Sign up to save your podcasts
Or
Share RGC, Not GRC: Why Risk Comes First ft Ricky Waldron
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
RGC, Not GRC: Why Risk Comes First ft Ricky Waldron
What if compliance wasn't just about passing audits—but about building trust from the ground up?
In this powerful episode of Security & GRC Decoded, Raj sits down with Ricky Waldron, Director of Security Audit & GRC at Navan, whose GRC experience spans tech giants like Microsoft, Disney, Oracle, and Smartsheet. Ricky shares how GRC is evolving into a strategic business partner, why automation and technical fluency are no longer optional, and what it takes to make compliance an engine of trust, not a blocker.
From FedRAMP horror stories to generative AI workflows, this conversation dives deep into the future of governance, risk, and compliance—and why it's time for GRC teams to start thinking like engineers.
🔑 5 Key Takeaways
- 💥 Compliance = Security (If Done Right): Internal compliance based on risk and business needs often leads to stronger security outcomes than external certifications alone.
- 🤝 Stop Policing, Start Partnering: GRC shouldn’t just point out problems—it should offer solutions and collaborate with teams to reduce risk.
- 📊 Quantify Risk to Speak Leadership’s Language: Turn technical risk into business impact using frameworks like FAIR to get buy-in and budget.
- ⚙️ Automation Is GRC’s Future: From policy drafting with AI to continuous control monitoring, GRC teams must become technical and leverage automation.
- 🧩 GRC as a Sales Enabler: GRC isn't just an internal function—it builds trust with customers, shortens sales cycles, and helps close deals.
✅ Take Action
- Explore risk-first approaches: Lead with R in GRC to align controls with actual business risks.
- Invest in automation: Save engineering hours and scale audits with continuous evidence collection.
- Use GenAI wisely: Leverage it for speed, but ensure strong human review before anything goes to auditors.
🔗 Powered by ComplianceCow.com – automate audits, collect evidence continuously, and shift GRC left.
🎧 Subscribe to Security & GRC Decoded for weekly insights from today’s top compliance leaders.
💼 Connect with Ricky Waldron on LinkedIn.
⏱ Timestamps (approx.)
00:00 – Intro
01:35 – Hot take on GRC
04:31 – Why GRC & Security clash
08:44 – GRC is storytelling
12:57 – Risk comes before compliance
16:08 – How to talk risk with execs
20:41 – Trust as a compliance goal
24:50 – Keeping your promises
27:54 – Why GRC struggles with automation
33:15 – Speaking engineers’ language
38:50 – GRC as the customer conduit
45:00 – GRC as sales enablement
47:15 – How Ricky learned FedRAMP
50:20 – What is FedRAMP 20X?
52:27 – Why OSCAL hasn’t taken off
56:15 – Would you use OSCAL commercially?
58:36 – GenAI in GRC workflows
1:02:31 – Using AI with auditors
1:06:45 – State of GRC tooling
1:12:30 – Getting budget for automation
View all episodes
By Raj KrishnamurthyWhat if compliance wasn't just about passing audits—but about building trust from the ground up?
In this powerful episode of Security & GRC Decoded, Raj sits down with Ricky Waldron, Director of Security Audit & GRC at Navan, whose GRC experience spans tech giants like Microsoft, Disney, Oracle, and Smartsheet. Ricky shares how GRC is evolving into a strategic business partner, why automation and technical fluency are no longer optional, and what it takes to make compliance an engine of trust, not a blocker.
From FedRAMP horror stories to generative AI workflows, this conversation dives deep into the future of governance, risk, and compliance—and why it's time for GRC teams to start thinking like engineers.
🔑 5 Key Takeaways
- 💥 Compliance = Security (If Done Right): Internal compliance based on risk and business needs often leads to stronger security outcomes than external certifications alone.
- 🤝 Stop Policing, Start Partnering: GRC shouldn’t just point out problems—it should offer solutions and collaborate with teams to reduce risk.
- 📊 Quantify Risk to Speak Leadership’s Language: Turn technical risk into business impact using frameworks like FAIR to get buy-in and budget.
- ⚙️ Automation Is GRC’s Future: From policy drafting with AI to continuous control monitoring, GRC teams must become technical and leverage automation.
- 🧩 GRC as a Sales Enabler: GRC isn't just an internal function—it builds trust with customers, shortens sales cycles, and helps close deals.
✅ Take Action
- Explore risk-first approaches: Lead with R in GRC to align controls with actual business risks.
- Invest in automation: Save engineering hours and scale audits with continuous evidence collection.
- Use GenAI wisely: Leverage it for speed, but ensure strong human review before anything goes to auditors.
🔗 Powered by ComplianceCow.com – automate audits, collect evidence continuously, and shift GRC left.
🎧 Subscribe to Security & GRC Decoded for weekly insights from today’s top compliance leaders.
💼 Connect with Ricky Waldron on LinkedIn.
⏱ Timestamps (approx.)
00:00 – Intro
01:35 – Hot take on GRC
04:31 – Why GRC & Security clash
08:44 – GRC is storytelling
12:57 – Risk comes before compliance
16:08 – How to talk risk with execs
20:41 – Trust as a compliance goal
24:50 – Keeping your promises
27:54 – Why GRC struggles with automation
33:15 – Speaking engineers’ language
38:50 – GRC as the customer conduit
45:00 – GRC as sales enablement
47:15 – How Ricky learned FedRAMP
50:20 – What is FedRAMP 20X?
52:27 – Why OSCAL hasn’t taken off
56:15 – Would you use OSCAL commercially?
58:36 – GenAI in GRC workflows
1:02:31 – Using AI with auditors
1:06:45 – State of GRC tooling
1:12:30 – Getting budget for automation