Bridging the dev–security divide
Featuring
Siyavash G. Nia
In this episode of Risk Grustlers, Nicholas Muy, CISO at Scrut Automation, sits down with Siyavash G. Nia, CISO at ShyftLabs, to talk about what actually works for smaller teams that care about security but do not have an army of specialists: making vulnerabilities real for developers, using QA as a bridge instead of a shield, using GRC tools for shared visibility, and ignoring the AI noise until the fundamentals of secure code, infra, and data are in place.

Description
In this conversation, Nick and Siyavash look at application security through the blended lens of engineer, consultant, and CISO. They talk through how to teach developers what a vulnerability looks like in their own code, why a simple live exploit lands better than a slide deck, and how to avoid turning every security review into a blame game. The goal is fewer findings in every scan because the code is getting better, not because the reports are being ignored.
They also dig into how a GRC platform can do more than help with audits. When findings like public buckets or vulnerable packages are visible to project managers, they start driving fixes themselves instead of waiting for security to escalate.
Highlights from the episode
- How small teams can cut vulnerability counts by teaching developers with real examples instead of hiring endless security roles.
- How GRC-driven visibility lets project managers and engineers spot and own risks without waiting for a security escalation.
- Why revisiting core testing of infrastructure, code, and networks matters more than the latest AI scanner hype.
“I always believed there is a huge gap where developers do not know security, and security engineers do not know development. The only way to close that gap is training and a better understanding of each other.”
- Siyavash G. Nia, CISO, ShyftLabs