How hard is it to move from technical InfoSec to Management/GRC?

An interesting opportunity was presented to me at the beginning of the month, and first I had declined the chance to be submitted for it, and then over the weekend I ended up letting the recruiter know I actually would consider it.

Right now I'm working in an information security governance/risk/compliance role with one of the world's largest financial firms. Making in the $70s base, plus bonus. FTE.

The position I was submitted for is a very technical information security role with the state, in one of the states largest departments. It pays a little over $100k W2. It's a 12 month contract with multiple extensions as it's a 4+ year project. The position entails network security; eventually reviewing the current network architecture and developing a plan to simplify it and create a layered network security structure as well; network risk assessments; systems and overall security risk assessments; monitoring, configuring and implementing new malware scanning and vulnerability scanning tools; penetration testing of the network, systems, software, etc; a complete software refresh bringing up the operating systems to either Windows 7 or 8; bring all the systems up to at least conform to current FISMA standards, and then there is policy and procedural work. I need to inquire to see if there is any more GRC component to job as well as that is my bread and butter. It would require me to move from Tampa to Tallahassee, but I honestly wouldn't mind that at all. Basically the network, systems, and security for this department is all out of sorts and needs to be completely revamped top to bottom. Hence the four or more year long project.

This is the opposite of what I am doing right now on the GRC side of things, however I have a huge interest in doing this kind of technical work. And from the description, this is the kind of thing that can really make a resume, especially if I do higher end security certs like OSCP, CCNP Security, and such.

I've found it extremely difficult to break into a very technical security role with my experience being in IAM/GRC, so should this pan out, it would be tough to turn down. And the raise is nice too. However my much longer term goal is to get into management, or a really high level GRC position. So if I were to move from GRC, to technical security for say 4-10 years, would it then be too difficult to move either into management or back into a GRC role? I'm wondering if our InfoSec folks here have any experience with that or thoughts.

Find more posts tagged with

Comments

the_Grinch

I'm in a GRC role and honestly without the technical background I wouldn't be able to do my job. I believe you would be more then fine moving to a technical role and then back to GRC after sometime.

lsud00d

No personal experience but it sounds like a great opportunity and an excellent progression for professional experience. In addition, since you are GRC currently, GRC + very technical would make for a great manager combination. Or, segue back into GRC with an even better breadth of knowledge than held prior.

colemic

With such a large raise, I'd do it in a second, even if I had to crawl/walk/run into the position. Especially if you get state bennies/retirement (not sure)

chickenlicken09

jojo this one is for you, how important do you think it is to have a business background also for the grc route?

JoJoCal19

eddo1 wrote: »

jojo this one is for you, how important do you think it is to have a business background also for the grc route?

While I don't think it's a must, I do think in today's economy it helps. I think companies definitely like someone who understands the business side of things. Anytime you can try and translate technical needs, or on the GRC side identifying and fixing gaps or ensuring compliance, into cost savings for the company, that's a huge positive.

As an update to this post, I am in a role that has more technical duties but nowhere near what I was hoping to move to. Sadly the network team handles the bulk of firewall and IDS/IPS stuff, and we just audit what they are doing. I was hoping to be able to get into more hands on in that area. Depending on how the next two years go, I see myself ending back up in the GRC world.

GoodBishop

Something to keep in mind - make sure the contract work pays benefits. If you're only getting paid 100k, and your 70k job has, say, 30k of benefits, then it's pretty much a wash then, correct?

N2IT

Benny's usually average out at 15 - 17. Usually

Cyberscum

You have to somehow gauge the hiring personnel/organization and make sure they are getting you into the advertised role. I know of a few people (including myself) that were given the old bait and switch to get a GRC guy. If you know for a fact that you are getting into a tech role do it in a heart beat.