The Art of Cybersecurity: Real-World Risk & Compliance Strategies

By: Cheri Hotman

Cybersecurity is as much art as it is science or technology. It must be creatively designed, right-sized, implemented, and sustained—all within stealthy constraints: finite time, budget, resources. Meanwhile, customers demand this framework, that standard, and yet another security questionnaire. It’s a lot to juggle—balancing security that genuinely protects people and data with the theater that often slips into meaningless checkbox exercises. On this podcast, expect sharp, unfiltered conversations about the realities of cyber and what it truly takes to do it right—and make it actually matter.
Cheri Hotman
Episodes
  • The Art of Cybersecurity: Why Governance Is More Than Checklists
    Mar 16 2026

    In this episode of The Art of Cybersecurity, Cheri Hotman sits down with GRC leader Jerry Koshy for an honest, practitioner-to-practitioner conversation about what it really takes to build effective cybersecurity and risk programs.

    While compliance and risk management often get framed as rigid processes or box-checking exercises, Cheri and Jerry explore why the most impactful work in GRC is actually an art form—one that requires leadership, communication, and the ability to align people across an organization.

    Together they discuss:

    • Why governance is often the most overlooked part of GRC

    • How cybersecurity professionals must act as business enablers, not roadblocks

    • The role of culture, buy-in, and relationship building in successful security programs

    • Why many organizations struggle with audits and third-party risk management

    • How strong GRC programs focus on continuous improvement, not just passing audits

    They also dig into the realities of burnout in the field, the importance of emotional intelligence in leadership, and why the best cybersecurity programs succeed because of people—not just technology.

    This episode is a candid look at the human side of cybersecurity, and why building secure organizations requires both science and art.

    37 m
  • AI Without the Hype: People First, Governance Always
    Feb 20 2026

    AI is not the boogeyman. It is not a magic fix either. In this episode of The Art of Cybersecurity, Cheri Hotman sits down with Erica Shoemate (former FBI and U.S. intelligence community, now working across tech policy, trust and safety, and AI literacy) to talk about what most AI conversations miss: the human stakes.

    They dig into why “we passed the audit” is not the same as being secure, why integrity has to show up in daily decisions and not just on a values page, and how companies can adopt AI without sacrificing governance. Erica shares a practical example of using internal GenAI to speed up regulatory readiness and control mapping while keeping human review and accountability front and center. The takeaway is simple. Use AI to reduce friction and busywork, so people can focus on judgment, risk, and critical thinking.

    48 m
  • Continuous Improvement in Cyber: Findings Are the Point
    Jan 2 2026

    In this episode, Cheri Hotman sits down with long-time colleague and GRC leader Peter Spier for a candid, no-nonsense conversation about what actually keeps organizations secure and what quietly puts them at risk.

    Peter brings more than two decades of experience across PCI, audits, and enterprise risk to unpack a topic most teams avoid. Integrity in GRC. Together, they challenge the obsession with green checkmarks, clean audit reports, and “passing” frameworks while ignoring what really matters. Reducing real risk.

    This conversation cuts straight through common myths:

    • Why a report with zero findings should make you nervous, not confident

    • How audits differ fundamentally from running a security program

    • The danger of scoping games and checkbox compliance

    • Why continuous improvement requires uncomfortable conversations

    • How ego, incentives, and fear quietly undermine security decisions

    Cheri and Peter also explore the human side of cybersecurity. Coachability, transparency, and the willingness to surface problems early before attackers do. This episode is for leaders, practitioners, and auditors who care less about appearances and more about building programs that actually protect the business.

    If you have ever felt uneasy about a “perfect” audit, struggled to push bad news up the chain, or wondered whether your compliance program is giving you a false sense of security, this conversation will resonate.

    57 m