

GRC Engineer
Ayoub Fandi
The podcast for practitioners applying systems thinking and engineering principles to GRC.
We speak with GRC leaders, security engineers and practitioners transforming legacy GRC through automation, orchestration, and architectural thinking.
Learn how to design scalable systems, build better workflows and solve coordination challenges.
GRC Engineering works everywhere: from spreadsheets to enterprise platforms, AI startups to Fortune 500s. It also works for you!
Hosted by Ayoub Fandi, founder of GRC Engineer, co-author of the GRC Engineering manifesto and leading GRC Engineering at GitLab.
Episodes
Mentioned books

Dec 2, 2025 • 1h 6min
GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva
Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc

What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building enterprise security at scale?

In this episode, Kane Narraway, previously leading enterprise security at Atlassian, building Zero Trust at Shopify, and now running enterprise security at Canva, shares battle-tested insights on the intersection of GRC and enterprise security.

Kane's unique perspective comes from working across three major tech companies, navigating everything from SOC 2 to FedRAMP, and building security programmes that scale without creating friction for engineers.

Key Topics Discussed:

The Compliance-Security Partnership: How compliance evolved from yearly audits to sales enablement, and why that actually helps enterprise security teams implement controls faster.

Third-Party Risk Management Handover: The critical transition from TPRM intake to ongoing enterprise security management, and when you should actually push back on vendors.

Platform Consolidation vs Best-of-Breed: Real examples from extremely consolidated (Shopify with Google everything) to open ecosystems (Canva's hundreds of tools), and which approach suits your company culture.

Zero Trust and Continuous Compliance: Why Zero Trust principles align perfectly with GRC engineering, and how to turn point-in-time audit checks into continuous validation systems.

The User Experience Problem: How to implement security controls without creating shadow IT, including the "my machine is perfect" engineer problem and how to solve it.

M&A Security Integration: Principles (not playbooks) for security integration during acquisitions, including when to keep companies separate for compliance reasons.

The AI Compliance Challenge: Why current control frameworks don't match AI-driven access patterns, and what's coming when non-human identities start requesting access at scale.

FedRAMP, HIPAA, and High-Stakes Compliance: The difference between managing SOC 2 (30 minutes of sampling) versus the compliance regimes that can dominate your calendar for months.

About the Guest:
Kane Narraway has spent over a decade building enterprise security programmes at some of the world's leading tech companies. Starting in UK government and BT, he moved to Atlassian where he built their corporate security programme, then to Shopify where he led platform engineering and Zero Trust, and now leads enterprise security at Canva in New Zealand. Kane specializes in building security at scale whilst maintaining developer velocity and user experience.

Connect with the Guest:
Kane Narraway: https://www.linkedin.com/in/kane-n/

About The GRC Engineer:
The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

Visit: grcengineer.com
Connect: linkedin.com/in/ayoubfandi
Newsletter: grcengineer.com/subscribe

#GRCEngineering #Canva #EnterpriseSecurityCompliance #Automation #CyberSecurity #RiskManagement #ZeroTrust #DevSecOps

Nov 11, 2025 • 1h 9min
Beyond the Screenshot: Why Auditors Don't Trust Platforms & What Quality Really Costs w/ Troy Fine
Troy Fine, an experienced SOC 2 auditor and founder of Fine Insurance, dives into the uncomfortable truths of the audit market. He reveals that audit quality is practically unmeasurable, putting brand recognition in the spotlight instead. Troy shares why auditors trust screenshots over automated platforms due to accountability concerns. He also discusses the need for tiered assurance for small vendors and critiques the influence of brand reputation on audit pricing. His insights challenge conventional views on auditing and urge a deeper understanding of trust in the process.

Oct 28, 2025 • 1h 44min
From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman
Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc.

To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

Wrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside?

In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles. What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance.

Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.

Key Topics Discussed:

The Problem State: How FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern tools.

FedRAMP 20X Architecture: The dual-path strategy of improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validation.

Risk-Based Authorization: Why "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk tolerance.

Engineering-First Requirements: How KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everything.

Radical Transparency Doctrine: Why posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinking.

About the Guest:
Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. He previously worked with the US Digital Service as a cloud expert, coached agencies on modernization at the Technology Modernization Fund, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.

Connect with Pete:
Pete Waterman: https://www.linkedin.com/in/petewaterman/

About The GRC Engineer:
The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

Visit: grcengineer.com
Connect: linkedin.com/in/ayoubfandi
Newsletter: grcengineer.com/subscribe

#GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity

Oct 14, 2025 • 1h 14min
Rebuilding GRC from Scratch: Build-First Engineering w/ Emre & Chad from Docker
To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

How do you build a modern GRC programme when you inherit processes designed for a team three times your size, in an organisation where "compliance frameworks were owning us instead of us owning them"?

In this episode, Emre Ugurlu and Chad Fryer from Docker share their journey transforming compliance, risk, and customer trust functions over the past six months through relentless automation, AI-assisted development, and a ruthless focus on user experience.

Emre previously spent 3.5 years at Plaid working on GRC engineering principles, whilst Chad brings a UX focus with a strong engineering background. Together with a small team at Docker, they're proving that you don't need a massive GRC organisation to deliver enterprise-grade compliance at speed.

Key Topics Discussed:

Build vs Buy Philosophy: Why Docker defaults to internal development and how they rebuilt their entire security training platform in a couple of weeks, achieving 100% completion rates through gamification and automation.

Zero-to-One Playbook: The first weeks: deep gap analysis, stress-testing controls, collaborative stack-ranking across teams, and building communication channels before building solutions.

Self-Managing Team Model: Three engineers, one analyst, no dedicated GRC manager. How autonomy and trust from leadership enables speed and innovation.

Continuous Compliance at Scale: Moving towards full automation across SOC 2 and ISO 27001, including custom API development with AWS Lambda and EventBridge.

AI as Teammate: Claude as "the sixth member" of the team, the discipline required to use AI effectively, and why pre-AI coding experience makes you 10x better at leveraging it.

User Experience in GRC: Why if nobody uses your solution, it doesn't matter how good it is. Building for adoption, not perfection.

TPRM Transformation: "We promised Steven we would automate the crap out of it" - plans for comprehensive third-party risk management automation.

Cost Model Innovation: How Docker's GRC team is becoming a revenue-generating function by saving costs and offering solutions to other internal teams.

Essential Skills: What aspiring GRC engineers actually need: API documentation reading, embracing failure, proper documentation, and understanding code across multiple languages.

12-Month Vision: Open source tool releases, containerised solutions for the community, and the goal to "transform GRC into something no one's ever seen." Open source cybersecurity training already available: https://emreugurlu.github.io/open-security-training/

Quotes:

"Instead of bending over backwards, we're supposed to make it fit the organisation. Docker is really unique in the way it operates, and we have to adjust compliance accordingly." - Emre

"If we build the most cool thing on the planet, but nobody uses it, it doesn't matter. Everything I do, I think of user experience during the process." - Chad

"Six times out of ten, I have to go correct Claude. The ability to read through code and read through flawed logic never disappears." - Emre

"With the tools we have today, there's no excuse why anybody can't build things themselves." - Emre

"We're going to be a revenue generating team." - Chad

About The GRC Engineer:
The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.

Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

Visit: grcengineer.com
Connect: linkedin.com/in/ayoubfandi
Newsletter: grcengineer.com/subscribe

Sep 6, 2025 • 57min
Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer
In this engaging discussion, Varun Gurnaney, a Staff Security Engineer with a rich background at Apple, Robinhood, and Zendesk, dives into the dynamic world of Governance, Risk, and Compliance (GRC). He emphasizes the necessity of automation and the collaboration between engineering and compliance teams. Varun shares insights on the evolving auditing landscape, advocating for continuous assessments over traditional methods. He highlights the transformative potential of AI in compliance, promoting a real-time approach to risk management and enhancing GRC effectiveness.

Aug 26, 2025 • 1h 9min
The GRC Engineering Blueprint for the Public Sector w/ Dr. Ibrahim Waziri Jr. from Google
To learn more, check out grcengineer.com

Summary
In this episode, Dr. Ibrahim Waziri Jr. shares his extensive experience in GRC engineering and cybersecurity, discussing the evolution of compliance from static documentation to dynamic, automated processes. He emphasizes the importance of GRC engineering in bridging different governance models and enhancing operational efficiency. The conversation also explores the challenges of bureaucracy in the public sector and the need for innovation in compliance practices. Dr. Waziri highlights the future of GRC engineering, focusing on regulatory acceleration and the potential for global harmonization in compliance frameworks. If you work in the Public Sector, this is a must-listen episode!

Takeaways
GRC engineering is transforming compliance into a dynamic, automated process.
The complexities in GRC are numerous and growing, requiring innovative solutions.
Automation in GRC can significantly enhance operational efficiency.
Bureaucracy in the public sector can hinder innovation, but GRC can enable it.
Regulatory acceleration is leading to faster compliance processes.
Global harmonization of regulatory requirements is becoming increasingly necessary.
The future of GRC engineering will involve more machine-readable formats.
Understanding different governance models is crucial for GRC professionals.
GRC architects are needed to navigate complex regulatory landscapes.
The role of compliance is evolving to focus on mission continuity and resilience.

Sound bites
"The complexities in GRC are numerous and growing."
"Regulatory acceleration is a new era for compliance."
"The future of GRC is about global harmonisation."

Chapters
00:00 Introduction to GRC Engineering and Guest Background
03:50 Dr. Ibrahim Waziri Jr.'s Journey in Cybersecurity
11:35 Defining GRC Engineering: A Transformative Approach
17:15 GRC Engineering Across Different Governance Models
22:40 The Role of Automation in GRC Engineering
28:46 Balancing Compliance and Innovation in Public Sector
36:45 Proving Impact in Mission-Driven Organisations
52:58 Balance between Bureaucracy and Critical Reviews
58:51 Future of GRC Engineering

Keywords
GRC engineering, cybersecurity, compliance, automation, insider risk management, regulatory frameworks, cloud security, national security, governance, risk management

Jul 29, 2025 • 1h 2min
Deep-dive on Cyber Risk Quantification and GRC w/ Tony Martin-Vegue from Netflix
Tony Martin-Vegue, an expert in risk quantification and GRC engineering at Netflix, shares his insights on navigating the complex world of cyber risk. He discusses his journey from IT to risk management and highlights the transformative power of the FAIR framework. The conversation delves into the critical role of AI in speeding up risk assessments, effective communication for decision-makers, and the importance of viewing GRC as a business enabler. Tony also introduces his new Substack and upcoming book aimed at simplifying cyber risk quantification for all.

Jul 1, 2025 • 1h 9min
Beyond the API: GRC Engineering in the Real World w/ Ange Ferrari, CISO/SVP @ METRO AG
Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe

In this insightful episode of the GRC Engineering Podcast, host Ayoub Fandi sits down with Ange Ferrari, SVP & CISO at Metro Group, for a deep dive into how GRC has evolved over two decades and what it takes to scale security programs globally.

Our expert guest:
Ange is a security leader with 20+ years experience across public sector, retail giants (Carrefour, IKEA), AWS EMEA, and now leading security for a global wholesaler operating in 36 countries.

We explore the evolution and engineering of GRC at enterprise scale, covering:
How GRC became the key to career growth from technical roles to CISO
Why cloud transformation shattered traditional risk frameworks
The reality of implementing controls across diverse, global technology stacks
Hot Take: The critical balance between prevention and detection that most miss
AWS insider perspective: What enterprise-scale compliance really looks like
Engineering pragmatic GRC programs that work in messy, real-world environments

Whether you're a CISO scaling global programs, a GRC professional in traditional industries, or anyone trying to make compliance work in complex enterprise environments, Ange shares battle-tested strategies from the front lines.

Timestamps:
00:00 - Introduction and Ange's Background
02:57 - How GRC Enabled Career Growth
06:34 - Evolution of GRC Practices Over Time
14:52 - Common GRC Implementation Failures
25:56 - Defining GRC Engineering
33:01 - Where Should GRC Teams Report?
39:20 - GRC Challenges in Complex Enterprise Environments
49:05 - Lessons from the AWS Vendor Side
59:46 - Building Technical Skills in GRC Teams
01:03:39 - Hot Take: Prevention vs Detection Balance

May 20, 2025 • 1h 7min
Third-Party Risk Management from the Trenches w/ Blake, McKenna and Kristi | Experts Panel
Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe

In this premiere episode of the GRC Engineering Podcast Experts Panel, host Ayoub Fandi brings together three seasoned Third-Party Risk Management (TPRM) practitioners to discuss the real-world challenges and innovations in vendor security assessment.

Our expert panelists:
McKenna Yeakey (Netflix) - TPRM professional with previous experience at Splunk and Samsara
Kristi Hoffmaster - TPRM practitioner with experience at Okta
Blake Hoge (Airbnb) - TPRM professional with previous experiences at Instacart and Salesforce

They dive deep into the practical realities of TPRM, exploring:
How to optimise questionnaires for different vendor risk tiers
Strategies for balancing speed and thoroughness in assessments
The evolving value of SOC 2 and other third-party attestations
Trust Centres: genuine security resources or marketing tools?
Security scoring platforms: their benefits and limitations
How SaaS security tools can enhance TPRM programs
Real-world stories from thousands of vendor assessments

Whether you're a security professional, TPRM practitioner, or interested in understanding how companies evaluate their vendors, this episode provides valuable insights into how leading companies like Netflix and Airbnb approach third-party risk.

Subscribe to the GRC Engineering Podcast for more expert discussions on governance, risk, and compliance engineering.

00:00 - Introduction to the Experts Panel
03:20 - Questionnaire optimisation approaches
11:00 - Risk-based vendor tiering strategies
18:00 - Balancing speed and thoroughness in assessments
26:45 - Netflix's way of integrating TPRM
30:05 - Declining value of certification and attestations
37:30 - Trust Centres: helpful or just marketing?
44:30 - Security scoring platforms: useful signals or noise?
49:40 - Kristi pulls a reverse UNO card and asks Ayoub about TPRM disruptions
52:45 - SaaS Security tools for TPRM programs
58:25 - Interesting vendor assessment stories
01:05:00 - Closing thoughts on TPRM's value

#TPRM #VendorSecurity #RiskManagement #GRCEngineering #SupplyChainSecurity

Mar 25, 2025 • 1h 53min
The Unfiltered GRC Automation Roundtable: 7 Platform Executives on Enterprise GRC & Commoditisation
In this groundbreaking episode of the GRC Engineering Podcast, we bring together executives from the 7 leading GRC automation platforms for an unprecedented discussion on the future of compliance automation. For the first time ever, leaders from Vanta, Drata, Anecdotes, Secureframe, Sprinto, Scrut Automation, and Thoropass share the same virtual stage to debate critical industry topics, challenge common assumptions, and share their visions for the future of GRC.

Featured Guests:
Jake Bernardes - CISO, Anecdotes
Matt Hillary - CISO, Drata
Jeremy Epling - Chief Product Officer, Vanta
Shrav Mehta - Founder & CEO, Secureframe
Girish Redekar - Co-founder & CEO, Sprinto
Nicholas Muy - CISO, Scrut Automation
Andrew Persons - VP of Product, Thoropass

From the commoditisation debate to enterprise adoption challenges, get unique insights into how these platforms are shaping the future of GRC.

Key Timestamps:
00:00 Introduction and guest introductions
09:00 Is compliance being commoditised? The vendor perspective
32:30 Is Assurance impacted from selling compliance to non-GRC stakeholders
49:30 If quality was very low, most GRC automation firms would be out of business
54:30 Selling GRC automation to enterprise customers
01:19:00 Working around existing legacy GRC platforms
01:34:30 Risk of being replaceable as being embedded at the data layer
01:38:40 Working with product feedback from non-customers
01:46:45 GRC Engineering discussion
01:50:00 Conclusion and key takeaways

Special thanks to our guests for making this historic conversation possible. This discussion represents a turning point in how we think about GRC automation and its role in modern organisations.

#GRCEngineering


