In recent years, expanding regulatory compliance rules and seemingly endless IT security risks stemming from multiple data sources have made an effective GRC program vital to the modern organization's success.
As a result, governance, risk management and compliance (GRC) professionals have seen their roles dramatically increase in importance in the past several years. Salaries are now starting to catch up with this increased onus on GRC, according to the TechTarget IT Salary Survey 2013. From a sample size of 242 respondents who specialize in GRC and IT security, 59% received a raise and 35% received a bonus in 2013. Fifty-seven percent of respondents expect a raise in 2014 as well.
As factors such as mobility and the cloud create new data security risks, GRC professionals should continue to expect their skill sets to be highly sought after, said Derek Gascon, executive director of the Compliance, Governance & Oversight Council.
"Their skills are going to be unique, at least for a while," Gascon said. "All of the data that is being distributed through those mechanisms has to be managed somehow, and the governance people understand what kinds of policies are going to be necessary."
The number of opportunities in the GRC field appears to be growing as well: Although the majority of respondents had been in the IT field for 11 to 20 years (44%) or 21 to 30 years (21%), 56% said they had only been in their current position for one year to five years.
Of those in their position less than one year, 19% said they sought the new job for more money. This trend could very well continue as opportunities for those in the GRC field grow in the coming years, said Ram Karumuri, a senior manager of IT audits for a banking organization.
"The days of ignoring compliance and audits are gone," Karumuri said. "In our organization, we plan to dedicate a few more people to audits because the environment for it is increasing."
"Previously, we had everything in our data center," he said. "Governance of this and risk strategies are different now when we don't have data in our own facility and we don't know who is dealing with it for us."
As organizations' IT security and compliance efforts expand and morph into new areas, those in these fields can expect more interaction with senior management, said Keith West, an information systems security officer at the Centers for Disease Control and Prevention.
The 2013 Salary Survey found that of those in the compliance and IT security field, 20% report to the CIO, CTO or the equivalent, while 40% report to an IT executive or manager. Another 11% of respondents report directly to the CEO.
And with this rise in visibility across the business, 25% of respondents are counting on moving up in their current organization in the next three to five years. GRC positions will also expand beyond traditional roles, as the skill sets for IT security and compliance prove useful in other departments, Gascon said.
"They may find themselves having their skill set utilized elsewhere in the organization for higher-level information management activities, just because of their knowledge base," Gascon said, adding that new and expanding college courses on GRC and related information governance processes show that the number of professionals with top-down IT security and compliance skills is on the rise.
"I think what we will see are more people coming into the workforce with that type of background and education," Gascon said. "They are going to be highly sought after -- I think we will see their opportunities grow."