Believe me, it is uncomfortable, intrusive, invasive and you'll wonder how it is legal. They have teams of people who will interview friends, family, significant others. They'll ask those people for more people who know you to interview them.
Makes the Sec+ exam look like a walk in the park.
On that note, use multiple test banks to get a more diverse mindset. Dion Training, Mike Chapple and Professor Messer.
https://www.udemy.com/course/securityplus/
https://www.amazon.com/CompTIA-Security-Certification-Kit-SY0-601/dp/1119794005/
Absolutely does make sense.
First... a bit of a disclaimer. As I'm sure you're aware (digging into the GRC side of things as you are), cybersecurity is a whole field of numerous roles without just one path. To this end, hopefully this will be a good way of painting the security landscape and setting up the security program (in whatever capacity management has the appetite for).
You're not going to be able to do it all yourself, but you will be able to identify some easy wins, some efforts that are acceptable to management, etc. However, trying to dip your toes into dozens of roles across the security landscape is a big task. Don't be intimidated, but recognize this, and help your management recognize this.
And if this post is too long... the TL;DR is start with Security+. That will give you the best, high-level, conceptual overview of what security is, and what you should do. However, if you're tasked with building out the company's security program, know there's more to do, but you can't be expected to be an expert of everything.
Hopefully this post will give you a survey of what it all looks like. Then it's up to you and your management to decide what steps to take.
---
The first lesson to know (again, which you might already know) is security for security's sake is pointless; it's about mitigating risk to the degree that leadership agrees with the cost/benefit. However, management will expect you to help them to understand the risk, and the cost/benefit. Security programs are always a failure if not bought into by management, which is a shame since they're ultimately about them, and the risk they wish to take on.
So this is going to be somewhat of an overload... but hopefully some good resources. Most of these only cost your time, but those that do cost should be within your budget.