Security GRC Can Be a Business Asset (If We Let It) ft Abhay Kshirsagar, Director, Security Services and Tools, Salesforce

The Compliance Burden is a Choice

Security GRC has a reputation problem.

For too many teams, it’s an operational headache. Endless audits, reactive evidence gathering, and regulatory box-checking slow the business down. But it doesn’t have to be this way.

I recently had a conversation with Abhay Kshirsagar, Director of Security Services and Tools at Salesforce, who previously led Compliance Transformation Engineering & Continuous Monitoring at Cisco.

His perspective is clear: compliance can strengthen a business, creating trust and efficiency instead of being a drag on operations. The difference comes down to approach.

Abhay wants security teams to move past the mindset of compliance as a defensive function. Security GRC works best when it supports transparency, drives real security improvements, and contributes to business outcomes.

If you’d like to hear my conversation with Abhay, please check out the podcast “Security & GRC Decoded”.

Here are a few key themes that we discussed.

1. Customer Assurance is a Core Outcome of GRC

Abhay made a clear point: enterprise customers, prospects, and partners see compliance as a sign of security maturity. They expect proof that security controls are in place and regularly tested. Gaps in compliance create friction in sales cycles, raising concerns about risk.

“Security is all about protection, compliance is all about following the rules, and customer assurance is about increasing customer trust through transparency,” Abhay said.

At Cisco, Abhay’s team tracked customer friction points and specifically the compliance gaps that caused delays or concerns in sales cycles.

“We track something called ‘what makes our customers sad,’ which essentially means a customer made a request, and we were not able to fulfill it.”

Focusing on these issues helped the team prioritize security improvements that supported business growth. When compliance and customer expectations align, security programs become a driver for closing deals and reducing barriers in the sales process.

2. Compliance and Security Must Align with Business Goals

Abhay talked about how compliance needs to be measured in ways that executives care about: revenue, market expansion, and customer confidence. Security GRC is often viewed as a cost center, but that perception changes when the team can show its direct impact on business success.

“We also track security-influenced revenue. Through compliance and customer assurance, we are helping sales teams close deals and maintain ARR. But what’s the dollar amount? Leadership really appreciates that metric,” he said.

It’s such a powerful point. Compliance teams that make these connections clear will have stronger support from leadership. When security and compliance initiatives enable faster sales cycles, open new markets, or improve customer retention, they become part of the company’s competitive advantage rather than just an obligation.

3. Automation Should Provide More Than Efficiency Gains

Many teams look to automation to reduce manual work in compliance. And that makes sense. Compliance professionals are constantly asked to do more with less. More audits, more evidence collection, more reporting. And, often with limited resources. So anything that speeds up documentation and reduces repetitive tasks is a win.

But Abhay believes that automation needs to drive more fundamental improvements in how security and compliance operate.

“Compliance automation isn’t just about gathering evidence. The goal is real-time checks so that if a control fails in February, we don’t wait until the audit in August to find out,” he said.

This shift is critical.

For compliance teams, automation doesn’t just make compliance work faster. It makes it smarter, too. Instead of treating compliance as a point-in-time effort, teams gain continuous visibility into control effectiveness, allowing them to identify and address risks before they escalate.

For security teams, automation plays a different but equally critical role. Automated control validation helps catch misconfigurations, outdated policies, or security drift early. This reduces exposure before those issues become real vulnerabilities.

Rather than scrambling to fix problems long after they’ve occurred, security and compliance teams can validate controls in real time. That ensures compliance isn’t just an afterthought. It’s always audit-ready.

4. Transparency is a Growing Expectation, But It’s a Hard Problem to Solve

We’ve seen how regulators and customers want more visibility into security practices. That demand is increasing, especially with supply chain security concerns. Abhay pointed out that while transparency is necessary, sharing too much can introduce new risks.

“With SBOMs and SSDF, the government is saying: ‘You are all software producers, and we need to know where your software is built, what dependencies it has, and whether you’re using outdated components that could impact us.’”

Security leaders need to find the right balance. Providing assurance to external stakeholders without exposing operational details is a challenge.

“Transparency is a complicated problem because vendor risk teams assume that all vendors have poor security, so they keep digging deeper. But on our side, we have policies that restrict how much we can share.”

Security teams already manage disclosure through red teaming, security incident reporting, and controlled risk assessments. But navigating how much to disclose externally (without increasing risk exposure) is where the real challenge lies.

Abhay sees a gap in how security teams handle transparency. Customers want more insight, but internal policies limit what can be shared. He believes companies need a structured way to provide assurance and build trust without exposing sensitive security details.

5. A Risk-Based Approach is Essential for Security & Compliance Programs

Abhay emphasized that not every security issue deserves the same level of attention. Teams need to focus their efforts on high-value assets and the risks that truly matter.

“You can’t boil the ocean. Not every risk can be treated. You need to focus on the assets that, if compromised, would have the highest impact on the business.”

He also made the case for compliance teams working closely with engineers instead of operating separately.

“Be friends with engineering. Ask them: ‘What are your most critical assets? If this asset goes down, what’s the dollar impact?’”

A smarter, risk-based approach to compliance reduces unnecessary disruptions to security and engineering teams while ensuring that the right controls are continuously validated where they matter most.

This perspective isn’t unique to Abhay. Mosi Platt at Netflix shared a similar view when I spoke with him. (Read about that conversation here, or listen to the podcast.)

Security teams already prioritize risks, threats, and high-value assets. Many compliance teams are already moving in this direction, but making this a shared strategy with security can drive even greater impact.

When compliance follows this approach, it strengthens security operations instead of feeling like a competing priority. A shared risk-based strategy creates stronger alignment between security and compliance teams, ensuring that controls aren’t just checked but actively improve protection.

6. Consolidation & Strategy Reduce the Compliance Burden

Many compliance teams struggle with inefficiency because they treat each framework as a separate effort, leading to redundant audits and unnecessary work for engineers.

At Cisco, Abhay’s team took a different approach.

“We created the Cisco Cloud Controls Framework (CCF) as a consolidated certification strategy. The goal was to reduce the compliance burden on engineering by mapping multiple frameworks to a single baseline.”

By gathering evidence once and reusing it across multiple audits, the team reduced the number of interruptions to engineering teams while ensuring that all regulatory requirements were met.

“You don’t want engineers getting hit ten times a year for audits. We need a solution where we gather evidence once and reuse it across multiple audits.”

Of course, this problem isn’t unique to Cisco. Many organizations must comply with multiple regulatory frameworks (ISO/IEC 27001, SOC 2, FedRAMP, NIST, PCI DSS, etc.), yet the underlying security controls often overlap.

Without a unified approach, teams waste time proving the same controls separately for each framework, multiplying their workload instead of streamlining it. A consolidated approach ensures compliance efforts scale efficiently, reduces friction across teams, and improves security, all while minimizing audit fatigue. Everyone wins.
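To make the consolidation idea from this section and the real-time checks from section 3 concrete, here is an added example (not Cisco’s CCF or ComplianceCow code): a small common-controls baseline that maps one canonical control to the requirements it satisfies in several frameworks, so evidence is collected once, plus a continuous-check view that flags a control as soon as its latest evidence fails or goes stale instead of waiting for the audit. All control and requirement IDs are constructed placeholders, not the real framework clause numbers.

```python
from datetime import date, timedelta

# Constructed baseline: canonical control -> framework requirements it covers.
# IDs are illustrative placeholders, not real SOC 2 / ISO 27001 / PCI DSS clauses.
BASELINE = {
    "ENC-01": {"SOC2": "CC-enc", "ISO27001": "A-enc", "PCI": "R-enc"},
    "LOG-01": {"SOC2": "CC-log", "ISO27001": "A-log", "PCI": "R-log"},
    "ACC-01": {"SOC2": "CC-acc", "ISO27001": "A-acc"},
}

# Constructed evidence log: (control, date of automated check, passed?)
EVIDENCE = [
    ("ENC-01", date(2025, 2, 3), True),
    ("LOG-01", date(2025, 2, 10), False),  # control failed in February
    ("ACC-01", date(2024, 9, 1), True),    # last evidence is months old
]

def requirements_covered(baseline, control):
    """Requirements satisfied by one evidence collection for this control."""
    return sorted(f"{fw}:{req}" for fw, req in baseline[control].items())

def evidence_requests_saved(baseline):
    """Per-framework requests minus one collection per control = interruptions avoided."""
    return sum(len(m) for m in baseline.values()) - len(baseline)

def control_status(baseline, evidence, today, max_age_days=90):
    """Continuous view: latest evidence per control, flagged if failed, stale or missing."""
    latest = {}
    for ctl, when, ok in evidence:
        if ctl not in latest or when > latest[ctl][0]:
            latest[ctl] = (when, ok)
    status = {}
    for ctl in baseline:
        if ctl not in latest:
            status[ctl] = "no-evidence"
        elif not latest[ctl][1]:
            status[ctl] = "failed"
        elif today - latest[ctl][0] > timedelta(days=max_age_days):
            status[ctl] = "stale"
        else:
            status[ctl] = "ok"
    return status

def requirements_at_risk(baseline, status):
    """Every framework requirement an auditor would find unsupported right now."""
    return {ctl: requirements_covered(baseline, ctl)
            for ctl, s in status.items() if s != "ok"}
```

Because one failing control maps to requirements in every framework that reuses it, `requirements_at_risk` shows the full cross-framework blast radius of a single February failure the day it happens.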

7. The Future of GRC: A Security “Observability Plane”

Compliance has long been treated as a separate function, disconnected from security operations. As we spoke, it became clear that Abhay’s vision for the future of compliance goes beyond audits and documentation. He sees a future where compliance data is integrated into security programs, helping teams detect risks earlier and make better decisions.

“I don’t want compliance to work in a silo. Compliance data should feed into security operations, customer assurance, and business strategy,” Abhay said.

He envisions compliance as a real-time observability layer for security, much like how engineering teams use monitoring tools to track system health. When compliance insights are continuously available, security teams can spot patterns, identify control failures faster, and proactively address risks (before they turn into audit findings or security incidents).

“That data has a lot of useful applications,” Abhay said. “It can serve as a valuable input into security programs, the assurance program, and beyond.”

This shift is real. Companies that integrate compliance into security operations will reduce manual reporting, improve visibility into risks, and speed up decision-making at all levels. Instead of being a record of past actions, compliance can play an active role in strengthening security, resilience, and business growth.

This means compliance insights should flow into the same security ecosystems that teams already rely on (SIEM, SOAR, vulnerability management, and incident response workflows). That’s why at ComplianceCow, we’ve built 300+ integrations to ensure compliance findings can feed directly into security tooling. When compliance data is integrated, teams can detect risks sooner and act before small issues become full-blown security incidents.

Bridging the Gap: Solving Today’s Compliance Burdens While Advancing Security and Business Goals

For many security and compliance teams, the reality today looks nothing like Abhay’s vision of compliance as a business and security enabler.

Instead, teams are overwhelmed with manual evidence collection, redundant audits, and reactive compliance cycles that drain time and energy.

That’s exactly the problem ComplianceCow was built to solve, while also enabling the security GRC future Abhay describes that supports transparency, drives real security improvements, and contributes to business outcomes.

Here’s how ComplianceCow helps:

🐮 Automates security GRC controls evidence collection, analysis, and remediation, for traditional cloud as well as for proprietary, on-prem, and hybrid cloud environments, where traditional GRC platforms lack automation.
🐮 Eliminates redundant audits by mapping controls across multiple frameworks, reducing compliance friction for security and engineering teams.
🐮 Provides a second line of defense with continuous compliance monitoring, so teams can catch and fix issues before an audit happens.
🐮 Seamlessly connects with existing GRC platforms, eliminating manual workarounds and ensuring compliance teams work with a single source of truth.

By shifting compliance from a reactive, audit-driven function to real-time security assurance, ComplianceCow helps organizations:

🐮 Reduce manual reporting and compliance firefighting.
🐮 Improve security visibility and risk management.
🐮 Align compliance with business and security goals.

Our goal is to free teams from the survival mode they’re often in today, while setting them up for a smarter, security-driven compliance future.

Final Thoughts: Compliance Can Be a Business Accelerator

Security GRC doesn’t have to be a bottleneck. Abhay’s discussion with me focused on how teams can approach compliance strategically—through automation, transparency, and alignment with security and business goals. When done right, compliance creates real value.

This isn’t just Abhay’s view. Others I’ve spoken with share the same perspective (check out those conversations here). The best organizations aren’t treating compliance as a necessary evil. They’re using it to drive trust, efficiency, and security improvements that have a tangible impact on the business.

Abhay saw this firsthand at Cisco. By shifting from reactive compliance to continuous monitoring and automation, his team reduced manual workloads, strengthened security controls, and even helped accelerate sales cycles. Forward-thinking companies are following this model, proving that compliance can be a driver, not a drag.

More teams are recognizing that compliance doesn’t have to be a burden. By moving beyond check-the-box processes and siloed audits, they’re building programs that improve security visibility, reduce risk exposure, and create real trust with customers.

And this transformation isn’t theoretical. Organizations that integrate compliance into security operations gain a more resilient, proactive security posture while ensuring business success. The journey will look different for every company, but the goal is the same: smarter, stronger, and more strategic compliance.

🔹 Want to see if ComplianceCow’s capabilities fit your situation? Book a Demo
🔹 Listen to other conversations with security GRC compliance leads. Click Here