For anyone working in GRC (Governance, Risk, Compliance) field?

How did you get started and what title do you now hold? Do you find it an interesting area and are there good career prospects?

Where would be my starting point? I will be doing security+ soon anyway as i find the material interesting.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

JoJoCal19

I just left my GRC position at one of the worlds largest financial firms. My title was AVP-Information Security Risk Management. I moved into GRC from IAM. What helped me is my varied experience including business, as well as my business undergrad degree, and of course the CISSP and ITIL were of interest to the hiring manager.

I did, and still do find GRC interesting and while I have left the GRC world, I definitely see myself re-entering at some point down the road after I get my MBA. I think ultimately whether you think it's interesting or you are happy, will depend on the specific role and company you work for. In the role I just left, I was not challenged near enough and I mastered everything within months. I do think career prospects are great for GRC and specifically risk management. If you want to know whether it's something that will interest you, hop on Indeed.com and search for security risk management, or search for CISSP and then click on the job listings for risk or compliance jobs and look at the duties. Also pick up a security risk management or security compliance book and read through it to see if the topics interest you.

Cyberscum

I got started through military channels in the National Guard. I joined in the cyber space realm (Cyber Surety) and they gave me the training and clearances I needed to literally get a GRC job anywhere. I worked for the military full time right after my training school as a GS-11 and got hired by other federal agencies to where I am now. I had a hard time in the GS-11 role because I learned the material so quickly that I got really freakin bored. I am now in a role that is heavily based on R&S and emerging and new technologies so I literally love it because everything is so diverse and continually changing.

Also, in the world I work in now we work with technologies that do not abide by many rules, so we make the rules up as we go and use our security background to be a secure as possible moving forward. In my other roles in GRC, the policies where used to usually stop new technologies, now we enable the use of new technologies through security design. I am much happier in the role I am in now, so it depends a lot on the role you are in. BTW I am an ISSM/ISSO/Security design.

I started with zero IT knowledge and got security+ first.

chickenlicken09

looks like security+ and then the cissp so. have ye guys got sox experience? how would i get it? seems to be required for
a few roles within this area.

pinkydapimp

eddo1 wrote: »

looks like security+ and then the cissp so. have ye guys got sox experience? how would i get it? seems to be required for
a few roles within this area.

For this space, your going to want to familiarize yourself with all the major regulatory requirements like SOX, FINRA, PCI, GLBA, EU privacy, etc. All this info is public so google is your friend there. The requirements are always changing as well so your going to want to find some good blogs and subscribe to them to keep up.

But to answer your question. CISSP will be a great start as it gives you a nice wide base of knowledge in the security space. Sec+ cant hurt either, also ccna security is really really easy so id grab that as well to pad your resume.

chickenlicken09

yeah i would be aiming to get into a fairly basic role first with the opportunities available.

pinkydapimp

eddo1 wrote: »

yeah i would be aiming to get into a fairly basic role first with the opportunities available.

thats ok. in this space, you want to have knowledge of the basics as well as the big picture. Thats why a strong networking and os foundation is great in infosec.

chickenlicken09

im thinking security+, itil, ccna(i have) and ccna security, maybe linux+ too. would this be a good foundation? i also have my degree and currently 5 years experience.

pinkydapimp

eddo1 wrote: »

im thinking security+, itil, ccna(i have) and ccna security, maybe linux+ too. would this be a good foundation? i also have my degree and currently 5 years experience.

thats plenty.

GoodBishop

I'm a GRC Manager for a large corporation. I started my career at help desk, then moved to sr. minion, then spent some time in audit, and moved over here.

If you're looking for a analyst role, look at stuff like Security+/CISSP (skip the SSCP)/CISA/CISM route.

It is a very interesting field and there are excellent career prospects!

chickenlicken09

i would be afraid of spending my time doing cissp only to not get anywhere. is this the best/more direct route even for someone just trying to break into this area?

chickenlicken09

hey, so this role i came across looks like something i would like to get into. does it seem like a good role?
for this particular role do you think they would take the cissp alone or would all of them be required?

https://standardlife.taleo.net/careersection/global+sl+external+career+site+eng/jobdetail.ftl?job=1401521

pinkydapimp

eddo1 wrote: »

i would be afraid of spending my time doing cissp only to not get anywhere. is this the best/more direct route even for someone just trying to break into this area?

Yes. But you need the experience to get a CISSP.

pinkydapimp

eddo1 wrote: »

hey, so this role i came across looks like something i would like to get into. does it seem like a good role?
for this particular role do you think they would take the cissp alone or would all of them be required?

https://standardlife.taleo.net/careersection/global+sl+external+career+site+eng/jobdetail.ftl?job=1401521

Yes that seems like a great role. Now, work to get some of those requirements and you will be on your way. Looks like its asking for any of those certs. Not all of them. Obviously having all might give you a leg up on the competition though. All of those certs require a good amount of experience to achieve though. So keep that in mind.

chickenlicken09

ya thats my problem, experience in this area. i dont know where to start! (any ideas) if i was to apply at the moment with a cissp i imagine i would not be looked at.

Cyberscum

The verification of experience for the CISSP is a joke. That whole cert has lost alot of cred as of late.

You said you have a degree and 5 years exp....So whats the prob

chickenlicken09

sorry i meant no experience directly related to that particular role, do you reckon they may consider me for it?
my background is mainly i.t support/network admin.

Cyberscum

eddo1 wrote: »

sorry i meant no experience directly related to that particular role, do you reckon they may consider me for it?my background is mainly i.t support/network admin.

For the job you posted. Explain what you do in you IT sup/Net Admin role?Do you have (CISA)(CISM)(CRISC)(CISSP)(or equivalent) Does your job entail any of this:

IT experience in one or some of the following areas:
- IT “first line” role either as technician, delivery or management/leadership
- IT “2^nd line” role – providing risk support, review and challenge to an IT functional area
- IT “3^rd line” role – auditing an IT functional area

Part of getting a job is selling yourself…Well more than just part, maybe all of it. I can literally take any part of my job and have it apply to various roles I would like to be in. I am sure in a net admin role you deal with sec policies, securing network devices, teaching users about security etc… Apply and see what happens.

chickenlicken09

cheers, i prefer the edited reply

yes no harm in applying.

chickenlicken09

how important is it to skill up in the GRC area compared to the technical area?

the_Grinch

I am a regulator who works in the IT realm. I got into the position through my technical knowledge. Build a firm base in the technical realm and work on the CISSP/CISA then you'll be in good shape.

Cyberscum

eddo1 wrote: »

how important is it to skill up in the GRC area compared to the technical area?

Depends on the job.

You could have a job that does HIPPA/PII compliance that req zero tech abilities other than general knowledge. Or, you could have the same job for a smaller company where you would have to run the scanning tools and design the security structure for compliance.

My advice is this…

1. Figure out where you would like to have a job ie: Hospitals, Social media, Law offices, Banks, Gov, Startups, ISP etc…
2. Search job listings for the specific job you want and note the qualifications they are asking for.
3. Acquire those skills and apply like a madman.

Asking what skills I should have to get a GRC role in security is like asking which car I should work on to become a mechanic. There are many different roles of security and there is no one answer for this question. You need to have a more specific idea of what you want to do to get a better answer.