0.2 Course Overview: Building Risk Management Skills that Open Doors

Transcript

Hey, do you want to work in cybersecurity governance, risk, and compliance (GRC)? Well, risk is the heart and center of it. And looking at different career paths like you see at CyberSeek.org here, risk skills are a good area to focus on in a progression from starting level to advanced level roles.

My path went from finance on the left here as a feeder role to break in to an appropriately placed position on the bottom of the map and the bottom of the totem pole as a junior IT auditor. As I worked my way up and to the right into cybersecurity management (I'm now in my fourth year as director of GRC at a software company), I've experienced and witnessed firsthand how risk management skills can open doors.

They can make the difference between just working compliance checklists and implementing other people's decisions to having your work influence the decision. And this is not some controversial hot take. You'll hear the same advice if you ask seasoned veterans out in industry and you hear them talking about career progression.

It's pretty common for mentors to advise people from technical backgrounds like IT support, networking, or engineering to take risk training to boost their business skills on the path to leadership, maybe even to CISO. Or to tell people from business backgrounds like me to take risk training too, because it's a good entry point into cybersecurity where lots of transferable skills, maybe a surprising amount, from business backgrounds are a good fit for the work.

But what does it really mean to have skill for cyber risk? How do we get the risk analysis and risk management skills that can launch and lift a career? Finding the answer to that question took me hundreds of hours to produce this 14-hour course. I've broken it up into 107 all-killer, no-filler videos based on my real-world GRC leadership experience.

I also ground everything in industry-standard guidance, like NIST Special Pub 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, where not just tactically at a system level, we get right up to the organizational level. Then the big one, Special Pub 800-37, Risk Management Framework, RMF, maybe you've heard of it. And then the one I reference most frequently on a day-to-day basis, 800-30, the Guide for Conducting Risk Assessments.

Cybersecurity Framework is in there, of course, and there's a long list of more, getting to 37 in total. Then to validate risk skills systematically, I partnered again with Accolade, founded by Jason Dion. You might have seen him before. He's to date trained, through various learning platforms, 2.5 million students.

I'm an authorized instructor for Accolade in this and two other courses. And since before then, I've been a member of their advisory council of hiring managers. We're a cross-section of practitioners and managers across industry focused on filling skill gaps we want to see in our teams that the legacy certification bodies are not meeting.

In this course, I'll take you soup to nuts through all five domains that Accolade has outlined for cyber risk management foundations. You can see the full list in the course outline, but I'll quickly introduce you to the five domains here.

So domain one is to understand the foundations of risk management and its importance in cybersecurity. Know the terms so you can speak the language, know the concepts, and see that there's no need to reinvent the wheel.

Then we start with why in domain two, getting into strategy. Like Richard Seiersen says in the course (he makes a few cameo appearances), it's a much more fun way to live when you're helping people, and it makes for a much more fruitful career to be measuring and focusing on the right stuff. Get aligned to business objectives and get strategic.

Then risk identification and analysis. Here we get comfortable threat modeling, understanding the underlying technology and the business we want to protect and enable, and being that compass to help management make smart trade-offs and decisions.

Risk response and mitigation is answering my favorite question: so what, what's next? And of course, there's risk monitoring and communication. This is not a one-and-done, and not something we do in isolation.

Related jobs for the skills we cover in this course include junior risk analyst, IT compliance specialists, where I started, and GRC analysts, with salaries ranging from around $50,000 to $100,000. And then this foundation course is a prerequisite on the path to the next one, Cyber Risk Management Practitioner, where we see salaries for related job roles ranging from $85,000 to $400,000, according to the Indeed Cybersecurity Salary Guide.

Now, am I saying that certs alone will help you get these jobs? No, of course not, but they can help, right? Education is a small yet powerful part of a 70-20-10 career development plan. 70% experiences, 20% relationships, and 10% education. But don't undervalue that 10% education component. It's small but mighty, introducing you to new skills, methods, and people that unlock opportunities for relationships and experiences.

Check out the course outline for more details on the material we cover and watch for yellow stars for lectures with special guests. If you're watching right now on YouTube, you can find that course outline in the course in two awesome places. One is accolade.com with the full 13 hours of lessons, including almost two of those being with Dr. Gerald Auger, either in videos with me or in his mini TED Talks from the SANS Difference Maker of the Year award-winning Daily Cyber Threat Briefing.

The second place you can find the course is Simply Cyber Academy, which has 14 bonus videos featuring Jerry adding another 90 minutes. Also in the academy, you'd get his name on the CP certificate, plus support in the Simply Cyber Discord, which has 16,000 members.

Both of those options come with seven practice exams, so you can be well prepared to crush it when you get to the real exam in your first attempt. The bottom line for this course is that it's all about your transitioning from tactical to strategic work, from implementing other people's decisions to making them yourself, and taking your career to the next level.

Thank you so much for being here. It is a privilege to be your instructor in Simply Cyber Academy. Are you ready to upskill in cyber risk management? Start learning now in the next lesson.
