Have you ever thought about how your credit card information stays safe when you shop online? Credit card companies follow strict rules to protect your data from hackers. Other businesses also have rules to keep your information safe.
But who checks if these rules are being followed? Enter Governance, Risk, and Compliance (GRC) analysts. Read on to see if you'd like being one of them!
γπΌ What GRC analysts do day-to-day
γπ How happy are GRC analysts with the job?
γπ What type of people thrive?
γπ Pros
γπ Cons
γπ Impact
γβοΈ Work-life balance
γπ€ΈββοΈ Flexibility
γπ€ The people
γβ¬οΈ Your managers
γπ§ Values alignment
γπ«π½ Diversity
γβ Job stability
γπ± Learning & development
γπ Job outlook
γπ΅ Pay
γπ Career progression
γπ Exit options
4. Where can I find internships?
My daily routine involves a lot of communication, especially through emails. This is because:
- An important part of a GRC analyst's job is to make sure your organization is compliant so that it passes audits. For instance, if we have a new rule that passwords must be 12 characters long, you can't just set the rule and go back to your desk. You have to make sure people are actually following it and understand what's required of them.
- Often, people don't respond since security isnβt on top of their minds. For instance, if I send out a question to 100 people, maybe only 80 will respond. I then have to hound down the remaining 20.
- I also need to answer questions. For instance, a vendor might ask for our SOC II report (a report that shows we've met certain cybersecurity requirements) or request that we fill out a security survey.
Now apply that to up to 250 rules and you have an idea of why this involves so much communication!
Besides emails, I also do things to make sure we maintain our cybersecurity posture. These include:
- Setting up a cybersecurity training session.
- Prepare for an upcoming audit.
- Keeping our risk register up-to-date.
- Running disaster recovery tests. A disaster is like your site getting hacked and you needing to shut it down to recover. Some businesses can only afford to be down for 10 minutes. So you need to have disaster recovery plans, which we need to test. We need to know everyone knows where to go and what to do in an emergency. So my job is to run these tests, record them, and make sure everyone is clear on the process.
The governance side of the job involves writing policies and adapting them for the needs of the business. In cybersecurity, we're here to enable the business, not to hinder it. If we make the business so secure that it can't operate, what good is it?
For instance, let's say we want to set a policy for 14-character passwords. But maybe our sales team is on the road a lot and their phones can't handle 14-character passwords. So I'd have to adapt the policy so it's practical for the people who'll need to follow it.
β Senior GRC analyst, formerly @ Equifax and UPS
I'd say extremely happy. I've been a business analyst, project manager, and I think those fields are good too, but one thing about cybersecurity that makes people extremely happy is the pay.
And it's respected. There are lots of cybersecurity jobs and not a lot of people to fill them. So companies are treating you well. They don't want to lose you. They want to retain you.
So I know I'm being paid well and I'm getting a level of autonomy and perks (I can work from home), that makes me happy.
β Senior GRC analyst, formerly @ Equifax and UPS
People who thrive in this field are those who are constantly open to learning new things. This industry never stays the same; technology evolves so rapidly that I doubt I'll ever reach a point where I feel I've learned enough.
For example:
- I've transitioned from working with bank data to handling healthcare data. This involves learning new nuances, as the data are treated differently.
- With recent developments like privacy concerns and regulations such as GDPR, understanding how to protect personal information has become a crucial part of our work. Privacy wasn't as prominent a concern 3-5 years ago as it is today. Now, people are more aware and cautious about how their data, even something as simple as their search history for "plants," is used by large corporations.
- The rise of AI introduces new challenges. It's a burgeoning field, and its implications for security are still unfolding. If employees are interacting with AI, that information might be stored elsewhere, potentially exposing our organization to new risks. It's crucial to understand these emerging technologies and adapt our security measures accordingly.
So this field is expansive and constantly evolving, which keeps me engaged because there's always something new to challenge my understanding and skills.
But it's definitely not a career where you learn a set of skills once and apply them unchanged for years. It requires continuous learning. If someone thinks that finishing college means they're done learning, they're mistaken. This field moves too fast for that. In cybersecurity, adaptability isnβt just an advantage; it's a necessity.
β Senior GRC analyst, formerly @ Equifax and UPS
- I like that the field is always changing, but even with all the change, I'm not starting all over. I'm building on the things I know. As much as this industry and technology evolves, there's certain things that don't change. And when you get good at it, then you've got it. You're going to always need to protect information.
- I've gotten a taste of different industries. I've learned about healthcare, credit cards, etc.
- Cybersecurity is a respected industry. Not a lot of people do it, so most people are impressed and curious about it. "Wow that must be so exciting!"
- Job security is great.
β Senior GRC analyst, formerly @ Equifax and UPS
#1 Cybersecurity is a cost center for the company, so I don't think I'll ever get the same level of respect as a sales person working on a hot product that everybody wants.
The company thinks highly of sales and salespeople who bring in a lot of money. As a cybersecurity analyst, I bring in no money. Do I get the respect because it's a hard field and they need me? Yes. But it's not the same as someone who's bringing in $1 million of revenue.
The priority of a CEO is for the company to be profitable. So he's going to pay attention to people who can make the company profitable and give them more recognition.
You kind of just have to deal with that. Naturally, if you're a technical person, you're not going to do something like sales. You just have to be OK with the pecking order.
#2 You have to work with people in different time zones, especially after the pandemic, when companies started hiring people in different parts of the world. So if I really need to talk to someone in a different time zone, I may need to stay up later or get up earlier. That's a sacrifice you need to make.
#3 Most technical people work long hours. Not all the time, but as a technical person, your job is to make sure things are working, which takes time and you won't always know how much time it'll take. Something I think is really hard actually takes 15 minutes. And something that I think is easy makes me stay up all night. That's a part of the job.
β Senior GRC analyst, formerly @ Equifax and UPS
Here's another con, shared by a cybersecurity engineer we interviewed.
During my cybersecurity internship, I learned I didn't want to do GRC. GRC is a lot of paperwork, a lot of meetings. It's just very boring.
A lot of GRC is meeting with internal resources (people inside the company) beforehand to make sure that you're going to pass the audit. A consolation is you can make big money in GRC because it is so important - a company may have to close up shop if your company isn't compliant!
β SIEM engineer
I once worked for a credit card company, which didn't take security seriously at all.
When they got breached, they lost their Payment Card Industry (PCI) certification. This meant they couldn't do business. After all, nobody's going to do business with a business that's not certified and not keeping cardholder data safe!
So "analyst" sounds like a lowly position but if your analysts can't do their job, business stops.
β Senior GRC analyst, formerly @ Equifax and UPS
Typically work-life balance is good in GRC roles. You don't have to work a whole lot of extra hours except when there's an audit coming up and most companies only do one or two audits per year.
Personally though, I do spend a good amount of time outside of work to keep up my skills. Let's say a job is looking for five certifications and I only have four. I'd have to study before and after work and maybe on the weekend, which that does away with the balance.
β Senior GRC analyst, formerly @ Equifax and UPS
This career is very flexible. There are more cybersecurity jobs than talent. So people can be in the driver's seat for how they want to work. For instance, I've had the ability to work from home for about 8 years now. Even with more people returning to office, you can find plenty of remote GRC jobs.
My hours are technically 9-5 but they're flexible. I work eight hour days and I get to decide when those hours are. If I get up in the morning and do a bunch of work at 6-7 am or if I stay up late, no one really cares. (I work remotely.)
There may be certain hours of the day where I need to be available. For instance:
- Some jobs want you to be available during "core hours," meaning that if someone were to call me, I'd need to be able to answer my phone. So I can make a doctors' appointment during the morning, but I'll still be available on my phone.
- Team meetings will take place during normal work hours. But I don't have a lot of meetings as I mainly work on my own.
If you're more junior, you'll need to work with people (and their schedules), so there won't be as much flexibility.
β Senior GRC analyst, formerly @ Equifax and UPS
Cybersecurity teams are usually relatively small. So you're not going to be working with 10-20 cybersecurity people. Even at big companies, there are only a handful of people.
Outside of cybersecurity, I usually work with people in infrastructure, a lot of managers, HR, and Legal.
I also work with business owners of applications. Let's say I work at a tech company, which makes five applications. Each application will have a business owner who owns the development and life cycle of the application. I'll work with them to make sure the application is developed and maintained in a secure way.
What's challenging in this career is that a lot of people don't understand the importance of cybersecurity. Let's say there's 10 policies and I want to make sure a part of the organization is compliant with all of them. I'll reach out to the people there and ask them some questions ("Does everyone have their own passwords and usernames?" "Do people save things in encrypted areas?" "Do we have any shared accounts?")
Whenever they say they don't know something and need to check, that's when I need to follow up. If after I follow up, they're like "Yeah, I still don't know and I'm a little busy so I don't know if I'll be able to help you," I have to remind them that an audit is coming up and we don't want to fail as an organization. I may also have to threaten to escalate things ("If you don't let me know, I'm going to assume the answer is no and we need to fix it. And I'm going to need to raise this as a risk").
β Senior GRC analyst, formerly @ Equifax and UPS
Currently, I report to a VP who has a bunch of analysts under him. At one of my roles, I reported to a director, and was his only direct report.
My managers:
- Guide me on how things are done at this particular organization.
- Tell me what to do, e.g. "run an audit," "be on top of these policies," "fill out these questionnaires," "check these things quarterly," "make sure people are attending training and passing the quizzes."
β Senior GRC analyst, formerly @ Equifax and UPS
I think values alignment comes down to the company you work for. I'd look for:
- Does the company do the right thing (in terms of cybersecurity) because of regulations? Or do they do it because it's the right thing to do? (Most companies do what they need to do because it's what they need to do. I feel my values are more aligned with highly responsible companies that go above and beyond.)
- Does a company value inclusion and diversity? For instance, does it celebrate Chinese New Year, Martin Luther King or Juneteeth? Or does it just celebrate Jewish holidays? I see value being more important than ever.
Though it really boils down to the level of skills you have. When you're skilled, you can make those choices. When you don't have those skills, you're choosing the job that chooses you.
β Senior GRC analyst, formerly @ Equifax and UPS
You can say there's a lot of minorities β Indians, Asians, people of color. But like in IT, there's not a lot of women. There are more and more women these days, but it's still a lot of men.
I do think GRC is a women-friendly field, since it has more to do with audits and the legal side of things.
In fact, I went to school for software development and I find cybersecurity more women-friendly, because the job is more communicative. Being a developer is more of a solo endeavor where you're working with a lot of people who don't do a lot of talking. By contrast, GRC is a career where talking and communicating is a bigger part of your role.
β Senior GRC analyst, formerly @ Equifax and UPS
There are a lot of jobs! There was a company I really liked that had to let everyone go because they lost funding, but other than that, I haven't had to try that hard to find work.
Personally, I hate looking for jobs. I find a good job and I stay there, so it's nice to be in an industry, where if you needed to find a new job with good pay, it's easy to do that.
When you have this skillset, you can choose who you work for as opposed to taking whatever because you don't have a lot of options.
β Senior GRC analyst, formerly @ Equifax and UPS
I'm learning all the time. Companies will also pay for you to learn. They'll have programs and tuition reimbursement, pay for your tests and stuff like that.
Personally, I chose to pay for my own books and certifications as it puts me in charge. A company might pay for a certification if it costs less than $500, but maybe you need $1000 worth of material or need to go to a bootcamp, which is expensive. And if you take their money, you may need to work with them for a certain amount of time, whereas if I pay for it, I can ifnd a new job now.
β Senior GRC analyst, formerly @ Equifax and UPS
The Bureau of Labor Statistics predicts that cybersecurity analyst jobs will grow 32% (much faster than average).
In terms of GRC specifically, our analyst believes there will be more and more roles as well.
Before you'd only have GRC roles in companies or bigger companies with sensitive data (like banks or healthcare companies). But now with privacy on the rise, I can't think of any type of company that doesn't have data that they don't need to protect. And with that, there are probably some regulations and laws they need to follow. So cybersecurity is in almost every company now, and if there's a cybersecurity program there's probably GRC analysts as well.
β Senior GRC analyst, formerly @ Equifax and UPS
That said, there's a bit of a mismatch in the job market since employers generally want experienced cybersecurity professionals (it's hard to entrust your security to someone without experience). Check out our best tips on breaking into cybersecurity.
According to Glassdoor, GRC analysts make an average of $106,000 a year. What's the pay like for entry-level analysts?
GRC analysts can start out making $70,000 across the board. I've seen entry-level roles that are $50,000 but those are few.
You make more money based on whether you have higher education. If you don't have that but are certified, you can also make decent money. If you have both, you'll make even more money.
If you work for companies based in California or New York, they pay more. I live in Georgia and worked for a NY-based company and they paid really well.
Seasoned people can make six figures and up and you can even qualify for bonuses.
β Senior GRC analyst, formerly @ Equifax and UPS
In GRC, you start out as an analyst.
- As a junior analyst, you'd be given smaller tasks. For instance, you might be asked to coordinate audit interviews and make sure leaders are signing documents. As you do those tasks, you'd ask lots of questions and be given feedback. After a while, you'll know what quality means. And then you can be more independent.
- As a senior analyst, you might train junior analysts and take on tasks with more visibility. You'd also own things as opposed to assisting with them. For example, you might be over a client (or a type of client), a particular domain (like risk management or vendor management), or a project. If someone were to ask me about a project, I'd be able to say "My project is doing X" or "My project is suffering" and I'd be able to explain why.
If you stay at the same organization (and it's a big one with lots of hierarchy), then you might move up to lead analyst, manager, director, VP (and senior VP), even CISO (Chief Information Security Officer). This really depends on the organization though. For example, in some places, cybersecurity falls under IT, so there's no CISO, only a CIO.
Instead of climbing the ladder at the big companies, you can also move to smaller companies, which pay more. They tend to not have a lot of people (think: five cybersecurity people) so they usually don't hire junior people, but you can get in after you're a senior analyst and able to work independently.
You also have the choice of specializing or staying a generalist. Some people specialize in one domain and just do that! Some examples are access management (you'd make sure roles are clear and make sure people only have access to what they need), disaster recovery (you'd make sure companies are ready in a disaster and make sure there's a business continuity program in place), IAM applications for identity (you can make a lot of money specializing in this).
β Senior GRC analyst, formerly @ Equifax and UPS
- Run your own consulting business: If you have a specialty, you can offer consulting services. For example, if you specialize in disaster recovery, a company that gets breached might reach out for help with disaster recovery.
- Teach: I'm getting a master's degree so I can eventually teach.
- Become a cybersecurity coach: Some people get certifications and then they teach others to get certified.
β Senior GRC analyst, formerly @ Equifax and UPS
You can find plenty of internships on Prosple. We have a vast selection of internships curated for students like you. Just filter 'til you find the right fit!