The Untapped Potential of Business Skills in Cybersecurity Governance, Risk and Compliance

Breaking into cybersecurity from a business background is not only possible, but valuable

Hey there, 👋 

Great to see some of you at Canada’s premier IT security education conference last week: SecTor. Leigh Honeywell’s keynote on election security was a highlight.

Some exciting updates:

  1. 📆 📺 Mark your calendars for Thursday Oct 31 at 12:30 PM ET (and smash the Notify Me bell here), to check out my live #GRC workshop streaming to YouTube and SIMPLY CYBERCON Discord

  1. 📣 Release of the AKYLADE Certified Cyber Resilience Practitioner course (CCRP) in Simply Cyber Academy is imminent - and Dr. Gerald Auger is in it! 😱

    • It builds on the AKYLADE Certified Cyber Resilience Foundations course (CCRF), progressing from what to do, to how to do it as an independent consultant or cybersecurity leader

    • Here’s what some recent students have to say about the CCRF course

This is a great course on CSF 2.0. The course content is neatly organized/structured, external resources are attached, and downloadable content is available to assist with the learning process. I also like how he gives real examples to help apply the content. I found the course very helpful. I also follow Steve's YouTube channel, which includes some interviews with well-known trainers in the field.

Yawen Fan, Senior IT Auditor

I just completed the NIST CSF 2.0 AKYLADE Certified Cyber Resilience Fundamentals Udemy Course. Shout out to the course instructor Steve McMichael and the AKYLADE team for developing and presenting a comprehensive and informative course. It is jam-packed with supporting learning resources, practical application guidance, & valuable tips to help current & aspiring GRC practitioners understand and implement NIST CSF 2.0 in any organization. I HIGHLY recommend this course!

Will Reed, Cybersecurity Consultant | GRC Coach

  1. My rant about why GRC is awesome and underrated was published in the Financial Post. Check it out below.

Excited to see you (virtually) at the workshop and SIMPLY CYBERCON!

Steve

Opinion: The untapped potential of business skills in cybersecurity governance, risk and compliance

Breaking into cybersecurity from a business background is not only possible, but valuable

When outsiders typically think of cybersecurity careers, they imagine hackers and technical wizards battling it out in cyberspace. It’s an intimidating image, especially for those coming from non-technical backgrounds. But what if I told you that your business skills could be the key to a successful career in cybersecurity?

When I pivoted from accounting to cybersecurity governance, risk and compliance (GRC), it felt like stepping into an entirely new world. But I soon realized two important things: first, that cybersecurity is fundamentally a business problem and, second, that it’s a team sport that benefits from diverse skills.

The cybersecurity industry is moving away from alchemy and toward chemistry, from wizardry to accounting. This is where the business skills of GRC team members can make a big impact. Those skills are essential to helping companies reliably achieve their business objectives while managing cyber risk.

Despite this, GRC often gets overlooked. It didn’t make the cut for a poster of the top 20 coolest cybersecurity jobs created by the SANS Institute, “the world’s largest cybersecurity research and training organization,” and it doesn’t have a spot in the Cyberseek.org career pathway tool. But those are missed opportunities for SANS and CyberSeek. Here are six reasons why GRC is underrated and a great place to consider for a career:

First, GRC is revenue-enabling. Security assurance work directly supports sales reps in the field and occasionally interfaces with customers. That’s where you want to be to understand customer needs, how your company can meet them, and how to make a business impact.

Second, GRC offers exposure to working with top experts across all departments — the control owners. That includes business operations, finance, legal, HR, privacy, security operations, architecture, engineering, product security and more. You get to learn about diverse topics ranging from revenue accounting to software development. Both are very technical and very complicated, and it is very interesting to have a front-row seat to observe and understand them.

Third, GRC gives you exposure to top management, which is a great opportunity.

Fourth, GRC immerses you in the business. When you’re exposed to all the departments, you get to learn through immersion and practical application. Even if you want to specialize in something technical, it might be helpful to your career to rotate into GRC and then rotate out, because when you go into your specialty, you’ll bring with you that bigger picture perspective on how your function fits into the rest of the company.

Fifth, demand continues to ramp up for customer trust and assurance due to digital transformation, the cost of cybercrime and the proliferation of flawed and complicated technology.

Sixth (my favourite): GRC is a great way to get your foot in the door in cybersecurity.

So how can you break into cybersecurity GRC from a non-technical background? Consider these steps:

1. Adopt a continuous learning mindset

Cybersecurity evolves rapidly, so staying updated is crucial.

2. Get technical

While you don’t need to become a technical expert, having a basic understanding of technical concepts will help you communicate effectively with your technical colleagues.

3. Leverage business skills

Your understanding of business operations, risk management and how to apply decision-making frameworks to business problems can help you bridge the communication gap between technical and business teams.

4. Pursue training and certifications

These can help you get past applicant tracking systems and demonstrate your commitment to the field.

Breaking into cybersecurity from a business background is not only possible, but valuable. So don’t be intimidated by the technical wizardry. Cybersecurity needs diverse skill sets to tackle its complex challenges. Whether you’re an accountant, a business analyst or come from another “non-technical” background, your transferable skills might be exactly what a cybersecurity team needs to succeed.

—

Discover more about how to break into cybersecurity GRC at https://www.cpatocybersecurity.com/