GRC, Unfiltered: Raw Takes from Our Virtual Roundtable

Payal Wadhwa


Apr 07, 2025

There is nothing like battle-tested insights from the brightest minds in Governance, Risk, and Compliance. At our recent virtual roundtable ‘Trust Triangle’, held on March 25th, 2025, veteran security professionals dissected key challenges through lenses that are often overlooked, and shared their wealth of wisdom and invaluable perspectives.

In this blog, we unpack key insights from their inspiring conversations and the most impactful takeaways we think will benefit you.

TL;DR
  • Governance is foundational – It’s not just policies and reporting; it aligns risk, compliance, and business goals through proactive planning and clear processes.
  • Context is everything – Whether it’s data quality, risk communication, or quantification, context and audience-specific framing turn insight into impact.
  • Build for resilience – Tools like Business and Privacy Impact Assessments help identify critical assets, reduce surprises, and enable faster recovery.

But first, meet the experts

From building global GRC programs to navigating the complexities of the tech startup landscape, our roundtable guests bring decades of hands-on experience. They are on the front lines of security and compliance, making their insights particularly valuable.

Introducing the nine voices that made Trust Triangle a masterclass in GRC:

Matthew Webster: Matthew is a CEO and CISO for Cyvergence with extensive experience in building GRC programs. An international speaker, he is passionate about cybersecurity, risk management, governance, and strategy.

Joseph Haske: Originally from Wisconsin and now based in Estonia, Joseph is a security risk manager at Pipedrive, specializing in managing and mitigating security risks.

Matt Lemley: With a consulting background from Big 4, Matt now works at ServiceNow, applying his expertise to navigate security and compliance challenges.

Brian Engle: Brian is a field CISO at GDT-General Datatech, offering consulting services and specializing in building and scaling enterprise security programs.

Ricky Waldron: Ricky is the Director of Security Assurance and Trust at Navan, bringing 17 years of experience in the security and GRC space.

Kannan Srinivasan: Kannan is the co-founder of Cyberzale Technologies, leveraging over 25 years of experience as a former CISO and business unit head for large organizations.

Brooke Lynne Bowman: Brooke leads compliance at Cedar, specializing in GRC for health tech startups. She brings deep expertise in navigating compliance challenges in emerging companies.

Ariana Karzai: Ariana is a compliance and privacy leader at Zephyr with over 20 years of experience in banking compliance and consulting for startups to establish and mature GRC programs.

Ash Duttachowdhury: Ash is the CISO at First Orion, specializing in scam protection and branded communication solutions, with two decades of experience across various technical and security leadership roles.

The wisdom in focus: Key learnings unveiled

We’ve skimmed the richest insights from the session (the crème de la crème, if you will). Here are six standout takeaways from the roundtable you won’t want to miss:

1. Governance: What it is—and what it isn’t

Most of us picture governance as policies, oversight, and reporting. But it goes beyond that—it creates a foundation that aligns the organization’s expectations with its reality.

Strong governance weaves risk management with business objectives and security and compliance efforts with daily operations, ensuring nothing is done in silos.

Matt Lemley also points out that governance is proactive, not reactive. He talks about clients scrambling to prioritize governance post-incident when, in reality, reactive governance fails.

Establishing strong governance starts with things as small as setting up clear approval processes, setting measurable goals, ensuring transparent communication, and securing board-level engagement.

Matt also gives a beautiful analogy of governance as changing your car’s oil and making sure you vacuum it—things that are unseen but critical to ensuring long-term efficiency.

2. Data quality: The unsung hero of effective decision-making

Data quality is the bedrock of effective governance. Poor data quality creates a ripple effect where one wrong data set leads to misguided decisions, ineffective risk management, and compliance failures.

As Brooke puts it, bad data creates strategic vulnerabilities, because it skews vulnerability prioritization.

Governance helps enforce data discipline to ensure data integrity, accuracy, and reliability across functions for better risk visibility and meaningful insights.

3. Governance: A translation layer between compliance and business goals

“Nobody wakes up saying, ‘I’m gonna comply hard!’” Brian states, referring to the complex acronyms and jargon some organizations use to communicate. In fact, governance acts as a translation layer between regulatory requirements and business operations.

Ricky Waldron shares an example of how, instead of communicating the wordy NIST 800-53 controls, he prefers translating them into actionable steps for non-technical teams.

For example, the PeopleOps team must understand what is required from them when conducting background checks and how this exercise contributes to overall compliance posture. This approach fosters greater understanding and accountability, helping shift the ‘compliance as a checkbox’ perspective.


4. Communicating risks the right way

The correct way to communicate risks is to anchor those discussions around business use cases and relevance. Ariana shares some wisdom nuggets on how to achieve this:

  • Position security as an enabler. “Don’t say audits require this; say this protects the business.” The switch from ‘audit compliance’ framing to business protection language makes the message clear and relatable.
  • Take a human-centric approach where you don’t position security teams as enforcers but as allies to foster better collaboration. It minimizes any resentment and brings a mindset shift from security as a policing function to security as a partnership that supports business objectives.

Adding to this, Ricky Waldron talks about using quantification techniques such as FAIR methodology for financial impact assessment. This is useful when communicating with executives such as CFOs. It gives an idea about not only fines and penalties but also secondary costs such as legal fees, customer churn, engineering hours, and credit monitoring costs.

Similarly, Ash Duttachowdhury emphasizes the ISO 27001 framework (clause 6 for risk management) for systematically quantifying risks, justifying risk decisions, and maintaining a risk register.

5. Striking the right balance: Quantification meets context

While quantification techniques can support your case, numbers alone are not enough. You need narrative and contextualization to bridge the gap. This happens when you tailor the message according to the audience.
Joseph recalls his team spending two days defining terms like ‘use case’ to create a shared language and align on initiatives.

Also, Kannan shares the perfect example in this regard: For CFOs, focus on revenue impact; for engineers, talk about attack vectors.

Another area that requires balancing is not getting too rigid with numbers. Brian suggests using ranges instead of absolutes and modeling scenarios with minimum and maximum estimates to reflect real-world unpredictability.

Here’s an example: the phishing rate under normal circumstances is 5%. During mergers (which are high-stress situations), this can increase to 15-30%.

Humans behave differently under stress, so framing the figure this way shows how tired or stressed employees can move the numbers. This makes the data more meaningful for nontechnical audiences.

6. Building resilience with business impact analysis

Business impact analysis is the starting point for understanding and communicating risks. According to Kannan, it helps minimize the ‘everything is critical’ syndrome and distinguish the crown-jewel assets. It also quantifies things like downtime costs or loss of customer trust and sets recovery objectives and priorities accordingly.

Like BIAs, PIAs or Privacy Impact Assessments are not just a GDPR mandate, says Ariana. They help map data flows, which supports breach prevention and proactive risk reduction. Privacy by design ensures compliance doesn’t clash with day-to-day operations.

Business resilience comes when you care for both because BIA tells you what to protect, and PIA tells you how. This reduces surprises for businesses and helps them recover faster.

Stay tuned for our next roundtable

Whether you’re looking to enhance your governance practices or refine your risk management strategy, these insights are a great starting point. And the best part? The goldmine of perspectives doesn’t end here! Our next roundtable is happening on April 25th, and we’ll be back with another treasure trove of insights. Meanwhile, you can sign up for our newsletter for more such practical takeaways.

In the meantime, if automating GRC is on your radar, Sprinto is your go-to platform. With built-in policy templates, ready-made training modules, automated evidence collection, role-based access controls, and real-time dashboards, it takes care of the heavy lifting — delivering maximum output with minimal input. Talk to an expert today and see the platform in action.

Payal Wadhwa
Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
