Module 0 - Lesson 3 - PolicyWizard career roles

In this lesson, we're going to look at typical career paths within GRC. Remember that no two routes are the same; your journey through the industry will look very different to mine.

Starting off, we have four entry-level options that are named differently but involve very similar day-to-day tasks.

A Policy Writer will spend most of their time collaborating with stakeholders and hosting policy change review meetings. They will often help within other areas of GRC, such as audit management and security awareness training. We will cover this role in more depth during Module 1.

The next three roles typically carry out the same tasks but are named differently. They will work across all areas of GRC: governance tasks such as policy writing, risk management, and evidence gathering to meet compliance requirements.

Duties might also include delivering security awareness training, running phishing simulations, and carrying out remediation of suspicious emails reported by staff. The roles are Information Assurance Analyst, Information Security Specialist, and GRC Analyst.

As you gain experience and knowledge within the field, you might receive a promotion to Senior GRC Analyst. You will focus more on one or two specific areas, but you will be expected to have working knowledge of all three areas of GRC (governance, risk, and compliance). You may be required to lead others within the team and provide advice and guidance to the junior members.

An Information Security Auditor typically specialises after a couple of years in GRC. They must have the soft skills to interact with people at all levels of the business, the knowledge to understand the requirements of the framework being audited against, and the technical understanding to recognise when something does not meet the standard.

As a Security Manager, you will lead a team of junior and senior analysts to ensure the focus areas are worked on. You have to understand the roles of your team members and provide advice where required. You have all the usual admin tasks that a manager has, but you will also be expected to carry out security tasks yourself. You are a team member before you are the manager.

As a Director of Security or Head of GRC, you are the puppet master for all members of your team. You'll provide expert advice where required and might deputise for the CISO when they are unavailable.

As a Virtual CISO (vCISO), you'll contract for a fixed period to provide expert advice to businesses that may not be able to afford, or justify, a full-time CISO.

As a full-time CISO, you're no longer carrying out hands-on security tasks. You're more business-strategy focused, and you ensure the security team is working with the goals of the business in mind. You'll spend most of your time in meetings with clients and other business executives. You'll work closely with the Director of Security to keep the security strategy aligned with the team's work, the business goals, and the organisation's risk appetite.

The CISO is the pinnacle of the GRC career path.