Why Saying ‘GRC Isn’t Technical’ Is Wrong

If you’ve ever been told that working in GRC makes you “non-technical,” this one’s for you. Because every cybersecurity team needs its Draymond Green. A person who sees the floor, calls out plays, and makes everyone else better.

I see this conversation come up more times than I can count:

“You’re not technical if you work in GRC.”

As someone who’s built a career specializing in Governance, Risk, and Compliance (GRC), that line used to hit me hard. It made me feel undervalued and even a little insecure about my own skill set.

In cybersecurity, there’s this unspoken hierarchy in people’s minds. The ones who code, hack, and reverse-engineer get all the shine. The rest of us? We’re the ones supposedly “watching from the sidelines.”

But one day, I started thinking about it differently. I stopped focusing on what people assumed I “can’t do.”

I reframed it.
We all make up a cybersecurity team.
And a team succeeds when its players fill specific, critical roles.

And every team needs its Draymond Green.

The Glue That Holds the Team Together

Draymond Green isn’t known for 40-point games or flashy three-pointers.
He’s not out there trying to be Steph or Klay.

He’s great because he makes everyone else better.

He reads the floor.
He sets screens.
He communicates.
He plays defense.

He’s the glue that keeps the team connected and accountable.

That’s GRC.

We’re not the ones writing code or configuring Active Directory, but when the team needs someone to translate complex security issues into clear business impact — that’s our lane.

It’s an important lane to have covered. I’ve worked with brilliant people who can red team, pen test, and review code — but struggle to communicate why those things matter to executives and decision-makers.

GRC helps that information cross the last mile.

We help the business see risk in context.
We connect technical details to strategic outcomes.
We make sure the organization doesn’t just move fast — it moves smart and safe.

That’s technical. Just in a different way.

Playing Defense Isn’t Always Flashy

Let’s be honest: GRC doesn’t always get the glory.

We’re the ones writing policies, chasing risk exceptions, and asking the tough questions that sometimes make people squirm.

But that’s the work that wins games.

And sometimes, like Draymond, we’ve got to get a little physical.
We push back.
We enforce boundaries.
We take the “technical fouls” so the rest of the team can play their game.

It’s not glamorous — but it’s essential.

That’s what I love about GRC: it’s not about spotlight plays, it’s about sustaining the team.

The Hall of Fame Has Room for Us Too

The more I thought about it, the more I realized:
Being in GRC doesn’t mean you’re “non-technical.”
It means your craft is different.

You’re the strategist.
The communicator.
The connector.

You see the full court.
You help people understand risk, influence decisions, and build trust.

And in a world where security is everyone’s responsibility — that’s a skill set worth celebrating.

So to all my GRC professionals out there:
You’re not on the sidelines.
You’re the Draymonds of cybersecurity: the glue, the grit, and the game-changers.

Different roles. Same mission. One team. 🏀💻

And if anyone still thinks GRC isn’t technical… tell them to check the scoreboard. 🏆
