
GRC professionals' salaries increase as demand for their skills rises

As businesses expand their IT security and compliance focus, GRC professionals are seeing salary increases with their broadened responsibilities.

In recent years, expanding regulatory compliance rules and seemingly endless IT security risks stemming from multiple data sources have made an effective GRC program vital to the modern organization's success.

As a result, governance, risk management and compliance (GRC) professionals have seen their roles dramatically increase in importance in the past several years. Salaries are now starting to catch up with this increased onus on GRC, according to the TechTarget IT Salary Survey 2013. From a sample size of 242 respondents who specialize in GRC and IT security, 59% received a raise and 35% received a bonus in 2013. Fifty-seven percent of respondents expect a raise in 2014 as well.

As factors such as mobility and the cloud create new data security risks, GRC professionals should continue to expect their skill sets to be highly sought after, said Derek Gascon, executive director of the Compliance, Governance & Oversight Council.

"Their skills are going to be unique, at least for a while," Gascon said. "All of the data that is being distributed through those mechanisms has to be managed somehow, and the governance people understand what kinds of policies are going to be necessary."

The number of opportunities in the GRC field appears to be growing as well: Although the majority of respondents had been in the IT field for 11 to 20 years (44%) or 21 to 30 years (21%), 56% said they had only been in their current position for one year to five years.

For those in their position less than one year, 19% said they sought the new job for more money. This trend could very well continue as opportunities for those in the GRC field grow in the coming years, said Ram Karumuri, a senior manager of IT audits for a banking organization.

"The days of ignoring compliance and audits are gone," Karumuri said. "In our organization, we plan to dedicate a few more people to audits because the environment for it is increasing."

New and emerging risk factors, including those stemming from mobile technology and cloud use, will only intensify the spotlight on data-related GRC processes, Karumuri added.


"Previously, we had everything in our data center," he said. "Governance of this and risk strategies are different now when we don't have data in our own facility and we don't know who is dealing with it for us."

As organizations' IT security and compliance efforts expand and morph into new areas, those in these fields can expect more interaction with senior management, said Keith West, an information systems security officer at the Centers for Disease Control and Prevention.

The 2013 Salary Survey found that of those in the compliance and IT security field, 20% report to the CIO, CTO or the equivalent, while 40% report to an IT executive or manager. Another 11% of respondents report directly to the CEO.

And with this rise in visibility across the business, 25% of respondents are counting on moving up in their current organization in the next three to five years. GRC positions will also expand beyond traditional roles, as the skill sets for IT security and compliance prove useful in other departments, Gascon said.


"They may find themselves having their skill set utilized elsewhere in the organization for higher-level information management activities, just because of their knowledge base," Gascon said, adding that new and expanding college courses on GRC and related information governance processes show that the number of professionals with top-down IT security and compliance skills is on the rise.

"I think what we will see are more people coming into the workforce with that type of background and education," Gascon said. "They are going to be highly sought after -- I think we will see their opportunities grow."

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.


Join the conversation



Has your organization's IT security and compliance team seen increased responsibilities in recent years? How has this change influenced salaries?

If security is not properly factored into the design of how an application works, the resulting vulnerabilities are typically very difficult to fix. Examples of poor architecture include weak forms of encryption or improper key storage. Conducting regular audits will ensure that security policies are on track and will help to identify irregularities. It directly influences their employment security, challenging work, benefits, cash compensation.


Challenging. Work. Benefits.

As with many jobs, we continually expect more and more from IT as technology continues to advance. Their skill set has definitely expanded over the years as our demands have increased. And as with many other jobs, their salaries have remained stagnant.

Unfortunately, most of the jobs here are much the same. Know more, do more, handle more complex tasks. Do it better, do it faster, stay late, come in on Saturday. But none of those great expectations come with an increased salary. It's a shame.

The enterprise has grown more complex and dependent on IT for security and compliance. But salaries haven't grown to match the ever-expanding job definition.
Data threats and compliance needs will no doubt continue to be increasingly complex, so dependence on IT for GRC processes will grow as well. It will be interesting to see if companies start to realize this dependence and make IT personnel salaries on par with their diverse responsibilities.
Yes, the annual cap on fines for security data breaches, also cyber threats as well.
Yes, I think that anyone working in security has quite a bit of weight on their shoulders. The role has increased responsibility and scrutiny. Of course, security professionals are also in high demand and therefore highly compensated. 
Reduce cost and optimize how the capital allocation to GRC is done so that it is better aligned to the business. The central management tracks required tasks and costs associated with compliance. Integrations with continuous control monitoring applications provide visualization of automated detected and preventive controls.
I wasn't quite sure how to react to this article. The headline reads like basic economics: demand goes up, resources scarce, cost of limited supply thus goes up.

That's why I don't work in the "Audit" department; they are the ones responsible for the risk management process. Sorry.