The Harsh Reality of Working in GRC In Cybersecurity That No One tells You

Thanks, Nicole! Years ago, our cybersecurity team updated GRC rules and changes that disrupted many systems. As many more people in our large organization have better "cyber hygiene" practices today, most clients understand the importance of GRC (and the technical applications of it). My guess is that after several years of being "in the trenches", working in GRC would be a positive change for many cybersecurity professionals. I'm glad to hear you are enjoying it!

stevecochrane

After 20 years of being in IT and troubleshooting, I am so ready to be bored. I completed UnixGuy's GRC course in March. I am now in a NIST CSF course. Been a bit frustrating looking for a job. I see so many "entry-level" GRC Analyst\IT Audit jobs asking for 3 years of experience. I would not even apply, but that changes today. I will apply anyway. As the saying goes, "You miss 100% of the shots you do not take."

johnleejones

My dilemma is that I like the technical side, and a lot. Since I started a deep-dive transition into cybersecurity, I have tried a couple of CTF challenges, and I can't say that I didn't enjoy the experience. So... What's the problem? It's too involving, and I've been the type of individual who does not 'go to bed' until a problem gets fixed. And that can be a problem. Mainly, at my age. I am over 50 and I know it's harder to keep up with the technical stuff. Besides, I have been in leadership roles for most of my career until I was laid off. So now that I want to re-enter the workforce but in a cybersecurity-related role, I know that GRC is the way to go. But... I love the technical aspect, too. I wish I was 30 to dive deep into it, but I don't feel I can keep up. And that's my dilemma. Thanks for the Video!

morisn

Thanks Nicole. I love the flowers on your porch!

johnczech

Awesome content....good to see other folks working in the same field having similar challenges. One good perk of working in GRC is that you don't called at 12:00am at night to perform emergency audits or assessments.

artccie

You're just like me, though I'm much older.

Tired of troubleshooting, tired of being on call, and the threat of a breach means I'll never see the outside of the office thanks to some 9-5'er clicking on a fake email link some foreign actor sent. My boss would panic call me every five minutes while I'm driving to a site. Also some of our catty end users I can also do away with. I go home stressed on a bad day, and even the Sunday morning dread starts to creep in. It takes a full weekend for me to destress from the week.

We're focusing more on HIPAA and I've done a lionshare of documentation and reports via email and Excel. Just need to get better memorize NIST standards and other words. Have IT experience and Sec+, though more places are demanding CISSP (overkill, but ok).

Glenningway

I went from being a SysAdmin to GRC fairly early in my career. I didn't want the stress + having to be on call. I have worked for bleeding edge tech companies, so I still needed to stay up to date with technical stuff, even if I wasn't going to master said technologies or tools etc. It works for me, at least for now.

RespectfullyCurious

At least GRC isn’t an “on call” position like a SOC analyst is. You worked your scheduled hours and then you fuck off home. No qualms about it.

The negative stigma of a “dull” career certainly outweighs that of a stressful and entropy-riddled workload. 🙃

ryu

I've been working in the IT field as a Helpdesk analyst for around 4-5 years and I'm ready to transition from IT to GRC in a heartbeat. The stress working in IT is killing me. I don't want to do Helpdesk anymore. Just my honest opinion.

rl

Thank you for this. I am trying to move from a cybersecurity engineer to a GRC role.

yellowxj

I like both GRC and Technical. I am an IT Manager, but sometimes I go out and do Tech stuff to help my guys. ✊🏼😎

TheITCornerbyJR

GRC is the most important aspect of security, full stop! Thanks for your insight @nicoleenesse

InclusiveCyber

I have sales operations/deal desk ops experience and all we do it evaluate risk and compliance for deals and what states we can serve in. I wanna do GRC because I’m tired of the “everything is an emergency” atmosphere of sales. 😂

beamerb

Nicole, I have a Master's in Cyber Security from USD (san diego), Network+, Security+, and I have just about given up on getting a job in cyber. I have a renewed interest in GRC. I am planning on studying/passing the CISA then move forward to CISM and hopefully land a job sometime on that pathway as I will be applying as I pass study for these exams. Any suggestions? FYI, I have been an ICU nurse for the past 14 years so my ears perked up when you mentioned nurse in the video.

robertschmid

I'd love more information on how to break into GRC. Also, if you don't mind, I'd like to get a copy of my resume to you.

tonyaustin

How did you transition from 'High tech' to 'low tech(GRC)' ? Can you post or DM some pointers or advice?

danimat

I've been doing this job, very well treated and everything goes well, but I am now trying my best to do the transition to cloud architecture. GRC is drying my brain!!

dieglhix

hey great video! What technical experience is valuable before getting into grc? I heard cloud and/or security exp would be valuable.

cyberaddict

The gold rush for non-technical cyber security ended about two years ago in my opinion. There's no shortage of people who can do this job, and it usually pays pretty well.

My experiences with the market thus far are forcing me to add the ability to code on top of penetration testing so that I can differentiate myself from the competition.

jamesmckee

Hi Nicole, Good Day! Thank you for sharing your experience working in GRC. I have 5+ years of experience working as System Administrator. As you mentioned in the video if someone already has a technical background, it'll be easier to get a job in GRC. I would like to know how easy/difficult it would be for me to pivot from System Administrator to GRC field? How can I tackle the question on my past experience since I don't have any prior experience working in GRC? Should I apply for entry level jobs? Kindly please guide
Thank you!

tushargupta