Your Career Plan: Cybersecurity GRC

What are specific steps you can take to break into Cybersecurity Governance, Risk & Compliance?

#1 The Growth Cycle

In the article “A simple way to map out your career ambitions”, it says that to grow yourself faster, the research is clear: use a combination of on-the-job, social, and formal learning, known as the 70-20-10 model.

The first thing I find interesting here is that the focus is not all certs. In fact, it’s 90% NOT certs. The second thing is this quote:

Think of growth as a cycle — where you successfully perform, get feedback, and perform again even better.

I like the broad strokes of that, but it’s too sugarcoated. Yes, growth is a cycle where feedback leads to better performance, but no, I wouldn’t expect to successfully perform something well the first time. Learning curves aren’t easy.

So for more candor, and for telling us what we need to hear and not what we want to hear, we need Ray Dalio, the billionaire hedge fund CEO and leadership guru. Ray’s into radical candor and radical transparency, which can be very uncomfortable, but it’s how good people and companies get to be great. And it works well in an environment of trust, respect and psychological safety with your manager.

Step 2 of 5 is Problems!

You can see in this diagram that step 2 of his 5-step process to get what you want out of life is: problems!

Right off the bat you can expect discomfort and failure; growth is hard. But the key is to not get discouraged, to be persistent and to keep iterating. Just keep showing up.

Career Development Plan (CDP) Template

Next, it says here that the first step to grow is to determine your from/to. So fire up Notion, Google Docs or wherever you write stuff down, and at the top of the page write down your target job:

Next: what skills do you need in the next 3 months, 6 months, 1 or 2 years to be a GRC analyst? Also, what’s your goal in 10 years, and how is being a GRC analyst going to help you get that job?

Start writing that down. It’s going to help you get organized and focus your energy in the right direction. It’s also going to make a good icebreaker for coaching conversations with your manager, or mentors, or both.

After you write down your target job description with a timeline, the next career development plan step is to inventory what skills you have and what skills you need. To find out what the required skills are for the job, the best place to look is job postings. Fire up one of the popular job posting sites, and get hunting for something that energizes you.

Narrowing Down Target Job, Industry, Company Size, Location and More

Also consider the industry, company size and location you’re targeting. A super helpful reference that I used for that in 2020 is this Your Cyber Path mind map, out on Twitter:

It breaks down:

  • Different types of employer: consulting, non-tech, tech, self, government

  • Size: large and small

Another great place to hunt for jobs and skills is Cyberseek.org, which aggregates lots of job postings into summary roles.

Under career pathways, entry level, I’ll start with IT Auditor, which was part of my prior job in Sarbanes-Oxley compliance. From 6,092 job openings, it says the average salary is $99k, and that the requested education is 77% bachelor’s degree, 19% graduate degree.

What if you don’t have a degree?

A great thing about cybersecurity, when compared to a profession like accounting, is that degrees are less of a barrier. In cyber, if you have hands-on-keyboard experience and have built cool projects to reduce cyber risk, that counts for a lot.

It’s not how you stand beside your car, it’s how you race your car. For more on this concept, watch the Fast and the Furious, obviously. Also check out Darknet Diaries Episode 60: DOGYG. It’s about the meritocracy of bug bounties and has an inspiring story.

IT Auditor Certs and Skills

According to Cyberseek, as of the day I checked, the top certifications requested for IT Auditor are:

  • CISA

  • CIA

  • CISSP

  • CPA

  • CISM

There it is! There’s the answer to the number one question hiring managers are asked, and one I’ve asked hiring managers myself: what cert should I get? The answer is not one-size-fits-all; it depends on your circumstances and the target job. But a good source to guide you and act as a compass is job postings.

Of the ones on the screen here, I’d recommend CISA, CISSP and CISM.

For GRC, CIA or CPA are great if you have them, but if you don’t, focus on other areas that are faster and lower cost to get, and have a higher return on investment for GRC work.

Top Skills Requested

  1. Auditing

  2. Accounting

  3. Internal Auditing

  4. Internal Controls

  5. Risk Analysis

  6. Finance

  7. Information Systems

  8. Project Management

  9. Public Accounting

Numbers 1, 3, 5, 7 and 8 are good to highlight or bold as skill areas to develop.

Then put related goals for these in the relationship and experience sections of your CDP. Think about people, tasks, conferences, Discord servers, blogs, volunteering, YouTube channels, anything that can get you these skills or closer to them.

For example, does your company have a GRC or an audit department, and have you talked to those people? You could say, “Hey, I’m working on my career development plan and I want to learn more about GRC. Could you meet for 30 minutes to tell me about it and to help me find ways to get relevant skills?”

Next, let’s keep moving on Cyberseek to mid-level. I didn’t see GRC Analyst the day I checked, so I hit Cybersecurity Analyst, which I expect to be pretty close.

If I want more granular precision, another free resource to check out is the Cyber Career Pathway Tool from the National Initiative for Cybersecurity Careers and Studies. Check out Security Control Assessor and IT Program Auditor.

Cybersecurity Analyst Certs and Skills

Back in Cyberseek, Cybersecurity Analyst has 23,951 jobs with an average salary of $107k. It wants a degree 88% of the time, but that’s not a dealbreaker. Top certs requested are:

  • CISSP

  • GIAC Certs

  • Security+

  • CISA

Notice we don’t see CIA or CPA here.

Top skills requested for a Cybersecurity Analyst are:

  1. Cyber Security

  2. Vulnerability (that’s one of the specific cybersecurity domains)

  3. Computer Science

  4. Auditing

  5. Incident Response

  6. Risk Analysis

  7. Information Systems

  8. Security Controls

  9. Security Information And Event Management

Yes to all of these. On Computer Science, you’ve got to respect it. It’s an advantage if you have it, but it’s not a hard requirement in GRC, which is one of the least technical roles at entry level. It’s getting more technical quickly, however, including with the emergence of GRC Engineering.

Next, same drill as I described for IT Auditor: you want to get closer to these skills. If you’re at a company today with departments doing these things, try to network with those people to see how you can help each other.

10% Education

If you’re a student or not employed, you can go after certs like Security+ and CISA to start learning about these topics and practicing related skills.

Wrapping up education:

David Bombal’s network training quotes Nelson Mandela, saying “Education is the most powerful weapon which you can use to change the world.” I love that, and here are some really great cert-up-and-don’t-give-up type motivational videos that he’s put out there:

It’s not important how many times you’ve stumbled. It’s not important how many times you’ve failed. What’s important is how many times you pick yourself up and try and reach your goals.

David Bombal

Isn’t it interesting that this is the same advice we heard from Ray Dalio? I think this is because these are true principles that worked for them and can also work for you.

20% Relationships and 70% Experience

When it comes to relationships and experiences in your Career Development Plan, I think you’ll find that one unlocks opportunities with the other; they go hand in hand.

Mentors

Here’s an example: you cold-call a mentor, and you do a good job because you followed Daniel Miessler’s tips in this article that I’ll link to, which he wrote after receiving thousands of requests over 20 years.

My favorite line is that “starstruck Padawan is not a strategy.” He lays out the formula for how to do it right and how to get where you want to go.

Keeping in mind that your goal is to add things to your 70% experience bucket, when you get that first mentor meeting don’t just shoot the breeze. Ask for stretch assignments.

There are 3 kinds of mentor: coaches, sponsors, and connectors. Decide which of these you need to get access to the skills you want, and bake it into your plan.

Another relationship idea is reverse mentoring. If you’re mid or late career, carve out some time to meet with junior people and ask them to help you understand the latest trending tools. This can be when they ask you to be a mentor, and you do some quid pro quo! I’ve had co-op students with pen testing backgrounds blow my mind with some eye-opening stuff that taught me a lot.

Job Shadowing

Another one is job shadowing. If your company has a Security Operations Centre and you want to learn about that, email them or talk to them at the water cooler and say, “Hey, can I please ride along with you for an hour of job shadowing? I just want to learn more about what a day in the life of a SOC is like, to round out my skills, and who knows, maybe we could find something I can help with as a stretch assignment that advances our mutual goals.”

Or take it a step further. Say, “Hey, I heard you need to document some processes. Can I help with that as a stretch assignment? My manager approved 2 hours a week I could spend on it, which would free you up to do more interesting things than documentation.” Win-win!

Hopefully I’m painting a picture here that gets your ideas flowing. Adding to that, I’ve compiled a laundry list of more brainstorm ideas that you might want to apply:

More Ideas to Fill Up Your CDP

1. Kip Boyle and Jason Dion’s Udemy course was the key catalyst for me to break in. For example, it taught me what GRC was.

2. They’ve also got a great podcast called Your Cyber Path. I’m in episode 79 if you want to hear more about that.

3. Gerald Auger has a GRC Masterclass that’s great. He also has an excellent and very successful YouTube channel and Discord server, called Simply Cyber.

4. Follow influencers on LinkedIn, YouTube, Twitter, etc. My Mount Rushmore shortlist of people I look up to is Daniel Miessler, Kip Boyle, Jason Dion, Gerald Auger, Jen Easterly, Malcolm Harkins, Rob Black, Naomi Brockwell, Naomi Buckwalter, David Bombal and Network Chuck. That’s way more than 4. It was a hard list to make. But I have no hesitation offering these as names to follow if you want to learn more about the industry.

5. Check out securitycreators.video

6. You can download, for free, and check out some cybersecurity frameworks and controls: NIST CSF, NIST SP 800-53A, or the SOC 2 Trust Services Criteria.

7. Go to conferences and BSides events. You’re going to get out of these what you put into them.

8. Start a home lab or a virtual lab

9. Start a blog

10. Publish your projects

11. Offer to help with an audit

12. Run a security awareness campaign, e.g. with these resources:

13. Volunteer on a not-for-profit board of directors, and help them with basic cyber hygiene.

I’m going to saw this topic off here for today. Questions and feedback are welcome.

Thanks for reading and good luck getting after it!