Governance and Compliance

Russ5813 Member Posts: 123
Hello everyone. I've a long-term career goal of moving into InfoSec; specifically, governance and compliance. I have a background in law enforcement where I was a supervisor for several small, specialized teams (10-15 members). As a supervisor, I was responsible for knowing organizational SOPs, federal/state laws, jurisdictions, and implementing appropriate training. I also wrote several LOIs and SOPs for my sections. I enjoy reading/writing policy and training people, and I'm hoping to some day apply this experience to my IT career, which is currently in its infant stages.

I understand that I'll need to put in the time to gain more real-world IT experience, but I also want to be prepared for when that opportunity finally arises. I follow groups/people/trends that pertain to InfoSec and try to stay sharp by reading publications from NIST, PCI, HIPAA, etc. I think I'm on the right track, but I'd like to hear recommendations from the seasoned pros out there: Are there any resources I could be tapping into to make myself stand out, or better prepare myself? What do you look for in an applicant applying for these sorts of jobs? What sort of jobs, certifications, or training do you view as good prep for moving into a governance/compliance career?

Looking forward to hearing from you guys :)


  • TheFORCE Senior Member Posts: 2,298
    Look on LinkedIn or search for the term "GRC" (Governance, Risk, Compliance). Most people in that field have either Sec+ as a minimum or CISSP as a recommended, and then the ISACA certifications like CISA, CGEIT, CRISC, CISM. Don't look at only the certifications though; for GRC it usually helps to have, like you said, knowledge of controls, and you need to be somewhat business oriented, as a lot of the things you will deal with will have to do with the business side. GRC is not very technical, but technical knowledge will give you an edge for sure. So far you are on a good path; look into those certifications and see which one aligns with your goals more or which one is more relevant in the industry now.
  • 636-555-3226 Member Posts: 976
    Policies are simple, high-level statements regarding the organization's position on a topic. No real security knowledge needed here, just business and personal acumen, as you've got to talk to the business to find out what their position is. Something like "Organization puts forth a reasonable effort to keep its systems free of malware." (I prefer "soft" policies, if you couldn't tell. Convinced they're better b/c they're more realistic.) In a candidate working on policies I'd look for business and management-relationships experience. That said, I wouldn't interview you because you'd take my job, and we can't have that, now can we!!!

    Standards do require some more technical know-how as you need to set the minimum expected behaviour required to support the policy you created above. Here's where you need to get into the 101 and 201 level. 301 is too deep. Security+ is a good starting point. I generally self-promote my thread at
    Here I'm looking for someone with that security 101/201 level and, perhaps more importantly, knows that material exists to help set these standards (NIST SP800 series, COBIT, ISO 27k, Shared Assessments, PCI, whatever your org's flavor is). You really just need to know which of these baselines to adopt (usually based off of a framework if the org has adopted one, which they usually haven't) and how to interpret what's written in that baseline. And then translate those technicalities back into business speak when you're doing your regularly scheduled (monthly/quarterly) meeting with your security steering committee made up of very high-level execs.
  • Russ5813 Member Posts: 123
    Thanks gents, I appreciate the feedback!

    @TheFORCE, I've looked into CISA in the past and unfortunately do not meet the work experience requirements yet (although I'm definitely interested). I've looked at CISSP as well, whose domain requirements are a little more ambiguous than CISA's, and am wondering if my past experience in LE and security (asset protection, phys sec, access control, etc.) would qualify. My only concern then is how it would look to potential employers, even if my experience was accepted and I certified. I worry that a CISSP with only a year of actual IT experience may be viewed unfavorably by employers.

    @6, surely if I were interviewing for your job, it would mean you've moved on to bigger and better things! I have read your thread in the past and it was certainly helpful. I hadn't really thought about COBIT, but it makes sense. I don't know if I'll certify unless a job specifically requires it, but I'll definitely add their foundation book to my reading list. To your point about business speak: I had a talent for translating "legalese" into vernacular readily absorbed by the general public. It sounds like a talent that would serve me well in this realm :)
  • TheFORCE Senior Member Posts: 2,298
    Try and get an entry-level IT job and do it for 2-3 years. Your Security+ will take away 1 year of experience, but you still need 3-4 depending on the certificate you take. Fortunately for you, any entry-level IT job will touch on many domains that are covered by the certificates. Some of your experience will also count. Unfortunately, the higher certificates do require you to put in the time to get some relevant IT experience. No other way around it.