers
    ✅ What good compliance teams do before audit season to avoid chaos
    ✅ Why control owners—not GRC—should own the metrics (and what to do if they don’t)
    ✅ A bold vision for the future: GRC as an observability layer, not an evidence factory

    🎯 Take Action:

    → Rethink what GRC really means inside your org: is it a service, a blocker, or a translator?
    → Audit your compliance program’s audit readiness—do you have metrics or just screenshots?
    → Share this episode with your PMs, engineers, or auditors who still think GRC is just check-the-box

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.
    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.
    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Alan Luk:
    💼 LinkedIn: https://www.linkedin.com/in/alan-luk-4027b29/
    🌐 Company: https://www.grammarly.com

    1 hr 10 min
  • No More Compliance Theater: Meet Real Security Compliance with Adam Brennick
    2025/05/29

    Is it time to rethink SOC 2? (Spoiler: Adam thinks so—and he’s got the receipts.)
    In this insightful episode of Security & GRC Decoded, Adam Brennick, Director of Security Risk & Compliance at Cockroach Labs, joins Raj to challenge the status quo of SOC 2, compliance culture, and how GRC teams should operate in a modern, engineering-driven world.

    With a unique perspective from leading both security and GRC functions, Adam shares why today’s compliance efforts often miss the mark—and how we can fix that. From his hot takes on “a la carte” SOC 2 to building automation-first programs that actually reduce risk, Adam brings clarity, conviction, and practical wisdom to the mic.

    Key Takeaways:

    ✅ Why SOC 2 should be customizable—and how that shift would improve both trust and transparency
    ✅ How GRC, security, and trust functions intersect (and where they often break down)
    ✅ The role of “vibe coding” and AI in enabling GRC engineering
    ✅ Real-world strategies for building a balanced, high-impact GRC team
    ✅ How to make a bulletproof business case for compliance automation using data (not just complaints)

    Take Action:

    → Reflect on your own compliance program: Is it outcome-driven or check-the-box?
    → Re-evaluate how your GRC, security, and engineering teams collaborate
    → Share this episode with teammates who care about making compliance actually matter

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.

    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Adam Brennick:
    💼 LinkedIn: https://www.linkedin.com/in/adam-brennick-959352158/
    🌐 Company: https://www.cockroachlabs.com/

    1 hr 20 min
  • Can Compliance Be Cool? Harness's Andrew Spangler Thinks So
    2025/05/15

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Andrew Spangler, Director of Security and GRC at Harness, to explore how compliance engineering can go far beyond checkboxes and actually drive innovation.

    Andrew shares his journey from building the compliance engineering function at Datadog to scaling automation and visibility across the SDLC at Harness. He dives into how using internal platforms for security workflows (aka “drinking your own champagne”) can unlock time savings and risk reduction, especially in areas like vulnerability management and secure software delivery.


    Key Takeaways:

    ✅ How compliance automation builds credibility and supports innovation.

    ✅ Lessons from building compliance engineering at Datadog.

    ✅ Harnessing the power of SBOMs and supply chain security.

    ✅ Practical uses of generative AI and ChatGPT for GRC workflows.

    ✅ The future of democratized threat modeling.

    ✅ Advice for new grads entering security and GRC.

    ✅ Podcast recommendations that go beyond the security bubble.

    Whether you're leading a GRC team or just getting started in the field, this conversation will expand how you think about security, compliance, and the role of curiosity in technical leadership.

    Listen now to learn how modern GRC teams are shaping the future of secure software delivery.


    🎙️ Security & GRC Decoded is brought to you by ComplianceCow.

    Learn More About How ComplianceCow Can Help Your GRC Team Today!
    Click Here 👉https://www.compliancecow.com/

    🚀 Enjoying The Show?! 🚀

    Make sure to rate and review the show to let us know you're enjoying the content!

    Subscribe now for expert insights from industry leaders shaping the future of security & compliance.


    Learn More / Connect with Andrew Spangler

    If you enjoyed this conversation and want to learn more about Andrew Spangler, connect with him directly:

    💼 LinkedIn: https://www.linkedin.com/in/atspangler/
    🌐 Company: https://www.harness.io/

    55 min
  • From Compliance to SBOMs: Josh Bressers’ Take on Security
    2025/05/01

    In this episode, Raj Krishnamurthy sits down with Josh Bressers, VP of Security at Anchore and longtime leader in the open source security space. With decades of experience, Josh brings a candid and compelling perspective on everything from the chaos of early cybersecurity days to the nuanced challenges of SBOMs and compliance in today’s world.

    Josh reflects on how he entered the security world before there were formal certifications or programs, how community and curiosity fuel innovation in open source, and why the relationships you build are often the most valuable asset in your career. He also dives into exciting new work with the SBOM Everywhere Working Group and shares how GenAI is helping categorize the sprawling ecosystem of SBOM tools.

    Key Takeaways:
    ✅ How the chaos of the early cybersecurity days, before formal certifications or programs existed, shaped Josh's path into security.

    ✅ Why community and curiosity are what fuel innovation in open source security.

    ✅ Why the relationships you build are often the most valuable asset in a security career.

    ✅ The nuanced challenges of SBOMs and compliance in today's world.

    ✅ What the SBOM Everywhere Working Group is working on.

    ✅ How GenAI is helping categorize the sprawling ecosystem of SBOM tools.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow.

    Learn More About How ComplianceCow Can Help Your GRC Team Today!

    🚀 Enjoying The Show?! 🚀

    Make sure to rate and review the show to let us know you're enjoying the content!

    Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

    Learn More / Connect with Josh Bressers:
    If you enjoyed this conversation and want to dive deeper into Josh Bressers’s insights on GRC, cybersecurity, and building effective security programs, connect with him directly:

    💼 LinkedIn: https://www.linkedin.com/in/joshbressers/
    🌐 Company: https://anchore.com/

    1 hr 6 min
  • From Cruise to Whatnot: Kieran Pierman’s GRC Playbook
    2025/04/17

    In this episode, Raj Krishnamurthy sits down with Kieran Pierman, who leads GRC & Security at Whatnot and previously led security, risk and compliance at Cruise and Dropbox, to explore fresh perspectives on Security & GRC.

    Kieran opens with a bold stance: data breaches, while critical, aren't the top threat they used to be. Instead, he argues, maintaining availability and service uptime is now paramount. Drawing from his unique experience building the foundational GRC program at Cruise, a pioneering self-driving car company, Kieran reveals how managing cybersecurity risks took on profound urgency—literally life-and-death implications—when securing autonomous vehicles.

    Throughout the conversation, Kieran shares actionable insights on:

    ✅ Why availability and uptime are today's most critical security priorities.

    ✅ How building GRC at Cruise required an uncompromising security posture due to the potential consequences of vehicle security breaches.

    ✅ Why GRC should be seen as an engineering discipline rather than a checkbox function.

    ✅ Practical strategies to shift GRC from a cost center to a profit-driving role.

    ✅ The importance of automation, technical fluency, and proactive risk management.

    ✅ Balancing preventative and detective controls to optimize both security and business agility.

    ✅ Tips on working effectively with auditors to enhance, rather than hinder, security maturity.

    Tune in to learn how adopting a proactive, engineering-minded approach can elevate your GRC program from compliance-driven to business-critical.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow.

    Learn how ComplianceCow can enhance your GRC efforts today!

    🚀 Enjoying the Show?! 🚀

    Don't forget to rate, review, and subscribe to ensure you don't miss out on expert insights from industry leaders shaping the future of security and compliance.

    Learn More / Connect with Kieran Pierman

    💼 LinkedIn: Kieran Pierman
    🌐 Company: Whatnot

    1 hr 3 min
  • Is Your GRC Team Technical Enough? (Probably Not...) ft. Jeevan Singh @ Rippling
    2025/04/03

    Ever wondered if your GRC team should be writing code? (Spoiler alert: Jeevan thinks they probably should.) In this eye-opening episode of Security & GRC Decoded, Jeevan Singh, Director of Security Engineering at Rippling, joins Raj to challenge traditional views of Governance, Risk, and Compliance (GRC).

    Jeevan passionately argues why GRC teams must become more technical, automated, and deeply integrated into engineering processes to truly protect and enable businesses. Drawing from his experience at Segment and Rippling, he provides actionable insights and real-world examples to transform compliance from a bureaucratic burden into a proactive, engineering-driven function.

    Key Takeaways:

    ✅ Why having technical GRC teams leads to dramatically stronger security outcomes

    ✅ How automating compliance tasks can eliminate toil and boost productivity

    ✅ Practical steps to shift your compliance culture from reactive to proactive

    ✅ The real difference between CVSS and CWSS vulnerability scoring systems

    ✅ Strategies for fostering productive friction between GRC and engineering teams

    Take Action:

    • Assess your own GRC team’s technical depth: Could automation improve your compliance posture?

    • Discuss these insights with your security and engineering leaders

    • Share this episode with your team and spark important conversations around GRC innovation

    👉 Follow Security & GRC Decoded to stay ahead on the latest insights and trends in security, compliance, and risk management.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Learn how ComplianceCow can elevate your GRC team today!

    🚀 Enjoying The Show? Rate and review the podcast to support the show and let us know you're enjoying the content!

    💬 Connect with Jeevan Singh:

    💼 LinkedIn: https://www.linkedin.com/in/jeevansecurity/
    🌐 Company: https://www.rippling.com/

    1 hr 10 min
  • Why GRC Teams Are Failing — And How to Fix It with Shobhit Mehta
    2025/03/20

    In this episode, Raj Krishnamurthy interviews Shobhit Mehta, Director of Security and Compliance at Headspace, to uncover valuable insights into the evolving world of Governance, Risk, and Compliance (GRC). Shobhit shares his controversial perspective on GRC teams overburdening themselves, emphasizing the need for GRC professionals to expand their technical expertise and embrace a product management mindset.

    The conversation dives into proactive strategies for GRC success, the importance of integrating privacy into compliance frameworks, and actionable tips for achieving HITRUST certification on a budget. Shobhit also reflects on how his endurance sports journey has shaped his approach to discipline and resilience in both his personal and professional life.

    Tune in to learn how automation, innovation, and strategic thinking can transform your GRC efforts.

    Key Takeaways:

    ✅ GRC teams often overburden themselves with audits.

    ✅ Embracing a product manager mindset helps GRC teams drive security initiatives.

    ✅ Technical knowledge empowers GRC professionals to enhance security programs.

    ✅ Changing perceptions of GRC within organizations is crucial for success.

    ✅ Proactive strategies can elevate GRC’s role and reputation.

    ✅ Integrating privacy into GRC frameworks strengthens compliance efforts.

    ✅ HITRUST certification is achievable on a budget.

    ✅ Automation can significantly improve GRC efficiency and reduce redundancy.

    ✅ Overlapping audit timelines minimizes disruption and streamlines processes.

    ✅ Discipline from endurance sports fosters focus, resilience, and growth.

    Listen now to gain actionable insights and elevate your GRC strategy.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow.

    Learn More About How ComplianceCow Can Help Your GRC Team Today!

    🚀 Enjoying The Show?! 🚀

    Make sure to rate and review the show to let us know you're enjoying the content!

    Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

    Learn More / Connect with Shobhit Mehta

    If you enjoyed this conversation and want to dive deeper into Shobhit Mehta’s insights on GRC, cybersecurity, and building effective security programs, connect with him directly:

    💼 LinkedIn: https://www.linkedin.com/in/shobhitmehta/
    🌐 Company: https://www.headspace.com/

    56 min
  • Engineering Better Relationships: Why We Should Shift GRC Left w/ Ayoub Fandi @ GitLab
    2025/03/06

    In this episode of Security & GRC Decoded, host Raj Krishnamurthy (CEO of ComplianceCow) sits down with Ayoub Fandi, a Staff Security Assurance Engineer at GitLab and co-author of the GRC Engineering Manifesto, for a deep dive into the evolution of GRC through an engineering lens. Ayoub shares how his background in consulting and cloud-native startups led him to question the traditional, checklist-heavy approach to GRC—and why embracing real-time data, automation, and developer-friendly processes is the key to building stronger security and compliance programs.

    He also reveals his controversial perspective on external certifications—explaining why they can sometimes feel overrated—and makes the case for continuous, risk-based assurance that truly reflects an organization’s security posture. If you’ve ever felt the “cognitive dissonance” of outdated compliance controls in a modern engineering world, this conversation is a must-listen.

    Key Takeaways
    Bridging the Gap with Engineering: How GRC teams can embed themselves into developers’ workflows (e.g., JIRA, pull requests) to gain more accurate data and achieve real-time compliance insights.
    Continuous vs. Annual Audits: The advantages of leveraging APIs and automation to monitor control effectiveness in near real-time, instead of relying on point-in-time evidence.
    Rethinking External Certifications: Why these certifications can be a misleading representation of true security and how GRC professionals can ensure audits deliver real value.
    Building a Modern GRC Program: Practical tips on designing policies and controls that align with fast-paced, cloud-native environments—minus the “waterfall mentality.”

    Tune in to hear why GRC must evolve alongside today’s DevOps-driven world, and how you can unlock greater efficiency, credibility, and trust by adopting an engineering-first approach to governance, risk, and compliance.

    🎙️ Security & GRC Decoded is brought to you by ComplianceCow.

    Make sure to rate and review the show to let us know you're enjoying the content!

    Subscribe now for expert insights from industry leaders shaping the future of security & compliance.

    Learn More About How ComplianceCow Can Help Your GRC Team Today!

    🎙️ Follow Ayoub Fandi:
    Stay connected with Ayoub’s insights and experiences by following him on LinkedIn:
    https://www.linkedin.com/in/ayoubfandi/

    53 min