How do you build real trust between GRC and engineering? In this episode of Security & GRC Decoded, host Raj Krishnamurthy welcomes Tristan Ingold, Security GRC Program Manager at Meta. Tristan shares how consulting shaped his approach, why “policing” doesn’t work, and how GRC earns influence by acting as a partner to engineering -- not a blocker.

He discusses the cultural friction between audit, security, and product teams, how to communicate in the language of engineering, and why the right role for GRC is a “sparring partner” that helps teams ship safer, faster. From reframing control objectives to focusing on evidence the business already produces, this conversation is a practical playbook for building credibility and velocity at the same time.

5 Key Takeaways

• Partnership Over Policing: GRC earns influence by modeling partnership behaviors and meeting teams where they are.
• Translate Controls to Engineering: Use product language and existing telemetry; design evidence around the way the system actually works.
• Make It Observable: Treat GRC like an observability layer -- surface risk signals the business already emits.
• Tell the Story, Not the Score: Dashboards support the narrative; they aren’t the narrative. Lead with context and trade-offs.
• Define the Right Role: The best GRC teams act as a sparring partner --challenging, supportive, and focused on outcomes.

What You’ll Learn

• How to rebuild trust with engineering after “audit fatigue”
• Practical ways to convert control requirements into product language
• How to design evidence from logs, pipelines, and tickets you already have
• When to push, when to partner, and how to escalate with credibility
• Communicating risk trade-offs without killing roadmap velocity

Connect With Our Guest:
Tristan Ingold | Security GRC Program Manager | Meta

This podcast is brought to you by ComplianceCow - the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence.

Watch more episodes

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

• Spotify
• Apple Podcasts