Despite a broad range of efforts to close the cybersecurity skills gap, one expert has warned that recruiters’ focus on technical cybersecurity roles leads many non-technical workers to miss out on opportunities to specialise in cyber governance, risk, and compliance (GRC).
Cyber GRC specialists have been in shortage across every Australian state and territory for years, according to Jobs and Skills Australia, but without clear training paths for such roles – and little clarity about what they actually entail – visibility of the role remains low and there has been little guidance as to what types of workers would be best suited for the roles.
Indeed, even the Australian Bureau of Statistics’ formal ANZSCO list of job occupations doesn’t seem to know how to describe Cyber GRC: while the guide offers detailed lists of the skills, tasks, and job roles related to a range of ICT and cyber security jobs, its cursory description of the Cyber GRC occupation – which is described as someone who “lead[s] the governance, risk and compliance for cyber security” – offers little clarity for job seekers or the recruiters who would place them.
“GRC seems to be this mysterious and inaccessible cybersecurity specialty,” said Abed Hamdan, a onetime Unix server administrator whose career progressed to a role in cybersecurity strategy consulting with PwC Australia.
“Even if you’re a technical person, GRC is a good specialisation because you can get all the benefits that come with a cybersecurity career – high salaries, options for remote work, and career progression to management or consulting without having to do things like shift work, after hours work, or weekends.”
What little training in GRC exists is both expensive and exclusive: although some universities offer GRC certificates, they typically require previous university qualifications, years of relevant work experience, and five-figure price tags – making them inaccessible for people who may be looking to reinvent their careers in cyber security.
“GRC jobs are not always accessible to beginners,” Hamdan explained, “and certifications that allegedly claim to teach you some GRC skills want you to have five years of professional experience before you can be certified.”
He had observed the effect of this firsthand: when hiring graduates to work in GRC roles at PwC, Hamdan said he “always struggled to recommend training courses for individuals who want to learn more about GRC and progress in their careers.”
“I really wanted to make GRC accessible for everyone.”
GRC for the people
Because they don’t require the same level of detailed technical skill, GRC roles can be more accessible than many cyber careers: the key capabilities they require – business advisory, translation of technical issues for managers and other non-technical business stakeholders, and monitoring of the effectiveness of risk management programs – can resonate with a broad range of people once they are presented in an accessible way.
Aiming to take the mystery out of GRC and engage interested parties to help fill the GRC skills gap, Hamdan worked to develop GRC Mastery, an extensive training course that explains GRC concepts in plain language, and guides students through the process of building their skills in the area.
Through a series of short and concise videos, practical lectures, and interactive quizzes, the course addresses the seven key domains of GRC: strategy management, business processes, policies and procedures, performance management, risk management, control activities, and audits.
Modules explain concepts such as asset management, identity and access management, security education and awareness programs, data security and data loss prevention, third party risk management, penetration testing, and more.
There’s also a capstone project in which students apply their skills to conduct a maturity assessment using the NIST Cybersecurity Framework, which has been widely adopted across the NSW Government and elsewhere as an example of cyber GRC best practice.
In a cyber security climate where hacks of large businesses like Latitude Financial and MediSecure are leaving tens of millions of Australians’ personal information exposed, and everyday hacks are funnelling money away from organisations that should be better protected, careful attention to assessing and managing risk has never been more important.
Particularly as AI further complicates the situation – Queensland, for one, recently mandated AI and automated decision-making risk reviews – and incidents such as the recent CrowdStrike-Microsoft global outage show the potential effects of poor risk management, students with robust GRC skills have never had more opportunities to apply those skills.
The key is for recruiters, and the rest of a cybersecurity industry that continues to beg for staff to fill its skills gap, to recognise the difference between technology-heavy cybersecurity roles and the broader base of skills that can make a cyber GRC specialist successful.
“When I interview individuals who memorise a bunch of concepts to pass a multiple choice exam, they fail as soon as I ask a scenario based question,” Hamdan said, adding that the GRC Mastery course “will make sure that students not only understand the concepts, but know exactly how they are implemented in the real world.”
“This is what I wish I had access to when I was starting out,” he said. “It could have saved me a lot of time, money, and pain – and it could have gotten me to my goal a lot faster.”