
Explore all episodes of the GRC Engineering Podcast

Browse the complete list of episodes of the GRC Engineering Podcast. Each episode is catalogued with a detailed description, which makes it easy to search for and explore specific topics. Follow every episode of your favourite podcast and never miss relevant content.


Title (date, duration)

The Unfiltered GRC Automation Roundtable: 7 Platform Executives on Enterprise GRC & Commoditisation (25 Mar 2025, 01:52:35)

In this groundbreaking episode of the GRC Engineering Podcast, we bring together executives from the 7 leading GRC automation platforms for an unprecedented discussion on the future of compliance automation. For the first time ever, leaders from Vanta, Drata, Anecdotes, Secureframe, Sprinto, Scrut Automation, and Thoropass share the same virtual stage to debate critical industry topics, challenge common assumptions, and share their visions for the future of GRC.

Featured Guests:

- Jake Bernardes - CISO, Anecdotes

- Matt Hillary - CISO, Drata

- Jeremy Epling - Chief Product Officer, Vanta

- Shrav Mehta - Founder & CEO, Secureframe

- Girish Redekar - Co-founder & CEO, Sprinto

- Nicholas Muy - CISO, Scrut Automation

- Andrew Persons - VP of Product, Thoropass

From the commoditisation debate to enterprise adoption challenges, get unique insights into how these platforms are shaping the future of GRC.

Key Timestamps:

00:00 Introduction and guest introductions

09:00 Is compliance being commoditised? The vendor perspective

32:30 Is assurance impacted by selling compliance to non-GRC stakeholders?

49:30 If quality were very low, most GRC automation firms would be out of business

54:30 Selling GRC automation to enterprise customers

01:19:00 Working around existing legacy GRC platforms

01:34:30 The risk of being replaceable when embedded at the data layer

01:38:40 Working with product feedback from non-customers

01:46:45 GRC Engineering discussion

01:50:00 Conclusion and key takeaways

Special thanks to our guests for making this historic conversation possible.

This discussion represents a turning point in how we think about GRC automation and its role in modern organisations.

#GRCEngineering

Scaling GRC Engineering: The Definitive Guide w/ Akhila Chitiprolu from Sierra | S2E3 (18 Mar 2025, 00:57:41)

If you enjoy the podcast, feel free to subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

In this episode of The GRC Engineering Podcast, host Ayoub Fandi speaks with Akhila Chitiprolu, head of GRC at Sierra and former GRC leader at Stripe, Expedia, and T-Mobile.

Akhila shares her journey from engineering to GRC leadership and offers deep insights on transforming traditional compliance into engineering-driven programs that scale with modern technology companies.

Drawing from over a decade of experience across tech, fintech, telecom, and AI, she provides practical strategies for building GRC Engineering capabilities from the ground up.

Whether you're just starting your GRC Engineering journey or looking to scale existing efforts, this episode provides tactical advice on:

- Transforming control design for automation and scalability

- Convincing traditional auditors to accept API-driven evidence

- Building the business case for GRC Engineering investments

- Developing effective collaborations between technical and non-technical GRC staff

- Measuring and demonstrating the value of engineering-driven compliance

- Creating a roadmap for continuous control monitoring

Key topics covered:

00:00 Introduction and guest background

02:58 Evolution of GRC: From spreadsheets to engineering-driven approaches

04:05 The biggest pain point: Evidence collection at scale across multiple frameworks

05:38 Why control design matters more than evidence automation alone

11:20 The tipping point for GRC Engineering adoption in organizations

13:30 Breaking down GRC process phases and where engineering adds value

26:52 How to work with auditors on engineering evidence and build trust

31:53 Build vs. Buy: Finding the right approach for your organization size

37:10 Building relationships with engineering teams through shared pain points

39:33 How compliance can become an engineering roadmap for platform teams

42:04 Key principles for scaling GRC Engineering programs beyond initial wins

48:19 GRC Engineers & Analysts: Working together effectively across skill sets

53:41 The magic wand question: Asset to control view and community education

AI Agents as the next GRC Frontier w/ Shruti Gupta from Zania | S2E2 (02 Dec 2024, 01:06:27)

To view the notes from the podcast and much more, check out the episode summary on the GRC Engineer.

Is GRC Engineering the next DevSecOps? w/ Justin from Klaviyo | S2E1 (21 Oct 2024, 00:57:37)

Join us for the first episode of Season 2 of the GRC Engineering Podcast, featuring Justin Pagano, Director of Security, Risk, and Trust at Klaviyo.

Justin shares his journey through GRC, from his early days as a software engineer to being a catalyst of the GRC Engineering initiative.

He discusses the limitations of traditional documentation-heavy approaches and advocates for more engineering-driven practices in governance, risk, and compliance, and explains how GRC Engineering could be the next DevSecOps.

Be warned, TPRM is taking repeated hits in this episode!

GRC Engineering Podcast? The Who, the Why and the What w/ Ayoub Fandi | S1E1 (19 Oct 2024, 00:10:00)

Learn more about the why behind the podcast, some info about the background of the host as well as the main objectives of the GRC Engineering podcast.

Genesis of a GRC Engineering program w/ Akshay Finney from Zoom | S1E6 (04 Mar 2024, 00:51:27)

Join Akshay Finney, a GRC Engineering team lead at Zoom, as he dives into the dynamic realm of security engineering and GRC integration. Uncover the importance of translating security requirements into engineering language, the evolving role of GRC engineering, the importance of taking an engineering approach to security programs, and the importance of collaboration with product teams to advance GRC objectives.

Getting Technical about Compliance w/ Vic Bhatia from ComplianceFoundry.ai | S1E5 (12 Feb 2024, 00:54:29)

Explore the evolution of compliance engineering with Vic Bhatia, CEO of Compliance Foundry, as he shares insights from his journey, including experiences at Meta. Discover the challenges and solutions in aligning compliance with engineering incentives and the future of automated compliance solutions in the cloud.

Overcome your GRC challenges w/ Chris Hughes and Lloyd Evans from Aquia | S1E4 (09 Jan 2024, 00:49:14)

With Chris and Lloyd from Aquia, you'll learn more about why we need GRC Engineering, which skills you need to work on, and the impact of innovations (such as AI) on how we should view our field.

Think in Systems w/ Simon Goldsmith from OVO | S1E3 (14 Dec 2023, 00:56:40)

Episode Summary

In this episode, I welcome Simon Goldsmith, the Head of Information Security at OVO and a seasoned security leader with over 20 years of experience across industries like defence, financial services, and retail.

Simon shares his journey from working on helicopter survivability for the Ministry of Defence to leading security efforts at OVO, focusing on systems thinking and the evolving role of GRC in fast-paced environments.

The discussion dives deep into the challenges of balancing speed and security, the importance of collaboration in regulatory compliance, and how personal responsibility for CISOs is shaping the future of security leadership.

Key Topics Discussed

  • 💼 Career Journey: Simon reflects on his career path, starting in the defense sector with the Ministry of Defense, moving through financial services and retail, and eventually taking on his current role at OVO.
  • 🌀 Systems Thinking in Security: Insights into how Simon applied systems engineering concepts like "the survivability onion" to improve security outcomes across different industries.
  • 📹 Balancing Speed and Security: A discussion on how fast-moving environments like defense and private sectors can integrate security assurance early in development to achieve better outcomes.
  • 📃 Regulatory Challenges Across Jurisdictions: Simon shares his experiences navigating complex regulatory landscapes in Asia-Pacific and Europe, including personal liability challenges for CISOs.
  • 💼 Leadership and Collaboration: Emphasizing the importance of strong teams and relationships to manage stress and uncertainty in high-stakes environments.
  • 🚅 Forward-Looking Reflections: Simon discusses his current mission at OVO, supporting zero-carbon living through tech-enabled energy retail while addressing broader societal challenges.

Notable Quotes

"The time horizon of the board is radically different from that of an engineer in a sprint."

"Balancing prevention with a positive attitude towards detection and discovery is key to building effective systems."

"Bringing assurance teams into the development lifecycle early can lead to better security outcomes—not just better documentation."

"Personal liability for CISOs is a growing challenge; it requires courage to take on such roles."

Guest Bio

Simon Goldsmith is an accomplished information security leader with over two decades of experience across defense, financial services, retail, and energy sectors. Currently serving as Head of Information Security at OVO, Simon has a passion for systems thinking and collaborative leadership to drive impactful security outcomes.

Call to Action

If you enjoyed this episode, please subscribe to our podcast for more insights into GRC Engineering and cybersecurity leadership. Don’t forget to leave a review if you found value in this conversation!

For questions, guest ideas, or feedback, reach out to me on LinkedIn.

Engineering your GRC program w/ Charles Nwatu from Netflix | S1E2 (28 Nov 2023, 00:51:00)

Charles will give us an overview of how GRC can benefit from an engineering mindset and DevOps practices. We cover a lot of ground and also discuss future developments that could propel the industry further towards continuous assurance.

© My Podcast Data