In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Ryan Schoeller, Director of Security & GRC at Treasure Data, to challenge one of the most deeply rooted assumptions in the industry: that GRC should stay passive and “independent.” Drawing from his experience across startups, mid-market tech companies, and large enterprises, Ryan argues that the most effective GRC teams are the ones that actively participate in control monitoring, risk management, and operational decision-making. This conversation goes beyond audits and checklists, exploring how GRC can truly drive business value by protecting revenue, enabling growth, and embedding risk thinking into everyday operations.

Key Takeaways:

• GRC delivers the most value when it actively participates in monitoring controls, not just validating them after the fact.
• Risk is the most critical — and most neglected — pillar of GRC, often confused with gaps or vulnerabilities.
• Strong relationships with engineering and business teams are essential for GRC to gain meaningful access to data.
• GRC engineering is not just about writing code; it’s about applying an engineering mindset to workflows, tooling, and processes.
• Automation alone is not a business case — value comes from how freed-up time is reinvested.

What You’ll Learn:

• Why the “three lines of defense” model often breaks down in real organizations
• How GRC teams can reduce compliance theater by becoming more operational
• The difference between a vulnerability, a gap, and an actual risk
• How to build a business case for GRC automation that leadership will support
• Why front-ending GRC work (sales assurance, customer trust) often matters more than backend audit prep

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Ryan Schoeller | Director of Security & GRC | Treasure Data
Connect on LinkedIn: https://www.linkedin.com/in/ryanschoeller/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

What if GRC shouldn’t sit inside Security at all—and what if the bigger problem isn’t automation, but what you do after you automate? In this episode, Raj Krishnamurthy sits down with Charles Nwatu (former Security GRC Engineering & Assurance leader at Netflix) for a candid, systems-level conversation about why “annual audit rituals” fail modern engineering, how GRC can produce high-fidelity signals that strengthen security decision-making, and why the next wave of GRC engineering is about analytics, specifications, and business impact—not just speeding up evidence collection.

Key Takeaways:

• GRC is a continuous discipline—point-in-time compliance can help, but it can’t be the end state.
• Automation is necessary but not sufficient: the real value is in turning collected evidence into actionable insights.
• Specifications enable measurement—without clear expected behaviors, security metrics become inconsistent and hard to compare.
• GRC can feed security with high-fidelity signals (like identity/access review metadata) that improve posture beyond audit readiness.
• Third-party risk doesn’t “finish”—the goal is visibility, data lineage awareness, and making the mess less messy.
  
  

What You’ll Learn:

• Where Charles believes GRC should sit org-wise—and why Security should be a “customer” of GRC
• What “shift-left GRC” looks like in practice (beyond annual audits)
• Why “efficiency savings” don’t automatically equal “security value”
• How to think about metrics, specifications, and risk in a shared language
• Why third-party risk management is “unsolvable,” and how to build guardrails anyway

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.

Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Charles Nwatu | GRC Engineering Leader
Connect on LinkedIn: https://www.linkedin.com/in/cnwatu/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

GRC has long been seen as abstract, manual, and disconnected from how modern engineering teams actually work, but that narrative is breaking down. In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Akhila Chitiprolu, Head of Security & GRC at Sierra, to explore why GRC must be treated as an engineering discipline, not a compliance afterthought. Drawing from her experience across T-Mobile, Expedia, Stripe, and AI-native companies, Akhila explains how systems thinking, automation, and shared ownership can radically reduce compliance toil while increasing trust. This conversation goes deep into GRC engineering, audit realities, automation tradeoffs, and what the future of compliance looks like in an AI-driven world.

Key Takeaways:

• GRC works best when treated as a system with inputs, processes, outputs, and feedback loops
• Automation should focus on intent and outcomes, not blindly speeding up broken manual processes
• GRC professionals act as a middleware layer between engineers, auditors, and customers
• Not all controls should be automated — but 70% can be, with humans in the loop where it matters
• The future of GRC depends on engineering mindset, context, and trust, not checklists

What You’ll Learn:

• Why GRC is fundamentally a systems engineering problem
• How to reduce engineering toil without weakening audit posture
• When automation helps — and when it creates false efficiency
• How GRC teams should approach AI, agents, and non-deterministic systems
• Practical ways to build a GRC engineering function over time

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Akhila Chitiprolu | Head of Security & GRC | Sierra
Connect on LinkedIn: https://www.linkedin.com/in/akhilachitiprolu/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450