GrailCast Live Ep. 3 Rewind: From Zero to Scaled: Building GRC Programs That Last ft. Matt Hillary

Luna Khatib - March 10, 2026

Matt Hillary (CISO at Drata) joined DataGrail CEO Daniel Barber for Episode 3 of GrailCast Live to talk about building scalable trust programs in a world where compliance frameworks, automation, and AI are evolving fast. Read on to learn about Matt’s six principles for scaling GRC programs.

Listen to Matt’s full conversation with Daniel Barber on GrailCast Live.

1. Understand your business

Before implementing controls or adopting a framework, security and privacy leaders should understand the company’s business model, customer expectations, and core risks. Effective compliance programs are tailored to the organization they serve, not just copied directly from a framework.

“Sometimes joining a company as a GRC practitioner is approaching a blank canvas if it’s a company that’s just barely starting their journey, and sometimes you’re joining a company that already had a prior leader and you’re just there to continue to paint on the canvas,” explained Matt. “But the reality is, the paints are the same. The way we utilize the paints varies by company.”

2. Explain the “why” behind controls

Security teams often lose buy-in when they rely on answers like “because it’s required for compliance.” Instead, Matt recommends focusing on the underlying risk. When teams understand why a control exists, security becomes a shared responsibility instead of a mandate.

This approach can help break down hierarchical divisions and friction between roles. Your goal is to be a partner, not a dictator, bringing your colleagues into the fold. 

3. Tailor your approach

Revisit your favorite governance frameworks. Now that you understand your unique organizational quirks and you’ve formed the right relationships, what will that framework look like at this organization? Matt says, “No two organizations are the same. That’s the fun part.” 

4. Find the right external partner

Matt emphasized the value of working with a talented assessor who truly cares about your organization’s progress. “We’re all trying to improve and grow here,” he explains. “With that mentality, an assessor can be really awesome.”

5. Adopt a GRC & Trust Management platform

It’s important to choose technology that meets your organization’s unique needs. Matt explained that most platforms ship with a library of out-of-the-box controls and policies that may or may not match your company’s goals. Once you have aligned those controls and policies with your own risks and objectives, move forward.

6. Strategically replace manual workflows with automation

Matt emphasized the value of focusing your attention on the things that matter, which means automating the rest of what you can. Still, automation needs governance too.

Automation works best when the underlying process is sound. Mapping workflows first helps teams identify the right control points and avoid scaling inefficient processes. Relationships are at the heart of it all. 

AI is unlocking major efficiency gains for trust teams. Matt remarked, “AI questionnaire assistance is an almost immediate deal cycle time accelerator, and builds trust with our sales team members.” 

From answering security questionnaires faster to helping teams analyze new frameworks, AI can remove manual work and help lean teams scale. Matt discussed how AI opens doors for compliance teams to get things done they never could have done without engineering support in the past. Human judgment still matters, especially when making risk decisions. 

Trust programs are becoming business enablers

Security, privacy, and GRC teams are no longer just compliance gatekeepers. They are increasingly responsible for enabling growth, entering new markets, and building customer trust.

As Matt put it, this is one of the most exciting moments for the industry.

Read more about how privacy serves as a core value and differentiator for Drata.

This episode is a reminder that strong trust programs are not about checking boxes. They are about clarity: teams understand the risk, leaders own the decisions, and trust becomes a shared outcome.
