#NextGenResearch: Are GRC Skills Being Demanded in Job Adverts?

At the start of this year, Infosecurity conducted its second State of Cybersecurity Report. This determined 31 distinct trends in cybersecurity that respondents believed were driving the industry.

Following on from the publication of this report, Infosecurity launched a second piece of research, engaging with students, people on work placements and those starting out their careers in cybersecurity to find out how these trends affected them.

Having looked at two specific areas in the past two weeks, over the next few weeks we will look at the concept of compliance. This was top rated in our 2018 research, and came in as a third trend in this year’s survey. Therefore we asked, have our next generation respondents noticed more demand for GRC (governance, risk and compliance) skills in job ads?

Overall we received 51 responses, and of that, 27 were positive and were seeing that demand, whilst 24 said they were not seeing this. One person did say that there was an increase, but it was not “a primary skill companies look for.”

The feeling among those who answered positively was that GRC was part of the job. One person said it “depends on the industry” as there is greater scrutiny on this in parts of the public sector as well as for government contracts, while another said that this was the case for audit or forensics roles.

In the past 12-18 months we have seen more compliance frameworks be introduced, be it the GDPR in May 2018, the PSD2 this year and the upcoming consumer privacy act in California in January, and this should be driving more need for employees with risk and compliance skills. One respondent said that they were seeing more demand for risk specifically in “70-80% of all my job alerts” and another said that they are seeing these in job postings for security analysts or similar positions

One US respondent cited more governance and compliance in job ads, and after working with an instructor who works with governance and compliance in their job, this led to the respondent to research more into GRC.

Two respondents, who admitted that they were not actively seeking work, did say that they had seen these skills increase in the specification. One said that “many of the roles that I do focus towards have an element of GRC” especially following the introduction of GDPR, while another said that there had been a “significant increase in GRC skills demand across roles” since they had last looked a few months previously.

“For example several traditional technical security roles now include responsibilities such as supporting compliance activities or performing risk assessments.”

From the negative side, a number of responses seemed to sit on the fence, with one saying that they “see technical jobs adverts far more frequently than GRC” and another cited a small increase, but they said that compliance was very much on a “need to know basis.”

Most of the negative responses came from people who claimed to not be looking for work, or simply that they were not seeing those types of skills being demanded. More of the respondents cited that they were looking for more technical roles, with one stating that “most of the job ads I have seen mostly revolve around the core technical concepts related to penetration testing, incident response and vulnerability research.” However another said that GRC is a discussion which seems to be coming up more often.

Compliance has been a consistently popular topic for us here at Infosecurity, and with top five placings in both of our State of Cybersecurity reports and a never-ending discussion around gaining and retaining a compliant status, it is good that this is being seen as a skill to be gained. Whilst not every job is apparently requiring GRC skills, it also seems that not everyone feels the need to know everything. However a bit of knowledge on compliance could serve you well.

What’s Hot on Infosecurity Magazine?