So, not normally, and this is not me trying to sell you in any way. This video is a bit older. I got asked this question a lot and actually made a full course to address the gap in GRC training, and my course has multiple labs. And it's 40% off, coincidentally, 'til 8/27/23 at 11:59pm EST with code BACKTOSCHOOL at SimplyCyber.teachable.com
Interesting question. Not really, but I will say you can get educated and show it (maybe not w a very) in FAIR risk assessment. Check it out: a qualitatively quantitative risk assessment process that's less subjective than low/medium/high. It's becoming more widely sought out.
Thanks for this video, Gerald! In your opinion, how's the job security in GRC, considering the advent of AI tools like ChatGPT? Please keep these videos coming!
Very different. GRC is the overall function within the business of managing cyber risk, clarifying what cyber risk is (which changes as threats and the business change), and ensuring approach and compliance are in line with business goals. RMF is just one framework to implement a structured cyber sec program. Think of it like this: GRC is the rules and best practices of building a house, and RMF is one home model you could build to achieve the business goal of protection and a place to sleep (biz goals). Cheers friend!
@SimplyCyber Okay, so a question: if you come from a security assessor position and want to transition into a GRC analyst position, how do you navigate that interview process, because it is different?
@Holiwood31 You should introduce threat intel into your day to day so you're not just assessing the efficacy of the control but also what the threats are to not having it, and then learn to qualify the likelihood and impact of that threat being realized.
No prior GRC job, yes. No prior experience will be tough. You need to study, learn, practice. All this can be done before the job, but given the candidate pool for jr level roles, you def want some hands on keyboard / lab type stories to tell and put on the resume.
Awesome! Thanks for the compliment. It's tough to break complex topics down into digestible bite sized lectures, so to say it's the equivalent of the search engine that gives you exactly what you're asking for is spot on. Thanks for supporting the channel. Cheers!
Do you have any suggestions for finding entry level GRC roles? Any particular phrases or skills that you might be able to suggest for LinkedIn? Excellent video for breaking down this area of cybersecurity.
This video helped a lot! My specialisation focused on GRC and IT management. Glad to see GRC mentioned and explained so well in cybersecurity context!
This was amazing. Almost finished my Google cybersecurity cert and this role or cloud stood out. I have 10 years of military experience so I hope it helps my career. Great video!
(ISC)2 recently changed their Certified in Authorization (CAP) to Certified in Governance, Risk and Compliance (CGRC). I had the CAP and had my cert changed over, I was grandfathered in more or less to the new cert. If anyone is interested and ready, you can sit for and get certified in GRC!
Such a great explainer. This is one of the least-loved parts of IS and doesn't show up often on a lot of "security" focused exams--even then it is only mentioned briefly. I wish I had a video like this years ago when I was getting started!
Thanks DJ. I agree. The concept of Governance is abstract and difficult to understand unless someone explains it to you. Especially since governance has different forms at different organizations. Appreciate taking the time to comment.
You've explained this better than any of the other content I have seen. Especially breaking down what GRC means individually. The explanation and application were very helpful. I want to be in tech.
One skill that I find most important in GRC is communication (written, spoken, listening, and reading).
There are fewer technical things to do.
Coming from a tech mindset, I struggled somehow in GRC, even though I understand it.
Legend, explained it all very well and made it easier to understand. Thumbs up
Love your content! You make GRC more fun and enjoyable!
Thank you for giving us GRC guys some love!
Of course. SimplyCyber is an all the things cybers channel. :)
Thanks for making this, Gerry. This was a great overview of GRC and how it fits into the bigger picture. Killer soundtrack by the way. I am always down for some synthwave / outrun. There were a couple times it was a little hard to understand you, so it may be worth lowering the volume on the backing track just a little bit. Anyway, great video and I look forward to more of your content.
Thanks Jimmy. The masses have spoken and I won't be doing music in my future videos. It was just a fun idea to add some dimension to the video. Seems people just want infosec info served piping hot.
Great explanation! I personally love this career field, though it's interesting to be working with people who went to school or have a background emphasized in CS. I have a Master's of accounting and come from an audit background so I focus on process, quantitative analysis, and the business impact side more than the tech side. If I need specifics, I'll speak to an SME. In my experience, the conceptual side of GRC is more difficult for those with a tech heavy background whereas it's the reverse for myself (I understand and break down the process for a gap analysis but am not hands on keyboard).
To add to your explanation if I may:
Governance is ownership; ownership of culture, processes, policy, risks, etc. You can identify risks and controls and implement, but if there is no ownership then who is going to be accountable for it? It's like having a CAP/POAM with no identified owner. I would add that buy-in is also part of governance.
Risk is always a super fun conversation: "Oh this XYZ is high for us" Based on what? What quantitative data do you have to verify that XYZ will result in a greater loss event than ABC?
Spot on with your statement on, at the governance level, 17% being acceptable. GRC is not the business or operations. It's not our risk so we can't make risk treatment decisions (though some very much want to).
Compliance, imo, is moving away from regulatory compliance or at least being less emphasized because "Added Value". As more orgs move to enterprise ICFs (800-53/ISO27K/COBIT/Etc.), they map the regulatory controls to the ICF to reduce compliance overhead. Smart move, but tedious to get started.
So my questions for you Gerald:
1. How have you dealt (if you have) with people in this industry who don't seem to understand the GRC process? For example, I hear many times that a control is high/low risk, which is not a correct statement. Or I will hear/see a risk description which is in no way a risk description ("Event caused by X will result in Y" or some similar variation).
2. I have seen several companies/leaders want to move from a low maturity (processes only somewhat documented/not standardized) to a high maturity (continuous monitoring) in a very short period of time, but do not want to provide the resources for that maturity growth within the deliverable time frame. Literally from no/barely a program to quantitative analysis with no aligned culture. How do you combat this mindset?
Thanks for the additional info and appreciate your support of my channel.
To your questions:
1. There are two audiences that fall into this, business side and IT folks. Business side gets the risk bit, but they have a tough time understanding what risk they are explicitly or implicitly accepting. Many see cyber as an on/off state where it's WAY more of a gradient than that and is actually less about security and more about resiliency. Other is IT, and trying to convey the risk of not following policy/process. It's quick and easy with elevated access to knock out IT tasking, but it introduces risk. Definitely has to be a relationship that develops, not a point in time conversation with a stick as a motivator.
2. The mindset is easy. Business speaks money. You can go from 0-5 but it will cost THIS much. That number will be outrageous if you are trying to do it in an unrealistic time frame. Then show the multi-year plan with year over year costs, and the priority of high risk mitigations, and show the value of risk posture reducing over time. That wins.
@SimplyCyber
1. Completely agree. The hurdles I have experienced are more people on either side, more or less, "talking the talk, but not walking the walk." They are using risk terms, but in the incorrect manner. This has led to issues with methodology. For example, you don't measure the risk of a control not being in place. You measure the risk of a loss event for an asset/process and then measure the "amount of risk" a control(s) will mitigate (i.e. increase your resiliency) to determine the ROI of each.
2. That's my approach; unfortunately, I would say easier said than done. I get looks of shock at timelines (labor hours = cost) sometimes, like the process should only take a couple weeks to identify assets, measure risks, map and document processes, etc.
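An added worked example (not from this thread and not the channel's material) of the point made in this exchange: risk is measured on the loss event, each control is scored by the risk it removes per dollar, and a multi-year plan shows year over year cost with residual risk falling over time. All loss-event and control figures are constructed sample values.

```python
"""Score controls by the risk they remove, then lay out a multi-year plan.
Constructed example: every loss event, control effect and price below is a
made-up sample value, not data from any real organization."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LossEvent:
    """A loss scenario for an asset or process: this is where risk is measured."""
    name: str
    frequency: float  # expected occurrences per year
    magnitude: float  # expected loss per occurrence, in dollars

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = frequency x magnitude."""
        return self.frequency * self.magnitude


@dataclass(frozen=True)
class Control:
    """A control is not itself 'high' or 'low' risk; it removes a share of the
    frequency and/or magnitude of named loss events, at an annual cost."""
    name: str
    annual_cost: float
    freq_reduction: dict[str, float] = field(default_factory=dict)
    mag_reduction: dict[str, float] = field(default_factory=dict)


def residual_ale(events: list[LossEvent], controls: list[Control]) -> float:
    """Total expected annual loss with the given controls in place. Several
    controls on one event stack multiplicatively (two 50% cuts leave 25%)."""
    total = 0.0
    for ev in events:
        freq, mag = ev.frequency, ev.magnitude
        for c in controls:
            freq *= 1.0 - c.freq_reduction.get(ev.name, 0.0)
            mag *= 1.0 - c.mag_reduction.get(ev.name, 0.0)
        total += freq * mag
    return total


def control_roi(events, deployed, candidate) -> tuple[float, float]:
    """(risk removed, ROI) for adding `candidate` on top of what is deployed.
    The marginal view matters: once other controls have shrunk an event, a
    further control on that event removes less and may no longer pay off."""
    before = residual_ale(events, deployed)
    after = residual_ale(events, list(deployed) + [candidate])
    removed = before - after
    return removed, (removed - candidate.annual_cost) / candidate.annual_cost


def plan_years(events, candidates, yearly_budget, years) -> list[dict]:
    """Greedy roadmap: each year deploy the best-ROI affordable controls until
    the budget is spent or nothing left removes more risk than it costs."""
    deployed: list[Control] = []
    remaining = list(candidates)
    report = []
    for year in range(1, years + 1):
        spent = 0.0
        while True:
            affordable = [c for c in remaining if spent + c.annual_cost <= yearly_budget]
            if not affordable:
                break
            best = max(affordable, key=lambda c: control_roi(events, deployed, c)[1])
            removed, _ = control_roi(events, deployed, best)
            if removed <= best.annual_cost:
                break  # the rest cost more than the risk they would remove
            deployed.append(best)
            remaining.remove(best)
            spent += best.annual_cost
        report.append({"year": year, "controls": [c.name for c in deployed],
                       "spent": spent, "residual_ale": residual_ale(events, deployed)})
    return report


# Constructed sample portfolio (not real figures).
EVENTS = [
    LossEvent("ransomware", frequency=0.5, magnitude=400_000),
    LossEvent("phishing-credential-theft", frequency=4.0, magnitude=20_000),
    LossEvent("laptop-loss", frequency=2.0, magnitude=15_000),
]
CONTROLS = [
    Control("mfa", 25_000, freq_reduction={"phishing-credential-theft": 0.8, "ransomware": 0.4}),
    Control("offline-backups", 30_000, mag_reduction={"ransomware": 0.7}),
    Control("disk-encryption", 10_000, mag_reduction={"laptop-loss": 0.9}),
    Control("edr", 60_000, freq_reduction={"ransomware": 0.5, "phishing-credential-theft": 0.2}),
]

if __name__ == "__main__":
    print(f"baseline ALE: ${residual_ale(EVENTS, []):,.0f}")
    for c in CONTROLS:
        removed, roi = control_roi(EVENTS, [], c)
        print(f"{c.name:16s} removes ${removed:>9,.0f}/yr, ROI {roi:+.2f}")
    for row in plan_years(EVENTS, CONTROLS, yearly_budget=60_000, years=3):
        print(f"year {row['year']}: spent ${row['spent']:,.0f}, residual ALE "
              f"${row['residual_ale']:,.0f}, controls {row['controls']}")
```

With these sample numbers the plan deploys MFA and offline backups in year one and disk encryption in year two, after which EDR's marginal risk reduction no longer covers its cost, so the greedy plan leaves it out.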
I really loved your message as someone new learning cyber security but coming from a data background. The extended explanation definitely makes sense! And also helpful in understanding where additional focus can be put into GRC! Thank you!
Marshal Mathers gave a GREAT explanation of GRC.
What...my name is....Huh....my name.... GRC
@SimplyCyber Ha Ha 😎
This helps me get a gist of what is going on in the tech industry
Governance is the most misunderstood. Thank you
This is exactly what I want to do. Thank you for sharing.
Fantastic Explanation! learning GRC was never this fun
Interesting...but cut out the background music.
Thx for feedback. Hope you stick around w the channel. I ran a survey back a few months as I was experimenting with the show including the channel. Majority of ppl preferred no music, so I stopped doing it. Very few episodes have music. Cheers!
*including music for the episodes on the channel
Thank you for explaining in a very easy way
Excellent video Gerald.
Well explained, Thanks
Thanks for taking a minute to comment and let me know. Glad you thought so.
Very informative bro 🙏🏾
Hi Gerald, it is a super informative video! Thank you 😅
I just started my journey into transitioning into a GRC tech role today with this video and shall update this comment in the next 6 months.
Yasss!!! Can’t wait
This is very informative , Good job
How do you think a technical writer could break into this? Is it possible with a degree unrelated to cybersecurity?
Hi Gerald, thank you for this awesome content. Please discuss examples of GRC plans created from past experience.
Fun idea Kate. Thanks will add something aligned w this in a future video. 😊
I just finished the Google Cybersecurity course on Coursera and I am interested in learning GRC. Where do I begin?
Great video. I learned a lot!
Hello @Gerald! I have 6+ years of experience in Vulnerability assessment and now want to learn and explore GRC. Please share recommendations for an online course which could be also impactful for employers and could be shared on LinkedIn and resumes (skills). Thank You! 🙂
Wow! Great video
Hi Gerry,
Thank you for taking the time to make this video! I'm a current graduate student in legal studies and am hoping to get into GRC. I have an interview coming up for a GRC compliance analyst intern position and it will be my first interview in this area. Do you have any recommendations or tips for me? I appreciate any insight you have, thanks!
Find out what that org needs to be compliant w/. Familiarize yourself w that, then wow them!
It is striking to me how much of a similar situation I am in (compared to when you posted this a year ago). How did things work out for you/are working out for you?
I have an interview on Monday. 😊
Thanks for the interesting video. Currently taking my MSc in cyber security & looking into entry level GRC roles. What do you think about the CIPM (Certified Information Privacy Manager) certification?
Hi Gerald! Great video and such a great explanation. I've discovered your channel thanks to a recommendation from my mentor. Now I know I really want to get into GRC. Do you have some recommendations, please? Thank you so much for the video and, of course, already subscribed!
Thank you
Hey thanks for the awesome video. Can you also help with how one can land a job in the GRC domain and what knowledge and resources one needs to know?
Check out NIST SP 800-30 and NIST SP 800-37; just google, they will come up. They are dry but it's the nuts and bolts and comprehensive. I'd also familiarize yourself with the NIST Cybersecurity Framework. Audit is another easy onramp to the GRC world. Look for "risk analyst" or "FISMA Auditor" or "HIPAA Auditor" type roles. Lots of entry level there.
Gerry, thanks for the effort to explain GRC in simple terms as it can be. Nice examples and the time to take a different perspective to complete a job well. Beeps at the swearing is a small aberration :-), but shouldn't matter much. Overall nice video. Thanks for making it.
Thanks. It's very uncommon to have curse words in my videos. Censor beep is in there? If it is, I prob swore by accident and just didn't want to upset the YT gods.
So I'm attending college for an MSIS degree (with a concentration in cyber). What are some of the good out of college jobs that I should look out for? I'm interested in IT Auditing and maybe being a SOC analyst. About halfway done with college too, so if there is any good training or "years of experience" I can gain while in college with online content, please let me know. The video was great, and I'm looking forward to this niche part of cybersecurity.
Are there any GRC related trainings online that you know of that would work an enthusiast through the process of carrying out GRC in an organization using structured walkthrough projects? There seem to be fewer trainings focused on GRC. Even BOOTCAMPS barely focus on those. Your help will be highly appreciated.
GRC can be a bit tougher due to the abstract of tools and hands-on keyboard related activities. It also depends on industry. The best I could suggest is
G--> governance doesn't really have training as it's more related to culture and company attitude toward security policy and enforcement.
R--> this can be qualitative/quantitative. This one has the most content for training. Check these out:
csrc.nist.gov/projects/risk-management/rmf-overview
www.nist.gov/cyberframework
www.fairinstitute.org/about
www.amazon.com/How-Measure-Anything-Intangibles-Business-ebook/dp/B00INUYS2U
If you google any of the topics those links point to, you can find videos and various trainings.
C --> this is standard specific. Some popular ones to get familiar with would be HIPAA (healthcare), PCI (payment card data), and GDPR (privacy in EU). You can also check out the "CIS 20 Controls" for a basic set of controls an org could implement to start a cybersecurity program and start to comply with and structure the governance.
Best wishes!
@SimplyCyber Thank you for the response. I appreciate it. I will work out a plan of approach based off your suggestions.
Dear Friends,
I have a question: in a GRC framework, could you talk about how the risk management activity will work? Thank you.
I've been trying to find a job in vulnerability research. I've got the OSED certification from Offensive Security, but every job requires a security clearance or being a US or UK citizen. It's VERY VERY FRUSTRATING. Do you have any tips? I'm thinking about settling for GRC or SOC if things keep going the way they are. Anyways, thanks for the video, your channel is amazing.
I am looking to start a new career in cyber security and I want to start in GRC. I am looking to get in as a starting point and way to network with those in red/ blue teams to eventually move up with an understanding of why they do what they do and make better decisions within the teams. What is the best way to get started? Training? Certs?
Hey David. Security+ is a fine cert to start with. You may eyeball ISACA CISA also as its well recognized and respected. Basically clears you as an auditor. One tried and true approach to GRC career is to get in via audit. Any compliance standard needs to be audited, so there is always work like that. Plus if you pick a niche industry like healthcare you can focus on HIPAA regulation as a standard. If you want to understand risk as a process check out the NIST Special Publication 800-37 (macro level) and 800-30 (transactional level). Best wishes.
@@SimplyCyber thanks, great information and a good place to start. This is a late life career change and is a bit overwhelming at times to try to get my head around. So just having a start point is good.
@@davidezzell4190 Connect w/ me on LinkedIn. I post about jobs I find in my network often and can shape up a query for your geo/requirements to give you an idea of what options look like and their quals (that way you can reverse it and develop a plan to get from where you are to where that job is).
@@SimplyCyber Hello @Geraldplease can I aslo connect too?, my case is similar to David's
is this the most important part of information security because you need to start with it. to establish the bigger picture then you will do the operational part : Pen-Testing, ....etc
IMO: if you want the clearest path to leading a program one day and engaging the business (which is critical), GRC is the right path. Blue and red and engineering can get there, but typically it's the engineer (hands-on keyboard fighting fires or starting them) vs analysis and strategy.
GRC is by far less exciting but has growth potential.
I'm sure your content is great because you're helping so many people. I find your presenting style really hard to track and remember because there's so much distraction and really loud talking.
Great video, but technically there are many governance GitHub repos out there.
Good morning Dr. Gerald, how can I be your protégé? I am just entering cybersecurity.
Was offered a GRC job today for 110k just after graduation, but I want to work with firewalls. The money is really getting me though.
Ummm. I'd scoop that. Get exp and money. You can do firewalls on your own time or befriend sectech and networking. $110k at graduation!!! 2002 Gerry would weep with happiness.
Why shouldn't large enterprises have 400ish policies for compliance?
Hi Gerry, is GRC a part of IT Auditing, or are GRC and IT Audit different things?
Auditing is a component of GRC. Think of it like Marketing is one aspect of a business (GRC), and managing social media is a component of the marketing dept.
Thank you Gerald, great video. I just bagged an MSc in Cybersecurity Technology and am looking to go into GRC as a specialization. I have not really had much practical experience in these areas, I have just been busy "passing exams." I'm looking to "start all over" again and, this time around, am looking at GRC. Please, what professional courses and fundamentals do I need to dive into this industry? Please advise. Cheers.
This is a plug but honestly the best answer. I made a GRC master course you can take here. Gives practical and theory GRC education. Simplycyber.teachable.com
Did you study at Northumbria University in London?!!!!!
Is there a certification for GRC, or just industry training? I would like to get a job in this field.
Yes. The GRCP certification by OCEG
Hey Gerald,
I realized that there are labs, for instance, for offensive and defensive security. Do you know if there are any labs for practicing GRC?
So not normally, and this is not me trying to sell you in any way. This video is a bit older. I got asked this question a lot and actually made a full course to address the gap in GRC training, and my course has multiple labs. And it's 40% off, coincidentally, til 8/27/23 at 11:59pm EST with code BACKTOSCHOOL at SimplyCyber.teachable.com
@SimplyCyber Thank you for the coupon, just bought the course :-)
@SimplyCyber This was a wealth of information. Do you have a video anywhere that goes through a "Reporting" lab? I think it would be very helpful.
@malukabee How is the course, bro?
@nahidsarker69 The best thing you will see on the internet regarding GRC, you should try it.
The background music is very distracting. The information is great though.
Thx. Was experimenting to see if having music made it more "catchy", hope the info was valuable.
Did you publish your PhD?
Are there any good entry level GRC certs?
Interesting question. Not really, but I will say you can get educated and show it (maybe not with a cert) in FAIR risk assessment. Check it out, a qualitatively quantitative risk assessment process that's less subjective than low/medium/high. It's becoming more widely sought after.
Thanks for this video, Gerald! In your opinion, how's the job security in GRC, considering the advent of AI tools like ChatGPT?
Please keep these videos coming!
Strong Opinion on ChatGPT impact on GRC? #cyber #cybersecurity
How are GRC and RMF one and the same? Or are they different?
Very different. GRC is the overall function within the business of managing cyber risk, clarifying what cyber risk is (which changes as threats and the business change), and ensuring approach and compliance are in line with business goals. RMF is just one framework to implement a structured cyber sec program.
Think of it like this: GRC is the rules and best practices of building a house, and RMF is one home model you could build to achieve the business goals of protection and a place to sleep.
Cheers friend!
@SimplyCyber Thank you so much my friend
@SimplyCyber Okay, so a question: if you come from a security assessor position and want to transition into a GRC analyst position, how do you navigate that interview process, because it is different?
@Holiwood31 You should introduce threat intel into your day to day so you're not just assessing the efficacy of the control but what the threats are to not having it, and then learning to qualify the likelihood and impact of that threat being realized.
Do you recommend any GRC course online, please?
Mine is well received. Simplycyber.teachable.com
@SimplyCyber Do I have lifetime access to your GRC course after purchase?
@kay2666 Yes.
@SimplyCyber Thanks
Can you get a GRC job with no experience?
No prior GRC job, yes. No prior experience will be tough. You need to study, learn, practice. All this can be done before the job, but given the candidate pool for jr level roles, you definitely want some hands-on keyboard / lab type stories to tell and put on the resume.
You should launch a Simply Cyber magazine.
Thanks for pausing that crappy music @5:20 for a short time. I don't understand what makes you put music in GRC intro videos?
Thanks. As a creator I try different things to see what works and what doesn't. Appreciate the engagement.
Is this guy Eminem ?
Sounds like you just googled GRC
Awesome! Thanks for the compliment. It's tough to break complex topics down into digestible bite-sized lectures, so to say it's the equivalent of the search engine that gives you exactly what you're asking for is spot on. Thanks for supporting the channel. Cheers!