Description

What if compliance wasn't just about passing audits—but about building trust from the ground up?

In this powerful episode of Security & GRC Decoded, Raj sits down with Ricky Waldron, Director of Security Audit & GRC at Navan, whose GRC experience spans tech giants like Microsoft, Disney, Oracle, and Smartsheet. Ricky shares how GRC is evolving into a strategic business partner, why automation and technical fluency are no longer optional, and what it takes to make compliance an engine of trust, not a blocker.

From FedRAMP horror stories to generative AI workflows, this conversation dives deep into the future of governance, risk, and compliance—and why it's time for GRC teams to start thinking like engineers.

🔑 5 Key Takeaways

✅ Take Action

🔗 Powered by ComplianceCow.com – automate audits, collect evidence continuously, and shift GRC left.
🎧 Subscribe to Security & GRC Decoded for weekly insights from today’s top compliance leaders.
💼 Connect with Ricky Waldron on LinkedIn.

⏱ Timestamps (approx.)

00:00 – Intro
01:35 – Hot take on GRC
04:31 – Why GRC & Security clash
08:44 – GRC is storytelling
12:57 – Risk comes before compliance
16:08 – How to talk risk with execs
20:41 – Trust as a compliance goal
24:50 – Keeping your promises
27:54 – Why GRC struggles with automation
33:15 – Speaking engineers’ language
38:50 – GRC as the customer conduit
45:00 – GRC as sales enablement
47:15 – How Ricky learned FedRAMP
50:20 – What is FedRAMP 20X?
52:27 – Why OSCAL hasn’t taken off
56:15 – Would you use OSCAL commercially?
58:36 – GenAI in GRC workflows
1:02:31 – Using AI with auditors
1:06:45 – State of GRC tooling
1:12:30 – Getting budget for automation