📊 GRC Certification Killer to Filler Ratio Analysis


Transcript

Is GRC right for you? Awesome litmus test in quotes here.

Pick up the NIST Cybersecurity Framework and start reading it. If you fall asleep at phase five, it might not be a good fit for you.

So that's pretty good.

I'm biased and I really enjoy this work.

I appreciate it's not for everybody.

And I think having a realistic job preview is good.

In the next section of GRC Jumpstart, he talks about gaining initial experience and leveraging your current role.

This is certainly the strategy that I applied in terms of working in finance and asking for a mentor in information security, kind of cold calling them and saying, "Hey, I heard cybersecurity is cool. Here's my career development plan. I'm thinking about breaking in. Is there anything I can kind of help with?"

And I help with audits for sure.

I didn't help with policy development, but I think that's a good idea.

Risk assessments.

There's going to be a high volume of third party and security risk assessments that might need work and can always use help.

A different perspective on what are the threats and vulnerabilities and what's the residual risk level.

And just having a quarterback or someone to grab the template, talk to the business, get the information and bring it back to a security analyst to refine it and get the job done.

So if you have the benefit of a current role to leverage, great opportunity.

And I always say this, but I recommend your career development plan template as an icebreaker to ask for a mentor, to then ask for a GRC stretch assignment.

Now that's not going to work if you don't have a current role.

And in your career development plan of 10% education, 20% relationships, 70% experiences, you might have to overweight the education portion if that's where the immediate opportunities are.

And so we'll get into the alphabet soup there.

And I think I want to call on Dr. Auger for this.

Let's go get him.

STEVE: All right, Gerry, ready to talk certs?

GERRY: Oh yeah, it's a good one.

STEVE: So there's the alphabet soup.

And I took a look at the ones in the course and I took a look at the ones in my GRC cert roadmap.

And we're aligned, man.

My first thing I noticed was you're picking the ones that are on the job postings.

Boom, right there.

You're also picking the ones that are on the DoD 8140 list.

That said, even though they're on my list, they're old and expensive.

And when we talk about CISA and CISSP, even though I've got them, and even though they help me, I'm not saying I don't recommend them.

I think one of the key things I want to sink with you on is the very important metric of the killer to filler ratio.

So when you look at CISA and CISM training, what do you think the ratio is of killer to filler?

GERRY: I would say the ratio is, I guess if killer's the numerator, it's incredibly low when I and this is going to be an exceptional hot take.

If you don't study the exact ISACA material, you are flirting with danger.

The way that they word their questions, the way that their answers are set up, what ISACA wants you to answer versus what you would do in a real business when you have other factors going on.

STEVE: Yeah, like, yeah, exactly.

All right.

So I want to keep unpacking more data points to figure out how we know where people should go.

So in an accounting firm to get to manager, you need one of the ISACAs or the CISSP, but you probably aren't ready for that.

So you don't need two in terms of the CISA, the CISM, you'd get one.

I haven't done the CISM though, and you have, so I don't know if that's a deal breaker.

GERRY: It's more executive level. Yeah.

STEVE: Okay. Interesting - gotcha.

The next bit is a lot of big costs with the different ones that I didn't have on my short list.

Here's why I've got my AKYLADE Cyber Resilience courses on there.

And I'm thinking about them in the context of the CISM and all the other, the alphabet soup.

So the reason you saw value in those searches around the job postings is where you do want to start and they do help.

So that's the reason you want to do them and I still recommend them.

But the thing is, the AKYLADE certs aren't on the job postings.

However, they're ISO certified, and they expect to get on the DoD list.

So kind of maybe we'd take off more down the road.

I want to tell a story.

I had a member of my team that got the CISA and I got to tell you, it didn't move the needle at all on their ability to contribute to the team.

However, it's good on the resume, like it's still good that they did it.

But the focusing on the AKYLADE training actually did help more and was more impactful because it's more of the practical skills.

And it's not on the job postings, but it is, there is value, I think, in going and sitting down on an exam as opposed to self-studying that material.

And I like the material.

So anyways, in this 10% component of our CDP, I think there's a place for it.

So with that context in mind, it's been about a year.

Any thoughts on changing or refining the cert roadmap I had laid out?

GERRY: Give me a minute.

I'm going to have to review this again.

STEVE: Yeah, let's do it.

So I can zoom in.

So year one, Sec+ is very aligned to your course, GRC Jumpstart.

And you can do free and paid courses, including in Simply Cyber Academy and including with Jesse Johnson to get ready for that.

And I didn't do it.

And there's different ways to do it.

And there's CC we've got on the shortlist, not on the shortlist, but as a runner up.

Network Plus, A Plus are on runners up.

They're not on the shortlist.

You've reviewed the certificate here.

You've got your one-on-one course.

They're all kind of helping in that regard.

Master Class and CCRF, no real prerequisites, but you do benefit if you do have this foundation here.

Then...

GERRY: Well, hold on, hold on.

Let's just talk about the entry level first, right?

I feel like there's clear categories of, you know...

So first of all, I did just release this GRC Jumpstart, which basically isn't a full course.

It's a mini course.

And it says, essentially, what is GRC?

So you can wrap your head around it.

And then is it the right job for you?

Because as much as I want everybody to have a rewarding career in cybersecurity, some people may not enjoy GRC.

So wouldn't it be nice to get that at day one instead of day 180?

You know what I mean?

STEVE: Absolutely.

GERRY: I might even look at that before.

Almost like the first step, really, honestly.

And then secondly, and this is a little bit of a hot take, Steve, but I think maybe sprinkling in a little bit of AI awareness in here.

Now, Cyber 101 doesn't have AI.

And maybe there's an assumption here that you're getting some education around networking, operating systems, web applications, automatically in here.

But AI is so incendiary hot.

I mean, it's like societal shifting that I think having some exposure to it, maybe not developing your own LLMs, but at least having some concepts around how AIs are trained, how guardrails work.

STEVE: Andrej Karpathy, 3Blue1Brown, or whatever it is.

GERRY: Yeah.

STEVE: John V and the AI-ML chat in Simply Cyber Discord.

GERRY: Absolutely.

Yeah.

So I think that, you know, like, again, it's a little bit of a hot take because it's not directly related.

You're not going to have a job posting that says you're going to AI knowledge, but I just think it'll make you a better practitioner as well as, you know, look like you're on the cusp of like what is emerging from.

So when you're interviewing, you're showing that like you can do more than just be spoon fed like you're taking initiative.

STEVE: And you have another free course that could fit on here as well.

What's it called?

The Career Ladder course or something like that?

Oh, we talked about it.

GERRY: Career Launchpad.

STEVE: Yeah.

So easy, easy addition to this one.

That'd be great.

Okay.

GERRY: Yeah.

I forgot about that one.

Yeah.

The Launchpad is more like drinking from a fire hose, which by the way, is a perfect thing to start with.

I know that sounds kind of outrageous.

It is like if you're going to work in cyber, you're going to be basically drinking from a fire hose quite often.

So best start now.

STEVE: Like I remember looking at what is it called subnetting? Where you write down the ones and zeros right in the CCNA type training?

Never used it, but it was sure helpful to learn about networking, crimping network cables, like stuff like that.

That was just cool to dive in and try a bunch of stuff.

And then intermediate, more risk and more practitioner stuff and like big CSF profile assessment.

So not on the job postings or practical skills, and actually you can use it to help your portfolio and you can take the course or you can do the exam as well.

But I think they're good options.

GERRY: Yeah, they are. I would almost wish that somebody would, there would be some, well, I guess you have risk management fundamentals, something around a framework.

It doesn't have to be in a CSF, but in a CSF is free.

STEVE: I had CSF in the intro level there with my A/CCRF here, of course, and the CSF document is free, and there's free training on it, and I have free training on it, and so do you, and it's in your masterclass.

But I think that I have lots of students that have given testimonials and I think they find value on CSF training in that (A/CCRF) course.

GERRY: Yeah. And just so people who are listening right now, you may not connect the dots on why it matters and we're just like, you know, offering up some free resources.

I feel like when you get free resources, if you don't understand the why behind it, it's like you just, you just sign up, you throw it in your, your backlog and then you forget about it.

When you're starting off in your career journey, you're getting a lot of like new terminology, new concepts like you're, you're learning so many like basic building blocks, right?

Fundamentals.

Well, when you go a little bit further and you're like, now you're going to learn a framework, a framework is going to show you the comprehensive, holistic picture of how you're going to introduce information security in a structured, deliberate, scalable fashion for business.

And the equivalent of this would be again, like you've got Lego.

So now you understand what a six block is and what like, you know, the techniques are and you can make a motor move and all this other stuff.

The framework is showing you like bigger pieces, like, okay, so if you add this motor and these cogs, you can make a, you know, a rotation engine type, right?

Like you're learning how to take fundamentals and put them into pieces where now you can structure the pieces together.

And that's what a framework does.

A framework allows you to, in my opinion, get your arms fully around from, from one end to the other of what the scope is, uh, of, of an information security program, the equivalent of final metaphor, the equivalent of putting the border around a jigsaw puzzle.

Like you understand now, okay, I get like, I'm working within just this space.

So now I can begin to focus it because otherwise, unless you get your head around this, you're going to feel overwhelmed because you're going to feel like, Oh my God, is there no end in sight to all of this?

Like every day I'm like hearing about something else, like, uh, like people just get overwhelmed because it's almost, it's almost too much information with a framework.

You can see where the pieces fall and where they sit and it, it can make more sense.

STEVE: Absolutely.

I think it really helped and clicked with me when you described cybersecurity framework and it's left and right of boom and it's just six functions.

It's like, oh man, with all of those CISSP domains being careers in themselves, that's like eight careers spinning around in this fundamentals area.

How, you know, how, how does it come together?

So put it together in a framework like CSF is the best one and then figure out how to use it to assess the top five risks in an organization and present a scorecard to management.

Now we're talking about how you can do, you know, make an impact.

So then I've got a CISA because it's on the job postings, but I wish it was more practical and value adding in terms of the content.

And that's why I surrounded it with the AKYLADE training, including the AI training that's coming out.

And then finally the CISSP stuff here.

So I think, yeah, like is this still it?

So we have some additions to the beginning, but otherwise, you know, anything else to change?

GERRY: No, I think that's pretty good.

When I took the CISA, you know, I had already been an auditor for a number of years, so it was almost like, yeah, oh yeah, like, oh yeah, I am doing best practices or like, oh, like maybe I should adjust this or whatever.

But no, that's definitely...

STEVE: I don't want to dunk on the CISA too hard.

I think it, cause you know, I did benefit from it and not beyond just the resume.

It was interesting from like a, you're talking about segregation of duties earlier and it's like, what's the answer to this question?

Why do we take vacations?

A, because we're friendly, B, because we think the employee might be committing fraud and we need to check.

It's B. It's like, whoa, I hadn't learned that in any other courses.

That's kind of interesting.

But I just, I do see room, I think my key point here is for the other things around those.

All right.

Well, I think that's it for certs.

Thank you for that.

I've got one more question and I'll see you there.
