So you want to become a GRC Analyst?

Awesome! Here’s a free Career Development Plan template full of resources that I think you’ll find helpful.

It’s the best-of-the-best I’ve discovered in my mid-career transition to GRC, broken into Harvard’s recommended ratio to grow yourself faster of:

• 10% Education

• 20% Relationships

• 70% Experiences

This template format and the menu of resources inside it would also be helpful to a broad range of other target job areas and career stages.

Table of Contents

• TARGET JOB

• SKILL ASSESSMENT

  • TECHNICAL COMPETENCIES

    • Compliance & Audit (CISA Domains)

    • Assess Risk (CISSP Domains)

    • Instill Governance

    • Speak ‘Security’ With the Business

  • ENABLING COMPETENCIES

    • Acting Ethically & Professionally

    • Leading

    • Collaborating

    • Managing Self

    • Adding Value

    • Solving Problems & Making Decisions

    • Communicating

• ACTION PLAN

  • 70% EXPERIENCES

    • Hunt (e.g. ask a Mentor) for GRC Stretch Assignmen …

    • Internships, co-ops, entry level roles

    • Start a Blog and/or YouTube channel

    • Volunteer

  • 20% RELATIONSHIPS

    • Mentorship

    • Peer learning

    • Security Community

  • 10% EDUCATION

    • (Audio)books

    • Podcasts

    • Blogs/Newsletters

    • YouTube

    • Free Industry Resources

    • Paid Courses

    • Micro-Certs

    • Certs

TARGET JOB

SKILL ASSESSMENT

Rate your current skill level on a scale from 1 (weakest) to 5 (strongest)

TECHNICAL COMPETENCIES

Compliance & Audit (CISA Domains)

Trust but verify. Are we provably compliant?

• Domain 1. Information Systems (IS) Auditing Process

• Domain 2. Governance & Management of IT

• Domain 3. IS Acquisition, Development & Implementation

• Domain 4. IS Operations & Business Resilience

• Domain 5. Protection of Information Assets

Assess Risk (CISSP Domains)

Is risk level within tolerance?

• Domain 1. Security & Risk Management

• Domain 2. Asset Security

• Domain 3. Security Architecture and Engineering

• Domain 4. Communication & Network Security

• Domain 5. Identity & Access Management

• Domain 6. Security Assessment & Testing

• Domain 7. Security Operations

• Domain 8. Software Development Security

Instill Governance

Does everyone know the company’s risk appetite, and make decisions aligned to it?

• Policies

• Procedures

• Standards

Speak ‘Security’ With the Business

• Cyber Risk Management Action Plan (CR-MAP)

• Customer Security Assurance & Trust Center

ENABLING COMPETENCIES

Source: CPA Competancy Map, which applies perfectly to GRC and many other professions

Acting Ethically & Professionally

• Ethical Behvaviour

• Integrity & Trustworthiness

• Questioning Mindset

• Due Care

• Objectivity

Leading

• Strategic focus

• Risk Management

• Organizational Culture Advocacy

• Influence and Consensus Building

Collaborating

• Inclusivity

• Teamwork

• Relationship Building

• Project Management

Managing Self

• Adaptability, Resilience & Agility

• Initiative

• Continuous Improvement

• Talent Management

Adding Value

• Business Context

• Creativity and Innovation

• Performance Evaluation and Accountability

Solving Problems & Making Decisions

• Issue Identification

• Analysis

• Recommendations

• Implementation and Change Management

Communicating

• Audience and effectiveness

• Active Listening

• Communication

ACTION PLAN

70% EXPERIENCES

Resume bullets to show you can add value from day 1

Hunt (e.g. ask a Mentor) for GRC Stretch Assignments:

• Prepare for and manage an audit through planning, execution and reporting phases

  • Write a SOC2 System Description or ISO27001 Statement of Applicability

  • Check-in with control owners to document or update control narratives and test a sample

  • Manage a gantt chart and weekly status reports

• Perform Third Party Risk Assessments

  • Review intake forms and work with requestor to complete risk assessment

  • Send questionnaires to the vendor and/or review their Trust Centre materials

• Perform Security Risk Assessments

  • Meet with business requestors to fill out a Risk Assessment template and create a Data Flow Diagram

• Create or review security policies and standards with subject matter experts

• Run and report on an internal phishing campaign

• Run a Tabletop Exercise

• Create a Security Awareness campaign focused on CISA.gov Cyber Safety tips

• Run and mature the Security Questionnaire process

• Document Security Operations Centre processes

Internships, co-ops, entry level roles

Start a Blog and/or YouTube channel

As an aspiring cybersecurity professional:

• Learn in public

• Share your story to help others find their path

• Show your skills

Volunteer

• Help not-for-profit organizations, small businesses or sports teams with basic cyber hygiene

• Join a not-for-profit Board of Directors

• Visit a school to talk to students about careers

20% RELATIONSHIPS

Mentorship

• Find and/or Become a Mentor

  • Types: coach, sponsor or connector (link)

  • Top priorities: (1) make it win-win and optimize use of their time (link), find stretch assignments, get CDP feedback,

• Reverse Mentor (link)

Peer learning

• Job shadow

  • GRC, Information Security, Product Security, Internal Audit, IT to learn about their day-to-day responsibilities

Security Community

• Comment on GRC discussions on Linkedin, YouTube, X and social media platforms

• Join Discord server communities

  • Simply Cyber (link): join the community and engage with what you have. No judgment. Everybody starts somewhere.

  • Look for sc-toronto-gta if you’re in Canada

• Attend Conferences

  • Infosec-Conferences (link)

  • Take the initiative to break the ice and network

  • Respond to a Call For Papers

• Join Professional Organizations like

  • ISACA (link)

  • ISC2 (link)

  • ISSA (link)

10% EDUCATION

(Audio)books

• Cybersecurity Cannon (link)

Podcasts

• Darknet Diaries (link)

• Risky.biz (link)

• Life of a CISO (link)

Blogs/Newsletters

• Get and stay informed on current events: helpful for job interviews, daily work and networking

  • Unsupervised Learning (link)

  • Simply Cyber Daily Cyber Threat Brief (link)

  • SANS NewsBites (link)

YouTube

• CompTIA SY0-701 Security+ Training Course // Professor Messer (link)

• CCNA 200-301 // Complete Course // NetworkChuck (link)

• TCM Pentesting for n00bs (link)

• CISSP Exam Cram // Inside Cloud and Security (link)

• Google Cybersecurity Certificate (link)

Free Industry Resources

• NIST Cybersecurity Framework (link)

• SANS Information Security Policy Templates (link)

• NIST SP800-30 Guide to Conducting Risk Assessments (link)

• SOC2 Trust Services Criteria (link)

• CIS Benchmarks (link)

• CIS Controls (link)

Paid Courses

• Simply Cyber: GRC Analyst Master Class (link)

• Simply Cyber: Cyber 101 (link)

Micro-Certs

• AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) (link)

• AKYLADE Certified Cyber Resilience Practitioner (A/CCRP) (link)

Certs

• Security+ (link)

• CISA (link)

• CISSP (link)

• Cybersecurity Certification Roadmap (link)