In Episode 107 of the Cybersecurity Readiness Podcast Series, Dr. Dave Chatterjee is joined by Richa Kaul, Founder and Chief Executive Officer of Complyance and a former public sector technology policy leader, to address one of the most consequential misunderstandings in enterprise security governance: the assumption that compliance equals security.

Opening with two recent and high-profile incidents — the May 2025 ransomware attack on Marks & Spencer, which halted online operations for weeks and generated estimated losses exceeding £300 million, and a concurrent third-party support provider compromise that exposed customer data across multiple platforms including Discord — Dr. Chatterjee establishes the episode’s central premise: organizations that invest heavily in GRC platforms, generate dashboards full of green indicators, and maintain formal compliance certifications can still be catastrophically breached. The gap between compliance and security is not theoretical. It is structural and where attackers operate.

Kaul explains the root cause with precision. Traditional GRC tools were built to centralize data and automate workflow notifications — functions that reduce administrative burden but do not reduce risk. The result is a compliance theater dynamic in which organizations check boxes, pass periodic audits, and receive certifications that say little about their actual security posture. The Complyance platform is built on a different philosophy: compliance with standards should be a byproduct of genuinely good security practices, not the objective in its own right.

The episode explores the architecture of intelligent GRC: continuous monitoring across all integrated sources of truth, agentic AI that automates evidence collection and remediation guidance, tiered third-party risk programs that apply scrutiny proportional to vendor criticality, and risk quantification frameworks that translate security signals into board-level governance decisions. Kaul is equally precise about what GRC platforms cannot do: they cannot substitute for operational security teams, and no platform — however sophisticated — can protect an organization whose leadership has not committed to genuine risk reduction as the governing objective.

Analyzed through Dr. Chatterjee’s Commitment–Preparedness–Discipline (CPD) framework, the conversation reframes GRC from a compliance function into a governance discipline. The episode’s central message is neither technical nor vendor-specific: the organizations that will withstand the next breach are not those with the most compliance certifications — they are those that have claimed ownership of the problem, built the continuous processes to address it, and institutionalized the discipline to keep those processes operating after the audit is over.

To access and download the entire podcast summary with discussion highlights - https://www.dchatte.com/episode-107-compliant-but-exposed-rethinking-grc-for-real-security/

Connect with Host Dr. Dave Chatterjee

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Books Published

The DeepFake Conspiracy

Cybersecurity Readiness: A Holistic and High-Performance Approach

Articles & Cases Published

Chatterjee, D. (2026). Root: Automating the Remediation Gap, Ivey Publishing, Jan 7, 2026.

Ramasastry, C. and Chatterjee, D. (2025). Trusona: Recruiting For The Hacker Mindset, Ivey Publishing, Oct 3, 2025.

Chatterjee, D. and Leslie, A. (2024). “Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness,” Business Horizons, Accepted on Oct 29, 2024.

Isik, O., Chatterjee, D., and Lourenco, D.A. (2024). “Getting Cybersecurity Right,” California Management Review — Insights, Accepted for Publication, July 8, 2024.