Guide to Careers in Cyber Governance and Compliance
Cyber governance is an executive function that encompasses cyber policy planning, coordination, and oversight for businesses, organizations, agencies, and other entities with significant cyber infrastructures and risk exposure. Assessing and ensuring compliance with federal, state, and international laws and regulations regarding information privacy and cybersecurity, overseeing formal cyber vulnerability and risk audits, and promoting enterprise-wide awareness of issues related to cybersecurity are some of the core responsibilities in the field of cyber governance.
Professionals who work in cyber governance use their knowledge of cybersecurity best practices, information security models, and the external threat and regulatory environment to develop internal policies and plans that mitigate risk, reduce vulnerabilities, and provide direction and coherence to organizational cybersecurity programs and align those programs with other organizational goals. In addition, they stay apprised of the latest developments in local, state, federal, and global cybersecurity policies in order to ensure that their organization remains compliant with evolving cybersecurity regulations, standards, and concerns.
Employment Opportunities in Cyber Governance and Compliance
Cyber governance and compliance responsibilities are typically assigned to senior-level professionals in government agencies, larger businesses and organizations, and other enterprises that have substantial information technology (IT) and networked computer and communication systems requiring top-down security planning and internal regulatory oversight. This includes, but is not limited to, federal and state government entities, military and defense contractors, research universities, multinational corporations, and various types of businesses in the retail, manufacturing, healthcare, finance, and technology sectors. However, as concerns over cybersecurity have grown and the risks associated with cyber incursion and attack have mounted, many smaller businesses and organizations have found it necessary to implement cyber governance and risk management programs and thus seek the services of professionals who are knowledgeable in this field.
While some companies, agencies, and organizations hire and/or promote one or more individuals to oversee cyber governance and compliance matters, others outsource this function to cybersecurity firms and consultants who specialize in creating and implementing information security policies and protocols. Thus, cyber governance and compliance specialists can find employment within many types of businesses and organizations, as well as in consultancy roles.
Professionals who work in this field include but are not limited to those with the following designations:
- Cyber Governance Analyst
- Cyber Program Maturity Analyst
- Cybersecurity Compliance Coordinator
- Cyber Legal Advisor
- Cybersecurity Risk Auditor
- Privacy Compliance Manager
Knowledge, Skills, and Abilities (KSAs) for Cyber Governance and Compliance Professionals
The field of cyber governance and compliance requires a thorough knowledge of the constituent parts of IT systems and networks, including software, hardware, servers, and databases, as well as an in-depth understanding of common cyber threats and best practices for monitoring access, identifying anomalies, and securing systems against attack. Professionals in this field must also be familiar with various standards and frameworks for evaluating cyber risks, assessing cyber readiness, and implementing sound cybersecurity practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the International Organization for Standardization (ISO) cybersecurity program validation processes, and the Secure Controls Framework (SCF), as well as with specific industry data security and privacy standards and regulations (e.g., the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes–Oxley Act).
Cyber governance professionals draw on this broad body of knowledge, as well as on the expertise of other cybersecurity specialists, to create strategic plans, policies, and guidelines that ensure regulatory compliance, reduce risk exposure, and mitigate the damage done by cyber incursions and attacks.
It is important to note that the governance function often requires teams of individuals who possess expertise in distinct areas related to compliance and risk management, including technical experts, legal counselors, and personnel managers. Indeed, in its Workforce Framework for Cybersecurity, the National Initiative for Cybersecurity Education (NICE), a public/private sector partnership created under the auspices of NIST, lists dozens of overlapping Knowledge, Skills, and Abilities (KSAs) for those who work in the related fields of cyber policy and strategic planning, executive cyber leadership, privacy compliance, and cyber legal advising.
The sections below provide an overview of many of the key KSAs and proficiencies for cyber governance and compliance professionals, drawing on both the NICE Workforce Framework and actual job descriptions.
General Technical Knowledge
- Capabilities, applications, and potential vulnerabilities of network components including hubs, routers, switches, bridges, servers, transmission media, and related hardware
- Cloud computing and cloud security concepts
- Common cyber threats and vulnerabilities
- Common IT platforms, computer operating systems, databases, system software, and communications and network protocols
- Computer networking concepts and network security protocols
- Digital forensics tools and techniques
- Emerging technologies in cybersecurity
- IT systems auditing tools and techniques
- System security controls, network access management principles, logging and monitoring protocols, data encryption, backup and recovery tools, and other security measures
Cyber Governance and Compliance Knowledge and Skills
- Ability to plan for and/or conduct cybersecurity training exercises
- Ability to manage resource prioritization and coordinate the efficient and timely allocation of cybersecurity staff and technological assets
- Cyber/information security frameworks (e.g., NIST, ISO, SCF)
- Disaster recovery and business continuity planning
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
- Privacy technologies and information privacy laws and regulations
- Payment Card Industry (PCI) and Protected Health Information (PHI) data security standards
- Risk management processes
Additional Abilities
- Ability to articulate policy and planning goals to technical and non-technical staff at all levels of an organization
- Ability to create instructional materials, manuals, and policy briefs
- Ability to communicate the importance of IT security among organization stakeholders
Training and Credentials in Cyber Governance and Compliance
Cultivating the technical skills, strategic management proficiencies, and substantial knowledge base that is generally required in the field of cyber governance and compliance is typically a process that involves academic training coupled with several years of experience working in cybersecurity and learning about its various facets. However, organizational cyber governance is commonly a team effort that involves the participation of support staff, technical experts, and managers who may be tasked with collecting and analyzing data, researching trends, writing briefs, and/or performing vulnerability scans, penetration tests, and system-wide audits.
These types of cyber governance and compliance support roles can be a pathway to advancing into more senior positions in the field. However, most entry-level positions in cyber governance and adjacent specializations require foundational training and an academic background in computer science, IT management, and/or cybersecurity. There are a number of different ways to access this training, including bachelor’s and master’s degrees, graduate certificates, and professional credentialing programs in cybersecurity.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cyber Governance and Compliance
Many accredited colleges and universities offer a cybersecurity major for undergraduates, combining training in mathematics, computer programming, and information systems with coursework in the principles and practices of cybersecurity. These programs are generally designed to prepare graduates for careers throughout the field of cybersecurity, including in areas related to cyber governance and regulatory compliance.
Advanced training in cyber governance KSAs is also available at the graduate level, specifically in master’s programs in cybersecurity and in information security governance, leadership, and management. Master’s programs are generally designed to provide more specialized training than bachelor’s programs; thus, while a master’s program curriculum will typically offer foundational coursework in the theories, methods, and practices of information security, most programs have electives and/or designated specializations in one or more areas, such as computer and digital forensics, penetration testing/ethical hacking, and cyber policy and governance.
There are also cyber governance master’s programs and graduate certificate programs, which provide targeted training and instruction in IT and organizational management for cybersecurity professionals, enterprise resource planning (ERP) systems, and IT privacy and security laws and regulations. These types of programs are designed to prepare graduates for careers in cyber governance, compliance and risk management, and other leadership roles in the field.
Professional Credentials and Certifications in Cyber Governance and Compliance
Another way to cultivate cyber governance knowledge and skills is through for-profit and non-profit industry groups and organizations that specialize in cybersecurity training and credentialing. There are a number of private institutes and professional organizations that offer courses, intensive bootcamps, and certification training programs in a broad range of cybersecurity specializations, including cybersecurity strategic planning, policy, and leadership.
For example, the SANS Institute, a private, for-profit training and credentialing company, administers the Global Information Assurance Certification (GIAC) program, which has several relevant certifications: GIAC Security Leadership (GSLC); GIAC Strategic Planning, Policy, and Leadership (GSTRT); GIAC Systems and Network Auditor (GSNA); and GIAC Critical Controls Certification (GCCC). The International Information System Security Certification Consortium (ISC²), a non-profit industry group, is another resource for training and certification in areas relevant to cyber governance. Among the credentials offered by ISC² are Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP).
These credentials and others that can be helpful in the field of cyber governance and compliance are listed below.
- Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), and Certified in the Governance of Enterprise IT (CGEIT), offered by ISACA (formerly the Information Systems Audit and Control Association)
- Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP), offered by the International Information System Security Certification Consortium (ISC²)
- CompTIA Security+, offered by CompTIA
- GIAC Security Leadership (GSLC), GIAC Strategic Planning, Policy, and Leadership (GSTRT), GIAC Systems and Network Auditor (GSNA), and GIAC Critical Controls Certification (GCCC), offered by the SANS Institute
Examples of Jobs in Cyber Governance and Compliance
The examples below offer a representative overview of how employers characterize the roles, responsibilities, skills, and training in the field of cyber governance and compliance. These examples are composites drawn from actual job listings and are meant to further illustrate some of the employment opportunities in this field and provide details on what is required for these types of jobs.
Cybersecurity Maturity Analyst
- Primary Responsibilities: Support evaluation of cybersecurity capabilities to determine maturity/preparedness score using the NIST Cybersecurity Framework; work in a team to compile operational information, perform subject matter expert interviews, and produce analysis of cybersecurity strategy; and work to improve policies regarding cybersecurity program management, cyber risk management, and cloud security.
- Education: Bachelor’s degree preferred.
- Experience: Two or more years supporting, partnering, and interacting with key stakeholders/internal business partners, working with cyber maturity/governance models, and supporting governance planning and policy.
- Credentials: None specified.
- Technical Proficiencies: Knowledge of cybersecurity systems, tools, and technologies; ability to obtain, capture, and analyze cybersecurity data from multiple sources to produce new insights; in-depth understanding of credit card industry best practices/standards regarding privacy, data security, and cyber defense capabilities, controls, and frameworks; and familiarity with cloud computing environments and cloud security.
- Other Attributes: Ability to brief cyber and IT program leads on technical matters; and provide non-technical stakeholders with reports on cyber governance and maturity policy.
Cyber Governance Analyst
- Primary Responsibilities: Assist team in identifying, developing, implementing, and maintaining information and IT systems security policies and standards; write and publish information security policies, standards, and guidelines; work to align information security processes with the ISO, SCF, and NIST frameworks; drive cybersecurity awareness within the organization; and provide guidance on security controls, password and access management, segregation of duties, logging and monitoring, data encryption, data backup and recovery, disaster recovery, and business continuity management.
- Education: Bachelor’s degree required.
- Experience: Three or more years in information security governance, to include technical risk management, information systems auditing, and cyber policy analysis and implementation.
- Credentials: Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), and/or Certified in the Governance of Enterprise IT (CGEIT) preferred.
- Technical Proficiencies: In-depth knowledge of common operating systems and platforms, enterprise software, communication and network protocols, data encryption tools, database systems, data backup and recovery protocols, tools for monitoring network access and activity, and cloud security concepts; and experience with enterprise governance risk and compliance (GRC) platforms, such as AuditBoard, LogicGate Risk Cloud, StandardFusion, and SAS GRC.
- Other Attributes: Ability to serve as liaison between business and IT groups; technical and interpersonal communication skills; strong technical writing skills; industry research skills; and familiarity with data security regulatory environment.
Senior Cyber Risk and Governance Specialist
- Primary Responsibilities: Review, update, and implement technology policies that align with accepted risk and control best practices and frameworks, such as NIST, ISO, and SCF; facilitate the identification and scoring of cybersecurity risks; drive risk management, compliance, privacy, and security process improvements; design internal compliance training and awareness programs; and collaborate with IT staff to maintain internal control documentation.
- Education: Bachelor’s degree in cybersecurity, computer science, or IT management required; master’s degree in relevant field preferred.
- Experience: Seven or more years in IT auditing, cyber risk management, data privacy compliance, and/or data security for candidates with bachelor’s degree; four or more years for candidates with a master’s degree.
- Credentials: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and/or Certified in Risk and Information Systems Control (CRISC) preferred.
- Technical Proficiencies: Functional knowledge of multiple security domains and information security industry standards and best practices, IT systems components, and cybersecurity principles and practices.
- Other Attributes: Strong written and verbal communication skills; strong organizational and project management skills; and high-level analytical abilities.
Cyber Privacy Legal Counsel
- Primary Responsibilities: Provide subject matter expertise on privacy and data security issues; identify and communicate legal exposure and risk in areas related to cybersecurity and privacy; lead and collaborate with IT, human resources, and legal staff on matters related to data security and data loss prevention; participate in strategic initiatives regarding data usage and data security; and conduct research and provide briefings on emerging data privacy and cybersecurity regulations at the federal and state levels.
- Education: Law degree from a school accredited by the American Bar Association.
- Experience: Three or more years of counseling financial services companies regarding cybersecurity and privacy required.
- Credentials: None specified.
- Technical Proficiencies: In-depth knowledge of the Gramm-Leach-Bliley (GLB) Act, the Health Insurance Portability and Accountability Act (HIPAA), and other federal and state laws that regulate privacy, data usage, and information security; and working knowledge of data storage, analysis, and security systems.
- Other Attributes: Strong written and verbal communication skills; and ability to interface with technical staff.