I can't really seem to find anything about Governance or even GRC on these forums or basically anywhere else. What I'm wondering is, how does one get into governance? I assume this forum is one of the better places to gain insight from people in IT Governance.
The way I understand it:
- Corporate Governance is basically aligning Risk Management with Corporate Strategy.
- IT Governance is part of Corporate Governance in aligning IT Risk with IT Strategy and IT Strategy with Corporate Strategy.
That's how I put it, at least, but please correct me if I'm wrong.
If this is true, it seems the only way to get into governance and/or strategy would be through a specific area expertise/strategy or an expertise in Risk. How would someone set themselves up on that type of a career path?
I know the ISACA CGEIT requires 5 years of work in governance areas. How would you set yourself up for those jobs in the first place?
I ask because that's where I want to head. Right now I have about 4 years of Internal Audit and 2 years of IT Compliance work under my belt and a pending CISA cert. It seems everyone wants me to have the CISSP when I talk about jobs with them. This seems like it would be on the path toward technical (infosec) expertise rather than strategic expertise. Would a CRISC have a better opportunity at that type of path?