this post was submitted on 05 Sep 2024
15 points (100.0% liked)

Cybersecurity


I'm looking to start a career in GRC. Been searching a bunch of different things (e.g. cybersecurity internal audit, GRC analyst, cyber audit, risk analyst, etc.) but everything that's coming up is mid-senior positions, manager positions, etc.

top 9 comments
[–] [email protected] 3 points 1 month ago (1 children)

If you are located in the US and aren't currently a complete fuck-up, the Federal Government can be a way into the GRC side of cybersecurity. Between civilian and DoD sites, they have analysts and auditors all over the place and always seemed in need of folks willing to pore over checklists and OQE artifacts. The first place to look for positions in that vein would be usajobs.gov. Unfortunately, though, the FedGov made the decision to classify both GRC and sysadmin positions under the 2210 category, so you'll probably have to dig through a lot of sysadmin listings.

Another path into similar positions is to look for FedGov/DoD facilities in your area. Once you find one, take a drive around the area, look for the names of businesses nearby, and start researching those businesses and their open positions. There will almost certainly be the big ones, like Booz Allen Hamilton, BAE, Boeing (yes, that Boeing. They do a lot outside of crashing aircraft), etc. But there will be a plethora of smaller companies with seemingly random names and little public-facing presence who supply the local site with hordes of contractors. And, while these are contractor positions, they are a lot more stable than contract positions in the private sector. I spent 6 years as such a contractor and only stopped being one when I took a job elsewhere.

I will say that "entry level" is going to be harder. No one wants to hire and train someone without experience, which puts you in a catch-22. For all the suck involved, you may want to consider putting in some time working a help desk. At minimum, it keeps you in proximity to the field, teaches you something about systems, and provides related, if not direct, cybersecurity experience.

Best of luck.

[–] [email protected] 1 points 1 month ago

Not American, but hopefully someone else can take inspiration from this. I'll look into help desk positions, thanks for the tip.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago) (1 children)

Do you have any certs? ISC2 is a good starting point, but getting specific certs around NIST or ISA will help you get in the door. Reading and understanding the regulations around the industries you're targeting would help too.

[–] [email protected] 1 points 1 month ago (1 children)

No certs currently. Trying to figure out if there's even an entry-level pathway available before I dump more money into education. NIST and ISA: are these international certs or America-specific? The latter won't help me much unless I get a remote job. As for regulations, that should be easy enough. I'm already good at research, so.

[–] [email protected] 1 points 1 month ago (1 children)

They're America-specific, but every region will have similar frameworks. ISO 27001 is worldwide, I believe.

[–] [email protected] 1 points 1 month ago (1 children)

I've actually just done a bit of digging on it and it seems that CISSP is used in Canada, so I might pull the trigger on that. I'm also considering Unixguy's GRC Mastery course. Happen to know anything about it? I don't think it counts as a certification proper, but it might be good to show employers what I'm interested in and that I've already put in some work.

[–] [email protected] 1 points 1 month ago (1 children)

You need five years of experience in cybersecurity, or sponsorship from another CISSP to get certified. NIST and ISO are followed by lots of companies, and ISA-62443 is a big one for OT cyber.

[–] [email protected] 1 points 1 month ago

Guess I shoulda done more digging lol. Thanks for the help. Btw, do you know much about PECB's courses? They have some ISO stuff that's GRC-specific, might look into it.

[–] [email protected] 1 points 1 month ago

I haven't looked myself, but maybe see if the Big 4 audit companies offer entry-level roles?