The cyber GRC hire is harder than the SOC hire
Most firms recruit governance, risk and compliance talent the same way they recruit operations talent. The two markets look nothing alike.
A pattern we keep seeing: a firm that has hired its first ten SOC analysts and security engineers competently - through a mixture of advertising, internal referrals and one or two recruiter relationships - tries to hire its first senior GRC professional using the same playbook. The role sits open for nine months. The shortlist, when one finally arrives, is a mixture of generalist auditors and aspirational SOC managers who have read up on ISO 27001 on the train in.
This is not a process failure. It is a market mismatch.
I - The operational market and the governance market are different markets
Security operations - SOC, threat hunting, incident response, detection engineering - has a relatively well-defined talent pipeline. The skills are technical, demonstrable, and accumulate visibly on a CV. Candidates can be assessed in a structured technical interview. There is enough volume in the market that contingent advertising will produce a reasonable longlist.
Governance, risk and compliance is a different shape entirely. The skills are part technical, part commercial, part political. The work depends on being able to translate between a regulator, an engineering team, a board, and an external auditor - sometimes within the same meeting. The candidates who do this well are, on average, more senior, less visible online, and considerably less inclined to respond to a cold recruiter approach. The pipeline has fewer obvious entry points, which means seniority distribution is bimodal: early-career generalists, then a hard step up to seasoned operators. The middle is thin.
II - Briefing the role for the right shape
The brief we see most often - a senior IC role with technical depth and a vague nod to “audit experience” - is the brief that fails. The honest brief picks one of two shapes:
- The seasoned operator. Someone who has run a GRC function at a comparable firm, knows the regulator, knows the auditors, and can write the policy as comfortably as they can defend it. This is not a five-year-out-of-university hire. The realistic candidate pool in any given city is small - well under fifty people at the band a serious GRC lead expects.
- The technical translator. Someone who has come up through security engineering and has the documentation, structured thinking and stakeholder management skills to step into a GRC role. This is a more common hire, but the role is misnamed if it is briefed as a senior IC. The work is hybrid by nature and the brief should reflect that.
Hiring for the first shape via a contingent recruiter is, in our experience, a failed search. Hiring for the second shape via the same channel can succeed but takes longer than expected and produces high churn.
III - Compensation as a signal, not a number
The other tell is compensation. The strongest GRC operators in regulated environments - banking, healthcare, defence-adjacent - are paid in a band that surprises firms whose previous reference point is their security engineering hires. The firms that try to hire the seasoned operator at the senior-engineer rate are signalling, before the conversation even begins, that they have not understood the role. The candidates who notice that signal - and the strongest ones do - decline to engage. The firms that have done the work to understand the band, even when it sits above their immediate intuition, are the firms that hire the people they want.
GRC is not glamorous. The work is unglamorously consequential - the difference between a board that sleeps and a board that does not. The market for it is small, network-driven and slow. Firms that treat the hire with the seriousness the function deserves close it inside ninety days. Firms that treat it as another technical hire keep the role open into the next financial year.