🎁 GRC Engineer 2025 Wrapped (+ Shape What's Next)
A year of frameworks, practitioner stories, and community building that moved GRC Engineering from theory to practice. Here's what resonated most—and where we're headed in 2026.
IN PARTNERSHIP WITH

Automate your SDLC Governance with Kosli
Are you delivering software in a regulated industry? Know the pains of ensuring supply chain security, change management, and runtime monitoring? Kosli automates all of the governance tasks in your software delivery process, giving you speed, security, and audit-ready proof—at scale.

⏰ Before anything else, I need 3 minutes of your time
Before we dive into the year that was: I've built a quick survey to understand what's working, what's not, and where GRC Engineer should head in 2026. Your feedback directly shapes everything from newsletter topics to podcast guests to the frameworks I develop.
It's 5 questions, takes 2 minutes, and helps me focus on what actually matters to you.
Now, let's look back at 2025.

The Year in Numbers 𝟷𝟸𝟹𝟺𝟻𝟼𝟽𝟾𝟿𝟶
What started as 135 subscribers in January ended at 2,300 by December. That's 1,600% growth, which isn't just growth, it's momentum.
Across 40 newsletter posts, we published 67,500 words and generated 95,300 impressions. The average open rate held at 62%, fairly high by industry standards. This means y’all are highly engaged! The click-through rate averaged 5%, with some posts hitting over 15%.
On the podcast side, we published 20 episodes featuring practitioners from Netflix, Docker, Zoom, Canva, METRO AG, and Google. The top episode pulled 475 total plays, with strong engagement across the entire season.
The audience spans 75% United States, 5.1% United Kingdom, 2.4% Australia, and the remaining 17.4% distributed globally across every continent.
This isn't just a newsletter. It's become a community of practitioners who are genuinely rethinking how GRC works.

What Resonated Most 📣
Newsletter 📩
Three posts drove the highest engagement this year:
- The Technical Foundations Every GRC Professional Needs: the "no-spreadsheet newsletter for GRC trailblazers" post that clarified exactly what technical knowledge matters and what doesn't. Turns out, you don't need to become a cloud architect to be effective at GRC Engineering.
- Rebuilding GRC from Scratch at Docker: Emre and Chad's story of completely rebuilding a GRC programme in six months using engineering principles hit hard. Real implementation, real constraints, real results.
- Automating Quarterly Access Reviews: GRC Engineering in Practice: the step-by-step practical guide that showed how to leverage existing IAM infrastructure to automate access reviews without building parallel systems.
Other standout posts included Are You Building for Auditors or Attackers?, Signal vs. Noise, and the entire GRC Collector Cards series, which became the most distinctive content format we've developed.
Podcast 🎙️
Four episodes dominated listens and drove the deepest engagement:
- Beyond The API: GRC Engineering in the Real World w/ Ange Ferrari: Ange's journey from technical pentester to Global CISO, with stops at AWS, IKEA, and METRO AG, offered rare insight into how GRC Engineering scales across different organisational contexts.
- Rebuilding GRC from Scratch at Docker w/ Emre & Chad: how two GRC engineers completely rebuilt a GRC programme in six months at a major tech company, walking through their implementation in forensic detail.
- Why Cyber Risk Quantification is the mindset shift your GRC program needs w/ Tony Martin-Vegue: learnings from an expert who conducted over 1,000 FAIR assessments, showcasing why CRQ and GRC Engineering are a natural fit.
- The GRC Engineering Blueprint for the Public Sector w/ Dr. Ibrahim Waziri Jr.: insights from a leader who delivered ATOs across US Federal environments, bridging cloud service provider and consulting perspectives.
The GRC Automation Vendors Roundtable also stands out as a first-of-its-kind conversation bringing seven competing platform executives together for an unfiltered discussion.

IN PARTNERSHIP WITH

Still looking for the perfect gift for your GRC friends and colleagues?
Look no further.
The Anecdotes GRC Holiday Store has a curated collection of punny and fun holiday items designed specifically for our community.

Love from the Community ❤️
LinkedIn's Year in Review feature revealed something I wasn't expecting: I appeared as the most-connected person for dozens of GRC practitioners, CISOs, and security leaders across the industry. These public shoutouts captured what this community has become.
Simon Goldsmith (CISO at OVO): "Shout out to Ayoub Fandi, the person I connected with the most on LinkedIn this year. I know I am one of many where Ayoub has been the individual they've interacted with the most on LinkedIn this year - I think it's a sign that he's building a community that can really change how we think about security. And just in time for the Agentic era. Mark my words, he's just getting started!"
Jake Bernardes (CISO at Anecdotes): "There's no real surprise here. Ayoub Fandi has done more in the GRC space this year than anyone else to raise its profile, importance & technicality...anyone want to disagree?! Add to that fact he's just a wonderful human being who I will always happily spend a day with mooching around the city."
Phil A. (Risk @ EDB): "Shout out to Ayoub Fandi, the person who I learnt the most from this year. Always producing great content!"
Charles Nwatu (ex-head of GRC @ Netflix): "Shout out to Ayoub Fandi, the person I connected with the most on LinkedIn this year. The conversations about work, life and everything in-between have been refreshing. Looking forward to 2026, looking forward to continuing working together to drive changes in GRC and Security."
Sid Roper: "Shout out to Ayoub Fandi, the person I connected with the most on LinkedIn this year."
Tristan Ingold (Security GRC @ Meta): "I'm not surprised at all. I'm not the first person to post that Ayoub Fandi was their most active connection throughout 2025, and I probably won't be the last before the end of the year. Whether it's his work at GitLab, GRC Engineer, or LinkedIn, he consistently moves the industry forward and we're fortunate that he so consistently offers to bring his peers along with him!"
Justin Pagano (Director of Security Risk & Trust at Klaviyo): "Huge thank you for the great discussions, knowledge sharing, and leadership around all things GRC Engineering this year. Cheers, dude! You've had such a big influence on me and so many others and continue to make such a positive impact on our profession - can't thank you enough for it."
Anton Horn (Founder at Envoy Security): "Including my own LinkedIn summary, this is the third time I've seen Ayoub Fandi being the person most connected with. He really is killing it with his content."
The GRC Collector Cards series sparked particular enthusiasm.
Kristi Hoffmaster: "Ayoub Fandi - these GRC Collector cards and writeups are AMAZING! Can someone say data-driven stocking stuffers?"
Mohamed Khalil Bouzemmi captured why they resonated: "Really enjoyed the GRC Engineering Collector Card: CISO by Ayoub Fandi. The 'collector card' concept feels like building a Yu-Gi-Oh! deck for GRC: each role has a purpose, and real value comes from strategy and synergy, not isolated controls or certifications. Great perspective on moving GRC from audit firefighting to continuous trust, speaking the CISO & board language, and positioning GRC as a strategic security partner, not just a compliance function."

What’s Ahead in 2026? 📅
This isn't just audience growth. It's a community actively reshaping how GRC works.
Huge news coming both personally and professionally in early 2026. More on that when I can share.
Your feedback through the survey will directly shape what GRC Engineer becomes in 2026. Whether that's deeper technical content, more vendor analysis, additional podcast formats, or something entirely different depends on what you tell me matters most.
No newsletter next week; we’ll see each other in the new year :)
I love y’all 💓
Onward and upward 🚀

That’s all for this week’s issue, folks!
If you enjoyed it, you might also enjoy:
My spicier takes on LinkedIn [/in/ayoubfandi]
Listening to the GRC Engineer Podcast
See you next year*!