Security & GRC Decoded
How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy. It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure and adhere to regulatory mandates. Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC, from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed!
Risk in Dollars: The Future of GRC Measurement ft Ramya Subramanian, Director of GRC @ Freshworks
How does a network engineer become a GRC leader? Ramya Subramanian’s journey spans nearly two decades across IT, security, and governance. Now serving as Director of GRC & Privacy Operations at Freshworks, she joins Raj to unpack the evolving role of GRC: from quantifying risk and managing compliance debt to building automation that doesn’t slow engineering down.
Ramya also shares how storytelling, PR-style evangelism, and simplifying policies can shift the perception of GRC from policing to business enabler. This episode is a playbook for anyone trying to modernize risk and compliance in fast-moving environments.
5 Key Takeaways
- Engineer’s edge in GRC: Why Ramya’s technical background makes her approach to governance unique.
- Quantifying risk with dollars: Why risk measurement needs financial context, not just “likelihood x impact.”
- Automation as a path forward: How Freshworks is reducing compliance toil for engineers.
- Simplify policies and awareness: Cutting policy docs by 90% and building bite-sized security training.
- GRC as PR: Storytelling and evangelism can reframe GRC as a business enabler, not a blocker.
What You’ll Learn
- How GRC and security complement each other
- Challenges of risk quantification and continuous measurement
- Why engineers perceive GRC as compliance tax
- How automation and GRC engineering can reduce manual effort
- The cultural perception of GRC and how to change it
⏱️ (Approximate) Timestamps
[00:01:43] From network engineer to GRC leader
[00:03:37] How Ramya defines Governance, Risk, and Compliance
[00:05:28] Quantifying risk: from controls to financial impact
[00:07:41] Why continuous risk measurement is so hard
[00:11:49] How others perceive GRC inside organizations
[00:13:43] Changing the “policing” perception of GRC
[00:17:50] Rewriting policies & security awareness at Freshworks
[00:19:38] Bringing auditors along the journey
[00:21:33] Reducing compliance tax with automation
[00:26:10] Why GRC needs engineering skills
[00:29:58] Technical vs non-technical sides of GRC
[00:31:47] Skills Ramya looks for when hiring
[00:33:53] Generative AI’s impact on GRC
[00:37:49] Dream GRC solution: context-aware automation
[00:39:32] Building a business case for automation
[00:44:00] Who should tell the GRC automation story?
[00:45:54] Challenges with auditors in the AI era
[00:46:49] From city editor to GRC leader — storytelling roots
[00:52:26] Rajinikanth’s influence at Freshworks
This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com
Connect With Our Guest:
Ramya Subramanian | Director of GRC & Privacy Operations | Freshworks
Connect on LinkedIn
Rate, review, and share if you enjoyed the show!
Subscribe to Security & GRC Decoded wherever you get your podcasts:
SPEAKER_01: Welcome to Security and GRC Decoded, the podcast where security, governance, risk, and compliance professionals, CISOs, executive leaders, and practitioners can stay ahead of industry trends and challenges. I'm your host, Raj Krishnamurthy, founder of ComplianceCow. Join us twice a month to bring you expert insights, actionable strategies, and real-world stories to elevate your security, governance, risk, and compliance programs. Each week, we decode the complexities of GRC to help you make smarter decisions and drive innovation in your organization. Let's dive into today's conversation.
UNKNOWN: Welcome.
SPEAKER_01: Hey, hey, hey. Welcome to Security and GRC Decoded. I'm your favorite host, Raj Krishnamurthy. And today we have awesome Ramya Subramanian with us. Ramya has an interesting career. She's a network engineer turned security and GRC operator and practitioner. Ramya has more than 19 years of experience in the engineering, security, and GRC space. She's currently the Director of GRC and Privacy Operations at Freshworks. Ramya, welcome to the show.
SPEAKER_00: Thank you so much. part of this podcast, Raj. Thank you so much. Thank you.
SPEAKER_01: So how did a network engineer become a GRC practitioner?
SPEAKER_00: Awesome. So there is a bit of a story that I want to tell. I started off my career as a network engineer, as you mentioned, right? So it was through a college campus recruitment and that was the second company I sat for. So the first company was for a role of software engineer and I'm glad I did not make it through that role because I don't think I'm set to do coding all day. It's just not my cup of tea. So I'm very thankful that I landed in the network engineering space. So I think starting off my career with the network engineering background gave me a lot of basics, right? You need to understand networking if you have to excel in security. That's my opinion. You need to understand the basics, IP, IP subnetting, how networks work, for you to understand security. So eventually I kind of moved to security implementations, did all the downtimes, no configuring devices, and then moved on to the vulnerability assessments and pentests of the world and then finally landed up in GRC. And that's when I realized that this is my space. This is my arena that I wanted to excel in. So that's how, from network engineer to a security engineer and then to a GRC practitioner, that's how I rolled into this role.
SPEAKER_01: And your first role as a GRC practitioner was with RR Donnelley.
SPEAKER_00: Absolutely, yes.
SPEAKER_01: And then you moved into Freshworks, right? Fresh, that is right. And all of this, you did this being in India. Is that right?
SPEAKER_00: It's a combination. So with Wipro, absolutely, I was in India and then the US for some time. But the rest of it, it's just India. I just traveled around for audits and stuff, but it was predominantly in India.
SPEAKER_01: Got it. Got it. So as an engineer, is there any particular advantage that you have being a GRC practitioner, in your opinion?
SPEAKER_00: I think it is not any basic degree that gives you that advantage. It's just the experience that you gather as you move forward that gives you that advantage, is what I feel. It's not just about the degree, Raj. That's my humble opinion.
SPEAKER_01: Okay. So, maybe, what is your opinion of G and R and C? Ramya, how do you define G, R, C?
SPEAKER_00: I think we've got it really wrong, at least the order. To me, risk comes first all the time, right? All these times, we've always been compliance-driven, and that's why GRC wasn't embedded into the product operations, embedded into the organization's culture. It was always compliance-driven. But I think we are changing the focus, shifting the focus to risk-driven these days. To me, risk is where you start. That's where you understand what's going to impact your crown jewels, and then you write policies and standards in order to protect your crown jewels, right? So risk is the foundation to me, and then you move on to governing, right? Policies, standards, and then measure what you have implemented, and then comes the compliance. Like, when you're doing the risk and compliance, right, risk and governance, right, that's when compliance automatically lands into your portfolio.
SPEAKER_01: No, I love it. I love it. So, when you think about risk, Ramya, how do you think about risk from a quantification and a qualification perspective? How much of risk in reality is quantification versus not?
SPEAKER_00: Quantification is still a very niche concept, right? Qualitative analysis is what we've always been exposed to. It's always the heat maps that we work with, high, medium, lows. That's what people understand these days. But it's just not enough anymore. You have to probably reiterate to your leadership or the boards to make them understand the cyber risk exposure of you not having a control or you not having implemented a set of controls, right? So to me, quantification is the way forward. There are tools that are offering, there are frameworks that you can adapt, but to me, we have to make that shift from qualitative to quantitative eventually. That's when the real worth of GRC and the risk remediations will start to evolve, is what my opinion is.
SPEAKER_01: Okay. And what are the challenges with quant? Maybe, if you feel comfortable sharing, can you break down, you know, when I think of risk quantification as an audience and the listener, how do you quantify risks?
SPEAKER_00: Absolutely. So to me, first, you understand the nature of risk and then what are the controls implemented in your space and your organization and see the effectiveness of the controls. Anyways, it starts with the control effectiveness, right? And then you move on to understanding the revenue of your company and also to understand what could go wrong if you're not complying with the controls, the penalties that come with all these compliance violations. So I think quantification is a combination of all these. When you have the controls in place, when you have the revenue information in place, you mix and match all of this to understand your cyber exposure, the loss exposure that you're going to incur eventually. So that's how I see quantification. But today what we're doing is just understanding the control effectiveness against a particular risk and then see if the risk is high, medium or low. Until we incorporate those finance numbers, I don't think you will end up on the real, real impact of what that risk could get you.
SPEAKER_01: Got it. So let me make sure I understand, because typically we maintain a risk catalog and we have a listing of all the risks. And then we typically try to say what is the degree of impact of that risk if that were to materialize. And you talk about likelihood, right? And then it becomes a very basic math of likelihood times impact. What you're basically saying is that, look at it from the, make sure that you associate dollars to each of those risk elements from an impact perspective is what I'm hearing. Is that right? That is right. Now, what are the typical challenges in making that happen? How do you collect the data?
SPEAKER_00: That is where the real problem is. The sustainability of having these numbers and then constantly putting it into the calculations and then identifying it in real time is a real challenge, which is why I think a lot of teams are not able to adopt the quantitative aspects of it. And we do not have a lot of tools in play. There are tools, but they are complicated. That's not user-friendly for everyone to understand how revenue works, how penalties work, how the control effectiveness works. And it's not completely automated. So to me, that makes it very difficult. So GRC folks are not someone who reads JSON, XML and all of that, right? So you need to have some technical aspects of it to understand the metrics and incorporate that with the financial aspects as well. So that's a real struggle that I see.
SPEAKER_01: Okay. So what I'm hearing you say, I think, if I can articulate here correctly, is that when we think about audits, we think of it primarily from a perspective of compliance. When we think of GRC, I think you can approach from two perspectives. One, you can approach from the perspective of audits. And one, you can approach from a perspective of assurance. What you're basically saying is that if you use audits as a means to measure risks, it is less infrequent, extremely manual. As a result, it is not sort of a continuous process, right? And you're basically saying, I think what you're advocating is that the right way to do it is almost make it a continuous, almost like a continuous part of your operations and try to measure these risks continuously. Am I hearing that right?
SPEAKER_00: Absolutely, absolutely.
SPEAKER_01: And I think a big part of that is data collection, I would assume, right? I mean, you need to be able to make sure that you collect data. So why are companies not, I mean, maybe I can understand why small companies cannot do that, but how about bigger companies? What is the struggle in them in making this happen from an operations perspective? Why not collect the data continuously and why not evaluate the risks continuously?
SPEAKER_00: I think, how do I put it? So metrics is something that needs to be a very matured program, which is not the case in a lot of these organizations, right? Even bigger companies. How... If we can't measure what we are doing, I mean, then we really do not know what the effectiveness is, right? So the constant, continuous collection of data, not having real tools in place to constantly collect that information, I think that's what makes it very difficult for even the smaller companies and the larger companies as well. So there is a tool probably that could help us in terms of constantly collecting these evidences and keep it ready for your GRC folks to consume. Probably that's what is missing, is what I understand.
SPEAKER_01: I see. I see. Okay. Maybe I'll switch slightly differently, Ramya. What is your opinion of the relationship between GRC and security?
SPEAKER_00: I think GRC is a connect, a conduit between a lot of different teams that see risk in a different perspective, right? I mean, HR sees it differently. Security engineering sees it differently. And different teams look at risk differently. I think GRC is one team that can connect all of these and then kind of see patterns and see in a big picture of what a risk can do to the organization. So this is one team that touches every other team in the organization and then kind of brings them together for a larger cause. That's how I see it.
SPEAKER_01: Got it. So GRC is an aggregator. I mean, you're essentially pulling together all these different disciplines to measure and monitor. How do you think others see GRC? Let's talk about your product organization or your leadership teams or even security teams. What do you think is their view of GRC?
SPEAKER_00: Let's be honest, right? You ask 10 different people what GRC is and you're going to get 12 different answers from them, right? What GRC is about. So some people think we're just writing policies. Others think we just do audits. Some think we do spreadsheets and documents all the time. But to me, the reality of GRC is incredibly broad. It's about understanding the risks of the organization, right? That's what is a primary thing that I think of GRC. And then policies, there's compliance, there's privacy, there's control frameworks and awareness, vendor reviews. And none of it is optional anymore, right? Like, these are all embedded in your organization's culture these days. So to me, the perception is evolving. It is still not always very clear to folks outside what we kind of do. But I think when GRC is done right, it's a lot of relationship building. It's a ton of pattern recognition that we do in the back end to connect the dots. There could be something going wrong in one space which could be a larger issue, and when you connect those dots you kind of understand, right? So I think the perception is evolving. People are not thinking that GRC is just a process-oriented function anymore, but GRC is much more from my perspective. But the view is evolving as we speak. That's what I feel.
SPEAKER_01: Got it. And what can be done? So maybe I'll double click on that. When you say the view is evolving, are you saying the current view, if you are in product or engineering, about GRC is that it is a necessary evil sort of a function? Is that, am I going too far when I say that?
SPEAKER_00: No, I think that's the perception people have, right? It's a policing function. It's a policing function, that's how people think. So I think how we can change the perception is by starting to speak human. Stop all these compliance jargons and kind of talk about the impact, talk about the risk, talk about how a risk has saved your company or how a risk could put your organization into a dangerous spot, right? So when you kind of build that relationship, do a bit of PR and then talk to people, I think then it kind of evolves. That's really what I feel.
SPEAKER_01: Got it. So I think this goes back to your earlier comment. So your point is that when I say GRC, you say compliance, it's typically what you're saying people think about. And as a result, they see this as a policing function. Absolutely. And I think there's a lot, I think by constant evangelism, I think you used the word PR, that's a brilliant word. I think you're essentially, you have to put GRC in the right light and present it in the right light across the organization.
SPEAKER_00: Absolutely. Help is also like not by writing a 30-page policy documentation and all of that, and then break it down like one hour of awareness training and 30-page policy documents, like, makes it you not, no showing up real friendly face of yours, right? Probably break it down, break it into a digestible format for people to consume. And probably that's a way forward. You make bite-sized videos for people to understand the real risk, real impact, instead of just putting them to death by, you know, giving that one-hour training that nobody really understands, nobody really watches. So I think we have to evolve as a function as well and see what are the challenges that the other teams are facing because of how we perceive GRC, right? So I think that evolution has to be mutual. We have to step outside of our comfort zone, what we've been doing all this while, and then kind of expect the same from the rest of the departments as well.
SPEAKER_01: I think when we spoke last time, you said something very interesting in this space, especially around security awareness and some of the things that you have done at Freshworks. Maybe for our audience, I want to maybe double click, right? Maybe if you can take the specific challenge that you saw with security awareness and especially around policy management and what did you do to simplify? I think that can be super helpful.
SPEAKER_00: Absolutely. So to start with security awareness, we understood the real pain of watching a video. I mean, today's attention span is probably like two minutes, three minutes, not more than that, right? And when you give them a one-hour video to watch, I mean, it's kind of putting that effort to useless stuff, right? So nobody is really watching it. Everyone's just nosing and then moving on to the next work. So the efforts are not getting realized. So that's a pain point that we had. And that's when we thought, I mean, we have to break this chain, right? And then make it bite-sized for everyone. So anything that you see at Freshworks, it's not more than four-minute videos, right? And it's not an annual exercise. It's kind of continuous. We do it monthly, a reinforcement of a particular theme, and then do it by making a poster, which is very eye-catching. And you have contests and you have videos that we shoot internally within Freshworks and then kind of publish it. So people are able to connect with you. People are able to connect to the real security team and kind of understand what these topics are, what these risks are. So that's how I think we've broken down the security awareness piece. And to talk about the policy again, right? So nobody reads policies anymore, right? So it's all legal jargons and compliance words. Nobody understands. It's like your... iTunes agreement. Everyone knows it exists, but they do not read it. They just click accept and move on. Click accept. Click accept and move on. So that's what happened, right? So what we did was a workshop, probably a five-day workshop, to rewrite our entire policies and then standards. And then we cut down so many words, like from 60,000 to probably 3,000 to 5,000 words, to that extent. Right now our policies and standards are like two lines and it just has about 10 controls, where it's readable, it's digestible, and they are controls which are measurable as well. So to me, you break it and make it easy for the teams to consume. That's when I think they are going to put the trust in you and then they come to you even before the disaster happens. Otherwise, I mean, GRC is a team where they are brought in only after a disaster happens, right, when an incident happens. But I think this is how you build a relationship with the end users that makes them trust you more.
SPEAKER_01: Got it. And then what is the role of auditors? Because while this is happening, your audit cycles are continuing to happen as well, right? So how did you bring in auditors into this entire discussion?
SPEAKER_00: So I think it was a bit of a challenge, right? Your compliance says you have to do a mandatory one-hour training annually, right? But we don't have that anymore. So it took a bit of time for us to socialize this with the auditors. But I think when you put it in the right note and the right light and showcase the effects and the impact that this is creating, I think the auditors understand, as, I mean, we have moved on from the traditional way of doing audits to something modern. I mean, your general auditors do not like it if your policy documents are small or your security awareness training is small and it's bite-sized, right? But you bring them along with you, along with your journey, and that's how it's going to work. I mean, if you are on one plane and your auditors and assessors are on another plane, it's definitely not going to work. I think we have to evolve as an industry, together, rather than just doing it in silos.
SPEAKER_01: Got it. Freshworks is a software company, right? And I think software is eating the world. AI is eating the world now. We'll talk about AI and your perspectives on this. But the big theme that we hear, especially from software companies, is this engineer's toil, right? The time that engineers spend on security and GRC, right, compliance, whatever, because they don't see that as productive time. Have you heard this from your constituents in engineering on this term called compliance toil, and what is your take on it?
SPEAKER_00: Absolutely. I think it is real, right? The amount of audits that we go through in a year, the amount of certifications that each company has, put engineers and the other stakeholders through a lot of turmoil, right? It's definitely real, right? You keep asking for the same evidences. You keep asking for the same screenshots over and over. I mean, anyone tends to get irritated and frustrated as well. So I think this can only be overcome by automating. To me, that's the way forward. Until you have automations in place which can fetch you all the evidences by themselves and not bother your human resources anymore, I think that's the way forward. And I think we have taken that step in terms of automating controls in a smaller way, and then eventually, I mean, we wanted to make it big, but I think we have taken that path right now. And I think all the organizations should take that path so that the engineers' and even your GRC folks' time is put to good use and not just sitting and doing the mundane work.
SPEAKER_01: Got it. And what do you see as the current state of tools, the GRC platforms, if you will? You don't have to name names, but generally speaking, what do you see as the current state with respect to automation?
SPEAKER_00: I think we've evolved so much. Back then, we did not have a tool. It was just workflow automation. I mean, we didn't have a lot of sophisticated integrations with other security tools or other tools that are used in the company, right? So I think we've evolved so much. These days, tools are much more sophisticated and bring you that glassy UI where you can see everything about your compliance requirements, and you integrate with every single tool that's there in your to bring in that new data to one platform, right? I think we have come to a much better space than where we were like five, six years back. I think tools are great these days.
SPEAKER_01: So you're saying the tools have already caught up to where you want them to be in terms of automation?
SPEAKER_00: I think we are getting by. I wouldn't say it's completely there. There are a lot of use cases. And the tools concentrate more on the technical aspects of it, right? When you're connecting with other tools, you pull in data for the technical configurations. But there aren't many tools to understand the process within the organization. That's a major space, right? 50% technical controls and 50% process controls is what we have in our organization. But there is nothing on the process space at this point in time, very, very few tools, which are still not that sophisticated from my perspective. So that's what we are missing and that's what we need to focus on.
SPEAKER_01: I think that's a great point. That's a great point, because one of the constant themes that I've heard from some of our other guests, and we frankly see in the industry as well, is that a lot of the automation needs to be contextual and there is no one size fits all, because every company has, you don't build software products, you don't build products because you have to pass compliance. You build products because you have to serve your customers, and those design choices are very contextual to the industry you are in and the problem that you are trying to solve, right? So is this also a problem that you see, where the automation has to evolve, where it is not just a black box, one size fits all, but allows you to be able to contextualize that to your environment?
SPEAKER_00: Absolutely. I mean, there are tools where you are able to give that tool your context on what you and your organization perceive as a risk, right? So that's kind of very important. Otherwise, anything and everything is a finding when it comes to automation and tools, right? So you need to give that context. I wouldn't say we are there 100% in giving that context to these tools, but I think we are at least midway. We are able to give some context for the tools to understand and kind of interpret how they are giving the findings. So we are probably midway, is what I feel.
SPEAKER_01: So I wanted to point to you. So we had some very interesting guests on our show, where I think you have some of the guests making an argument that the GRC team has to evolve into an engineering discipline, meaning they have to sort of have the skills to automate. Not that the entire GRC team has to become engineering, but their argument is that GRC teams have to be self-sufficient with automation. And there is another part of the guests who say that that's not the role of the GRC team, that it sits with control owners, whether it is security engineering or application security or product security or application engineering, wherever that is, right? What is your take, Ramya? Where should automation sit for it to be effective?
SPEAKER_00: I think GRC engineering is a beautiful way of doing this, right? It's not enough for us to just have our policies in a shared drive and hope people remember to upload those quarterly evidences periodically, right? So it's not enough anymore. So you're essentially, you have to wire risk awareness into your business. So that's when GRC is going to work out in the future, is what I really feel. So GRC engineering is a function that every organization must have, because you cannot always depend on someone for your automations, right? You definitely need automations. You need to build everything into your pipeline so that compliance checks happen as part of the coding, as part of the design. Because, I mean, you only have 10 people in your GRC team and then there are 1,500 developers, 2,000 developers that are developing products, and it's not scalable, right, for you to sit in every single conversation. So automation is the key, and that can only happen if you have an engineering function for GRC. And if you're embedding it into the process and the design, people don't even realize that they're doing GRC, right? It just happens. So that's the way forward.
SPEAKER_01I think what you're saying is something very interesting. You're saying the engineering is a process-driven GRC engineering is what I'm hearing, right? That's a beautiful statement. Ramya, how much of GRC in your world today If you were to sort of put them into buckets, how much of GRC time is spent on security versus non-security? Maybe I'll put IT and security into the bucket, right? The technical aspects of GRC versus the non-technical controls of GRC.
SPEAKER_00I think technical, it's 50-50, right? To me, that's how I perceive. 50% of all the GRC done is technical. So you need people to understand these technicalities and the environment better. And the other part, 50% is non-technical is what I really feel because that involves your HR controls, your physical controls. There are a lot of other controls where you need a different perspective altogether. So you You wear different glasses when you kind of look at these technical and non-technical controls throughout.
SPEAKER_01And in that remaining 50%, do you also account for the financial controls like the segregation of duties between accounts payable and accounts receivable, things like that, right? Is that something that you deal with as a team or do you primarily deal with HR and cybersecurity?
SPEAKER_00No, I think access is basic, right? When you have right access, that means you have right SOPs built into the access, right? That's when you are avoiding no troubles when you are implementing the right access controls. To me, I think it's a space that GRC should have visibility into and they are the ones that needs to build these SODs and the access controls as well.
SPEAKER_01Got it, got it. So given that 50% of these controls are IT and security controls, cybersecurity controls that is, how technical do you think the GRC team should be?
SPEAKER_00I think they don't need to write codes, but they need to understand the environment that they are in, right? So they need to be technical enough to understand the components that are running in your environment. They need to be technical enough to understand what issues, what risks we could run into if this is not working 100% anymore. So I think you do not get deeply into technical, but rather learn everything. So for you to be a seasoned security professional, I think you need to do a bit of security engineering, engineering sit-on sales calls to understand how your company is doing business, right? So I think it's a bit of everything is what I feel, Raj. So it's not like you learn technical and you're good. You need to understand every single process in your organization. So learn everything. Got
SPEAKER_01it. Maybe I'll rephrase the question. I think that's a fantastic answer. So if you were to hire... In your team right now, what would you look for? And I think it's sort of a very broad question. What would you look for in that person in this middle sort of intermediate experience, right, that you're trying to hire into your team? What would you look for in this person? What sort of skills do you expect this person to have?
SPEAKER_00: So see, GRC is a space, or one of the rare fields, where your knowledge isn't directly proportional to your experience, right? Just because someone has been doing this for 10 years doesn't mean that they know how everything works, that they are ahead. Because what we knew five years ago might be completely irrelevant now. So I think when I hire people, I look for not the number of years, not the number of certificates that they hold or any technical jargon on their resume, but I look for the curiosity, the openness to learn. Because, I mean, you constantly have to unlearn and relearn what you've been doing all this while. So five years back there was no cloud, but today everything is on cloud; today we have AI. So you constantly need to learn a lot of things, right? Unlearn and relearn. So to me, that's what I look for. I look for people that can break down complex situations to sound simple, that can explain things in a better way, that have the right attitude and abilities to convince a person, or that have a lot of curiosity and ask the right questions. So those are the qualities that I actually look for. Technically, you can learn anytime; frameworks you can learn anytime; you can try and understand. But that perspective you need to have in order for you to learn all these is what I look for when I hire people.
SPEAKER_01: Got it. Got it. Thank you. So I think all of us have become sort of AI consumers in some way, shape or form, right? And companies have taken to "generative AI first", "generative AI native". All these terms are coming about. I'm reminded 10 years ago of all these cloud jargons, and I think we are getting revisited with all the AI jargons now. What do you see as the effect of AI in terms of software development, the engineering teams using it, the operations team using it, the security teams using it? What is the effect of those things on the GRC team?
SPEAKER_00: So I myself, I use Gen AI all the time, right? Right from drafting policies or summarizing any audit responses or helping me interpret those long documents, right? So I use AI all the time. So it's about... The trick is to accelerate and not replace. So you accelerate everything that's happening using AI, but not replace. Because I think... Like, see, generative AI is here to stay. It's not going to go away. So the role of GRC when it comes to generative AI is to not panic, but rather govern this behavior smartly, right? So you write safe guidelines on how to use it safely and then embed AI into your processes with a lot of intention, and not panic or fear or anything of that sort, and govern this behavior smartly. I think everyone should use AI to make it simple for them, make it easy to cut down all the repetitive work, mundane work, but use it judiciously.
SPEAKER_01: That's a great word, judiciously. Now, when you say accelerate, not replace, are you saying not replace humans? Is that what you're saying?
SPEAKER_00: Absolutely, absolutely. So let it write your first draft, but you have to put your brain in, in terms of fine-tuning it, right? So to me, it won't replace the judgment, the context, the relationships that you're building; it can never do that. I mean, those are still like 100% human stuff, right? So you can only use it to accelerate what you're doing.
SPEAKER_01: Got it. Got it. No, makes sense. I think the intent behind my question was that I remember when cloud hit us, and I've been an engineer, right? I've not been sort of a compliance practitioner in the early part of my life. One of the significant challenges was that GRC was used to static environments: physical machines, virtual machines, and even virtual is not that static. But I think when cloud hit, right, the surface area just exploded, and the GRC teams were trying to figure out how to readjust themselves into the cloud world. That was 10 years ago. Now Gen AI is making that explosion even bigger, right? I mean, if the divide was big, now the divide is huge, right? So my question, the intent behind the question, is: is this causing a chasm between the speed at which the applications are being developed and the nature of, and the speed at which, the GRC teams need to keep up and the security teams need to keep up as well? Do you see, are you seeing that friction today? And what is your view?
SPEAKER_00: Absolutely. I think we're all not well versed with AI, at least in terms of putting it to good use to govern things, putting it to good use to secure things, right? Gen AI is currently used... I mean, AI is being used for developing applications in every single space. But are we really putting it to the right use in our security teams to help us, you know, govern better or keep things secure better? I don't think we are there. We are still catching up is what I feel. I think it's a long way to go for the security teams, the GRC teams, to embed AI into their, you know, routine to make sure things are working better.
SPEAKER_01: Got it. Got it. If I were to ask you to dream, Ramya, what would be a dream GRC solution for you? What would it look like?
SPEAKER_00: Okay, so... Okay, my dream solution is then not going to have any work for the GRC itself. So now the GRC team is just going to build relationships, and then take whatever the tool is going to give you, take it back to the teams, explain it in a way that teams understand, and build those relationships. Probably I'm looking at a solution that's going to be very evolving in nature. It's customizable in nature, where you organize your framework, because organizations cannot or do not generally pull in all the frameworks and then directly use them, right? You have to customize it to your business perspective, business context and all of that. So the tools have to have that contextual idea of what your business is and then what your risks are for your particular environment, the industry that you belong to, and then put that context into your risk management, right? So today everything is a vulnerability, everything is an issue, everything is a finding. But is it? Now you will have to put in the organization context: is this storing any sensitive information? Is this within your internal network, such that it's not exposed to an external network? So you have to put all that organizational context into the GRC tool for it to be able to 100% do what you're doing, what the GRC folks are currently doing right now, right? That's, I mean, the intelligence that the GRC folks are bringing in. So you have something from the tool, but you put your experience and you put your knowledge along with that tool's findings and then you present it. Today, it's always that mix of everything and then taking it back to the respective teams. My ideal GRC tool would be able to do all of that within the tool itself.
SPEAKER_01: Got it. Got it. No, I think that's a good answer. So I think you talked about your perspective of a process-contextual GRC engineering, if I can recap what you just said. I think one of the challenges that we see is that the GRC teams traditionally have not been equipped to handle this, and primarily from the perspective of building a business case, selling it internally, selling it upwards to their leaders, right? And as a GRC leader, what do you expect your teams to bring you, right, to build this business case of automation effectively? And how would you build that business case to your leadership above?
SPEAKER_00: I think it's all about the storytelling, right? You need to have that storytelling capability to bring this back with a little bit of risk context, right, to the leaders. To me, the compliance is growing. You're looking at competitors and seeing what certifications they hold, what compliances they are in, and then you try and catch up. But when you have these tools in place, it's actually going to help. So today, there is a regulation that's coming in, like, for example, DORA. Tomorrow, there is some other regulation coming in. But now the time you have to take it back to shelf is longer than what you think, right? So you need to do a gap assessment in order for you to understand what you're missing out on, and then kind of do the implementation, and then take it back to your customers. So to me, this is how I will sell, probably, right? So my tool is going to help me secure my compliance roadmap for the next three years, four years with this particular tool. So that's how I will be pitching, because I have my competitor analysis done and I have my compliance roadmap. In order for me to do this sustainably, I would need GRC tooling in place, which is going to help automate a lot of things that are currently being done by humans.
SPEAKER_01: Got it. Because when we think of the business case, Ramya, there are multiple vectors, right? One is how much is it reducing the toil for the non-GRC teams: your engineers, your operations, your security teams, whoever they are. Number two, how effective is it in helping you to go into new markets, right, as you expand the business into new markets? Number three, how do you cope with the new requirements that are coming about, right? And there are a bunch of things: how much do you spend on audit and all these different things, and how much is the toil on the GRC team itself, right? When you think about this from a business case perspective, are there vectors that are outsized in terms of impact compared to others?
SPEAKER_00: Probably, can you rephrase your last sentence?
SPEAKER_01: So there are multiple line items in which you can build, show the value. Like, I think you said it beautifully. It is about storytelling. And as you're trying to tell the story for the value that you're going to save, or a three-year roadmap of building an automation program or building a better GRC program. I don't want to just limit it to automation. Now we have generative AI as well. And that could mean saving engineers' time. That could mean saving time as you get into new regulations. That could mean saving time with auditors. That could mean saving time with the GRC teams, right, and not having to hire more folks. Are there particular line items that you think have a very outsized impact in the storytelling compared to others?
SPEAKER_00: I think it's how much time you reduce for the non-GRC folks, right? That to me is a huge thing today. I mean, they are the ones who go through this turmoil and then hand you the evidence all the time. To me, that's what I will be focusing on. It's going to reduce a lot of time for them to work on compliance requirements. And compliance would then become a process. It's not going to be a separate topic. Because to me, for the non-GRC folks, GRC or security is not their primary responsibility, right? They have their own responsibility of building a product, building a feature, revenue, and all of that. Now you're forcing them to do security as a separate task, which I think is a big thing. We will have to focus on that, reducing the time taken for them to do all these compliances. To me, that's huge.
SPEAKER_01: Got it. Now the challenge, one of the challenges that I constantly hear, Ramya, is the scope, right? So GRC teams can understand very clearly that it's going to save time for the engineers. So a lot of the value is accruing to the engineering team or the product team or the security teams, but how do they tell the story, when they're not responsible for it, right? So who is responsible for telling the story? Is it the GRC director like you? Is it the CISO who you roll up to? Or is it the VP of engineering? Who is supposed to tell the story?
SPEAKER_00: I think... It's a collective bet is what I feel, right? So everyone is going through frustration because of the evolving compliance need, and we are very nascent in terms of the automations and all of that. So it's a bit of everyone is what I feel, right? But I think GRC being that conduit between all these different teams, GRC is in the space for us to take it back to the leaders, the board, and then kind of simplify it for the entire organization. I think we are the ones talking to everyone to understand their pain points, their risk nature. So it should be the GRC function and the GRC leaders who reach out to the leadership and the board to explain this better.
SPEAKER_01: Got it. So I think it goes back to your earlier point where you were saying GRC is an aggregator. It's a catalyst for bringing all these different functions together. You see this as no different, right, from some of the others. Beautiful. What do you see as the challenges as you embrace generative AI as a GRC leader, right? With asking your teams to embrace generative AI, trying to figure out how to cope with generative AI that is being done by other teams. What do you see as the challenges when you work with auditors?
SPEAKER_00: So I think the auditors need to grow along with us, as a statement I said earlier, right? Somewhere I see that as a challenge, right? While your organizations grow tenfold when it comes to AI and all of that, the auditors are still catching up. It could be controversial. This might ruffle a few feathers, but to me, that's a real challenge, right? They still expect a lot of traditional controls in your space. They pass when you have generative AI in your space on how these are happening, right? So to me, we need to approach it with a lot of intention rather than fear and panic, as I mentioned earlier. Even the auditors have to look at it that way. Audits have to become like a value add to the organization, the organization's controls, and not be that policing against it. How others perceive GRC, that's how GRC perceives auditors as well, right? So it's a loop, right? So I think auditors have to evolve as well as the companies grow.
SPEAKER_01: No, that's a great statement. Ramya, on a lighter note, I think a lot of what you have said is about storytelling. And I couldn't help but notice that you did a four-year stint as a city editor at Momspresso. What is that?
SPEAKER_00: Okay, so I took a maternity break for my elder one and the little one. So that's a time, see, I'm a person, I cannot just sit idle. I wasn't idle, by the way, right? So I had two kids in my hands. Absolutely.
SPEAKER_01: I wouldn't call it, I wouldn't call giving birth, you know, it is not idle.
SPEAKER_00: At least from a work perspective, that's what I meant. I mean, otherwise, it's a dual role that you play, right? It's an overtime role that you play when you're a mother, you're a parent. So to me, that's when... I was always passionate about writing. At all stages of my life, I've been writing, right from my journal, my personal journal, right from my childhood. I write a personal journal, then moved to a gratitude journal. So all parts of my life have had this writing as a passion. So I think I picked it up in that time when I didn't have a lot of GRC stuff to do because I took a break. So I thought I could pursue my passion at that point in time. So Momspresso was this place, a space dedicated to parents and their kids. So it was the right time, and using my passion for the right cause, I think it was great. I was a correspondent and a city editor at Momspresso, writing articles. I even talked so much about cybersecurity: how should it be taken back to the children, how important is security, securing, you know, everything that a child has, right? So everything about parents, kids, and then even a little bit of cybersecurity within that space.
SPEAKER_01: No, that's a beautiful story, Ramya. I am reminded of, I don't know if you follow Andrej Karpathy and... right, Karpathy, but last year he said, when prompting became this big thing and the reasoning models became more sophisticated, he said there is a new programming language in town; it's called English. So I think a lot of this falls into this idea of the futuristic way on how to sort of write better, how to express better, how to ask better, and it all comes down to stories, right? So, and I love it. We are approaching the end of the segment, Ramya. What I want to ask you is that, maybe I want to give you 60 seconds. Any shout out to folks that have helped you get here, books that you read, videos that you watch, anything that you want our listeners to know that can help them better understand the space?
SPEAKER_00: Absolutely. That's a great question. And I have a lot of inputs, but you have given only 60 seconds.
SPEAKER_01: No, you can take two minutes.
SPEAKER_00: No, so I'm a little old school. I don't do audiobooks. I need paper. I need to underline things. I need to dog-ear pages and then scribble and all of that, right? So I need paper books. I need to read books, right? So there is something about just holding a book that makes it stick with me. So one book I recently read, this was a suggestion given by one of the leaders from my company. It's called Smart Brevity: how do you tell good stories in fewer words? So that's what this book is about. To me, it's a book that every GRC person has to read, because people dread reading long documents, long audit reports; how to cut things short without dumbing them down. It kind of completely changed how I write for executives, for the various stakeholders that I deal with. So I think it's a great book that everyone should read. And to talk about people who have helped me get here, I've got great mentors through my life, right? So that's how I'm here. I think mentorship is a great way for anyone who's starting, anyone who's there in leadership, or any phase of life, right? Talk to people, find a mentor, and probably do a lot of networking. It's the books and the conversations that kind of make you evolve as a person in any industry, for that matter. So, yeah, that's what I wanted to just say and finish up.
SPEAKER_01: Got it, got it. Now, I normally would end the podcast here, but given that you are from Freshworks, I cannot but ask this question, right, which is: Girish Mathrubootham called out Rajinikanth in the S-1 filing, right? What is the influence of Thalaivar in Freshworks, in the GRC function? And maybe let me give context for our listeners in the US, or who are not from, maybe, India or Tamil Nadu. So Rajinikanth is the Chuck Norris of India, right? He is a huge idol, film, movie star, and I think he's more than a movie star. I think it's an understatement to call him a movie star. And your CEO is a huge fan of Rajinikanth, so much so that he called him out during the public filing, right? So what is the role of Rajinikanth, and maybe our, you know, listeners of Indian origin may appreciate it better, what is the role of Rajinikanth on the GRC function, or at Freshworks in general? Influence.
SPEAKER_00: So, you see Rajinikanth everywhere when you enter our organization, right? At least the Madras campus, you see him everywhere, right? So, to me, the influence is: how can you be so humble even though you are a big star? To me, those are some small inspirations that we kind of draw from Rajinikanth as a superstar, and then, yeah, that's probably it, because Girish mentions that all the time, right? He's so humble, yet he's a superstar, right? So that's the kind of energy we kind of draw from all the posters that we see around.
SPEAKER_01: Got it. I would be Girish's contemporary. I think we would be almost the same age; we graduated almost at the same time. And to put this in context, I used to be a huge, huge Rajini buff when I was in college. So I can totally relate to it, but I have to ask you that question. So anyway, Ramya, thank you very much for being on the show. This was a fantastic conversation, right? And I thoroughly loved it, and I hope our listeners did as well. So thank you for being on the show.
SPEAKER_00: Thank you so much. I enjoyed our conversation. Thank you so much.
SPEAKER_01: Thank you for listening to Security & GRC Decoded. We are your go-to resource for staying ahead in governance, risk and compliance. If today's episode resonated with you, we would love for you to subscribe, leave a review and share it with your network. To dive deeper into these topics, visit us at compliancecow.com and follow us on LinkedIn for more insights and community conversations. Join us next time as we continue decoding the future of GRC.
UNKNOWN: Thank you.