Why Careers in Cybersecurity GRC are Underrated: Rant Part 1

Does it raise a skeptical eyebrow when I say that I really enjoy working in Cybersecurity Governance, Risk, and Compliance (GRC)? If so, let's fix that. Since crossing over from Finance in 2020, I've found GRC to be awesome, underrated, and not well understood. Rant incoming to elevate GRC perceptions and realities, which can encourage new entrants and unlock dormant capabilities for Cybersecurity programs.

First, let's address the elephant in the room: GRC isn't considered "cool." Just look at the SANS Institute's list of the Top 20 Coolest Cybersecurity Jobs. GRC isn't even on there.

Or watch any YouTube video about cybersecurity careers, and inevitably, when GRC comes up, it's accompanied by a laugh and a comment about how it's "not the fun part."

I get it. If I had elite hacking skills from spending 10,000 hours understanding Information Systems so well that I could break into them, I'd probably rather be pen testing or developing exploits too. Hacking systems Mr. Robot style is exciting in a way that testing controls and writing audit work papers definitely is not. But the thing is, my 10,000 hours have been spent practicing business administration, accounting, compliance, and being a finance business partner. This didn't entail much hands-on keyboard hacking, but I did get valuable transferable skills needed in Cybersecurity from having hands-on phone, hands-on clipboard, and hands-on Excel pivot table.

So while I don't start on day one with depth in the enormous and rapidly changing body of knowledge covered by the Certified Information Systems Security Professional (CISSP) domains, each of which is a career in itself, GRC can add a lot of value with only a 20% depth of knowledge in these areas. Also, GRC teams can be assembled Avengers style with complementary skills from diverse backgrounds. In fact, some of the best GRC people I've encountered came from accounting, software development, and running a small business. As gritty, continual learners, they were able to comprehend new concepts quickly and apply transferable skills they already had.

So if you're not already a l33t hacker, I would argue that GRC is actually one of the best places to start a cybersecurity career. And even if you are highly technical, it's still a great place for a temporary rotation to unlock the benefits listed below on the path to your next promotion.

Here are the seven specific things that I think make GRC awesome:

First, we are revenue-enabling. Our security assurance work has us directly supporting sales reps in the field and occasionally interfacing directly with customers. That's where you want to be to understand customer needs, how your company can meet them, and how to make a business impact.

Second, breadth. We get to work with the top experts across all departments, the control owners. That includes the Security Operations Center, Architecture, Engineering, Product Security, IT, Finance, HR, Legal, Privacy, and more. I've really enjoyed learning about diverse topics ranging from revenue accounting to software development. Both are very technical, very complicated, and very interesting, and it's a front-row seat to observe and understand those processes and their outcomes.

Third, top management. Risk and compliance reporting is consumed by executives, so GRC gives you exposure to senior leadership early in your career, which is a great opportunity.

Fourth, immersion. When you're exposed to all the departments, you get to learn through immersion and practical application. Even if you want to be very specialized and technical, it might be helpful to your career to rotate into GRC and then rotate out, because when you go into your swim lane, you'll bring with you that bigger picture perspective on how your function fits into the rest of the company.

Fifth, business is booming. Demand for customer trust and assurance continues to ramp up, driven by digital transformation, the cost of cybercrime, and the proliferation of flawed and complicated technology, so GRC continues to be in demand.

Sixth, and this is my favourite, GRC is a feeder role to get your foot in the door. In 2019, I didn't think it was possible for me to break into cybersecurity mid-career from Finance. I heard it was a hot industry and looked like pretty interesting and meaningful work, but I was specifically told that I was not a good fit because I didn't have a computer science degree or a technical diploma. But that was bad advice.

Only a portion of cybersecurity problems are technical, blinky lights, and software. There's a lot of people, process, and technology to work on. And don’t take my word for it, check out cyberseek.org. It objectively shows a path I've taken to go from Finance to IT auditor to Cybersecurity consultant to Cybersecurity manager. If I can do it, you can do it. You can connect your career to one of these paths.

Seventh, blue ocean environment. If you can find a way to add value in an uncontested market space, you can make an outsized impact to elevate your career. Cybersecurity is the new kid on the block, still in the early innings. It's not a well-worn path, so it's an opportunity to jump in on the ground floor and bring process maturity from other functions you've worked in, which can add a lot of value.

So that's the full list unpacked. I hope it’s helpful to throw GRC some love and open some doors for people to consider an unseen career path. Or if you're exposed to a GRC team that isn't doing a great job, perhaps you could be the person to turn it around. Make it your own Cinderella story.

Additional Resources

YouTube clip about IT audit careers that is talking about me, noting that GRC is "usually not the fun job"

In a follow-up discussion more context is added, including some great things about GRC, and of course I continue to be a huge fan, but the original laugh is now permanent record on the internet, and I think it is representative of a broader sentiment you'll find out there.

Views expressed are my own. Questions and feedback are welcome.