All The GRC Analyst Job Answers YOU Want

  • Published: 16 Jul 2024

Comments • 88

  • @its_basheer_here
    @its_basheer_here 11 months ago +21

    🎯 Key Takeaways for quick navigation:
    00:00 🎯 Gerald Auger introduces the topic of GRC (Governance, Risk, and Compliance) in cybersecurity and aims to answer questions about it in the video.
    01:11 🏢 GRC (Governance, Risk, and Compliance) is a crucial aspect of cybersecurity and offers a great career path, allowing professionals to engage with the business side of an organization.
    05:48 📜 Compliance Analysts focus on checking whether specific controls are in place, while Risk Analysts assess the likelihood and impact of potential risks, enabling a smooth career progression in the GRC field.
    08:42 🧩 GRC fits into an organization under the CISO, handling governance, policy, procedures, and audit aspects, while Security Operations (SecOps) handles incident response and blue team functions.
    10:47 🌟 Entry-level GRC roles, like Compliance Analyst positions, are a great on-ramp into cybersecurity, especially for individuals without an IT background. Federal IT contractors often offer entry-level GRC positions and are open to training candidates.
    19:41 💼 CMMC (Cybersecurity Maturity Model Certification) is becoming crucial for organizations working with the government, and being certified or familiar with it can be a valuable skill for cybersecurity professionals.
    21:05 🎓 Recommended certifications for GRC Analysts include CISA (Certified Information Systems Auditor) and HIPAA-related certifications.
    22:01 🛡️ GRC roles require some basic technical knowledge, such as understanding networking and operating systems, to ensure effective audits and assessments.
    23:24 📚 NIST (National Institute of Standards and Technology) Cybersecurity Framework is a great starting point for learning GRC standards and best practices.
    24:22 💼 Practical Enterprise Risk Assessment course by the speaker is a resource for learning compliance auditing and risk assessment in GRC.
    25:51 📝 Excellent written and verbal communication skills are essential for GRC Analysts to effectively communicate with the organization and information security teams.
    29:51 💡 NIST CSF (Cybersecurity Framework) and ISO 27001 are recommended standards for GRC, with CSF having more community collaboration and industry practice behind it.
    30:06 🔀 CMMC (Cybersecurity Maturity Model Certification) is a subset of controls within NIST CSF, and compliance with CSF would cover the requirements of CMMC.
    34:10 📚 NIST Special Publications 800 series provides comprehensive documentation on various cybersecurity topics, including risk assessments and supply chain risk management.
    39:03 🗣 Effective communication skills are critical for GRC Analysts to bridge the gap between information security and the organization's business needs.
    41:48 ☁️ Cloud security and identity and access management are in-demand areas within cybersecurity, making certifications in these fields valuable for GRC-focused roles.
    42:31 📑 GRC (Governance, Risk, and Compliance) is a great entry point into cybersecurity and offers an easier on-ramp.
    43:12 🎓 Recommended certifications for GRC include CMMC certified practitioner, ISACA CISA, and industry-specific compliance certifications.
    43:41 🚀 GRC roles do not require a minimum certification, making it a flexible and forgiving career path.
    45:34 💡 Transitioning from a network security role to GRC can involve integrating GRC-type activities into your current role to showcase expertise and interest.
    46:59 📝 Before conducting any assessment, create an audit plan, identify key stakeholders, and schedule focused interviews to gather necessary information.
    51:14 📊 Familiarize yourself with risk management frameworks like MITRE ATT&CK and NIST 800-171 to enhance your understanding of GRC processes.
    52:10 📝 Don't be overly attached to risk assessments, as some organizations may not prioritize cybersecurity until they face a significant incident.
    57:35 🏛
    Made with HARPA AI

    • @SimplyCyber
      @SimplyCyber 11 months ago +3

      Thx for timestamps friend. Pinned

    • @its_basheer_here
      @its_basheer_here 11 months ago +2

      Welcome Brother, I finished your course @SimplyCyber

  • @jaltongarcestaguibaoph.d8105
    @jaltongarcestaguibaoph.d8105 11 months ago +1

    Thank you for this. I am contemplating pivoting careers from academe/research to cybersecurity, and I have very minimal technical know-how, so your discussion of this path is very helpful. :)

  • @hbryels
    @hbryels 2 years ago +7

    Thank You! I have been making this too hard! I am actually working in a GRC environment and didn't know it... I am a contractor for BAH, working with the VA hospital. You have simplified my approach to my job... Thank you!

    • @SimplyCyber
      @SimplyCyber 2 years ago

      Great. I was w Booz for years and loved the experience. You def are in the right spot.

  • @novi2000
    @novi2000 2 years ago

    Loved the balance between the GRC talk and the kids demanding attention. Thanks!

  • @j.a.ward13
    @j.a.ward13 1 year ago

    Great content. Amazing setup. Thanks

  • @ertnyot784
    @ertnyot784 2 years ago

    Awesome video to watch in conjunction with The Definitive GRC Master Plan

  • @SalmanAkorede-IrslConsulting
    @SalmanAkorede-IrslConsulting 2 years ago +1

    Very informative video. Thanks for sharing it with the world!

  • @disful
    @disful 2 years ago

    Thank You Gerald

  • @AshokSharma1981
    @AshokSharma1981 2 years ago +1

    Thanks Gerald. I am struggling with my current role in GRC. Watching your videos to know more and to plant my feet more firmly.

    • @SimplyCyber
      @SimplyCyber 2 years ago

      Excellent! Glad to hear it! (That it's giving you better footing, not that you are struggling a bit.)

  • @mikestubeviews9973
    @mikestubeviews9973 2 years ago

    Wow what an amazing video!!

  • @AFryingPan
    @AFryingPan 7 months ago

    Looking to pivot to GRC. My background is in business / finance. The company I work for has an internal program to get certificates and training on new roles (one of which is GRC Analyst). Glad I found your channel :)

    • @SimplyCyber
      @SimplyCyber 7 months ago

      GRC is my specialty. I don’t normally plug my course but if ur looking (and ur company is paying) my course has 20000 students and I haven’t heard a bad word, worth checking out ($60). SimplyCyber.teachable.com

  • @kwakuowusu7439
    @kwakuowusu7439 2 years ago

    Thank you Mr. Auger, great AND timely content. You are appreciated

  • @okeyokafor648
    @okeyokafor648 2 years ago +2

    Thanks for posting. Looking forward to more GRC career content soon. Will you do a GRC interview questions/how to crush a GRC interview video?

    • @SimplyCyber
      @SimplyCyber 2 years ago

      What do you mean GRC Q&A? This was a Q&A. Do you mean a job interview?

    • @okeyokafor648
      @okeyokafor648 2 years ago +1

      @SimplyCyber Yes. A job interview. Sorry if my question wasn't clear.

  • @genevievemills4349
    @genevievemills4349 1 year ago +2

    Can you do another one of these please?😊

  • @bimbobanky618
    @bimbobanky618 2 years ago +3

    Hey Gerald, what are the tools to succeed as a GRC Analyst coming from a zero background in IT?

  • @titaniumbowlingball4258
    @titaniumbowlingball4258 8 months ago

    Also I have some experience with physical security, especially as it pertains to hospital security, health care, and inpatient psychiatry. I have an Associate's in Cardiovascular Technology (specialty in vascular ultrasound) and familiarity with HIPAA... I am a very strong report writer and very good at finding errors, as well as having strong analytical thinking and pattern recognition, and I am also very strong on customer service...

  • @xt.7933
    @xt.7933 1 year ago

    Hi Gerald. I am new to GRC. I have 5 YOE in internal audit and finance compliance. One of my coworkers, who was an IT auditor, got a lead GRC analyst job and has since been trying to talk me into the area too, as she felt that I have really good sense. My question is: as a CPA, will it be a good route for me? And without a solid IT background, will there be a bottleneck in terms of career advancement? I am willing to learn more about IT controls and cyber security, maybe getting a CISA, but going back to school to get an IT degree won't be a choice for me now. Thanks

  • @stefanforest7582
    @stefanforest7582 2 years ago

    Thanks for this informative video, see you next time.

    • @SimplyCyber
      @SimplyCyber 2 years ago

      You bet. Thanks Stefan. Hope the new role is exceeding your expectations.

  • @Reviews23298
    @Reviews23298 2 years ago +1

    thank you

  • @Ad000121
    @Ad000121 2 years ago

    Excellent. Any online resources for NIST?

  • @depiculous
    @depiculous 2 years ago +1

    Is there a KPI or scorecard that can be established to measure the success (or performance) of GRC teams or analysts?
    Great episode by the way. Looking forward to being able to join live next time!

    • @Mrjonespeaks
      @Mrjonespeaks 2 years ago

      You can get that in a typical GRC tool like ServiceNow etc.

  • @d.w.4319
    @d.w.4319 1 year ago

    Hi Gerald, I went to the link and noticed the CMMC level 3 guide is unavailable as of now. Any idea when it will be available for download?

  • @FTTLOMS
    @FTTLOMS 1 year ago

    Hey! Don Junior will be our GRC coach! Haha!

  • @jyrune
    @jyrune 1 year ago

    What would the career path between GRC analyst and CISO be?

  • @GuavaJuiceBane
    @GuavaJuiceBane 1 year ago

    Any pointers for someone who is just starting off and looking for a breakthrough at entry level?

  • @samborthwick8861
    @samborthwick8861 1 year ago

    Are SIEM skills valuable for risk analysis?

  • @afshin8047
    @afshin8047 2 years ago +1

    Hi Gerald. Thank you for the high quality video.
    I have a BBA in Cybersecurity and recently got Security+ and Rangeforce SOC Analyst 1 badge. Unfortunately I have no job experience or internship. I do have a home lab and I mention it in my resume.
    Do you think I should go ahead and start in IT support or try my luck for an entry GRC role?
    Thank you.

    • @SimplyCyber
      @SimplyCyber 2 years ago +4

      It won't hurt to go that route, but you can go directly into cybersecurity also. Depends on your financials and responsibilities whether you have to take an IT job. Make sure you are networking within the community. It's critically valuable.

  • @titaniumbowlingball4258
    @titaniumbowlingball4258 8 months ago +1

    Good morning Gerald... I have a meeting coming up with VA Vocational Rehab (disabled veteran) and I need a plan.
    I have taken ISC2 training but not taken the exam yet, and I have been taking withyouwithme courses on cyber security analyst and business analyst... I also killed our only working PC in the process (long story)... My goal is to find an entry level role in the GRC, Info Sec, auditing space... any suggestions?

  • @souadchetol7688
    @souadchetol7688 1 year ago

    Hello, thank you for sharing.
    What are your thoughts on getting a nonprofit compliant with no framework in place?

    • @SimplyCyber
      @SimplyCyber 1 year ago

      It’s possible but compliant w what standard? That’s the question to ask before you could tell. A framework is just a methodology not a standard

  • @saadbinabdullmhosen3223
    @saadbinabdullmhosen3223 10 months ago

    What's the difference between GRC audit and GRC analysis?

  • @ThePodzilla
    @ThePodzilla 2 years ago +1

    Hi Dr. Auger, I'm not sure if you answered this yet but you mentioned having a class coming soon, would that be the grc masterclass you have available on your website?

    • @SimplyCyber
      @SimplyCyber 2 years ago

      Yes. That’s the grc class I mentioned

  • @olasunkanmiomotosho465
    @olasunkanmiomotosho465 1 year ago +1

    I have a second phase of Compliance analyst interview. Could you please give some examples of some challenges a compliance analyst could face at work?
    Thank you.

    • @SimplyCyber
      @SimplyCyber 1 year ago +3

      Non compliance, lip service from mgmt, shadow IT, lack of compliance audit, access control reviews not being done (so ppl keep access they don’t need, happens ALL the time) best wishes on interview

  • @terimohr9375
    @terimohr9375 1 year ago +1

    Keep the chat please.

  • @vinitthehbk
    @vinitthehbk 2 years ago +3

    I would be moving into an IT Risk Application Governance role. I was from the Financial Services (Operations) field, but yes, I had a very good inclination towards Risk. I gathered info and found that Risk, Governance and Compliance go hand in hand. I am looking to get some experience in my job, and then, side by side, would be trying to get certified in CRISC from ISACA. Please tell me if I am going in the right direction and what approach I should follow to enrich my experience, grow exponentially in this sector and see myself as a valued professional 5-6 years from now. I guarantee that I do enjoy learning things. Please guide. Also, thank you very much for this beautiful video 🙏

    • @SimplyCyber
      @SimplyCyber 2 years ago +1

      This is an absolutely solid plan for GRC path

    • @vinitthehbk
      @vinitthehbk 2 years ago

      @SimplyCyber thanks for confirming

    • @ichigo8000
      @ichigo8000 1 year ago

      @SimplyCyber Since you have experience I want to ask you. I have an IT Bachelor's Degree, 2 years of IT Helpdesk/Specialist II experience, Security+, CISA (passed the exam, don't have the experience requirement), and am studying for the CRISC currently. Roughly how much can I expect to make with no GRC experience before getting the CRISC as of right now, and after I get it? From different sources it seems consistent that I'd be able to get 6 figures or close to it with these things on my side currently; am I correct? Your insight would be appreciated.

    • @SimplyCyber
      @SimplyCyber 1 year ago +1

      @ichigo8000 Salaries always depend on location and industry so it's hard to say. Experience is supreme, but those certs are valuable. W/o knowing more about your situation or where the job is, I'd say 6 figures may be uncommon. If I had to SWAG I'd say the 72-80k range would be common for an entry level GRC analyst 1. But there are a lot of factors that would influence it.

    • @ichigo8000
      @ichigo8000 1 year ago

      @SimplyCyber Thanks for replying! I’m in the DC, MD, VA area if that helps; also I’m familiar with a decent amount of frameworks and I interview well. I’ve been scraping together what I can related to GRC info online (your playlist is on my radar after the CRISC) and have done 2 interviews in the field when I only had Sec+. Either way, I’m highly motivated. I believe the field's a good fit for my personality/skill strengths. Any suggestions to maximize my leverage after the certs?

  • @legosec6254
    @legosec6254 1 year ago

    #TeamReplay

  • @francis2k488
    @francis2k488 9 months ago

    Hi Gerald. Have you been able to create the Practical Risk Assessment course? I already bought your Definitive Guide to GRC course.

    • @SimplyCyber
      @SimplyCyber 9 months ago

      Not yet. 2024. I’m trying to find a client that will allow me to also document

  • @Qmohd1
    @Qmohd1 2 years ago

    Hi Gerald. I was a business analyst, and I moved overseas to finish my degree (from a school in Illinois). So I’ve developed those soft skills.
    Do you think that GRC is a good stepping stone to becoming more technical?

    • @SimplyCyber
      @SimplyCyber 2 years ago +1

      Self development on skills based training would get you more technical. A lot of GRC work is not very technical so you wouldn't really be getting more technical in that role. You would get exposed to people using technology and you'd have to begin to understand at a high level, but much less hands on keyboard configuring, breaking, hardening.

    • @francisfrancis1153
      @francisfrancis1153 2 years ago +1

      @SimplyCyber thanks Gerald. It is still not a bad place to get started from.

    • @SimplyCyber
      @SimplyCyber 2 years ago

      @francisfrancis1153 not at all. Great place

  • @agi9850
    @agi9850 2 years ago +1

    I have been your follower, but this is my first time asking/commenting. I am very confused on what cert I should go for. I am very much interested in GRC and I have Security+, and I am also working on my BA in Cybersecurity. Would u pls suggest any cert out there I should start studying? Thanks.
    And what is your take on cloud security? Do u think it is very technical? What do u think of GRC with this path?

    • @SimplyCyber
      @SimplyCyber 2 years ago

      ISACA CISA is for audit. CRISC is for risk analysts. Those may be good ones. I have a GRC course dropping this week. No cert but it’s pretty useful for developing practical skills (imo)

    • @agi9850
      @agi9850 2 years ago

      @SimplyCyber that will be excellent. Thanks.

  • @philljackson2443
    @philljackson2443 1 year ago

    Lol working from home!

  • @samborthwick8861
    @samborthwick8861 1 year ago

    How do you like living in Charleston?

  • @stylinoutlander
    @stylinoutlander 1 year ago

    Hello Sir, what is the difference between an ISSO and a GRC Analyst? Can you make a video comparing the 2? If you could also reply to this comment, that would help me tremendously 🙏

    • @SimplyCyber
      @SimplyCyber 1 year ago +1

      My understanding would be similar roles. GRC would be org wide risk and an ISSO would be just one system or application or capability. Typically in a very large org

    • @stylinoutlander
      @stylinoutlander 1 year ago

      @SimplyCyber thank you for your reply!!!

  • @RudyG78
    @RudyG78 2 years ago +1

    I live in DC and I’m going to take a GRC bootcamp. What are the chances I’ll find a high paying job to start?

    • @SimplyCyber
      @SimplyCyber 2 years ago +1

      In DC, pretty good. Look at professional services companies that support federal IT clients (like Booz Allen, PwC, Deloitte, SAIC, etc.)

  • @REStokes92
    @REStokes92 1 year ago

    I'm a school teacher looking to switch careers and it sounds like GRC analyst is the job for me. Right now I'm working to get my Security+ certification and I have two interviews at the end of this week. Do you have any advice or hints for me? I really would like to get one of these jobs. My experience comes from what I did teaching and how I interned with the IT support at my schools.

    • @SimplyCyber
      @SimplyCyber 1 year ago +1

      Join the Discord: discord.gg/simplycyber
      Check out the K-12 teacher to cyber video on the channel.
      Join the daily threat briefings: simplycyber.io/streams
      If you want a GRC role, check out the GRC course: simplycyber.teachable.com
      That should be a great start.

  • @vinusha6468
    @vinusha6468 2 years ago +1

    I have been working in a SOC for 3+ years. I need to move into GRC. What can I do to start from scratch?

    • @SimplyCyber
      @SimplyCyber 2 years ago +2

      Identify opportunities at your company to move laterally and see if that works. Most companies have some form of GRC.

    • @vinusha6468
      @vinusha6468 2 years ago

      Is there any option where I can search for jobs outside of my organization? What knowledge and skills are necessary to prove to them that I'm capable for a GRC analyst role?

  • @jenniferobiezu353
    @jenniferobiezu353 6 months ago

    I'm new here. I want to learn how to be a GRC Analyst.

    • @SimplyCyber
      @SimplyCyber 6 months ago +1

      Ur in the right spot. Welcome!

  • @naturalsaroj8965
    @naturalsaroj8965 2 years ago +1

    Can a non-IT guy make a career in GRC?

    • @SimplyCyber
      @SimplyCyber 2 years ago +1

      Definitely. You will have to learn a lil bit but you can do it.

  • @BudLightBeerOfStarCommand
    @BudLightBeerOfStarCommand 1 year ago

    Is it possible for a technical writer to get into GRC? I write documentation for software provided by a leading data and identity security vendor. I wonder if writing highly technical documents and working with subject matter experts to gather information for users would be considered enough skills to break in.

  • @td4yd154
    @td4yd154 2 years ago

    16min in and it sounds absolutely horrible and confusing.

    • @SimplyCyber
      @SimplyCyber 2 years ago

      GRC def is not for everyone. Less tech; less action; slower pace

  • @AwoyaaMensah
    @AwoyaaMensah 1 year ago +1

    Loved this! You mention DISCORD, STREAM...I'm lost! But want to join worthwhile communities etc. Guidance appreciated.

    • @SimplyCyber
      @SimplyCyber 1 year ago

      Hello. discord.gg/simplycyber should take you right to the Simply Cyber Discord. Get in here and say hi. You'll love it.

  • @BobBob-qm2bm
    @BobBob-qm2bm 1 year ago

    #TeamReplay