One path within Cybersecurity that holds a lot of potential for growth is Compliance and Governance, Risk, and Compliance (GRC).
A factor that makes this path compelling is that it could be a great way to get your start in Cybersecurity.
This will be a deep dive on GRC as a career path, part 3 of the series (which started with Cybersecurity Career Path: Detection and Response) where we discuss different career paths and roles within Cybersecurity.
We previously went over
Detection and Response
Threat Intelligence
Threat Hunting
Let's look into this career path and understand what a day in the life of a Compliance and GRC professional looks like.
What is GRC?
GRC stands for Governance, Risk, and Compliance, three areas that go hand in hand with each other.
An Information Security Governance, Risk, and Compliance (GRC) Specialist is a role within this realm that focuses on ensuring a company's information security policies and procedures are in compliance with regulatory requirements.
The Role of Compliance in Cybersecurity
In the layered world of Cybersecurity, Compliance professionals play a critical role. They ensure that an organization aligns with all applicable security regulations, working meticulously to understand these requirements and implement security controls that meet them.
Given the global nature of many businesses today and the expanding landscape of regulations, the role of Compliance professionals is vital because of the potential legal and financial consequences of non-compliance.
They navigate this maze of rules and regulations, ensuring that their organizations are always on the right side of the law.
Although some roles within GRC are technical in nature, many are more policy and risk assessment oriented. This makes the domain a potential entry point into the field.
A Day in the Life of a GRC Specialist
The role of a GRC specialist varies widely depending on the organization, but here's a snapshot of some typical duties and responsibilities:
Implementing Security Controls and Risk Assessment Frameworks
Conducting Security Reviews & Assessments
Implementing security policies aligned with standards (ISO 27001, SOC 2, NIST)
Reporting on Audit Failures
Now let’s dive deeper into this sample job description.
Implementing Security Controls and Risk Assessment Frameworks: develop and implement security controls that align with regulatory requirements, such as SOX or GDPR, ensuring sustainable compliance that furthers business objectives.
Conducting Security Assessments: GRC specialists perform and investigate internal and external information security risk assessments. They assess incidents, vulnerability management, patching status, penetration test results, and phishing/social engineering tests and attacks. The goal is to identify where there were shortcomings.
Reporting on Control Failures: They document and report control failures and gaps to stakeholders, providing remediation guidance and preparing management reports to track remediation activities.
These were taken from actual job descriptions, so you can be sure they reflect what is expected in the real world.
Key Skills and Qualifications
A career in Compliance and GRC requires a particular set of skills and qualifications. Relevant experience can sometimes substitute for a degree requirement. Experience in cybersecurity programs, audits, assessments, risk, remediation, or cybersecurity compliance management can help.
GRC professionals need a solid understanding of information security management, governance, and compliance principles, laws, rules, and regulations.
Skills in developing and implementing enterprise governance, risk, and compliance strategy and solutions are crucial. They must have the ability to communicate technical issues to diverse audiences, both in writing and verbally. Stakeholders vary, so having both written and verbal communication skills will help immensely.
Example Job Posting
Here is an example GRC role job description:
https://www.linkedin.com/jobs/view/4012087523
Directly from the job posting, some of the responsibilities include:
“Evaluating the security posture of our cloud infrastructure and application security designs, ensuring they comply with compliance frameworks such as SOC 2 and PCI DSS controls”
“Perform in-depth security assessments of third party hosted applications and systems, and provide security recommendations on the desired integration with such systems.”
You can see how having the ability to communicate technical issues to diverse audiences will be a key skill here.
What I Read This Week
Summiting the Pyramid: Robust and Accurate Detection
MITRE Engenuity, building on previous research, now includes resources to build accurate, robust analytics for host and network data.
Lessons Learned from Red Teaming 100 AI Apps
Microsoft’s testing of 100 of their Gen AI apps, with 8 main lessons learned outlined.
Brief Guide for Dealing with ‘Humanless SOC’ Idiots
Nice rant about how AI isn’t gonna replace us
Conclusion
The world of Compliance and GRC is complex and rewarding.
If you are detail-oriented and enjoy diving into complex frameworks, this could be an area to focus on.
If this sounds like something you want to dive deeper into, here are some resources to look into:
That’s all for this week! See you on the next one