Career Path Series – Governance, Risk and Compliance (GRC)

In our second career path series, Mosimi interviewed cybersecurity professionals in Governance, Risk and Compliance (GRC). If you missed it, check out our first series on security assessment.

There are two main categories of career paths in cybersecurity: Strategic and Tactical.

  • The Strategic Path focuses on areas such as Governance, Risk and Compliance (GRC), IT Audit and security frameworks (e.g. ISO 27001/2, PCI DSS); and
  • The Tactical Path focuses on areas such as Vulnerability Assessment, Penetration Testing, Bug Bounty, IoT Assessments and Incident Response.

GRC refers to a strategy for managing an organization’s overall governance, enterprise risk management and compliance with regulations. GRC comprises three disciplines that together help ensure an organization meets its objectives. An organization:

  • Needs processes to direct and monitor the achievement of its goals (governance);
  • Should identify, assess and mitigate the risks that may prevent this (risk management); and
  • Should comply with relevant internal and external policies, regulations and laws (compliance).

The great thing about the strategic path is that you do not need to be “techie techie”. In this role, you help to manage, plan and execute projects related to compliance, information risk management, control assurance and user security awareness. In addition, you help organisations implement and certify controls for standards such as ISO 27001/2 and PCI DSS.

Do enjoy the interviews 😊.

Veronica Ikpa

Veronica Ikpa is building a career in cybersecurity. She currently works in the managed security team of a broadband, ISP and communications company. She has performed information security audits against ISACA standards and global best practices, and risk assessments using COBIT 5. She currently works on implementing ISO 27001 security controls and ensuring security policies and procedures are in line with the ISO 27001 and PCI DSS standards. In her spare time, she creates content and drives conversations about technology through her blog Digiconvos. She loves food, travelling, visiting new places, learning new things and exploring cultures.

What attracted you to this career path?

I started my career in information systems auditing. As an auditor, you are required to assess the security controls in information systems that have been deployed in an organization. You also play the role of an independent advisor to the management of any organization you work in. Although I loved auditing, I was curious about how information security works, and this piqued my interest. I wanted to be able to perform vulnerability and penetration tests, configure and manage firewalls, document policies and create awareness about information security in my organization. I wanted to be a subject matter expert in auditing and security; this desire attracted me to information security.

How has your first few years in IS GRC been for you?

My first few years have been a learning curve. There are so many things to learn and so little time. Although there was some technical content that I had difficulty understanding, I spent time after work studying these topics to build my knowledge and skillset. I signed up for a paid plan on platforms like Cybrary that offer free courses. The paid plan gives me access to more labs and courses.

What would you wish someone had told you before going into this field?

  • You need to understand technical concepts and also how to code or write scripts. There is no running away from it.
  • Understanding the basics of networking makes it easier for you.
  • You might be the only female on your team, so be confident, assertive and bold to communicate what you know. You also need to connect with individuals who are in this field, people who have experience.
  • You never stop learning, as long as attackers and cyber criminals are out there, you have to be ahead of them in the game.

What would be an important piece of advice for someone who is considering going into your career path?

  • Be open to learning, be confident and have a mentor or someone you look up to.
  • Connect with groups of people interested in what you do.
  • Be a good communicator.
  • Have a professional development plan, give yourself goals to achieve, work hard to achieve such goals and give yourself a treat when you do so, because you deserve it.

What advice would you give someone prior to getting a job in this field?

Do research on the role you are going for, and the role you want to be in over the next 3 years, and build your skillset around the skills required to occupy such roles. Be ready to train yourself; you don’t have to wait for your organization or anyone else to train you.

Do you have a mentor?

No, I do not, but I have people I look up to. People who motivate me in this field. People like Rotimi, Sophie, Simi, Kess, Lilian and a couple of others.

Damilola Obasa

Damilola is an Information Security Consultant with some years of experience in certifying organizations against international best practices and standards. He possesses IT project management and business communication skills. He is interested in learning, educating and collaborating with interested, intelligent individuals, and in attending Silent Discos.

What attracted you to this career path?

Firstly, I knew I wasn’t going to pursue a career in the field of my bachelor’s degree (Electrical/Electronics). So I researched the best career paths in IT, and generally jobs that would be relevant over a long period of time; Information Security and a few others emerged. However, I had conversations with a few people, and luckily my first job landed me directly in Information Security.

Was there something you wish you knew when you started?

Not really; it was an entirely new field to me and I was willing to learn all I could as I continued to build my career.

What would be an important piece of advice for someone who is considering going into your career path?

Stay patient and hungry. As long as you have those two attributes, you will get to the level which you want someday. Also, be willing to sell yourself any time you have an opportunity.

Do you have a mentor? How important is it to have a mentor in the infosec field?

Yes, I do have a few people whose experience I emulate and model my career after. Having a mentor will definitely open doors that you can leverage, including their relationships.

‘If I have seen any farther, it is by standing on the shoulders of those who have gone ahead of me’ – Abraham Lincoln.

What is the most underrated skill someone needs to have to excel in this path?

The most underrated, or rather overlooked, skill to me would be ‘Public Speaking’: more around understanding your audience and passing your knowledge on to them in a perfect way.

How do you continuously keep yourself updated?

  • Have conversations with people in the industry to know what’s happening so far.
  • Cybersecurity conferences, groups and forums.
  • Online Courses.

What professional course would you advise?

For a newbie in Information Security, I would advise Security+ or SSCP. But the ultimate goal would be CISSP or OSCP if one is technical.

Do you have any regrets so far?

None so far. Everything has been going according to plan. To God be the glory.

Nkiru Aimienoho

Nkiru Aimienoho (@InfoSecAmazon) is a Senior Manager, Cybersecurity & Business Resilience at PwC Nigeria. She has been involved in the provision of various cybersecurity and business resilience services across sectors of the economy, both internationally and locally. Some of these sectors include banking and IT services, energy, and telecommunications.

Nkiru devotes her craft to promoting Cybersecurity and Business continuity. When she is not leading her team, she spends her time mentoring females in the tech industry. In her spare time she enjoys a good laugh with friends, watching her favorite comedy shows, or reading a good book.

What would be an important piece of advice for someone who is considering going into Information Security GRC?

I would advise anyone with the opportunity to seize it, learn ferociously, and connect with people that drive you to be better. Taking this advice early in my career enabled me to undertake a variety of exciting cybersecurity roles, such as Information Assurance Analyst, Information Security Manager, Business Continuity & Disaster Recovery Specialist, Security Awareness Training Specialist, Security Auditor, and People Hacker/Social Engineer. It facilitated the discovery of my inclination for both Information/Cyber Security and Business Resilience.

What’s the most underrated skill someone needs to have to excel in this path?

That’s a hard one! Being curious and confident, and possessing excellent relationship management and communication skills, are underrated in the tech industry.

What is the one book you’ve read that changed/impacted your life?

‘The Pressure Cooker’ by Nkiru Olumide-Ojo; it helped me build character and mental strength. Among other things, she gave advice relevant for cybersecurity ladies like you and me, such as: be confident, recognize allies and be an ally, seize opportunities, build your life in the way that allows you to have the things that matter to you (e.g. quality time with family, your spouse and kids), dream big, master the art of self-assessment, build competence, and remember that the wise have learned to manage themselves and their bosses. She bolstered the need to create a support system that enables one to maintain the home front and bring their best self to work.

Do you have mentees? How do you pass on this knowledge?

Yes, I have mentees. I run a personal volunteering/mentoring initiative for ladies, and I call it InfoSec Amazons. I am passionate about supporting ladies in Cybersecurity and Resilience. Years ago, my boss brought this innate disposition to my attention. She noticed that although I worked well with the guys, I took a keen interest in grooming younger female consultants. I transfer knowledge through coaching, having short sessions where I motivate them and talk about their career goals and the areas where they need my support. It could be as little as listening to them, putting in a word for them as they grow, sending relevant study materials, checking up on or encouraging them through the learning process, and, most importantly, celebrating their progress and wins.

What is your advice for experienced people like yourself?

I consider myself someone who is still learning. However, here’s my opinion: use your power for others. Help a sister or brother up, as the case may be! Our community would be better if we supported each other.

Just for laughs: some fun/quirky facts about you.

I represented my elementary and secondary/high school in athletics competitions. I was in the relay team, and ran the 100 metres and 200 metres races. However, sweet bread happened! So I lost it. I still believe that soon my glory days on the track will be restored. Additionally, I have other cool skills that I am hell-bent on retaining. I draw and sing very well (I’d like to think so!)…Laughs. I got both skills from my Dad. Plus, in school, I was nicknamed ‘Effizzi’ for my drawing prowess.

About Author:

Mosimilolu Odusanya is a cybersecurity senior consultant with experience in IT Audit and IT Security Consulting. She has assisted SEC-listed organisations with various cybersecurity projects, from Security Assessments and Data Privacy Law Implementation to SCADA Assessments. She has also worked with clients in sectors including Oil & Gas, Financial Institutions and Insurance.

One of her goals is bridging the gender gap in cybersecurity by motivating women to join the industry. She is also available for a chat/discussion if any lady needs it.

She enjoys travelling and blogs about her experiences on