In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from reactive audits to continuous visibility. He breaks down why curated visibility beats blanket access, why SOC 2 should sharpen—not dilute—your security program, and how to anchor leadership decisions with meaningful risk data.

Key Takeaways

• GRC only scales when its processes mirror how engineering teams already work.
• SOC 2 should enhance your security program rather than becoming a superficial checkbox exercise.
• Curated visibility reduces friction and improves cross-functional trust.
• Clarity in ownership is the backbone of a scalable GRC function.
• Continuous, context-driven evidence cuts audit fatigue and sharpens the entire program.

What You’ll Learn

• How Tom built and matured GRC programs across four different companies.
• Why engineering alignment is essential for sustainable compliance.
• How curated visibility replaces access sprawl and accelerates audits.
• The difference between risk-driven and compliance-driven GRC.
• Why automation only works when underlying processes are mature.
• How to structure ownership to reduce bottlenecks during SOC 2 and similar frameworks.

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Tom Scuderi | Senior Manager of Security & GRC | LTK
Connect on LinkedIn: https://www.linkedin.com/in/tom-scuderi/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify:

https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts:

https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

#SecurityAndGRCDecoded #RajKrishnamurthy #TomScuderi #LTK #GRC #ScalingGRC #SOC2 #EngineeringAlignment #RiskManagement #SecurityLeadership #Compliance #GovernanceRiskCompliance #SecurityGRCPodcast #ComplianceCow

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Sergio Alonso, a seasoned GRC and information security leader at Rapid7, whose 17–year career spans auditing, high-regulation banking, blockchain innovation at Akamai, privacy GRC at Twitter, and now trust and governance in cybersecurity. Sergio breaks down how to translate legacy compliance thinking into modern engineering-aligned practices, why automation is the only scalable path forward, and how controls should be treated as “promises” that teams must honor every day. This conversation explores scaling GRC in high-velocity environments, reducing compliance fatigue, applying zero-knowledge principles to trust, and building the next generation of context-driven risk programs.

Key Takeaways

• Automation is the only sustainable path to scaling GRC without increasing friction.
• Controls should be viewed as “promises,” and audits as the consequence of keeping or breaking them.
• Context — technical, business, and risk — is the primary driver of effective triage and prioritization.
• GRC must evolve from a legacy function into a trust-driven, engineering-aligned discipline.
• Zero-knowledge-style thinking may define the future of transparency and customer trust.

What You’ll Learn

• How to adapt legacy compliance experience for cloud, SaaS, and fast-moving tech companies.
• Why automation, evidence APIs, and GRC engineering are becoming non-negotiable.
• How to reduce compliance fatigue using “meet once, meet many” principles.
• Why context is the key to reducing noise from security tools.
• How to partner with engineers using empathy, clarity, and strong framing.
• Why trust and transparency are reshaping GRC inside cybersecurity companies.

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Sergio Alonso | GRC & Information Security Leader | Rapid7
Connect on LinkedIn: https://www.linkedin.com/in/salonsor/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5xuvsT8HdJsa2sbhAFZQhL

Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Mukund Sarma, Deputy CISO and Head of Product Security at Chime, to explore what happens when governance, risk, and compliance teams work with engineering instead of against it. Mukund shares real-world lessons from a decade in security, explaining how to balance shift-left initiatives, build paved paths that reduce friction, and make compliance a natural byproduct of great engineering. This is a masterclass in aligning security, GRC, and DevOps for scale and sanity.

5 Key Takeaways

• GRC isn’t a blocker—it’s a mirror that keeps security honest and accountable.
• Strong security engineering automatically strengthens compliance outcomes.
• Friction between security and engineering fades when empathy drives collaboration.
• “Shift left” works best when paved paths and automation support developers.
• Practical controls and continuous validation create sustainable, scalable governance.

What You’ll Learn

• How to bridge silos between security, GRC, and engineering teams.
• Why automation and continuous control monitoring are the future of compliance.
• What “practical controls” really mean in modern DevSecOps environments.
• How empathy and communication transform security culture.
• Why compliance should follow great security engineering, not lead it.
• Real-world examples from Chime’s approach to product security.

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Mukund Sarma | Deputy CISO and Head of Product Security | Chime
Connect on LinkedIn: https://www.linkedin.com/in/sarmamukund/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:
Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr
Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450?i=1000736617569