Insights 1 Year Later: Your GRC Career Development Plan

New Simply Cyber Video!

Hey there, 👋

I recently had the privilege of discussing how to break into Cybersecurity Governance, Risk and Compliance with some awesome members of the Simply Cyber community. Check out our impromptu/renegade podcast that explores opportunities to stand out from the crowd.

The discussion is anchored around the "break into GRC" videos below that are now about a year old. In revisiting these, several core themes still resonate strongly to launch or lift a GRC career:

Build a strong foundation. 🏗️ Aspiring GRC professionals need a solid base of knowledge in both information security concepts and business fundamentals. Resources like Securitycreators.video, NIST's Cybersecurity Framework and the introductory training in the GRC Certification Roadmap provide an essential grounding. But it's equally critical to understand the drivers, objectives and operations of the business.

Develop T-shaped skills. 🏋️‍♀️ Effective GRC practitioners combine deep subject matter expertise in at least 1-2 security domains (for me it was access and change management controls), with broad, general knowledge across the rest. Focus on developing deep, differentiating strengths in 1-2 technical competencies in the GRC Career Development Plan template.

Pursue meaningful projects. 🔧 Hands-on, practical experience is the most powerful way to build skills and demonstrate value to employers. Look for opportunities to take on relevant projects, whether through your current role, volunteer work, or independent study. Clone the grcAssist.py tool and get it up and running.

Try the same with Fabric and then run create_threat_model for a fictitious R&D lab environment that needs remote access. Now try create_stride_threat_model, and blog about how it went.

Make a Cyber Risk Scorecard that Wins Hearts and Minds to refine your NIST CSF and data analysis skills.

If you get stuck, ask for help from the community in Simply Cyber Discord. Email me if you could use more details on how.

Cultivate communication skills. 💬 The ability to articulate cybersecurity risks and recommendations to a non-technical audience is immensely valuable. Practice translating complex issues into simple terms and connecting security to business objectives. Learn to tailor your message for executives, managers, and end users. Storytelling, presentation and interpersonal skills will serve you well.

Build relationships and a reputation. 🤝 GRC is a field where who you know matters as much as what you know. Network authentically both within and outside your organization. That’s why I just encouraged you to engage on the Simply Cyber Discord server. Also attend industry events and don't hesitate to reach out to practitioners you respect for advice and conversation. Focus on giving more than you get. Over time, your helpfulness, curiosity and passion will be noticed.

Embrace continual learning. 📚 Our profession changes too rapidly for skills to remain stagnant. Regularly scan the horizon for emerging issues, tools and practices. Keep your knowledge fresh through ongoing training, conferences and hands-on exploration. Be willing to challenge your own assumptions and adapt based on new information.

The GRC field is awesome and underrated. ✨ By dedicating yourself to these timeless principles – building a strong foundation, developing T-shaped skills, pursuing meaningful projects, cultivating communication abilities, investing in relationships, and committing to continual learning – you'll position yourself well to break into this dynamic profession and make a real difference.

Be safe, be well,

Steve

March 21 AMA Agenda

Thanks Rim, Luigi and Arun!

What’s standing in the way of your career crossover into cybersecurity?

Have you heard of the Governance, Risk & Compliance (GRC) function, and that it's awesome and underrated? Cybersecurity hiring is a catch-22: hiring managers want experienced applicants who add value from day one, and applicants want a shot at getting that experience. GRC is a great feeder role for breaking through that problem.

About Your Instructor

Instructor Steve McMichael from Simply Cyber Academy is committed to helping YOU accelerate your cybersecurity career.

Steve is passionate about guiding students, from backgrounds as diverse as accounting, into cybersecurity GRC. He successfully made this shift himself and shares his journey in the popular blog, CPA to Cybersecurity.

Steve holds advanced degrees in business (BBA, MBA), along with cybersecurity certifications (CCRP, CRMP, CISSP, CISA), and is a Chartered Professional Accountant (CPA). With nearly 20 years of experience in tech, he currently serves as the Director of Governance, Risk, and Compliance at BlackBerry.

(Views expressed are my own)

Dec 2023: How to Break into Cybersecurity GRC? 3 First Steps

Summary

Some other key insights:

  • Compliance is a good entry-point role, and GRC is a good entry-point team.

  • Critical thinking and problem-solving skills go a long way in GRC, especially if you can bring “order to chaos.”

  • The same goes for understanding the business and the underlying technology.

  • GRC jobs can vary widely by industry, company, team and culture - it’s a spectrum from startup to large enterprise, public, private and government.

Reflections 1 Year Later

Principles in this Daniel Miessler essay still stand out and resonate:

You Are Your Projects / Have a Presence

This is where the book knowledge stops and creativity begins. You should always be working on projects.

As a beginner, or even as an advanced practitioner, nobody should ever ask you what you’re working on and you say, "Nothing." Unless you’re taking a break in-between, of course.

Projects tend to cross significantly into programming. The idea is that you come up with a tool or utility that might be useful to people, and you go and make it.

And while you’re learning, don’t worry too much if someone has already done something beforehand. It’s fun to create, and you want to get used to the thrill of going from concept to completion using code.

Daniel Miessler
  • And if not coding, learn in public with a blog

On Certifications

Yes, certifications matter. And so do college degrees. And so does experience. And so does anything else that people think matters.

…I like to explain infosec certifications like so: You need your CISSP, you should get an audit cert (CISA/CISM), and you should get a technical cert (SANS)

Daniel Miessler

Landing Your First Job

Entry-level positions don’t really exist in cybersecurity.

In order to be useful to a team you have to be useful on the first day, and that requires you to have some combination of these three things:

1. A degree in CS and/or something InfoSec related.

2. A good set of certifications that show knowledge similar to a degree.

3. A body of practical, tangible project work that shows you can actually do the things you’ll be asked to do on the job.

For most people reading this, #1 isn’t an option for you at this moment (otherwise you’d already have a position). So you’re most likely going to need a combination of #2 and #3.

Daniel Miessler
  • I didn’t have #1 and in the past was told that it’s a dealbreaker

    • But it’s not in GRC

❝

I also want to point out that a lot of people are pivoting into cybersecurity. You've worked in marketing for 15 years? Or you left the workforce to be a stay-at-home parent? Welcome to the business! If you’re a lifelong learner, GRC is where you want to go.

Dr. Gerald Auger

Mastering Professionalism

Failing at this means your content can be world-class and you can still go unnoticed or be passed over.

Daniel Miessler
  • Compliance is held to a higher standard of ethics

  • I think this is an overlooked area where you can differentiate yourself

We create trust by living by our values:

- Act with integrity

- Foster excellence

- Be accountable

- Work collaboratively

- Respect others

Get Specific About Jobs to Apply To

❝

Saying you want to work in cyber security is like saying you want to work in science...

...niche down

Dr. Gerald Auger

I’ve Jumped to the Daily Cyber Threat Brief over Risky.biz and Similar Podcasts

Jan 2024: Your 70-20-10 Career Development Plan

Summary

  1. Determine your target job and timeline (e.g. GRC Analyst in 1-2 years). Write this down in a career development plan.

  2. Identify the skills needed for that target role by looking at:

    • Job postings on popular job sites

    • Summaries on cyberseek.org under Career Pathways

    • The Cyber Career Pathways tool from NICCS

  3. Set goals to gain those skills using a 70-20-10 model:

    • 70% from on-the-job (or volunteering) experience

      • Get stretch assignments related to GRC

      • Job shadow the GRC team if your company has one

      • Volunteer to help with audits, security awareness, etc.

    • 20% from relationships

      • Network with people in GRC roles

      • Find a mentor

      • Consider reverse mentoring

      • Engage in learning communities: Discord, YouTube, conferences and events

    • 10% from education

      • Get after courses and certifications

Continuously iterate on performing, getting feedback, and improving. Expect some discomfort and failure as part of the growth process.

The key is inventorying the skills you have vs. need, setting goals to gain experience, relationships and education in those areas, and persistently working the plan.

Reflections

Bumping into this statement “it’s tough”

Yes, I've watched many of your videos and they are great. I just keep bumping up against this statement "it's tough", not just from you but from everyone in the cyber field. I have… [redacted]. Why is this so tough? I am not "yelling" I promise. I just can't seem to understand what it is that makes me not a candidate.

GRC job seeker

May 2024: GRC Certification Roadmap

Summary

The roadmap covers a 4-5 year progression through beginner, intermediate and expert level certifications:

Beginner (Year 1) - Focus on foundational knowledge

  • Goal: Know enough to be part of a GRC team

  • Resources:

  • Certifications:

    • CompTIA Security+ or equivalent for foundational technical knowledge

    • AKYLADE Certified Cyber Resilience Foundation (A/CCRF) for NIST Cybersecurity Framework knowledge

Intermediate (Years 2-3) - Become an independent consultant and leader

  • Elevate understanding of fundamentals and terminology

  • Develop practitioner skills to lead GRC assessments and programs

  • Certifications:

    • ISACA Certified Information Systems Auditor (CISA)

    • AKYLADE Certified Cyber Resilience Practitioner (A/CCRP)

Expert (Years 4-5)

  • Certification:

    • (ISC)2 Certified Information Systems Security Professional (CISSP)

Reflections

  • Education is still just 10% of a career development plan, but increase that share if you have less experience

  • There’s value in testing yourself

  • Once you have a foundational technical acumen to “speak the language”, focus on practical GRC application

    • GRC isn’t a Capture the Flag

    • It’s solving business problems

    • Leading the orchestra / eating the elephant of audits

    • Interfacing with the business

    • Having defensible due care and due diligence

Ideas for Your Portfolio

Start a Blog and Learn GRC in Public

Start a Github Repo by cloning grcAssist.py

  • Then include it with your job applications

Here’s mine (same link as earlier):

Try Fabric prompts/patterns for AI augmented risk assessments

Make a Cyber Risk Scorecard