Beyond the API: GRC Engineering in the Real World w/ Ange Ferrari, CISO/SVP @ METRO AG

Want more? Subscribe to the GRC Engineer newsletter for exclusive content including a detailed transcript of this episode in next week's edition: https://grcengineer.com/subscribe

In this insightful episode of the GRC Engineering Podcast, host Ayoub Fandi sits down with Ange Ferrari, SVP & CISO at Metro Group, for a deep dive into how GRC has evolved over two decades and what it takes to scale security programs globally.

Our expert guest:Ange is a security leader with 20+ years experience across public sector, retail giants (Carrefour, IKEA), AWS EMEA, and now leading security for a global wholesaler operating in 36 countries.

We explore the evolution and engineering of GRC at enterprise scale, covering:

• How GRC became the key to career growth from technical roles to CISO
• Why cloud transformation shattered traditional risk frameworks
• The reality of implementing controls across diverse, global technology stacks
• Hot Take: The critical balance between prevention and detection that most miss
• AWS insider perspective: What enterprise-scale compliance really looks like
• Engineering pragmatic GRC programs that work in messy, real-world environments

Whether you're a CISO scaling global programs, a GRC professional in traditional industries, or anyone trying to make compliance work in complex enterprise environments, Ange shares battle-tested strategies from the front lines.

📋 Timestamps:00:00 - Introduction and Ange's Background02:57 - How GRC Enabled Career Growth
06:34 - Evolution of GRC Practices Over Time14:52 - Common GRC Implementation Failures25:56 - Defining GRC Engineering33:01 - Where Should GRC Teams Report?39:20 - GRC Challenges in Complex Enterprise Environments49:05 - Lessons from the AWS Vendor Side59:46 - Building Technical Skills in GRC Teams01:03:39 - Hot Take: Prevention vs Detection Balance