Traditionally, cyber GRC (governance, risk, and compliance) was managed by IT teams or compliance specialists alongside their numerous other responsibilities, with varying levels of success and efficiency. However, with regulations increasing in number and networks becoming larger and more complex, that’s no longer a satisfactory solution.
I’m glad to see more and more companies establishing cyber GRC teams, but they need to know what roles to include and which skills to look for, while job seekers need to know how to position themselves for success.
Key Roles for Your Cyber GRC Team
The exact roles within your cyber GRC team will depend on a number of factors. It’s not just about the size of your team and your organization, but also its complexity in terms of business units and geographies, the types of tech and infrastructure it uses, and the nature of the regulatory landscape within which it operates.
That said, every cyber GRC team needs four key roles: GRC lead, compliance analyst, cyber security analyst, and risk analyst. In larger organizations, you might build out the last three roles into full teams for cybersecurity, risk, and compliance analysis. Here’s a brief overview of each of those roles:
- GRC Lead: Responsible for overseeing the entire GRC program and maintaining the security controls library, the GRC lead develops strategies for managing cyber risks and compliance, and coordinates with the executive suite on GRC initiatives.
- Cybersecurity Analyst: The cybersecurity analyst, or analysis team, coordinates the implementation of security controls, monitors and analyzes them for gaps and vulnerabilities, conducts ongoing risk assessments, and periodically reviews permissions and access privileges to ensure they are fit for purpose, thereby complying with relevant regulatory frameworks.
- Compliance Analyst: Compliance analysts are tasked with ensuring adherence to industry trade group standards, which includes carrying out compliance assessments, enabling external and internal audits, and developing and updating compliance policies and procedures.
- Risk Analyst: Risk analysts are responsible for identifying and assessing possible dangers that the organization might face, developing risk mitigation strategies, and analyzing and reporting on risk trends and metrics.
Larger and/or more complex organizations may add more roles, such as a security architect, who develops the security architecture, produces security policies, designs and implements secure systems and networks, and ensures that all security measures align with business goals.
You might also hire analysts for specialized categories of risk, such as a vendor risk management analyst, who would be responsible for assessing and managing the risks that come with third-party vendors, running vendor risk management programs, and checking that vendors comply with your security and privacy requirements.
The Most In-demand Skills for Cyber GRC
Designing and implementing security controls requires a unique set of skills and domain expertise, some of which are extremely difficult to find. Employees have to be able to consider both the company’s business requirements and the broader regulatory landscape, as well as any industry-specific concerns. Few have this depth and breadth of knowledge.
Ideally, cyber GRC professionals have a well-rounded understanding of cybersecurity laws and regulations, know how to navigate the formal requirements, and are familiar with realistic implementation paths. But it’s rare to find a candidate with a strong background in cybersecurity regulation, and it’s even rarer to find someone who can put that theoretical knowledge into practice.
Knowledge of and experience with data privacy and protection regulations is another crucial—and scarce—skill. Data privacy regulations are growing in number and complexity, so it’s an increasingly important sphere of activity for cyber GRC.
Applicants who are familiar with designing and implementing effective data protection programs are hard to find. Anyone looking for a job in cyber GRC should work on strengthening these capabilities.
The Skills You Didn’t Realize Cyber GRC Teams Need
Although those skills are rare, most organizations recognize their importance and include them in their job descriptions. In my experience, there’s another set of skills that are equally important, but many recruiters may be unaware of their value.
Communication skills are critical for cyber GRC professionals, who often need to convey complex technical information to non-technical stakeholders. They have to be able to explain cyber GRC issues to stakeholders who use your systems, and describe your GRC processes to auditors, customers, and partners who know nothing about GRC concerns or your networks. This type of expertise is often dismissed as “soft skills,” but this attitude is a mistake.
Business knowledge is another crucial area for cyber GRC candidates. Cyber GRC occupies the crossroads of tech, security, and business. Unless your team fully understands business processes and priorities, they won’t know which stakeholders to talk to or the right questions to ask.
Automation is arguably more important today than traditional GRC skills. Cyber GRC is complex, extensive, and fast-moving, making automation technologies the only way to monitor and manage GRC across all your tech stacks and networks. You need employees who can master the AI and ML algorithms and pipelines that lie behind automated workflows, security controls, and continuous monitoring.
A Strong Cyber GRC Team
Cyber GRC is a fast-growing field. Many organizations are building up their cyber GRC teams, and even more will be over the next few years. This makes it an excellent career choice, especially for those candidates who are able to muster all the skills that are needed.
On the other side of the interviewing desk, cyber GRC leaders need to make sure they seek talent with the skills that they’ll need to build and implement robust cyber GRC processes now and in the future.
Arik Solomon is the co-founder and CEO of Cypago.