GRC meets Enterprise Security: TPRM, Compliance, Zero Trust and M&A w/ Kane Narraway from Canva

Update: 2025-12-02

Description

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc


---


What happens when you have to merge three operating systems, satisfy FedRAMP requirements, and keep engineers happy whilst building enterprise security at scale?


In this episode, Kane Narraway, previously leading enterprise security at Atlassian, building Zero Trust at Shopify, and now running enterprise security at Canva, shares battle-tested insights on the intersection of GRC and enterprise security.


Kane's unique perspective comes from working across three major tech companies, navigating everything from SOC 2 to FedRAMP, and building security programmes that scale without creating friction for engineers.


Key Topics Discussed:


The Compliance-Security Partnership

How compliance evolved from yearly audits to sales enablement, and why that actually helps enterprise security teams implement controls faster.


Third-Party Risk Management Handover

The critical transition from TPRM intake to ongoing enterprise security management, and when you should actually push back on vendors.


Platform Consolidation vs Best-of-Breed

Real examples from extremely consolidated (Shopify with Google everything) to open ecosystems (Canva's hundreds of tools), and which approach suits your company culture.


Zero Trust and Continuous Compliance

Why Zero Trust principles align perfectly with GRC engineering, and how to turn point-in-time audit checks into continuous validation systems.


The User Experience Problem

How to implement security controls without creating shadow IT, including the "my machine is perfect" engineer problem and how to solve it.


M&A Security Integration

Principles (not playbooks) for security integration during acquisitions, including when to keep companies separate for compliance reasons.


The AI Compliance Challenge

Why current control frameworks don't match AI-driven access patterns, and what's coming when non-human identities start requesting access at scale.


FedRAMP, HIPAA, and High-Stakes Compliance

The difference between managing SOC 2 (30 minutes of sampling) and the compliance regimes that can dominate your calendar for months.


About the Guest:

Kane Narraway has spent over a decade building enterprise security programmes at some of the world's leading tech companies. Starting in UK government and BT, he moved to Atlassian where he built their corporate security programme, then to Shopify where he led platform engineering and Zero Trust, and now leads enterprise security at Canva in New Zealand. Kane specialises in building security at scale whilst maintaining developer velocity and user experience.


Connect with the Guest:

Kane Narraway: https://www.linkedin.com/in/kane-n/


About The GRC Engineer:


The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.


Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.


🌐 Visit: grcengineer.com

💼 Connect: linkedin.com/in/ayoubfandi

📧 Newsletter: grcengineer.com/subscribe


#GRCEngineering #Canva #EnterpriseSecurityCompliance #Automation #CyberSecurity #RiskManagement #ZeroTrust #DevSecOps

Ayoub Fandi