The GRC analyst role

This section sheds light on the GRC analyst role as a career choice, including how to pivot into it from an IT job function, relevant skills, and helpful industry certifications.

Learning objectives

  • Understand from which organizational functions you can pivot into a GRC analyst role

  • Identify important skills of a GRC analyst

  • Identify industry certifications relevant to the GRC analyst/manager role

This section illuminates the GRC (Governance, Risk Management, and Compliance) cybersecurity career path, focusing on the role of the GRC analyst/manager, and covers the ins and outs of that role.

Topics covered in this section

  • How to get into GRC

  • Skills of a GRC analyst

  • GRC analyst/manager industry certifications

  • Salient risk management frameworks

  • GRC training resources

How to get into GRC

You can get into GRC through a security analyst role (e.g., vulnerability assessment analyst), a cyber defender role (e.g., SOC analyst), a cyber operator role (e.g., penetration tester), a security/privacy policy analyst role, a risk analyst or risk management role (e.g., IT vendor risk manager), a compliance auditor role, or an IA/QA assurance role. A GRC analyst position can also be your first job in IT.

GRC analyst relevant job titles include Compliance Analyst, IT Auditor, Risk and Compliance Analyst, Cyber Audit Analyst, GRC Specialist, and GRC manager.

Skills of a GRC analyst

A cybersecurity analyst/manager has skills/knowledge in the technical foundations of cybersecurity – especially network security, incident and disaster management, operating systems, and system administration. As a GRC professional, you interact and coordinate regulatory compliance and assurance activities with legal, procurement, engineering, project management, etc. You work either internally or externally with professional services.

A GRC analyst/manager may partake in the following organizational IT governance activities:

  • Developing a cybersecurity governance program

  • Specifying the committees, roles, and plans needed to perform contingency planning

  • Identifying regulations/compliance needs relevant to the organization’s industry and business activities, and a suitable GRC RMF to help the organization achieve compliance in alignment with its business goals

  • Establishing compliance procedures relevant to GDPR, PCI (financial services), HIPAA (health care), FISMA (Federal IT), CMMC (DoD), etc. (regulations the organization may be held accountable to)

  • Establishing IT security audit procedures relevant to NIST, SOC 2, ISO 27001, etc.

  • Establishing performance measures as a method to assess and improve GRC programs

GRC analyst/manager industry certifications

  • CISA – Certified Information Systems Auditor by ISACA (you can take the exam first; the certification is awarded once the 3-year experience requirement is met)

  • ISACA’s IT Risk Fundamentals Certificate

  • CRISC – ISACA’s Certified in Risk and Information Systems Control certification is ideal for mid-career IT/IS audit, risk, and security professionals

  • CISM – Certified Information Security Manager by ISACA

  • ISO 27001 Lead Auditor (ISMS) by CIS

Salient risk management frameworks

  • NIST CSF as an information security program framework, with NIST SP 800-30 used to risk-assess it

  • NIST SP 800-37 (the Risk Management Framework), selecting the appropriate subset of security controls from the control catalog in NIST SP 800-53

  • SOC 2 Cybersecurity Framework is a good RMF; AICPA maps SOC 2 to many other frameworks

  • Other: ISO/IEC 27001, CMMC

GRC training resources

Cybersecurity Compliance Framework & System Administration (Coursera – Course 3 in IT Fundamentals for Cybersecurity Specialization) This Coursera course “gives you the background needed to understand the key cybersecurity compliance and industry standards.”

Executive RMF (Cybrary) “This course will discuss the NIST Risk Management Framework (RMF) from an executive perspective. Each module will not only address each step in the RMF process, but how this process can be implemented into your organization or business.”

GRC Analyst Master Class (TCM Security Academy) “This class assumes no prior background knowledge and is set up to give you a full scope understanding and the practical skills needed to be an effective GRC Analyst.”

The GRC Approach to Managing Cybersecurity (Coursera – Course 2 in Managing Cybersecurity Specialization) This Coursera course “examines the role of Governance, Risk Management, and Compliance (GRC) as part of the Cybersecurity management process, including key functions of planning, policies, and the administration of technologies to support the protection of critical information assets.”

Key takeaways

  • You can get into GRC through various roles, including security analyst and policy analyst

  • Important skills of a GRC analyst span compliance and auditing to incident and disaster recovery

  • Well-regarded GRC analyst/manager industry certifications include CISA by ISACA and ISO 27001 Lead Auditor by CIS

References

GRACE-IT – The “Critical Six” disciplines of GRC (oceg.org)

How to GRC Like A Boss with Erika McDuffie (YouTube video by Gerald Auger of Simply Cyber)

Information Security Governance (EDUCAUSE, 2022)

NIST Cybersecurity Program Development Plan (“Plain English Guide” by Praxiom Research Group Limited)

NIST SP 800-37 Rev. 2 – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy