What is a GRC analyst? Cybersecurity roles explained
Here’s what it means to be a governance, risk, and compliance analyst, the skills you need to enter this career path, and how to get them.
Oct 7, 2024 • 10 Minute Read
I’m going to be upfront: Governance, risk, and compliance (GRC) specialists have a special place in my heart, and that’s because I’m married to one. Because of that, I can tell you that GRC isn’t just a profession, it’s something that you are long before you even get the job—governance, risk, and compliance are already part of your DNA.
Here are some telltale signs you’ve got GRC in your veins, and you’re just not aware of it:
- When someone goes about a task in an inefficient way—such as a friend, family member, or colleague—your eye visibly twitches.
- You’re the kind of person who starts planning a holiday several months in advance, and you always remember to check the country’s travel restrictions.
- When someone tells you a sob story about how some tragedy befell them, inwardly you’re trying not to point out all the obvious warning signs and pitfalls they missed.
- You’re good at suggesting solutions to people’s problems, and little details don’t escape you.
- You get along well with other people, even when they’re not in your immediate circle of coworkers or friends.
- You love learning new things, and you’re excited to hear about how other people tackled a problem you or others have.
If any of these sound like you, you’re a GRC analyst—you’re just not getting paid for it yet.
What a GRC analyst is
Governance, risk, and compliance (GRC) analysts are subject-matter experts on compliance and regulatory frameworks, and help ensure their employer or clients adhere to them. Risk is never far from their minds, as they advise key stakeholders and management on how to mitigate it through proper governance, and are excellent communicators.
GRC analysts play a pivotal role in getting an organization audit-ready, and are often found in fields with strong compliance requirements such as public sector organizations, healthcare, banking, and software companies. They support cybersecurity incident response by making sure incident response plans are up to date as well as other key tasks.
What are a GRC analyst’s role responsibilities?
A typical GRC analyst position tends to have the following role responsibilities:
- Acting as a subject-matter expert on relevant compliance and regulatory frameworks (e.g. HIPAA, ISO standards, PCI, SOC 2, GDPR, CCPA, etc.), and staying on top of industry best practices
- Engaging in risk management and updating playbooks to align with current industry standards, regulatory changes, and best practices
- Engaging in Disaster Recovery (DR) and Business Continuity Planning (BCP), and managing the testing of these plans
- Conducting compliance audits to ensure adherence to cybersecurity standards and regulations
- Monitoring compliance with regulations and standards, typically by tracking key cybersecurity KPIs
- Engaging in Third-Party Risk Management (TPRM) by analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers
- Assisting with documentation following incident response
- Delivering security awareness and training
- Engaging in regulatory change management to make sure the company’s policies and practices are adjusted following regulatory updates
- Preparing detailed reports and documentation of compliance findings and security gaps
- Developing and implementing controls to address cybersecurity and compliance needs across an organization
Does GRC pay well?
It depends on several factors, with location being the biggest, but generally yes. According to Talent.com, GRC analysts make on average $112k USD a year, or $54 an hour. On top of that, GRC specialists can earn significantly more as GRC Managers, earning $179k on average and over $200k in the top 25%.
For context, your average GRC analyst—which can be an entry-level position—earns nearly 40k more than an IT technician ($73k), and considerably more than non-tech positions such as a marketing specialist ($63k). While there are higher-paying cybersecurity roles such as being a Cybersecurity Architect or Engineer, it’s fair to say in terms of tech salaries it’s right up there.
If earning a big salary is your main career focus, though, you could augment your GRC knowledge with AI, and become an AI GRC Leader. Salaries for these positions easily fall in the $200k-$250k USD range. What’s mind-blowing is these are only the listed positions: a large percentage of jobs are unadvertised, with employers preferring to use their networks to find candidates.
What should I do to become a GRC analyst?
1. Pick up some foundational cybersecurity certifications
If you’re brand-new to cybersecurity, pick up your ISC2 CC, SSCP, or CompTIA Security+ to start with, so you get a feel for both the field and sitting these types of exams. From there, I’d recommend sitting the Certified Information Systems Auditor (CISA), followed by the well-regarded Certified Information Systems Security Professional (CISSP). The CISSP is like a puddle—vast, but not very deep—so you don’t need to know the subjects in depth. Given you’re aiming for GRC, you’re after a broad understanding more than hands-on practitioner skills, as your duties will be more focused on knowledge and awareness. From there, you can get into the more niche CRISC, CISM, and CCSP.
It’s a good idea to pick up some cloud certifications as well, since cloud computing is everywhere these days, and will almost certainly be something your organization is defending. Pick either AWS or Azure depending on your organization’s primary focus. There’s no wrong call here—cloud fundamentals are highly transferable, and once you’ve studied for one, it’s very easy to go on and learn another. The things you want to learn are mostly about networking in the cloud, and common security controls and services.
2. Work on a compliance project
Every role out there—whether it’s a technical or non-technical role—has some sort of compliance framework it’s meant to be adhering to. Identify the one that relates to yours, and then lead a project to implement it. This will demonstrate a ton of key skills related to being a GRC analyst: researching a framework, project management, stakeholder engagement, and measuring adoption success.
The sky's the limit with this, but here are some ideas to get you started:
- If you’re a software developer, you could lead a project around adopting the Secure Software Development Framework (SSDF) or learn more about the OWASP Top 10. Kevin Henry, who’s always an easy listen, has a video course here worth checking out: “Secure Software Implementation for CSSLP®”
- If you’re in or involved with cloud computing, you could lead a project around adopting AWS or Azure’s Well-Architected Frameworks.
- If your organization is using or considering adopting AI, you could lead a compliance project around adhering to ISO 42001.
- If you’re in IT services, you could look into adopting popular frameworks like ITIL, ISO 38500, ISO 27001, or COBIT.
- If you’re in a non-tech field, you could examine how your organization is complying with GDPR or your country’s equivalent data protection legislation.
- Even working on a non-cybersecurity standard, such as advocating for WCAG accessibility standards on your company’s website, shows your ability to handle compliance-focused projects.
Of course, there’s every chance your organization is already complying with these standards. In this case, get involved with the team that’s tasked with doing this. Since these projects require participation from various business areas, you can get experience working with and demonstrating your knowledge of them all without being formally employed as a GRC analyst.
Remember that in small organizations, the role of the governance, risk, and compliance specialist often goes to the person who actually learns about these standards, makes leadership aware of them, and implements them as a supplement to their actual role (no matter what that’s meant to be). This approach is a great way to get valuable experience and then leap into a future career as a dedicated GRC professional.
3. Make sure you’ve got a good track record of getting buy-in
I’ve said it a million times, because it bears repeating: soft skills often matter more than technical skills when it comes to IT positions. For GRC, this is especially true, because a large part of your role is going to be getting people’s buy-in to comply with things.
You can’t just barge in, cite PCI requirements, and expect compliance to suddenly happen. People who adopt this approach certainly do exist in cybersecurity, particularly when they’re hired more for technical aptitude than soft skills. The result is limited adoption and resentment of the cybersecurity function, which isn’t good for anyone involved.
According to Larry Trittschuh, a seasoned CISO and CSO, if there was one skill he’d go back and develop in cybersecurity, it would be empathy.
“It’s very easy to fall into a pattern where you’re like ‘Hey IT, just patch this thing’ or ‘Hey engineers, just develop code securely,’” Larry said. “When you walk in their shoes and see what’s driving them, it makes a huge difference.”
4. Get familiar with popular compliance frameworks
If you’re going for your first GRC role, nobody’s going to expect you to come in the door and be able to recite the ISO 27001 standard from memory (that will come later). However, you should at least be aware of the existence of the big frameworks like NIST and why they’re important to GRC.
If you can study these though, this is great! You’re going to have to learn them anyway, as a large part of your role will involve becoming incredibly familiar with these frameworks, and keeping constantly up to date with any changes, so you can make sure your organization is complying with them.
Keep in mind that learning these standards at a deep level is hard work. If you think you’re not GRC analyst material because your eyes are glazing over reading something like NIST’s Digital Identity Guidelines—which is 35,000 words of madness—you’d be dead wrong. Even existing GRC professionals can find this soul-sucking. Just take solace in the knowledge that nobody else wants to read them either, and your ability to do what nobody else wants to is why you’ll get paid the big bucks.
If you’re looking for a less painful way to start learning these frameworks, Pluralsight offers a dedicated Governance, Risk, and Compliance learning path. These expert-led videos cover all the major frameworks—CMMC, the ISO 27000 series, SOC 2, GDPR, and a ton of other acronyms I’ll skip listing out because you can just click on the link.
Once you’re done with those, I’d also suggest checking out these more advanced NIST-related courses which teach you how to go about implementation and management:
- Implementing NIST's Risk Management Framework
- Implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity in Your Organization
- Preparing to Manage Security and Privacy Risk with NIST's Risk Management Framework
A pro tip: If you have experience with these standards from a previous role, even if it’s not as a GRC specialist, this is something you should highlight in your resume and interviews. This can be as simple as if you were a software engineer who had to build something around these guidelines, or a nurse who knows HIPAA rules through handling patient data.
5. Don’t sweat not knowing everything, but showcase your love of learning
According to John Elliott, seasoned GRC expert and PCI Security Standards advisor, the best words he ever learned in his entire cybersecurity career were “I’m sorry, I don’t know.”
“One of two things will happen when you utter them. Either someone will tell you the answer—and you’ll be smarter for it—or you’ll realize you need to go away to find out the answer,” John said.
“Whenever I’ve recruited people in the past for cybersecurity roles, these were the five words I wanted to hear in an interview. People who can recognize what they don’t know, admit it, and seek to know the answers—curious, life-long learners—are the kind of people who thrive in cybersecurity.”
Another way to showcase your love of learning is, well, to learn a lot of things! Aside from cybersecurity courses and certificates, throw yourself at Google and search for cybersecurity topics you’re passionate about, particularly in GRC. Interviewers will look at your laundry list of skills broken down by year on your resume—or your ability to discuss current cybersecurity trends in an interview—and conclude you’re someone who’s always eager to learn more.
6. Sign up to cybersecurity news sites
Remember how I mentioned a large part of being a GRC analyst is being a know-it-all? Signing up for tons of cybersecurity publications is one way of doing that. Even if the news sites aren’t discussing compliance per se, they’ll be discussing trends and risks, both of which are very important to your future role.
Here are some resources to get you started:
Conclusion
The fact you got to the end of this admittedly long article is a good sign you’ve got two great traits to succeed as a GRC analyst: the ability to scroll through lengthy industry standards, and a desire to seek out new knowledge.
GRC is a highly rewarding profession where you get to bring order to disorder, and visibly see the difference you can make to an organization by improving it for the better. If all of this sounds like you, it’s worth exploring this career option further.
Further learning
Again, if you’re interested in getting your foot in the door as a GRC analyst, I’d highly recommend the Governance, Risk, and Compliance learning path. The great thing about learning paths is you can just start at your current knowledge level—beginner, practitioner, or seasoned professional—and this one covers all the major frameworks worth knowing about.
If you’re after more articles like this one on kickstarting your career in cybersecurity, here are some that might help you out:
- How to get into cybersecurity with no prior experience
- Starting in cybersecurity: FAQs about how to get your first job
- Cybersecurity jobs: Key skills, certificates, and traits leaders want
- From Air Force pilot to CISO: How this security leader landed the top job
- 5 ways to get practical experience in tech (so you can land a job)