MORE THAN COMPLIANCE: WHAT AUSTRALIA'S GRC TALENT MARKET IS ACTUALLY TELLING US

e2 Cyber • July 9, 2026

Why GRC is Shifting to BAU

For years, governance, risk and compliance sat quietly in the background of cyber security, a necessary discipline that kept frameworks ticking over and auditors satisfied. That picture is being redrawn. In this month's blog, we sat down with e2 Cyber Senior Consultant Ben Rogalsky, known across the team for his direct, honest approach to recruitment, to talk about what Australia's Governance, Risk and Compliance talent market is actually telling us. GRC has moved from a project deliverable to business as usual, and the shift is reshaping who organisations hire, what they expect from them, and how long they are prepared to wait to find the right person.


From Project Work to Permanent Obligation

The biggest change Ben is seeing is not a single framework or regulation, it is a change in posture. As Ben puts it, "the biggest shift is moving from a project, deliverable sort of process to now BAU." GRC used to be treated as a body of work with a start and an end date, often delivered by contractors brought in to build a framework and then move on. Now it is something organisations have to keep up to standard every year, which means the work has shifted inward, with more of it being absorbed by internal teams rather than outsourced.


That does not mean Greenfield work has disappeared entirely. Ben still sees a meaningful share of project-based work, organisations building frameworks and policies from the ground up, particularly where a business is establishing a security function for the first time or responding to a new regulatory obligation. What has changed is the balance. Where Greenfield project work once dominated the GRC hiring conversation, it now sits alongside a much larger volume of maintenance work, the unglamorous task of keeping all required documentation and compliance information aligned and up to date for audits, as standards evolve and threat landscapes shift underneath them. Ben describes the overall market as plateauing rather than growing or shrinking, a sign that GRC has matured into a permanent fixture of how organisations operate rather than a discipline still finding its place.


Part of what makes this shift harder to read clearly is that, as Ben says, "GRC can mean so many different things across different frameworks, different industries." There is no single GRC career path or GRC job description, which is part of why hiring managers and recruiters alike struggle to pin down exactly what they are looking for. A GRC analyst at a mid-sized professional services firm and a GRC consultant working across SOCI-regulated critical infrastructure are, in practice, doing meaningfully different jobs, even if the title on the position description looks similar.


That shift sits alongside two forces pulling in the same direction. The expansion of the SOCI Act and critical infrastructure obligations has lifted the seniority of roles clients are trying to fill, while a steady widening of GRC's scope means the discipline now overlaps with positions that did not used to require it. A SOC lead might now be expected to carry GRC exposure across multiple frameworks while still doing the traditional advisory work. The old big four approach, a standard process copied across every client, no longer holds up, because, as Ben puts it, "everyone's got different requirements, different risk appetites, different areas as well."


Underneath all of it sits one constant. As Ben says, "the underlying factor with every single GRC position is stakeholder engagement," the ability to communicate risk clearly to people who do not necessarily want to hear about it, from senior leadership through to software development teams.


Where the Demand is Concentrated, and Where it Has Dropped Off

SOCI and critical infrastructure remain the standout growth area, driven by ongoing change in that regulatory space. APRA's CPS 230 and CPS 234 continue to anchor a large share of work across major financial institutions, and federal and state government remain consistent sources of demand as Essential Eight requirements move through consultation toward becoming the Essentials.


PCI, by contrast, has noticeably thinned out. Ben describes a real lack of activity in that space at present, a reminder that GRC demand is not evenly spread but tracks closely with where regulatory pressure and organisational maturity currently sit. For insight into current cyber salary benchmarks across the market, our salary and rate guide has just been updated and released for the new financial year.


The SOCI expansion is being compounded by a structural shift in how ASD approaches baseline cyber guidance itself. ASD is consulting with industry on an evolution of the Essential Eight, into a new Essentials series intended to give organisations greater flexibility in how they implement cyber security while still providing a clear path to strong cyber resilience. The first chapter, Essentials for enterprise IT, is open for consultation now. For Ben, that kind of change in the framework landscape is exactly what keeps seniority requirements climbing, organisations want advisors who can interpret a shifting baseline, not just apply a static checklist.


The Bridge That is Hard to Build

As technical and non-technical teams are pushed to integrate more closely, particularly where OT and IT have traditionally operated in isolation, GRC is increasingly being asked to act as the connective tissue between them. Ben describes it as the need for technical and non-technical teams to stop operating as separate functions altogether, "they should be forming into one key pillar." That requires a specific kind of hybrid capability, enough technical grounding to understand the systems in question, and enough relationship skill to translate risk for people who think about the problem completely differently. Finding people who can genuinely hold both sides of that bridge is, in Ben's experience, one of the harder briefs to fill.


The OT and IT split is a useful illustration of why this is structurally difficult, not just a matter of finding someone with the right resume. Operational technology environments, the industrial control systems running critical infrastructure, have their own engineering culture, risk tolerances and operational priorities, often shaped by decades of practice that predates modern cyber security as a discipline. IT teams, by contrast, operate on faster change cycles, different threat models and a different relationship with uptime and patching. A GRC professional sitting between the two needs enough fluency in both worlds to be credible to each, without belonging fully to either. That is a rare combination, and it is precisely the kind of role Ben describes organisations struggling to fill, because the people who have built genuine OT exposure are scarce, and the people with strong IT-side GRC experience often have no operational technology background to draw on at all.


It compounds an existing problem. Cyber security broadly is short on people coming through entry level pathways with solid infrastructure and IT grounding, and that shortage is sharper again in specialised GRC frameworks like SOCI, where the people who already have exposure are the only ones being considered. Ben sums up the resulting dynamic simply, "it's almost like a vicious cycle," one where the same narrow pool keeps getting chased and rates keep climbing as a result.


The Gap Between What Cyber Candidates Say and What Hiring Managers Need

A pattern Ben sees repeatedly is candidates who can speak fluently about frameworks they have worked alongside but have not actually owned. There is no shortage of people with exposure to pieces of a GRC programme. What is harder to find, in Ben's words, are the people who take genuine ownership, "it's really the people above them that are difficult to find," the senior advisors willing to run a project end to end while remaining hands on enough to still do some of the junior work themselves, and patient enough to bring less experienced people up to speed at the same time.


This is, in part, a consequence of how GRC briefs are written. Ben is seeing more roles that try to consolidate several areas of expertise into one position, asking for a SOC lead with exposure across multiple frameworks who is still expected to deliver traditional GRC activities on top of that. The intention is understandable, organisations want maximum coverage for one headcount, but the practical effect is a brief that is difficult to satisfy honestly. Candidates either stretch their own experience to fit the description, or hiring managers end up disappointed when the person who matched the position description on paper cannot deliver across every area listed. It is also why hiring managers often want someone operating at an advisory level who is simultaneously willing to do hands-on junior work, a combination that asks a senior person to step backward in scope as well as forward in seniority, and asks them to do it without the structure or support that usually comes with a more clearly defined role.


Genuine depth, in Ben's view, "is someone that's had exposure across multiple different frameworks," built across multiple environments, often through a period in consulting before a move in-house. People who have had to adapt their approach across different clients and different challenges tend to be the ones who can then apply that adaptability to a single organisation's problems.


The Soft Skill That Keeps Coming Up

Technical knowledge and cyber certifications matter, but the soft skill hiring managers consistently struggle to find is the ability to quantify risk without either understating it or reaching for worst case scenarios, and to do it with enough flexibility to adjust the message depending on the audience. Ben points to a tendency among more rigid GRC professionals to hold firmly to one explanation of why something needs to happen, without leaving room to reconsider when budgets, risk appetite or circumstances shift. He traces the strongest version of this skill back to something simpler, "confidence in the work you're doing and the drive you have at the end of the day."


When asked what a GRC unicorn looks like, Ben's answer was less about a checklist of certifications and more about a conversation. Can someone explain not just what their team delivered, but what they personally did, the obstacles they ran into, and how they worked through them. That kind of ownership, communicated clearly to someone without a deeply technical background, is what tends to stand out.


Cyber Salary Expectations are Settling, But Slowly

Candidate salary expectations remain higher than what many clients are prepared to pay, particularly in professional services, where organisations holding firm on specific years of tenure are finding themselves locked out of the market for longer than they would like. That said, Ben is seeing expectations gradually come down, with decisions increasingly shaped by hybrid working arrangements, the calibre of projects on offer and organisational culture rather than salary alone. This mirrors broader findings from our piece on the state of the cyber security job market, where non-salary factors are increasingly deciding moves across the sector.


Role duration tells its own story. Professional services positions, especially at senior manager level, tend to stay open longest, since five years of relevant experience across the right environments is a genuinely narrow pool. People often start their careers in professional services and leave before reaching that level, sometimes returning later at director or senior leadership level once they have built the breadth those roles demand, which leaves a persistent gap in the middle of the professional services talent pipeline. Critical infrastructure and OT-adjacent SOCI roles move somewhat faster, helped along by a smaller but more concentrated pool of candidates who already understand that environment.


Contract roles into federal government typically fill fastest of all, a dynamic Ben attributes largely to rate. Candidates considering this path can find more detail on what is involved, including AGSVA clearance requirements, on our candidate resources page. Where a contract role offers a stronger salary or day rate than a comparable permanent position, candidates move quickly, which tends to compress time to fill even when the underlying skill requirements are just as demanding as a permanent role would carry. Counterintuitively, some senior positions are now closing faster than junior ones, not because senior talent is more abundant, but because there is simply not enough talent moving through the junior to mid pipeline to meet demand at that level. The result is a market where recruiters are fielding regular, recurring approaches for the same kinds of mid-level roles, roles that should, in theory, be the easiest to fill.


Where GRC Talent Actually Comes From

Professional services remains the single biggest pipeline into GRC, alongside people moving across from IT infrastructure, business analysis and project management, all of whom tend to adapt well to the structure of GRC frameworks. Ben is also seeing a steady trickle of people from legal and risk backgrounds shifting into cyber risk, bringing strong framework and risk thinking with them, though they sometimes need to build technical depth before they can operate at full capacity.


That legal and risk pathway is worth dwelling on, because it cuts in both directions. People with a background in law or enterprise risk tend to arrive with genuinely strong instincts for framework interpretation and stakeholder communication, areas where more technically trained candidates sometimes fall short. What they often lack is the practical, hands-on familiarity with the systems and environments their frameworks are meant to govern, which can leave a gap between understanding what a control requires in theory and being able to assess whether it has actually been implemented well in practice. The candidates who make this transition most successfully tend to be the ones who treat the technical gap as something to actively close, through upskilling or close collaboration with technical colleagues, rather than something to work around indefinitely.


For candidates trying to break out of the squeezed middle, Ben's advice is straightforward. Find a mentor inside your organisation and absorb as much as you can from them. Where that is not realistic, get into the habit of asking why a given framework or regulation requires what it does, rather than accepting the requirement at face value. That deeper understanding is what eventually separates someone with framework familiarity from someone with genuine operational depth. For those weighing up the professional services or contracting route specifically, our recent piece on contractor versus consultant pathways digs further into that decision.


What is Next for GRC

Looking two years out, Ben expects AI governance to become one of the most sought after specialisations in the GRC space, "AI governance is going to be key in the future." Australia remains some way behind other markets in adopting AI governance frameworks, and as cyber and data governance functions work to catch up, GRC professionals who can speak to the risk implications of AI adoption, not just the cloud environments most are already comfortable with, will be well placed. ASD has already published guidance on engaging with artificial intelligence securely and, specifically for critical infrastructure, on integrating AI into operational technology environments, highly relevant reading for anyone building GRC capability in this space.


What This Means For Hiring Managers

For organisations on the other side of the hiring table, Ben's observations point to a few practical shifts worth making. The first is around investment of time, not just budget. Bringing someone into a GRC role and expecting them to absorb company culture, internal processes and institutional knowledge without structured support is, in Ben's view, a near guarantee of early attrition. That investment needs to be genuine and ongoing rather than a brief onboarding period, particularly for candidates moving into a discipline that depends so heavily on relationship building across the organisation.


The second is about pacing expectations realistically against the seniority being hired for. Ben sees hiring managers regularly bring people into mid-level GRC roles only to watch them struggle within six months, often because the role demanded a level of independent ownership the candidate had not yet had the chance to build. Matching seniority to genuine readiness, rather than to what a position description implies someone should be capable of, tends to produce better long-term outcomes than hiring against an idealised brief.

The third is buy-in. Ben's strongest piece of advice, both for candidates evaluating a move and for organisations trying to retain GRC talent, centres on whether an organisation genuinely backs its cyber function or treats it as a compliance obligation to be managed at arm's length, "you need buy-in from the culture for a lot of this cyber work." Candidates can tell the difference quickly, and a lack of buy-in from leadership is, in Ben's experience, one of the more common reasons people leave a role within the first year regardless of how well the role itself was scoped.


His closing observation was less about frameworks and more about retention. Attrition across junior to mid level GRC roles is high, often driven by candidates chasing modest salary increases without weighing up organisational culture and genuine buy-in to the cyber function. As Ben puts it plainly, "culture is massive for these organisations." The ones that invest properly in the people they hire, rather than treating GRC as a box to tick, are the ones most likely to hold on to the talent that is genuinely hard to replace.


Whether you are a GRC professional weighing up your next move or an organisation building out this capability, our team is here to help. Browse current GRC opportunities and resources for candidates, or get in touch to talk through your GRC hiring needs.


Let's Chat
Person completing a certification on a laptop in a warm-lit library
By e2 Cyber May 8, 2026
Discover the best cyber security certification in Australia to advance your career, build in demand skills, and stay competitive in a fast growing cyber job market.
Two men in black polo shirts review plans together at a table in an office-like setting.
By e2 Cyber May 5, 2026
Australia faces a cyber security skills gap with a need for qualified professionals. The problem is more complex than just certifications. e2 Cyber discusses.
Two people talking across a table in a warm, softly lit office setting
By e2 Cyber April 23, 2026
How budgets, candidate competitiveness, cyber security salaries and talent availability is currently affecting cyber security recruitment and hiring in Australia.
Two colleagues in branded shirts look at a laptop screen together in a softly lit, professional office environment.
By e2 Cyber April 14, 2026
Contractor or consultant? In Australian cyber security, the distinction matters more than most realise. Learn which model fits your needs, budget and outcome.