You Need To Study GRC Engineering, Right Now!

GRC Engineering is so hot right now, and I can only see demand for these skills growing.

There's a great opportunity to build your capabilities through a new free resource called the GRC Engineering Learning Hub, which launched yesterday and features two of my podcasts as an "unsuspecting addition" from GRC Engineering Manifesto co-author Justin Pagano.

What is GRC Engineering?

According to the manifesto:

"GRC Engineering is a step-change evolution in security governance, risk, and compliance (GRC), and related disciplines such as trust and assurance. It's more than just 'GRC + writing code.' It's a fundamental shift in how GRC is done, one that fully embraces an engineering mindset (broadly speaking), systems thinking and design thinking, and a customer-centric focus around how best to deliver GRC outcomes."

Adopting an engineering mindset and learning how to write code makes a lot of sense against a backdrop of the Magnificent 7 (Alphabet, Amazon, Apple, Broadcom, Meta Platforms, Microsoft, and NVIDIA) bringing a historically high concentration of economic impact (with associated opportunities and risks) through the technology we depend on every day.

The obvious and immediate impact of GRC manifesto concepts is on organizations with cloud infrastructure, or those that were even born in the cloud. I had AWS Certified Cloud Practitioner on my initial draft GRC Certification Roadmap but removed it after feedback that it would only apply to companies with cloud footprints. I'm now overdue to add it back in.

Sure, the only constant in tech is change, and there has even been a surprising swing of the pendulum from cloud back to on-prem, whether for data residency reasons amid geopolitical tensions or for cost reasons with steady-state workloads. However:

  1. As McKinsey noted long ago, every company is now a software company

  2. Software development and cloud go hand-in-hand

  3. GRC engineering values such as "evidence, logic, math and reason over fear, uncertainty and doubt" can apply to any environment

Building Your Career Development Plan

In a 70-20-10 career development plan (CDP) to break into cybersecurity GRC, the formula flips for newcomers: over-weight education early to unlock relationships and experience opportunities. The traditional model suggests 70% of learning comes from experiences, 20% from relationships, and 10% from formal education. But when breaking into GRC, that 10% education component becomes your unlock mechanism—it's what makes the other 90% possible.

Key insights from my podcast with Ayoub Fandi, now featured in the Learning Hub, show how this works in practice.

Start with fundamentals, not tools

Ayoub began with a 15-hour course on IPv4. Not to become a network engineer, but to understand what he was securing.

When you work in security you're securing something. What is that thing?

Instead of jumping into penetration testing tools, he asked:

"What are the backbones of an information system?"

Tie learning to immediate application

Every piece of knowledge should connect to your current role. When building compliance dashboards at EY, Ayoub watched videos about the specific technologies he encountered: Red Hat, Citrix, IBM AIX. This wasn't abstract learning; it was immediately applicable.

Use affordable, targeted resources

Ayoub leveraged CBT Nuggets, O'Reilly subscriptions, Harvard's CS50 course, and YouTube channels with whiteboard explanations. The goal wasn't proficiency but understanding. Quality education doesn't require expensive bootcamps—it requires strategic selection of resources.

Persist in relationship building

Ayoub sent 450 LinkedIn messages when breaking into security. Only 15 people responded, but those connections launched his career. Some relationships continue today. Education gave him something valuable to discuss in those conversations.

The Labs Advantage for Your CDP

Especially interesting for the experiences section of your CDP is the Labs section of the GRC Engineering Learning Hub. Hands-on labs let you build real artifacts that stand out on your resume with a GitHub link. This transforms theoretical knowledge into demonstrable skills—exactly what hiring managers want to see.

Labs complement the foundational knowledge from certifications and take it to the next level. While courses and certifications provide structured learning and credential recognition, labs give you working examples of your capabilities. You're not just saying you understand cloud security; you're showing the automated compliance checks you've built.

Why GRC Engineering Matters Now

Modern organizations operate in staggering complexity. They run hybrid infrastructure across on-premises and multiple clouds. They integrate AI models into core services. They depend on hundreds of SaaS vendors. Traditional GRC approaches—built for simpler times—cannot keep pace.

As Ayoub explained in our conversation, GRC practitioners uniquely span the entire organization.

"You speak to developers, infrastructure teams, HR, legal... I think the experience we gain in GRC is the closest you can get to getting very strong business acumen while being in security."

But these conversations only work if you understand the underlying technology. GRC Engineering bridges this gap, combining technical depth with risk management expertise.

From Learning to Impact

My recent conversation with Richard Seiersen—possibly the first GRC engineer—dove into cyber risk quantification, showing how GRC professionals can communicate risk in business terms that drive decisions. This isn't entry-level content; it's advanced practice that helps experienced professionals refine their craft.

The GRC Engineering Learning Hub makes this progression possible. Start with fundamentals, build through labs, learn from practitioners, and gradually tackle more complex challenges. Each step builds on the last, creating a clear path from newcomer to expert.

Your Next Step

The resources are free. The community is welcoming. The demand for GRC Engineering skills is growing. Whether you're transitioning from another field or elevating your current GRC practice, the Learning Hub provides a structured path forward.

The GRC Engineering movement is gaining momentum, and early adopters will have an advantage. As more organizations realize they need technically savvy GRC professionals who can bridge business and engineering, those who've invested in these skills will be ready.

The question isn't whether GRC Engineering will become the standard—it's whether you'll be ahead of the curve when it does.