How to get into GRC

One of the common questions that I get from people who DM me on LinkedIn and on the GRC subreddit is how someone could get into Governance, Risk, and Compliance (GRC). I thought I would write up my thoughts on it.

When I talk about GRC, I am mostly referring to GRC in the IT/Security/Cyber space because that’s what I know best. A lot of what I recommend comes from my own experiences, so it might not apply to everyone.

And a big thanks to my friends for reading the first draft and giving me feedback, especially Ritesh Kini and Kate Redhead for letting me share their experiences and comments. Check this Reddit thread for a discussion on this post.

Typical Paths into GRC

Honestly, it’s quite difficult to get directly into a GRC role as a beginner. You need some sort of IT experience to be valuable in a GRC team.

Here are a few common paths that I have seen:

  • IT Role → Entry-Level Analyst Role: Some people move directly from a general IT role (Helpdesk, SOC engineer) into an entry-level GRC analyst position.
  • IT Role → GRC Project Participation → GRC Role: Some people get involved in a GRC-related project while in an IT role and then get into that job full time. For example, you could be involved in a certification process, an audit, a tool implementation, or helping with regulatory compliance. I took this path. I was given responsibility to implement ISO 20000 in my organization and this is how I got my entry into this space.
  • IT Role → GRC Team Worked with You and Liked You → Open Position in a GRC Team: Sometimes, opportunities come when there is a role that opens up in your organization’s GRC team. And, usually if you have made a good impression on the GRC team while you worked with them in the past, then you get a shot.
  • IT Consultant → GRC Project at Client → GRC Role: Someone who works as an IT consultant lands on a client project that involves GRC work. This might include conducting security assessments, audits, risk management, assisting with GRC tools, or implementing frameworks like ISO 27001 or NIST. Finding the work engaging, the individual then transitions into a dedicated GRC role within an organization.

My experience is that most transitions into GRC jobs happen within the same company, so lateral movement is your best bet. There is one more pathway I can think of, although I have not seen it that frequently in the GRC space:

  • IT Role → Take a lot of certifications → Entry-level Analyst Role: I have seen this approach work in technical positions. In this pathway, a person uses certifications to gain knowledge about GRC and then gets into a Junior or Entry-Level Analyst role in an Audit, Risk or Compliance function.

My friend Ritesh also talks about going from the tools side to an operational role:

One other way to get into GRC, especially in an Indian context, is to work with GRC tool vendors and learn about the space doing implementations and supporting projects, and then over a period of time getting that ‘light-bulb moment’ of: oh, this is how it all comes together.

Reddit user Apprehensive_Lack475 also made this point, which is accurate:

I would like to add shadowing others already in GRC to get early exposure to auditing. Most managers are cool with it and it allows you to build a relationship with GRC management. It ups your chances of moving into an open role.

If you get an opportunity to shadow an audit, that’s a great way to learn.

How Kate got into Risk Management

Kate’s story

My friend Kate Redhead is one of the best Risk Managers I know of. She shared how she became a Risk Manager, starting in Operations and eventually transitioning into IT:

I began in operations in both Banking and Investment management and moved over to compliance for a new challenge. After completing a diverse range of activities within the function, I was asked to represent compliance on a major project within the business where they were building an inhouse platform.

Starting with rule mapping, this quickly developed into policy and process writing and eventually onto risk mapping. I was doing operational risk before I realized what it was. From this I decided to pursue a qualification in operational risk management which then helped me secure my next role as a risk profiling specialist and then risk and compliance manager.

Wanting to expand my skill set further, I completed the IRM Digital Risk Management Certificate, which allowed me to move into IT GRC and progress to Senior Risk Manager. When looking for new roles I had seen that the digital aspect of risk management was a gap in my knowledge and was a common requirement within risk management roles.

Things You Can Do to Get Noticed

  • Offer to volunteer and enthusiastically support GRC-related initiatives.
  • Some large companies assign a department coordinator to manage certain GRC activities on behalf of the entire department. If a department coordinator role comes up, volunteer for it.
  • Perform a gap assessment against a framework like NIST CSF or ISO 27001. In many companies this makes an impression on managers while also adding value to your organization.
  • When a new regulation comes out, read it, do a gap analysis and share it with your supervisors. If you do it well, chances are that when a project is created to implement the regulation, you get to participate.
  • Attend relevant training courses and pursue certifications to build your knowledge base.

Typical GRC Jobs

Once in GRC, there are several common roles that you could fill, such as:

  • Risk Management: Assessing, managing, and mitigating risks.
  • IT Audits: Ensuring compliance with regulations and standards through regular audits.
  • Assessments: Conducting security and risk assessments to evaluate compliance.
  • Policy Development: Developing and maintaining security policies that align with best practices and organizational needs.
  • Standardization: Ensuring consistent practices across the organization through the implementation of standards and guidelines.

How Technical Should You Be?

A common question is how technical you need to be to succeed in GRC. In my personal opinion, having some technical knowledge is incredibly helpful. Especially on the security GRC side, previous experience working in a security domain helps.

A good grasp of IT fundamentals can go a long way in helping you understand the context for the policies, standards, and frameworks that you will work with.

Essential Skills for GRC

  • Ability to Read and Interpret Standards: A big part of GRC is understanding frameworks, standards, and regulations, which often means reading lengthy, dry documents. It’s important to have the patience and curiosity to absorb these materials.
  • Comfort with Abstract Concepts: Being comfortable with abstract concepts is crucial. GRC often involves interpreting guidelines that aren’t always black and white, which requires a level of comfort with ambiguity.
  • Breaking Down Tasks Clearly: GRC involves a lot of compliance requirements and processes. Being able to break down these requirements into actionable tasks is key.
  • Handling Paperwork: GRC is known for its documentation—policies, reports, audit evidence, and more. If you aren’t bothered by paperwork and find satisfaction in organization and detail, you’ll do well.
  • Ability to Build Relationships: One reason people in security, audit, compliance, etc. have a bad reputation is that some of them act as police rather than as partners. If you are interviewing internally, you have a higher chance of being selected if you are known for building relationships and have proven to be a trusted partner.

Ritesh:

I think curiosity is key: curiosity to understand a seemingly complicated regulation, which is complex only because it needs to be ‘clear’ (I know! It’s the opposite of what it sounds like), and then simplify it enough to make sense in the real world. Like GDPR, seemingly complex, but in reality so clear on how data privacy, esp. in today’s world, is so important and why enterprises should comply.

A friend emphasized problem solving:

You need to be a good problem solver… when I’m interviewing for a role I always ask about their problem solving skills and how they deal with stakeholders.

Another friend who works in auditing shared her experience:

Becoming a good auditor isn’t just about conducting audits; it’s about making sure the people you’re auditing don’t feel like they’re being audited. I learned how to create a friendly and non-intimidating environment by watching the auditors who visited our company. I picked up techniques from those I respected and adapted my style accordingly, avoiding the approaches of those who were rude or just hunting for faults.

Over the years, I’ve found that understanding both the business and IT aspects really helps. I make friends in Operations and make an effort to learn their processes. This way, when there’s a finding, I can discuss it in terms they understand. People often get lost in IT jargon, so knowing the business side of things really bridges that gap.

A recurring theme in all of these is that the soft-skills part of the job is as important as the subject matter expertise. Don’t focus only on subject matter expertise; spend time building relationships, learning about processes and being known as a solutions-oriented person in your organization, so that when an opportunity arises you are seen as a leading candidate.

How Do You Know if You Will Be Good at GRC?

There are certain traits and skills that can indicate whether you’d be good at GRC:

  • Pattern Recognition: One of the biggest traits I’ve noticed in successful GRC professionals is their ability to recognize patterns. They often say things like, “Isn’t this the same as X?” or “Can’t we tweak this other thing and be compliant?” They are great at connecting different ideas and finding similarities across processes.
  • Love to Learn About Best Practices: Successful GRC professionals tend to love learning about how things are done, exploring best practices, and staying updated on innovative approaches.
  • Voracious Readers: Many GRC professionals are voracious readers. They read extensively, and those with good pattern recognition skills can use this knowledge to build effective mental models. Reading widely helps them stay informed and apply diverse insights to solve problems.
  • Love for Philosophical Discussions: If you enjoy debating ideas about existence, morality, or other “big questions” without needing a definitive answer, you might be well-suited for GRC. This trait often indicates comfort with ambiguity, which is crucial in GRC roles where not all answers are straightforward.
  • Not Afraid of Ambiguity: GRC involves working with incomplete or uncertain information. If you’re comfortable with ambiguity and enjoy finding clarity in complex situations, this is a good sign that you’ll excel in GRC.
  • Interest in Abstract (Boring) Stuff: If you don’t mind spending hours poring over dense, boring documents to make sense of what they mean, you’re likely to do well in GRC. The ability to handle tedious reading material without losing focus is a valuable trait in this field.
  • Use of Metaphors: People who use metaphors liberally tend to excel in explaining complex concepts in GRC, making them more relatable and easier to understand.

Aspects of GRC That You May Not Like

  • Documentation, Documentation, Documentation!: A lot of the work is just documentation! Many people who get into GRC end up not liking the job. Especially if you are technically minded and prefer hands-on work, you might find this frustrating.
  • Following up with people: A lot of the work involves following up with people for tasks they should do but often delay until reminded.
  • Seen as Blockers: Unfortunately, GRC teams are sometimes seen as blockers by other departments, as they often have to enforce compliance requirements.
  • Lack of support: There can be a lack of support from management, business units, and executive leadership. In companies where the value of a GRC team is not well communicated or understood, senior people may ask, “What are these people even doing?”
  • Lack of respect from technical teams: Many GRC people are considered ineffective (“don’t have a clue”) by technical teams. Most of the time this happens because the person on the GRC side does not understand the domain well enough to translate what’s needed into terms the technical people understand.
  • No career growth in smaller companies: Smaller companies may not have clear career paths for GRC roles, limiting professional growth.
  • Workload: In some companies, the workload can be overwhelming, with too many compliance demands and too few resources.
  • Role not valued by the organization: In some organizations, GRC teams are considered “nice to have,” making them one of the first teams to face cuts during tough times.

Useful Standards and Frameworks to Know

Getting familiar with some of the main standards and frameworks in the field will give you a strong foundation:

  • ISO 27001: The international standard for information security management systems.
  • NIST Cybersecurity Framework (CSF): A popular framework for managing cybersecurity risk.
  • SOC 2: An AICPA attestation framework under which service organizations are audited against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy); customers rely on the resulting report instead of auditing the provider themselves.
  • PCI-DSS: The Payment Card Industry Data Security Standard. Learning this is beneficial even if your company isn’t directly involved in payments.

Learn about the local standards and regulations in your country. For example, if you live in Germany, you need to know the BSI’s IT-Grundschutz. The UK government has created the Cyber Essentials scheme.

Excel and PowerPoint

Nothing more to add… Learn both!

Figure out how to make fancy charts, good looking dashboards, short and crisp management summaries.

Learn them, and… if possible, also learn Power BI and Python/Pandas (trust me, you will thank me later).
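As an added example of the two pieces of advice above (the gap assessment against a framework, and the suggestion to learn Python), here is a small script that is not from the original post. It takes a control assessment in the CSV shape you would export from an Excel tracker, tags each control with its NIST CSF 2.0 function from the identifier prefix, and produces criticality-weighted coverage per function, a gap list ordered by residual risk, and a short management summary. It uses only the standard library so it runs without pandas. The three-level status scale, the 1-3 criticality weights and the residual-risk formula are assumptions of this example, and the control rows and evidence strings are constructed sample data, not text from the CSF.

```python
"""Score a control gap assessment against the NIST CSF 2.0 functions.

Input: CSV of assessed controls. Output: weighted coverage per function,
prioritized gaps, and a management summary. Standard library only.
"""
import csv
import io
from collections import defaultdict

# NIST CSF 2.0 functions, keyed by the prefix used in subcategory identifiers.
CSF_FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                 "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Credit for each implementation status (assumed three-level scale).
STATUS_SCORE = {"implemented": 1.0, "partial": 0.5, "not implemented": 0.0}

# Constructed sample assessment (illustrative rows, not the CSF text).
# criticality: 1 = low, 3 = high, as assigned by the assessor.
SAMPLE_ASSESSMENT = """\
control_id,criticality,status,evidence
GV.PO-01,3,implemented,Security policy approved by the board in January
ID.AM-01,3,partial,CMDB covers servers; laptops are not inventoried
PR.AA-01,3,not implemented,No central identity provider; local admin accounts on servers
PR.DS-01,2,implemented,Full-disk encryption enforced via MDM
DE.CM-01,2,partial,Network flow logs collected; no alerting configured
RS.MA-01,2,not implemented,No written incident response plan
RC.RP-01,2,not implemented,Backups exist; restore has never been tested
"""


def parse_assessment(text):
    """Parse assessment CSV into validated rows tagged with their CSF function."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        control_id = r["control_id"].strip()
        status = r["status"].strip().lower()
        prefix = control_id.split(".", 1)[0]
        if status not in STATUS_SCORE:
            raise ValueError(f"{control_id}: unknown status {r['status']!r}")
        if prefix not in CSF_FUNCTIONS:
            raise ValueError(f"{control_id}: unknown CSF function prefix {prefix!r}")
        criticality = int(r["criticality"])
        if not 1 <= criticality <= 3:
            raise ValueError(f"{control_id}: criticality must be 1-3")
        rows.append({"control_id": control_id, "function": CSF_FUNCTIONS[prefix],
                     "criticality": criticality, "status": status,
                     "evidence": r["evidence"].strip()})
    return rows


def coverage_by_function(rows):
    """Criticality-weighted coverage (%) per function: sum(w*score) / sum(w)."""
    earned, possible = defaultdict(float), defaultdict(float)
    for r in rows:
        earned[r["function"]] += r["criticality"] * STATUS_SCORE[r["status"]]
        possible[r["function"]] += r["criticality"]
    return {f: round(100 * earned[f] / possible[f], 1) for f in possible}


def overall_coverage(rows):
    """Criticality-weighted coverage (%) across all assessed controls."""
    earned = sum(r["criticality"] * STATUS_SCORE[r["status"]] for r in rows)
    possible = sum(r["criticality"] for r in rows)
    return round(100 * earned / possible, 1)


def prioritized_gaps(rows):
    """Controls not fully implemented, ordered by residual risk = criticality * (1 - score)."""
    gaps = []
    for r in rows:
        residual = r["criticality"] * (1 - STATUS_SCORE[r["status"]])
        if residual > 0:
            gaps.append((residual, r))
    gaps.sort(key=lambda g: (-g[0], g[1]["control_id"]))  # ties broken by ID
    return [r["control_id"] for _, r in gaps]


def management_summary(rows):
    """Short, crisp summary lines: weakest functions first, then the top three gaps."""
    lines = [f"Overall weighted coverage: {overall_coverage(rows)}%"]
    for function, pct in sorted(coverage_by_function(rows).items(), key=lambda kv: kv[1]):
        lines.append(f"  {function:<9} {pct:>5}%")
    by_id = {r["control_id"]: r for r in rows}
    lines.append("Top gaps (highest residual risk first):")
    for cid in prioritized_gaps(rows)[:3]:
        lines.append(f"  {cid}: {by_id[cid]['evidence']}")
    return lines


if __name__ == "__main__":
    print("\n".join(management_summary(parse_assessment(SAMPLE_ASSESSMENT))))
```

Weighting by criticality matters: a plain count of implemented controls would rate Protect at 50%, while the weighted figure of 40% reflects that the missing control (central identity management) is the more important one. Replace `SAMPLE_ASSESSMENT` with the contents of your own tracker export and the same functions produce the numbers for your dashboard or slide.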

Certifications That Can Help

Certifications can be valuable in demonstrating your expertise and commitment to the field. Here are a few popular ones:

  • ISO 27001 Lead Implementer: You learn about how ISO 27001 is implemented in an organization and about ISMS (Information Security Management System).
  • ISO 27001 Lead Auditor: Focuses on how to audit an ISMS.

Do the Implementer course first, then the Lead Auditor.

  • CISA (Certified Information Systems Auditor): Very popular certification in IT audits.
  • CISM (Certified Information Security Manager): Focused on information security management. Usually taken by people who have leadership ambitions in a Security function.
  • CRISC (Certified in Risk and Information Systems Control): Focused on IT risk management. Not as popular as CISA and CISM.

My Personal Tip to Learn About GRC

One easy way to learn how GRC processes work is by watching YouTube videos from various GRC vendors.

My personal favorite is ServiceNow’s YouTube channel, where they show how various processes work within the context of their platform. Since tools tend to adopt best practices, this can be a great way to learn about how GRC is implemented.

Conclusion

Hopefully, you got some understanding of how to break into GRC.

If you have any questions or some tips from your experience, do let me know.