🎯 Key Takeaways for quick navigation:
00:00 🎯 Gerald Auger introduces the topic of GRC (Governance, Risk, and Compliance) in cybersecurity and aims to answer questions about it in the video.
01:11 🏢 GRC (Governance, Risk, and Compliance) is a crucial aspect of cybersecurity and offers a great career path, allowing professionals to engage with the business side of an organization.
05:48 📜 Compliance Analysts focus on checking whether specific controls are in place, while Risk Analysts assess the likelihood and impact of potential risks, enabling a smooth career progression in the GRC field.
08:42 🧩 GRC fits into an organization under the CISO, handling governance, policy, procedures, and audit aspects, while Security Operations (SecOps) handles incident response and blue team functions.
10:47 🌟 Entry-level GRC roles, like Compliance Analyst positions, are a great on-ramp into cybersecurity, especially for individuals without an IT background. Federal IT contractors often offer entry-level GRC positions and are open to training candidates.
19:41 💼 CMMC (Cybersecurity Maturity Model Certification) is becoming crucial for organizations working with the government, and being certified or familiar with it can be a valuable skill for cybersecurity professionals.
21:05 🎓 Recommended certifications for GRC Analysts include CISA (Certified Information Systems Auditor) and HIPAA-related certifications.
22:01 🛡️ GRC roles require some basic technical knowledge, such as understanding networking and operating systems, to ensure effective audits and assessments.
23:24 📚 NIST (National Institute of Standards and Technology) Cybersecurity Framework is a great starting point for learning GRC standards and best practices.
24:22 💼 Practical Enterprise Risk Assessment course by the speaker is a resource for learning compliance auditing and risk assessment in GRC.
25:51 📝 Excellent written and verbal communication skills are essential for GRC Analysts to effectively communicate with the organization and information security teams.
29:51 💡 NIST CSF (Cybersecurity Framework) and ISO 27001 are recommended standards for GRC, with CSF having more community collaboration and industry practice behind it.
30:06 🔀 CMMC (Cybersecurity Maturity Model Certification) is a subset of controls within NIST CSF, and compliance with CSF would cover the requirements of CMMC.
34:10 📚 NIST Special Publications 800 series provides comprehensive documentation on various cybersecurity topics, including risk assessments and supply chain risk management.
39:03 🗣 Effective communication skills are critical for GRC Analysts to bridge the gap between information security and the organization's business needs.
41:48 ☁️ Cloud security and identity and access management are in-demand areas within cybersecurity, making certifications in these fields valuable for GRC-focused roles.
42:31 📑 GRC (Governance, Risk, and Compliance) is a great entry point into cybersecurity and offers an easier on-ramp.
43:12 🎓 Recommended certifications for GRC include CMMC certified practitioner, ISACA CISA, and industry-specific compliance certifications.
43:41 🚀 GRC roles do not require a minimum certification, making it a flexible and forgiving career path.
45:34 💡 Transitioning from a network security role to GRC can involve integrating GRC-type activities into your current role to showcase expertise and interest.
46:59 📝 Before conducting any assessment, create an audit plan, identify key stakeholders, and schedule focused interviews to gather necessary information.
51:14 📊 Familiarize yourself with risk management frameworks like MITRE ATT&CK and NIST 800-171 to enhance your understanding of GRC processes.
52:10 📝 Don't be overly attached to risk assessments, as some organizations may not prioritize cybersecurity until they face a significant incident.
57:35 🏛
Made with HARPA AI
Thx for timestanps friend. Pinned
Welcome, Brother. I finished your course @SimplyCyber
Thank You! I have been making this too hard! I am actually working in a GRC environment and didn't know it... I am a contractor for BAH, working with the VA hospital. You have simplified my approach to my job... Thank you!
Great. I was with Booz for years and loved the experience. You def are in the right spot.
Thank you for this. Contemplating a career pivot from academia/research to cybersecurity, and I have very minimal technical know-how, so your discussion of this path is very helpful. :)
Loved the balance between the GRC talk and the kids demanding attention. Thanks!
Real life is real.
Thanks Gerald. I am struggling with my current role in GRC. Watching your videos to learn more and get my footing.
Excellent! Glad to hear it! (That it's giving you better footing, not that you are struggling a bit.)
Looking to pivot to GRC. My background is in business / finance. The company I work for has an internal program to get certificates and training on new roles (one of which is GRC Analyst). Glad I found your channel :)
GRC is my specialty. I don't normally plug my course, but if you're looking (and your company is paying), my course has 20,000 students and I haven't heard a bad word, worth checking out ($60). SimplyCyber.teachable.com
Hey Gerald, what are the tools to succeed as a GRC Analyst coming from a zero background in IT?
Good morning Gerald... I have a meeting coming up with VA Vocational Rehab (disabled veteran) and I need a plan.
I have taken ISC2 training but not taken the exam yet, and I have been taking withyouwithme courses on cyber security analyst and business analyst... I also killed our only working PC in the process (long story)... My goal is to find an entry-level role in the GRC, InfoSec, auditing space... any suggestions?
Thanks for posting. Looking forward to more GRC career content soon. Will you do a GRC interview questions / how to crush a GRC interview video?
What do you mean GRC Q&A? This was a Q&A. Do you mean a job interview?
@SimplyCyber Yes. A job interview. Sorry if my question wasn't clear.
Love your videos! I'm learning so much from each video. Could you please do a video on explaining Auditing in more detail and the tools needed for the role. Preferably a day in the life of an Auditor would be great. My background is software tester and BA on SDLC (Waterfall and Agile), and I would like to switch to Cyber Security and deciding on which role. Audit seems interesting, but I'm open to other roles. I prefer non-coding roles.
That's a good video idea. Adding to queue.
I have a second phase of a Compliance Analyst interview. Could you please give some examples of challenges a compliance analyst could face at work?
Thank you.
Non-compliance, lip service from management, shadow IT, lack of compliance audits, access control reviews not being done (so people keep access they don't need, happens ALL the time). Best wishes on the interview.
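The last item in that reply, access control reviews not being done, is the one challenge on the list an analyst can actually test with data rather than interviews. The Python below is an added example and is not code from the video, the course or anyone in this thread. It reconciles a group-membership export against an HR roster and the approvals recorded at the last review; the users, groups, departments and the CSV layout are all constructed for the example, and a real run would swap them for exports from the identity system and HRIS.

```python
"""Access review reconciliation (added example, not from the video or thread).

Three constructed inputs stand in for what a compliance analyst would pull
from the identity system and from HR:
  - CURRENT_ACCESS_CSV : who holds which group today
  - HR_ROSTER_CSV      : employment status per user
  - APPROVED           : membership the group owner signed off at the last review
Every user, group and department below is fictional.
"""
import csv
import io

CURRENT_ACCESS_CSV = """user,group
alice,finance-ledger-admins
bob,finance-ledger-admins
carol,hr-payroll-readers
dave,prod-db-admins
erin,prod-db-admins
"""

HR_ROSTER_CSV = """user,status,department
alice,active,Finance
bob,terminated,Finance
carol,active,HR
dave,active,Engineering
erin,active,Marketing
"""

# Owner-approved membership from the last completed review (constructed).
APPROVED = {
    "finance-ledger-admins": {"alice", "bob"},
    "hr-payroll-readers": {"carol"},
    "prod-db-admins": {"dave"},
}


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(current_rows, roster_rows, approved):
    """Return the findings a reviewer has to disposition.

    Each finding is a dict with keys kind, user, group. Kinds:
      terminated_user_retains_access - a leaver still holds a group
      unknown_user                   - account with no HR roster entry
      unapproved_access              - membership no owner approved
      approved_not_provisioned       - approval with no matching membership
    """
    status = {r["user"]: r["status"] for r in roster_rows}
    findings = []
    for r in current_rows:
        user, group = r["user"], r["group"]
        if user not in status:
            findings.append({"kind": "unknown_user", "user": user, "group": group})
        elif status[user] != "active":
            # A stale approval does not make this acceptable; the roster join
            # is what catches leavers whose access was approved last cycle.
            findings.append({"kind": "terminated_user_retains_access", "user": user, "group": group})
        if user not in approved.get(group, set()):
            findings.append({"kind": "unapproved_access", "user": user, "group": group})

    # Approvals with no live membership are not a security exposure, but they
    # tell the reviewer the approval record has drifted from reality.
    current_pairs = {(r["user"], r["group"]) for r in current_rows}
    for group, users in approved.items():
        for user in sorted(users):
            if (user, group) not in current_pairs:
                findings.append({"kind": "approved_not_provisioned", "user": user, "group": group})
    return findings


def summarize(findings):
    """Count findings per kind, the figure that goes on a control scorecard."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def run_review():
    """Run the review over the constructed data and return the findings."""
    return reconcile(parse_csv(CURRENT_ACCESS_CSV), parse_csv(HR_ROSTER_CSV), APPROVED)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f['kind']:<32} {f['user']:<8} {f['group']}")
    print(summarize(results))
```

On the constructed data this flags bob (terminated but still in finance-ledger-admins, even though his access was approved last cycle) and erin (in prod-db-admins with no owner approval). Joining against the HR roster is the part most manual reviews skip; an approval list on its own only tells you what was acceptable at the last review, not who has left since.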
Hi Gerald. Have you been able to create the Practical Risk Assessment course? I already bought your Definitive Guide to GRC course.
Not yet. 2024. I’m trying to find a client that will allow me to also document
Very informative video. Thanks for sharing it with the world!
Great content. Amazing setup. Thanks
Any pointers for someone who is just starting off and looking for a breakthrough at entry level?
Hi Gerald, I went to the link and noticed the CMMC level 3 guide is unavailable as of now. Any idea when it will be available for download?
Awesome video to watch in conjunction with The Definitive GRC Master Plan
Can you do another one of these please?😊
Great work!
Thank you!
Are SIEM skills valuable for risk analysis?
Hey! Don Junior will be our GRC coach! Haha!
Excellent. Any online resources for NIST?
I would be moving into an IT Risk / Application Governance role. I was from the Financial Services (Operations) field, but yes, I had a very good inclination towards Risk. I gathered info and found that Risk, Governance and Compliance go hand in hand. I am looking to get some experience in my job, and then, side by side, would be trying to get certified in CRISC from ISACA. Please tell me if I am going in the right direction and what approach I should follow to enrich my experience, grow exponentially in this sector and see myself as a valued professional 5-6 years from now. I guarantee that I do enjoy learning things. Please guide. Also, thank you very much for this beautiful video 🙏
This is an absolutely solid plan for a GRC path.
@SimplyCyber thanks for confirming
@SimplyCyber Since you have experience I want to ask you. I have an IT Bachelor's Degree, 2 years of IT Helpdesk/Specialist II experience, Security+, CISA (passed the exam, don't have the experience requirement yet), and am studying for the CRISC currently. Roughly how much can I expect to make with no GRC experience before getting the CRISC as of right now, and after I get it? From different sources it seems consistent that I'd be able to get 6 figures or close to it with these things on my side currently, am I correct? Your insight would be appreciated.
@ichigo8000 Salaries always depend on location and industry, so it's hard to say. Experience is supreme, but those certs are valuable. Without knowing more about your situation or where the job is, I'd say 6 figures may be uncommon. If I had to SWAG it, I'd say the 72-80k range would be common for an entry-level GRC Analyst 1. But there are a lot of factors that would influence it.
@SimplyCyber Thanks for replying! I'm in the DC, MD, VA area if that helps; also I'm familiar with a decent amount of frameworks and I interview well. I've been scraping together what I can related to GRC info online (your playlist is on my radar after the CRISC) and have done 2 interviews in the field when I only had Sec+. Either way, I'm highly motivated. I believe the field's a good fit for my personality/skill strengths. Any suggestions to maximize my leverage after the certs?
Also I have some experience with physical security, especially as it pertains to hospital security, health care and inpatient psychiatry. I have an Associates in Cardiovascular Technology (specialty in vascular ultrasound) and familiarity with HIPAA... I am a very strong report writer and very good at finding errors, and I have strong analytical thinking and pattern recognition and am also very strong on customer service...
Hi Dr. Auger, I'm not sure if you answered this yet but you mentioned having a class coming soon, would that be the grc masterclass you have available on your website?
Yes. That’s the grc class I mentioned
Thank you Mr. Auger, great AND timely content. You are appreciated
Hi Gerald. I am new to GRC. I have 5 YOE in internal audit and finance compliance. One of my coworkers, who was an IT auditor, got a lead GRC analyst job and has since been trying to talk me into the area too, as she felt that I have a really good sense for it. My question is, as a CPA, will it be a good route for me? And without a solid IT background, will there be a bottleneck in terms of career advancement? I am willing to learn more about IT controls and cyber security, maybe getting a CISA, but going back to school to get an IT degree won't be a choice for me now. Thanks
What's the difference between GRC audit and GRC analysis?
Hello, thank you for sharing.
What’s your thoughts on getting a nonprofit compliance with no framework in place?
It's possible, but compliant with what standard? That's the question to ask before you could tell. A framework is just a methodology, not a standard.
Wow what an amazing video!!
I have been working in a SOC for 3+ years. I need to move into GRC. What can I do to start from scratch?
Identify opportunities at your company to move laterally and see if that works. Most companies have some form of GRC.
Is there any option to search for jobs outside of my organization? What knowledge and skills are necessary to prove to them I'm capable of a GRC analyst role?
Thank You Gerald
I live in DC and I'm going to take a GRC bootcamp. What are the chances I'll find a high-paying job to start?
In DC, pretty good. Look at professional services companies that support federal IT clients (like Booz Allen, PwC, Deloitte, SAIC, etc.).
Hello Sir, what is the difference between an ISSO and a GRC Analyst? Can you make a video comparing the 2? If you could also reply to this comment, that would help me tremendously 🙏
My understanding would be similar roles. GRC would be org-wide risk and an ISSO would be just one system or application or capability, typically in a very large org.
@SimplyCyber thank you for your reply!!!
Is there a KPI or scorecard that can be established to measure success(or performance) of GRC teams or analysts?
Great episode by the way. Looking forward to be able to join live next time!
You can get that in a typical GRC tool like ServiceNow etc.
Hi Gerald. Thank you for the high quality video.
I have a BBA in Cybersecurity and recently got Security+ and Rangeforce SOC Analyst 1 badge. Unfortunately I have no job experience or internship. I do have a home lab and I mention it in my resume.
Do you think I should go ahead and start in IT support or try my luck for an entry GRC role?
Thank you.
It won't hurt to go that route, but you can go directly into cybersecurity also. Depends on your financials and responsibilities whether you have to take an IT job. Make sure you are networking within the community. It's critically valuable.
What would the career path between GRC analyst and CISO be?
Thanks for this informative video, see you next time.
You bet. Thanks Stefan. Hope the new role is exceeding your expectations.
I'm a school teacher looking to switch careers and it sounds like GRC analyst is the job for me. Right now I'm working to get my Security+ certification and I have two interviews at the end of this week. Do you have any advice or hints for me? I really would like to get one of these jobs. My experience comes from what I did teaching and how I interned with the IT support at my schools.
join the discord discord.gg/simplycyber
check out the k-12 teacher to cyber on the channel
join the daily threat briefings simplycyber.io/streams
If you want a GRC role, check out the GRC course simplycyber.teachable.com
that should be a great start.
Loved this! You mention DISCORD, STREAM...I'm lost! But want to join worthwhile communities etc. Guidance appreciated.
Hello. discord.gg/simplycyber should take you right to the Simply Cyber Discord. Get in there and say hi. You'll love it.
I have been your follower, but this is my first time asking/commenting. I am very confused about what cert I should go for. I am very much interested in GRC and I have Security+, and am also working on my BA in Cybersecurity. Would you please suggest any cert out there I should start studying? Thanks.
And what is your take on cloud security? Do you think it is very technical? What do you think of GRC with this path?
ISACA CISA is for audit. CRISC is for risk analysts. Those may be good ones. I have a GRC course dropping this week. No cert, but it's pretty useful for developing practical skills (imo).
@SimplyCyber that will be excellent. Thanks.
Hi Gerald. I was a business analyst, and I moved overseas to finish my degree (from a school in Illinois). So I've developed those soft skills.
Do you think that GRC is a good stepping stone to becoming more technical?
Self-development on skills-based training would get you more technical. A lot of GRC work is not very technical, so you wouldn't really be getting more technical in that role. You would get exposed to people using technology and you'd have to begin to understand it at a high level, but much less hands-on-keyboard configuring, breaking, hardening.
@SimplyCyber thanks Gerald. It is still not a bad place to get started from.
@francisfrancis1153 not at all. Great place.
How do you like living in Charleston?
Thank you
My pleasure.
I'm new here. I want to learn how to be a GRC analyst.
You're in the right spot. Welcome!
using threat intelligence
Is it possible for a technical writer to get into GRC? I write documentation for software provided by a leading data and identity security vendor. I wonder if writing highly technical documents and working with subject matter experts to gather information for users would be considered enough skills to break in.
Keep the chat please.
Can a non-IT guy make career in GRC?
Definitely. You will have to learn a little bit, but you can do it.
18:56
#TeamReplay
Lol working from home!
16 min in and it sounds absolutely horrible and confusing.
GRC def is not for everyone. Less tech; less action; slower pace
#TeamReplay