Automation has allowed Darktrace APAC analyst technical director Oakley Cox to move away from mundane tasks. He says the work has traditionally been very binary, knowledge-based decision making, and very repetitive. “But now, leveraging AI, it has that wider context and understanding and makes that decision for you. It then allows you as a human analyst to take a step back from the knowledge side and instead focus on hypothesis testing and investigative methods on fewer alerts, focusing only on important alerts.”
How the GRC specialist role is evolving
Like the emergence of any new technology, there are pros and cons. Bandara warns that while AI can be used for good, it can also be used to create new attacks and further risks, which all cybersecurity professionals need to be aware of. “If you have a governance, risk and compliance specialist and they have a particular project that comes onto their in-tray to do a risk assessment, they previously wouldn’t have had to consider AI-based risks. For example, if an employee is using an open AI platform to generate a bid, or somebody is copying and pasting company IP into ChatGPT,” he says.
Off the back of these new considerations, KordaMentha cybersecurity executive director Tony Vizza believes GRC specialists are increasingly playing a greater advisory role to companies. “I think there’s an increasing realization that the world of cybersecurity is very much like medicine because if you are not well, you go to a GP…but the GP won’t be the person that knows everything, they will send you to a specialist or send you in for a scan or a blood test,” he says. “Their job really is the consultant, so to speak, that coordinates the different specialties of medicine, and then comes back to you with the results and says this is what you need to do…yet within the realm of medicine, there’s a whole ecosystem of people who specialize in different areas…we’re seeing in the world of cybersecurity that it’s exactly the same.”
Vizza explains that in the past, people who worked in GRC would typically be called out by the very technical people, who would say “you don’t understand the tech”, while the GRC people would say “you don’t understand, the tech won’t fix everything”. “I think we’re starting to see that actually you need both.”
GRC specialists also need some legal knowledge to successfully advise organizations on, for instance, the design of governance plans and frameworks and on cybersecurity best practices. Recognizing this need, Vizza, a GRC specialist himself, is finishing up a law degree. “Over the last couple of years, from a GRC perspective, we’ve seen a requirement that you need to understand the regulatory space, beyond ‘it’s a Privacy Act issue’. You’ve got to explain, when you’re working with organizations, specifically how it’s going to impact them if they have a data breach,” he says. “You don’t need to be a lawyer, but you do need to have enough understanding and really be across that legal and regulatory landscape.”
Incident responders now need good communication skills
It’s not just GRC specialists who are expected to be handing out advice. Incident responders, typically valued for their technical skills, are finding themselves increasingly interacting directly with customers. According to David Ulcigrai, CyberCX senior managing investigator of digital forensics and incident response, incident responders are being required to brush up on their oral and written communication skills. “What we’re noticing is the customer doesn’t necessarily want to wait for somebody to review an email or review a report before it goes out, and that’s what it used to be: we’d come in, do the investigation, find some results and then we would give them a written report at the end,” he says.