As a long-time fan of CISO Tradecraft, I jumped at the chance to meet G. Mark Hardy. We got into removing barriers to breaking into cybersecurity GRC, and in the last 10 minutes I shared csf_profile, an entry-level project I started with Gerald Auger for Cybersecurity Framework profile assessments. If you're looking to break in or level up, it makes a great addition to your toolkit and career development plan.

The path into GRC can be hard to see from the outside, and a show built for security executives putting a spotlight on how newcomers contribute real work is exactly the kind of signal that helps people find it. So let me lay it out the way it came up on the show, and how you can put it on your own Career Development Plan this week.

The project: a NIST.gov-listed tool you can contribute to

It's called the CSF Profile Assessment Database, a companion resource to the NIST Cybersecurity Framework included in NIST.gov community resources. The idea started with John Masserini's NIST CSF Maturity Toolkit, which a CISO sent me back in the day to help our GRC practice, and it grew from there.

CSF itself is the clearest guidance I've found for organizing security work: six functions, 22 categories and 106 sub-categories you work through, lather, rinse, repeat, across all of governance, risk, and compliance.

As Dr. Gerald Auger puts it:

Working through the outcomes in the Cybersecurity Framework is how you become a baller GRC analyst!

The csf_profile assessment database takes that guidance out of NIST's loose spreadsheets and transforms it into formats you can better apply and build on:

  • Flattened tables with all the NIST guidance in one place: drop them into your AI assistant or Excel

  • A React app that runs the assessment workflow locally, so you get a feel for what a SaaS GRC tool is like without paying for one.

  • Notion and Atlassian (Jira/Confluence) templates — the same CSF data in formats that fit a real enterprise. I'm using the Notion one daily right now while I stand up a new GRC function at a new job.

  • A fictional company, Alma Security, to practice against — a business case, income statement, and backgrounder, building on Daniel Miessler's open-source sock-puppet company, so you can do real risk work without needing anyone's confidential data.

It's all open and still evolving, which is exactly what makes it a great place to jump in.

What you can do with it

Here's the opportunity, framed as a stretch assignment you can write into your Career Development Plan. There are three ways in, depending on where you're standing, and each one pays off differently.

1. You're already in a business.

Use the spreadsheets, Notion, or Atlassian templates to organize compliance, risk and governance practices. Run quarterly CSF profile reporting. Map your risk assessments to CSF subcategories. Pull implementation examples for audit test procedures. Drop the flattened CSF data into a Custom GPT, a Gem, or a Claude Project for quick lookup and drafting. You can start adding value with it the same day - no procurement, no license.
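To make "run quarterly CSF profile reporting" and "map your risk assessments to CSF subcategories" concrete, here is an added example of what that workflow looks like in code. It is not part of the csf_profile project or its React app; it assumes a flattened CSF table reduced to a few rows (the subcategory IDs follow the real CSF 2.0 scheme such as GV.OC-01, but the outcome wording, the 0 to 4 scoring scale, the assessment answers and the risk register entries are all constructed for illustration).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    function: str    # two-letter CSF function code, e.g. "GV"
    category: str    # category ID, e.g. "GV.OC"
    sub_id: str      # subcategory ID, e.g. "GV.OC-01"
    outcome: str     # constructed summary wording, not NIST's text


# Constructed sample of a flattened CSF table: one or two rows per function.
CSF_ROWS = [
    Subcategory("GV", "GV.OC", "GV.OC-01", "Organizational mission informs risk management"),
    Subcategory("GV", "GV.RM", "GV.RM-01", "Risk management objectives are agreed"),
    Subcategory("ID", "ID.AM", "ID.AM-01", "Hardware inventory is maintained"),
    Subcategory("ID", "ID.RA", "ID.RA-01", "Asset vulnerabilities are identified"),
    Subcategory("PR", "PR.AA", "PR.AA-01", "Identities and credentials are managed"),
    Subcategory("DE", "DE.CM", "DE.CM-01", "Networks are monitored for adverse events"),
    Subcategory("RS", "RS.MA", "RS.MA-01", "Incident response plan is executed"),
    Subcategory("RC", "RC.RP", "RC.RP-01", "Recovery plan is executed"),
]

# Constructed assessment answers: sub_id -> (current score, target score),
# each on a 0 (not implemented) to 4 (fully implemented) scale.
ASSESSMENT = {
    "GV.OC-01": (3, 3),
    "GV.RM-01": (1, 3),
    "ID.AM-01": (2, 4),
    "ID.RA-01": (2, 3),
    "PR.AA-01": (4, 4),
    "DE.CM-01": (1, 3),
    "RS.MA-01": (3, 3),
    # RC.RP-01 is deliberately left unassessed to show how that is reported
}

# Constructed risk register, each risk tagged with the subcategories whose
# outcomes would reduce it.
RISK_REGISTER = [
    {"id": "R-001", "title": "Unpatched internet-facing servers",
     "subcategories": ["ID.RA-01", "DE.CM-01"]},
    {"id": "R-002", "title": "Unknown assets on the network",
     "subcategories": ["ID.AM-01"]},
]


def profile_gaps(rows, assessment):
    """Return (sub_id, current, target) for every assessed subcategory below target."""
    gaps = []
    for row in rows:
        if row.sub_id in assessment:
            current, target = assessment[row.sub_id]
            if current < target:
                gaps.append((row.sub_id, current, target))
    return gaps


def unassessed(rows, assessment):
    """Subcategories in the table that have no answer yet."""
    return [row.sub_id for row in rows if row.sub_id not in assessment]


def coverage_by_function(rows, assessment):
    """Fraction of each function's subcategories at target; unassessed rows count as unmet."""
    met, total = defaultdict(int), defaultdict(int)
    for row in rows:
        total[row.function] += 1
        current, target = assessment.get(row.sub_id, (0, 1))
        if current >= target:
            met[row.function] += 1
    return {fn: met[fn] / total[fn] for fn in total}


def map_risks_to_subcategories(register, rows):
    """Invert the register to sub_id -> [risk ids]; an unknown ID raises so typos surface."""
    known = {row.sub_id for row in rows}
    mapping = defaultdict(list)
    for risk in register:
        for sub_id in risk["subcategories"]:
            if sub_id not in known:
                raise ValueError(f"{risk['id']} references unknown subcategory {sub_id}")
            mapping[sub_id].append(risk["id"])
    return dict(mapping)


def quarterly_report(rows, assessment, register):
    """Plain-text profile report: coverage per function, gaps with linked risks, unassessed rows."""
    lines = ["CSF profile report"]
    for fn, frac in sorted(coverage_by_function(rows, assessment).items()):
        lines.append(f"{fn}: {frac:.0%} of subcategories at target")
    risks = map_risks_to_subcategories(register, rows)
    for sub_id, current, target in profile_gaps(rows, assessment):
        linked = ", ".join(risks.get(sub_id, [])) or "no linked risk"
        lines.append(f"GAP {sub_id}: {current}/{target} ({linked})")
    for sub_id in unassessed(rows, assessment):
        lines.append(f"UNASSESSED {sub_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(quarterly_report(CSF_ROWS, ASSESSMENT, RISK_REGISTER))
```

Two design choices matter for real use: an unassessed subcategory is reported rather than silently skipped, so a quarterly report cannot look complete when it is not, and a risk that references a subcategory ID missing from the table fails loudly, which catches the copy-paste mistakes that creep into registers maintained by hand.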

2. You're new to GRC and want a portfolio piece.

Install and spin up the React app, start an assessment from scratch, and run it against the Alma Security case. Produce a work product - something like this cybersecurity audit report. You come away with proof you can do the work, against a company realistic enough to be convincing, without the access problems that usually keep volunteers out of real environments. Want a step-by-step? Here's the on-ramp for a first contribution.

3. You've never touched GitHub.

Zoom out from GRC entirely. In the age of AI agents, a GitHub portfolio is genuinely worth having, and csf_profile is a friendly entry-level project for a first contribution - either documentation (no code) or code (add a feature, squash a bug).

The on-ramp is simple: open the repo, go to the Issues tab, filter for good first issue. You'll find a mix of "squash this bug," "add this feature," and the one people tend to overlook - no code required. Pick a subcategory of the framework and answer two questions: what test procedures would you request, and what artifacts would you provide? Do it against Alma Security. That's a contribution, and your name goes on it.

Here's a one-page map of how the pieces fit together.

What you get out of it

On the show, G. Mark put the payoff well:

You can get your name there on the NIST page if you go ahead and create and contribute something. That is a huge confidence builder when you get recognized by a large or major organization that says, 'Wow, you've done something of interest to the community.'

If you think you're "not technical enough"

A quick word for anyone who assumes this isn't for them, because that was me once.

Aspire towards a 20% technical depth across the domains, plus one domain you go deeper on. GRC isn't a functional expert stuck in a swim lane - it's a generalist who sees the whole board, a bit like an outside auditor. The CSF Profile work is a place to show both at once.

GRC isn't paperwork or the department of no. At its best it's decision support - a compass that helps the business see its real, calibrated risk so it can move fast with control. G. Mark shared the metaphor that what lets you drive a car faster isn't the bigger engine, it's the better brakes.

The work nobody volunteers for is often the easiest way in. Documentation, test procedures, time with the framework. It's not the leftover task; it's open territory with little competition. Fill your boots.

A simple next step

Here's an order that works:

1. Open a Career Development Plan. Map your skills against the GRC competencies and find your gap. Template here.

2. Pick one on-ramp above. For most career-changers, that's #2.

3. Run one assessment against Alma Security, or claim one good first issue on the repo.

4. Ship it somewhere a hiring manager can see: a public repo, a Notion page, a blog post.

There's plenty of room to make this better: clearer example assessments, smoother templates, a friendlier runway for the next person. Pick up a piece and improve it, and you help everyone who comes after you while building proof of your own.

The path in is real, and so is the work. Other people told me it was possible, I made it through to the other side, and the same is open to you. Bring your questions to the Simply Cyber community, or reach out to me directly.

---

Watch the full conversation on CISO Tradecraft with G. Mark Hardy. The book is How to Break Into GRC: Mindset, Methods, and Skills. The project is the CSF Profile Assessment Database.
