3 Mind-Blowing Stats About GRC—And Why You'll Want To Make It Your Next Career Move
Maybe I'm just biased...no! GRC is cool!
It’s true.
Governance, Risk and Compliance (GRC) is on the up-and-up.
Some stats that will blow your mind:
44% of firms say they are being asked for proof of cybersecurity as part of a proposal process. (ACA Key Trends 2021 Report)
If it was a country, U.S. regulation would be the eighth-largest economy, ranking right behind Italy. (CEI Ten Thousand Commandments)
$80k is the LOW END for those moving down the GRC career path. (Got this by looking at LinkedIn/Indeed postings and what other sites reported.)
BONUS FACT:
The Pentagon only managed to account for 39% of its $3.5 trillion assets. That is 61% of $3.5 TRILLION THAT IS UNACCOUNTED FOR. Yikes. (Responsible Statecraft)
But it isn’t until you break each of these stats down that you realize how much of an opportunity GRC really is.
44% Of Firms Say They Are Being Asked For Proof Of Cybersecurity As Part Of A Proposal Process
This is big.
Companies have to actually prove they have good cybersecurity practices. They can’t say “Just trust me bro” anymore.
This means they’ll have to undergo audits and earn certifications like a SOC II certification. I am seeing it in my area of work too. I work for a company that does government contracting. The big thing there is CMMC or the Cybersecurity Maturity Model Certification.
The Department of Defense is having to hold contractors accountable. For too long companies were saying they had implemented NIST 800-171 and were secure enough to process CUI (Controlled Unclassified Information). I bet you can guess the truth though, can’t you? They were lying.
The Government needs contractors to do its work and research. So now they’re hard at work with the CMMC program. Once it’s completed in 2023(?), contractors will have to earn the certification before they can apply for projects that have CUI.
What does this mean for you?
Opportunity.
Companies need employees that understand IT, cybersecurity and compliance. This combination of knowledge will be used to implement controls and prove compliance.
Companies are willing to pay big money for this. To them it’s a no-brainer to pay a team a combined salary of $1 million-plus a year if it means they can win $50 million contracts.
If It Was A Country, U.S. Regulation Would Be The Eighth-Largest Economy, Ranking Right Behind Italy
Government contractors have to prepare for CMMC.
Private sector companies have to earn SOC II certifications.
Companies handling credit cards need to follow the Payment Card Industry Data Security Standard (PCI DSS).
Those are just the tip of the iceberg for regulation within the United States. Governance, Risk and Compliance is full of money. If you think about it, it makes sense.
The Government doesn’t want its data falling into foreign hands. The last thing it wants is controlled information going to China or North Korea. Truthfully, it shouldn’t go to any foreign nation unless it has been approved.
Private companies need to follow rules because they’re also targets of foreign nations. There are domestic threats too. Ransomware gangs continue to steal information and private companies need to know what to do for their industry.
Do they report it? To whom? Do customers need to be notified? People with GRC skills need to be there to interpret regulation, implement policy and make sure it is followed.
If the first statistic didn’t convince you that there is money in GRC then this one should. If you’re wanting a career that has money, is growing and will not disappear overnight…then GRC might be for you.
$80k Is The Low End For Those Moving Down The GRC Career Path
We know that companies have to prove compliance.
We know the market for U.S. regulation is so big that if it was its own economy it would be the eight largest in the world.
So how much do you get paid for helping companies prove compliance?
A ton.
Companies are paying money hand over fist to prove their compliance to win contracts. But it doesn’t end there. They also have to maintain their compliance. IT systems don’t stay static.
You know that technology moves fast if you’ve been in the field longer than a year. Best practices change. Systems get decommissioned and new ones put in. New procedures get approved.
Every time something changes in the business, it is up to the GRC team to make sure everything is still compliant. If it isn’t, they need to work with other teams to figure out the changes, plan them and then implement them.
GRC is perfect if you have 3+ years of experience in IT already. Because you need years of experience and GRC has a big impact, it pays a nice sum. Here are some examples from LinkedIn:
$135k+:
$100k+:
$130k:
$81k+:
$110k+:
What All Of This Means For You
Bells should be going off in your head if you:
Want a career that is stable
Want a career that will not disappear overnight
Want a career that helps you prepare to become a CISO
And want to put some money in your pocket
GRC is growing and that will continue. As long as there is a Government there will be compliance. If companies want to win projects? They’ll need to manage risk and understand compliance. If the freaking Pentagon can’t find trillions of dollars worth of assets?
Well, they’re gonna need people like you to help them.
My goal with this post was to highlight a route you can take in your IT career that doesn’t get as much love. Hackers and red teamers get more of the spotlight. They’re seen as sexier.
But behind the “boring” door of GRC is opportunity. Perhaps you should crack the door open and take a peek.
Let me know what you think.
Peace,
Tanuki
What is the pathway/roadmap to get into GRC as someone completely new to the industry?