How does a software engineer become a GRC leader? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Varun Gurnaney, Staff Security Engineer at Apple. Varun shares his journey from writing janky Python scripts for compliance evidence collection to shaping the discipline of GRC engineering at some of the world’s biggest companies.
He discusses the cultural and technical gaps between security, engineering, GRC, and audit — and how automation can bridge them. From building one control really well to proving value through audit automation, Varun lays out why the GRC space is hotter than ever. This conversation is a must-listen for anyone navigating compliance at scale.
Varun Gurnaney | Staff Security Engineer | Apple
Raj Krishnamurthy (00:00.962)
Hey, hey, hey, welcome to another episode of Security and GRC Decoded. I’m your favorite host, Raj Krishnamurthy. And today we have a fantastic person, Varun Gurnaney. He’s not only good looking, he’s a fantastic GRC professional as well. So I’m super glad to have you, Varun. Welcome to the show.
Varun Gurnaney (00:22.226)
Same here Raj, I know I owe this to you. It’s been a while since I’ve known you and we’ve chatted so many times and this is something that I’ve always wanted to do with you and record this thing. And these good looks are not my good looks, this is just AI filters. It’s just AI filters, I’m an old guy. So don’t get deceived.
Raj Krishnamurthy (00:38.69)
The AI filter, okay.
Raj Krishnamurthy (00:43.534)
Okay, now I appreciate it. You have 10 years; you’ve been a GRC professional, in the security and GRC space, for more than 10 years. You’ve worked for companies like Robinhood. You’re currently a staff security engineer at Apple. I’m super excited. I think some of these are leading companies with leading thought processes, and you are on the speaking circuit on GRC and security. I’ve seen you at BSides, I’ve seen you in other places. So how did you get into GRC?
Varun Gurnaney (01:14.13)
Oh man, this is 10 years ago. It’s been a while. Okay, so I was in undergrad and I used to write Android, iOS, apps, build websites, write WordPress plugins and PHP. And then my first job out of my undergrad was to be a cybersecurity analyst at EY. And my first assignment was to go into ISO 27001 vendor audits for large…
banks and finance companies in India. When you throw a software engineer who’s used to writing code into a bunch of spreadsheets, to go and talk to people across finance, the boring legacy finance industry, it’s not the most fun thing. So I saw myself with physical printouts of the ISO 27001 checklist,
going into data centers and actually physically noting down things, like what’s wrong with the fire extinguisher, and then coming back to my laptop, typing things up and doing these audits for ISO. It was tragic, because as a software engineer you don’t want to do checklists and print out how it works. But for a year I learned a lot. I learned how audits work. I learned what it is to actually see security from an InfoSec standpoint.
But the inner software engineer inside me was just depressed. So yeah, that was my first gig. And then I quit my job in a year. Then I came to the US, got my master’s degree. And then my first internship I got was in San Francisco at a company called Zendesk. And in my first week, week zero, assignment one as an intern was: go look at our SOC 2. We have an audit coming up. Go help us collect evidence for the audit.
And I was like, again, these compliance folks, these compliancey things just don’t leave my back. So I’m like, I’m not going to go with the spreadsheet approach. I’m going to write Python code for it. So I wrote up really bad, janky Python code, 15, 20 lines each for a bunch of controls. And it would just go hit the APIs of Jira and the like, look at this blank, and then collect the evidence, put it into a folder, print out a
Varun Gurnaney (03:34.962)
web dashboard. I think I used Python Flask for it. It was just janky Python scripts, but this is 2018. So this is the cusp of compliance automation being a thing. So TLDR, software engineer, thrown into the compliance world, fell in love with the problem, stayed on. But my time at Robinhood was a little different. Robinhood was a career choice I made; I thought compliance automation is gonna be essentially boring.
The technology is there, but the culture problem has not been solved yet. GRC people never understood what Python could do for them. So I’m like, you know what, let’s just jump back over to doing security engineering. So Robinhood was actually a gig which I did for a year. I was an AppSec engineer: security reviews, threat modeling, you know, pen testing, bug hunting, just that typical sec-eng work. And then I was like, man, this GRC space is hot. It’s picking up and…
And that’s how I moved to Apple. And then I was building out compliance automation slash GRC tooling slash GRC engineering function within a team at Apple. So that’s been my journey.
Raj Krishnamurthy (04:46.398)
No, that’s a fascinating journey. And what made you think that the GRC space is hot? And this is in 2022, right, when you moved to Apple.
Varun Gurnaney (04:53.906)
So I’ll tell you, there were two spikes which I saw. One is in 2018, when I was writing those janky Python scripts at Zendesk, and the GRC team at Zendesk was not 25 people, and my boss was a director back then. She saw this future where, you know, scripting could be a good way to automate evidence testing. And 2018 is also when YC decided to fund a bunch of startups in this space.
So that was a good validation for choosing this as a career path. And then 2022 is when a lot of these companies which actually decided to take this path and build compliance tools and automations actually saw market validation and growth. Fun fact, I thought of doing my own thing back in 2022. I decided not to, and decided I wanted to test out my hypothesis that compliance automation will look extremely different if you
try to sell this compliance automation bundle to a small company which has a compliance team of one or two, a mid-market company which has a compliance team of five to 25, and then an enterprise which is Fortune 500. I was more interested in the onboarding problem of the mid-market and enterprise companies, and that’s exactly why I went to Apple: to see if the things I want to do for mid-market enterprises make sense or not. And it does make sense. They need tools, but the story is completely different, right? If you are an
account exec for an SMB-focused compliance tool and if you’re an account exec for an enterprise-focused team for a GRC tool, it’s a different game. To answer your question, what I saw was essentially investor and market validation in this space. Especially with YC investing, and then other investors playing catch-up and deciding to, you know, fund these initiatives, and mainly directors and leadership of security investing in these tools.
Raj Krishnamurthy (06:50.891)
Interesting, because almost every single company that has been founded in the GRC space in the last few years, right? Vanta, Drata, Secureframe, Thoropass, you name it.
Varun Gurnaney (06:51.941)
Yeah.
Varun Gurnaney (07:04.187)
Can we name them? Okay, awesome. I was just back on the names. Okay, okay.
Raj Krishnamurthy (07:07.157)
No, we don’t have to name them. We in some ways compete with some of them. But if you really look at them, almost all of them have exclusively focused on the SMB side of the business, right? And they’re not focused on the mid-market and enterprise. Why do you think that is the case?
Varun Gurnaney (07:25.339)
We’re talking business now, Raj. Okay, okay.
Raj Krishnamurthy (07:27.861)
No, maybe let me rephrase the question. And it’s not so much whether from solving a problem perspective, right? And these are two, I’m going back to the earlier point that you made. And I think you made this very well in your, I think you wrote a blog around the hybrid nature of GRC that was a brilliant blog. So I’m actually tying this back to what you wrote, which is that.
Varun Gurnaney (07:39.409)
Hmm.
Varun Gurnaney (07:43.697)
Yeah.
Varun Gurnaney (07:49.648)
Yeah.
Raj Krishnamurthy (07:50.348)
These seem to be two different worlds, right? The SMB world and the mid-market and the enterprise world. That’s what I got from what you were saying. Is that correct? Is that accurate? I think what I am trying to ask you is that if these are two different worlds, why is it that there has been so much investment in the SMB world and not so much in the mid-market and the enterprise world?
Varun Gurnaney (07:55.377)
Yes, yes, that’s absolutely correct.
Varun Gurnaney (08:06.545)
Hmm.
I’ll answer your question in two parts. One is, as an engineer, it is easier to build tools when your infrastructure is less complex. So if I’m building my own B2B SaaS company with a GRC tool, it’s much easier to build for other B2B SaaS companies which have very typical cloud deployments. Much easier. They don’t have 15 different clouds they work with. They probably have at max one or two.
It’s much easier to tool. From a business standpoint, a sales standpoint, I feel it’s a quicker sales cycle. It’s easier to sell. It’s less sticky, because your customer will easily pay 4 to 5k USD for a tool, get their SOC 2, move on in life, maybe shop around in two years. And that’s why I’m not really confident in the…
annual recurring revenue from these places. So again, two-part answer: business part, it’s easier to sell; technology part, it’s easier to implement. And as an investor, if I see it, it’s a lot easier to get that valuation if you have quick sales. So investors will tell you, hey, look, why don’t you go and sell to small startups? It’s easier to close, it’s easier to sell, quicker market cycles, I can get a Series B faster, right? So yes, business side and tech side, easier.
Raj Krishnamurthy (09:35.47)
Got it. Now, you’ve been on both sides, right? You started with Zendesk, and then you moved on to sort of this massive enterprise called Robinhood, which is obviously growing by leaps and bounds. And then, obviously, Apple, right? What do you fundamentally see as a practitioner? What is it that you saw as fundamentally different between these two types of companies?
Varun Gurnaney (09:44.859)
Hmm. It’s huge now. When I was back there, it was like a lot smaller.
Yeah.
Varun Gurnaney (10:03.58)
fundamentally different.
Raj Krishnamurthy (10:06.85)
for GRC.
Varun Gurnaney (10:07.129)
If you… Yes, yes, of course. It’s hard, because Zendesk is a B2B company; the compliance was sales-driven in many ways. Also a great security culture. Luckily I’ve been in all three places with a great security culture. The fundamental difference is in the scale of the complexity of each security control. Let’s talk about patch management or change management. Extremely different at Zendesk.
Raj Krishnamurthy (10:17.879)
Okay.
Varun Gurnaney (10:38.129)
Very different at Apple. Very different. I’ll skip Robinhood because it was more of a security, engineering kind of a focused journey for me. But these two places, that’s what I saw. What is actually common is the culture of compliance. That’s common. Because compliance folks, GRC folks, think in a certain way.
Raj Krishnamurthy (10:56.299)
Interesting, interesting.
Varun Gurnaney (11:05.014)
and that’s always interesting to me.
Raj Krishnamurthy (11:08.375)
Cut. I think that’s a great segue. One of the, if you really stack it, I always say, if there is a pecking order of hate, right, I think maybe after your immediate manager, your audit team comes somewhere below that, and I think the GRC team is somewhere there. There seems to be this disconnect between engineering and security, security and GRC, and GRC and audit.
Varun Gurnaney (11:12.059)
Hmm.
Varun Gurnaney (11:21.563)
Hmm.
Varun Gurnaney (11:29.189)
Yeah.
Raj Krishnamurthy (11:35.647)
In your experience, first do you agree that there is something going on there and why do you think that is the case?
Varun Gurnaney (11:44.293)
I think it’s more of a human thing.
As a human being you don’t like people blocking you in any way. Let’s say you’re driving on the Interstate Highway System in America, you want to get on the ramp, you’re on I-680 heading towards Dublin, right, and you hit the ramp and you see the red light saying one car per green light. You will get the green in the next three seconds, but it is hella annoying, right? We as humans are fundamentally designed to run; we are not used to people saying…
you should pause and hold on. Unless you yourself decide that I should pause and ramp up my speed to 65 miles per hour to get out to highway speed. Somebody else saying that to you, humans don’t like that. It’s a people problem. So I think that’s pretty much it. Engineers don’t like to hear from security saying that you need to encrypt your S3 buckets. As a software engineer shipping features, they don’t really care. Same with compliance folks.
Compliance folks will want each access review ticket to be documented, approved, and reviewed after 180 days. Does it actually provide the security assurance that the security team wants? Maybe.
But they have other compensating controls for it, right? So you’re just being a blocker to them for no reason. I think that’s it. I think it’s just a culture thing.
Raj Krishnamurthy (13:11.467)
Okay, no, I think actually I love the analogy. That’s a brilliant analogy. But do you see compliance and GRC as, are you saying that they are a blocker and they can be better? Or are you saying that inherently the nature of the function is to block? What are you saying?
Varun Gurnaney (13:31.34)
Inherently the nature of the function becomes blocking. All the compliance folks I speak to, they want to be business enablers, they want to be in line with the business, but the nature of the job is like, hey, can you send me evidence that you approved this request and you reviewed the request in 180 days? Sure, because your framework says so, but where is it aligned with the security engineer or the engineering manager of, let’s say, for PCI, a billing team?
How does it map? They need to be on your team to understand what’s happening. And I think the communication, the lack of technical understanding of systems in a GRC team to communicate that to engineering leadership, that’s the gap. Can your compliance leadership, can a security compliance leadership communicate with a great technical understanding of what a VP of engineering would want in your organization?
That is what I see, and that’s exactly why, when I work for companies, I actually see if the leader is capable of doing that, and that’s exactly where I take up the job. Yeah.
Raj Krishnamurthy (14:35.968)
No, I love it. So you’re saying that I think the technical speak and the technical understanding bring clarity and sort of a common ground for communications between GRC and engineering, right? But it doesn’t take away the fact that you are still telling the engineer to do his access review. You are still telling the engineer, asking them if they are within the SLA for remediating their critical vulnerabilities, right? So how do you overcome that the blocker is still a blocker? So how are you overcoming it with better communications?
Varun Gurnaney (14:47.022)
It gets you easy buy-in.
Varun Gurnaney (14:54.19)
Yeah.
Varun Gurnaney (15:03.44)
Yeah, I always say this, and if you go hear my BSides presentation recordings on YouTube, my goal as an engineer on the compliance team, on the compliance side, is to make other engineers hate compliance less. Yeah, no one will love you. Nobody loves you. They’re going to hate you a little less because you made the job a little bit easier. So just showing them that, hey, look, we have these tools that we are trying to plug into your system,
Raj Krishnamurthy (15:18.444)
You’re compliance-less. Okay.
Varun Gurnaney (15:32.656)
which will make access reviews a little bit easier for you. They’re not going to solve it for you, but just a step easier. It’s going to be one less email, or two less meetings, or three less access requests: email, click approved, something like that that will make them feel like compliance is looking out for us. So it’s just that. When you try to update your phone or your laptop to the next software version, it prompts you: do you want to update it
now, or try again tonight? I think that when you give human beings an option to choose from, they’re automatically driven to do the right thing themselves. So yeah, that’s also, I’m biased because I’m an engineer myself and I have a lot of empathy for other software engineers who are in the industry and what they might be facing when they talk to compliance teams. So I feel like if you make lives easier for engineering managers and engineers, you’ll naturally have less security
Raj Krishnamurthy (16:12.534)
Got it,
Varun Gurnaney (16:32.366)
debt and less compliance debt going forward because they are busy fixing technical debt anyway.
Raj Krishnamurthy (16:35.254)
Makes sense.
Makes sense, makes sense. We had Jeefun Sathapathy, who’s the CISO at Medallia. And he was an engineer, right? He actually grew up through the ranks of engineer, software developer, security engineering, and then eventually to CISO. And one of the brilliant points that he makes is around builder empathy, right? And how security can, the more you understand, the more you can put yourself in their shoes, the better you can reduce the friction. So.
Varun Gurnaney (17:00.56)
Mm.
Raj Krishnamurthy (17:04.426)
I think I see you echo that as well. So a big factor here seems to be the behavioral understanding, right, and the change management of how all these different parties can come together, and GRC can truly act as the glue. That’s what I’m hearing you say. Is that correct?
Varun Gurnaney (17:17.648)
Yes, yes. It’s not just a technological challenge. It’s not we don’t have the tech or AI is not good enough. That’s not the reason. It’s just that we as people need to adapt, right? And for it to get people to adapt, you need to play the people game. You need to social engineer your way through. So it’s just one of those things.
Raj Krishnamurthy (17:35.425)
Got it. Got it. So one question. So you have been a big proponent of GRC engineering, right? And it comes under different names, right? Some call it compliance automation, which is sort of not the sexy word anymore. And we have different names. But GRC engineering truly is an engineering discipline. There is nothing wrong with the word. We truly embrace that word. But you’ve been lucky to be part of companies that have adopted GRC engineering. Is that a fair thing to say?
Varun Gurnaney (17:55.28)
Thank
Varun Gurnaney (18:03.76)
I can’t answer that but yeah.
Raj Krishnamurthy (18:06.174)
Okay, and you don’t have to. So let me, I think the question I want to ask you is that when you think about building a business case as a GRC leader, right, to go get the capital, when I say capital, it is not just money, right, the engineering capital that is required to automate. Does the leadership team understand what it takes to automate? What do you have to typically go through to make them understand?
Varun Gurnaney (18:16.75)
Hmm.
Varun Gurnaney (18:21.391)
Yeah.
Varun Gurnaney (18:34.425)
So you’re saying if I am like a VP of compliance at a company or a VP of security at company, is that what you’re about? Are you referring to me as a mid-level engineer trying to convince my boss who should have talked to you?
Raj Krishnamurthy (18:46.092)
I’m talking about you as an engineer, you as part of the compliance team, trying to convince your team that automation is the right thing to do.
Varun Gurnaney (18:50.263)
Okay, okay, okay. Yes. Okay, this is how you do it. You take one control that has historically either failed, or was tending to fail, or takes the longest time in your organization to actually implement. You take that one control and you automate it right from evidence collection, like gathering, validating, dashboarding, reporting, metrics:
how many hours you saved while doing the automation, providing security value through what you just built. You can just vibe code this thing. You don’t even have to go buy a tool. Vibe code one control well. Put it into a user interface, show it to your leadership. This is what we did for one control. One control for one product. This is what we say: we saved, say, 30 hours or 40 hours of man work, plus we saved human toil. We saved
time on the engineering side, we reduced our audit fatigue, we reduced our audit anxiety. Put this into some kind of document or some kind of presentation, take it to your bosses: this is a tool, this is what it did, this is what it saved, can we replicate this for other controls as well? And that’s when you are now actually building out a GRC engineering function, because nobody’s going to trust you with just hearsay.
They want to see actual physical working stuff. Sure, you can go out and buy tools. There’s a bunch of vendor tools you can go and buy in the market. They may fit your use case based on the size of your organization, or they may not. Sometimes you might need a tool. Sometimes you might need just a middleware. Sometimes you might just need a glorified spreadsheet holder. So depending on your organization, you automate one control really well,
right from your control automation all the way to your audit automation, throughout the journey. Show the results, then you get your buy-in for what you want to do next.
Raj Krishnamurthy (20:54.379)
I love what you’re saying. So start small, don’t try to boil the ocean. Be true to the agile sprint principles. Execute on one thing, one thing well. Demonstrate the productivity and the value. And then try to see if you can continue to keep expanding.
Varun Gurnaney (21:09.391)
Yeah.
Varun Gurnaney (21:13.015)
Everybody knows this, Raj, that you’re supposed to start small, don’t boil the ocean, but how? And the how is: you take one control, one implementation, do it from start to finish, maybe deploy that dashboard locally in your organization’s infrastructure. And once you deploy something, if you, as a GRC person, deploy one small service into your organization, you will see how hard or how easy it is
to work with the developer productivity tools that a company is offering you. And you will build that empathy for the builder. Yeah.
Raj Krishnamurthy (21:48.876)
No, totally. Now, there are typically anywhere between 15 and 18 security domains, and most assessments have somewhere around 150 to 200 controls, implementable controls, right? Where do you start? Where did you start?
Varun Gurnaney (22:03.842)
I started with vulnerability management controls. Why? That was the pain point. It could have been patching, it could have been change management, it could have been access, user access reviews. It’s a hard thing to fix. People have been trying to fix it. There’s no fix for it. It’s a culture fix, right? Sure, there might be fixes depending on the organization. But yes, whatever hits, whatever is the biggest pain point.
Raj Krishnamurthy (22:22.559)
Yeah.
Varun Gurnaney (22:33.943)
if you solve that for people, people will like you somehow. It’s an easy trick.
Raj Krishnamurthy (22:37.887)
Makes sense, makes sense. Now I want to double-click on this particular control, maybe we’ll take vulnerability management, just so that our leaders can get a better understanding of this. Almost all scanners are part of your CI/CD pipeline, right? I mean, you scan your container and your virtual images, your golden images and all of those things. What is it that the GRC team is doing that SecOps is not doing in vulnerability management?
Varun Gurnaney (22:51.416)
Yeah.
Varun Gurnaney (22:57.443)
Yeah.
Varun Gurnaney (23:07.801)
SecOps is working with engineering people to fix things. GRC is waiting on the side for things to be fixed. GRC is saying, for PCI, for SOX, for SOC 2, we need this to be fixed in 30, 180, 60 days. Unless you have a common control framework or a minimum security standard that you abide by, you have SLAs all over the place. Standardize your SLAs. Figure a way out.
I don’t know what organization you’re a part of, but figure a way out. Also, SecOps, I’ve seen some SecOps teams also use compliance as a strong arm to get things fixed. They can do it, but they should do it with compliance folks on their side, right? It should not be a situation where SecOps is saying you need this to be fixed in 30 days, and then they go to compliance and say, hey,
SecOps says 30, you say 180. What is this? Connect. It’s your security anyway. So I feel it’s just… Also tooling, right? And SecOps has a lot more visibility into all the scanners. And again, I feel we just say GRC very loosely and openly, Raj, in our industry, in our conversations. We need to specify. Are you talking about compliance at a small startup, at a mid-sized company, or at a large Fortune 500? The game is completely different.
Vulnerability management at a big tech company like the Fortune 500 or a Fortune 100 would be its own specific team of, say, 10 people. They might also include software engineers in them. Right? A separate TPM for that. At a mid-size company it’s probably two people. It depends, it depends on the organization size. So as a community we should just try to bucket it:
Raj Krishnamurthy (24:57.259)
Very well said.
Varun Gurnaney (25:03.726)
Okay, are we talking about SMBs, mid-market or enterprise? What are we talking about? It cannot be generalized.
Raj Krishnamurthy (25:10.507)
But I guess when we talk about GRC engineering and automation, and I think like we were discussing earlier, this problem is more profound for mid-market and large enterprises. If you’re an SMB, you’re most likely not setting up, you’re not hiring a GRC engineer, you’re not working on it, you’re not doing any of this stuff.
Varun Gurnaney (25:22.754)
Yeah.
Varun Gurnaney (25:36.118)
I feel the archetype is changing. If you look at the very recent job postings for security engineer, GRC, it’s more of a GRC engineering based approach. Nobody’s not writing automation or engineering in their GRC job postings. They may or may not include a coding round for you. It is changing though. And I’m loving it, because it’s working. But yes, smaller companies don’t have to worry about it, because they have a smaller blast radius, but these companies also grow.
Raj Krishnamurthy (25:50.9)
Okay.
Varun Gurnaney (26:06.573)
And with the AI boom, they’re growing into mid-market really fast. So at what stage do you feel like, I need a GRC engineer versus a GRC analyst? I’m saying don’t. There needs to be a time where, like, the GRC analyst job family doesn’t even exist. It has turned into a GRC engineer who’s probably paid somewhere between these two job types.
Raj Krishnamurthy (26:06.603)
Totally.
Raj Krishnamurthy (26:27.723)
Okay, okay. Now, if you look at the mid-market and large enterprises, I think to your point earlier, a lot of what you talked about, reducing the friction, bringing people together, the behavioral change, is about reducing the engineering toil, right? Because that’s not their day job. Their day job is something else. Their day job is releasing products and features. How do you take this argument of a productivity gain, where it is accruing outside of the GRC team?
Varun Gurnaney (26:37.132)
Hmm.
Raj Krishnamurthy (26:56.211)
It’s accruing with your engineering team, with your security team, so on and so forth. How do you take this argument? Does your compliance leadership typically understand in your experience? And you talk to a whole bunch of compliance leaders as well, right? Do they understand how to take this argument beyond their group?
Varun Gurnaney (27:07.18)
Yeah, I do.
Varun Gurnaney (27:14.222)
Sometimes they do, sometimes they don’t. When they don’t, they usually fall back on people in the sec-eng organization. People who do AppSec, people who do threat hunting, people who are traditional engineers. They get tooling built by them. Or they piggyback on top of, OK, we need this particular control done for, like I said, threat hunting. And we can
automate this part of it, this small part of it, and we’re taking it away: engineers don’t have to do it. Also, great relationships, if you have them with the DevOps team, that also go a long way. So leaders, again, every organization has a different motivation, right? For a B2B company, my compliance landscape is built on sales. For a B2C company it’s built mostly on reputation. For a public company, because of SOX, it’s built on the fact that I don’t want my
I think it’s Form 8-K or 10-K, one of those forms, to have any problems, right? My CFO should sign off on those forms. So it depends on the organization. I’ve worked in tech companies, I’m tech-biased, of course. So I feel, in tech companies, engineering leadership usually gets this. And usually the CISOs or the heads of security have enough technical understanding and buy-in with
the product and engineering teams that they can push this narrative through. It could be as little as, just install this SAST GitHub app into your repository, all the way to we have a blocking situation if you commit secrets into code. So it could be the entire spectrum of things, right? I don’t know if I answered the question though.
Raj Krishnamurthy (29:08.394)
Okay, so, no, I think you did. I think you did. So I think they come in all sizes and shapes, and your point is that they need to be able to take this argument further. We had Alan Luck, who’s the head of GRC at Grammarly, with us a couple of sessions ago, and he made actually a brilliant point. His argument was not that GRC needs to be automated, meaning the controls need to be automated, the evidence collection, controls testing, so on and so forth.
Varun Gurnaney (29:12.108)
Yeah. Yeah.
Varun Gurnaney (29:17.335)
Yeah.
Raj Krishnamurthy (29:38.45)
His argument though is that that automation is not the function of the GRC team. The function of the GRC team is to enable audits, and the automation should fall second. What is your take on
Varun Gurnaney (29:47.35)
Yeah.
Varun Gurnaney (29:53.154)
I mean, if it works for his organization and culture, that’s fine. I don’t think security engineers have enough incentive to fix audits. Also look, I think what he’s talking about is control automation. I think what we’ve been talking about is more about how do we automate our audits. Let’s take one control. Let’s take the vulnerability management control that Raj is speaking about. What does it say? Scan
assets for vulnerabilities, fix them in time. I think for these two things it is building integrations with your scanners; SecOps and sec-eng will do that. Check if it’s fixed on time: that’s something, if it’s automatable to patch those things, if it was just a version number upgrade, your SecOps team can do that. What it cannot do is check if the vulnerabilities were closed on time depending on
whether it is in scope for FedRAMP or SOC 2 or ISO or PCI or SOX, depending on which framework you’re looking at. It changes. That’s the job of the compliance team. And they write audit automations for it. They don’t care if the integration is broken or not. They don’t care. I mean, they do care about it, but they are mainly looking at the audit, passing the audit for it. And that’s where I feel GRC engineering is not just about
figuring out if our vulnerability scanners are working or not, though we can do a health check on it while doing the automation. But the main goal is to figure out what things we need to go into an audit: do we have that data before we walk into an audit? Do we have less audit anxiety with these automations? Because I’m assuming what Alan was talking about is more about control automation. That is all SecOps’ job, to figure out if the vulnerability scanner is working or not, if the ticket was closed or not. That’s something that they should worry about.
Raj Krishnamurthy (31:46.068)
But are you are you
Varun Gurnaney (31:46.817)
But tying it down to a standard is where the audit automation comes
Raj Krishnamurthy (31:49.429)
Got it. So you’re basically separating the controls testing from the audit automation, right? But in many cases, they are inter-coupled. And the reason is this: typically, what happens is that the GRC teams are experts at the process that the company adopts. Because basically, your job is to make sure that you keep the promises that you make. That’s the job of the GRC team.
Varun Gurnaney (31:53.825)
Yeah.
Varun Gurnaney (32:08.319)
and
Varun Gurnaney (32:13.634)
Yeah.
Raj Krishnamurthy (32:15.144)
So many of these teams are not familiar with the process. So the GRC team is essentially trying to evaluate that the process boundaries are intact, right, that you’re honoring those promises. So if you understand the process and you want to automate, you are certainly talking about integrating with different systems, collecting data, normalizing, standardizing, and correlating them, and then applying the rules on top to determine what should be compliant, conforming, non-conforming, things like that, right? But that is an engineering discipline.
Varun Gurnaney (32:23.788)
Yeah.
Varun Gurnaney (32:41.633)
Hmm.
Varun Gurnaney (32:45.057)
Yeah.
Raj Krishnamurthy (32:45.256)
So his argument is that that engineering discipline can exist outside. I’m not going back to Alan. I mean, his comments are his comments. I think my general question to you is that, but you talked about GRC engineering as a discipline, and that’s exactly what you sort of embody as well, right? Do you see the distinction? Do you see that engineering has to be a capability within the GRC function? Or do you think that engineering has to be, this capability, engineering capability should exist with security?
Varun Gurnaney (32:51.499)
Yeah, yeah. Yeah, that’s fine.
Varun Gurnaney (33:04.365)
Yeah.
Varun Gurnaney (33:13.069)
I don’t really care where it belongs, it should get the job done. It could belong inside and report into your GRC function or it could also report into your CSO function, like directly into an automation team that could do automations for everyone in the security organization. It depends on your organization and what your CSO decides is the best play and the best bang for your resource buck. What I want to see is before walking into an audit, if my auditor gives me a sample of 25
change requests that they want to see evidence for, I should be able to put those change request numbers into a tool, click on submit and get all the data for the audit. That’s what I want to see in an audit automation tool. In a control automation tool, I should be able to see the status of all change requests happening. Right? But I can’t show that to my auditor. That’s 100% sampling. That’s like, just a bad compliance person then.
Raj Krishnamurthy (33:51.316)
Makes sense.
Raj Krishnamurthy (34:03.444)
I’m with you.
Raj Krishnamurthy (34:08.34)
But I want to challenge you there. Why not? Why should, if, I mean, there are practical realities, which is what I’m trying to get to. But if the auditor’s job is to evaluate and sample and make sure that he can gain some assurance, he or she or they can gain some assurance, if you can expose all the data to the auditor, why is there a need for a GRC team?
Varun Gurnaney (34:14.349)
Yeah.
Yeah.
Varun Gurnaney (34:24.801)
Yeah.
Varun Gurnaney (34:33.909)
Okay, you’re talking about a broken system we all agreed to before I was born, where we have auditors as a system in check, right? The way the world is going right now, I think we will not have compliance. You and I should not have jobs because security should be so strong and the assurance metrics should be built on our security practices that compliance is automatically met, but that doesn’t happen.
That doesn’t happen in any organization I have seen or spoken to. So we need the compliance job type. And because we have that, please show, your auditor will say, please show me 25 of the 5,000 samples you have for change request, right?
So the way auditors function inherently is broken, but it’s fine. We’ve all agreed upon this broken system. How can we, okay, if you want to unbreak the system, I think we’ll have to, it will take us, and I’ll have to be like, take a rebirth and then come back and then figure this out. But in this current broken system where auditors ask you for evidence, this is what we want to see, right? Sure, I would want an AI auditor coming in and looking at evidence generated by a compliance AI agent, which uses an MCP server to talk to all the people, so that we have, this is an ideal world, but yeah.
Raj Krishnamurthy (35:54.475)
Got it. So if the auditors are asking for samples and if the audits are performed once a year, I think at best maybe, I’ve never seen anybody do anything more frequently than that, maybe once a quarter in some cases. And there are different types of audits, right? What is the need for automation? Is it purely the size of the company that is requiring you to automate?
Varun Gurnaney (36:06.805)
Hmm. Yeah, exactly.
Varun Gurnaney (36:20.173)
It’s the size and it’s the audit anxiety. If something was broken in September of 2025 and we discovered it in January 26, we were not seeing, we failed four months, right? Five months. So, yeah, that’s the problem.
Raj Krishnamurthy (36:48.82)
So let me rephrase the question, because I think I was actually expecting a different answer, and I was trying to see that question. Are you saying then the GRC team essentially acts as a buffer between continuous assurance and audit? In other words, you are actually getting a constant feed of activities that are happening, and you’re evaluating a process. But what you’re actually sending the auditors is almost a curated data set.
Varun Gurnaney (36:54.815)
Okay, okay.
Varun Gurnaney (37:15.117)
They’re asking you for a curated data set. They’re asking you for 25. If they ask you for a 100% sample, you will battle with them on why do you need that. As a security engineer, I want to see 100% of my change requests passing all the controls that you set on them. As a compliance person, I do not want a qualified SOC report. As an auditor, I want to discover holes in your system.
Right? So that is exactly why we have the concept of audit independence. Right? So, yes, the GRC function acts as a layer between the inside and the outside, and that’s their job. It does exactly what internal audit does, right? In a company like the Fortune 500s. But compliance is just, I feel, it could be deemed unnecessary if we did security right
and if we could prove security right in some ways, but the systems are not designed that way. You know, there’s a theory which says that in the next couple of years, when we all have to legally buy driverless vehicles and humans are not allowed to drive anymore, we wouldn’t need red lights, wouldn’t need street rules and we would not need sign boards.
We’re not driving as humans. So if you don’t have auditors, we won’t have the compliance function. If it’s a compliance function, we would have auditors and then security should just prove itself. But it doesn’t happen. It doesn’t work like that. We’ll have driverless, way more than also we’ll have people driving the cars. Same states. Yep, green laws.
Raj Krishnamurthy (38:53.449)
If we particularly focus on the mid-market and large enterprises, what do you see as the current state of GRC tools?
Varun Gurnaney (38:59.168)
Hmm.
Varun Gurnaney (39:05.172)
I’m gonna put it in air quotes and say, I have this tool X, it does Y percentage of the job really well, but I wish it did Z as well. You have a tool that works really well, but you want it to go an extra mile or two and it does not.
Raj Krishnamurthy (39:25.033)
Can you be specific?
Varun Gurnaney (39:27.616)
Mmm.
Let’s talk about patching. The GRC tool I have can look into my cloud infrastructure really well, but it does not determine if my on-prem infrastructure has one of these. It cannot integrate with my on-prem infrastructure. And if it does, it does not scale well. Or it scales well, but it does not cover all of the on-prem stuff.
Right? Or it covers all the on-prem stuff, but it does not cover Windows servers. Right? Things like that. So the larger the organization, maybe we had an acquisition. They use a different cloud provider. It can’t orchestrate three different cloud providers together and give me a common risk score. Something like that. It’s just…
snowflake after snowflake. It does this really well, but I also need it to do that.
So I feel you need something that you can actually tweak and play with. And that’s exactly why the GRC engineer archetype fits well in the mid-market to enterprise organization, because you need someone to join these things. And that’s exactly what I think, in my second part I write about this, where you need to have skills: your vendor tool does this thing amazingly,
Varun Gurnaney (40:58.176)
maybe it does dashboarding really well and does risk scoring really well, but it does not look at the entirety of your assets, because your assets are in five different places. And so you build that plugin, or you build that connector, you extend your GRC tool, or you build another service which kind of extends your existing GRC tool, right? You don’t reinvent the wheel. So yeah.
Raj Krishnamurthy (41:19.785)
How mature do you think the current GRC tools are with respect to even the foundational stuff, right? The API, the robustness of the APIs, right? We are not even going to the GenAI space. We’ll get there next. But how robust do you think the current GRC tools are in being open and being transparent?
Varun Gurnaney (41:45.798)
In being open, I think they are open to experimentation and being design partners for a bunch of things. I don’t think they’ve been load tested for scaling really well. Also, I don’t blame them, man, because their customers are not engineers. But I’m an engineer, right? So I’m looking from that perspective. Why are you limiting me to this number of API calls? Why? Why can’t you scale up?
Raj Krishnamurthy (41:47.995)
Access through APIs.
Varun Gurnaney (42:15.117)
Why can’t you scale down? Why can’t you give me a product in a separate instance? Some customers do it, some customers don’t. Sorry, some companies do, some companies don’t. I’m not a big fan of any one particular tool in general. I think they all achieve a minimum baseline that we call the GRC tool. And then it’s the battle of the last mile, who does it the best. So let’s see. I think there is a time where we’ll…
see consolidation in the cybersecurity market. I think I told you this thing last time we spoke as well. I see there should be some consolidation happening and that’s going to be the right thing to happen for our industry. It’s going to solve problems for a lot of people. Again, going back, like GRC is so different. Okay, let’s talk about a mid-market company, right? Robinhood, we said it’s mid-market. Zendesk is mid-market too. A thousand-plus employees, sizable security, sizable GRC function.
The compliance landscape is so different. The systems are so different that you can’t compare.
Raj Krishnamurthy (43:25.415)
No, makes sense. How do you see sort of the, what do you see as the role of generative AI, large language models, large listening models in the world of GRC?
Varun Gurnaney (43:35.084)
Hmm.
Varun Gurnaney (43:41.356)
I feel it’s extremely easy to prove the proof of concept of an automation tool that you need in a team. As a GRC analyst, the example I gave you of take one control, automate the heck out of it, the last mile to develop this thing. Even if you throw a prompt in Cursor, you can get this done. Don’t expose your API keys.
Don’t push your API keys to GitHub. But yes, proving the value of automation is going to be very easy because you can vibe code these things. Secondly, documentation will be a lot easier. I keep forgetting names of tools. There was this open source tool. I think it was, I forget that name again. It looks at a repository and then it creates documentation for it. It’s like way back. It’s like I saw it last year.
I’m sure there are better tools now as well. I’ve been using a code plugin in Statsys as well. Give it a code base and it’ll write all the READMEs for you for it.
Raj Krishnamurthy (44:48.744)
I know what you’re talking about.
Varun Gurnaney (44:49.831)
Yeah, yeah. So throw the compliance flavor to it.
It creates better documentation that you need for your audits, or you need to learn more about the system. And if you have a less technical audience, it makes it much easier. I feel this is a place where we can get a lot of value from GenAI tools. Where else? I mainly use coding agents, and I’ve used documentation agents, which is also a part of the coding agent. I feel…
The third-party vendor management space.
Varun Gurnaney (45:31.179)
Everybody’s trying to disrupt it. I think we’ll see it happen. I was talking to IU as well, and we were talking about how trust pages, the trust centers of companies could be your new SOC 2. You will not need to get a SOC 2. The trust center is what you will trust when you go to buy a vendor tool.
So yeah, creating those systems, creating those checks, filling out questionnaires, looking at a trust center. Could be a thing. Using GenAI.
Raj Krishnamurthy (46:11.177)
OK, now, so you talked about sort of vibe coding, right? And I think you made a great point about sort of getting to your controls and demoing them. How do you go from the demo to a production deployment at scale?
Varun Gurnaney (46:31.179)
I mean, vibe coding gets you only so far. After that you need pure engineering skills to make the right prompts to the system. You’ve got to make the system design decisions yourself. And how do you go from zero to one, from a vibe-coded locally hosted Node.js app to a production-ready
front end, back end, system, databases, queuing, deployments and Kubernetes? That’s gonna require engineering skill sets. And I think if I was a GRC analyst trying to break into the GRC engineering archetype, I would take help from my DevOps folks for that. Hey, look, I have this system containerized. How do I deploy this? Containers have made life easier. So yes, I don’t have an exact answer for you on that, but seek help.
Raj Krishnamurthy (47:27.881)
Got it. No, that’s a great point. That’s a great point. Got it. No, you’re absolutely right. And I’ve been a systems engineer all my life. And you’re absolutely right. There is a difference between a Dockerfile and creating a container image, I shouldn’t keep saying Docker, versus deploying this on Kubernetes. These are very different scale problems. So absolutely.
Varun Gurnaney (47:28.299)
If you’re a GRC analyst and you want help, hit me up. I’ll tell you what to
Varun Gurnaney (47:47.818)
Hmm.
Varun Gurnaney (47:51.593)
Yeah, ingress, egress rules, this is gonna get you man.
Raj Krishnamurthy (47:57.331)
No, no, very well said.
Are there…
Raj Krishnamurthy (48:08.532)
We are approaching almost the end of the segment. Eric, I’m just calling out Eric because there was a pause and he’s gonna edit this out, so I’ll take this one. We are approaching the end of the segment, Varun, and are there people that you wanna call out, books that you read, role models that you look up to that have helped you shape who you are today in your career?
Varun Gurnaney (48:14.621)
Yeah, that’s fine.
Varun Gurnaney (48:33.707)
There are so many people I could not just name one. Let’s take the GRC specific function and ignore my security journey. I think if you look at the blog or the newsletters by Ayub, great resource.
Raj Krishnamurthy (48:53.65)
You know that he was a guest on this podcast, on this very show. I know he has his own show as well. Yeah, that’s true.
Varun Gurnaney (48:58.175)
He has his own show as well. Yeah, so I’m glad you guys are doing this. It’s pretty cool. There is a bunch of content by AJ which is pretty good as well. Yeah, AJ Yawn. He’s good stuff. He’s putting out good learning material. I think this is more of like beginner-level stuff that is out there, but it’s very important to get that thing out there. Me personally, I read these newsletters. I listen to your podcast. I listen to Ayub’s
Raj Krishnamurthy (49:11.346)
AJ Yawn.
Varun Gurnaney (49:27.669)
podcast. I think a bunch of ISACA stuff is also pretty good that I listen to and take inspiration from. If I just start name-dropping people it’s going to be a long list, man, and I don’t want to miss people out and make them feel I didn’t even say their name out loud. So yeah, that’s just a bunch of people who I feel people should follow. I follow literally, like, everything that is generated on LinkedIn.
Raj Krishnamurthy (49:41.674)
Mm-hmm.
Varun Gurnaney (49:57.045)
But if you’re a beginner, follow these guys. If you want to get more advanced, there is the GRC Engineering Learning Lab page. I think it was brought out recently. Let me just look it up. Yes, it’s the learning hub on GRC engineering. It has a good list of courses and podcasts and blogs and newsletters that you can read and refer to. But yeah, a bunch of mentors, a bunch of people.
Can’t name all of them. It’ll be unfair. Yeah.
Raj Krishnamurthy (50:30.415)
that’s totally okay. And for a person who’s entering this field, trying to get into GRC engineering, what would your advice be to them? What should they look up to? What should they read?
Varun Gurnaney (50:43.711)
Find the problem that pisses you off the most and don’t stop until you solve it for yourself. Forget what’s out there, forget what I’m saying, forget what the podcasts or the blogs or the newsletters keep on saying to you. You have a problem in your compliance space, go fix it for yourself and for your team, and you will find people along the way who will guide you, mentor you, take care of you, and this is the entire community we have around here. So, it’s all of us. You’ll find us along the way if you’re new.
Go fix your own problem first and then you will see the world opens up for you.
Raj Krishnamurthy (51:18.887)
No, love it, love it. And if folks want to reach you, how do they reach you?
Varun Gurnaney (51:23.115)
LinkedIn is a great place. Connect with me, message me, reach out. I also accept Venmo. Just kidding. Hit me up on Venmo, I can’t ignore you then. So that works. But yeah, LinkedIn is a good place to reach out. I write, I try to write on Medium. I’m not the most disciplined content creator out there in the world. So massive respect for people who do this.
Raj Krishnamurthy (51:31.463)
Ha ha ha ha ha
Varun Gurnaney (51:51.413)
people like you who create these podcasts, good stuff. But yeah, LinkedIn is how you talk to me.
Raj Krishnamurthy (51:57.299)
So with that, we come to the end of the podcast. Varun, it was fantastic having you on the show. Thank you.
Varun Gurnaney (52:01.799)
Same here Raj, see you. Bye bye.