Sign in Subscribe
GRC Featured

GRC is Technical

Pierre-Paul Ferland

4 min read
GRC is Technical
Don't trust the influencers

I’m about to say something that might ruffle some feathers. But here it is: GRC is technical and it’s high time we stopped pretending it’s not.

This may sound harsh to some. I’ve heard the whispers: “Oh, GRC is for people who aren’t technical. It’s for those who don’t want to mess with the complex stuff like coding or systems engineering.” 🙄

But here’s the reality: If that’s how you see GRC, you’re missing the point. I'd go as far as to say you’re actively hindering your own growth.

I’m not here to sugarcoat things. GRC requires depth and it requires technical fluency. Let's see how.

Yes, your relationships and human skills are fundamental. People skills is what make you successful in the long run. But the technical skills get you there faster and protect you from hitting a glass ceiling.

The Myth of “Non-Technical” GRC 🚫💡

For years, there’s been this persistent myth that GRC is a non-technical career. The idea that it’s the “easier” path, one that lets you bypass the heavy lifting required in deep technical areas like coding, system architecture, or data protection. There are way too many influencers selling their bootcamps carrying this narrative, and it has to stop.

Risk management in the cloud is a perfect case in point. A GRC professional who doesn’t understand the intricacies of cloud-native services like serverless computing, IAM configurations, or shared responsibility models won’t be able to accurately assess risks, let alone mitigate them. You can't just drop a risk on an engineers plate and ask them to do all of the heavy lifting. You must abstract the complexity, use their own language and mental models. That's what I have in mind when thinking about "people skills": being relevant to individuals. And you can't be relevant without a certain amount of knowledge yourself.

If you’re sitting in a meeting discussing risk mitigation and someone casually mentions an AWS service, do you know how to ask about the implications of IAM policy misconfigurations? Or how a specific container security vulnerability might impact your infrastructure?

You can’t just rely on frameworks. You need to understand the systems. Otherwise, you are bringing complexity, not clarity. The GRC discipline is complex, we cannot afford to just relay messages and hope people understand our language. What use do we have if we do this?

Frameworks Aren’t Enough: You Need to Understand the Tech ⚠️📚

Here’s a harsh reality I want you to sit with: Frameworks are only half the story. They provide a structure, but that’s about it. If you’re just parroting control after control from ISO 27001, NIST, or SOC 2 without knowing the technical components driving those controls, you’re not doing GRC justice.

As an interviewer, I'll never care about whether people can name you the ISO 8.34 Control or the NIST RMF steps. I'll care much more about problem-solving, making the secure thing matter over the compliant thing, and marrying the two.

For instance, consider vulnerability management in a DevOps environment. It’s one thing to say you need to track vulnerabilities. It’s another thing entirely to understand the CI/CD pipeline, how static analysis tools integrate, or the shift-left strategy where vulnerabilities are caught during development, before they ever reach production. Frameworks don’t protect against the vulnerability introduced by failing to scan container images for outdated dependencies. Only technical understanding can.

You Can’t Protect What You Don’t Understand 💔🔐

This principle is fundamental. You can’t protect what you don’t understand.

I’ll tell you from experience: this is a constant learning process. You’re always going to feel like you’re out of your depth at some point. Imagine: nobody knew about most generative AI models before ChatGPT went mainstream. MCP servers were invented weeks ago. We are building the plane as we fly it. Can you catch up fast enough?

When I first started in GRC, I thought I could rely solely on framework knowledge. But soon, I was in meetings with engineers discussing API security and zero-trust models, and I realized that if I didn’t understand the tech, I was doing everyone a disservice.

Real GRC isn’t about just following rules or ticking off boxes. It’s about understanding how risk manifests in the context of your organization’s technology stack.

The Parrot vs. Architect Analogy 🦜🏗️

I have to drive this point home because it’s crucial: If you’re just parroting the language of frameworks without understanding the underlying tech, you’re missing the point.

A parrot repeats what it hears, it doesn’t understand the why. But an architect builds with intention and expertise, making strategic decisions based on a deep understanding of the environment. Real GRC professionals are architects. They aren’t simply filling out checkboxes, they’re actively constructing, advising, and ensuring that the security controls are effective in real-world systems.

I’ve been there. I’ve walked into a room where the engineers were discussing concepts I didn’t fully understand. Years in and I still don't fully grasp Kubernetes. (Yes, engineers often make thing much more complicated than they should, but that's another rant). In the end, I chose to lean into those uncomfortable moments. I asked questions, even if I felt I looked stupid. Don't make this a calculated thing, just be curious, be interested. The rest will follow.

Conclusion: Real GRC Means Understanding the Tech Stack 👨‍💻🔍

GRC isn’t just a role for process geeks or people who can recite standards by heart. It’s a technical discipline that requires active engagement with technology.

The good news is this: you don’t need to become a full-fledged engineer, but you do need to become fluent in the language of the systems that keep your organization running.

So, let’s stop pretending. GRC is technical, and it requires us to engage with the deep, messy, complex world of modern technology. If we want to be effective, we need to stop playing it safe and dive deep into the very systems we’re trying to secure. Only then can we truly protect what matters.

Final Thought 💭

If this resonates with you, I want you to know: you are not alone. Every GRC professional has felt that discomfort when faced with technical challenges. But embrace it. That’s where you learn, where you grow, and where you start making a true impact.

GRC is hard work. It requires vulnerability. But the depth of expertise you gain in the process will make all the difference when the stakes are high.

We’re in this together. 🌍💪