Hosted on Acast. See acast.com/privacy for more information.
Hosted on Acast. See acast.com/privacy for more information.
This episode dives deep into the messy, absurd, and sometimes hilarious world of SOC 2 audits and compliance frameworks. Wiz CISO Expert Zlatko Unger joins the crew to talk about the expanding “acronym soup” of frameworks, the blurred lines between automation and assurance, and why finding an auditor who vibes with your team might matter more than the name on the certificate.
The crew also debates the future of SOC 2 — from fast-track “15-hour audits” to the rise of AI-generated reports — and whether the entire model needs a ground-up rebuild.
Guest: Zlatko Unger, CISO at Wiz
Hosts: Troy Fine, Kendra Cooley, Elliot Volkman
00:03 — Framework overload
00:07 — Auditor “vibe check”
00:11 — SOC 2’s fall from grace
00:16 — TPRM and audit fatigue
00:25 — SOC 2 for robots
00:36 — Reform or rebuild?
Hosted on Acast. See acast.com/privacy for more information.
TJ, Kendra, and Elliot are back, and welcomed Evan Millman, GRC Manager at Abnormal Security, for what started as a casual chat and evolved into a sharp look at compliance blind spots, the role of AI in GRC, and how professionals can shape their careers in a changing field.
[00:02:00] Evan shares how he used ChatGPT to analyze a risk assessment report.
[00:05:00] What GRC leadership looks like at Abnormal Security (ISO 27001, 27701, 42001, SOC 2).
[00:07:00] The complicated relationship between organizations and auditors — bias, incentives, and the reality of “clean” reports.
[00:12:00] Why third-party attestations are table stakes, not real assurance.
[00:19:00] TJ and Evan debate solutions: peer reviews, government oversight, or is the system fundamentally flawed?
[00:27:00] How Abnormal approaches vendor risk: criticality ratings, renewals, and compensating controls.
[00:32:00] Tools and automation in GRC — benefits and buyer’s remorse.
[00:36:00] The role of AI: evidence review, documentation search, and “trust but verify.”
[00:39:00] Should GRC professionals become coders, or double down on soft skills?
[00:44:00] Evan’s career advice: networking, persistence, and why soft skills matter more than technical depth.
Hosted on Acast. See acast.com/privacy for more information.
This week on GRC Uncensored, hosts Troy Fine and Elliot Volkman sat down with Merritt Baer, Chief Security Officer at Enkrypt AI, for a candid conversation about the collision between AI, governance, and security. Merritt brought decades of CISO experience — from AWS to the intelligence community — and didn’t hold back, fully embracing our podcast name, on what’s hype, what’s real, and what CISOs should be doing today.
Hosted on Acast. See acast.com/privacy for more information.
In the latest episode of GRC Uncensored, hosts Kendra Cooley and Troy Fine sat down with Jake Bernardes, CISO of Anecdotes and host of Risking It All, to talk about the positive side of GRC. What unfolded was less about sugar-coating and more about the tensions shaping our industry from AI disruption to the shaky future of SOC 2 reports. More specifically, is there a world where we see a consolidation of regulations and frameworks in response to the sprawl we see now?
[00:02:00] AI and Auditing – Will automation replace auditors or make them indispensable?
[00:06:00] The Positive Side of GRC – How automation is reshaping the auditor’s role.
[00:15:00] Are Compliance Platforms Lowering the Bar? – Check-the-box programs vs. meaningful assurance.
[00:23:00] The SOC 2 Debate – Is it still valuable, or creating a false sense of security?
[00:30:00] Toward Continuous Assurance – Dynamic trust centers and evidence as the new currency.
[00:40:00] The Future of Risk in GRC – Why risk registers must evolve and become data-driven.
[00:46:00] Closing Thoughts – Optimism about where GRC is headed despite today’s challenges.
Hosted on Acast. See acast.com/privacy for more information.
This week, the crew sits down with Henry Stanley—founder of Fabrik and engineer-turned-GRC troublemaker-to dig into the messy reality of third-party risk management (TPRM). With experience across fintech, startups, and security consulting, Henry brings a pragmatic but optimistic view of how the industry can move forward.
From the limits of SOC 2 and the myth of standardization to the risks and rewards of AI-powered questionnaires, the group unpacks why TPRM is so fragmented—and why that’s not necessarily a bad thing. They also get real about AI in audits, the future role of assurance professionals, and why human connection still matters.
06:30 – Why TPRM Is Fragmented by Nature
09:00 – SOC 2 Isn’t Enough (And Never Was)
13:30 – Does Anyone Really Trust Audit Reports?
17:30 – Blacklists, Quality Checks & the SOC 2 Vibe Check
20:00 – The Rise of AI in Vendor Assessments
25:30 – AI Answers vs. AI Confidence
28:30 – Auditing the Auditors (and Their AI)
32:00 – Reasonable Assurance in an AI World
35:30 – Skepticism, Trust, and Human-in-the-Loop Auditing
38:00 – Does AI Kill Creativity? A Side Quest
44:00 – Will TPRM Be Agent-to-Agent in the Future?
Guest: Henry Stanley, Founder of Security Program.io
Hosts: Troy Fine, Kendra Cooley
Producer: Elliot Volkman
Runtime: ~56 minutes
Hosted on Acast. See acast.com/privacy for more information.
This week on GRC Uncensored, the crew welcomes John Santore, a longtime FedRAMP and SOC 2 practitioner who has seen firsthand how compliance frameworks evolve, and sometimes unravel. Now serving as Director of Cyber Acceleration at Constellation GovCloud, John joins Troy and Elliot to unpack FedRAMP 20x, a new pilot program designed to streamline the U.S. government’s cloud authorization process dramatically.
The promise? Fewer controls, faster approvals, and greater automation.The concern? That all sounds a little too familiar.
Together, they explore whether FedRAMP 20x is an overdue modernization or the start of a dangerous slide toward the kind of checkbox compliance that has made SOC 2 certifications easier to get but harder to trust. From control mapping and auditor disruption to agency adoption and AI-assisted audits, this episode provides a deep dive into what happens when good frameworks move too quickly and how to maintain trust when they do.
[00:01:00] – Guest intro: John’s history with SOC 2, FedRAMP, and working with Troy
[00:06:00] – How SOC 2 influenced John’s transition into federal compliance
[00:08:00] – What is FedRAMP 20x, and why is it happening now?
[00:10:00] – From 12-month review cycles to fast-tracking assessments
[00:14:00] – Key Security Indicators (KSIs): replacing hundreds of controls with a handful of validations
[00:18:00] – Are KSIs basically just vague control summaries? (Spoiler: yes)
[00:22:00] – Why GRC platforms are being prioritized in the pilot
[00:25:00] – Potential expansion to FedRAMP Moderate and High
[00:28:00] – Will agencies even accept this?
[00:31:00] – Advice for cloud service providers evaluating FedRAMP now
[00:34:00] – Is FedRAMP on the path to commoditization?
[00:39:00] – Evaluating rigor vs. relevance: security posture ≠ certification
[00:44:00] – The problem of vague frameworks and audit inconsistency
[00:48:00] – Comparing SOC 2, FedRAMP, and the race to the bottom
[00:54:00] – Closing thoughts on AI, automation, and the future of white-collar work
Guest: John Santore, Director of Cyber Acceleration, Constellation GovCloud
Hosts: Troy Fine & Elliot Volkman
Runtime: ~58 minutes
Hosted on Acast. See acast.com/privacy for more information.
In this episode of GRC Uncensored, Richa, founder and CEO of Complyance, joins the hosts to unpack the growing tension between scalable compliance tooling and the real needs of maturing GRC teams. The conversation examines why SOC 2 in a box solutions fall short for mid-market organizations and what it truly means to integrate AI without compromising privacy. Along the way, the group debates the future of entry-level roles, the role of trust in automation, and whether AI is truly replacing, or simply reshaping, the GRC profession.
[00:01:00] — Intro & guest introduction: Who is Richa and what is Complyance?
[00:03:00] — Why Complyance is not “SOC 2 in a box” and how their ethos differs
[00:06:00] — Segmenting the GRC tooling market: Startups vs mid-market vs enterprise
[00:08:00] — Mid-market struggles: From Excel to Airtable to tailored automation
[00:12:00] — The audit bundling debate: Why Complyance refuses to package audits
[00:15:00] — Saying no to venture capital pressure and building for the right customer
[00:18:00] — What GRC software should enable: peace of mind, not paperwork
[00:19:00] — Roundtable: Troy and Kendra weigh in on AI in GRC
[00:27:00] — Conversational AI, embedded AI, and the rise of Agentic AI
[00:31:00] — Risk owners, vendor reviews, and trust in automation
[00:34:00] — Is AI replacing entry-level jobs or just reshaping them?
[00:38:00] — Teaching with AI: From education to GRC upskilling
[00:42:00] — The risk treatment plan case study: AI as a draft, not a decision
[00:47:00] — Closing thoughts on AI, SaaS disruption, and Jetsons-level predictions
Hosts: Troy Fine, Kendra Cooley
Producer: Elliot Volkman
Runtime: ~49 minutes
Hosted on Acast. See acast.com/privacy for more information.
As organizations contend with growing threats and shrinking GRC teams, this episode explores the widening talent gap in governance, risk, and compliance. Guest Shruti Mukherjee, a former software engineer turned GRC practitioner, shares her journey, her insights on the evolving nature of the field, and her call to action for both professionals and organizations to rethink what GRC careers can look like.
Guests: Shruti (GRC Professional)
Hosts: Troy Fine, Kendra Cooley
Producer: Elliot Volkman
Runtime: ~55 minutes
Show Notes & Segments:
00:00 – Intro & Banter
Casual chatter and AI banter with the crew, including Shruti’s first ChatGPT query and a few carrot cake recipes.
09:00 – GRC’s Image Problem: Is It Just Boring?
Shruti discusses the perception problem around GRC, generational gaps in interest, and why it’s often viewed as unsexy or undervalued work.
14:30 – Reframing the Pipeline: Who Should We Be Recruiting?
The group considers alternative talent pipelines, especially mid-career professionals who better understand the strategic value of GRC.
Quote: “Maybe it’s time to come to the good side.” – Kendra
20:30 – The Role of AI and Automation: Friend or Foe?
Shruti and the hosts weigh in on how automation platforms are shaping the field—for better or worse—and whether GRC jobs are at risk of being replaced.
Quote: “I treat AI like an intern. It can do some of the work, but I’ll always check it before it leaves the building.” – Shruti
26:00 – What Should New GRC Pros Learn?
Shruti shares what she wishes she had known earlier—especially around audit practices—and the value of soft skills and continuous learning.
30:30 – Critical Thinking, Not Just Checkboxes
Why GRC professionals must retain their ability to think critically, validate automation outputs, and question assumptions.
Quote: “We are losing our ability to be critical thinkers.” – Kendra
36:00 – Does GRC Need to Be Technical Now?
Shruti unpacks how her technical background helps her talk with engineers, understand tooling, and embrace AI; arguing that technical fluency is becoming essential.
44:30 – Final Thoughts: Risk Culture, Knowledge Transfer, and the Future
The group reflects on the need to pass down GRC fundamentals, resist overreliance on AI, and target new demographics for hiring.
Hosted on Acast. See acast.com/privacy for more information.
Guest: Pete Strouse, Cybersecurity Talent Advisor & Host of The Talent Gap Fireside Chat
This episode explores how governance, risk, and compliance (GRC) roles are filled, and why it's getting harder to land one. Pete Strouse unpacks the current job market, share recruiter insights, and offer advice to job seekers and hiring managers navigating a GRC landscape shaped by automation, offshoring, and unrealistic expectations.
[02:30] – GRC Careers Usually Start in Consulting
[09:45] – Are Candidates Using ChatGPT to Fake It?
[17:00] – How Recruiters Actually Source Talent
[23:00] – Red Flags: What Turns Recruiters Off Immediately
[28:30] – Is There Really a Talent Shortage in GRC?
[36:00] – How Automation and Offshoring Are Reshaping GRC Roles
[42:00] – Advice for Candidates and Hiring Managers
Hosted on Acast. See acast.com/privacy for more information.
This episode of GRC Uncensored goes full behind-the-scenes as Troy Fine, Kendra Cooley, and producer Elliot Volkman sit down for an unscripted discussion. From the challenges CPAs face in the security world to the ethics of auditing, the team explores what happens when trust, risk, and reputation collide. Plus, a big reveal: Troy is starting his own CPA firm—Fine Assurance.
[00:10:00] The CPA Debate
Troy breaks down the CPA backlash in cybersecurity, explaining why the criticism isn’t always fair—and why the problem might be deeper than just the credential.
[00:16:00] What Does “Technical” Really Mean?
The team explores what it means to be “technical” in security and whether that should be a requirement for auditors or GRC pros.
[00:30:00] Kendra’s Take: Use Your Auditor to Scale Security
Kendra flips the audit narrative: instead of hiding problems, she embraces audits as an opportunity to advocate for budget and resources.
Hosted on Acast. See acast.com/privacy for more information.
In this episode of GRC Uncensored, hosts Troy Fine and Kendra Cooley, along with producer Elliot Volkman chat with Rob Wood, founder and CEO of Sidekick Security, to explore the relationship between compliance and security. They dig into topics such as the limitations of compliance as a security measure, the role of compliance tools and platforms, and the importance of effective communication and leadership in fostering robust security programs. Various perspectives on compliance as a foundational element for security, contrasting viewpoints on automation tools, and the impact of breaches highlight the intricate balance between meeting compliance requirements and achieving genuine security improvements.
05:38 Compliance vs. Security: A Deeper Dive
11:26 The Role of Compliance in Building Security
25:19 The Impact of Breaches on Security Practices
32:35 Balancing Security Spending and Compliance
34:08 Risk Reduction and Customer Trust
38:03 Quantifying Risk and Compliance
47:09 Compliance Tools and Automation
51:00 High Trust Certification and Breach Impact
Hosted on Acast. See acast.com/privacy for more information.
In this episode of GRC Uncensored, hosts Troy Fine and Elliot Volkman invite Jeff Cook, a compliance expert with over 20 years of experience, to discuss the intricacies of auditor oversight and peer reviews. Jeff shares insights into the complexities of the peer review process, including the role of State Boards of Accountancy, AICPA, and the challenges of maintaining quality in SOC reports. The conversation also addresses potential improvements in the peer review system, market education, and the impact of GRC tools.
05:08 Diving into CPA and Compliance
08:50 Challenges in Peer Review and Quality Control
12:09 Market Influence and Future Directions
25:22 The Role of GRC Tools
Hosted on Acast. See acast.com/privacy for more information.
On a recent episode of GRC Uncensored, host Troy Fine and producer Elliot Volkman were joined by guest Stanley Krochik, a now seasoned GRC professional and former city security program manager, to discuss the realities of third-party risk Management (TPRM). The conversation focused on the growing issue of low-quality audits, the challenge of assessing vendor security postures, and the dilemma risk managers face when reviewing third-party documentation.
04:43 The Importance of Third Party Risk Management
05:45 Challenges with Low Quality Audits
07:45 Evaluating SOC 2 Reports
12:55 Issues with Sales-Focused GRC Tools
14:44 The Need for Better Compliance Programs
27:50 High-Risk Vendor Architecture Review
29:07 SOC 2 Reports and Vendor Risk Management
31:50 Challenges with SOC 2 and Auditor Quality
36:49 Financial Impact of Data Breaches
38:10 Differences in Security Between Old and New Systems
47:43 Proactive vs. Reactive Security Measures
Hosted on Acast. See acast.com/privacy for more information.
The latest episode of GRC Uncensored dove deep into the magical world of AI governance, specifically on ISO 42001. This week, our guests are Chris Honda, Whistic’s Manager of Security, Risk, and Compliance; and Jonathan LeBaron, MasterControl Senior GRC Engineer with the golden voice. Our due shared their firsthand experiences navigating compliance, business adoption, and the broader implications of AI risk management.
02:23 Discussing AI in GRC and ISO 42001
02:56 ChatGPT and AI Experiences
08:07 Implementing ISO 42001: Challenges and Insights
19:20 Third-Party Risk Management and AI
26:43 Scope and Complexity of AI in Software Products
27:57 Challenges in High-Risk AI Applications
29:43 Regulatory Landscape and AI
32:02 Driving Forces Behind ISO Certification
38:53 AI Risks and Business Understanding
43:56 Ethical and Societal Impacts of AI
Hosted on Acast. See acast.com/privacy for more information.
In this episode of GRC Uncensored, hosts Troy Fine, Kendra Cooley, and producer Elliot Volkman dive into an unfiltered discussion with Joseph Kirkpatrick, founder and president of KirkpatrickPrice. The focus is on the implications of private equity and compliance automation tools in GRC.
Joseph shares his insights on how the influx of private equity funding and the rise of 'SOC in a box' platforms have transformed the GRC landscape, often negatively impacting audit quality and independence. Key topics include the challenge of maintaining ethics in auditing, the adverse effects of aggressive marketing by compliance tools, and the importance of conducting thorough, unbiased audits. The conversation also touches on the difficulty audit firms face when pressured to lower costs or cut corners to retain business.
01:21 The Impact of SOC 2 Platforms
02:51 Private Equity's Influence on the Industry
03:04 Challenges Faced by Licensed Practitioners
04:32 Marketing Dollars and Industry Perception
06:06 The Role of Compliance Tools
10:51 Conflicts of Interest in Auditing
21:08 The Reality of Zero-Touch Audits
24:46 Trusting Compliance Platforms
33:44 Challenging the Status Quo in Auditing
34:27 Targeting the Right Market
35:09 The Role of Audit and Customer Expectations
35:44 Critique of AICPA and Cybersecurity Education
36:55 Practitioners' Responsibility in Auditing
39:13 The Problem with Automation Tools
43:30 Shady Business Practices in Auditing
47:29 Ethics and Integrity in Auditing
50:34 The Importance of Thorough Audits
Hosted on Acast. See acast.com/privacy for more information.
In this episode, host Troy Fine and producer Elliot Volkman welcome guest Kevin Kriebel, VP of Business Development at Drata. The conversation focuses on the challenges and intricacies of maintaining auditor independence and integrity in the compliance automation landscape. Key topics include the impact of bundling and price fixing on audit quality, the need for improved TPRM functionality, and the role of enterprises in ensuring higher standards. The discussion also addresses the importance of education and transparency in mitigating the risks associated with low-quality audits and driving market changes.
01:04 Introductions and Ground Rules
02:23 Discussing Auditor Independence
04:30 Challenges in the Audit Industry
06:19 Vendor Relationships and Audit Integrity
10:14 Education Gap in Compliance
23:58 Industry Price Fixing Concerns
27:30 Discussing Audit Automation and Vendor Practices
28:19 The Problem with Bundling Services
29:02 Challenges in Vendor Accountability
30:34 The Role of TPRM and AI in Compliance
33:29 The Importance of Education in Compliance
38:24 Market Dynamics and Compliance Requirements
Hosted on Acast. See acast.com/privacy for more information.
In the pilot episode of GRC Uncensored, hosts Troy Fine and Elliot Volkman introduce the podcast aimed at having unfiltered discussions about Governance, Risk, and Compliance (GRC). This episode was recorded before any interviews and offers some retrospectives of what became reality or not. They detail their professional backgrounds, especially highlighting Troy's unexpected journey into auditing and meme culture on LinkedIn. The hosts share the focus of future episodes (which have already been published), including the commoditization of compliance and the quality of audits, while emphasizing the importance of honest and authentic conversations in the GRC field. They also discuss the potential for disagreement among industry professionals and encourage audience engagement and feedback.
00:00 Introduction to GRC Uncensored
00:42 Meet the Hosts: Troy Fine and Elliot Volkman
01:34 Troy's Journey into Auditing and Memes
03:10 The Role of CPAs in Cybersecurity
05:29 The Purpose of GRC Uncensored
07:08 Pilot Season and Episode Preview
09:51 Commoditization of Compliance
19:02 Quality of Audits and Future Topics
21:45 Conclusion and Call for Feedback
Hosted on Acast. See acast.com/privacy for more information.
In this episode of GRC Uncensored, hosts Troy Fine and Kendra Cooley, along with producer Elliot Volkman, continue their pursuit of trying to understand what is explicitly holding the GRC world back. Joined by ISO expert David Foreman, the discussion tackles the roles of auditors, tech vendors, and market forces in shaping audit quality.
They explore the significance of audit integrity, the staying power of governance programs, and the varying expectations of companies undergoing audits. Amidst an insightful dialogue, the hosts debate the future of automated compliance tools, check-the-box audits, and the elusive definition of audit quality. Ultimately, the episode underscores the issue's complexity, emphasizing that it's not just about the vendors or auditors but also market demands and expectations.
00:00 Introduction to GRC uncensored
00:42 Meet the hosts: Troy and Kendra
01:05 Controversies and LinkedIn debates
01:37 International expansion and podcast updates
02:28 Commoditization of compliance 03:07 Introduction to Dave and his expertise
04:43 The role of vendors in compliance
07:49 Audit quality and market dynamics
09:49 The importance of audit integrity
13:11 Defining audit quality
20:26 Market expectations and audit quality
23:48 Staying power in compliance programs
28:00 High-quality vs. low-quality audit firms
28:59 Top qualities of a good auditor
29:19 Importance of knowledge in auditing
31:06 Compliance automation tools
32:26 Challenges in finding quality auditors
34:30 The reality of check-box audits
35:34 Accreditation and certification nuances
42:12 The future of auditing and trust centers
43:42 Closing remarks and shameless plugs
47:05 Final thoughts and tagline
Hosted on Acast. See acast.com/privacy for more information.
GRC Uncensored is back, and your hosts Troy Fine and Elliot Volkman are joined by Martin Cozzi, CEO of Pima, to discuss when, if at all, it makes sense to invest in a GRC tool to support a company's compliance efforts.
The discussion spans the necessity and use of various compliance tools, the challenges of scaling compliance, and the importance of having well-defined processes and dedicated personnel. They highlight the actual costs and benefits of compliance, questioning superficial practices and emphasizing the need for personalized solutions. The episode also addresses misconceptions and executive decisions crucial for maintaining compliance, offering comprehensive insights into modern GRC strategies and the evolving role of tools in achieving SOC 2 compliance.
00:00 Introduction to GRC Uncensored
00:22 Meet the Hosts and Guest Introduction
00:38 The Need for GRC Tools
02:52 Legacy vs. Modern GRC Tools
05:26 Challenges with GRC Tools
12:12 When to Choose GRC Tools
12:49 The Role of Processes in GRC
20:49 GRC Tools for Startups
23:20 The Cost of Compliance
24:43 The Role of Auditors
26:47 Touchless Audits: Pros and Cons
28:19 The Value of SOC 2 Reports
30:50 Choosing the Right Compliance Tools
32:31 The Future of Compliance Tools
40:46 Final Thoughts and Reflections
Hosted on Acast. See acast.com/privacy for more information.
In the first episode of 'GRC Uncensored,' hosts Troy Fine, dubbed the 'GRC Meme King,' and Elliot Volkman, alongside guest Kendra Cooley dive into the complexities of Governance, Risk, and Compliance (GRC) in cybersecurity. The discussion unravels the 'love-hate' relationship many security professionals have with compliance frameworks like SOC 2, exploring how they have become commoditized and possibly devalued over time.
The conversation touches upon the challenges security practitioners face in conveying the true value of GRC to businesses, the potential pitfalls of 'SOC in a box' offerings, and the broader implications of compliance becoming a 'check the box' exercise. Moreover, the episode delves into the broader regulatory landscape and the ongoing debates about the role of government regulations in cybersecurity compliance. This candid dialogue sets the stage for future episodes that promise further to dissect the nuances of cybersecurity audits and standards.
00:00 Welcome to GRC Uncensored
01:34 Introducing Kendra Cooley
02:05 Love-Hate Relationship with GRC
03:16 The SOC 2 Debate
04:33 Challenges with SOC 2 Audits
09:10 The Value of SOC 2 in the Industry
12:04 The Evolution of Compliance Frameworks
20:39 False Sense of Security in Compliance
24:46 The Buzz Around AI and Quantum
25:10 Staying Updated as a Security Professional
26:45 Challenges in Penetration Testing and Vendor Assessments
27:37 Compliance and Its Impact on Security
30:10 Government Regulations and Their Effectiveness
32:23 The Complexity of Privacy Laws
38:29 The Role of GRC Teams in Risk Management
42:30 Concluding Thoughts and Future Episodes
Hosted on Acast. See acast.com/privacy for more information.
