
 GRC Engineer
Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer
 Sep 6, 2025 
 In this engaging discussion, Varun Gurnaney, a Staff Security Engineer with a rich background at Apple, Robinhood, and Zendesk, dives into the dynamic world of Governance, Risk, and Compliance (GRC). He emphasizes the necessity of automation and the collaboration between engineering and compliance teams. Varun shares insights on the evolving auditing landscape, advocating for continuous assessments over traditional methods. He highlights the transformative potential of AI in compliance, promoting a real-time approach to risk management and enhancing GRC effectiveness. 
 AI Snips 
From Spreadsheet Audits To Automation
- Varun started at EY reviewing ISO 27001 vendor assessments and found checkbox audits boring and unscalable.
- Later, at Zendesk, he automated evidence collection with scripts and turned that work into a full-time role.
The First Continuous Monitoring Prototype
- At Zendesk, Varun wrote Python scripts to collect and validate evidence and ran them daily, a precursor to continuous monitoring.
- After seeing the time savings and the value of the automation, the director hired him full-time.
Compliance Culture Is Constant, Tech Complexity Isn’t
- Compliance thinking stays similar across company sizes, but technical ability and infrastructure complexity vary drastically.
- Who owns patching, when patches are applied, and the reasons patching hasn't been done all change as organizations scale.
