How to Break into Cybersecurity GRC: 3 First Steps

Rant Epilogue Part 1


People are engaging in the GRC careers conversation

A Reddit post of my rant part 1 about why GRC is underrated got, in 48 hours: 92 thousand views, 231 shares, 195 upvotes and 143 comments. If you’ve already joined that discussion, thank you; it’s super cool to be bringing newcomers into the conversation. And if you haven’t yet, jump on in.

See if GRC is a good fit for you, either for the long haul or as a temporary rotation to enrich the skills you bring somewhere else. I’ve found it to be a great place for meaningful work and meaningful relationships, which is what it’s all about, and I think more people can do the same if, as a community, we can give candidates a realistic job preview of what GRC is and what it isn’t.

Today I’ll hit the big question that came in over and over again: How do I break into GRC?

And I’ll do that with some foundational first steps that I personally took:

  • Immersion in Books, Podcasts and Blogs

  • Target a Job and Identify Your Gaps

  • Make a 70-20-10 Career Development Plan

Then in a future part 2 and maybe even a part 3, I’ll hit some other great topics and themes that came up in the discussion.

But today, with some urgency, I want to help you get started on your foundational first steps if you’re coming from the outside, and to learn more so you can see if it’s a good path for you.

The best time to plant a tree was 20 years ago. The second best time is right now. So let’s go.

Top Question: How to Break into GRC?

Some specific questions here:

How did you transition into GRC?

I want in, any tips?

I like MeanGreenClean’s tip about familiarizing yourself with frameworks. A great free one to download, and the one I’d start with, is NIST CSF 1.1.

What’s the best way to get into GRC?

Any certs?

One cert I’ll mention is the CISA (Certified Information Systems Auditor), which I found to be surprisingly impactful in my breaking in.

I’m involved with Sarbanes-Oxley, ISO27001 and SOC2 audits, and this cert helped me upskill for these. I did it to be a Financial IT auditor, without even knowing that it was going to help me get into Security later, but that’s exactly what it did.

I think to my Cybersecurity hiring manager it demonstrated some credibility that this business guy, a bean counter from Finance, knows some basics about IT.

I also found it helpful when, during an external ISO27001 audit, I was asked for professional qualifications in order to pass a competency control.

How do I transition from an engineering role?

In the subreddit, Ched replied to check out jobs for GRC Analyst, Risk Specialist or ISO auditor, which I think is a good reply.

What about manufacturing operations?

In response to this question, I’d suggest targeting Compliance as a GRC entry point and then working your way up to Risk. Compliance is an entry-level feeder role, especially if you’re renewing an already mature control environment (which I call “farming” as opposed to “hunting,” since you get to review last year’s file of workpapers as a starting point).

Using that file you can then prepare a checklist of questions to ask a control owner who has probably been through the drill before, so they know what to expect and what to do. Of course this checklist-based approach is a common source of issues and complaints if the auditor doesn’t have a sufficient understanding of the control subject matter, but that’s a bigger topic for another day.

You’re junior, starting with limited knowledge of the technical controls you’re testing (for example Core Networking, Contract Management or Site Reliability Engineering), but your knowledge grows as you work the checklists and as you study and OSINT whatever topics you’re auditing. Google search and affordable IT courses are your friends.

Then building from that foundation you can elevate into Risk, because now you have better technical chops, a better understanding of the business and the people, and you can identify the questions that are missing from the checklists.

You can also ask better questions about what can go wrong in risk assessments, grounded in the experience you gained from compliance.

Next we’ve got a person who went from software engineer to PM to IT manager to GRC, and who’s loving it. They note that:

The field is not remotely as boring as you think. You keep learning new stuff every day.

I agree. Then there were these replies:

What are the minimum requirements to get into GRC?

How did you transition into GRC?

Commenter NachosCyber layers in how GRC can round you out for a progression to the top job, CISO.

They say the pay and work/life balance are great, but you need experience and certs. And you need to be able to analyze, gather and present well; otherwise GRC is not where you want to be.

These are some great points to consider in your pros-and-cons and fit analysis. I agree with them. I’d also pile on to this the thought that, just like any other job, GRC can be very different depending on the industry, the company, the team and the culture. So there’s no one-size-fits-all answer: “it depends”.

An SMB or a startup would be one end of the scale, and a Fortune 500 or government entity would be on the other. Also, most teams have a mix of finders, minders and grinders. So we of course have to consider personality traits and team dynamics.

Critical thinking, though, is definitely the key skill. If you can solve hairy problems with integrative thinking and bring order to the chaos, you’ll go far.

Concrete first steps to break into GRC

Step 1: Immersion in Books, Podcasts and Blogs

Step 1 for me was starting to immerse myself in the real-life spy-vs-spy and cyber-criminal stories, a portion of which are on the slide here. This is the Cyber Canon website, which is a vetted list of books telling great stories about what’s going on in the world of cyberspace.

These stories are fascinating, and for me were incredibly eye-opening: I learned that cybersecurity is a public-private partnership to fight crime, espionage and war in the fifth domain, cyberspace. So after land, sea, air and space, the first 4 domains, we need cybersecurity people to join the fight in the fifth domain, to protect our economy and national security. Wow, now that’s a compelling mission!

Getting the big picture from these stories then helped pull me through the weeds of studying later on. For example, when I first saw the SMB protocol (Server Message Block), it was on a death-by-PowerPoint eye-chart slide, super dry, and I had zero retention of it. I didn’t understand what it was and didn’t care. It was just letters in an alphabet soup.

Then in these books I learned that SMB has famous exploits that were used in the WannaCry ransomware attack, which ransomed 230,000 computers in 150 countries, and in NotPetya, which the White House says is the most costly cyberattack in history.

Learning this made me want to go back to that boring slide and learn all about SMB. And it made the training fun.

And then, as you start getting pulled into the mission of wanting to protect people after hearing the stories in these books, you can pour some gasoline on those flames of curiosity with some great podcasts that are out there.

Darknet Diaries tells real hacking stories, often with real hackers, some of them reformed criminals, in a very attention-grabbing way.

400,000 people subscribe to this. It’s very popular. And then Risky.Biz is another top podcast I never miss, with weekly news.

There’s an ocean of great podcasts out there, but these are just two that I started with and stuck with, that are very easy to recommend to people that want to take some first steps.

One more podcast I’ll add to this super short list is Unsupervised Learning from Daniel Miessler.

I first learned of it in 2020, in a how-to-land-your-dream-cybersecurity-job course that I’ll show you in the next slide, where his blog post “How to Build a Cybersecurity Career” was recommended reading.

When you ask how to break in, if I could only send one link it would be this blog post.

Next: that course where I discovered Unsupervised Learning was this one with Kip Boyle, and since then he’s teamed up with Jason Dion. Two awesome guys that have helped a lot of people break in.

Step 2: Target a Job and Identify Skill Gaps

One of the first things I worked through in this course, which you might find helpful, is the Your Cyber Path mind map out on Twitter.

From Start Here I said I’m mid-career, non-IT, working at a technology company. I’m doing some IT auditing, which is neat to see connected to Cybersecurity; I didn’t realize that I was already doing Cybersecurity work while in Finance. But I guess that makes sense, because there are a lot of IT systems in finance that need protection.

This aligns with some advice from a mentor once, who was way up in upper management, who said to try and find branches on the same tree trunk of your career, as opposed to starting an offshoot and growing a new tree. And this mind map helped me find a branch on the trunk of my career tree that I didn’t even know existed. I think a lot of people in business and accounting would be in the same boat: there’s the branch here of Cybersecurity GRC that they’d be good at, and they don’t even know that it’s there.

GRC Analyst is written on this page, but when I went through it I didn’t know what GRC stood for. It was weeks later in the course where I learned what it was, had an epiphany, locked my sights on GRC, chased after it, got in, went out of the frying pan into the fire, persevered, learned lots, had fun, made lifetime friendships, got good outcomes and the rest is history.

Step 3: Create a 70-20-10 Career Development Plan

More on both steps 2 and 3 is currently on my YouTube channel and will be summarized in more detail in future blog posts.