
The Convergence of IT & Security and Risk & Compliance

IT and Compliance Departments Working Together With Greater Frequency

The Integration between IT and Compliance

A marked shift away from siloed IT and compliance teams is resulting in departmental convergence at many businesses. A tightening and consolidation effort between IT, security, and governance, risk, and compliance (GRC) has proven to benefit overall organizational security posture, and many businesses are making the change.

Here’s why: given the virulent landscape of security today and the ever-increasing compliance demands for all sectors, compliance must be built into IT designs, not added later. IT designs should not go forward without the blessing of GRC. Building in compliance from the inception of an IT project is considerably easier to execute than retrofitting.

Part of the function of GRC is not only to ensure compliance, but also to create and enforce policy. In concert with security and IT teams, one of GRC’s responsibilities is understanding what requires protection and which policies are needed to support that protection. Historically, IT and security teams often executed projects and established their own policies that didn’t necessarily originate from GRC, and the negative impact was getting hacked. When IT & Security and GRC work together, compliance becomes a more prominent influence and plays a tangible role in IT security.

The earlier GRC is involved with IT, the greater the benefit. Deploying a compliant system from the get-go is the ideal IT deployment scenario, simply because an organization typically cannot ever get more secure. Once a system is deployed, security can’t increase over time, but it can degrade. Additionally, IT is busy with the actual mechanisms used to control assets, but determining the most appropriate controls for systems is the job of GRC.


Comparing IT & Security and GRC Skillsets

Risk managers and IT specialists differ in that a risk manager is concerned with understanding the value of IT assets and their potential exposures, while an IT or security specialist will be more focused on the actual technical controls necessary to protect a specific asset.


IT & Security
  • Focus on necessary technical controls.
  • Determine which security controls can be increased to provide the highest possible level of protection.
  • Less concerned about risk and more concerned about actual security mechanisms.

GRC
  • Translate assets and potential exposures into consumable financial loss.
  • Understand IT assets and their value.
  • Identify asset exposures and threats which exist in the world.
  • Communicate risk and available controls to a CISO or CIO, who determines what amount of risk is acceptable.


Both IT & security and GRC have written policies in the past, and understandably so; each group deals with many of the same machines. Today, the integration between IT & security and GRC is increasing, with less overlap between responsibilities for greater overall efficiency and security. The integrated development of IT policy, and the compliance thereof, is key to achieving an optimal security posture.


Managing the Departmental Merge

Role definition is absolutely critical. Since both groups were once independent machines with overlapping functions, workloads that carry responsibility for policies, control development, compliance and risk should be singular in nature across departments.

Creating workloads that define how reporting occurs, how systems are adopted, and how policies are created will ensure that technical implementations run smoothly. The merge is a matter of roles, definition, and setting expectations within departments. Both departments still have independent value they bring to the table, but they do different things. It has always been a mistake for security and IT to make policies that are devoid of risk and compliance; embracing the change will only support the security of your business.

CSS develops controls and policies on a continuous basis by assisting customers with development within the GRC framework. If your security organization would like to learn more, contact us to talk about your cybersecurity compliance needs.