Unfiltered conversation with a GRC Software Engineer w/ Varun Gurnaney, Staff Security Engineer

Sep 6, 2025

In this engaging discussion, Varun Gurnaney, a Staff Security Engineer with a rich background at Apple, Robinhood, and Zendesk, dives into the dynamic world of Governance, Risk, and Compliance (GRC). He emphasizes the necessity of automation and the collaboration between engineering and compliance teams. Varun shares insights on the evolving auditing landscape, advocating for continuous assessments over traditional methods. He highlights the transformative potential of AI in compliance, promoting a real-time approach to risk management and enhancing GRC effectiveness.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ADVICE

Use Agents Or Screenshots For Hard-To-Integrate Tools

Use browser automation or agentic AI to capture evidence from tools that lack APIs as a pragmatic stopgap.
Validate AI-collected screenshots with a human reviewer to maintain audit reliability.

INSIGHT

Agentic Workflows Expand Evidence Coverage

Agentic approaches let you test controls by replaying the control owner's steps, reducing dependency on vendor APIs.
This widens evidence coverage for legacy systems, healthcare, and regulated environments.

ADVICE

Automate To Reduce Compliance Toil

Aim to reduce compliance toil; automation can make compliance effectively 'free' while keeping one audit liaison.
Focus GRC on enabling security and proving controls, not manual evidence hunting.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Check out grcengineer.com to learn more!SummaryIn this engaging conversation, Ayoub Fandi and Varun Gurnaney explore the evolving landscape of Governance, Risk, and Compliance (GRC) engineering. Varun shares his unique journey from cybersecurity to GRC, emphasizing the importance of automation and collaboration between engineering and compliance teams. They discuss the challenges faced in GRC, the philosophical aspects of risk management, and the future of compliance in a rapidly changing technological environment. The dialogue highlights the need for a more integrated approach to security and compliance, advocating for a shift towards real-time assessments and a deeper understanding of the technical landscape.Sound Bites"Screenshots are cool again.""Compliance should be free.""Don't get hacked is what I care about."TakeawaysVarun's journey into GRC began with a cybersecurity role at EY.The importance of automation in GRC processes is crucial for efficiency.Cultural differences in compliance approaches between small and large companies.GRC engineering is often misunderstood and underappreciated in larger organizations.The need for collaboration between GRC and engineering teams is essential for success.Risk management should be tied to real business impacts rather than just compliance checkboxes.The future of compliance may involve more automated and real-time assessments.Tools used in security can significantly enhance GRC efforts.Understanding the technical landscape is vital for effective GRC practices.The conversation highlights the philosophical aspects of compliance and risk management.Chapters00:00 Introduction and Guest Background02:42 Varun's Journey into GRC Engineering06:32 Comparing GRC in Different Company Sizes11:56 The Role of Automation in GRC17:34 Challenges in GRC Engineering23:26 The Future of Compliance and Risk Management29:03 The Importance of Collaboration in Security34:47 The Philosophy of Risk and Compliance40:33 The Role of Tools in GRC46:21 Final Thoughts on GRC and Future Directions