In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Ayub Fandi, GRC Engineering Lead at GitLab and creator of the GRC Engineer podcast and newsletter.

As AI reshapes how security teams operate, many GRC programs are still built around audits, frameworks, and compliance driven workflows. Ayub explains why this model is quickly losing relevance and why simply automating existing processes often leads to solving the wrong problems faster.

The conversation explores how security teams need to rethink their operating models in an AI driven world. Nate and Ayub discuss the shift from compliance driven programs to risk driven decision making, and why teams must move beyond audit cycles and start rebuilding workflows from first principles.

They also examine how AI is changing the nature of work inside security, why compliance is becoming table stakes, and why risk management remains one of the most complex and human parts of security. This shift is forcing organizations to rethink how they approach workflows, decision making, and collaboration across teams.

Beyond tooling, the discussion dives into systems thinking, stakeholder alignment, and how GRC teams can become more embedded within engineering, security, and the broader business.

This episode is essential listening for CISOs, security leaders, engineers, and practitioners navigating AI driven change, modern security architecture, and the evolving role of security teams.

Listen and Subscribe
Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=c862255fc2b84d12

Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699

YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor
This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews.

TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms.

Learn more at https://trustmind.com

About the Guest
Ayub Fandi is the GRC Engineering Lead at GitLab and creator of the GRC Engineer podcast and newsletter. He focuses on rethinking how governance, risk, and compliance evolve in an AI driven world.

His work centers on applying systems thinking, automation, and engineering principles to modernize GRC programs and better align them with modern security practices.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show
The TPRM Podcast features real world conversations with security leaders who are reshaping how we think about cybersecurity and risk.

Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Michael Coates, Founding Partner at Seven Hill Ventures and former CISO of Twitter, Mozilla, and CoinList.

As AI continues to accelerate both attack speed and capability, the gap between attackers and defenders is rapidly shrinking. Michael explains how automated attacks are compressing response times to the point where human driven security models are no longer viable, and why organizations must begin removing humans from critical decision loops.

The conversation explores how security teams need to rethink their operating models in an AI driven world. Nate and Michael discuss the future of the SOC, the rise of automation and agent driven workflows, and why many traditional security practices may soon become obsolete.

They also examine how AI is lowering the barrier to entry for attackers, enabling capabilities that were once limited to nation state actors. This shift is forcing organizations to move faster, experiment more, and rethink how they balance risk, speed, and innovation.

Beyond technology, the discussion dives into how roles inside security teams are evolving, what skills will matter most going forward, and why security leaders must shift from gatekeepers to enablers of business velocity.

This episode is essential listening for CISOs, security leaders, and practitioners navigating AI driven threats, modern security architecture, and the rapidly changing role of cybersecurity.

Listen and Subscribe

Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=c862255fc2b84d12

Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699

YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor

This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews.

TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms.

Learn more at https://trustmind.com

About the Guest

Michael Coates is the Founding Partner at Seven Hill Ventures and former CISO of Twitter, Mozilla, and CoinList. He has spent his career building and scaling security programs at some of the most influential technology companies while also advising and investing in the next generation of cybersecurity startups.

Michael brings a unique perspective across operator, founder, and investor roles, with deep expertise in modern security architecture, risk, and the evolving impact of AI on cybersecurity.

About the Host

Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show

The TPRM Podcast features real world conversations with security leaders who are reshaping how we think about cybersecurity and risk.

Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Conor Sherman, CISO in Residence at Sysdig and host of the Zero Signal Podcast.

As AI rapidly reshapes the cybersecurity landscape, both attackers and defenders are beginning to automate their operations in ways that were not possible just a few years ago. Conor explains how threat actors are already using AI driven techniques to accelerate attacks and why traditional security operating models are starting to struggle to keep up.

The conversation explores how defenders should rethink security strategy in a world where attacks can move from discovery to exploitation in minutes. Nate and Conor discuss autonomous defense, the limits of human driven response models, and why security teams must begin designing systems that can react at machine speed.

They also examine the role of the modern CISO, the importance of resilience over perfection, and how security leaders can help their organizations adopt AI safely while still moving fast enough to stay competitive.

This episode is essential listening for CISOs, security leaders, and practitioners navigating AI driven threats, modern cloud security, and the evolving role of security leadership.

Listen and Subscribe

Spotify
https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=1c7d77143ad7424a

Apple Podcasts
https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699

YouTube
https://youtube.com/@TPRMPodcast

Episode Sponsor

This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews.

TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms.

Learn more at
https://trustmind.com

About the Guest

Conor Sherman is the CISO in Residence at Sysdig and the host of the Zero Signal Podcast. In his role he works closely with security leaders and organizations navigating modern cloud threats and the rapidly evolving AI powered threat landscape.

Conor advises companies on building resilient security programs, adapting defenses to emerging attack techniques, and helping security teams operate effectively as both attackers and defenders begin using AI driven tools.

About the Host

Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show

The TPRM Podcast features real world conversations with security leaders who are reshaping how we think about cybersecurity and risk.

Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee talks with Jake Bernardes, Chief Information Security Officer at Anecdotes and former CISO at Whistic, known for his candid, data-first approach to GRC and third-party risk.

Jake brings deep experience across GRC, TPRM, and security leadership, and is an outspoken voice on why traditional compliance frameworks like SOC 2 have become procurement shortcuts rather than meaningful security signals. He shares a pragmatic view on what is broken in modern GRC and what it will take to fix it.

They explore what agentic GRC actually means beyond the marketing hype, why data quality and completeness are foundational for AI-driven security workflows, and how treating GRC as an engineering problem can fundamentally change how risk is assessed. The conversation also covers trust centers, machine-readable evidence, the future of audits and certifications, and how real security data could replace checkbox-based assessments.

Jake also shares direct career advice for security and GRC professionals, including why networking matters more than certifications, what it really means to be an effective CISO, and why security leaders should be driving business outcomes rather than positioning themselves as cost centers.

This episode is packed with insight for CISOs, security leaders, GRC and TPRM practitioners, and anyone thinking seriously about the future of compliance, trust, and risk.

Listen and Subscribe
- Spotify → https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=bf17a655fc0049f9
- Apple Podcasts → https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
- YouTube → @TPRMPodcast

About the Guest
Jake Bernardes is the Chief Information Security Officer at Anecdotes and former CISO at Whistic. He has extensive experience leading GRC, TPRM, and security programs and is a strong advocate for transparency, data-driven risk assessment, and treating GRC as an engineering discipline.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai, helping SaaS companies build business-aligned security programs that increase developer velocity, strengthen trust, and support rapid growth.

About the Show
The TPRM Podcast explores real-world conversations with security leaders reshaping how we think about risk, uncovering the threats, pitfalls, and myths behind today’s cybersecurity challenges.

Nate’s LinkedIn → /natetrustmind
TPRM Podcast LinkedIn → /tprm-podcast
Website → https://tprmpodcast.com
Instagram → @TPRMPodcast
TikTok → @tprmpodcast

In this episode of the TPRM Podcast — Threats, Pitfalls & Risk Myths — Nate Lee talks with Ross Young, a former CISO and longtime security leader known for his pragmatic, outcome-driven approach to cybersecurity.

Ross brings experience from the intelligence community, including over a decade in government service, as well as senior security leadership roles at Capital One and Caterpillar Financial. He’s also the co-host of the CISO Tradecraft podcast and the author of Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste.

They explore why so much security spending fails to meaningfully reduce risk, why legacy assumptions continue to shape modern programs, and how CISOs can rethink budgeting, tooling, and prioritization. The conversation covers zero-based budgeting, tool sprawl and rationalization, third-party risk incentives, and how AI is rapidly changing both attack velocity and defensive strategy.

Ross shares practical frameworks for aligning spend with real threats, improving patching speed, and making smarter tradeoffs; without simply asking for more budget.

This episode is packed with insight for CISOs, security leaders, risk executives, and anyone responsible for building security programs that actually work.

Listen and Subscribe
Spotify → https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=bf17a655fc0049f9
Apple Podcasts → https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube → @TPRMPodcast

About the Guest
Ross Young is a former CISO with leadership experience at Capital One and Caterpillar Financial, following more than a decade in the intelligence community. He is the co-host of the CISO Tradecraft podcast and the author of Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste, where he focuses on helping security leaders spend smarter and reduce real-world risk.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai, helping SaaS companies build business-aligned security programs that increase developer velocity, strengthen trust, and support rapid growth.

About the Show
The TPRM Podcast explores real-world conversations with security leaders reshaping how we think about risk — uncovering the threats, pitfalls, and myths behind today’s cybersecurity challenges.

All right. Okay
Nate’s LinkedIn → /natetrustmind
TPRM Podcast LinkedIn → /tprm-podcast
Website → tprmpodcast.com
Instagram → @TPRMPodcast
TikTok → @tprmpodcast

In this episode of the TPRM Podcast — Threats, Pitfalls & Risk Myths — host Nate Lee sits down with Mike Johnson, who led security as CISO at Lyft, Fastly, and now, Rivian, to explore what modern security really looks like at AI speed.

Mike has had a front-row seat to the evolution of security — from the early days of SaaS and hyperscale cloud platforms to today’s world of AI-driven attacks, software supply chain risk, and software-defined vehicles. He brings a pragmatic, experience-backed perspective on what actually works when security has to scale fast.

They discuss:
• Why security questionnaires fail — and what reflects real risk instead
• How AI is accelerating both attacks and detection
• The growing threat of software supply chain vulnerabilities
• Why security teams must treat telemetry as a big-data problem
• Lessons from securing SaaS, consumer-scale systems, and global infrastructure
• What “minimum viable security” really means for vendors
• The rise of automated exploitation and AI-driven attack chaining
• How defenders can finally gain leverage through context
• Why inventory and hygiene remain foundational controls
• What modern resilience looks like when third-party failures are inevitable

This episode delivers high-signal insight for CISOs, security leaders, founders, AppSec engineers, cloud security teams, and anyone building modern, engineering-aligned security programs.

Listen and Subscribe
- Spotify → https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA
- Apple Podcasts → https://podcasts.apple.com/us/podcast/the-tprm-podcast-threats-pitfalls-and-risk-myths/id1848217699
- YouTube → @TPRMPodcast

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai, helping SaaS companies build business-aligned security programs that increase developer velocity and strengthen trust.

About the Show
The TPRM Podcast explores real-world conversations with security leaders reshaping how we think about risk — uncovering the threats, pitfalls, and myths behind today’s cybersecurity challenges.

Connect with Us
Nate’s LinkedIn → https://www.linkedin.com/in/natetrustmind/
TPRM Podcast LinkedIn → https://www.linkedin.com/company/tprm-podcast/
Website → tprmpodcast.com
Instagram → @TPRMPodcast
TikTok → @tprmpodcast

Cybersecurity, CISO, CloudSecurity, AIinSecurity, SupplyChainSecurity, VendorRisk, SecurityLeadership, DetectionEngineering, BigDataSecurity, SoftwareSupplyChain, AppSec, DevSecOps, RiskManagement, TPRMPodcast, SecurityArchitecture, StartupSecurity, NateLee, MikeJohnson