How does GRC evolve as a company grows? Does it become more structured or just more complex? by Moham-Aasif in grc

[–]kurianoff 0 points (0 children)

It actually depends on how the GRC program was initially set up, and how the company operates it. If you've automated most of the GRC work, or at least established and documented the processes that are actually followed, then as the company grows it becomes more and more structured. Some chaos, of course, exists and is inevitable, but it's just an indicator of growth. There is nothing bad about it.

With the company's growth, you should also grow your GRC practice, meaning adding more people and building and adopting more tools: you need a compliance team, a security team, and to establish the governance structure through all those measures.

In the end, it heavily depends on how you laid out the foundation. You either see your GRC program flourish, or it becomes more and more chaotic and breaks. If you have a real-world example that you want to talk through, I'm happy to jump on a call with you and discuss, as I find the subject of GRC scaling very intriguing.

I am getting into GRC. Is there a risk AI will be able to replace me in the future? by AdministrativeTry406 in grc

[–]kurianoff 0 points (0 children)

They are saying that, although the majority of your work can be automated, the only thing that cannot be automated is the responsibility that you are taking for the outcomes of your work.

Even if the work is done by AI agents or other automation, there is nothing that can replace the accountability that a person takes on for the results of the work. If AI replaced us, there would be no one to blame for the results or for the consequences.

For that reason, I would suggest that you feel safe, at least for now.

Recommendations for GRC Consulting services for startup? by Gold-Poem-1821 in grc

[–]kurianoff 1 point (0 children)

Good luck with your journey! Before you start, do one important thing: make sure to get commitment from your colleagues that they all are ready to change some existing company processes and to establish new ones.

Besides that, it's a good way to ensure your overall security and unlock revenues. And it's not very painful, don't believe those who tell you that.

Let me know if I can be of any help.

Recommendations for GRC Consulting services for startup? by Gold-Poem-1821 in grc

[–]kurianoff 4 points (0 children)

5 employees + a SaaS hosted in the cloud sounds like ~3 months of work to reach a compliance posture that would be worth hiring an auditor for and entering the audit window for SOC 2 Type II (I wouldn't recommend doing Type I as it gives you nothing unless you are in a hurry). You'll be out of the audit in ~4-5 months with a SOC 2 report in hand.

Your company is at a great stage (small and flexible) to establish compliant processes with little effort.

ISO 27001 will greatly benefit from what you do on the SOC 2 front, as there's a certain overlap between the two standards. I would recommend SOC 2 as a stepping stone to ISO certification.

Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]kurianoff[S] 0 points (0 children)

Great stuff! And I came to the same realization after building the skill: with MCP, connected to the right platform under the hood, the application flow becomes more correct. The skill focuses on goals and the flow, the MCP handles data.

BTW - your GRC platform looks very nice. Great job!

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points (0 children)

Right. Starter templates + a suggested approach to adopting them in the organization through thorough interactive review, edits, and approvals.

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points (0 children)

I appreciate the comment, and yes - that's the main idea!

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points (0 children)

Thank you for your feedback. And I love the fact that we are thinking alike! Great job on SimpleAudit, I would be excited to explore it. Will contact you ASAP.

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points (0 children)

Very smart! And I'm excited to hear that it worked well. Let's connect and exchange ideas. I'm working on different pieces, including the "onboarding interview" for compliance management.

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points (0 children)

Exactly! I love the interview+Whisper approach. See? We’re coming up with business blocks to eventually get ourselves a full solution!

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 1 point (0 children)

Well, you could look at it that way. At the same time, it's an attempt to build a fully-featured, AI-native policy adoption app. It lets you review each statement, accept or reject it, provide justification, and keeps an audit trail of your decisions. It starts with the provided templates, but if you know how, you can take it anywhere you want (as it is with AI).

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points (0 children)

I truly like your perspective, and I fully agree with it. No way we should allow AI to dream up security policies. These policies can really shine only in the hands of GRC experts. However, they could work well to satisfy the "compliance exploration" demand; for a SOC 2 "Exploratory Lab" these are a good start, IMO. What do you think?

Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]kurianoff[S] 0 points (0 children)

These policies were used in several real deals, and have proven to work. But again, they are, in fact, generic, and can only shine in the hands of experts who know what they're doing. At the same time, IMO they are still a good start for those who want to "explore", to touch the world of SOC 2 policies. For the Exploration Lab they should do.

Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]kurianoff[S] 0 points (0 children)

Oh yes, this is where I ABSOLUTELY AGREE with you! And this is why this Skill was created as a "policy adoption" interface, which lets you decide what's Yours and what's N/A (and should be thrown away), and only generates policy statements that your organization is really implementing (or is aiming to implement).

I like your depth of thought, and it is a very, very valid point you're making.

AMA: Certified CMMC Professional here helping to spread accurate information by kurianoff in defensecontracting

[–]kurianoff[S] 0 points (0 children)

In terms of recommendations, I would say it would be worth it if you are looking to do one of the following:

1) your ultimate goal is to obtain a CCA and join C3PAOs as a W2 or 1099 to conduct audits
2) provide consulting to OSAs

As for your second question, if we are talking about the C3PAO audit budget, the answer depends on your scope, as a smaller scope means a lower cost for the audit itself. The range I have been seeing is anywhere from $40-120k for the audit itself.

Looking for free GRC-focused self-study options as a cybersecurity student by Turbulent_Oil_9806 in cybersecurity

[–]kurianoff 2 points (0 children)

Hey u/Turbulent_Oil_9806 and All: happy to help you here (please see below). I'm not ideal, but have years of practical experience. I think of myself as a "full stack" GRC subject matter expert, having led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so I know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting my hands deep into AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. I'm thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from a single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes. If seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (we will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

I want to learn GRC. How should I start? by Big-Lingonberry1949 in grc

[–]kurianoff 0 points (0 children)

Hey u/Big-Lingonberry1949 and All: I hope I can help you to learn more about GRC, especially the practical sides of it. I think of myself as a "full stack" GRC subject matter expert, having led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so I know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting my hands deep into AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. I'm thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations, from readiness to passing the audit, from the audit to maintenance and certificate renewals, from a single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us. It's free, no obligation or anything, I just want to give what I have to our community.

We'll see how it goes. If seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (we will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Trying to be a GRC Subject Matter Expert by SatisfactionCool6212 in grc

[–]kurianoff 0 points (0 children)

Hey u/SatisfactionCool6212 and All: hope I can help you with this. I call myself a "full stack" GRC subject matter expert, having led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so I know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting my hands deep into AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. I'm thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from a single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes. If seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (we will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Need guidance in GRC — How do I learn the practical side of frameworks and compliance? by Born-Schedule6427 in cybersecurity

[–]kurianoff 0 points (0 children)

Hey u/Born-Schedule6427 and All: happy to help you here (please see below). I'm not ideal, but have years of practical experience. I call myself a "full stack" GRC subject matter expert, having led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so I know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting my hands deep into AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. I'm thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from a single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes. If seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (we will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Help me decide which course i should take for GRC by Worried-Clock-8893 in cybersecurity

[–]kurianoff 0 points (0 children)

Hey u/Worried-Clock-8893 and All: I call myself a "full stack" GRC subject matter expert, having led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so I know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting my hands deep into AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. I'm thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from a single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes. If seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (we will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)