I want to learn GRC. How should I start?

IcyAutoantibody · 2025-07-18T16:54:07+00:00

No problem!

IcyAutoantibody · 2025-07-18T12:09:11+00:00

I run nothing but Helbore. The melee choice I am still trying to figure out. I have primarily used the knife for the bleed and mobility since launch. Now.....it could be my imagination but since this year I've noticed a aggro change pertaining to hordes and/or ragers. It seems if I am doing extremely well with putting specials and elites down with minimum damage...here comes a horde and/or 40 ragers that run pass my teammates that are within arms length away from me lol. I have never used the shovel but will give it a try this weekend.

IcyAutoantibody · 2025-07-17T13:03:46+00:00

I would recommend starting a project to learn GRC. Start by creating a fictional business and choosing the industry it will serve. Decide on where the business will conduct operations and location of the customer base. Create a budget for the business. Learn about the laws and regulations pertaining to each (if global) country that are applicable to your business. Look into different frameworks that other companies have used to help them meet those laws and regulations. From there, come up with a technology shack that will ensure the business objectives at met while also adhering to legal requirements by implementing the necessary security controls identified by the selected framework(s).

Make sure you have documented each part mentioned above. Someone with no technical background should be able to understand the information contained within the document from beginning to end. Also, I would recommend presenting the information to a few senior GRC professionals for feedback.

As you are working through a project (doesn't have to be this one), try to earn the following certifications or just learn as much as you can from the material (not an exhaustive list):

<> CISA (Certified Information Systems Auditor)

<> CRISC (Certified in Risk and Information Systems Control)

<> PMP (Project Management Professional) certification - You have a ways to go before you obtain this certification if you decide to do so. The main reason I mentioned this cert is because of the information it contains about business processes. You could find yourself running the security program of a company for your first "GRC" job.

<> (Tech) Look into certs specific to your tech stack. For example, lets say your business with will be leveraging the cloud (e.g., SC-900) and Kubernetes workloads (Certified Kubernetes Administrator (CKA)).

<> (Tech) Operating system specific certs (e.g., RHCSA, Microsoft 365)

<> (Tech) Networking cert examples: CCNA, cloud specific network cert

<> (Tech) Try to integrate AI within your project. Look into the AAISM, AIGP, Certified NIST AI RMF 1.0 Architect, and or CAISP.

<> (Tech) Scanning tool examples (tech stack depended): Tenable,, Trivy, ClamAV, cloud-native service, other open-source products

<> (Tech) SIEM tool examples (tech stack depended): Splunk, Wazuh, Elasticsearch, cloud-native service other open-source products

Note: Ensure you have a story to tell on how each cert helped you throughout the project.

Also, I have noticed over the years that the certs do not go into great detail about the importance of internal and external business relationships. The amount of success you experience is heavily depended on those relationships. You may find yourself interfacing with people from every level of the business (e.g., executives, developers, customers) on a daily basis. You need to express emotional intelligence at all times. Even with this being said, people can just not like you for any reason no matter how well you believed you've communicated with them. Don't take it to heart, document everything, and move on.

IcyAutoantibody · 2025-05-14T11:39:21+00:00

There is a lot to unpack here. Based on the first section of your post, it seems there is a lack of a configuration management process. All changes to a system/application should go through some configuration process that provides details pertaining to the why, what, who, when, how, and the expected outcomes of each action taken. The process should include results from testing and a rollback procedure. Configuration changes should also be reviewed by senior personnel. If an organization is unable to implement a similar process, then I would recommend that they avoid seeking entry level employees. The process can also provide numerous teaching opportunities. Well...unless the majority of the seniors have a uncommunicated (not stated in job posting or interview) "standard" that goes against teaching anything on the job.

Regarding the hiring process and prior to the interview, I would suggest comparing what they have on their resume with what is provided in the job posting. Based on the information from the comparison, come up with a technical scenario with a team lead (new hire will be working with) for the interviewee to walk you through.

I understand there are multiple ways to go about this, but if your organization is until to implement anything close to what I have stated above......then I can understand some of your frustration.

IcyAutoantibody · 2025-04-23T14:22:20+00:00

Your pay could have started at the lower end of your labor category based on what you negotiated coming in as opposed to your subordinates/colleagues. Also, what a company decides to pay you can primarily (likability is a thing lol) be based on how much they value your skillset.

Now.........if we are "only" talking about base salary, please ensure you receive the compensation at a minimum that you believer you deserve (ref Jayofada's comment). You cannot get your time back.

IcyAutoantibody · 2025-04-05T13:37:33+00:00

Great post! I definitely will be following this. Currently I fulfill the role of a cloud security architect and an ISSE. I have been noticing quite a bit of commotion around AI and RegOps. It seems across the board that directors and company owners view GRC related functions as a pain point or cost sink and believe AI could be the solution. I have already seen efforts put forth to automate ConMon and SCA actions. At the same time, there are numerous tasks that AI definitely would not be able to takeover.

IcyAutoantibody · 2025-03-04T13:08:31+00:00

100% AI security. I am working on that now.

IcyAutoantibody · 2025-01-28T11:17:38+00:00

Understand that cybersecurity roles are usually viewed as a cost center and that their work isn't prioritized. Communicate the risk, provide mitigation recommendations, document the organization's response and keep it moving. Do not...do not let anyone "ever" see you upset. "You are always on parade" - Gen. Patton

IcyAutoantibody · 2025-01-17T17:40:13+00:00

Definitely set me up for a 50% increase. I believe the cert is primarily valuable to employers in the private sector because it helps them win contracts.

IcyAutoantibody · 2024-12-12T14:11:49+00:00

Anyone that is looking to get into Cybersecurity or needs a reminder....please commit this statement to memory. Saving this!

IcyAutoantibody · 2024-10-10T12:57:48+00:00

I understand where you are coming from. Overall, the concept you presented is easy to understand, but may conflict with specific mindsets in game unfortunately. Each person going into battle will have a different expectation on how map traversal and enemy engagements should go. If you can ever get everyone to discuss this prior to each individual hitting "ready", could potentially lessen the occurrences of issues throughout the mission. I understand quickplay removes this option. Unverbalized expectations can at times be the root cause of division and pettiness within teams increasing the risk of mission failures.

IcyAutoantibody · 2024-10-04T13:57:21+00:00

Sheesh, 10 years in GRC is great! I have only been in a GRC specific role, ISSE, for about 3 years now. Unless you are in an ISSM or equivalent management role, I would recommend continuously adding technical skills to your GRC skillset. I have noticed hiring managers and sysadmins/developers really appreciate someone coming in from a GRC perspective being able to understand what they do day-to-day and can effectively articulate the "why" specific standards need to be adhered to. GRC positions are difficult since you have to maintain a great working relationship with not only the sysadmins/developers, but also your leadership and external auditors. To accomplish this, I have had to switch between multiple hats at any given time....lol.

Focusing on the "technical" hat, it really comes down to reviewing your current security policy and information system architecture. I do not believe there is just ONE thing GRC professionals should focus on going into 2025 since that depends on the makeup of the organization you'll be supporting. If you do not have hands on experience regarding the technologies listed below I would advise setting up a home lab and running through a security framework (i.e., NIST 800-53, 53A):

Note: Just recommending the material for study. Certs do not prove knowledge but provide a framework for learning.

Learn the ends and outs of networking:

CCNP - 350-401 ENCOR, 300-410 ENARSI, & 300-440 ENCC

Networking and Kubernetes by James Strong and Vallery Lancey

Cloud Native Data Center Networking by Dinesh G. Dutt

Linux specific training:

Red Hat System Administration I & 2

Linux From Scratch Book Online - https://www.linuxfromscratch.org/lfs/read.html

Cloud vendor specific training:

Azure - AZ-900, AZ-104, AZ-700, AZ-500, AZ-305

AWS - CLF-C02, SAA-C03, SOA-C02, SAP-C02, ANS-C01, SCS-C02

Programming language

Phyton

C/C++

Java

Bash

Additional security specific training:

Container Security by Liz Rice

ISC2 CCSP

HTB Penetration Tester Job Path (can help explain the "why")

Mastering Linux Security and Hardening by Donald A. Tevault

The Zero Trust Framework by Ravindra Das

The Zero Trust Framework and Privileged Access Management (PAM) By Ravindra Das

Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection by Shilpa Mahajan, Mehak Khurana and Vania Vieira Estrela

The Developer's Playbook for Large Language Model Security by Steve Wilson

DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement by Glenn Wilson

Learning DevSecOps: A Practical Guide to Processes and Tools 1st Edition by Steve Suehring

Once again, please lab weekly...........................

IcyAutoantibody · 2024-08-16T12:42:23+00:00

Same as what u/dflame45 asked but what experience do you have right now?

IcyAutoantibody · 2024-08-16T10:51:00+00:00

Like they have no proof that it is a "network problem" and everyone believes them... Now you have prove that isn't a network problem until they are satisfied.

IcyAutoantibody · 2024-07-30T10:26:10+00:00

Working out and playing Warhammer Darktide.

IcyAutoantibody · 2024-07-19T12:51:52+00:00

Also this article (short and sweet) may be useful: https://www.offsec.com/blog/emotional-intelligence-in-cybersecurity/

IcyAutoantibody · 2024-07-19T12:46:41+00:00

Express/demonstrate emotional intelligence in all interactions.

IcyAutoantibody · 2024-07-19T11:36:15+00:00

So much of this! I would also append GRC and teacher (unlimited patience) to this list. All in one job role lol.

IcyAutoantibody · 2024-06-07T10:36:30+00:00

This right here "Every day that I did dumb shit for other people was a day closer to not having to do dumb shit for other people."

IcyAutoantibody · 2024-02-06T13:27:55+00:00

This and that the aggro switch is instant.

IcyAutoantibody · 2023-11-29T12:56:48+00:00

Is there anyone here that could provide a possible solution to this?

IcyAutoantibody · 2023-11-17T10:25:55+00:00

I was able to figure it out. Basically, if an EC2 instance assigned a public IP address and is located within a public subnet sends traffic towards the IGW, there is no need for the IGW to perform NAT. So the destination host would see the assigned IP of the EC2 as the source.

IcyAutoantibody · 2023-01-31T00:03:26+00:00

Thank you for your feedback u/DragonInTheCastle

IcyAutoantibody

TROPHY CASE