GRC Certification Roadmap

Recommended Training and Certs v1.0


Do We Really Need More Cybersecurity Certs?

The cybersecurity certification landscape has exploded in recent years, with new training offerings popping up seemingly every month. Hiring managers often prefer certified candidates because employee loyalty isn’t what it used to be, but do we really need more certs after this alphabet soup?!

Some experts say yes, citing issues with existing certifications being created in a vacuum without hiring manager input, focusing too much on knowledge and not enough on practical skills, and rising costs. But what really determines the value of a certification?

It comes down to employer recognition and demand. If a cert isn't on the job description, hiring managers might not know what it is, or worse, your resume might not even make it past the applicant tracking system (ATS). It's frustrating for applicants, but understandable given the high volume of applications employers receive.

That said, less well-known certifications and courses can still be valuable. They unlock resume bullets that get recognized and teach you new skills to apply in your current role, opening up new opportunities to add value. That has been my experience, for example in bringing the NIST Cybersecurity Framework (CSF) back to my day job, or in starting to make Security Awareness training videos after taking the GRC Masterclass.

So what certs are in demand? According to job postings on Cyberseek, Security+ dominates a top 6 list as follows:

The certification landscape has evolved significantly since the fourth-placed Certified Information Systems Auditor (CISA) launched in 1978, with significant price increases as the industry has grown. Some consider the higher prices a "cash grab" by what are now large, bureaucratic organizations.

Year    Company        Cert or Course
1978    ISACA          CISA
1994    ISC2           CISSP
2002    CompTIA        Security+
2005    BSI            Lead Auditor ISO 27001
2012    SANS           GCCC
2015    ISC2           CCSP
2022    Simply Cyber   GRC Analyst Masterclass
2023    Google         Cybersecurity Professional Certificate
2023    Simply Cyber   Cyber 101
2024    AKYLADE        A/CCRF
2024    AKYLADE        A/CCRP
2024    AKYLADE        A/CRMF
2024    AKYLADE        A/CRMP

Enter innovative startups like Simply Cyber and AKYLADE, aiming to provide leaner, practitioner-focused offerings at lower cost. They are able to get closer to what hiring managers actually need today, which is why they are central to my GRC Cert Roadmap below, and why I am affiliated with them.

They may not be as recognizable to the ATS as the established certs, but the resume bullet points they unlock are.

Bottom Line

Of course, certifications alone don't qualify you to do the job; that is the "paper tiger" problem. Certs have gotten a bad rap because of this, but writing them off entirely means missing opportunities. They are a starting point for getting your foot in the door, especially if you lack experience. And you might actually learn something useful! Education is the smallest, but still a crucial, part of a 70-20-10 Career Development Plan.

"Certs will get you the interview, not the job."

Jason Dion, Co-Founder, AKYLADE

What Certs Are Best for GRC?

Great question, and the reason I made this roadmap and compiled the cost comparisons below. Views expressed are my own and feedback is welcome. Which ones are you going after, and which ones did I miss? Let me know in a YouTube comment, subscribe to my blog and reply to the welcome email, or find me outside 9-to-5 on the Simply Cyber Discord under grc-team-life.

Appendix 1: GRC Certification Roadmap

Beginner

Intermediate I

Intermediate II & Expert

Appendix 2: Prep + Exam Costs

Runners Up

Summary Table