GRC Engineer

Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer

Sep 6, 2025
In this discussion, Varun Gurnaney, a Staff Security Engineer with prior roles at Apple, Robinhood, and Zendesk, walks through the world of Governance, Risk, and Compliance (GRC). He argues that compliance work has to be automated and that engineering and compliance teams must collaborate. Varun shares his view of the changing audit landscape, advocating continuous assessment over point-in-time audits, and discusses how AI can support compliance work, pushing toward real-time risk management and more effective GRC.
ANECDOTE

From Spreadsheet Audits To Automation

  • Varun started at EY reviewing ISO 27001 vendor assessments and found checkbox audits tedious and unscalable.
  • Later, at Zendesk, he automated evidence collection with scripts and turned that work into a full-time role.
ANECDOTE

The First Continuous Monitoring Prototype

  • At Zendesk, Varun wrote Python scripts to collect and validate evidence and ran them daily, a precursor to continuous control monitoring.
  • After seeing the time savings and the value of the automation, the director hired him full-time.
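An added example of what such a daily job can look like (illustrative code written for this page, not Varun's scripts or any Zendesk tooling). It evaluates two controls against constructed sample data, rejects evidence that is too old to describe the current state, and hashes the resulting record so an auditor can check it was not altered after collection. The control names, the 30-day patch window, and the one-day evidence freshness limit are assumptions; in practice the inventory would come from an MDM, cloud API, or identity-provider export.

```python
"""Minimal daily evidence-collection and validation job (added example).

Sample data and policy thresholds are constructed for illustration.
"""
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

# Constructed sample exports, as a daily collection run might produce them.
SAMPLE_HOSTS = [
    {"host": "web-01", "last_patched": "2025-08-20"},
    {"host": "web-02", "last_patched": "2025-06-01"},  # outside the patch window
    {"host": "db-01", "last_patched": "2025-09-01"},
]
SAMPLE_USERS = [
    {"user": "alice", "mfa_enabled": True},
    {"user": "bob", "mfa_enabled": False},  # violates the MFA control
]

PATCH_WINDOW_DAYS = 30      # assumed policy: every host patched within 30 days
MAX_EVIDENCE_AGE_DAYS = 1   # assumed policy: evidence older than a day is stale


def parse_ts(iso):
    """Parse an ISO 8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


def check_patching(hosts, today):
    """Return hosts whose last patch date falls outside the policy window."""
    cutoff = today - timedelta(days=PATCH_WINDOW_DAYS)
    return sorted(h["host"] for h in hosts
                  if date.fromisoformat(h["last_patched"]) < cutoff)


def check_mfa(users):
    """Return users who do not have MFA enabled."""
    return sorted(u["user"] for u in users if not u["mfa_enabled"])


def validate_evidence(collected_at_iso, now_iso):
    """Evidence is valid only if it was collected recently and not in the future."""
    age = parse_ts(now_iso) - parse_ts(collected_at_iso)
    return timedelta(0) <= age <= timedelta(days=MAX_EVIDENCE_AGE_DAYS)


def evaluate_controls(hosts, users, today):
    """Run every control check and report pass/fail plus the failing items."""
    patch_failures = check_patching(hosts, today)
    mfa_failures = check_mfa(users)
    return {
        "patch-window": {"passed": not patch_failures, "failures": patch_failures},
        "mfa-required": {"passed": not mfa_failures, "failures": mfa_failures},
    }


def _digest(body):
    """SHA-256 over a canonical JSON encoding of the record, excluding the hash field."""
    unsigned = {k: v for k, v in body.items() if k != "sha256"}
    canonical = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence_record(results, collected_at_iso, now_iso):
    """Package results with their collection time, a validity flag, and a content hash."""
    body = {
        "collected_at": collected_at_iso,
        "evidence_valid": validate_evidence(collected_at_iso, now_iso),
        "results": results,
    }
    body["sha256"] = _digest(body)
    return body


def verify_record(record):
    """Recompute the hash; False means the record changed after it was written."""
    return record.get("sha256") == _digest(record)


def run_daily(hosts=SAMPLE_HOSTS, users=SAMPLE_USERS, now_iso=None):
    """One scheduled run: collect (here, the samples), evaluate, and record."""
    now_iso = now_iso or datetime.now(timezone.utc).isoformat()
    today = parse_ts(now_iso).date()
    results = evaluate_controls(hosts, users, today)
    return build_evidence_record(results, now_iso, now_iso)


if __name__ == "__main__":
    print(json.dumps(run_daily(), indent=2))
```

Scheduling `run_daily` from cron and appending each record to write-once storage gives a dated, tamper-evident trail of control state, which is the raw material a continuous-assessment audit consumes instead of a screenshot gathered once a year.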
INSIGHT

Compliance Culture Is Constant, Tech Complexity Isn’t

  • Compliance thinking stays similar across company sizes, but technical ability and infrastructure complexity vary drastically.
  • Who owns patching, when to patch, and why it hasn't been done all change as organizations scale.