Have you ever considered how your business skills might be the key to unlocking a successful career in cybersecurity? Or perhaps the technological arms race between attackers and defenders in the fifth domain of cyberspace looks too intimidating.

This insight from a recent Cloud Security Office Hours is particularly relevant to Cybersecurity Governance, Risk & Compliance (GRC), where transitioning from diverse backgrounds like business and accounting is not only possible, but can be advantageous.

Read on for how you can find skill fit in GRC coming from diverse backgrounds, why it’s underrated, tips to break in, and how learning about NIST Cybersecurity Framework can help you make an outsized impact.

Meeting Insight Roundup

• Career Crossover Myth Busting 🥊

• Spotlight on The Importance of Compliance: Enron C …

• The Unseen GRC Path: Why It’s Underrated 🛣️

• Breaking In: The First Steps 👣

• NIST Cybersecurity Framework: A Great Tool For GRC …

• Bottom Line ✅

Career Crossover Myth Busting 🥊 

When I first transitioned from accounting to GRC, it felt like stepping into a different world dominated by technical cybersecurity “wizards.” But I soon realized that Cybersecurity is:

1. A business problem

2. A team sport that like any team, benefits from diverse skills

In order to reliably achieve business objectives by managing cyber risk, the industry aspires to have less alchemy and more chemistry; less wizardry and more accounting. This is where GRC team member business administration, documentation, reporting, process, project management skills and outsider perspectives can shine.

Spotlight on The Importance of Compliance: Enron Case Study 🔍️ 

To illustrate the importance of GRC and expand on the idea of cybersecurity transitioning from wizardry to accounting, let’s take a closer look at the Enron real life case study. Enron was America's seventh-largest company before it collapsed due to accounting fraud. The scandal led to significant regulatory changes, including the Sarbanes-Oxley Act (SOX), which aimed to restore trust in financial reporting needed for liquidity in capital markets.

In cybersecurity, similar principles apply. Assurance work is essential for providing trust and transparency. Effective GRC practices can help prevent disasters by checking that internal controls are designed and operating effectively.

• Most of Enron’s 21,000 employees lost their jobs without severance or health insurance

• Arthur Andersen was charged with obstruction of justice for shredding documents, leading to its downfall and the loss of jobs for most of its 28,000 employees

• Enron’s collapse led to the conviction of 21 individuals

The Unseen GRC Path: Why It’s Underrated 🛣️ 

While GRC is a great entry point to outsiders to break into cybersecurity, it gets a bad rap. For example it didn't make the cut for the SANS poster of the coolest cybersecurity jobs, but I think that’s missed an opportunity.

Here are the six specific things that I think make GRC awesome:

First, we are revenue-enabling. Our security assurance work has us directly supporting sales reps in the field and occasionally interfacing directly with customers. That's where you want to be to understand customer needs, how your company can meet them, and how to make a business impact.

Second, breadth. We get to work with the top experts across all departments—the control owners. That includes the Security Operations Center, Architecture, Engineering, Product Security, IT, Finance, HR, Legal, Privacy, and more. I've really enjoyed learning about diverse topics ranging from revenue accounting to software development—both very technical, very complicated, and very interesting to get a front-row seat to observe and understand those processes and their outcomes.

Third, top management. GRC gives you exposure to the top, which is a great opportunity.

Fourth, immersion. When you're exposed to all the departments, you get to learn through immersion and practical application. Even if you want to be very specialized and technical, it might be helpful to your career to rotate into GRC and then rotate out, because when you go into your swim lane, you'll bring with you that bigger picture perspective on how your function fits into the rest of the company.

Fifth, business is booming. As demand continues to ramp up for customer trust and assurance due to digital transformation, the cost of cybercrime, and the proliferation of flawed and complicated technology, GRC continues to be in demand.

Sixth (my favourite): GRC is a feeder role to get your foot in the door.

Breaking In: The First Steps 👣 

If you're coming from a non-technical background and want to break into cybersecurity, particularly GRC, here are some steps you can take:

1. Continuous Learning Mindset: Be prepared to learn continuously. Cybersecurity is a rapidly evolving field, and staying updated is crucial.

2. Get Technical: While you don't need to become a technical expert, having a basic understanding of technical concepts will help you communicate effectively with your technical colleagues.

3. Leverage Your Business Skills: Your understanding of business processes, risk management, and compliance can be incredibly valuable. Use these skills to bridge the gap between technical and business teams.

4. Training and Certifications: Consider pursuing education relevant to GRC in the GRC Certification Roadmap that was recently updated to version 1.1 here:

These can help you get through application tracking systems and demonstrate your commitment to the field.

NIST Cybersecurity Framework: A Great Tool For GRC Work ⚒️ 

One of the most useful tools in GRC is the NIST Cybersecurity Framework (CSF). It provides a flexible and adaptive approach to managing cybersecurity risk. The framework is voluntary and focuses on risk management rather than prescriptive controls. This allows organizations to tailor their cybersecurity strategies to their unique needs.

The CSF breaks down cybersecurity into six functions: Identify, Protect, Detect, Respond, Recover, and Govern. This structure facilitates communication between different levels of an organization, from executives to technical staff.

Bottom Line ✅ 

Breaking into cybersecurity from a business background is not only possible but also valuable. The skills you bring from previous experiences can provide a unique perspective that enhances the overall effectiveness of a cybersecurity team. By continuously learning, getting technical, leveraging your business skills, and pursuing relevant certifications, you can make a successful transition into this exciting field.

Cybersecurity needs diverse skill sets to tackle its complex challenges. Whether you're an accountant, a business analyst, or come from another non-technical background, you might find that your transferable skills are exactly what a cybersecurity team needs to succeed.