So you want to become a GRC Analyst?

Awesome! Here’s a free Career Development Plan template full of resources that I think you’ll find helpful.

It’s the best of the best I’ve discovered in my mid-career transition to GRC, organized in the ratio Harvard recommends for growing yourself faster:

  • 10% Education

  • 20% Relationships

  • 70% Experiences

This template format and the menu of resources inside it would also be helpful to a broad range of other target job areas and career stages.

GRC Career Development Plan

Your Name:

Target Role:

Target Timeline (months):

Date Created:

SKILL SELF-ASSESSMENT

Rate your current skill level: 1 (Learning) to 3 (Competent) to 5 (Expert)

Technical Competencies

| Competency | Rating (1-5) | Priority Focus? |
|---|---|---|
| COMPLIANCE & AUDIT | | |
| Audit Planning & Execution | 1 2 3 4 5 | Yes/No |
| Evidence Collection & Testing | 1 2 3 4 5 | Yes/No |
| Control Documentation | 1 2 3 4 5 | Yes/No |
| Regulatory Requirements (SOC 2, ISO, HIPAA, etc.) | 1 2 3 4 5 | Yes/No |
| RISK MANAGEMENT | | |
| Risk Assessment Methodology | 1 2 3 4 5 | Yes/No |
| Third-Party/Vendor Risk | 1 2 3 4 5 | Yes/No |
| Risk Quantification & Reporting | 1 2 3 4 5 | Yes/No |
| Risk Treatment & Remediation Tracking | 1 2 3 4 5 | Yes/No |
| GOVERNANCE | | |
| Policy & Procedure Development | 1 2 3 4 5 | Yes/No |
| Security Awareness Program | 1 2 3 4 5 | Yes/No |
| Framework Alignment (NIST CSF, CIS, ISO) | 1 2 3 4 5 | Yes/No |
| Metrics & Executive Reporting | 1 2 3 4 5 | Yes/No |
| TECHNICAL FOUNDATIONS | | |
| Networking Basics (TCP/IP, DNS, Firewalls) | 1 2 3 4 5 | Yes/No |
| Cloud Security Concepts (AWS/Azure/GCP) | 1 2 3 4 5 | Yes/No |
| Identity & Access Management | 1 2 3 4 5 | Yes/No |
| Security Operations Basics | 1 2 3 4 5 | Yes/No |

Technical Score: ______ / 80

Enabling Competencies

| Competency | Rating (1-5) | Priority Focus? |
|---|---|---|
| PROFESSIONALISM | | |
| Ethical Judgment & Integrity | 1 2 3 4 5 | Yes/No |
| Professional Skepticism | 1 2 3 4 5 | Yes/No |
| Attention to Detail | 1 2 3 4 5 | Yes/No |
| COMMUNICATION | | |
| Written Communication (Reports, Policies) | 1 2 3 4 5 | Yes/No |
| Presentation & Executive Briefing | 1 2 3 4 5 | Yes/No |
| Translating Tech to Business Language | 1 2 3 4 5 | Yes/No |
| Active Listening | 1 2 3 4 5 | Yes/No |
| COLLABORATION | | |
| Cross-Functional Teamwork | 1 2 3 4 5 | Yes/No |
| Stakeholder Relationship Building | 1 2 3 4 5 | Yes/No |
| Project Management | 1 2 3 4 5 | Yes/No |
| PROBLEM SOLVING | | |
| Issue Identification & Root Cause Analysis | 1 2 3 4 5 | Yes/No |
| Developing Recommendations | 1 2 3 4 5 | Yes/No |
| Driving Implementation & Change | 1 2 3 4 5 | Yes/No |
| ADAPTABILITY | | |
| Continuous Learning Mindset | 1 2 3 4 5 | Yes/No |
| Resilience Under Pressure | 1 2 3 4 5 | Yes/No |
| Initiative & Self-Direction | 1 2 3 4 5 | Yes/No |

Enabling Score: ______ / 80

TOTAL SCORE: ______ / 160

Interpretation:

  • 120-160: Ready to apply - focus on experience and positioning

  • 80-119: Strong foundation - target 2-3 priority gaps

  • 40-79: Building momentum - focus on fundamentals first

  • Below 40: Early journey - embrace the 70-20-10 learning path

70-20-10 ACTION PLAN

Research shows professionals develop: 70% from Experience, 20% from Relationships, 10% from Education

70% EXPERIENCES

Hands-on work creates competence. Prioritize doing over studying.

This Quarter, I Will:

| Experience Goal | Target Date | Status |
|---|---|---|
| 1. | | Done? |
| 2. | | Done? |
| 3. | | Done? |

Learn in Public: Start a Blog or YouTube Channel

The fastest way to accelerate your career is to learn in public. Document your journey as you take courses, read frameworks, and build projects. This creates:

  • Proof of work - Employers see you can communicate and follow through

  • Networking magnet - Others on the same journey will find and connect with you

  • Forced learning - Teaching others solidifies your own understanding

  • Searchable portfolio - Your content becomes discoverable by recruiters

You don't need to be an expert. Share what you're learning as you learn it. Your beginner perspective helps others one step behind you.

Inspiring Examples:

| Creator | Platform | What They Did |
|---|---|---|
| Daniel Miessler | Newsletter/Blog | Started writing about security in 1999; now runs Unsupervised Learning with 100K+ subscribers. Proof that consistent content compounds. - danielmiessler.com |
| Tyler Ramsbey | YouTube | Built "Hack Smarter" channel to 39K+ subscribers while working in offensive security. Founded a 9,000+ member community. Offers resume reviews, mock interviews, and free courses. - youtube.com/@TylerRamsbey - hacksmarter.org/catalog |
| Brews n Hacks | YouTube | Cybersecurity tutorials and home lab insights. Part of Simply Cyber Discord. Demonstrates that authenticity builds audience. - youtube.com/@BrewsnHacks |

Your Action Items:

  • Choose your platform: Blog (Substack, Medium, personal site) or YouTube

  • Pick one course or framework you're studying

  • Commit to publishing one post/video per week documenting what you learned

  • Share your content in Simply Cyber Discord for feedback

Best Experience Opportunities (Priority Order)

If You're Already Employed:

| Priority | Experience | Why It Matters |
|---|---|---|
| 1 | Take ownership of security questionnaire responses | Immediate value-add; exposes you to customer security requirements and your org's controls |
| 2 | Volunteer to help prepare for the next audit | Front-row seat to evidence collection, control testing, and auditor interactions |
| 3 | Shadow a risk assessment or vendor review | Learn methodology by observation before leading one yourself |
| 4 | Offer to update a policy or procedure document | Low-risk writing experience; forces you to understand the control environment |
| 5 | Document a process that only exists in someone's head | Creates immediate value; builds relationships with subject matter experts |
| 6 | Run an internal phishing simulation campaign | Cross-functional project with measurable outcomes |
| 7 | Create or improve a security awareness training module | Combines communication skills with security knowledge |
| 8 | Propose a small GRC improvement project | Demonstrates initiative; builds project management experience |

If You're Building From Outside:

| Priority | Experience | Why It Matters |
|---|---|---|
| 1 | Contribute to CSF Profile Assessment Database | GitHub portfolio starter (no coding required). Listed on NIST.gov's official community resources. - github.com/CPAtoCybersecurity/csf_profile |
| 2 | Start a blog/YouTube documenting your learning journey | See "Learn in Public" section above |
| 3 | Create a Cybersecurity Framework profile assessment and action plan for a small business | Real deliverable you can show in interviews; helps someone who needs it |
| 4 | Volunteer to join the Board of a nonprofit | Real-world governance experience; builds your network |
| 5 | Build a GRC automation project and document it publicly | Shows technical aptitude; GitHub portfolio piece |
| 6 | Complete Hack Smarter pentesting labs | Understanding offensive techniques sharpens your risk assessment instincts - hacksmarter.org |
| 7 | Respond to a Call for Papers at a local security conference | Forces you to synthesize learning; builds speaking experience |

20% RELATIONSHIPS

Learning through people accelerates growth exponentially.

This Quarter, I Will:

| Relationship Goal | Target Date | Status |
|---|---|---|
| 1. | | Done? |
| 2. | | Done? |

Mentorship

  • Find and/or Become a Mentor

    • Types: coach, sponsor or connector (link)

    • Top priorities: (1) make it win-win and optimize the use of their time (link), (2) find stretch assignments, (3) get CDP feedback

  • Reverse Mentor (link)

Peer learning

  • Job shadow

    • GRC, Information Security, Product Security, Internal Audit, IT to learn about their day-to-day responsibilities

Security Communities (Join at Least One)

  • Comment on GRC discussions on Linkedin, YouTube, X and social media platforms

  • Join Discord server communities

    • Simply Cyber (link): join the community and engage with what you have. No judgment. Everybody starts somewhere.

    • Look for grc-team-life

  • Attend Conferences

    • Infosec-Conferences (link)

    • Take the initiative to break the ice and network

    • Respond to a Call For Papers

  • Join Professional Organizations like

Best Relationship Resources (Priority Order)

Mentorship Actions:

| Priority | Action | Notes |
|---|---|---|
| 1 | Identify a mentor | Look for people 2-3 steps ahead (not executives). Active on LinkedIn or in communities you've joined. |
| 2 | Engage with their content first | Comment thoughtfully on their posts for 2-3 weeks before asking for anything. |
| 3 | Send a specific, low-commitment ask | "Could I ask you one question about my blog post?" not "Will you be my mentor?" |
| 4 | Offer value before asking | Share an article, insight, or genuine appreciation for their work. |
| 5 | Propose monthly 30-minute check-ins | Only after initial connection is established. Come prepared with specific questions. |

Recommended Reading: How to Initiate First Contact With a Mentor - practical advice on approaching mentors effectively.

Networking Tactics:

| Priority | Tactic | Frequency |
|---|---|---|
| 1 | Comment thoughtfully on LinkedIn posts in your target space | 5 posts/week |
| 2 | Share your learning journey publicly | 1 post/week minimum |
| 3 | Attend one security meetup (virtual or in-person) | Monthly |
| 4 | Send one genuine outreach message to a new connection | Weekly |
| 5 | Participate actively in Discord/community discussions | Daily (even 5 minutes) |

Conferences Worth Attending:

| Conference | Focus | Cost |
|---|---|---|
| Simply Cyber Con | GRC-focused virtual conference. Career development, networking, practitioner talks. - simplycybercon.org | Free |
| BSides (Local) | Community security conference | Free-$50 |
| ISACA Chapter Events | GRC-focused | Free with membership |
| Security Field Day | Vendor-neutral deep dives | Free (virtual) |
| Comprehensive conference list | | Varies |

10% EDUCATION

Formal learning provides frameworks - but don't let it replace action.

This Quarter, I Will:

| Education Goal | Target Date | Status |
|---|---|---|
| 1. | | Done? |
| 2. | | Done? |

Best Free Resources (Priority Order)

Frameworks - Essential Reading:

| Priority | Resource | Why It Matters |
|---|---|---|
| 1 | NIST Cybersecurity Framework 2.0 | The Rosetta Stone of security frameworks. Every GRC job expects familiarity. - nist.gov/cyberframework |
| 2 | CIS Controls v8 | Prioritized, actionable security controls. Great for understanding what "good security" looks like. - cisecurity.org/controls |
| 3 | NIST SP 800-30 | Guide to Conducting Risk Assessments. The methodology behind most risk programs. - csrc.nist.gov |
| 4 | SOC 2 Trust Services Criteria | Free overview from AICPA. Essential for SaaS/cloud company GRC roles. |
| 5 | ISO 27001 Overview | International ISMS standard. Full standard requires purchase; free overviews available. |
| 6 | NIST Risk Management Framework (RMF) | Comprehensive approach, especially for federal/government work. - https://csrc.nist.gov/pubs/sp/800/30/r1/final |

Daily Learning (15 min/day):

| Priority | Resource | Format |
|---|---|---|
| 1 | Daily Cyber Threat Brief (DCTB) | Simply Cyber YouTube, every weekday. Stay current on threats. - youtube.com/@SimplyCyber |
| 2 | Unsupervised Learning | Daniel Miessler's newsletter. Security, AI, and technology trends. - newsletter.danielmiessler.com |
| 3 | SANS NewsBites | Curated security news digest, twice weekly. - sans.org/newsletters |
| 4 | Krebs on Security | Investigative security journalism. - krebsonsecurity.com |
| 5 | Dark Reading | Broad security news coverage. - darkreading.com |
| 6 | The Hacker News | Breaking security news. - thehackernews.com |

Free Courses:

| Priority | Course | What You'll Learn |
|---|---|---|
| 1 | Professor Messer Security+ (SY0-701) | Technical security foundations. Even if you don't take the exam, this is essential knowledge. |
| 2 | Inside Cloud and Security CISSP | Risk management, security architecture, governance concepts. |
| 3 | Hack Smarter Free Courses | Career development, pentesting fundamentals, practical skills. - hacksmarter.org/catalog |
| 4 | NetworkChuck CCNA | Networking fundamentals. Only if networking is a gap. |
| 6 | freeCodeCamp Cybersecurity Courses | Various foundational topics. |

Podcasts (Commute-Friendly):

| Priority | Podcast | Why Listen |
|---|---|---|
| 1 | Darknet Diaries | Engaging breach stories and case studies. Great for understanding real-world incidents. |
| 2 | Simply Cyber Podcast | GRC perspectives, career advice, industry insights. |
| 3 | Risky Business | Industry news and expert analysis. Australian perspective. |
| 4 | CISO Series | Leadership perspective on security programs. |
| 5 | Security Now | Steve Gibson's technical deep dives made accessible. |

Annual Reports - Read at Least One:

| Priority | Report | Why It Matters |
|---|---|---|
| 1 | Verizon DBIR | Data-driven breach analysis. Essential for risk conversations. - verizon.com/dbir |
| 2 | IBM Cost of a Data Breach | Financial impact quantification by industry. Great for business cases. - ibm.com/security/data-breach |
| 3 | Mandiant M-Trends | Threat landscape and incident response trends. - mandiant.com |
| 4 | CrowdStrike Global Threat Report | Nation-state and criminal threat intelligence. |

Books:

| Priority | Book | Why Read It |
|---|---|---|
| 1 | How to Measure Anything in Cybersecurity Risk by Hubbard & Seiersen | Quantitative risk management. Game-changer for GRC credibility. |
| 2 | Security Engineering by Ross Anderson | Comprehensive security principles. Free online. |
| 3 | The CISO Handbook by Gentile et al. | Leadership perspective on security programs. |
| 4 | Practical Information Security Management by Tony Campbell | Real-world security management. |
| 5 | Cybersecurity Canon | Curated list of must-read security books. - icdt.osu.edu/cybercanon |

  • See How to Break Into GRC lessons 6.3 and 6.4 for a discussion about certs with Dr. Gerald Auger (link)

  • GRC Certification Roadmap (link)

  • Simply Cyber:

    • AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) (link)

    • AKYLADE Certified Cyber Resilience Practitioner (A/CCRP) (link)

    • AKYLADE Cyber Risk Management Foundations (A/CRMF) (link)

    • GRC Analyst Master Class (link)

    • Intro to AWS Pentesting (link)

  • ISACA CISA (link)

  • ISC2 CISSP (link)

  • AWS Certified Cloud Practitioner (link)

Certifications (Aligned to Career Stage)

| Career Stage | Recommended Certifications |
|---|---|
| Entry | CompTIA Security+, ISC2 CC, Google Cybersecurity Certificate |
| GRC-Specific | ISACA CISA, ISACA CRISC, ISO 27001 Lead Implementer/Auditor |
| Advanced | CISSP, CISM |

Certification Roadmap: Paul Jerimy's Security Certification Roadmap - pauljerimy.com/security-certification-roadmap

QUARTERLY REVIEW

Date: ________________

Wins This Quarter:

Gaps to Address Next Quarter:

Adjusted Goals:

Mentor/Peer Feedback Received:

OTHER RESOURCES

Career Tools:

  • Cyberseek.org - Career pathway visualization and job market data

  • NICE Framework - nist.gov/nice - Standard cybersecurity role definitions

  • Paul Jerimy Security Certification Roadmap - pauljerimy.com - Visual cert guide

  • LinkedIn Learning - GRC courses (free via many public libraries)

Simply Cyber Free Resources:

Book Companion:
