Security & GRC Decoded

By: Raj Krishnamurthy

About this audio content

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders who are responsible for security GRC and for ensuring their organizations are safe, secure, and compliant with regulatory mandates. Each episode explores frameworks, risk management strategies, and the innovations shaping the future of GRC, drawn from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!

© 2026 Security & GRC Decoded
Business
Episodes
  • The GRC Illusion: Why Third-Party Risk Is Still Broken ft Val Dobrushkin, Director of GRC @ Tricentis
    Apr 21 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Val Dobrushkin, Director of GRC at Tricentis, to challenge one of the most overlooked failures in modern security programs: third-party risk management. Drawing from his experience building GRC programs at ForgeRock, NoName Security, and beyond, Val explains why most organizations are still stuck in compliance theater and how GRC teams can evolve into true business enablers.

    This conversation dives into the disconnect between frameworks and reality, the limits of SOC 2, the role of GRC in revenue and M&A outcomes, and why solving for today while building for the future is the key to long-term success.

    Key Takeaways:

    • Third-party risk management is fundamentally broken due to over-reliance on questionnaires and weak enforcement of meaningful controls.
    • SOC 2 is too flexible and inconsistent to be relied on as a true indicator of security maturity.
    • GRC has a unique advantage over security in directly demonstrating business value and revenue impact.
    • “Solve for now, build for later” is critical for startups and fast-growing companies preparing for IPO or acquisition.
    • Strong GRC programs can directly influence company valuation by identifying contractual and compliance gaps early.

    What You’ll Learn:

    • Why questionnaires and annual vendor reviews fail to capture real third-party risk
    • How GRC teams can prove revenue impact through customer trust and assurance
    • The hidden role of GRC in M&A, IPO readiness, and contract validation
    • Why most GRC metrics fail and what meaningful measurement should look like
    • How to implement a “solve now, build for future” strategy in fast-growing companies

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Val Dobrushkin | Director of GRC | Tricentis
    Connect on LinkedIn: https://www.linkedin.com/in/dobrushkin/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

    55 min
  • GRC Is Broken... And Nobody Wants to Admit It ft Dylan O’Dell, AVP Information Risk Officer @ Manulife
    Apr 7 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Dylan O’Dell, AVP Information Risk Officer at Manulife, to challenge one of the biggest assumptions in the industry: that GRC is working as intended. Dylan argues that most organizations are stuck in control-centric thinking and missing the true purpose of risk management — translating data into business decisions.

    Drawing from his background in Lean Six Sigma and large-scale enterprise risk, Dylan breaks down why GRC needs to evolve beyond audits and control testing into automation, orchestration, and storytelling. This conversation explores how modern GRC teams can reduce operational friction, quantify real risk, and actually influence business outcomes.

    Key Takeaways:

    • GRC today is overly focused on control testing rather than true risk management and decision-making.
    • Automation should eliminate manual audit friction — not just make existing processes faster.
    • The future GRC professional must combine technical awareness with storytelling, influence, and business understanding.
    • Risk management should be rooted in probability and financial impact — not pass/fail compliance.
    • GRC teams can unlock funding and influence by tying their work directly to revenue, cost savings, and business outcomes.

    What You’ll Learn:

    • Why the “three lines of defense” model often breaks down in practice.
    • How to translate technical data into meaningful business risk narratives.
    • What modern GRC automation should actually look like (beyond tools).
    • How to position GRC as a revenue enabler — not just a cost center.
    • Why “start with why” is critical for influencing stakeholders and reducing friction.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.

    Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Dylan O’Dell | AVP Information Risk Officer | Manulife
    Connect on LinkedIn: https://www.linkedin.com/in/dylan-odell-72a06412b/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

    1 h et 8 min
  • Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo
    Mar 24 2026

    In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they are fundamentally communication disciplines. From using analogies to explain vulnerabilities, to reframing GRC as the “Draymond Green” of cybersecurity, Steven shows how the best security leaders translate complexity into clarity, help the business make better decisions, and meet people where they are instead of overwhelming them with jargon.

    Key Takeaways:

    • Security and GRC succeed when they communicate clearly to humans, not when they simply present more technical detail.
    • The best GRC teams act as guides that help the business make reasonable, compliant, cyber-conscious decisions.
    • Metrics only matter when they drive a clear outcome or decision, not when they exist for their own sake.
    • Strong GRC teams build trust by doing the hard, cross-functional work that others often avoid.
    • Storytelling is a core security skill because people act on messages they understand, remember, and relate to.

    What You’ll Learn:

    • Why Steven believes security is ultimately a human communication problem.
    • How to tailor security messaging for engineering leaders, CISOs, and business stakeholders.
    • What “guardrails not gates” looks like in a practical GRC program.
    • How to think about data, metrics, and reporting without overwhelming your audience.
    • Why AI may change the consumption layer of GRC, but not eliminate the human need for storytelling.

    This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

    Watch more episodes: https://www.compliancecow.com/podcast

    Connect With Our Guest:
    Steven Asifo | Director of Security & GRC | Yahoo
    Connect on LinkedIn: https://www.linkedin.com/in/asifosays/

    Rate, review, and share if you enjoyed the show!

    Subscribe to Security & GRC Decoded wherever you get your podcasts:

    Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

    Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

    1 h