August 21, 2025 73 mins

What’s the true relationship between compliance and security? According to Evan Millman, compliance may not be security—but it’s the necessary starting point for building it.

In this episode, Raj sits down with Evan to explore how organizations can shift their GRC approach from reactive checkbox checking to a proactive and risk-informed security practice. Evan shares stories from his work at Abnormal.AI, lessons from scaling GRC in fast-moving environments, and practical advice for anyone trying to align controls with business objectives.


5 Key Takeaways:

  • Compliance is not the destination — but it is the framework for real security conversations.
  • Say no to overkill — right-size controls based on business needs, not frameworks.
  • Decentralized GRC works — but only if there’s shared ownership and trust.
  • “GRC therapy” is real — and it starts with building internal relationships.
  • Metrics matter — but only when they tell a story that drives action.


What You’ll Learn:

  • Why compliance ≠ security (but still matters)
  • The pitfalls of checklist-first GRC programs
  • How to build GRC partnerships across product and engineering teams
  • Why business-aligned storytelling is the future of risk communication
  • How Abnormal Security approaches frameworks like SOC 2 and ISO 27001

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: compliancecow.com

Connect With Our Guest:

Evan Millman | Security GRC Manager | Abnormal AI
Connect on LinkedIn

Rate, review, and share if you enjoyed the show!
Subscribe to
Security & GRC Decoded wherever you get your podcasts:

Spotify and Apple Podcasts


🕒 (Approximate) Timestamps

[00:02:40] What makes Evan passionate about security GRC?
[00:04:30] How compliance ≠ security — and why that distinction matters
[00:06:50] When GRC goes wrong: overkill, checklists, and inefficiency
[00:10:15] Building trust by embedding security into product discussions
[00:14:40] Right-sizing controls: starting with SOC 2 vs ISO 27001
[00:18:10] Managing a decentralized GRC team at Abnormal
[00:23:02] Metrics and storytelling — what the board actually wants
[00:29:45] Why GRC leaders need emotional intelligence and empathy
[00:35:20] What GRC professionals can learn from product managers
[00:39:11] Evan’s advice to vendors trying to break into GRC
[00:41:05] How GRC can (and should) enable product velocity
[00:44:55] If he could wave a magic wand, what would Evan fix in GRC?