MurrayLichoro
Newcomer I

Introduction & Seeking Guidance on GRC Career Path

Hello Folks,

I’m thrilled to join this community and eager to learn from professionals in the cybersecurity and GRC space.

I’m currently halfway through the ISC2 Certified in Cybersecurity (CC) Foundation program and preparing to book my exam soon. Since this program is freely offered, I wanted to hear your thoughts on its relevance to a GRC career:

  • With the CC certification, would I be well-positioned to start as a GRC analyst, or are there additional certifications, skills, or experience I should focus on?

  • What are the best entry paths into GRC, especially for someone looking to break into the field?

  • Are there any valuable resources, mentorship opportunities, or industry trends I should pay close attention to?

I’d appreciate any insights or advice you can share, and I look forward to engaging with and learning from this community.

Best regards,
Murray Lichoro

10 Replies
Spirnia
Newcomer III

I would study up on regulations for a career in GRC.

I would try to narrow down the industry you’d like to work in.

Then, become well-rounded.

Read up on regulations for that industry: for example, Banking has SOX and healthcare has HIPAA.

Read up on GDPR of the EU.

Then, read up on a few state privacy laws to familiarize yourself with that. California is one you’d want to learn about.

The CC is very much only foundational knowledge.

If you have the time, learn the CISSP curriculum. You won’t earn the certification without the work requirements, but you will have a broad exposure to topics.

You really cannot earn the certifications for GRC until you’ve worked in the field: ISACA has certifications, ISC2 has one, and for privacy certifications look into IAPP.

Learn about the cloud too. There is the cloud security alliance with free documents you can download and read.

Learn the content of certifications you are interested in.

Forget about not being able to earn the certifications for the moment.

And post about what you are learning and doing.

That’s my advice.
MurrayLichoro
Newcomer I

Hello Spirnia,
I hope you're doing well! I wanted to reach out personally to thank you again for the valuable advice you shared in the community. It's been really helpful as I continue my journey into the GRC space.
I’m based in Kenya, Africa, and I’m looking for ways to connect with professionals in the industry, especially those who can provide guidance and share insights based on their experience. If you’re open to it, I would love to network with you and perhaps receive some additional guidance as I navigate my career path in GRC.
Would you be open to offering mentorship or providing advice along the way? I’d appreciate any help you could offer as I work towards my goals.
Thank you!
Spirnia
Newcomer III

I would be happy to answer questions posted to this forum to the best of my knowledge.

I do not go off platform.

I am not aware of regulations and laws in Kenya.

ISC2 does have a chapter in Kenya. You may want to participate in that: https://community.isc2.org/t5/Europe-Middle-East-Africa/ct-p/EMEAChapterGroups

Your best bet would be to do online research and learn local information in addition to major Europe, Asia, and US regulations.

And I would recommend starting out in a small organization. Large organizations may not be as suitable for someone switching careers and starting out in GRC.

You could create a YouTube channel and make short videos about what you are learning and your aspirations. Post links to your videos on LinkedIn, attract an audience, and build followers. Become a thought leader so that you stand out in your community.

emb021
Advocate I

Take a look at what @Spirnia has posted.

Most of the people I know of who are involved in GRC are involved with ISACA, which is an international organization with chapters around the world. In fact, ISACA has a GRC Conference. And it has a chapter in Kenya.

People in this space get certs like CISA, CRISC, and CGEIT. If you are involved with infosec, having complementary certs like Sec+, CC, and CISSP is good.

They learn about regulations for security and privacy, which vary from country to country, and learn about international security frameworks like ISO/IEC 27001, NIST CSF, CIS Critical Controls, and the like.

Hope this helps

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
nkeaton
Advocate I

@emb021 I think that ISC2's CGRC is also a good certification, and possibly their ISSEP, which I feel follows it better than the CISSP. I hold both of those as well as a CISM and ISSMP, which I believe all complement each other on frameworks and governance.

Spirnia
Newcomer III

[Three attached images: IMG_0037.jpeg, IMG_0038.jpeg, IMG_0039.jpeg]

Those interested in GRC may find this webpage of interest to them: https://sprinto.com/blog/grc-cybersecurity-career-roadmap/

The images are from the linked article.


AI would be good to learn too as it pertains to GRC auditing roles.

emb021
Advocate I

@nkeaton I would disagree on CGRC, as AFAIK ISC2 has not made any changes to it from the prior NIST RMF-focused CAP certification. Until they rework it to cover more frameworks such as CIS Controls, ISO 27001, NIST CSF, etc., I personally wouldn't recommend it. Honestly, I think SANS/GIAC's GCCC would be better as it DOES cover multiple frameworks.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
emb021
Advocate I

@Spirnia Good set of info. HOWEVER, I have some problems with the last picture with the frameworks. "NIST" is NOT a framework, but a government institute. It provides SEVERAL frameworks, including the NIST CSF, NIST RMF, NIST SP 800-171 (which is the basis for CMMC), and the NIST Privacy Framework. So I have no idea which framework this chart is talking about. It's either the NIST CSF or the RMF. Am guessing probably the CSF, as too many people refer to the NIST CSF as just NIST.

AND GDPR and HIPAA are NOT frameworks but regulations.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Spirnia
Newcomer III

Well-stated!

I completely agree!