
Nobody teaches you this in GRC

  • Apr 27
  • 5 min read

INTERVIEW with Imi Farkas on the skills infosec professionals need, but never get trained on.


THE GAP NOBODY TALKS ABOUT

Let's start with the obvious question. You work with GRC and infosec professionals every day. What's the gap you keep seeing?


The same one, always. Someone technically excellent: knows the frameworks, understands the risks, produces solid work - and still can't get anything approved. Their recommendations land and nothing happens. Or they get a "not now" for the third quarter in a row.

That's not a knowledge problem. They know enough. It's a judgment and communication problem. And nobody trains for that. The whole professional development ecosystem in this space is built around knowledge acquisition. Almost nothing is built around the skills you actually need once you're in the room.

What skills do GRC professionals need beyond technical knowledge?

Three things that keep coming up. First: situational judgment — reading what's actually happening in an organizational situation, not just what's technically happening. Who has real authority, who's blocking, what's the real constraint. Second: making a call with incomplete information. Real decisions never have all the data. Third: communicating in a way that moves people, not just informs them.

None of these are on any certification exam. All of them are learnable. And all of them require practice in realistic conditions.


GETTING RECOMMENDATIONS APPROVED

Why do technically correct recommendations keep failing?

Because being right is not sufficient. Organizations don't make decisions based on who's technically correct. They make decisions based on priorities, politics, relationships, and timing.

A technically correct recommendation that arrives at the wrong moment, through the wrong channel, framed the wrong way, to the wrong person fails. Every time. And most infosec professionals spend 90% of their energy on being right and almost none on the other half.

How do you get stakeholders to make a security decision when they keep deferring?

Connecting the issue to something the decision-maker is already accountable for. A CFO cares about financial exposure. A COO cares about operations. A board member cares about liability and reputation. Same security issue, four different conversations.

And attaching a decision to it. Not "we should implement X" but "here's what happens if we don't, by when, and what I'm asking you to approve." That last part, a specific ask with a specific deadline, is what separates an actionable recommendation from a conversation that goes nowhere.

What about when nobody wants to decide? Or the perpetual "not now"?

Make deferral uncomfortable. Not aggressive, just explicit. What does non-decision mean? Who is accountable for the risk that accumulates while the conversation continues? What gets harder or more expensive the longer it waits?

Sometimes it means escalating. Not as a threat, but as a process. "I need a decision by this date. If we can't get there at this level, I'll need to bring it to the next level." That's not confrontational. That's just governance functioning the way it's supposed to.


STAKEHOLDER COMMUNICATION

How do you communicate security risk to executives who don't want to hear about it?

Drop the technical framing entirely. Executives don't process CVEs or CVSS scores. They process business exposure. The formula that works: here's what could happen, here's how likely it is, here's what it would cost, here's what we'd need to prevent it. Four sentences. That's the whole conversation.

Where most infosec communication fails: 80% of the time on the technical "what," almost no time on the business "so what." Executives aren't dismissing security, they're responding to a communication that wasn't designed for them.

What actually builds infosec credibility with stakeholders over time?

Being present before the crisis. The professionals who actually influence decisions show up in conversations before something goes wrong, not just when there's bad news and a budget ask.

Also: being accurate about what you know and honest about what you don't. Stakeholders calibrate trust based on track record. One overconfident recommendation that doesn't pan out costs more credibility than ten accurate ones earn.


DEVELOPING JUDGMENT

You talk a lot about judgment. Can decision making skills be trained in security professionals?

Yes. But not through study. Judgment develops through decisions and feedback. The problem in most professional environments is that the feedback loop is too slow — you make a decision, something happens six months later, and by then you've lost the connection.

The fastest way to develop judgment: put yourself in situations where you have to make decisions, get immediate feedback on the consequences, and repeat. That's why case-based workshop formats work. They compress the cycle. You get months of decision-making experience in a few hours of structured conversation.

What's the difference between knowing a security framework and being able to apply it?

Knowing a framework means you can describe it. Applying it means you can use it to make a real decision, in a real organization, with real constraints, under real pressure, in a room full of people who have other priorities.

The gap between those two things is enormous and consistently underestimated. Most GRC and infosec certifications test the first. Almost none test the second. Real organizations have legacy systems, political constraints, budget limitations, and people who don't behave the way the framework assumes they will. Navigating that is a practice skill, not a study skill.

CAREER AND THE UPHILL BATTLE

Why does infosec feel like an uphill battle in most organizations?

Because it structurally is. Security asks organizations to spend money, change behavior, and accept friction, in exchange for preventing things that may never happen. That's a hard sell anywhere the default incentive is to ship faster, cut costs, and avoid anything that slows things down.

The professional who understands this stops being frustrated by it and starts working with it. The question shifts from "why won't they listen" to "what would make this easy for them to say yes to." That shift from technical advocate to organizational "navigator" is where infosec careers either get stuck or break through.

What separates a good GRC analyst from a trusted security advisor?

Trust. Which is built through track record, consistency, and showing up before the crisis.

A good analyst produces accurate, well-structured work. A trusted advisor produces accurate work and has earned the credibility to have it acted on. Those are different things, and one doesn't automatically lead to the other.

The other difference: advisors know how to be useful to the people they advise, not just accurate. That means understanding what pressures the stakeholder is under, what they need to be able to say to their own leadership, and what kind of support makes their life easier. That orientation toward the stakeholder's problem, not just the security problem, is what gets you from analyst to advisor.

Last question. What do you wish someone had told you earlier in your career as a security professional?

That the technical work is the easy part. Not because it's simple - it's not - but because it's learnable in a straightforward way. Study, practice, pass the exam, done.

The hard part is everything that happens after you know the answer. The room. The politics. The stakeholder who's already decided. The decision that keeps getting deferred. Nobody teaches you that. You figure it out the hard way, usually by failing at it a few times in high-stakes situations.

That's why I built GRC: Live. Not to teach frameworks, because there are plenty of places for that, but to give GRC and infosec professionals a place to practice the hard part before it costs them something real.


PRACTICE THE HARD PART

"GRC: Live" is an online, small-group case discussion workshop for infosec and GRC professionals. 7 sessions. 13 real scenarios.



Share your thoughts on this article on LinkedIn: https://www.linkedin.com/pulse/nobody-teaches-you-grc-farkas-imre-oweof



Imi Farkas is a partner at FORTIX Consulting and the creator of CyberCamp Hungary, a GRC and cybersecurity training brand. He works with infosec professionals across Europe and MEA on NIS2, DORA, ISO 27001, and TISAX compliance, and on the organizational skills that determine whether any of it actually gets implemented.

