The GRC analyst job role
This section sheds light on the GRC analyst job role, including how to pivot into it from another IT job role, relevant skills of a GRC analyst, and relevant industry certifications
Learning objectives
• Understand from which organizational functions you can pivot into a GRC analyst role
• Identify important skills of a GRC analyst
• Identify industry certifications relevant to the GRC analyst/manager role
Topics covered in this section
How to get into GRC
Skills of a GRC analyst
Salient risk management frameworks
Key GRC analyst job activities/responsibilities
GRC analyst/manager industry certifications
GRC training resources
How to get into GRC
GRC analysts ensure organizational compliance with regulations, assess risks, and align governance frameworks with business objectives. You can get into GRC from a security analyst role, a cyber defender role (e.g., SOC analyst), a red teaming role, a policy analyst role, a risk analyst or risk manager role, a compliance auditor role, or a Quality Assurance role, to name a few. A GRC analyst position can also be your first job in IT.
GRC analyst relevant job titles include Compliance Analyst, IT Auditor, Risk and Compliance Analyst, Cyber Audit Analyst, GRC Specialist, and GRC manager.
Skills of a GRC analyst
Like a cybersecurity analyst, a GRC analyst needs skills in the technical foundations of cybersecurity, such as network administration, system administration, incident and disaster recovery management, and cloud computing. Familiarity with key cybersecurity risk management frameworks such as NIST CSF and NIST SP 800-37 is a definite plus.
As a GRC professional, you coordinate regulatory compliance and assurance activities with legal, procurement, engineering, project management, and other functions. You work either internally or externally with professional services firms.
Salient risk management frameworks
NIST Cybersecurity Framework (CSF) as an information security program framework, with NIST SP 800-30 (Guide for Conducting Risk Assessments) used to assess the risks to that program
NIST SP 800-37 (Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) and the appropriate subset of security controls from the control catalog in NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)
SOC 2 Cybersecurity Framework as an RMF – AICPA (American Institute of Certified Public Accountants) maps SOC 2 to various other frameworks
Other: ISO/IEC 27001 Information Security Management System (ISMS), CMMC (DoD)
Key GRC analyst job activities/responsibilities
A GRC analyst/manager may partake in the following organizational IT governance activities:
Developing a cybersecurity governance program
Specifying the committees, roles, and plans needed to perform contingency planning
Identifying regulations/compliance needs relevant to the organization’s industry and business activities, and a suitable GRC RMF to help the organization achieve compliance in alignment with its business goals
Establishing compliance procedures relevant to GDPR, PCI (financial services), HIPAA (health care), FISMA (Federal IT), CMMC (DoD), etc. (regulations the organization may be held accountable to)
Establishing IT security audit procedures relevant to NIST, SOC 2, ISO 27001, etc.
Establishing performance measures for assessing and improving GRC programs
GRC analyst/manager industry certifications
CISA – Certified Information Systems Auditor by ISACA (you can sit the exam before completing the 3 years of experience required to receive the certification)
ISACA’s IT Risk Fundamentals Certificate
CRISC – ISACA’s Certified in Risk and Information Systems Control certification (ideal for mid-career IT/IS audit, risk, and security professionals)
CISM – Certified Information Security Manager by ISACA
ISO 27001 Lead Auditor (ISMS) by CIS
GRC training resources
Cybersecurity Compliance Framework & System Administration (Coursera – Course 3 in IT Fundamentals for Cybersecurity Specialization) This Coursera course “gives you the background needed to understand the key cybersecurity compliance and industry standards.”
Executive RMF (Cybrary) “This course will discuss the NIST Risk Management Framework (RMF) from an executive perspective. Each module will not only address each step in the RMF process, but how this process can be implemented into your organization or business.”
GRC Analyst Master Class (TCM Security Academy) “This class assumes no prior background knowledge and is set up to give you a full scope understanding and the practical skills needed to be an effective GRC Analyst.”
The GRC Approach to Managing Cybersecurity (Coursera – Course 2 in Managing Cybersecurity Specialization) This Coursera course “examines the role of Governance, Risk Management, and Compliance (GRC) as part of the Cybersecurity management process, including key functions of planning, policies, and the administration of technologies to support the protection of critical information assets.”
Key takeaways
You can get into GRC through various roles, including security analyst and policy analyst
Important skills of a GRC analyst span compliance auditing to incident and disaster recovery
Well-regarded GRC analyst/manager industry certifications include CISA by ISACA and ISO 27001 Lead Auditor by CIS