  1. Junior Member
    Join Date
    Oct 2017
    Posts
    28
    #1

    What do I need to do/have if I want to work in GRC but skip SOC/NOC

    I am quite keen to work in GRC, TRA etc. but have limited exposure to GRC directly, in fact very little. I have quite a few years' experience of PC/network and physical security. I have worked as a Systems Admin and with networking as well. Having spent 15 years in IT and cyber security, I want to move directly into GRC. But I have been told by many that I do need to start at NOC/SOC level. I see this as a big step down and a bit discouraging.
    I am fully prepared to learn what it takes to come up to speed for GRC roles like Information Security Consultant, be it getting certificates like CISM, CISA etc. or getting some specialized training, and can even take a hit on my income for a few weeks or months. The questions are:
    1. Is it possible for someone with limited infosec experience to jump straight into GRC and skip NOC/SOC altogether?
    2. If yes, what do I need to do or learn, and from where? (Maybe learn real-life experience from CISSPs/CISMs working in this line?)


  2. Senior Member
    Join Date
    May 2013
    Posts
    1,471

    Certifications
    CISSP, CISA, GWAPT, GSEC
    #2
    1. Yes it’s possible...whoever told you that YOU HAVE TO START NOC/SOC is incorrect.

    2. Did I miss something? You said you had 15 years in IT and cyber security...can you explain that further? You should be working towards your CISSP and I would do CISA too. Additionally, you can start reviewing frameworks like NIST 800 series, COBIT, and any others that pertain to your organization you work in right now...ISO/HIPAA/PCI etc.

    What is the reason you want to be in GRC? Realize that in true GRC roles, your technical skills aren’t going to get used nearly as often...some people are ok with that and some hate it.

  3. Junior Member
    Join Date
    Oct 2017
    Posts
    28
    #3
    Originally Posted by TechGuru80
    2. Did I miss something? You said you had 15 years in IT and cyber security...can you explain that further?
    What is the reason you want to be in GRC? Realize that in true GRC roles, your technical skills aren’t going to get used nearly as often...some people are ok with that and some hate it.
    My time in IT and infosec is limited to just some of the domains of ISC2. For example, I hardly did any designing/implementation of a security framework, never did any TRA project, never applied principles of NIST, HIPAA etc. I also never worked with DLM, UAM, QRadar, ArcSight etc. So limited cyber security experience and very, very little or no GRC/TRA, which excites me....
    because I am tired of working with machines. 15 years is a long time taking care of logs, devices, vulnerability assessments and so forth. I want to be involved in overall design and discussions of security mechanisms rather than being a foot soldier. Of course working with people is not easy, but I want to give it a try.
    CISSP is done, CISM hopefully before Christmas, maybe CRISC as well.
    I am also studying NIST/ISO/HIPAA frameworks; probably will hit PMP and ITIL early 2018.
    But my biggest concern is getting some in-depth, real-life experience of TSA and GRC. How do I get it? Maybe offer some money to members experienced in GRC and learn it virtually? Offer to volunteer to big organizations? Join some institute? But how do I get real-life experience?
    PS I have studied GRC Archer already. Should I study other similar offerings?

  4. Senior Member
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    6,166

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #4
    I'm cringing as I read this because I hate GRC work, but I digress. GRC and technical roles are divergent for the most part. Whoever told you SOC/NOC belongs in your path either had no idea what he/she was saying or was trolling you. If I were you I would do the following:
    - Go to LinkedIn and search for some GRC professionals. Take a look at their profiles and particularly their paths.
    - Go to Indeed and search for GRC roles. Look for the qualifications required. This will give you an idea of where to focus your effort.
    - Just start applying to those roles that you find appealing. Don't sell yourself short. Your experience and certs can certainly be leveraged in many ways.

  5. Junior Member
    Join Date
    Oct 2017
    Posts
    28
    #5
    Originally Posted by cyberguypr
    I'm cringing as I read this because I hate GRC work, but I digress. GRC and technical roles are divergent for the most part. Whoever told you SOC/NOC belongs in your path either had no idea what he/she was saying or was trolling you. If I were you I would do the following:
    - Go to LinkedIn and search for some GRC professionals. Take a look at their profiles and particularly their paths.
    - Go to Indeed and search for GRC roles. Look for the qualifications required. This will give you an idea of where to focus your effort.
    - Just start applying to those roles that you find appealing. Don't sell yourself short. Your experience and certs can certainly be leveraged in many ways.
    cyberguypr
    Thank you very much for your detailed reply. You have touched on some very good points about finding out the paths taken by other GRC practitioners. And I really liked your hint to leverage certs and experience in different ways; indeed, sometimes how we explain or perceive things can become a stumbling block.
    I would love to know why you cringe at and hate GRC work. Is it because it involves too much theory, too much politics, too much client interfacing, too much BS?

  6. Junior Member
    Join Date
    Oct 2017
    Posts
    28
    #6
    I would really appreciate it if someone could give me some pointers regarding the following, so I can understand the daily life of GRC professionals and make an educated guess as to whether it will be my cup of tea:
    "But my biggest concern is getting some in-depth, real-life experience of TSA and GRC. How do I get it? Maybe offer some money to members experienced in GRC and learn it virtually? Offer to volunteer to big organizations? Join some institute? But how do I get real-life experience?
    PS I have studied GRC Archer already. Should I study other similar offerings?"

  7. Senior Member
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    6,166

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #7
    I'm a technical guy, so GRC bores me and makes me want to poke my eyeballs out. Don't get me wrong, many elements cross over into my area and that is fine, but I can't imagine myself doing solely GRC stuff.

  8. California Kid
    Join Date
    Mar 2009
    Location
    Jacksonville, FL
    Posts
    2,595

    Certifications
    CISSP, CISM, CISA, CRISC, GCIA, GSEC, AWS CCP, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    #8
    GRC guy here. Whoever told you to start in a NOC/SOC, stop listening to them for career advice. For GRC roles it helps to have an understanding of the business, policy and procedures, and frameworks such as COBIT/NIST/ISO, and then PCI/HIPAA/GLB/SOX regulations. Have knowledge of auditing and risk assessments.

    Like cyberguy said, some people are bored to death doing it. I love it though. I did the Sr Sec Engineer thing and you really have to devote a lot of time to staying up on the threat landscape, technology, etc. if you want to actually be effective and at the top of your game. Even though it was "fun" and every day was different, I got burnt out. Working on the GRC/Audit side, it's laid back. It comes to me much easier as well. Yea it can be "boring", but I like the laid-back nature of it. Plus on the GRC side the job is usually deliverable based, so you just have things that need to get done and you can have a little to a lot of leeway to work how you want to. For me, I work fully remote, and work when, where, and how I want as long as deliverables are met. It's a sweet gig honestly. I arrange my day how I want and can run errands, attend school functions, and stuff like that. You don't get as much leeway on the technical side, so if that's something that is important to you, GRC is a good area to look at.
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, AWS CCP, CEHv8, CHFIv8, ITIL-F, BSBA - UF, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning: Linux/CLI, Git, Python, Pentesting
    Next Up: eJPT, eCPPTv2, OSCP
    Studying: Code Academy (CLI, Git, Python), eLearnSecurity PTSv3

  9. Junior Member
    Join Date
    Oct 2017
    Posts
    28
    #9
    Thanks for replying. Based on my disposition and the fact that I am tired of sitting on my derriere for years and years, I think GRC would be a better fit for my next job.
    The one problem I will have to figure out is how to get real-world experience such as case studies etc.
    Originally Posted by JoJoCal19
    GRC guy here. Whoever told you to start in a NOC/SOC, stop listening to them for career advice. For GRC roles it helps to have an understanding of the business, policy and procedures, and frameworks such as COBIT/NIST/ISO, and then PCI/HIPAA/GLB/SOX regulations. Have knowledge of auditing and risk assessments.

    Like cyberguy said, some people are bored to death doing it. I love it though. I did the Sr Sec Engineer thing and you really have to devote a lot of time to staying up on the threat landscape, technology, etc. if you want to actually be effective and at the top of your game. Even though it was "fun" and every day was different, I got burnt out. Working on the GRC/Audit side, it's laid back. It comes to me much easier as well. Yea it can be "boring", but I like the laid-back nature of it. Plus on the GRC side the job is usually deliverable based, so you just have things that need to get done and you can have a little to a lot of leeway to work how you want to. For me, I work fully remote, and work when, where, and how I want as long as deliverables are met. It's a sweet gig honestly. I arrange my day how I want and can run errands, attend school functions, and stuff like that. You don't get as much leeway on the technical side, so if that's something that is important to you, GRC is a good area to look at.

  10. Senior Member
    Join Date
    May 2013
    Posts
    1,471

    Certifications
    CISSP, CISA, GWAPT, GSEC
    #10
    Originally Posted by Snooper
    Thanks for replying. Based on my disposition and the fact that I am tired of sitting on my derriere for years and years, I think GRC would be a better fit for my next job.
    The one problem I will have to figure out is how to get real-world experience such as case studies etc.
    Apply to management and GRC roles...you will get experience right away. You aren’t going to get direct experience other than reading the documents (some like ISO cost) unless you get into a management, GRC, or a consultant role.

  11. Junior Member
    Join Date
    Oct 2017
    Posts
    28
    #11
    Originally Posted by TechGuru80
    Apply to management and GRC roles...you will get experience right away. You aren’t going to get direct experience other than reading the documents (some like ISO cost) unless you get into a management, GRC, or a consultant role.
    Thanks, yeah, this is pretty much what the infosec professionals that I met have told me, so time to launch the assault. Thx for replying.

  12. Senior Member
    Join Date
    May 2006
    Posts
    2,159

    Certifications
    CISSP, CCSP, CCNA Cyber Ops, eJPT, ITIL, PA ACE, Qualys Certified Specialist, A+
    #12
    Start reading publicly available documents: NIST, ISO, government procedures and policies relating to IT etc., free documents from various companies that want to promote their tools, etc. You will do fine. I've worked in GRC and it's not as bad as it seems.

  13. Junior Member
    Join Date
    Nov 2017
    Posts
    10
    #13
    "Start reading publicly available documents: NIST, ISO, government procedures and policies relating to IT etc., free documents from various companies that want to promote their tools, etc."
    Does anyone know where I can get some information security controls audit checklists and sample reports, to get a good grasp of what the auditors look for and suggest as remediation?

