CyberVoices - Cybersecurity News

Finding skill fit in the unseen path of cybersecurity GRC

Written by Steve McMichael | Aug 20, 2024 12:07:25 PM
Have you ever considered how your business skills might be the key to unlocking a successful career in cybersecurity?  Or perhaps the technological arms race between attackers and defenders in the fifth domain of cyberspace looks too intimidating.
 
“I’ve met so many people who thought they didn't fit and then they found that their skills fit. And that’s primarily why I started Cloud Security Office Hours: to find those people and bring them in.” -Shawn Nunley
 
This insight from a recent volunteer based networking meeting with Canadian attendees is particularly relevant to Cybersecurity Governance, Risk & Compliance (GRC), where transitioning from diverse backgrounds like business and accounting is not only possible, but can be advantageous.
 
Read on for how you can find skill fit in GRC coming from diverse backgrounds, why it’s underrated, tips break in, and how learning about the NIST Cybersecurity Framework can help you make an outsized impact.
 
CAREER CROSSOVER MYTH BUSTING 
 
When I first transitioned from accounting to GRC, it felt like stepping into a different world dominated by technical cybersecurity “wizards.” But I soon realized that Cybersecurity is:
 
1. A business problem
2. A team sport that like any team, benefits from diverse skills 
 
In order to reliably achieve business objectives by managing cyber risk, the industry aspires to have less alchemy and more chemistry; less wizardry and more accounting. This is where GRC team member business administration, documentation, reporting, process, project management skills and outsider perspectives can shine.
 
Related article: SEC vs. SolarWinds is Cybersecurity's ENRON Moment. Cybersecurity just transitioned from wizardry to accounting, and the transition will be messy.
https://danielmiessler.com/p/sec-vs-solarwinds-cybersecuritys-enron-moment
 
SPOTLIGHT ON THE IMPORTANCE OF COMPLIANCE: ENRON CASE STUDY
 
To illustrate the importance of GRC and expand on the idea of cybersecurity transitioning from wizardry to accounting, let’s take a closer look at the Enron real life case study. Enron was America's seventh-largest company before it collapsed due to accounting fraud. 
 
“The collapse of Enron was devastating to tens of thousands of people and shook the public’s confidence in corporate America” -Former FBI Director Robert Mueller
 
- Most of Enron’s 21,000 employees lost their jobs without severance or health insurance
- Arthur Andersen was charged with obstruction of justice for shredding documents, leading to its downfall and the loss of jobs for most of its 28,000 employees
- Enron’s collapse led to the conviction of 21 individuals 
 
The scandal led to significant regulatory changes, including the Sarbanes-Oxley Act (SOX), which aimed to restore trust in financial reporting needed for liquidity in capital markets.  In cybersecurity, similar principles apply. Assurance work is essential for providing trust and transparency. Effective GRC practices can help prevent disasters by checking that internal controls are designed and operating effectively.
 
THE UNSEEN GRC PATH: WHY IT’S UNDERRATED
 
While GRC is a great entry point to outsiders to break into cybersecurity, it gets a bad rap. For example it didn't make the cut for a SANS poster of the top 20 coolest cybersecurity jobs, but I think that’s missed an opportunity.
 
Here are the six specific things that make GRC awesome:
 
First, we are revenue-enabling. Our security assurance work has us directly supporting sales reps in the field and occasionally interfacing directly with customers. That's where you want to be to understand customer needs, how your company can meet them, and how to make a business impact.
 
Second, breadth. We get to work with the top experts across all departments—the control owners. That includes the Security Operations Center, Architecture, Engineering, Product Security, IT, Finance, HR, Legal, Privacy, and more. I've really enjoyed learning about diverse topics ranging from revenue accounting to software development—both very technical, very complicated, and very interesting to get a front-row seat to observe and understand those processes and their outcomes.
 
Third, top management. GRC gives you exposure to the top, which is a great opportunity.
 
Fourth, immersion. When you're exposed to all the departments, you get to learn through immersion and practical application. Even if you want to be very specialized and technical, it might be helpful to your career to rotate into GRC and then rotate out, because when you go into your swim lane, you'll bring with you that bigger picture perspective on how your function fits into the rest of the company.
 
Fifth, business is booming. As demand continues to ramp up for customer trust and assurance due to digital transformation, the cost of cybercrime, and the proliferation of flawed and complicated technology, GRC continues to be in demand.
 
Sixth (my favourite): GRC is a feeder role to get your foot in the door.
 
BREAKING IN: THE FIRST STEPS
 
If you're coming from a non-technical background and want to break into cybersecurity, particularly GRC, here are some steps you can take:
 
1. Continuous Learning Mindset: Be prepared to learn continuously. Cybersecurity is a rapidly evolving field, and staying updated is crucial.
 
2. Get Technical: While you don't need to become a technical expert, having a basic understanding of technical concepts will help you communicate effectively with your technical colleagues.
 
3. Leverage Your Business Skills: Your understanding of business processes, risk management, and compliance can be incredibly valuable. Use these skills to bridge the gap between technical and business teams.
 
4. Training and Certifications: Consider pursuing education relevant to GRC in the GRC Certification Roadmap here: www.cpatocybersecurity.com/p/certs
These can help you get through application tracking systems and demonstrate your commitment to the field.
 
NIST CYBERSECURITY FRAMEWORK: A GREAT TOOL FOR GRC WORK
 
One of the most useful tools in GRC is the NIST Cybersecurity Framework (CSF). It provides a flexible and adaptive approach to managing cybersecurity risk. The framework is voluntary and focuses on risk management rather than prescriptive controls. This allows organizations to tailor their cybersecurity strategies to their unique needs.
 
The CSF breaks down cybersecurity into six functions: Identify, Protect, Detect, Respond, Recover, and Govern. This structure facilitates communication between different levels of an organization, from executives to technical staff.
 
It’s a free, 32 page pdf that make a great guidebook to cyber resilience, whether you’re brand new or a seasoned expert. https://www.nist.gov/cyberframework
 
BOTTOM LINE
 
Breaking into cybersecurity from a business background is not only possible but also valuable. The skills you bring from previous experiences can provide a unique perspective that enhances the overall effectiveness of a cybersecurity team. By continuously learning, getting technical, leveraging your business skills, and pursuing relevant certifications, you can make a successful transition into this exciting field.
 
Cybersecurity needs diverse skill sets to tackle its complex challenges. Whether you're an accountant, a business analyst, or come from another non-technical background, you might find that your transferable skills are exactly what a cybersecurity team needs to succeed. 
 
To watch the recorded presentation, visit Steve’s blog https://www.cpatocybersecurity.com/