From Sales Floors to Security Frameworks: My Journey into GRC
- Shola Hassan
- Nov 24
Updated: Nov 26

If you had met me a few years ago, you probably wouldn’t have guessed I’d end up in cybersecurity and governance, risk and compliance (GRC). I started my career in sales, not in tech. I was more familiar with targets, territories and trade promotions than with risk registers and ISO standards. But looking back, every step in my journey quietly pushed me toward GRC and cybersecurity—even when I didn’t realize it.
My career began at PZ Cussons Nigeria, working in sales. At that time my world was meeting customers and distributors, negotiating shelf space and prices, and hitting monthly and quarterly sales targets. I spent a lot of time in markets and shops, listening to customers and solving problems on the spot. I was learning how businesses really run on the ground, how to understand impact, how to weigh risks versus rewards, and how to build trust with people. Those skills are at the heart of GRC; I just didn’t have the language for it yet.
After PZ, I moved to Unilever. This was a big step for me. I wasn’t just selling; I was leading a national team and helping drive the launch of an innovative storage-type water purifier. That project changed how I thought about work. It wasn’t only “How do we sell more?” anymore. I had to think about whether the product was safe and trusted, whether we were following health standards and regulations, and whether our distributors understood how to present it properly. I spent a lot of time making sure that what we promised matched what we delivered. Without calling it that, I was already doing governance and risk work—putting structure around how we sold and supported the product, aligning different teams, and watching for things that could go wrong before they did.
My next chapter was at Bosch. Bosch is an engineering company at its core, and that mindset rubbed off on me. I worked across wholesale, retail and project-based sales with power tools, machines and later thermotechnology solutions. This sharpened my systems thinking. I developed a strong respect for standards, safety and documentation. Working with contractors and project teams showed me how one small failure—whether in planning, process or safety—could turn into a serious issue. Once again, I was learning to see risk early and think in terms of controls and long-term impact, even though my job title still said “sales.”
My clearest move into governance came when I joined the British Council as Commercial Manager. Here my responsibilities went far beyond meeting sales numbers. I had to think about risk registers, third-party relationships and contracts. I worked closely with risks to operations, revenue, partners and projects, and helped keep the risk register up to date. I also became more involved in third-party risk management, asking questions like: Who are we working with? What access do they have? What happens if they fail or something goes wrong on their side? That was my first obvious step into GRC. I enjoyed not just growing the business, but protecting it.
Then came a big personal and professional shift: relocating to Canada. Moving countries forced me to pause and ask what I really wanted to do long term. I knew I didn’t want to throw away my years of commercial and leadership experience. At the same time, I felt strongly drawn to cybersecurity, especially the area that sits between technology, controls, policies and people: GRC. The world is becoming more digital, more connected and more regulated. Suddenly, everything I had done around structure, risk, vendors and governance started to make sense in this new context.
To make the change real, I began formal studies in cybersecurity, including a Cybersecurity diploma at AEC in Canada. There I learned the basics of networks, systems and security controls, how attacks happen and how defenses are built, and the language of frameworks, standards and compliance. What surprised me was how natural it felt. When we discussed risk assessments, controls, policies and vendor risk, I could link the theory to situations I’d already lived through at the British Council, Bosch, Unilever and PZ. I realised I wasn’t starting from zero—I was translating my past into a new field.
Today I see my path much more clearly. PZ Cussons taught me people, markets and real-world business pressure. Unilever taught me how to lead, launch and quietly govern complex projects. Bosch taught me discipline, systems thinking and respect for standards. The British Council gave me direct experience with risk registers, third-party risk and governance. Moving to Canada and studying cybersecurity is giving me the technical foundation and vocabulary to connect all of that inside GRC.
I’m not the typical cybersecurity professional who started with coding or networking. My path came through business, sales and leadership. But that’s exactly why I believe I can add value in GRC. I understand how decisions are made in the real world. I know what it feels like to own a target and a budget. And I care about building controls that actually work for the business, not just on paper.
Right now, I’m focused on deepening my knowledge of GRC frameworks and tools, building and sharing practical projects, and positioning myself where I can help organizations reduce cyber and compliance risk while still growing confidently. If you’ve ever wondered whether it’s possible to move from a commercial, non-technical background into cybersecurity and GRC, my answer is yes. It doesn’t happen overnight, but every role and every project can prepare you for it—sometimes without you even knowing.
This blog is where I’ll share that journey: the wins, the lessons and the practical ideas that might help someone else trying to make a similar shift.


