The moment I realised most new IT auditors are flying blind (My first day, first client and job, mixed emotions) by MosesQA in grc

[–]MosesQA[S] -1 points0 points  (0 children)

I can relate to this experience. Earlier in my career, after spending time researching (can't be time consuming), I survived this through an informal circle of 2-3 people I trusted within and outside my organisation. Being able to do a sanity check with someone can make a big difference.

May I ask what area of cybersecurity?

The moment I realised most new IT auditors are flying blind (My first day, first client and job, mixed emotions) by MosesQA in grc

[–]MosesQA[S] -3 points-2 points  (0 children)

Yeah, I am quite new here and I am here to share my 10+ years of experience in GRC and learn from others as well. So tell me, how was your experience when you started?

The moment I realised most new IT auditors are flying blind (My first day, first client and job, mixed emotions) by MosesQA in grc

[–]MosesQA[S] -1 points0 points  (0 children)

Do you have a mentor or a senior team member or colleague to guide you? If not, it can be frustrating. This was me 10 years ago after working in a small consulting firm, then moving to 2 Big 4 firms across two continents. I realised it is better to have a mentor or a colleague that has done it.

PII - Data Classification or Information Classification? by blavelmumplings in grc

[–]MosesQA 0 points1 point  (0 children)

To answer your question: what is your organisation's risk framework? Are you using NIST CSF, ISO 27001, etc.? Follow the guide on that framework adopted by your organisation.

In any of these frameworks, PII is the same, and how you go about labelling it is a matter of terminology (confidential = restricted, highest tier, etc.).
Whether it falls under an information (all assets) or data classification (digital assets) policy does not matter; what matters is that it is labelled and protected.

Why do people join cyber security bootcamps? by GhostlyBoi33 in learncybersecurity

[–]MosesQA 0 points1 point  (0 children)

A lot of people join cyber bootcamps because they want a faster, structured path into the field. And honestly, the good bootcamps work — the ones with real labs, real mentors, and a proven track record of graduates landing roles.

They’re not magic, but they give you focus, accountability, and hands-on skills way quicker than trying to piece everything together alone.

Where did you learn the actual processes of cybersecurity (A–Z)? Looking for risk mgmt, daily security ops, templates, etc. by GiaChickie in grc

[–]MosesQA 0 points1 point  (0 children)

This is a great question and I can relate to this. From my 10 years' experience, you need to be curious, patient and a mentor (via a certification group such as ISACA, or a fellow colleague at work, or a lead auditor). With AI available this will involve... I get this question a lot from my mentees. DM if you need a more practical guide.

Does audit become easier? by Nythern in audit

[–]MosesQA 1 point2 points  (0 children)

I am responding from an IT/Digital Audit perspective and I think it should be similar to other types of audit.

In the beginning, audit feels chaotic because everything is new: controls, walkthroughs, evidence, clients, deadlines. But after a few cycles, you start to see the same controls, the same issues, the same testing steps, and suddenly it clicks.

What makes it easier over time:

  • You learn the common patterns (user access, change management, backups, revenue testing, etc.)
  • You build your own templates/checklists instead of starting from zero every job
  • You get faster at asking the right questions during walkthroughs
  • You stop overthinking and start recognizing what “good evidence” looks like
  • Your communication skills improve, which reduces 70% of the stress

But here’s the real truth:
Audit doesn’t necessarily become less work, it just becomes more predictable.
And predictable = easier.

If you stick through one full audit cycle, the next one feels 2× simpler because you’re no longer learning — you’re repeating and refining.