Breaking silos: How to align GRC, cybersecurity, and privacy teams

What goals unite security, GRC, and privacy teams?

The number one goal that unites security, GRC, and privacy teams is the need to protect the brand. That goal rolls up to company-wide business objectives, which is to generate revenue and grow. In order to do that, customers have to trust and want to do business with us. And to do business in certain industries and countries, there are often regulatory requirements whether that’s GDPR, CCPA, or PCI-DSS.

Although we align on the goal of protecting the brand and meeting regulatory requirements, each team has different though sometimes overlapping responsibilities when it comes to how we fulfill these goals.

Let’s take an example of onboarding a new customer, which supports the business objective of generating revenue and growth. 

The security team ensures that the company’s cybersecurity posture is sound so that new customer’s data is protected and put in the hands of only those who need it. This may involve a more tactical approach, such as conducting vulnerability scanning, leveraging a monitoring tool to look for suspicious activity, or stopping a threat that could expose customer data.

The privacy team (often part of the legal team) reviews the customer contracts. They ensure that personal data is protected by determining how it can be used and how individual rights to that data are fulfilled. 

The GRC team thinks about the additional risk that the company takes on with each new customer, which is a necessary part of growth. They are focused on deploying and maintaining compensating controls and conducting risk assessments so that they can meet the requirements of regulatory, industry, and GRC frameworks. What they achieve is not just for individual customers, but for the longer-term objective of expansion and being ready to take on business in certain industries and geographies. 

What are the biggest challenges cybersecurity leaders face when building alignment across teams? 

It comes down to communication and strong relationships. 

Security-specific or technical language can create barriers, especially when engaging stakeholders outside of IT. For example, when cybersecurity leaders point out flaws in a stakeholder’s database security without first understanding the constraints they face, this can create friction and resistance to change. Instead, it’s best to sit down with the team, discuss the risks, and work together on a plan. Sometimes, it’s a quick fix; other times, it’s about finding ways to get the budget or resources the other team needs. The goal isn’t just to solve the immediate problem—it’s to build trust and turn those stakeholders into security champions.

It’s also about relationships. A question in Gartner's peer community asks, “How can security leaders build impactful partnerships with their chief privacy officer and/or chief data officer? What can they do to ensure effective ongoing collaboration on all things data?” A CISO in Education responded with: “When joining an organization, it's essential to identify key roles and build relationships with those individuals. For me, this means creating a Venn diagram of who I need to talk to, and chief privacy officers and legal teams are always at the top of that list. Building strong relationships often involves informal meetings, such as buying coffee or having lunches together. Although budgets might be tight, these interactions are crucial for fostering collaboration. Regular and purposeful meetings with privacy officers help ensure that we are aligned in defining policies and governing mechanisms.”

What cybersecurity risks do these teams care about? 

The focus on data is where security, privacy, and GRC intersect. For instance, at a former company where I worked, we handled millions of sensitive customer records. All three departments worked together to implement tools for data discovery, classification, and data loss prevention, with a unified goal of protecting our most sensitive data first. The interesting thing to note was that each team had a different approach to risk management:

The security team cares about where the data is, how it’s protected, and who’s accessing it. Data sprawl is a major risk, so we need clear visibility into its location, whether on-prem, in the cloud, or spread across hybrid environments. Just as important is to continuously monitor data, including ETL processes. If we’re not proactively tracking how data moves and who interacts with it, we’re leaving gaps that attackers can exploit. That’s why we focus on ongoing monitoring to detect and respond to potential threats before they escalate.

The privacy team cares about how the data is collected, stored, and processed in compliance with regulations like GDPR and other privacy laws. Their key concern is minimizing data collection to what is necessary, reducing the risk of non-compliance and potential legal exposure. They need clear visibility into the types of personal data that are being collected. Additionally, they track whether data is crossing international borders, how long it is being retained, and if it’s being shared with teams or third parties. 

The GRC team cares that security controls are aligned with regulatory and business requirements. In my extensive experience, GRC can sometimes focus too much on ticking boxes for frameworks instead of addressing actual risks. I’ve seen it happen too many times: a company implements controls just because a framework says so without questioning, “Is this control even relevant to your business?” I once worked with a team that proudly told me they had a control in place to encrypt all cardholder data. Under normal circumstances, that would make sense. Except we didn’t process credit card payments at our company!

Instead of focusing on adding more and more controls, it’s about aligning cyber GRC with business objectives. Frameworks like ISO or PCI-DSS are helpful starting points, but they’re not a one-size-fits-all. It's far more important to focus on implementing controls that address your organization's risks (even if they’re not part of a standard security framework).

Best practices for security leaders working with privacy and GRC teams

Final thoughts

One of the biggest takeaways I’ve learned is that security is just as much about people as it is about technology. Policies and controls only work if teams understand them and are on board. The key is building cross-functional teams that speak the same language and collaborate to protect the business.