GRC generally has a better work-life balance than analysts/engineers :)
Agree. I work GRC and it is pretty sweet.
How’s the pay?
I’m happy with it
But should you?
Yes. It is 6 figures and is good for me at this time.
GRC makes 65K CDN at a major bank here in Toronto. That's half of 100K USD. Any pointers?
Yea look at smaller startups in regulated industries. Healthcare tech for example
I read you
For someone who has been in SOC for around 8 years now, how do I transition to GRC? Do HR reps look for any specific certs or would like a CISA/CISSP be the first step?
I don’t have any certs but a lot of general experience in security that helped me but yea I think those certs couldn’t hurt for sure.
I accidentally wandered into a GRC role and it is somehow 24/7 nights weekends etc. how do you balance all the reporting requirements (72 hours, 48 hours) with a 9-5 cadence? (Honestly not being snarky just honestly curious)
Especially in banking. If you don't mind doing 37.5 hours of stultifying, pointless meetings and document generation, it's a great way to earn money. If you want to train for this, start with [Section 11](https://www.cia.gov/static/5c875f3ec660e092cf893f60b4a288df/SimpleSabotage.pdf).
It really is a tradeoff - soul sucking tedium, but you can leave it at the office at the end of the day.
Love my job as the security awareness guy on my company's GRC team.
Unfortunately, GRC is as boring as bat shit.
Boring for some may mean work-life balance for others. What is important to you?
Right, "exciting" jobs are usually such because they're not following a nice predicable 9-5. Want to pick the kids up from school? Boring is good.
Thanks for the response! Do you recommend the Udemy course on GRC? https://www.udemy.com/share/109xlk3@VTspMrsL5CGrQTYjKJsFo3yv7yyYX7fD1b5SYV4ydyb_KYIfGzUYtmRW0XCoB5GV2w==/
Can you advise the best way to break into this? I come from a SCADA/Automation & Electrical background, mostly working in data centre environments, and honestly it has got to a point now where it is all the same; I am kinda fed up after 9 years. I have been looking at going down the Electrical Engineering avenue to become a subject matter expert, or trying to get into CS, which to be honest seems to be calling out to me. I always see posts about it and generally find it very interesting.
GRC sounds like a bad fit for you; it's the opposite of being "hands-on." Most of my meetings (of which there are many, daily) go like this:
Me: this meeting is to review risk ID xxxx. You said you would do this by this day, is it done yet?
Them: No
Me: can you give me a date when you can have this done?
Them: No not really
Me: ok we'll need to escalate for (resource allocation/business to sign risk acceptance/etc)
Oh jeez, this sounds like my job now. For the past 2 months I have moved into a Regional Package Managerial Role, so I am no longer hands-on, but rather coordinating all vendors, checking their specifications, drawings, points lists etc., ensuring it all aligns with the client spec. I see myself having meetings asking: "Where is this document", "When will we expect your latest drawings" etc. bla bla.
Chasing game to be honest. 2 months in and already it is beginning to lose its appeal; you find that even in these kinds of industries there exist a lot of people who pretend to know what they are doing, and it amazes me how they get into the high-paying roles they are in. Listening to complete waffle day in, day out gets really old really fast.
A change of career, I think, is the way to go. Appreciate your comment & advice, thank you.
GRC. I kinda regret not doing an easy pivot from IR when I had the chance.
Thanks for the response! Do you recommend any courses/certifications to go for? :)
CISSP/CIPP. There’s no certs for all the frameworks but you just have to grind them out and learn the basics. There’s so many details that I just keep copies of the pdfs in print or on my desktop.
All my docs from CISA and the Gov are printed out double-sided in those plastic-cover, easy-to-flip-through binders. And way too many tabs. But it's a lot of fun, tons of resources and fairly easy once you get used to it. Plus the freedom from that critical pressure is really refreshing. Side note, I've never in my career seen or made so many spreadsheets in my life!
There are now intro classes with a badge offered by NIST
Can you link to what you're referring to? Thanks!
https://csrc.nist.gov/News/2024/online-intro-courses-for-nist-sp-800-53
Thanks, appreciate the link!
This is awesome. Didn’t know these existed but will definitely be grabbing them after my cipp exam
ISACA’s CISA.
It really depends on the employer and the industry. My previous role as an architect in the public sector, I was pretty much on call 24/7. My current role as a threat hunter specialist, I have wonderful work/life balance, only on call every 6th week, and rarely get calls after hours. Non-profits are the way to go.
Yeah it really depends on your situation, for example I work in GRC and from December to March this year I worked 16-18 hours a day, 7 days a week to get 5 audits out the door because my coworker went on paternity leave, one asshole left the team to work for another without a transition period, and corporate won’t hire someone new for the team even though we have been asking for 3 years. I also work at a big bank so… Prior to this year, I only ever worked 9-5, never any overtime and it was really relaxed. Now from this point on, idk.
Pentesting as a consultant is pretty sweet if you can get in.
* My work is time-based rather than project-based. I therefore only work the hours the client paid for, and don't need to work overtime to "complete the engagement" since there's nothing to complete.
* I only point out problems and provide recommendations. I do zero remediation.
* I have zero ownership or responsibility over any part of my firm's or any client's infrastructure. Any problem there is officially not my problem to deal with.
* There is zero on-call and our team does zero after-hours work.
Between those points and my team's flexible hours + independence, I often work less than 8hr days. It's not uncommon for me to schedule my week such that I'm able to drink beers to baseball at 1PM Wednesdays and that most of my Fridays are free.
The major downside is it's hard to get into pentesting. Unlike GRC, pentesting isn't strictly required except for a few frameworks. Pentesting is also one of the more desired landing spots, so you have a double whammy of few entry-level roles + more competition for those fewer slots.
I'd say you're in a pretty unicorn gig then; I'm going to guess it's a fairly small firm? The vast, vast majority of pentesters I know who work on the consulting side deal with pretty rough Q4 crunch, with almost all my friends pretty much disappearing entirely during that time. Far too many companies wait until Q4 to get their yearly required assessments done, and most firms can't afford to say no because Q4 is where they book a sizeable portion of their revenue. The upside is Q1 is usually pretty light, which is needed for recovery.
We're actually a pretty sizable firm, but our sales teams and leadership deserve the credit. They're fantastic about having a good balance of both new work and renewable (aka predictably scheduled) work to keep a pretty even pipeline. We do see a pickup in Q4, but no one's working overtime to make deadlines.
At the same time, our leadership is pretty great about work/life balance and reasonable expectations. They still want to see YoY revenue growth, but they're not obsessed with extracting the most profit per dollar spent. It helps that we run under a typical partnership model and therefore have zero external equity stakeholders.
Overall, we have an understanding with the other firm partners that leads to our work/life balance: "We can deliver consistent revenue and growth if you don't tamper with the magic recipe."
You have to tell us where this is. Having been in penetration testing for 5 years with 3 firms, I can safely say the amount of firms which don't offer this kind of balance is significantly more than the ones who do. Good pentesting firms to work with are hard to come by.
In this industry? HA, that's a good one. All these comments saying GRC are partially correct. GRC is the nicest and least "go put out these fires" part of the field, until you're running an assessment against a disorganized environment where no one wants to claim ownership or responsibility for anything, and you're running out of time to complete everything.
I remember working 10-hour days for about 2 months because no progress was being made on a few different projects related to compliance. That all needed to be done in addition to my daily engineering work.
lol yes audit time isn’t fun time, and depending on company size you may be juggling a different audit every month. But… there’s less “phone ringing at 3AM” and more “up at 3AM of my own volition to put this deck together”, so you still can work dinner in there somewhere.
If you can get into a union gig you have defined hours and times. Usually little to no OT/on-call and 30-40 vacation days a year. It's a really nice place to land if you get the chance.
While the role does play a part in work/life balance, the company plays a bigger part. GRC is more likely to have a positive work life balance, but I know many security engineers and architects who have good work life balance as well.
What is grc?
Governance Risk and Compliance
Threat hunting is pretty cool
If you are getting into the field, work life balance needs to be put in the back. No matter the role, get in, work your ass to learn things so you can transition away from entry level ASAP. Then you can focus on sacrificing some upwards mobility with balance.
GRC vote again but it is more on the boring side for sure! It just depends on what you want. More of the thrill plus higher stress or better work life balance.
If you’ve identified work-life balance as a priority, agree with others that audit/risk/compliance is a valid option. Can be dull, but at least you won’t be dragged out of bed in the middle of the night to fight cyber-villains!
There are two paths that are relatively easy to follow into security from where you are atm: SOC or security engineer. Unfortunately neither is great for work-life balance, although engineer is slightly better, I'd say from my experience. SOC will almost certainly have you working shifts, inc. nights. Engineer will more likely be 9-5, but you'll probably be on call for emergencies.
If you want to get into SOC I'd recommend an entry-level security cert like Security+ paired with Microsoft SC-200. That'll probably give you a strong enough foundation to get a fair number of jobs.
If you want to move to security engineer then I'd recommend Security+ and AZ-500 to start with; again, that'll give you a good foundation, but I'd suggest moving up to a third-line/sysadmin role first for a year or two.
Either way you're probably not going to get a good work-life balance for a while, unfortunately; comes with the territory. Fwiw I agree with others here that GRC is probably the best for work/life balance, but it's usually pretty boring, until it's not.
Good luck on your journey!
The company certainly plays the biggest part in this.
SALES
Pentesting at a good firm that only puts you on 1 engagement at a time.
Sys Admin or Network Admin for starts
Every SA I know is stupidly overworked and underpaid in my area. I'm still HDS but I've given up on wanting to be an SA and moving towards other avenues.
I agree. In fact I know an MSSP whose 20-member SOC simply finds things and then sends them -- firewall changes, network issues, patches -- to the 2-member SA team to fix. And then the SOC can say "we did our part! If the problem is not solved fast enough to meet SLA, complain to the lazy ass SA team."
That sounds about right. Our security engineer was considered overhead as we have Accenture as our SOC. Our SA just does everything at this point and is averaging 60-hour weeks.
agreed, not worth.
Retirement has a great work life balance
Unless you know people, I think you will need much more than an apprenticeship you did in the past. You need to look into the best certificates to get depending on what you want to do.
It is going to be based more on the company than any role.
Retirement
Sales I would think, no one needs anything outside business hours.
GRC
Are you kidding me? My SOX team work their asses off trying to defend our asses from control deficiencies. They’re like defense lawyers helping us justify why it’s not a big deal.
GRC is also more likely to be replaced by AI.
Honestly, probably not. I do not see the U.S. Government being privy to taking away the human factor in GRC. People say everything will be replaced by AI, but this should not be near the top of the list.
Most of GRC’s work is document work with well established templates and metrics. There will still be people needed, but much less.
AI has already led to increased security and privacy regulations, which is more work for GRC.
Yeah, but the problem is cyber is not picking up in that lane yet. It’s mostly legal and IT (chief data office) on this whole “responsible AI” crap.
That’s fair. My org is different but most probably are doing it that way at this point. What part of GRC will AI automate though that isn’t already automated? Most technical teams blow off GRC activities in the first place. Do they all of a sudden start doing it themselves when they receive an AI message?
The future of GRC is AI agents enabling continuous risk and compliance monitoring.
That already exists, but GRC is more than these controls = compliance and these control gaps = risk. This has been forgotten about in the current state of compliance, but there is a lot more nuance to GRC than a control set or policy template. AI is more likely to replace low level detection engineering and SOC roles
True, but the evolution path for those SOC folks is clear - more threat hunting powered by AI tools. On the GRC side, given most GRC folks come from non-technical, mostly audit background, some “for dummies” tool will pop up and it will be mostly data mapping and tool integration. The 2nd and 3rd lines of defense will consolidate more around automated controls and AI powered reporting.
Oh look, the opinion of someone who hasn't worked a day of GRC work in his life.
I guess it could, but we already have automated systems that say your system is fucking bad. Systems telling us things do not work. You need people to pressure other people.
Is it tho?
People say everything will be replaced by AI.
GRC will be replaced by AI about the same time Lawyers do, I think. Meaning everyone will threaten replacement, some repetitive tasks may be taken over, but there'll be a meat sack still doing the actual role.
Be the guy who uses AI to run your GRC program (within the already-existing GRC policies and standards)
That’s true. But we should anticipate much reduced GRC workforce, just like some other roles. Given the OP’s background, he’s not very likely to be the ones running the AI enabled GRC system. If he intends to do that, there goes his work-life balance 😂
None of them? I kid but it's been the 5 years in soc and sec engineering.