Insights 1 Year Later: Your GRC Career Development Plan
New Simply Cyber Video!
Hey there, 👋
I recently had the privilege of discussing how to break into Cybersecurity Governance, Risk and Compliance with some awesome members of the Simply Cyber community. Check out our impromptu/renegade podcast that explores opportunities to stand out from the crowd.
The discussion is anchored around the "break into GRC" videos below, which are now about a year old. In revisiting them, several core themes still resonate strongly for launching or lifting a GRC career:
Build a strong foundation. 🏗️ Aspiring GRC professionals need a solid base of knowledge in both information security concepts and business fundamentals. Resources like Securitycreators.video, NIST's Cybersecurity Framework and the introductory training in the GRC Certification Roadmap provide an essential grounding. But it's equally critical to understand the drivers, objectives and operations of the business.
Develop T-shaped skills. 🏋️‍♀️ Effective GRC practitioners combine deep subject matter expertise in at least 1-2 security domains (for me it was access and change management controls), with broad, general knowledge across the rest. Focus on developing deep, differentiating strengths in 1-2 technical competencies in the GRC Career Development Plan template.
Pursue meaningful projects. 🔧 Hands-on, practical experience is the most powerful way to build skills and demonstrate value to employers. Look for opportunities to take on relevant projects, whether through your current role, volunteer work, or independent study. Clone the grcAssist.py tool and get it up and running.
Try the same with Fabric and then run its create_threat_model pattern against a fictitious R&D lab environment that needs remote access. Now try the create_stride_threat_model pattern, and blog about how it went.
Make a Cyber Risk Scorecard that Wins Hearts and Minds to refine your NIST CSF and data analysis skills.

If you get stuck, ask for help from the community in Simply Cyber Discord. Email me if you could use more details on how.
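To make the scorecard project concrete, here is an added example of the kind of data-analysis step behind a NIST CSF risk scorecard. It is my own illustration, not code from the original post, from grcAssist.py or from Fabric. It assumes the six Functions of NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover), and it simplifies by scoring each control on a 1-4 maturity scale borrowed from the CSF Implementation Tiers. The control IDs follow CSF 2.0 subcategory naming, but the assessment values and weights are constructed for the example.

```python
"""Weighted NIST CSF scorecard: per-Function maturity, gap to target, and a
prioritized remediation list. Added example; not the post's or grcAssist.py's code."""
from dataclasses import dataclass

# The six Functions of NIST CSF 2.0.
CSF_FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")

# Maturity scale borrowed from the CSF Implementation Tiers (a simplification:
# the Tiers describe a whole program, here they are applied per control).
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class ControlResult:
    function: str      # one of CSF_FUNCTIONS
    control_id: str    # CSF 2.0 subcategory ID, e.g. "PR.AA-01"
    current: int       # assessed maturity, 1-4
    target: int        # management's target maturity, 1-4
    weight: float = 1.0  # criticality weight (higher = matters more to the business)

    def __post_init__(self):
        # Reject bad input up front so the scorecard never silently averages garbage.
        if self.function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.function}")
        for name in ("current", "target"):
            if getattr(self, name) not in TIER_NAMES:
                raise ValueError(f"{name} must be 1-4 for {self.control_id}")
        if self.weight <= 0:
            raise ValueError(f"weight must be positive for {self.control_id}")

    @property
    def weighted_gap(self) -> float:
        # Distance to target, scaled by how much the control matters.
        return (self.target - self.current) * self.weight


def score_by_function(results):
    """Weighted average current/target maturity and gap for each CSF Function.
    A Function with no assessed controls is reported as None (an assessment gap),
    never as a zero that would drag the overall picture down."""
    scores = {}
    for fn in CSF_FUNCTIONS:
        rows = [r for r in results if r.function == fn]
        if not rows:
            scores[fn] = None
            continue
        total_w = sum(r.weight for r in rows)
        cur = sum(r.current * r.weight for r in rows) / total_w
        tgt = sum(r.target * r.weight for r in rows) / total_w
        scores[fn] = {
            "current": round(cur, 2),
            "target": round(tgt, 2),
            "gap": round(tgt - cur, 2),
            "controls": len(rows),
        }
    return scores


def prioritized_gaps(results, top_n=3):
    """Controls ranked by weighted gap, largest first; on-target controls are dropped."""
    ranked = sorted((r for r in results if r.target > r.current),
                    key=lambda r: r.weighted_gap, reverse=True)
    return [(r.control_id, r.weighted_gap) for r in ranked[:top_n]]


def render_scorecard(scores) -> str:
    """Plain-text table suitable for pasting into a status update."""
    lines = [f"{'Function':<10}{'Current':>8}{'Target':>8}{'Gap':>6}  Status"]
    for fn, s in scores.items():
        if s is None:
            lines.append(f"{fn:<10}{'-':>8}{'-':>8}{'-':>6}  NOT ASSESSED")
            continue
        status = "on target" if s["gap"] <= 0 else ("minor gap" if s["gap"] < 1 else "major gap")
        lines.append(f"{fn:<10}{s['current']:>8}{s['target']:>8}{s['gap']:>6}  {status}")
    return "\n".join(lines)


# Constructed assessment results for the example (not real data).
SAMPLE_RESULTS = [
    ControlResult("Govern", "GV.OC-01", current=2, target=3),
    ControlResult("Govern", "GV.RM-01", current=1, target=3, weight=1.5),
    ControlResult("Identify", "ID.AM-01", current=3, target=3),
    ControlResult("Identify", "ID.RA-01", current=2, target=3),
    ControlResult("Protect", "PR.AA-01", current=2, target=4, weight=2.0),
    ControlResult("Protect", "PR.PS-01", current=3, target=3),
    ControlResult("Detect", "DE.CM-01", current=1, target=3, weight=1.5),
    ControlResult("Respond", "RS.MA-01", current=2, target=3),
    # Recover deliberately has no results: the scorecard must call that out.
]

if __name__ == "__main__":
    print(render_scorecard(score_by_function(SAMPLE_RESULTS)))
    print("Top weighted gaps:", prioritized_gaps(SAMPLE_RESULTS))
```

The two things worth noticing are what the numbers hide: an unassessed Function is reported as a gap rather than averaged in as zero, and the remediation list is ordered by weighted gap, so a heavily weighted identity control (PR.AA-01) outranks a larger but less critical shortfall. Those are the judgment calls a reader of the scorecard will ask you to defend.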
Cultivate communication skills. 💬 The ability to articulate cybersecurity risks and recommendations to a non-technical audience is immensely valuable. Practice translating complex issues into simple terms and connecting security to business objectives. Learn to tailor your message for executives, managers, and end users. Storytelling, presentation and interpersonal skills will serve you well.
Build relationships and a reputation. 🤝 GRC is a field where who you know matters as much as what you know. Network authentically both within and outside your organization. That’s why I just encouraged you to engage on the Simply Cyber Discord server. Also attend industry events and don't hesitate to reach out to practitioners you respect for advice and conversation. Focus on giving more than you get. Over time, your helpfulness, curiosity and passion will be noticed.
Embrace continual learning. 📚 Our profession changes too rapidly for skills to remain stagnant. Regularly scan the horizon for emerging issues, tools and practices. Keep your knowledge fresh through ongoing training, conferences and hands-on exploration. Be willing to challenge your own assumptions and adapt based on new information.
The GRC field is awesome and underrated. ✨ By dedicating yourself to these timeless principles – building a strong foundation, developing T-shaped skills, pursuing meaningful projects, cultivating communication abilities, investing in relationships, and committing to continual learning – you'll position yourself well to break into this dynamic profession and make a real difference.
Be safe, be well,
Steve
March 21 AMA Agenda
Thanks Rim, Luigi and Arun!

What’s standing in the way of your career crossover into cybersecurity?
Have you heard of the Governance, Risk & Compliance (GRC) function, or that it's awesome and underrated? GRC helps solve the catch-22 of cybersecurity hiring: managers want experienced applicants who add value from day one, while applicants want a shot at getting that experience. GRC is a great feeder role for you to break through.

About Your Instructor
Instructor Steve McMichael from Simply Cyber Academy is committed to helping YOU accelerate your cybersecurity career.

Steve is passionate about guiding students, from backgrounds as diverse as accounting, into cybersecurity GRC. He successfully made this shift himself and shares his journey in the popular blog, CPA to Cybersecurity.
Steve holds advanced degrees in business (BBA, MBA), along with cybersecurity certifications (CCRP, CRMP, CISSP, CISA), and is a Chartered Professional Accountant (CPA). With nearly 20 years of experience in tech, he currently serves as the Director of Governance, Risk, and Compliance at BlackBerry.
(Views expressed are my own)
Dec 2023: How to Break into Cybersecurity GRC? 3 First Steps
Summary

Some other key insights:
Compliance is a good entry-point role within GRC, which is itself an entry-point team.
Critical thinking and problem-solving skills go a long way in GRC, if you can bring "order to chaos."
The same goes for understanding the business and the underlying technology.
GRC jobs can vary widely by industry, company, team and culture - it’s a spectrum from startup to large enterprise, public, private and government.
Reflections 1 Year Later
Principles in this Daniel Miessler essay still stand out and resonate:
You Are Your Projects / Have a Presence
This is where the book knowledge stops and creativity begins. You should always be working on projects.
As a beginner, or even as an advanced practitioner, nobody should ever ask you what you’re working on and you say, "Nothing." Unless you’re taking a break in-between, of course.
Projects tend to cross significantly into programming. The idea is that you come up with a tool or utility that might be useful to people, and you go and make it.
And while you’re learning, don’t worry too much if someone has already done something beforehand. It’s fun to create, and you want to get used to the thrill of going from concept to completion using code.
And if not coding, learn in public with a blog.
On Certifications
Yes, certifications matter. And so do college degrees. And so does experience. And so does anything else that people think matters.
…I like to explain infosec certifications like so: You need your CISSP, you should get an audit cert (CISA/CISM), and you should get a technical cert (SANS)
Landing Your First Job
Entry-level positions don’t really exist in cybersecurity.
In order to be useful to a team you have to be useful on the first day, and that requires you to have some combination of these three things:
1. A degree in CS and/or something InfoSec related.
2. A good set of certifications that show knowledge similar to a degree.
3. A body of practical, tangible project work that shows you can actually do the things you’ll be asked to do on the job.
For most people reading this, #1 isn’t an option for you at this moment (otherwise you’d already have a position). So you’re most likely going to need a combination of #2 and #3.
I didn’t have #1, and in the past I was told that it’s a dealbreaker.
But it’s not in GRC.
I also want to point out that a lot of people are pivoting into cybersecurity. You've worked in marketing for 15 years? Or you left the workforce to be a stay-at home parent? Welcome to the business! If you’re a lifelong learner, GRC is where you want to go.
Mastering Professionalism
Failing at this means your content can be world-class and you can still go unnoticed or be passed over.
Compliance is held to a higher standard of ethics
I think this is an overlooked area where you can differentiate yourself
We create trust by living by our values:
- Act with integrity
- Foster excellence
- Be accountable
- Work collaboratively
- Respect others
Get Specific About Jobs to Apply To
Saying you want to work in cyber security is like saying you want to work in science...
..niche down
We put together this #mindmap to help people get their first #cybersecurityjob. What do you think? 💻🖥️🗺️ #infosec @WSJCyber @cyber @gcluley @briankrebs @Raj_Samani @Beaker
— YourCyberPath (@CyberPathMaker)
7:34 PM • Mar 7, 2020
I’ve Jumped to the Daily Cyber Threat Brief over Risky.biz and Similar Podcasts
Jan 2024: Your 70-20-10 Career Development Plan
Summary
Determine your target job and timeline (e.g. GRC Analyst in 1-2 years). Write this down in a career development plan.
Identify the skills needed for that target role by looking at:
Job postings on popular job sites
Summaries on cyberseek.org under Career Pathways
The Cyber Career Pathways tool from NICCS
Set goals to gain those skills using a 70-20-10 model:
70% from on-the-job (or volunteering) experience
Get stretch assignments related to GRC
Job shadow the GRC team if your company has one
Volunteer to help with audits, security awareness, etc.
20% from relationships
Network with people in GRC roles
Find a mentor
Consider reverse mentoring
Engage in learning communities: Discord, YouTube, conferences and events
10% from education
Get after courses and certifications
Continuously iterate on performing, getting feedback, and improving. Expect some discomfort and failure as part of the growth process.
It seems to me that the personal evolutionary process takes place in five distinct steps. If you can do those five things well, you will almost certainly be successful.
Together, these five steps make up a loop, like the one here. #principleoftheday
— Ray Dalio (@RayDalio)
2:40 PM • Oct 23, 2023
The key is inventorying the skills you have vs. need, setting goals to gain experience, relationships and education in those areas, and persistently working the plan.
Reflections
Bumping into this statement “it’s tough”
Yes, I've watched many of your videos and they are great. I just keep bumping up against this statement "it's tough", not just from you but from everyone in the cyber field. I have… [redacted]. Why is this so tough? I am not "yelling" I promise. I just can't seem to understand what it is that makes me not a candidate.
May 2024: GRC Certification Roadmap
Summary
The roadmap covers a 4-5 year progression through beginner, intermediate and expert level certifications:
Beginner (Year 1) - Focus on foundational knowledge
Goal: Know enough to be part of a GRC team
Resources:
SecurityCreators.video for free introductory content
Cybersecurity Canon audiobooks for engaging stories
Simply Cyber and Simply Cyber Academy
Certifications:
CompTIA Security+ or equivalent for foundational technical knowledge
AKYLADE Certified Cyber Resilience Foundation (A/CCRF) for NIST Cybersecurity Framework knowledge
Intermediate (Years 2-3) - Become an independent consultant and leader
Elevate understanding of fundamentals and terminology
Develop practitioner skills to lead GRC assessments and programs
Certifications:
ISACA Certified Information Systems Auditor (CISA)
AKYLADE Certified Cyber Resilience Practitioner (A/CCRP)
Expert (Years 4-5)
Certification:
(ISC)2 Certified Information Systems Security Professional (CISSP)
Reflections
Education is still just 10% of a career development plan, but increase that share if you have less experience.
There’s value in testing yourself
Once you have a foundational technical acumen to “speak the language”, focus on practical GRC application
GRC isn’t a Capture the Flag
It’s solving business problems
Be a compass to help management navigate and make decisions that protect and enable business objectives
Leading the orchestra / eating the elephant of audits
Interfacing with the business
Having defensible due care and due diligence
Ideas for Your Portfolio
Start a Blog and Learn GRC in Public
Courses
Discord servers https://discord.gg/SimplyCyber
Start a GitHub repo by cloning grcAssist.py
Then include it with your job applications
Here’s mine (same link as earlier):