In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Vivek Madan to unpack what it really means to run a modern GRC program inside a global cybersecurity company. Drawing from his journey across networking, security engineering, risk, and compliance, Vivek shares how GRC can function as a true business enabler—opening markets, accelerating revenue, and strengthening trust. This conversation stands out for its practical frameworks, real-world stories, and honest discussion about friction between engineering, security, auditors, and compliance teams, giving listeners a grounded view of how GRC works when it’s done right.

Key Takeaways:

• GRC works best when it is positioned as a growth enabler that unlocks new markets, not just a compliance checkbox.
• Strong governance establishes foundational rules that allow security and risk decisions to scale consistently across the business.
• Storytelling is a critical GRC skill—people align with compliance when they understand the “why,” not just the requirement.
• Common controls frameworks reduce complexity when designed intentionally across global, application-specific, and product-specific needs.
• Automation matters, but process automation is just as important as technical automation to reduce compliance friction.

What You’ll Learn:

• How GRC enables business expansion into regulated and global markets
• Why compliance resistance exists—and how to overcome it
• A practical 50–35–15 model for common controls frameworks
• How to balance continuous assurance with annual audits
• What modern GRC leaders look for when hiring talent

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Vivek Madan | Director of Security, Risk, and Compliance | Fortinet
Connect on LinkedIn: https://www.linkedin.com/in/vivek-madan-cissp-ccsp/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts:https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

Audits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audits, Varun explains why “auditable controls” are the missing link between fast-moving engineering teams and slow, annual audit cycles — and how organizations can stop treating audits as an afterthought and start using them as a trust-building mechanism.

Key Takeaways:

• Audits are designed to provide reasonable assurance, not eliminate all risk
• The biggest failure in modern GRC is building controls that are automated but not auditable
• Continuous controls monitoring only works if auditors can validate completeness and accuracy
• Screenshots persist because they remain the clearest way to demonstrate system state over time
• Security controls should be built to improve posture first — and explained clearly second
  
  

What You’ll Learn:

• Why audit skepticism is a feature, not a flaw
• How internal and external audits serve fundamentally different purposes
• Where continuous monitoring breaks down from an auditor’s perspective
• What “auditable controls” actually mean in CI/CD environments
• How AI can assist auditors without replacing human judgment

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Varun Prasad | Cloud Security & Privacy Assurance | BDO
Connect on LinkedIn: https://www.linkedin.com/in/varunprasad/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts:

https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from reactive audits to continuous visibility. He breaks down why curated visibility beats blanket access, why SOC 2 should sharpen—not dilute—your security program, and how to anchor leadership decisions with meaningful risk data.

Key Takeaways

• GRC only scales when its processes mirror how engineering teams already work.
• SOC 2 should enhance your security program rather than becoming a superficial checkbox exercise.
• Curated visibility reduces friction and improves cross-functional trust.
• Clarity in ownership is the backbone of a scalable GRC function.
• Continuous, context-driven evidence cuts audit fatigue and sharpens the entire program.

What You’ll Learn

• How Tom built and matured GRC programs across four different companies.
• Why engineering alignment is essential for sustainable compliance.
• How curated visibility replaces access sprawl and accelerates audits.
• The difference between risk-driven and compliance-driven GRC.
• Why automation only works when underlying processes are mature.
• How to structure ownership to reduce bottlenecks during SOC 2 and similar frameworks.

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Tom Scuderi | Senior Manager of Security & GRC | LTK
Connect on LinkedIn: https://www.linkedin.com/in/tom-scuderi/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify:

https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts:

https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

#SecurityAndGRCDecoded #RajKrishnamurthy #TomScuderi #LTK #GRC #ScalingGRC #SOC2 #EngineeringAlignment #RiskManagement #SecurityLeadership #Compliance #GovernanceRiskCompliance #SecurityGRCPodcast #ComplianceCow