GRC · Domain 06/10

Governance, Risk & Compliance

Paperwork, policy, and people. The all-rounder safe path with the clearest CISO ladder.

No code required · 9–14 months · Remote · Media transfer
01 · A realistic Tuesday

What the day actually looks like.

GRC is the 'paperwork, policy, and people' side. You prove the company is following rules (ISO 27001, SOC 2, NIST CSF, PCI DSS, NDPA, GDPR, HIPAA, CBN circulars), measure how risky things are, and write down what the security team commits to. A realistic Tuesday: standup on SOC 2 evidence collection, chase MFA screenshots in Okta, pull access reviews from HR, review a vendor security questionnaire, redraft an incident-response policy, build a heat map for the Risk Committee, and answer a customer-success Slack about GDPR.

02 · Who hires

Where the work lives.

Vanta · Drata · Secureframe · Sprinto · AuditBoard · ServiceNow · Deloitte · KPMG · PwC · EY
03 · Skills

What you actually need.

Technical
  • ISO 27001 / SOC 2 / NIST CSF / PCI DSS
  • NDPR / NDPA / GDPR
  • Risk methodologies (qualitative + quantitative)
  • GRC tooling (Vanta, Drata, AuditBoard, ServiceNow GRC)
  • Excel (pivot tables, lookups, heat maps) · transferable
Soft
  • Policy writing · transferable

    Maps directly to scriptwriting. Same muscle.

  • Audit project coordination · transferable

    Producer-style project coordination is audit project management.

  • Vendor due diligence · transferable

    Documentary fact-checking, retitled.

  • Board narratives · transferable

    TikTok hooks for executives.

04 · Career ladder

The shape of the journey.

  1. Junior GRC Analyst · 0–1 yr
  2. GRC Analyst / IT Auditor / TPRM Analyst · 1–3 yr
  3. Senior GRC Analyst · 3–6 yr
  4. GRC Manager · 5–9 yr
  5. Director of GRC · 8–14 yr
  6. CISO / CRO track · 12–20 yr

9–14 months to break in

Note. Times reflect typical paths for someone with strong communication and 10–15 hrs/week of focused study.

05 · Salary explorer

What it pays.

Ranges are directional. Currency: USD · annual. Last updated: 2025.

06 · Certifications

The cert sequence that won't bankrupt you.

ISC2 CC

ISC2

Free via 1MCC. $50 AMF (annual maintenance fee) after passing. The only free ground-floor cyber cert.

Free starter
Free

CompTIA Security+

CompTIA

Vocabulary baseline. Often listed as a screening filter.

Recommended
$425 · ₦638k

ISO 27001 Lead Implementer

PECB

Differentiator for ISO 27001 shops. Range $1k–$1.8k.

Recommended
$1400 · ₦2100k

CISA

ISACA

Manager-track. $575 ISACA member, $760 non-member.

Eventually needed
$760 · ₦1140k

CRISC

ISACA

Risk-management lane. Take after 2–3 years.

Nice-to-have
$760 · ₦1140k

CISM

ISACA

Required at manager level for most banks.

Eventually needed
$760 · ₦1140k
07 · Remote-friendliness

Working from Lagos, Abuja, or anywhere.

5/5

Remote-native field. Best contractor platforms from Lagos: Deel, Remote.com, Toptal, Wellfound, Himalayas, Andela.

08 · Trade-offs

The good, the gritty, and who this suits.

Pros
  • Most non-coding-friendly path in cyber.
  • Remote-native field.
  • Clear ladder to CISO.
  • Writers and producers genuinely thrive here.
Cons
  • Bureaucratic and meeting-heavy.
  • Local Nigerian salaries lag remote-from-Africa.
  • Source material can be dry.
Personality fit

If you read terms of service for fun and have opinions about file naming conventions, GRC is your home.

09 · Watch this

Three to five hours that beat any cert.

MOST Honest 'Day in the Life' GRC Cyber Analyst

Simply Cyber

Why watch. Honest framing — what this job actually feels like.

The Complete GRC Analyst Day in the Life

Black Hills Infosec

Why watch. Gerald Auger walks through a full GRC day end-to-end.

How to Become a GRC Analyst in 2025! (Beginner Roadmap)

UnixGuy

Why watch. Specifically for beginners with no IT background.

FASTEST Way to Learn GRC and ACTUALLY Get a Job (2026)

UnixGuy

Why watch. Up-to-date 2026 hiring landscape advice.

10 · Next step for this path

Do this by Friday.

This week: enrol in ISC2's free 1MCC track. By Sunday, write a 300-word LinkedIn post on what the NDPA means for Nigerian fintechs — that's a public artifact of your thinking before any cert.