What do I need to do/have if I want to work in GRC but skip SOC/NOC

I am quite keen to work in GRC, TRA etc. but have limited exposure to GRC directly, infact very little. I have quite a few years experience of PC/Network and Physical security. I have worked on as Systems Admin and with Networking as well. Having spent 15 years in IT and cyber security, I want to move directly into GRC. But have been told by many that I do need to start at NOC/SOC level. I see this as a big step down and a bit discouraging.
I am fully prepared to learn what it takes to come upto speed for GRC roles like Information Security Consultant be it getting certificates like CISM CISA etc. or get some specialized training and can even take a hit on my income for few weeks or months. The questions are
1. is it possible for someone with limited infosec experience to jump straight into GRC and skip noc/soc altogether?
2. if yes, what do I need to do or learn and from where? (may be learn real life experience from cissps/cisms working in this line?)

Find more posts tagged with

Comments

TechGuru80

1. Yes it’s possible...whoever told you that YOU HAVE TO START NOC/SOC are incorrect.

2. Did I miss something? You said you had 15 years in IT and cyber security...can you explain that further? You should be working towards your CISSP and I would do CISA too. Additionally, you can start reviewing frameworks like NIST 800 series, COBIT, and any others that pertain to your organization you work in right now...ISO/HIPAA/PCI etc.

What is the reason you want to be in GRC? Realize that in true GRC roles, your technical skills aren’t going to get used near as often...some people are ok with that and some hate it.

Snooper

TechGuru80 wrote: »

2. Did I miss something? You said you had 15 years in IT and cyber security...can you explain that further?
What is the reason you want to be in GRC? Realize that in true GRC roles, your technical skills aren’t going to get used near as often...some people are ok with that and some hate it.

My time in IT and Infosec is limited to just some of the domains of ISC2. For example I hardly did any designing/ implementation of security framework, never did any TRA project, never applied principles of NIST HIPPA etc. I also never worked with DLM, UAM, QRadar, Arc sight etc. So limited cyber security experience and very very little or no GRC/TRA which excites me ....
beacuse I am tired of working with machines. 15 years is a long time taking care of logs, devices, vulnerability assessments and so forth. I want to be involved in overall design, discussions of security mechanisms rather than being a foot soldier. Of course working with people is not easy but i want to give it a try.
CISSP is done, cism hopefully before Christmas. may be crisc as well.
I am also studying NIST/ISO/HIPAA frameworks, probably will hot PMP and ITIL early 2018.
But my biggest concern is getting some in depth, real life experience of TSA and GRC - How do I get it? May be offer some money to members experienced in GRC and learn it virtually? Offer to volunteer to big organizations? Join some institute but how do I get real life experience?
PS I have studied GRC Archer already. Should I study other similar offerings?

cyberguypr

I'm cringing as I read this because I hate GRC work, but I digress. GRC and technical roles are divergent for the most part. Whoever told you SOC/NOC belongs in your path either had no idea what he/she was saying or was trolling you. If I were you I would do the following:
- Go to LinkedIn and search for some GRC professionals. Take a look at their profiles and particularly their paths
- Go to Indeed and search for GRC roles. Look for the qualifications required. This will give you an idea of where to focus your effort
- Just start applying to those roles that you find appealing. Don't sell your self short. Your experience and certs can certain be leveraged in many ways.

Snooper

cyberguypr wrote: »

I'm cringing as I read this because I hate GRC work, but I digress. GRC and technical roles are divergent for the most part. Whoever told you SOC/NOC belongs in your path either had no idea what he/she was saying or was trolling you. If I were you I would do the following:
- Go to LinkedIn and search for some GRC professionals. Take a look at their profiles and particularly their paths
- Go to Indeed and search for GRC roles. Look for the qualifications required. This will give you an idea of where to focus your effort
- Just start applying to those roles that you find appealing. Don't sell your self short. Your experience and certs can certain be leveraged in many ways.

cyberguypr
Thank you very much for your detailed reply. You have touched some very good points to find out about the paths taken by other GRC practitioners. And I really liked your hint to leverage certs and expereince in different ways - indeed sometimes how we explain or perceive things can become a stumbling block.
I would love to know why you cringe and hate GRC work? Is it because it involves too much theory, too much politics, too much client interfacing, too much BS?

Snooper

I will really appreciate if someone can give me some pointers regarding the following so I can understand daily life of GRC professionals and make an educated guess as to whether it will be my cup of tea:
"But my biggest concern is getting some in depth, real life experience of TSA and GRC - How do I get it? May be offer some money to members experienced in GRC and learn it virtually? Offer to volunteer to big organizations? Join some institute but how do I get real life experience?
PS I have studied GRC Archer already. Should I study other similar offerings?"

cyberguypr

I'm a technical guy, so GRC bores me and makes we want to poke my eyeballs out. Don't get me wrong, many elements cross over into my area and that is fine, but I can't imagine myself doing solely GRC stuff.

JoJoCal19

GRC guy here. Whoever told you to start in a NOC/SOC, stop listening to them for career advice. For GRC roles it helps to have understanding of the business, policy and procedures, and frameworks such as COBIT/NIST/ISO, and then PCI/HIPAA/GLB/SOX regulations. Have knowledge of auditing and risk assessments.

Like cyberguy said, some people are bored to death doing it. I love it though. I did the Sr Sec Engineer thing and you really have to devote a lot of time to staying up on the threat landscape, technology, etc if you want to actually be effective and at the top of your game. Even though it was "fun" and every day was different, I got burnt out. Working in the GRC/Audit side, its laid back. It comes to me much easier as well. Yea it can be "boring", but I like the laid back nature of it. Plus in the GRC side the job is usually deliverable based, so you just have things that need to get done and you can have a little to a lot of leeway to work how you want to. For me, I work fully remote, and work when, where, and how I want as long as deliverables are met. It's a sweet gig honestly. I arrange my day how I want and can run errands, attend school functions, and stuff like that. You don't get as much leeway with the technical side, so if that's something that is important to you, GRC is a good area to look at.

Snooper

Thanks for replying. Based on my disposition and the fact that I am tired of sitting on my derrier for years and years, I think GRC would be a better fit for next job.
The one problem I will have to figure out is how to get real world experience such as case studies etc.

JoJoCal19 wrote: »

GRC guy here. Whoever told you to start in a NOC/SOC, stop listening to them for career advice. For GRC roles it helps to have understanding of the business, policy and procedures, and frameworks such as COBIT/NIST/ISO, and then PCI/HIPAA/GLB/SOX regulations. Have knowledge of auditing and risk assessments.

Like cyberguy said, some people are bored to death doing it. I love it though. I did the Sr Sec Engineer thing and you really have to devote a lot of time to staying up on the threat landscape, technology, etc if you want to actually be effective and at the top of your game. Even though it was "fun" and every day was different, I got burnt out. Working in the GRC/Audit side, its laid back. It comes to me much easier as well. Yea it can be "boring", but I like the laid back nature of it. Plus in the GRC side the job is usually deliverable based, so you just have things that need to get done and you can have a little to a lot of leeway to work how you want to. For me, I work fully remote, and work when, where, and how I want as long as deliverables are met. It's a sweet gig honestly. I arrange my day how I want and can run errands, attend school functions, and stuff like that. You don't get as much leeway with the technical side, so if that's something that is important to you, GRC is a good area to look at.

TechGuru80

Snooper wrote: »

Thanks for replying. Based on my disposition and the fact that I am tired of sitting on my derrier for years and years, I think GRC would be a better fit for next job.
The one problem I will have to figure out is how to get real world experience such as case studies etc.

Apply to management and GRC roles...you will get experience right away. You aren’t going to get direct experience other than reading the documents (some like ISO cost) unless you get into a management, GRC, or a consultant role.

Snooper

TechGuru80 wrote: »

Apply to management and GRC roles...you will get experience right away. You aren’t going to get direct experience other than reading the documents (some like ISO cost) unless you get into a management, GRC, or a consultant role.

Thanks, yeah this is pretty much as infosec professionals that i met have told me so time to launch the assault. Thx for replying.

TheFORCE

Start reading publicly available documents. NIST, ISO, government procedures and policies relating to IT etc, free documents from various companies that want to promote their tools etc. You will do fine. I've worked in GRC and its not as bad as it seems,

infosecs

"Start reading publicly available documents. NIST, ISO, government procedures and policies relating to IT etc, free documents from various companies that want to promote their tools etc."
Does anyone know where can I get some Information security Controls Audit check lists and sample reports to get a good grasp of what the auditors look for and suggest as re-mediation?

imadbaig

Hi Guys,

I guess I'm in the right place. I've been a sysadmin guy for 10 years + 2 years of training in between.. just took up a GRC position at a private university. I guess my soft skills got me the gig. I'm currently assigned to go thru infosec policies and procedures and to provide weekly awareness trainings sessions. More recently, I have been tasked to become a guru on archer rsa. I have zilch infosec experience but I'm excited to launch my career in this awesome world of cyber security. I think I like GRC for what it is, and I too have had enough of logs and code for one lifetime.. I want to grow in GRC, for better or for worse.. so give me advice.. please..

How do I master archer?
A colleague advised me to start with CISSP.. shall I?

What path shall I take? Any advice is appreciated.. thank you!

imadbaig

Hi,

Here's my story:

I've been a sysadmin guy for 10 years + 2 years of training in between.. just took up a GRC position at a private university. I guess my soft skills got me the gig. I'm currently assigned to go thru infosec policies and procedures and to provide weekly awareness trainings sessions. More recently, I have been tasked to become a guru on archer rsa. I have zilch infosec experience but I'm excited to launch my career in this awesome world of cyber security. I think I like GRC for what it is, and I too have had enough of logs and code for one lifetime.. I want to grow in GRC, for better or for worse.. so give me advice.. please..

How do I master archer?
A colleague advised me to start with CISSP.. shall I?

What path shall I take? Any advice is appreciated.. thank you!

bidsec

Wow, So glad I came across this thread. I am currently in that transit state in my career after spending close to 15 years as a Network/Systems Engineer.I have been looking at the IT Compliance, risk and governance path and honestly this thread is a great resource. Thanks for all the recommendations.

--chris--

I went from generalist/"network engineer" with a few years of experience to a GRC role that still does technical work simply by applying and being picky in the interview process.

The right opportunity is out there, you just need to keep your eyes open, network, and scour the job boards as a hobby.

LionelTeo

I wasn't sure why you would think that NOC/SOC work is required for GRC. While it can be beneficial, you can actually head straight to GRC work without touching much of the technical aspect. As many others had posted, getting into NOC/SOC is not a requirement for GRC workk.

Info_Sec_Wannabe

GRC guy here and I'm telling you that NOC/SOC background / work isn't necessary at all. If you're to ask me, I'd say you are in a much better position to transition to GRC (if you really want to), but as cyberguypr mentioned, it's not for everybody. I myself admit that I'm getting tired with all the documentation stuff and am looking to move into a more technical role (if the opportunity arises).

imadbaig

I wonder where 'snooper' in his quest for grc knowledge.. it's been 9 months since this thread first began.. I'd really find his advice helpful.. also 'jojoguy19' and 'cyberguypr'.. any help this newbie (me) can get is much appreciated! Thank you!

paul78

imadbaig wrote: »

... so give me advice.. please.. How do I master archer? A colleague advised me to start with CISSP.. shall I? What path shall I take? Any advice is appreciated.. thank you!

Welcome to TE. You probably would have got some feedback if you created a new thread so it's noticed.

Yes - starting with CISSP is a good approach since you are working with GRC. I imagine you will be working with assessors and auditors so understanding the common nomenclature used will be important. Another would be to check out some of the ISACA certs like CISM or CISA.

As for Archer - depending on your implementation, you are probably better off going to get that training from RSA. Most people that I know that use Archer have a love/hate relationship with the product.

Kapital

imadbaig wrote: »

Hi Guys,

I guess I'm in the right place. I've been a sysadmin guy for 10 years + 2 years of training in between.. just took up a GRC position at a private university. I guess my soft skills got me the gig. I'm currently assigned to go thru infosec policies and procedures and to provide weekly awareness trainings sessions. More recently, I have been tasked to become a guru on archer rsa. I have zilch infosec experience w do I master archer?
A colleague advised me to start with CISSP.. shall I?

What path shall I take? Any advice is appreciated.. thank you!

I think you are incredibly lucky and bet that this was an internal position change.
I can tell you no one would have even looked at your resume if you were applying for jobs externally. So make sure to make most of it.
CISSP would be first and excellent choice but it is mile wide....and covers technology way more than policies and procedures.