Security & GRC Decoded

In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Val Dobrushkin, Director of GRC at Tricentis, to challenge one of the most overlooked failures in modern security programs: third-party risk management. Drawing from his experience building GRC programs at ForgeRock, NoName Security, and beyond, Val explains why most organizations are still stuck in compliance theater and how GRC teams can evolve into t...

In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Dylan O’Dell, AVP Information Risk Officer at Manulife, to challenge one of the biggest assumptions in the industry: that GRC is working as intended. Dylan argues that most organizations are stuck in control-centric thinking and missing the true purpose of risk management — translating data into business decisions.

Drawing from his background in Lean Six...

In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they ar...

In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Bryan Culp, Senior Director of Customer Trust at Box, to explore how governance, risk, and compliance is evolving beyond certifications and into real-time trust.

Bryan shares why the next two to three years will fundamentally change how GRC operates — driven by automation, AI, large financial institutions demanding real-time internal metrics, and growing...

In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Ryan Schoeller, Director of Security & GRC at Treasure Data, to challenge one of the most deeply rooted assumptions in the industry: that GRC should stay passive and “independent.” Drawing from his experience across startups, mid-market tech companies, and large enterprises, Ryan argues that the most effective GRC teams are the ones that actively pa...

What if GRC shouldn’t sit inside Security at all—and what if the bigger problem isn’t automation, but what you do after you automate? In this episode, Raj Krishnamurthy sits down with Charles Nwatu (former Security GRC Engineering & Assurance leader at Netflix) for a candid, systems-level conversation about why “annual audit rituals” fail modern engineering, how GRC can produce high-fidelity signals that strengthen security dec...

GRC has long been seen as abstract, manual, and disconnected from how modern engineering teams actually work, but that narrative is breaking down. In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Akhila Chitiprolu, Head of Security & GRC at Sierra, to explore why GRC must be treated as an engineering discipline, not a compliance afterthought. Drawing from her experience across T-Mobile, Expedia, S...

In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Vivek Madan to unpack what it really means to run a modern GRC program inside a global cybersecurity company. Drawing from his journey across networking, security engineering, risk, and compliance, Vivek shares how GRC can function as a true business enabler—opening markets, accelerating revenue, and strengthening trust. This conversation stands out for...

Audits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audit...

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from re...

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Sergio Alonso, a seasoned GRC and information security leader at Rapid7, whose 17–year career spans auditing, high-regulation banking, blockchain innovation at Akamai, privacy GRC at Twitter, and now trust and governance in cybersecurity. Sergio breaks down how to translate legacy compliance thinking into modern engineering-aligned practices, why a...

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mukund Sarma, Deputy CISO and Head of Product Security at Chime, to explore what happens when governance, risk, and compliance teams work with engineering instead of against it. Mukund shares real-world lessons from a decade in security, explaining how to balance shift-left initiatives, build paved paths that reduce friction, and make compliance a ...

How do you build real trust between GRC and engineering? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Tristan Ingold, Security GRC Program Manager at Meta. Tristan shares how consulting shaped his approach, why “policing” doesn’t work, and how GRC earns influence by acting as a partner to engineering -- not a blocker.

He discusses the cultural friction between audit, security, and product teams, how...

In this episode, Raj Krishnamurthy speaks with Tony Martin-Vegue, seasoned risk practitioner, speaker, and co-chair of the FAIR Institute San Francisco chapter. Tony shares decades of lessons learned from leading cyber risk management at Netflix, Gap, and other major enterprises—showing how to move from qualitative heat maps to quantitative insights that drive smarter business decisions.

He breaks down Monte Carlo simulations, risk ...

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Kenneth Moras, Head of Security GRC at Plaid. Kenneth shares his journey from web developer and pen tester to building GRC and assurance teams at scale across leading companies like Adobe, Meta, and now Plaid.

The conversation explores how GRC must balance governance, risk, and compliance as distinct but interdependent functions — and why great prog...

How does a software engineer become a GRC leader? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Varun Gurnaney, Staff Security Engineer at Apple. Varun shares his journey from writing janky Python scripts for compliance evidence collection to shaping the discipline of GRC engineering at some of the world’s biggest companies.

He discusses the cultural and technical gaps between security, engineering, ...

How does a network engineer become a GRC leader? Ramya Subramanian’s journey spans nearly two decades across IT, security, and governance. Now serving as Director of GRC & Privacy Operations at Freshworks, she joins Raj to unpack the evolving role of GRC: from quantifying risk and managing compliance debt to building automation that doesn’t slow engineering down.

Ramya also shares how storytelling, PR-style evangelism, and simpl...

What’s the true relationship between compliance and security? According to Evan Millman, compliance may not be security—but it’s the necessary starting point for building it.

In this episode, Raj sits down with Evan to explore how organizations can shift their GRC approach from reactive checkbox checking to a proactive and risk-informed security practice. Evan shares stories from his work at Abnormal.AI, lessons from scaling GRC in ...

What trade-offs are you willing to make in cybersecurity?
 In this episode of Security & GRC Decoded, host Raj Krishnamurthy is joined by Trupti Shiralkar, a seasoned cybersecurity leader and Advisory Board Member at Backslash Security, to explore how risk, ROI, and real-world constraints shape modern security programs. With decades of experience across AppSec, security architecture, and risk governance, Trupti brings a rar...