GRC Certification Roadmap

Recommended Training and Certs v1.0

Author

Steve McMichael
May 17, 2024

Version 1.2 Updates Sept 24, 2024:

  1. Updated Appendix 2: Prep + Exam Costs

Version 1.1 Updates on August 11, 2024:

  1. Moved GRC Masterclass to Beginner from Intermediate I

  2. Moved A/CRMF to Intermediate I from Beginner

  3. Added A/CAISF and A/CAISP

Table of Contents

Do We Really Need More Cybersecurity Certs?

The cybersecurity certification landscape has exploded in recent years, with new training offerings popping up seemingly every month. Hiring managers often prefer certified candidates because employee loyalty isn’t what it used to be, but do we really need more certs after this alphabet soup?!

Security Certification Roadmap - Paul Jerimy Media

IT Security Certification Roadmap charting security implementation, architecture, management, analysis, offensive, and defensive operation certifications.

pauljerimy.com/security-certification-roadmap

Some experts say yes, citing issues with existing certifications being created in a vacuum without hiring manager input, focusing too much on knowledge and not enough on practical skills, and rising costs. But what really determines the value of a certification?

It comes down to employer recognition and demand. If a cert isn't on the job description, hiring managers might not know what it is, or worse, your resume might not even make it past the applicant tracking system (ATS). It's frustrating for applicants, but understandable given the high volume of applications employers receive.

That said, less well known certifications and courses can still be valuable. They unlock resume bullets that get recognized and teach you new skills to apply in your current role, opening up new opportunities to add value. That’s been my experience in bringing the NIST Cybersecurity Framework (CSF) back to my day job, or starting to make videos for Security Awareness training after taking the GRC Masterclass, as one example.

So what certs are in demand? According to job postings on Cyberseek, Security+ dominates a top 6 list as follows:

The certification landscape has evolved significantly since 4th placed Certified Information Systems Auditor (CISA) launched in 1978, with significant price increases as the industry has grown. Some consider higher prices a "cash grab” by now bureaucratic large organizations.

Year

Company

Cert or Course

1978

ISACA

CISA

1994

ISC2

CISSP

2002

Comptia

Security+

2005

BSI

Lead Auditor ISO27001

2012

SANS

GCCC

2015

ISC2

CCSP

2022

Simply Cyber

GRC Analyst Masterclass

2023

Google

Cybersecurity Professional Certificate

2023

Simply Cyber

Cyber 101

2024

AKYLADE

Certified Cyber Resilience Fundamentals (CCRF)

2024

AKYLADE

Certified Cyber Resilience Practitioner (A/CCRP)

2024

AKYLADE

Certified Risk Management Fundamentals (CRMF)

2024

AKYLADE

Certified Risk Management Practitioner (CRMP)

2024

AKYLADE

Certified AI Security Fundamentals (CAISF)

2024

AKYLADE

Certified AI Security Practitioner (CAISP)

Enter innovative startups like Simply Cyber and AKYLADE, aiming to provide leaner, practitioner-focused offerings at lower costs. They're able to get closer to what hiring managers actually need today, which is why they’re central in my GRC Cert Roadmap below and my affiliation with them.

And they may not be as recognizable as the ones in the ATS, but the resume bullet points they unlock are.

Simply Cyber Academy

Cyber 101 propels you through the essentials, while GRC Analyst Master Class equips you to navigate the complexities of risk management. Join students across the world!

www.cpatocybersecurity.com/c/sc

AKYLADE NIST Cybersecurity Framework 2.0 Certifications

AKYLADE’s certifications are designed to be affordable, relevant, and focused on a candidate’s ability to be successful in applying the NIST Cybersecurity Framework 2.0 to their organizations.

www.cpatocybersecurity.com/c/akylade

Bottom-Line

Of course, certifications alone don't qualify you to do the job - that's the "paper tiger" problem. Certs have gotten a bad rap because of this, but writing them off entirely means missing opportunities. They're a starting point for getting your foot in the door, especially if you lack experience. And you might actually learn something useful! Education is the smallest but a crucial part of a 70-20-10 Career Development Plan.

Career Development Plan Template

www.cpatocybersecurity.com/p/cdp

Certs will get you the interview, not the job

Jason Dion, Co-Founder, AKYLADE

What Certs Are Best for GRC?

Great question for which I’ve made this roadmap and compiled some cost comparisons below. Views expressed are my own and feedback is welcome. Which ones are you getting after and which ones did I miss? Let me know in a YouTube comment, subscribe to my blog and reply to the welcome email, or find me outside 9×5 on the Simply Cyber Discord under grc-team-life.

Appendix 1: GRC Certification Roadmap

Beginner

Intermediate I

Intermediate II

Expert

Appendix 2: Prep + Exam Costs

Runners Up

Table

Year Introduced

On the DoD 8140 List?

Accredited, Practical Exams to Help Solve the Experience Catch-22

To Break In: Immerse Yourself, Get Validated, Show Your Work

www.cpatocybersecurity.com/p/catch-22