What is it?
Governance, Risk, and Compliance (GRC) in cybersecurity plays an important role in ensuring that a company’s infrastructure meets industry standards. These standards vary depending on the sector. For example, healthcare companies must adhere to HIPAA (Health Insurance Portability and Accountability Act) regulations, while government organizations align with NIST (National Institute of Standards and Technology) guidelines, specifically the NIST 800 series. Aligning IT with business goals and ensuring compliance with regulatory requirements are core responsibilities of this role within cybersecurity.
GRC sets forth the minimum requirements for compliance across industries. It mandates measures to safeguard organizational data and security. It is important to note that compliance alone does not guarantee immunity from cyber threats.
NIST 800 Series
The NIST 800 series, managed by the U.S. government, establishes standards and guidelines for federal agencies and organizations to manage and secure their information systems. NIST publishes the series on its official website, where anyone can read the frameworks and mandates it sets forth. For students, reading it is a useful way to understand the key considerations that come with a security role.
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient information for healthcare providers and related organizations. It falls under the U.S. Department of Health and Human Services.
Why is This Important?
Security is deeply interconnected with how we live and operate today. Many people assume that it concerns only their technology devices, but that is untrue.
I will give you a modern example of the implications. In 2021, the FDA sent a warning letter to the manufacturer of an insulin pump used by diabetes patients. The letter stated that there were vulnerabilities within the product and that the manufacturer had failed to mitigate certain risks associated with it.
Furthermore, CISA (Cybersecurity and Infrastructure Security Agency) stated that these vulnerabilities could be exploited, resulting in the device not functioning at all. These machines are essential to those with diabetes to ensure that their life-saving medicine is administered in a timely manner—and a vulnerability can completely halt its functionality. This could be life-threatening.
This is just one example of how security vulnerabilities can come into play.
Preparing for a Role
So, does all of this sound interesting to you? Are you wondering how you could position yourself for a role like this while you are still an undergraduate?
1. Job Description Investigation – Analyze job descriptions for your target roles to identify the key competencies employers consistently demand. These may include regulatory expertise (e.g., HIPAA, GDPR), risk management proficiency, compliance auditing skills, and cybersecurity knowledge. Reverse engineer these requirements to create a personalized development plan. Proactively acquire and hone these critical skills to align yourself with industry expectations and enhance your marketability.
2. Internships – Look for internships focused on risk management or compliance. Hands-on experience is crucial for understanding how theoretical knowledge applies in real-world scenarios.
3. Case Studies – Delve into recent breach reports. Analyze whether the companies met compliance standards and explore additional measures they could have taken to mitigate risks. Examining their post-breach improvements can reveal valuable lessons in best practices.
4. Mentorship – Connect with professionals already established in the field. A mentor can offer guidance, share industry insights, and help you navigate the complexities of career development.
5. Communication Skills – Practice articulating complex frameworks and security concepts to non-technical audiences. Effective communication is essential, as GRC professionals often translate technical details into actionable insights for business stakeholders.
6. Documentation Experience – Take on opportunities to draft policies or compliance documents. This practical experience will familiarize you with regulatory requirements and the meticulous nature of GRC responsibilities.