
Moving into Governance Risk & Compliance/Cybersecurity from civil service policy

6 replies

Psm92 · 15/09/2023 15:18

An idea from a recent Mumsnet thread! I've been looking into this and it looks pretty interesting. I currently work in security policy for the Gov (not cyber, so a tenuous link), have a background in law, and am interested in AI, etc. So it feels like a career choice that makes sense for me.

However, my primary aim of moving career from the civil service is to make more money. I'm unsure as to how I'd go about making the transition - would I have to start from the bottom? Any advice appreciated.

FrangipaniBlue · 15/09/2023 16:07

The civil service is pretty big on cyber security, and in some departments cyber staff are among the best-paid people.

I would approach your cyber team and see if there are any opportunities for a secondment or move. Your background in security policy is a good foot in!

Once in, there are cyber qualifications you can do that your employer would probably fund.

With the training and experience under your belt you could then look to move out into private sector.

workoholic · 16/09/2023 23:38

Hello. I work in compliance, in financial services (investments) and have done for over 10 years. I got into compliance by working in just PA/admin roles, then ended up moving into the compliance team as an analyst. I have done multiple qualifications - CFAUK IMC, CISI Compliance Diploma, Financial Crime certificate, CISI IOC... you can also do ICA qualifications.

What industry do you want to work in? Every industry has a compliance function, but different industries pay differently and require different qualifications.

If you want a way in, your best bet is to do similar. It's not easy to break in and you might need to be willing to take a pay cut to do it, depending how much you are already on. You need industry experience, which is why you may need to take the pay cut, you see.

I hope this helps.

CyberCritical · 17/09/2023 00:18

Familiarise yourself with:

  • ISO27001 (information security) and, linked from there, ISO22301 (business continuity), 27701 (privacy) and 9001 (quality); there are lots of crossover clauses
  • Cyber Essentials / NCSC infrastructure framework
  • CyberAssurance Framework (CAF)
  • NIST

You can find lots of free resources online and interviews in GRC/CyberSecurity will expect a level of understanding of these.

If I am interviewing for a GRC Analyst, which is an entry-level GRC role at around £40K, I'm looking for someone with an understanding of:

  • Management system frameworks (above list): clauses 4-10 of the ISO frameworks (leadership, risk, continuous improvement, competency etc.)
  • Risk assessment and treatment procedures
  • Structuring a policy to meet the framework requirements, gathering feedback from the stakeholders, getting acceptance
  • Documentation control - version control, classification
  • Communication of changes to policy or procedure - how to get buy-in, how to communicate effectively to all levels
  • Formal meeting governance - agendas, minutes, advance meeting materials etc.
  • Following up on actions and getting traction on moving those forwards, things like project plans, corrective actions, continuous improvements. These will generally be developed by more senior members of the team and chased up by the analyst.
  • Building rapport and working with teams from across the whole business, being able to adjust your approach to different people; you will need to communicate differently with DevOps/Infrastructure teams than with Marketing and PR, for example. They have different ways of working and attract different personalities.

They won't necessarily have significant experience but should be able to explain how they would approach a situation or task like the above.

CyberAssurance - you're looking at the Annex A controls in ISO27001, the NCSC/CE and CAF as well as the technical controls in NIST.

  • You do need more technical knowledge/interest, as this is covering things like network security, access control, identity and authentication, cryptography, secure software development, cloud security, vulnerability management...

CyberCritical · 17/09/2023 00:29

Oh and with a background in law, have you considered Data Privacy?

It's a growing area of concern for most businesses, especially those with a global footprint, because up until a couple of years ago GDPR was the big player and most other countries didn't have much of anything when it came to privacy legislation. Since GDPR came into play it's exploding, and now new legislation is cropping up all over the world.

  • EU GDPR
  • UK Data Protection Act
  • China - PIPL
  • Saudi Arabia - PDPL
  • Brazil - LGPD
  • Canada - PIPEDA
  • California - CPPA
  • Virginia - CDPA
  • Colorado - CPA

And the list goes on and on.

There are links to AI because Data Privacy covers things like Automated Decision Making and how data is used without human intervention. Also strong links to Information/Data Security and the technical controls established by the business to prevent data loss, data amendment and cross border transfers into different jurisdictions.
capricesea1 · 27/03/2024 11:41

@workoholic can I ask you please what kind of companies you started at as PA/admin? Was it an investment bank or small investment companies? I would like to get into compliance; I probably should start from the PA route too.

workoholic · 30/03/2024 01:10

capricesea1 · 27/03/2024 11:41

@workoholic can I ask you please what kind of companies you started at as PA/admin? Was it an investment bank or small investment companies? I would like to get into compliance; I probably should start from the PA route too.

I worked in law firms doing admin, then ended up in a compliance admin role in a team, and then just acted interested and became an analyst and went on from there.