Hey everyone,

If you are job-seeking in cyber, you are entering a market that genuinely cannot fill its own vacancies. The opportunity is real. The question is whether you are positioned to take it.

That gap gets quoted a lot. What rarely gets mentioned: a significant slice of those unfilled roles don't require deep technical skills. They require clear thinking, an understanding of risk, and the ability to communicate it to a business. Sound familiar? This week, let's talk about GRC.

GRC: The Cybersecurity Career Most People Walk Past

A few weeks ago, an Australian court ordered a company called FIIG Securities to pay $3 million in penalties for cybersecurity failures. It was the first time an Australian court had issued a civil penalty specifically for cybersecurity shortcomings under financial services law.

Three million dollars. Not for a hack. Not for a breach. For failing to have the right controls, policies, and compliance frameworks in place.

Here's the thing: that ruling changed something. Compliance is no longer just a checkbox. It's a legal liability. And the people who understand how to prevent that kind of exposure? They're in serious demand right now.

That's why this week I want to talk about GRC: Governance, Risk and Compliance. It's the most underrated career path in cybersecurity, and in 2026, it might also be the most accessible one for career changers.

What GRC actually is

When most people picture cybersecurity, they imagine someone staring at scrolling code, hunting for vulnerabilities, or responding to an active breach. That image isn't wrong, but it's only a small slice of what the industry actually does.

GRC sits at the intersection of security, business, and law. GRC professionals build the frameworks that keep organisations compliant, assess risk before it becomes a crisis, and translate technical vulnerabilities into language that a board or a regulator can act on.

Let's be honest: most organisations aren't attacked because hackers outsmarted their technical defences. They're compromised because someone ignored a policy, skipped a patch cycle, or never documented their access controls properly. GRC is how you fix that before it costs $3 million in court.

The demand is real and growing fast

Interest in GRC roles has grown by over 1,000% in the last five years. The average GRC Analyst earns around $99,000 to $112,000 USD per year, with Managers pushing $146,000+. In Australia, the federal government's Essential Eight framework has created sustained demand across government, financial services, healthcare, and critical infrastructure. If you have ISM, PSPF, or Essential Eight on your resume, you are in a very small candidate pool right now.

And here's what I see from the recruiter's seat: GRC is one of the few areas in cybersecurity where a background outside of IT can actually be an advantage. I've placed people into GRC Analyst roles who came from banking operations, project management in government, legal and contract administration, and IT helpdesk. The common thread was not a technical background. It was the ability to understand risk, write clear documentation, and communicate across teams. Sound familiar?

How to get started in GRC

  1. Start with the frameworks, not the tools. ISO 27001, NIST CSF, SOC 2, and Australia's Essential Eight are the languages of GRC. You don't need to memorise every control. You need to understand what each framework is trying to achieve and why organisations are required to care about it. The NIST Cybersecurity Framework documentation is free. Spend a few hours with it this week.

  2. Get a foundation cert, then a GRC-specific one. CompTIA Security+ establishes your baseline. From there, ISO 27001 Lead Implementer, CISA, or (ISC)² CGRC are the credentials that signal genuine GRC capability. They show employers you understand risk management, audit processes, and control frameworks, not just technical security.

  3. Translate your existing experience into GRC language. If you've dealt with audits, written process documentation, managed risk registers, or worked in a regulated industry, you already have transferable skills. Swap "managed compliance reporting" for "conducted control assessments against ISO 27001 Annex A requirements" and see how different that reads on a resume.

  4. Target the sectors that can't hire fast enough. In Australia, the busiest sectors for GRC roles are federal and state government, financial services (APRA CPS 234), healthcare, and defence contractors. These organisations have mandatory compliance obligations and nowhere near enough qualified people to meet them.

💡 Recruiter's Take: The FIIG Securities case is a wake-up call for every AFSL holder in Australia. Compliance teams under board-level pressure are hiring right now. Put "AFSL compliance" and "APRA CPS 234" in your vocabulary before your next application.

Your Tax Data, Finally in One Place

Are you tired of hunting down data, fixing errors, and manually updating disconnected spreadsheets?

Tax reporting isn’t as simple as it used to be. You need real-time, flexible reporting so you can confidently make decisions backed by accurate, centralized data.

Learn how bringing all your tax information into one central system automates repetitive tasks, improves scenario planning, and frees your team to focus on strategy instead of data entry.

Whether you operate in one country or dozens, Longview Tax scales with you—reducing risk, speeding up your close process, and helping you optimize tax policies across all jurisdictions.

  • Australia's first cybersecurity court penalty sets a precedent. FIIG Securities was ordered to pay AUD $2.5M plus $500K costs for failures between 2019 and 2023, culminating in a breach affecting 18,000 clients and 385GB of data. For anyone in GRC, this is the case study you reference in every interview from here on.

  • AI-driven attacks up 89% in early 2026. The WEF's Global Cybersecurity Outlook 2026 report found 94% of security leaders cite AI as the biggest driver of change in the threat landscape. Phishing campaigns now deploy deepfakes and AI-generated voice cloning at scale. AI security skills are no longer optional on a modern resume.

  • Tycoon 2FA phishing platform taken down. A coordinated effort between Proofpoint, Microsoft, and Europol seized 330 domains from the Tycoon 2FA platform on March 4. Understanding how these MFA-bypass attacks work is now a core interview topic in defensive security roles.

  • Contract-to-permanent conversions are accelerating in the Australian cyber sector. Hiring data shows a clear uptick in contracts converting to permanent, particularly in Canberra. If you're open to contract work, it's a strong entry route into the sector right now.

🎥 Latest Video

Want to Be a Penetration Tester? Watch This First.

Penetration testing is one of the most talked-about roles in cybersecurity, and also one of the most misunderstood entry points. In this week's video I break down what pen testing actually involves day to day, the certs that carry real weight (OSCP is requested in 35% of job listings right now), and the realistic path to get there without wasting years going in the wrong direction.

New videos every week on cybersecurity careers, certifications, and what recruiters actually want.

⚡ Quick Wins

  1. Add "GRC" and "Essential Eight" to your LinkedIn skills section if you have any compliance, audit, or policy experience. Recruiters search these terms.

  2. Search "GRC Analyst" on Seek or LinkedIn filtered to your state. Open three job ads and note the most common cert requirements. That's your study list.

  3. If your LinkedIn About section doesn't include the word "cybersecurity", add it today. One mention improves how often you appear in recruiter searches.

🎯 Your Challenge This Week

Pull up three GRC Analyst or Compliance Analyst job ads on LinkedIn or Seek. Open the requirements list for each one. Write down every skill, experience, or qualification you already have that maps to those requirements. Most people are surprised by how much crossover they have. That list is your GRC resume starting point, and it should take no more than 45 minutes.

So where does this leave you? GRC is worth a serious look if you've been assuming cybersecurity means becoming a technical expert first. The demand is real, the money is good, and the door is genuinely open right now. Most people just haven't looked for it.

From the Desk: Cybersecurity Job-Ready Blueprint

If this issue has you thinking seriously about a cybersecurity career, I want to point you to something I put together specifically for people at this stage.

The Cybersecurity Job-Ready Blueprint is a step-by-step guide covering the exact path from zero to job-ready, which certs to get first, how to build proof of work, how to structure your resume so it gets past ATS, and how to approach your first few applications like a recruiter would.

It's the resource I wish every candidate I've ever interviewed had read before walking through the door.

Want to get SOC-ready? Check out CCDL1

If you're looking at breaking into a Security Operations Centre role, I want to put something on your radar. CyberDefenders have launched a certification called CCDL1, their Entry-Level SOC Analyst certification, and I've been checking it out from a recruiter's perspective.

It's built specifically for beginners and career changers who want hands-on experience with the kind of work SOC analysts actually do day to day. I've been going through the platform myself and evaluating it the way I would if a candidate put it on a resume in front of me.

I did a full review video with my honest take on who it's best for, how it compares to other entry-level paths, and whether it actually moves the needle when applying for roles. Check it out here.

In the meantime, I've got a 10% discount code for you if you want to get started. Use my link below to grab it, and make sure to use code LUKE at checkout.

👉 https://cyberdefenders.org/?via=e5c717

Thanks for reading. As always, keep levelling up your career.

Best wishes

Luke
Career Coach | Cybersecurity Recruiter

Was this forwarded to you? Subscribe here to get The Career Compass every fortnight.

P.S. Remember to share The Career Compass with your network, and let’s work together to empower more careers!
