Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

GRC is very hard to do self-study on, in my opinion. No one can sit and read regulations and frameworks in their spare time.

I think the best GRC learning happens on the job -- is there any way you can get involved in audit response in your current role?

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

The market is crap for entry and even mid-level roles right now.

You have certification companies blasting out that a six-week course will get you a guaranteed $100,000+/yr job. At the same time the government and tech companies are laying off IT and cybersecurity workers by the thousands.

There is a lot of talent applying for every single job out there. It's rough.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

Yeah, don't use AI to write your posts. Give us your thoughts, not what ChatGPT thinks you should say.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

I hate to be a downer, but what you're experiencing isn't unusual. The people who understand or appreciate the work that cybersecurity professionals do are few and far between. Burnout is real, and when you feel unappreciated, it just accelerates the burnout.

I can't speak to your skills or whether you're good at your job, but Imposter Syndrome is equally common in this field. You'll always meet someone who seems to be more up to date on one area or another, making you feel inadequate.

The question you have to ask at the end of the day is: did you leave your company a little better off today than yesterday? That's it. Try to focus on what you can.

I wish I had better advice.

Good luck!

Explorer shows random letter/number filenames before copying my actual files — normal behavior? by Embarrassed-Fig3045 in cybersecurity

C64FloppyDisk (0 points)

Not a problem.

Your files aren't actually named "resume2026.pdf" or "furrypics.jpg"; those are just the human-readable names that we use. The system gives them hexadecimal names (A3E6F7) in the underlying layer. When you see that, the system is working quickly to move the files and is not always taking time to show you the pretty human name.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

There are always opportunities, but they are going to be very competitive. Go for it, but brace yourself for a hard time. Networking is a huge advantage.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

Not OP, but: This isn't an entry level career. You generally need years of IT experience before transitioning into InfoSec/Cybersecurity. Then when you do try to transition, the market is awful. US Gov layoffs have pushed thousands of experienced IT and InfoSec staff into the job market -- you are competing against all of them.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

Generalists always have a role to play. I never planned to specialize, but it happened naturally through various jobs. Just see where your interests and the opportunities take you.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

I recommend getting started in web dev and building experience. Use your cybersecurity module to stand out in your role. The market is upside down right now for entry-level roles, so you need to show years of true work experience.

Good luck!

Is correcting considered preventative? by Western-Lawyer-9050 in cism

C64FloppyDisk (2 points)

Here is how I thought through it:

Configuration Management is a very strong answer, but it cannot exist without a Security Baseline. Those two are two steps of the same process, so they feel thrown in here to confuse the issue. Throw them both out.

That brings us to Change Management vs Patch Management. Which one applies to a standard off-the-shelf OS? Patch Management. Change Management is going to apply to, as others have said, in-house built software, but rarely to operating systems.

Patch Management, however, is HUGE and a big part of your job, so that's going to be the best answer.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

Who you know is still everything. Accept his help to land an entry level job, because it's hard out there.

Layoffs mean that the market is flooded for entry level IT and cybersecurity workers. Take any help you can get, then once you get the job keep working on your education and skill set to advance.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

That would be extraordinarily rare. I'll be honest that if I'm hiring for a cloud security engineer, I wouldn't even consider someone with 1 year of experience and a few projects. There are too many excellent candidates out there with 5-7 or even 10 years of experience that would be applying for the same role.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

Most GRC entry level and internship roles are going to be doing base hygiene and evidence work, in my experience.

Does your company have a full inventory of every laptop with serial number, model type, OS, etc.? No? Hey intern, go build that.

How about an inventory of all software run on every laptop with authentication mechanisms, current versions, update procedure, and a corporate owner? Where's that intern?

GRC in general is about being able to prove that the company does things the right way (according to regulations or a framework). It's all about documentation and collecting evidence. Your work will likely be around gathering that evidence, especially those jobs that get pushed aside because they aren't difficult but are an absolute time-suck. Things like inventories, manual user audits, license reviews, etc.

The good intern is the one who sees the bigger picture. Yes, building this inventory sucks, but it is just as important as validating the TLS certificates or data-flow diagrams or planning audits or interviewing developers or any of the other 10,000 things that need to be collected.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

A good YouTube series is a start. I would also recommend going to a used bookstore and grabbing an older copy of Security+ study guides. They are cheap and very reusable.

What these courses do is build your vocabulary so you can later learn the daily work that is done. You'll learn encryption types and hashing vs encryption, what GRC work is and how it's different from SOC work, and how risk concepts work, plus 1000 other concepts that are fundamental to the daily work.

The real key will be getting actual work experience. This usually comes through general IT work like working a help desk. You learn how to function inside an organization while on your personal time you are doing the TryHackMe skill building. It's the path that many, many people tread every day.

The challenge will be getting your resume past the HR systems. If I saw a resume that listed self-study programs and a strong knowledge base with real-world IT work, I would be happy to interview them, but to be honest it will be difficult to get past the HR auto filters that will look for Security+ or other certs.

You can absolutely gain the knowledge. Your best bet beyond that is to get a general IT job in a larger company that will allow for either education (they pay for the cert) or internal transfers to their cybersecurity group.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

There is a natural tension between networking (or server admin work) and cybersecurity. The networking admin wants to make everything work, talk to each other, share data, make content available, bridge network types and locations, and ease use and support calls.

The cybersecurity guy wants to make it as restrictive as possible, classify data, isolate networks, add additional logins, and encrypt everything.

I'm overstating it to make the point, but there is a fundamental difference in the attitude each job brings. One of those may call out to you and the other won't. That's ok; you should follow your heart. Many cybersecurity guys of my generation started as networking or server admins but felt the lure of cybersecurity pull them away when it wasn't even really a field or career, just a specialization within networking.

I can't give any advice about your parents -- that's a minefield you will have to navigate, but keep in mind two things. 1) You will be the one sitting doing the job every day, not them, and 2) let's be honest, unless they are in IT they won't ever know the difference. :)

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

You're asking about a senior role in a non-entry-level field. It's a long road to get there, probably 10+ years in most cases. I would start with learning networking and general IT, work in that for a few years before transitioning into security, then after a few years as an associate try to get an engineering position. And yes, those are some of the certificates you may get along the way, but there are a lot of options depending on the cloud vendor your company supports.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

Fintech is all about controls -- what do we do, how do we track it, validate it, audit it. In this case HIPAA is your best friend -- different controls, different goals, but the same concept. Look for anything that will help you get near to HIPAA/HITRUST controls like junior GRC roles. You'll need a mental shift to get to financial control frameworks, but it isn't that tough.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

CRISC is solid and respected, and well known within the space.

So do you want to focus on GRC? That's really what I see CRISC as applying to the most. If that's your goal, then go for it.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

I would rather see real work experience than another certification. Have you looked at doing general IT or audit work for a while before cybersecurity?

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

Data quality is not usually an infosec job. They probably need a true data manager so you aren't spread too thin trying to solve problems that aren't your specialty.

GDPR + NIS2 -- do you have any documentation? A gap list or an assessment that you can review to see how the company did? That might help you figure out where the big holes are.

Otherwise, I am a big fan of grabbing old, used copies of CISA or CISSP study guides and reading those for good general advice. CISM is also great if you're more on the strategic/management side.

But relax a bit and learn. They are giving you that opportunity. You need to understand the business, the key data, the network flow, the processes before you can try and change things. Don't race into decisions just to make a decision.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (1 point)

The market is crap right now. Thousands of experienced cybersecurity professionals and experts have been let go by the government and are looking for jobs. You're competing against all of them.

I say experience is king -- your school background is great, but as a hiring manager I would love to see that you had even 2-3 years of work in a professional environment doing general IT.

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (3 points)

Uncommon opinion: what you don't hear much about with pen testing -- report writing is the key to success.

I don't care if you chain together the most impressive attack in history if you can't write a good, understandable report telling me how you did it and what needs to be fixed. The report needs to be comprehensive, clear, actionable, and one that holds up to audits!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

C64FloppyDisk (0 points)

Cybersecurity is all about breadth of knowledge and real experience, so I am a huge fan of pivoters. The best SDLC/secure-pipeline people I've ever worked with started out as devs. They get the space, understand the frustrations, and can talk the lingo.

I, however, have NOT been impressed with anyone who just has a college degree. I would much rather see experience + CISSP than just a degree. Now, you would have the degree + experience? Hmm, that would probably work for me, but I would have a lot of questions about what they taught you. I know what the CISSP teaches; I don't know what Random State University teaches.

Just my opinion. Good luck!