Appalachia Technologies Blog
A Day in the Life of a GRC Practice Lead: Navigating Compliance, Culture, and Cybersecurity Strategy
If you had told me a few years ago that my calendar would be split between virtual CISO responsibilities, mentoring team members, and crafting cybersecurity campaign content with a marketing team, I might have raised an eyebrow. But today, that’s just a regular Tuesday. As the Practice Lead for NIST, SOC 2, and CIS GRC Services at a cybersecurity consulting firm, no two days look exactly alike, and that’s exactly what makes the role both challenging and rewarding. That said, my day has looked like the one below before, and it covers most of my responsibilities.
8:00 – 8:30 AM – Staying Informed: News and Threat Intelligence
My day starts with a quiet half-hour to catch up on industry news, new vulnerabilities, and evolving threat intelligence. I’m scanning for anything that could impact my clients — a new zero-day, an updated regulatory requirement, or even a data breach that signals a shift in attacker tactics. Staying informed ensures that I can proactively communicate relevant risks and mitigation strategies before they become issues.
8:30 – 10:00 AM – Morning Sync and Client Check-ins
My day usually kicks off with a quick review of emails and dashboards over coffee. I serve as a virtual Chief Information Security Officer (vCISO) for a handful of clients, so staying ahead of their evolving needs is critical. Some mornings start with a strategy session where I guide a client through implementing a NIST CSF roadmap. Other days, I may be preparing for a board-level presentation on their latest SOC 2 readiness status. My goal? Keep security aligned with business objectives and always moving forward.
10:00 AM – Framework Assessments and Deep Dives
Late mornings are often reserved for framework assessments. Whether I’m evaluating a manufacturer’s readiness against the CMMC Level 2 standard or mapping a services organization to SOC 2, this is where the technical meets the strategic. Every organization has a unique risk posture and operational maturity, and tailoring our assessment methodology to meet that reality is key.
These assessments aren’t just box-checking exercises. They’re about uncovering risk, aligning controls with regulatory expectations, and translating complex requirements into actionable security improvements. When I deliver findings, it’s not just about compliance, it’s about strengthening trust and resilience.
12:00 PM – Lunch & Learn, Literally
Every other week, I step into a different role: internal educator and organizer. I run our company’s Lunch and Learn program, which brings teams together to explore everything from threat intelligence trends to consulting best practices. It’s a chance to pause, learn, and grow as a team.
Being a Practice Lead isn’t just about technical mastery. It’s also about building culture. These sessions are one of the ways I help foster continuous learning across our organization and keep security top of mind across departments.
1:30 PM – Internal Growth and Practice Development
A big part of my role is shaping and scaling the very services I lead. That means standardizing delivery methodologies for our NIST and SOC 2 engagements, refining our assessment tools, or developing reusable templates that increase efficiency and consistency across client projects.
Whether I’m tweaking how we deliver CIS Controls assessments or building new internal training for junior consultants, I’m focused on quality, scalability, and helping our team deliver with confidence.
3:00 PM – Marketing Collaboration
Yes, I’m a security practitioner. But I also speak “marketing.” A few times a week, I collaborate with our marketing team to build out educational content (blogs, campaign ideas, webinars) that help demystify frameworks like NIST CSF or CMMC for our clients and prospects.
Our goal is to provide value, not fear. Marketing cybersecurity services should empower organizations, not overwhelm them. I take pride in helping tell the story of why governance, risk, and compliance matter in a world of accelerating threats.
4:00 PM – Mentoring and Being Mentored
Toward the end of the day, I often make time for one-on-one mentoring sessions. As a mentor, I help emerging consultants navigate client work, develop domain knowledge, and think more strategically about their careers. But I’m also a mentee myself. No matter how senior you get, there’s always more to learn, whether it’s leadership skills, communication strategies, or a new take on risk scoring.
Before I ‘Clock Out’ – Wrapping Up, Looking Ahead
By early evening, I review my notes, check in on any outstanding deliverables, and prepare for tomorrow’s priorities. Some days I’m neck-deep in policy documentation. Others, I’m advising a CEO on how to structure their cybersecurity governance model. Every day, I’m helping clients and colleagues alike mature in their security posture and clarity.
Final Thoughts
Being a Practice Lead isn’t about being the smartest person in the room, it’s about enabling others to thrive. It’s about translating security jargon into business value, building bridges between departments, and keeping pace with both regulatory change and technological innovation.
Every day in this role is a mix of strategic thinking, hands-on assessments, creative communication, and people leadership. And honestly? I wouldn’t have it any other way.
Jimmy Armour is a cybersecurity and compliance professional specializing in NIST, SOC 2, and CIS GRC frameworks. As a Practice Lead, he guides cross-functional teams to streamline audit processes, strengthen security posture, and meet rigorous regulatory requirements—always staying on the cutting edge of emerging cybersecurity trends.
Outside of his professional pursuits, Jimmy is deeply involved in Harrisburg Young Professionals Sports—playing kickball, dodgeball, and bowling—while also participating in the 247Kickball leagues. Some years even take him to national kickball tournaments. All of these are experiences that, he finds, mirror the same camaraderie and teamwork that drive his success in the workplace.