The GRC identity crisis
Alan Luk has seen GRC from every angle: Big 4 audit and consulting, leading GRC teams, and now GRC engineering at Microsoft Azure. In this episode of Risk Grustlers, he joins Nicholas Muy (CISO and VP of Engineering at Scrut Automation) for a candid conversation on the decisions modern GRC teams are being forced to make: what to own, what to enable, when to escalate, and how to work with engineering without turning every audit issue into a fire drill.
Description
GRC engineering is getting a lot of attention. But for many teams, the harder question is not whether GRC should become more technical. It is what that technical work is supposed to improve.
In this Risk Grustlers episode, Alan and Nick get into the real tradeoffs behind modern GRC: when audit findings deserve urgency, where control ownership should sit, how GRC can work better with engineering, and why automation only helps when the output supports better decisions.
If your team is trying to move beyond evidence chasing and build a GRC program that actually reflects business risk, this conversation is worth listening to.
What listeners will take away
- How to judge audit findings by business impact, not just audit pressure
- Where GRC should draw the line between owning work, enabling teams, and keeping control owners accountable
- Why GRC engineering only works when automation creates useful signal instead of more compliance noise
Quote from the Episode
“What is the worst that’s going to happen? You’ll have an audit finding. Life goes on. The world doesn’t end.”
— Alan Luk, Principal TPM, Microsoft
About the Risk Grustlers Podcast
Risk Grustlers is a podcast for people working in security, risk, and governance who want sharper conversations than the usual industry soundbites. Each episode features CISOs, security leaders, and risk practitioners sharing how they think through the real operational challenges behind cybersecurity, compliance, AI governance, and enterprise risk.
Hosted by Aayush Ghosh Choudhury (CEO and Co-founder of Scrut Automation) and Nicholas Muy (CISO at Scrut Automation), this podcast series focuses on practical lessons, hard-earned perspectives, and the nuance that comes only from years spent in the security and compliance space.