What’s Driving the Demand for GRC Professionals in Critical Infrastructure?
As geopolitical tensions continue, cyberwarfare has taken its toll on the world. Last July, the FBI, CISA and the Department of the Treasury issued a joint advisory about North Korean hackers targeting U.S. healthcare systems. Another warning was issued about Russian state-sponsored CNI attacks aimed against Ukraine or organizations providing materiel support. Alarmingly, the last few years have seen cyberattacks on oil and gas (Colonial Pipeline), nuclear operations (Iranian nuclear facility, Kansas nuclear plant, Stuxnet) and water utilities (Oldsmar, Israeli facilities) among others.
In response, more CNI-geared legislation is on the way. The most game-changing move on this front last year for the U.S. was the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It marks an important milestone in improving U.S. cybersecurity by directing CISA to implement regulations that require CNI sectors to report incidents of ransomware payments and cyber abuse. Taking a proactive role, CISA will dispatch resources to aid those sectors at immediate risk.
This legislation saw its share in global efforts to shore up CNI systems in 2022. In the face of the international scene’s new challenges, the National Intelligence Centre (CNI) was created in Spain, and a new European cybersecurity directive seeks to shore up EU industrial and governmental defenses to a degree previously unattained. Contributing member and lead MEP Bart Groothuis says, “Ransomware and other cyberthreats have preyed on Europe for far too long. We need to act to make our businesses, governments and society more resilient to hostile cyber operations.”
Compliance: the new competitive edge
It’s no longer enough to know one thing and know it well. While there will always be a place in any industry for niche specialization, the cybersecurity leaders of tomorrow are the ones who are able to respond to global digitization and know the rules across the board. It’s no longer enough to comply with domestic regulations; organizations must be familiar with the governance, risk and compliance (GRC) requirements of the markets into which they hope to expand. The contracts, opportunities and supply chain spots of the future will go to those that can hit the ground running without slowing down to adapt to new security rules.
There is so much to learn. This past March, the U.S. Congress passed the Strengthening American Cybersecurity Act (SACA) following the Executive Order on Improving the Nation’s Cybersecurity issued in 2021. On the docket is The American Data Privacy and Protection Act (ADPPA), a groundbreaking new law that, if passed, could preempt many state privacy regulations already in existence. Meanwhile, more than 20 states passed similar privacy laws in 2022, and as of this year, a grand total of five will be in effect. Overseas, GDPR continues to move forward amid growing pains. The EU-U.S. Privacy Shield was invalidated by the European Court of Justice and is now replaced by a new standard for transatlantic data transfer, the EU-US Data Privacy Framework.
As the landscape continues to heat up, compliance will require being competitive. Those who understand this brave new world will be in top demand in the not-too-distant future. The time to prepare is now.
Gap in GRC professionals expected
As GRC policies expand around the world, GRC appears to be the next big area for cybersecurity. Those who can take their operations to the next international level of expansion will be the ones who can smoothly and quickly comply with global GRC requirements. This rapid expansion will create the need for more GRC professionals within every organization, and a leadership vacuum is likely to emerge.
Many are turning to certification programs and continuing education to fill the need for GRC professionals. Those who become Certified in Governance, Risk and Compliance will be in a position to meet the demands of this highly sought-after specialization. All organizations need compliance advisors. Once more of them realize this, there will likely be a rush to snatch up the few who are well-prepared.
Compliance is the future. Data regulation is the basis upon which tomorrow’s decisions will be made, and everything from national security to human rights will hinge upon it. The skill sets in high demand as organizations are forced to the table will be the ones with the knowledge of what to do to play the game right. More often, organizations are risking shutdown or even executive jail time for infractions of data privacy. Security professionals versed in GRC will be an insurance asset in their own right.
Increasingly, data and compliance regulations are becoming the minimum fare for entrance as governments crack down on enterprises for their mishandling of consumer information. Nation-state actors threaten CNI sectors. The less prepared organizations are, the more likely they are to become a target for hackers seeking low-hanging fruit. The path to security leads through GRC, and faced with mandatory audits, risk reduction and security requirements, everyone will seek a guide.
The next decade of cybersecurity is here, and professionals who cross-train and upskill now will be the ones to navigate us all through it.
Learn more about professional certification in governance, risk and compliance in the Ultimate Guide to the CGRC.