Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer

Sep 6, 2025

In this engaging discussion, Varun Gurnaney, a Staff Security Engineer with a rich background at Apple, Robinhood, and Zendesk, dives into the dynamic world of Governance, Risk, and Compliance (GRC). He emphasizes the necessity of automation and the collaboration between engineering and compliance teams. Varun shares insights on the evolving auditing landscape, advocating for continuous assessments over traditional methods. He highlights the transformative potential of AI in compliance, promoting a real-time approach to risk management and enhancing GRC effectiveness.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

From Spreadsheet Audits To Automation

Varun started in EY reviewing ISO27001 vendor assessments and found checkbox audits boring and unscalable.
He automated evidence collection with scripts later at Zendesk and turned that into a full-time role.

ANECDOTE

The First Continuous Monitoring Prototype

At Zendesk Varun wrote Python scripts to collect and validate evidence and ran them daily as a precursor to continuous monitoring.
The director hired him full-time after seeing the time savings and automation value.

INSIGHT

Compliance Culture Is Constant, Tech Complexity Isn’t

Compliance thinking stays similar across company sizes, but technical ability and infrastructure complexity vary drastically.
Who owns patching, when to patch, and why it hasn't been done all change as organizations scale.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Check out grcengineer.com to learn more!SummaryIn this engaging conversation, Ayoub Fandi and Varun Gurnaney explore the evolving landscape of Governance, Risk, and Compliance (GRC) engineering. Varun shares his unique journey from cybersecurity to GRC, emphasizing the importance of automation and collaboration between engineering and compliance teams. They discuss the challenges faced in GRC, the philosophical aspects of risk management, and the future of compliance in a rapidly changing technological environment. The dialogue highlights the need for a more integrated approach to security and compliance, advocating for a shift towards real-time assessments and a deeper understanding of the technical landscape.Sound Bites"Screenshots are cool again.""Compliance should be free.""Don't get hacked is what I care about."TakeawaysVarun's journey into GRC began with a cybersecurity role at EY.The importance of automation in GRC processes is crucial for efficiency.Cultural differences in compliance approaches between small and large companies.GRC engineering is often misunderstood and underappreciated in larger organizations.The need for collaboration between GRC and engineering teams is essential for success.Risk management should be tied to real business impacts rather than just compliance checkboxes.The future of compliance may involve more automated and real-time assessments.Tools used in security can significantly enhance GRC efforts.Understanding the technical landscape is vital for effective GRC practices.The conversation highlights the philosophical aspects of compliance and risk management.Chapters00:00 Introduction and Guest Background02:42 Varun's Journey into GRC Engineering06:32 Comparing GRC in Different Company Sizes11:56 The Role of Automation in GRC17:34 Challenges in GRC Engineering23:26 The Future of Compliance and Risk Management29:03 The Importance of Collaboration in Security34:47 The Philosophy of Risk and Compliance40:33 The Role of Tools in GRC46:21 Final Thoughts on GRC and Future Directions