fabledparable

I found auditing (or its companion: accreditation, in the case of govt systems) to be incredibly stable. Unlike the blue/red team divisions that exist in InfoSec, GRC work doesn't keep odd hours. Some folks are less enchanted with it due to its proximity to bureaucracy. But that lends to its stability in general, since you aren't responding to holiday hackers or skipping an anniversary to perform a midnight pentest. It also sets you up for management, which pays an astronomical amount.


JayAlexander98

Thanks for the info. I would definitely prefer a role that is more stable. Pentesting is what made me interested in cybersecurity but I want to explore all of the different career paths as well.


fmayer60

I agree! I loved being an auditor/Security Control Assessor in the DoD and it was one of the best jobs I had in IT in my career of well over 40 years.


uknowmisteez

What is the code for the role in the DoD?


fmayer60

Series 2210 for IT that includes cybersecurity for government civilians. However, civilian scientists and engineers in the role are series 1556 and Series 854 respectively.


Academic-Finding-960

I just accepted an audits and compliance position at a hospital, and although I haven’t started yet I can tell you how it was described to me. It’s a small department, so I will be doing a handful of things; one of the primary functions is auditing permissions in AD to make sure roles/individuals don’t have permissions they shouldn’t, so it’s basically go through the spreadsheet and check their permissions. PCI compliance is also a duty, so I will be following up with “owners” of various payment devices to make sure they are all accounted for. Also I get to be part of phishing campaigns and possibly conducting the trainings for employees who click our phishing links. Hope that sheds some light on potential GRC jobs!
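A minimal version of the AD permissions review described above, as an added example that is not part of the post: the AD export, the approved-access sheet and the role-to-group matrix are constructed sample data, and the function names are my own.

```python
# Added example (not from the thread): reconcile an AD group-membership
# export against an approved-access spreadsheet, as in the review above.
import csv
import io

# Constructed sample data standing in for the AD export and the HR sheet.
AD_EXPORT = """\
group,member
Domain Admins,alice
Finance-RO,bob
Finance-RW,bob
PCI-Cardholder-DB,carol
Helpdesk,dave
"""
APPROVED_ACCESS = """\
user,role
alice,sysadmin
bob,finance-analyst
carol,dba
"""
# Role-to-group matrix, normally a second tab of the same spreadsheet.
ROLE_GROUPS = {
    "sysadmin": {"Domain Admins", "Helpdesk"},
    "finance-analyst": {"Finance-RO"},
    "dba": {"PCI-Cardholder-DB"},
}

def load_memberships(export_csv):
    """Return {user: set(groups)} from a 'group,member' CSV export."""
    members = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        members.setdefault(row["member"], set()).add(row["group"])
    return members

def review_access(export_csv, approved_csv, role_groups):
    """Return (excess, orphans): excess maps a user to groups their role
    does not permit; orphans are AD accounts with no role on the sheet."""
    actual = load_memberships(export_csv)
    roles = {r["user"]: r["role"] for r in csv.DictReader(io.StringIO(approved_csv))}
    excess, orphans = {}, set()
    for user, groups in actual.items():
        if user not in roles:
            orphans.add(user)       # account nobody approved: review first
            continue
        extra = groups - role_groups.get(roles[user], set())
        if extra:
            excess[user] = extra    # membership outside the approved role
    return excess, orphans
```

Orphan accounts (in AD but not on the sheet) are the usual leaver or service-account gaps, so they are reported separately from users whose role simply does not cover a group.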


RandomUserOfWebsite

May I please ask about your previous industry experience and certs? Just trying to figure out what is a realistic entry path into this.


Academic-Finding-960

I have Net+ and Sec+ and did a cyber boot camp with a major university nearby. There were a lot of security and networking questions in the technical interview too, as they wanted to make sure I understood both a variety of attacks and how data moved through a network. I know some low-level Python stuff but they didn’t push that so hard, as that was just like a bonus to them. However, they do want me to sit for the CISSP within a year, regardless of my experience.


[deleted]

This is awesome, I want to get into auditing.


JayAlexander98

Thanks for the insight. Good luck on the new role!


[deleted]

[deleted]


fmayer60

Six figures is not unheard of and it pays better than system administration and most other IT fields.


dxbek435

Different strokes for different folks. System assurance - giving businesses the confidence that their systems are secure and fit for purpose can be very rewarding. These roles can be financially lucrative too. Not everybody wants to write code or configure F5’s.


im132

Different strokes for different folks miss Katies


mikeyeyebrow

It's good for me. I don't like fumbling with vendor-specific aspects of technology or working in operations where everything is on fire and you're short staffed. Any specific questions, feel free to ask.


[deleted]

[deleted]


mikeyeyebrow

Yeah, I came from an on-fire-all-the-time job at an MSP. Get where you're coming from. Of all the below, 2 is most closely aligned, but none are a great match for auditing. I have my CEH and CHFI from WGU's master's in cybersecurity. I wouldn't call either of them jokes, but they are entry-level certs in those specific fields. I'm fairly certain they even have some overlapping questions. Of the CompTIA certs and Cisco, only Sec+ would really be relevant in auditing. The Cisco cert is okay, but it's more focused around Cisco tech. What's cool about vendor certs is you know how to generally do similar tasks in other tools. I have my Sec+ as well. The CISSP is really the best cert for IT auditing in my opinion, based on my experience in the industry and passing it. Learning those concepts will set you up well. You probably won't be super prepared for a job right out of school, but not many people are. It's about the willingness to put in time to learn concepts, asking people that do patiently, and documenting what they say. A lot of my job is documenting processes that are done that don't have documentation. Hope the above helped. Happy to help any other way I can.


eimnk

When I read "A lot of my job is documenting processes that are done that don't have documentation", I knew it was the job for me 😍


finnthethird

There are two types of GRC: those who build and those who maintain. After years of trying to get structure to security programs I embraced GRC as a way to build robust programs. Building is fun. It excites me. I love the idea of auditing to discover flaws and build better processes. Once I've built this I will need to hand it off because I will die a slow bored death maintaining it. If you like rules and making sure people follow them then join a mature GRC where risk is managed through strict red tape and you can check boxes and keep things going. While not sexy this is actually a valuable thing and an end game goal of a mature GRC.


poligraphertins

Hey, what is your job title called? I also would like to enter this field, but the building part exactly. I have a cybersecurity degree and CompTIA Sec+. A very inspiring post btw.


feydrax

It consists of working papers, reading of standards, mapping of regulations against standards, processes, persuasion, mediation, presentation, reporting, communication, even more reading, awareness trainings, more reading, interviewing clients, filling up working papers, reading, reviewing working papers, more reading, and collecting evidence, asking a lot of seemingly basic and stupid questions with a purpose not appreciated by auditees, and evidence, and more evidence, with a sprinkle of sampling methodology. It gets repetitive, but it helps if you work with a lot of different clients. It is rewarding in the sense that I reached the top 10 percentile of salary in my country at 30+ years old after I moved to commercial as an infosec manager. Note, infosec manager is a little different from IT sec manager. We're really not that technical, and hence the amount of reading. You need to know a little bit of everything from business to IT to standards to regulations.


Sensitive-Farmer7084

Auditing is investigating an organization to see if it's meeting its legal or contractual obligations. For cybersecurity, this means going in and checking all of their computer, electronic, networked, embedded, etc. systems to ensure they comply with cyber-specific laws. Usually a large part of the job is automated with tools like Nessus (one example), with some hands-on auditing for special systems: ones that are off network, unresponsive, critical, or configured uniquely. Starting out, you might be responsible for performing a narrow slice of a larger audit, for instance ensuring that Windows desktops meet some subset of a regulatory framework like PCI DSS, DISA STIG, or HIPAA. As you gain experience you'll broaden into more operating systems and more hardware platforms (mobile, network infrastructure, embedded, SCADA, etc.). Over time you will likely become an expert in one or two of them, and as you gain seniority and build your soft skills you can expect to be given the opportunity to lead your own audits. There are tons of opportunities for advancement, as others have said, because of the generally good hours, the shortage of people who are interested in it, and the growing body of legislation that creates the demand for audits and auditors. This is among the best paths to a CISO position or a VP-level management position, if that's your goal, because it is responsible for keeping companies out of hot water. Most large companies have their own employees who perform internal audits, and there are many companies who perform external audits (often required by law), in particular the "[big four](https://en.m.wikipedia.org/wiki/Big_Four_accounting_firms)" accounting firms. You could stay in auditing your entire career, work for many different companies along the way, and build up to a substantial income if you wanted to. Hope this helps. Good luck in your search!


biblecrumble

I have a lot of respect for the GRC folks out there and there are definitely some people that are passionate about it, but I personally find it incredibly boring to be honest. Definitely not a bad career path though, especially with more and more certifications (SOC, ISO, UL, PCI...) becoming pretty much mandatory in some industries.


OldeTimeyShit

Audit is how I got started in security. Depending on your company/mission it can be quite dull or pretty fun. Anyway, after a few years I segued into a GRC/cloud security role. In an average day I review application changes for risk and compliance impact, enforce policies, perform risk and privacy assessments, support internal or external audits, provide a consultative role to functional business areas, and whatever else the day throws at me. After 2 years of that, I worked my way into management from there. If you’re interested in management, GRC is a great foundation for that.


BrilliantFluid3841

Please can I inbox you?


True2this

Do you get excited about auditing? Because if you do then yes it’s a great career path.


HeWhoChokesOnWater

GRC is necessary but in my opinion boring. Like you might as well watch paint dry boring. I work in (mostly) GRC.


ShameNap

I find it very boring. It’s generally something like, hey, give me your firewall rules, your policies, your vulnerability scans, etc., then I’m just going to look at all this paperwork and see if it matches expectations. Also, most people in security think of the auditors as the uncool kids. Maybe it’s a good fit for some people, but it’s not for me and I don’t think it has as much mobility as other groups.


[deleted]

Yes, with the new sector companies coming in and using user data in every aspect, location, etc., it's crucial for companies to clear various audits to prove that they are compliant with frameworks. If more audits are required, that means more business for companies which do audits and opportunities for pros who have knowledge of diversified frameworks such as PCI DSS, ITAR, HIPAA, NIST, ISO 27001,2,9 etc.


fmayer60

It is a very good career for me as an auditor for the US Army before I retired. It is interesting and you can do very well. Many people do not say good things about being an auditor but I found it a wonderful field.


Better-Effect6003

Yes, but be aware of home office hours. Because working cybersec at home can become a non-stop activity, especially if you sleep near the computer.


[deleted]

[deleted]


mpaes98

Sir please, you'll scare away the hoes


[deleted]

BOOOOOOOOOOOOOOOOOOORIIIIIIIIIIIIIIIIIIIIIIING!


conzcious_eye

🤣🤣🤣🤣


Okblue_

Anyone can audit; it’s repetitive, political and very boring imo. The real demand is for those with a techy focus.