The Entry Point
Building the Foundation
Security requires breaking things to see how they work. Before hunting attackers, you need a solid grasp of the basics. This means knowing hardware, operating systems, and networks.
The internet relies on Linux. Navigating a terminal is mandatory. You need to understand what happens under the hood instead of just clicking buttons on a dashboard.
Networking acts as the physics of the digital world. If you don't know normal traffic patterns, you can't spot the abnormal ones. This level turns complex technical jargon into simple concepts you can explain easily.
Certifications
Google Cybersecurity Certificate
Coursera / Google
What it teaches
A broad and accessible start to security. It guides you from the absolute basics of networking and the Linux command line through to fundamental threat detection and simple Python scripting.
Why at this level
This is the best generalist starting point because it doesn't bog you down with overly dense engineering details. More importantly, completing it proves to employers that you have the discipline to see a multi-month course through. HR departments universally recognize the Google brand, which helps with your initial resume screening.
TCM Practical Security Fundamentals
TCM Security Academy
What it teaches
A hands-on course that focuses on real-world demonstrations rather than dry slide decks. It shows you exactly how the modern digital world works and then logically takes it apart.
Why at this level
This is for learners who prefer doing over watching. If you want to see how networks and operating systems actually break from day one, this is your best choice. It focuses on the fundamental 'how' of security rather than just the academic theory.
Skills & Labs
Networking (TCP/IP)
Core Knowledge
What it is
The fundamental language of how data moves across a network, including DNS, DHCP, and Subnetting.
Why you need it here
You can't defend what you don't understand. If you don't know how a DNS request is supposed to look, you'll never spot a malicious server hiding in plain sight. This is the physics of the digital world.
Resources
Free Resources
The gold standard for clear, free networking education with zero fluff.
A high-energy, visual way to learn complex networking concepts.
Paid / Professional
The best exam prep if you plan on actually taking the Network+ certification.
OS Fundamentals
Operating Systems
What it is
Deep knowledge of how operating systems manage files, processes, and users across Windows and Linux environments.
Why you need it here
You need to know what 'Normal' looks like to identify 'Abnormal.' Attackers hide in system folders or create hidden users. If you don't know your way around the Linux filesystem, you are a blind defender.
Resources
Free Resources
A free book that is widely considered the bible for terminal beginners.
Hands-on labs to get you over the fear of the black command prompt.
Paid / Professional
Practical, video-led instructions from people who use Linux every day.
Scripting Basics
Automation
What it is
Using code like Python or Bash to automate repetitive tasks and process large datasets.
Why you need it here
Speed is your greatest weapon. You don't want to manually check 500 logs. You want to write a 10-line script to do it in 5 seconds. Automating the boring stuff leaves you time for actual hunting.
Resources
Free Resources
The most practical Python guide ever written for non-programmers.
A world-class introduction to Python from Harvard University.
Paid / Professional
Python explained specifically through the lens of a security professional.
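The kind of ten-line job the Scripting Basics section has in mind, written out as an added example (not code from the original page or from any of the courses it lists): a small Python script that parses SSH authentication log lines, counts failed logins per source address, and flags sources over a threshold. The log lines, the threshold and the field layout are constructed for illustration.

```python
"""Added example: triage constructed sshd log lines instead of reading them by hand."""
import re
from collections import Counter

# Constructed sample log lines in the usual sshd syslog layout (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 08:01:04 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar 10 08:01:05 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 08:01:07 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar 10 08:01:09 host1 sshd[2207]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 10 08:01:11 host1 sshd[2207]: Accepted password for alice from 198.51.100.7 port 40010 ssh2
Mar 10 08:02:30 host1 sshd[2210]: Accepted publickey for bob from 192.0.2.9 port 40550 ssh2
Mar 10 08:02:31 host1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Field layout assumed here: "<result> for [invalid user] <user> from <src> port <port>"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")

def parse_events(text):
    """Turn raw log text into structured events; lines that match neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({"result": "failed", "user": m.group(1), "src": m.group(2)})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"result": "accepted", "method": m.group(1),
                           "user": m.group(2), "src": m.group(3)})
    return events

def failures_by_source(events):
    """Count failed logins per source address."""
    return Counter(e["src"] for e in events if e["result"] == "failed")

def flag_sources(events, threshold=3):
    """Sources with at least `threshold` failures, with a note on whether any login from
    that source also succeeded (a success after many failures deserves a closer look)."""
    counts = failures_by_source(events)
    accepted_from = {e["src"] for e in events if e["result"] == "accepted"}
    return {src: {"failures": n, "any_success": src in accepted_from}
            for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for src, info in sorted(flag_sources(evts).items()):
        print(f"{src}: {info['failures']} failed logins, success from same source: {info['any_success']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the point of the exercise is that the same thirty lines handle five hundred log lines as easily as eight.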
Junior GRC Analyst
Evidence & Documentation
Your first year in GRC involves a lot of documentation. You are building the institutional memory of your company. Expect to collect screenshots of access controls, pull audit logs, chase engineers for questionnaires, and organize evidence for SOC 2 reviews. This matters because missing evidence means an automatic audit finding.
You are now executing GRC instead of just studying it. You must prove your organization follows specific frameworks. You will get a compliance platform, a control list, and a tight deadline. Your job is to translate compliance requirements into actual documented proof.
Your biggest goal is learning to identify high quality evidence. Anyone can drop a log file in a folder. The best analysts know exactly what satisfies an auditor without inviting more questions. Master this instinct to move forward.
Certifications
GRC Mastery
RootAccess
What it teaches
Technical GRC execution from the ground up. You learn to map frameworks (NIST, ISO) to real-world controls, automate evidence collection with Vanta/Drata, and draft policies that survive actual audit scrutiny.
Why at this level
This is the 'Zero to One' for GRC. While generic certs focus on multiple choice theory, GRC Mastery focuses on the actual deliverables—gap analysis, audit defense, and control operationalization. This is what you put on your resume to prove you can do the job on Day 1.
CompTIA Security+
CompTIA
What it teaches
Covers threat detection, identity and access management, cryptography, network security, and risk management fundamentals. It is broad by design — this is a survey of the technical landscape GRC sits on top of.
Why at this level
Most ATS systems filter for this cert before a human ever reads your resume. Beyond the filter, it gives you the technical vocabulary you need to have credible conversations with engineers when you are auditing their controls. It's a solid technical alternative if you need the HR checkmark.
Skills & Resources
Evidence Collection
Audit Operations
What it is
The process of gathering, organizing, and validating proof that a security control is operating as documented. This means pulling access logs, config exports, training records, and vendor contracts.
Why you need it here
At this level, evidence collection is literally the job description. You make sure the auditor's request doesn't turn into a fire drill. A missed or weak piece of evidence gets a finding. Enough findings and your organization fails the audit. It is that direct.
Resources
Free Resources
The official guide to what 'assessing a control' actually means. Read this to understand exactly what auditors are looking for.
Spin it up locally and build a mock compliance program. The fastest way to understand how controls map to evidence before doing it in production.
Paid / Professional
Structured hands-on labs that walk through real evidence collection and control assessment scenarios, not just theory.
Policy Writing
Governance
What it is
Drafting the internal documents that define how a company's employees and systems are supposed to behave (AUP, Data Classification, IR, etc.), written to survive external audit scrutiny.
Why you need it here
Every framework requires documented policies. No policy, automatic finding. More importantly, a badly written or out-of-date policy creates legal and audit exposure. Junior analysts who can write tight, auditable policies stand out immediately.
Resources
Free Resources
SANS offers a full library of free, peer-reviewed policy templates. Use them to understand the structure and required components before adapting them.
Read the Govern function. That section is essentially a checklist of every governance document your organization needs.
Paid / Professional
Gerald Auger covers policy writing from a practitioner's perspective, including what auditors actually check versus what looks good on paper.
Framework Literacy
Compliance
What it is
The ability to read a framework requirement (ISO 27001, NIST CSF) and translate it into a concrete question: 'What does this organization need to have in place, and how would we prove it?'
Why you need it here
You will be mapping controls and identifying gaps from day one. If you cannot read a framework requirement and immediately understand what it is asking for, every task downstream is slower and more error-prone.
Resources
Free Resources
The interactive online version lets you browse functions and implementation examples. Spend an afternoon mapping a fictional company's controls against it.
The most consistently practical free GRC content online. Start with any audit scenario or framework mapping exercise.
Paid / Professional
A structured walkthrough of the standard before you try to work with it in a job context. Cheap and sufficient at this level.
GRC Analyst
Audit Ownership & Risk Lifecycle
By year two, something changes. You have survived a full audit cycle. You have felt the panic of missing evidence and seen findings issued over simple errors. Now, you understand the game well enough to spot gaps before an auditor does. This instinct separates junior analysts from seniors.
At this level, you take ownership. You lead audit cycles, run vendor assessments, and build the gap analysis that tells leadership where they are exposed. You are the one explaining to engineering leads why they need a change management log. More importantly, you get them to actually do it. GRC at this stage is just as much about influence as it is about analysis.
Before moving to Lead, you must master closing the loop. It is not enough to just find a gap. You must assign owners, track the fix, and produce a final report showing the difference. Finding a problem without driving the solution holds your career back. Own the problem from start to finish.
Certifications
CISA — Certified Information Systems Auditor
ISACA
What it teaches
The industry gold standard for auditing information systems. Covers the full audit lifecycle — planning, fieldwork, reporting, and follow-up — across systems, controls, and governance.
Why at this level
CISA is the credential that tells a hiring manager or client that you can own an audit, not just participate in one. It is on more mid-to-senior GRC job descriptions than any other single cert. Study now and sit it the moment you are eligible.
ISO 27001 Lead Implementer
ISO
What it teaches
How to design, implement, and manage an ISMS from scratch. Covers scope definition, risk assessment methodology, Statement of Applicability, and internal audit process.
Why at this level
CISA proves you can audit an existing program; Lead Implementer proves you can build one. If you are in consulting or helping organizations achieve certification, this is more immediately useful. Strong signal for international markets.
Skills & Resources
Gap Analysis
Risk Strategy
What it is
A structured comparison of what a framework requires against what an organization has in place. The output is a prioritized list of control gaps — ranked by risk exposure and tied to remediation.
Why you need it here
Gap analysis is the deliverable that justifies GRC's seat at the table. It translates abstract requirements into a concrete list of decisions leadership needs to make. If an executive can read it in ten minutes and understand their exposure, you are valuable.
Resources
Free Resources
The reference standard for control requirements. Build a mock gap analysis using this catalog against a fictional organization; it is the best way to understand assessment rigor.
Government-published templates that show the output format auditors and regulators actually expect to see.
Paid / Professional
The control assessment methodology in this manual is the practical framework for conducting rigorous gap analysis.
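To make the gap analysis deliverable concrete, here is an added example in Python (not code from the original page or from the manual it mentions). It compares a control catalogue against an organization's assessed status and evidence, scores each gap by likelihood times impact scaled by how much of the control is missing, and returns the gaps ranked by exposure. The catalogue, statuses, evidence references and the 1-5 scales are all constructed for illustration; they are not a real framework or a real assessment.

```python
"""Added example: rank control gaps by risk exposure (constructed data, toy scoring)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    control_id: str
    description: str
    likelihood: int   # 1-5: how likely a gap here is to be exploited or found (assumed scale)
    impact: int       # 1-5: business impact if the control is absent (assumed scale)

# Constructed requirement catalogue, a toy analogue of a framework's control list.
CATALOG = [
    Requirement("AC-1", "Access control policy documented and reviewed annually", 3, 4),
    Requirement("AC-2", "Accounts provisioned and deprovisioned through an approved workflow", 4, 5),
    Requirement("AU-2", "Audit logging enabled on production systems", 4, 4),
    Requirement("CM-3", "Change management log maintained for production changes", 3, 3),
    Requirement("IR-1", "Incident response plan documented and tested", 2, 5),
    Requirement("AT-2", "Annual security awareness training with completion records", 2, 2),
]

# Constructed assessment: (status, evidence reference); None means no evidence exists.
STATUS = {
    "AC-1": ("implemented", "policy-repo/access-control-v3.pdf"),
    "AC-2": ("partial", "hr-offboarding-ticket-export.csv"),  # deprovisioning still manual
    "AU-2": ("not_implemented", None),
    "CM-3": ("implemented", None),                             # claimed, but nothing to show an auditor
    "IR-1": ("not_implemented", None),
    "AT-2": ("implemented", "lms-completion-2025.csv"),
}

# Fraction of the control that is missing for each status.
STATUS_WEIGHT = {"not_implemented": 1.0, "partial": 0.5, "implemented": 0.0}

def gap_score(req, status, evidence):
    """Exposure of a gap: likelihood x impact, scaled by how much of the control is missing.
    A control claimed as implemented with no evidence is treated as partial, because an
    auditor cannot accept an undocumented control."""
    if status == "implemented" and evidence is None:
        status = "partial"
    return req.likelihood * req.impact * STATUS_WEIGHT[status]

def gap_analysis(catalog, status):
    """Return gaps ranked highest exposure first; fully evidenced controls are excluded.
    A control absent from the assessment is treated as not implemented."""
    rows = []
    for req in catalog:
        st, ev = status.get(req.control_id, ("not_implemented", None))
        score = gap_score(req, st, ev)
        if score > 0:
            rows.append({"control": req.control_id, "status": st, "evidence": ev,
                         "exposure": score, "description": req.description})
    return sorted(rows, key=lambda r: (-r["exposure"], r["control"]))

if __name__ == "__main__":
    for row in gap_analysis(CATALOG, STATUS):
        print(f"{row['exposure']:>5}  {row['control']}  {row['status']:<16} {row['description']}")
```

The output is the list the section describes: each line is a decision for leadership, ordered so that the top entries are the ones to fund first, and each carries the status and evidence reference an owner needs to close it.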
Vendor Risk Management
Third-Party Risk
What it is
Evaluating the security posture of third-party vendors (questionnaires, reviewing SOC 2 reports, etc.) and making risk-based recommendations on vendor relationships.
Why you need it here
Most data breaches involve a third party. If your organization can't demonstrate it has reviewed its critical vendors, that is a significant finding. You need to know how to identify exceptions and missing controls in a SOC 2 report.
Resources
Free Resources
The authoritative source on what a SOC 2 report is. Read this before reviewing a vendor's report or you will miss the Trust Service Criteria that matter.
The industry-standard vendor security questionnaire. Understand its structure to build a mature third-party risk program.
Paid / Professional
Practical walkthrough of the full vendor assessment lifecycle from intake to handling a vendor who fails your assessment.
Risk Lifecycle Management
Risk Operations
What it is
Taking a risk from first identification to board-level reporting: logging it, assigning owners, tracking mitigation, and validating that remediation actually closed the gap.
Why you need it here
A lot of junior analysts identify risk and hand it off. At this level you are accountable for the full loop. The analysts who close the loop are the ones who get asked to run programs. This is how you build Lead credibility.
Resources
Free Resources
The definitive reference for how a risk lifecycle should be structured. The six-step process is the clearest articulation of end-to-end risk management.
Free personal developer instance. Build a mock risk register and dashboard; hands-on ServiceNow experience is a massive differentiator.
Paid / Professional
The risk lifecycle content in this manual is the clearest practitioner-level explanation of how enterprise risk works in mature organizations.
GRC Lead
Program Design & Executive Influence
The hardest transition in GRC is moving from analyst to lead. The methodical execution that got you here is no longer enough. Now, your job is deciding what the program prioritizes and convincing senior leadership to act. The CFO does not care about your spreadsheet. The board ignores NIST subcategories. You must translate technical details into clear business decisions.
At this stage, you build the entire program architecture. You decide which frameworks to adopt. You work with the CISO and CFO to define exactly how much risk the organization will accept. You select the tooling, establish the standards, and build the reports. Every analyst on your team executes against the blueprint you designed.
The defining skill of a Lead is moving from colors to numbers. Saying ransomware is a "high" risk means nothing. Saying it represents a three million dollar loss that can be mitigated for two hundred thousand dollars is actionable. Executives respond to numbers. Master quantitative risk analysis because it is the language of leadership.
Certifications
CISSP — Certified Information Systems Security Professional
ISC2
What it teaches
Eight domains spanning the full security landscape. The broadest security credential available, recognized globally across industries and by executives who may not know specialized certs.
Why at this level
CISSP is the credential that travels. If your Lead role spans both GRC and technical teams — or if you are in a market where brand recognition matters most — CISSP signals authority at a level others do not.
CRISC — Certified in Risk and Information Systems Control
ISACA
What it teaches
Enterprise-level IT risk identification, response, and reporting. Covers risk appetite definition, control design, and how to produce metrics that drive board-level decisions.
Why at this level
CRISC is the credential that signals you can run a risk program, not just work in one. It sits on Head of GRC or Senior Risk Manager job descriptions. It is the clearest signal to the CISO that you think at a program level.
Skills & Resources
GRC Program Design
Program Architecture
What it is
Designing the end-to-end governance program from the ground up: selecting frameworks, establishing risk appetite, choosing tooling, and setting evidence standards.
Why you need it here
Every analyst-level skill exists within a program someone designed. At Lead, you are the one designing it. The first question is always: 'What are we actually trying to accomplish, and what is the simplest structure that gets us there?' Answering that is the entire job.
Resources
Free Resources
The Govern function in CSF 2.0 is essentially a blueprint for a mature GRC program structure. Read it as a design checklist, not just a reference.
COBIT is the governance framework that underpins how GRC connects to business objectives. Understanding it gives you the architecture for C-suite conversations.
Paid / Professional
At Lead level you need to know how to configure and run a GRC platform at organizational scale. Covers IRM implementation from a program architect's perspective.
Quantitative Risk Analysis (FAIR)
Risk Strategy
What it is
Factor Analysis of Information Risk, a methodology for quantifying risk in financial terms. It produces a range of probable financial loss outcomes that executives can weigh against mitigation costs.
Why you need it here
Qualitative ratings (color maps) get ignored in boardrooms. If you can say 'this risk represents $1.8M in annualized loss expectancy and we can reduce it by 70% with a $300K investment,' you are no longer a cost center. You are a business advisor.
Resources
Free Resources
The nonprofit that stewards the standard publishes free introductory material and case studies. Start here to see how practitioners apply FAIR to real scenarios.
The formal technical specification of the FAIR taxonomy and model. The authoritative reference for practitioners.
Paid / Professional
The most direct path to practical FAIR fluency. Non-negotiable if your organization is considering a quantitative risk platform.
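The move from colors to numbers that the Lead section calls for, shown as an added example in Python (not code from the original page, and not the FAIR standard's own tooling). It follows the basic FAIR decomposition, loss event frequency times loss magnitude, with a Monte Carlo simulation over calibrated (min, most likely, max) ranges, and compares the resulting annualized loss against a mitigation cost. All inputs are constructed illustrations, not calibrated estimates; the triangular distribution stands in for the PERT distribution FAIR practitioners usually use, to keep the example to the standard library.

```python
"""Added example: FAIR-style Monte Carlo estimate of annualized loss (constructed inputs)."""
import random
import statistics

def sample_annual_losses(rng, lef_range, lm_range, years=20000):
    """Monte Carlo over simulated years. For each year draw a loss event frequency
    (events per year) and a loss magnitude per event (dollars) from triangular
    (min, most likely, max) ranges and multiply them. Returns the simulated annual losses."""
    lo_f, mode_f, hi_f = lef_range
    lo_m, mode_m, hi_m = lm_range
    # random.triangular takes (low, high, mode)
    return [rng.triangular(lo_f, hi_f, mode_f) * rng.triangular(lo_m, hi_m, mode_m)
            for _ in range(years)]

def summarize(losses):
    """Decision-ready summary: annualized loss expectancy plus 10th/50th/90th percentiles,
    so the report states a range rather than a single colour."""
    s = sorted(losses)
    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]
    return {"ale": statistics.fmean(s), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}

def mitigation_case(ale_before, reduction_fraction, annual_cost):
    """Compare an annualized loss against a control that removes a fraction of it.
    This is the arithmetic behind the section's '$1.8M, reduce by 70% for $300K' sentence."""
    ale_after = ale_before * (1 - reduction_fraction)
    return {"ale_after": ale_after,
            "loss_avoided": ale_before - ale_after,
            "net_benefit": ale_before - ale_after - annual_cost}

# Constructed ransomware scenario (illustrative ranges, not estimates for any real organization).
RANSOMWARE_LEF = (0.1, 0.4, 1.0)                  # events per year: rare up to about yearly
RANSOMWARE_LM = (200_000, 1_500_000, 6_000_000)   # dollars per event: cleanup, downtime, legal

if __name__ == "__main__":
    rng = random.Random(2025)  # fixed seed so the report is reproducible
    losses = sample_annual_losses(rng, RANSOMWARE_LEF, RANSOMWARE_LM)
    summary = summarize(losses)
    print(f"Annualized loss expectancy: ${summary['ale']:,.0f}")
    print(f"10th / 50th / 90th percentile annual loss: ${summary['p10']:,.0f} / "
          f"${summary['p50']:,.0f} / ${summary['p90']:,.0f}")
    case = mitigation_case(summary["ale"], 0.70, 300_000)
    print(f"After a 70% reduction for $300K/yr: ALE ${case['ale_after']:,.0f}, "
          f"net benefit ${case['net_benefit']:,.0f}")
```

The percentiles matter as much as the mean: a board asked to accept a risk wants to know the plausible bad year (the 90th percentile), not only the average, and the same simulation re-run with the post-mitigation frequency range gives the "after" picture for the investment decision.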
Executive & Board Reporting
Strategic Communication
What it is
Translating program complexity into concise, decision-ready formats: risk posture scores, trend data, and prioritized residual risks requiring board decisions — without GRC jargon.
Why you need it here
Everything your team does is in service of this output. If the board cannot understand your report, they cannot make informed decisions. The ability to communicate risk in business language is the most career-defining skill at this level.
Resources
Free Resources
Conversations from working CISOs on what executives actually want to hear versus what security teams tend to report.
Written for board directors, this tells you exactly how boards think about cyber risk. Read the audience's own handbook to learn how to write for them.
Paid / Professional
Covers executive risk metrics and board reporting formats in more practical depth than any standalone course.