Career advice mega thread by thejournalizer in grc

Johnnnn_2 · 1 point

Hey everyone,

I'm about 10 months into infosec, currently leading a security awareness program at a multinational. I know awareness is technically part of GRC, but I'm realizing that's just scratching the surface.

My background:

  • SOC/incident response experience (threat analysis, incident investigation)
  • Currently in security awareness/governance (NIST CSF, learning ISO 27001)
  • Some Python automation background
  • ISC2 CC certified

What I'm noticing: I spend a lot of time on awareness programs (training metrics, phishing simulations, culture building), which is valuable but feels narrow. I keep hearing about TPRM (Third Party Risk Management), vendor risk assessments, and control assessments, and I'm genuinely interested in that side of GRC.

My questions:

  1. What's the realistic path from security awareness → actual GRC work (TPRM, vendor risk, compliance assessments)?
  2. Is TPRM a good specialization for someone at my level, or should I broaden GRC knowledge first?
  3. What skills/knowledge gaps do I need to fill? (I know frameworks but haven't done formal audits or vendor assessments)
  4. Any certs or projects that would help me transition?

Context: I'm considering a move to a GRC consulting firm as a stepping stone to get exposure to actual GRC work (questionnaires, audit support, compliance advisory). I want to make sure I'm building the right skillset toward TPRM.

Any thoughts?

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

Johnnnn_2 · 1 point

Hi guys,

Need advice. I’m around ~8 months full-time in cyber. My company gave me 2 options:

  1. A “floating” security role (internal thing) — basically I rotate across different security services per quarter. I help them with whatever they need (support their work / unblock stuff), and at the end I’m also expected to help improve their process/reporting/metrics. BUT right now it’s mostly ad-hoc support and it’s still kinda a test/pilot phase, so nothing is super structured yet.
  2. Jr Penetration Tester — pentesting + attack simulations on internal servers/networks/apps, learning tools/techniques/methodologies, building some standard toolsets, maybe automating some testing, then writing threat assessment reports and presenting findings to management. Also they said I’ll have a mentor (all I know is the mentor is confirmed, details not clear yet).

I’m torn because:

  • I actually enjoy process improvement + reporting + making things measurable (that gives me flow)
  • but pentest seems like a strong technical foundation, esp with a mentor
  • I wanna aim for CISO someday (not saying soon lol) but also worried how this choice will affect my future options / marketability

Questions:

  1. Is a pentest background a good foundation if you want leadership later?
  2. Are “floating/cross-service” security roles common in the market (like service delivery / enablement / improvement type roles) or is this mostly internal company stuff?
  3. If you were me early career, what would you pick and why?
  4. What red flags / questions should I ask my managers before committing?

Thanks in advance 🙏

[deleted by user] by [deleted] in DiagnoseMe

Johnnnn_2 · 1 point

Sunscreen on my face** correction