We know that certifications can be helpful for your security staff as a way to better recognize and mitigate threats, as well as to ensure your organization remains in compliance with industry regulations. But they usually aren’t a requirement, something that your staff absolutely has to have in order to get the job done.
Is that the case if you decide to implement a governance, risk management and compliance (GRC) strategy into your organization? And if you need certification, what type?
Any certification should depend on what the goal of your GRC strategy is, Ignacio Martinez, VP of Risk and Compliance with Smartsheet, told me in an email comment:
One will see a variety of certifications in the GRC world: certifications for the organization and/or its processes, and also certifications of personnel in the GRC program. Ultimately, stick to the GRC goals originally defined and then pursue certifications in specific areas or personnel that support the needs of the GRC program.
The idea behind implementing a GRC program is to create a system of checks and balances that reduces risk. But those who are in charge of GRC also have to keep business operations in mind. There has to be a marriage of sorts between operations and security – ensuring that the organization is meeting the expectations of leadership and stakeholders while protecting data, privacy and customer trust.
Having some certifications will assist the person or team designated to put the GRC framework together, especially since those responsible for GRC may come from departments where security or compliance or even governance is part of the job description. According to CIO, here are the top certifications for GRC:
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGEIT)
- Project Management Institute - Risk Management Professional (PMI-RMP)
- ITIL Expert
- Certification in Risk Management Assurance (CRMA)
- GRC Professional (GRCP)
Patrick Taylor, CEO with Oversight Systems, added that certifications can be very helpful, particularly in regulated industries, because they ensure that the people leading those areas have the knowledge and skills to implement and enforce international risk management and compliance standards and requirements. Taylor did add an important caveat in our email conversation, however:
GRC isn’t static; it’s constantly changing, like all aspects of the business. So, the upfront training and continuing education required as part of these certification programs can ensure that these leaders stay up to date with the latest GRC best practices and regulatory requirements.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba