Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those who are looking to get into cybersecurity, and tips for those who are looking to advance their careers.
Check out our community: https://www.skool.com/the-cybersecurity-mentors
SOC vs GRC: Which Cybersecurity Career Path Is Right for You?
Trying to break into cybersecurity but not sure whether you should pursue a SOC Analyst role or a GRC (Governance, Risk, and Compliance) position?
In this episode of The Cybersecurity Mentors Podcast, we break down the differences between SOC and GRC careers, the skills needed for each path, and how to determine which one fits your strengths, interests, and long-term goals.
Whether you're a career changer, recent graduate, IT professional, or someone trying to land your first cybersecurity job, this episode will help you make a more informed decision about your future.
Tell us in the comments:
If you had to choose today, would you pick SOC or GRC, and why?
Come hang out with us in the Cybersecurity Mentors Skool community. It’s free to join.
Cold Open Purple Perspective
SPEAKER_01: I'm in both worlds all the time, so I can see both sides. Just like I've done red team and blue team, I can speak both sides. I'm in the purple. I'm a purple person.
SPEAKER_02: Could you teach me? First learn stand, then learn fly. Nature rule done, your son, not the mind. I know what you're trying to do. I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.
SOC Vs GRC Framing The Choice
SPEAKER_01: All right, welcome back to another episode of the Cybersecurity Mentors Podcast. On today's episode, we're going to talk about SOC versus GRC. Which path should I take? Which one is the right one? Which one's easier? What about these things? Because this is one of those topics that are trending right now; you can see that people are asking the question: should I go this way or should I go that way? Which one pays better? Which one has different skills that I can obtain easier? And we're going to dive into it. First I'll say that that is a good question, but it's not the only question. There are other questions that you need to ask about what you're trying to become. Right, Steve?
SPEAKER_00: Yeah, I completely agree. You hear a lot of people trying to get into cyber, and they think, hey, GRC is the easiest way in because they're not trying to go down the more technical route. Or there are others that are like, hey, I hate policy work, I hate dealing with documents and that stuff, so I'd rather do an investigation or do this or do that, which is more technical. But it really depends. So yeah, I agree. I'm excited to talk about this topic.
Choose Strengths Not Easy
SPEAKER_00: So we'll start it off with: don't pick the easier path, pick the path that fits your strengths. So what would you say about that, John?
SPEAKER_01: Yeah, I actually did a talk that was called Choose Your Own Adventure: How to Become a CISO, or something like that. And as a CISO, in my opinion, you do need both sides; both paths need to cross at some point. A lot of CISOs come up the risk and compliance path. I would say the majority come up the risk path, the GRC path. I came up the operational path. And when we say SOC versus GRC, it's really the analyst-type role, the more technical role, versus the more risk and compliance roles, right? I'm in both worlds all the time, so I can see both sides. Just like I've done red team and blue team, I can speak both sides. I'm in the purple; I'm a purple person, right? So that helps me to speak to this. A lot of it is what your strengths are. If you are choosing this just because you think one is easier initially, but you hate life once you get in there... what are your strengths? Are your strengths around technical? Do you like doing the technical? Really, it comes down to what you're passionate about and what you like doing, because what you like doing is going to help you continue to improve and want to improve. If you hate life... let me not take it from hate. Let's say you couldn't write your way out of a paper bag for a compliance standard, or you couldn't write a policy to save your life, or you would just dread doing that because you are not skilled or don't have that affinity for doing that, then maybe that path is not a good option for you. Now, we talked about this in our Skool community, and with our group coaching, about documentation, about how important documentation is. So on either side, you need to be good at documentation. But there is a strength here that you should evaluate, where you lie. Now, if you love technical things and you have an affinity for that, you like doing the technical things, you like being at the command line.
If you hate... here's a good separator. If you hate the command line, and we have some of these people that hate it, they're like, I hate the command line, then maybe the operational path is not a good path for you. It may be that thing, like, hey, do I like using the command line and running Linux and Windows commands? If you hate that, then I would say that's not your strength. So you should evaluate that and consider, well, maybe let me look at what skills I need, matching to where I am and what strengths I have. Last thing I'll say, and then I'll pitch it back to you. There's a tool called StrengthsFinder. Now it's not a strengths finder in the sense of are you technical or non-technical, but it can help you see, are you analytical? How are you with dealing with uncertainty and analyzing data to find things that stand out? Is that your mindset? Or are you very concise and organized and prepared, and you're good at taking information and putting it in a format that you can present? And you need to do this on both sides, but especially on the policy, GRC side, because you're taking compliance controls that you need to decipher and put into actionable speak: this is what we need to go do, and here's why. On the technical side, you need to be able to decipher technical controls or technical things and put that into speak of, here's how we implement this, this is why we need to do this, this is the business risk. So it's just different strengths on each side.
SPEAKER_00: Yeah, I would agree. I think, just for our listeners, just to clarify.
What SOC Work Looks Like
SPEAKER_00: So if you end up going down the SOC role, or the more technical role, you are someone who likes to investigate problems, and in this case, technical problems. You like to look through logs, look through alerts. You're asking, what happened here? Why did this happen? Let's get to the root cause of the problem. Maybe you like working under pressure, or you don't mind working under pressure. And you like to use some security tools and add that technology to your arsenal, and then follow the breadcrumbs, right? From start to finish, trying to figure out what happened, who did it, why, and how we can prevent this from happening again. That is what, in my opinion, would be a good SOC, technical individual to begin with. On the opposite side, you have the GRC side. That is, again, more from an administrative standpoint: working with stakeholders, communicating to different teams, but also communicating the problem in a more high-level sense, right? Not too technical, not digging down into the nitty-gritty, but just big-picture kind of speak. You're able to write clearly, you're able to communicate clearly and understand the risk and how that risk affects the business. And then helping leadership or helping other individuals make the right decisions on what will help the organization as a whole. So you are thinking about things more in terms of not just security and trying to stop the bleeding or stop the problem, but how can what we are doing now help us now, and help us in the future, as well as helping with anything across the legal spectrum. Think about IT, legal, audit, privacy, anything along those lines. So it is definitely somebody a little bit more administrative.
Yes, I like to, and John too, we like to joke around that it's boring. But that's because we came up the more technical SOC side of the house. But like John mentioned, if you are trying to climb the corporate ladder and move up within a security organization, like he said, most CISOs, not all, but most, end up coming through the GRC route. So it might be something that maybe you don't start there, but your path will take you there. And then from there, it'll help you move on. It's something I'm not too excited about myself, but I know that I want to be a CISO one day. So it's something I need to tackle and be more involved in and learn and be more confident with. So if you are starting out trying to get into cybersecurity, depending on your current background, especially if you are someone who's transitioning from previous work, a previous career, into cyber, there might be areas that might be a little easier for you to get your foot in the door. So it's definitely stuff to consider.
SPEAKER_01: Yep. That's great. Thank you. All right.
Build Skills For Both Paths
SPEAKER_01: Point number two: don't just choose a job title, choose the skills you want to build. SOC and GRC are not just roles, they're paths, generally. So if you're thinking about the path that you're going to climb, which path is for you. Steve, I'll let you go first.
SPEAKER_00: Yeah, well, we kind of talked a little bit about that, but I see it, just to simplify it as much as I possibly can, as: if you are more technical, definitely go with the SOC route. If you are more administrative, more project-management focused, go the GRC route. Now, with that being said, people tend to think, oh, GRC will be easier because I don't have to be very technical, I don't have to know this, I don't have to know that. Well, that just means you're going to be a half-assed GRC professional, because a good GRC professional, and in my opinion somebody who will be very successful, knows some of the technical aspects of it. Because how are you going to be responsible for determining if your organization is doing what they're supposed to be doing to stay compliant if, when they show you their evidence, you have no idea what the heck they're showing you, or you can't speak the speak, or you can't really understand when they're telling you in a meeting, yes, John, we are doing this, and we are doing this by doing X, Y, Z, and using these tools, using these processes, doing this, whatever, and it just goes over your head? Because look, I've been in situations, not in my current organization, but I've been in certain situations where organizations are like, dude, I'm trying to pass this audit. So even if it's just doing the bare minimum, they're going to be like, yep, we're doing that, and tell them we are and convince them we are, so we can move on. So it can get a little tricky out there, for sure.
So if you don't really understand what you're asking, the question you're asking, from a technical standpoint, or if they try to give you this little white lie that, oh yeah, we're doing encryption and we're using the Tenable Nessus scanner to do it, and you don't understand the difference there, or you don't understand what tool is used for what, then you're going to believe it, right? Because you're assuming this individual who's technical knows what they're talking about. But if you can't validate it, then you're going to be the one in trouble. So you do need to know some technical in order to be a good, strong GRC professional. Flipping the switch here, if you are going to be, in my opinion, a good technical individual, you also need to understand some of the things that might be asked of you from a GRC standpoint in order to identify risk, or in order to stop the risk, or in order to be compliant with an audit, or if your organization is trying to follow a framework. You might have somebody who is not very technical coming to you from the GRC team telling you, hey, we need to do this because this is what it takes for us to be compliant. And you can be like, hold on, Joe Schmo, do you even know what the heck you're talking about? Because that's impossible. And you need to be able to defend yourself on both sides. So, in order for you to be just a good, strong, successful professional, no matter what route you take, you need to know a little bit of both worlds.
SPEAKER_01: Yeah, I'll speak to that. That's one of the things that I do a lot: the translator. The compliance folks can be very focused on what compliance says. This says we have to do X. But if they've never been in the technical role and they don't understand that world, as that translator, well, I've been there, I've had that, I've done that. They don't know exactly what they're talking about; they're just looking at the bullet point that says, well, you've got to do this and not do that. Okay, well, this is what that means when you were to enable the thing it says to enable, or to disable. And again, for me, being a jack of all trades, I do think this is the better way, if you can do both sides, as many sides as you can get some experience in, honestly. Because I've been in that role. I've been in their shoes. And whenever they say that, I'm actually an advocate for them. I'm not saying that they shouldn't do something, but I'm like, yes, the compliance thing says this, but really what it means is this, and this is also what the negative consequences are on the technical side. So I think, to continue to be a professional, a cybersecurity professional, you should think about both sides of the house skills-wise. It's easy to get caught in your lane, easy to stay in your lane, but your perspective is also narrowed. So I think that covers that. Skill-wise, I'll just go through the list of skills that you are going to get better at in each tree, or each path. For operational: log analysis, alert triage, incident response, threat detection, endpoint and network investigation, scripting, automation, technical troubleshooting, evidence gathering. Those are the technical SOC-type skills.
GRC: risk assessment, control mapping, understanding the control frameworks, audit evidence collection. Hey, you've got to show us that you did this control and have implemented it, making sure that you read it. That also adds some technical capability so you know what they gave you is legit. Policy development, vendor risk review, third-party management, security questionnaires, compliance. I mentioned that earlier: executive communication. So I'd put that on both sides, I think, but maybe a little bit more on the GRC side is the executive communication.
SPEAKER_00: Yeah, I would
SOC And GRC Need Each Other
SPEAKER_00: also like to just clarify. I feel like maybe we're a little too negative with our GRC folks. No, listen, if GRC floats your boat, go forth and conquer, my friends. But one thing I will say is, if you are in the GRC world and if you are in the operational, technical world, it takes both of your groups working together to create a strong organization and a strong overall security team, for sure. Don't look at it as, hey, I'm on the SOC team and the enemy is the GRC team. Not at all. Now, listen, there have been situations where I would have loved to take the person that was auditing us to the top floor of the building, open a window and kick them out of it, trust me. But it really requires both groups to work together to make sure that you are both doing what you're supposed to be doing: from the GRC side, making sure that the organization as a whole is following the regulations, being compliant; and on the operational side, you are doing what you're supposed to do from a technical standpoint, whether that's with security tools, with processes, with procedures, showing them that, hey, yeah, we are doing that, here's my evidence, my proof. So it does require that both groups work together. So don't look at it as one against the other, not at all. Both groups are required to have a successful security team and a secure organization.
SPEAKER_01: Yeah, absolutely.
Plan For Five Years And Beyond
SPEAKER_01: Last point: choose your path based on your five-year plan, or a plan, not just what your first job is going to be. Because if you really want to do GRC, but you're choosing the SOC route because you think that's going to be easier, then yes, your foot is in the door, but your next logical step is another SOC-type position, not bouncing over to GRC. So that's why you need to consider which one you like, which one you favor, which one you think you want to be, which one you want to make your five-year plan or longer-term option. Choose the path that you want to go through, right? Did you have a point there?
SPEAKER_00: Well, yeah, absolutely. I completely agree with you, John. Definitely everyone should have, hey, this is my five-year plan, at least. This is what I would like for my professional career to look like in five years. This is the route I want to take. And yes, if you see yourself, maybe not ending up, but moving into the GRC side, and the only reason you are even giving the technical side any attention is because you see there are a lot more SOC jobs out there than GRC jobs, and you think that's the way you're going to get your foot in the door: yes, potentially, but that's a lot of work to do to get your foot in the door just to end up in GRC. But I get where people are making these decisions, because right now the market's not doing great. It's very difficult. There's a lot of competition, and there are a lot of individuals, and we've talked to a lot of them, that are like, listen, I don't care. I just want to get my foot in the door. I don't care how I do it, whether it's general IT, whether it's working in the NOC and the help desk, whether it's cybersecurity, whether it's GRC, it does not matter. I just want to get my foot in the door and get a job. I get that. I get where you're coming from. And sometimes you do have to make those sacrifices, but do it in a way where you're not veering too far off your five-year lane, so you're not wasting too much time and too much effort to then have to leap back to where you actually want to be. That's all I was going to add to that point.
SPEAKER_01: Yeah, I agree. I think that if you want to be a CISO, here's what I would recommend. Not everybody wants to be a CISO, but if you do, and you go the route I went, up the technical route, weave in more GRC along the way. Now, I was like garlic to vampires, a cross against GRC, when I was coming up the technical route. I was like, just stay away, right? Now I wish I had not. I wish I had been more involved with those frameworks and involved with the risk side, so that when I got to where I was, I didn't have to, not start from zero, but really focus on building those skills and building out the understanding. If you'd weaved it in along the way... Same thing with GRC. If you want to be that and mostly do that, and that's what you love, weave in the technical. Don't just be all risk and all compliance. My opinion, either way, that's going to make you better, just like Steve said earlier. But weave that in so that when you get to that level, you can speak both sides, you understand both sides. You may not be an expert in one or the other. I'm not an expert in compliance. I am not, and I'll tell people that. I'm an expert in security and technical ability. But I also understand both, I do both, I have to do both, and you have to. There's no way around it. You have to, especially as a CISO. So that would be my recommendation. That's part of my whole talk, Choose Your Own Adventure. In my opinion, it is good to do both. But as far as starting out, pick something that you are passionate about, pick something that you love, so when you land in that role, you're not regretting it, you're not wishing, man, this sucks, I don't like this. And pick something based on your strengths.
SPEAKER_00: All right. So yeah, just one thing I wanted to add to help people if they are trying to figure out which route
Match Your Background To A Route
SPEAKER_00: to take. And that is, if you're a person with some help desk skills, right? If you decided to go up the help desk route, again, just trying to get your foot in the door with general IT to then jump over to cyber. If you've done some help desk work, if you've done some networking, if you've done some system admin, that would naturally gravitate you towards SOC work. But you could also do GRC work. And actually, if you end up going the GRC route, you already have some technical experience under your belt that can help you be a strong GRC candidate. Now, if you have some project management, some audit, some compliance, some teaching, even some military leadership experience, or just business operations like running a store, managerial stuff, you would be a great fit for general GRC work. But again, that's just to give you an idea of where you're coming from and where you want to go, also taking into consideration a lot of those people that are transitioning from previous work, previous careers, into cyber. Those are just a few that we mentioned. There are definitely a lot more. And if you would like to sit down and talk to us in more detail, join our Skool community, join us on one of our Friday hangouts, or try to set up a one-on-one time with us. We'd be happy to talk to you about this in more detail and give you some advice on where you should go and how you should do it. But I think that is it for today, unless you've got anything else, John.
SPEAKER_01: No, this is good. I get it. I get why people are looking at both of these with the job market right now. But I do think we covered the points of things to consider. So thanks, everybody, for listening. I hope it's helpful. If you have comments or feedback, we're always open to hearing it. Have a good one.
Closing Subscribe And Community Invite
SPEAKER_00: Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
SPEAKER_01: Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.
SPEAKER_00: Have questions, topic ideas, or want to share your cybersecurity journey? Join our Skool community, the Cybersecurity Mentors, where you don't have to do this alone. Connect with us there and on YouTube. We'd love to hear from you. Until next time, I'm John Hoyt. And I'm Steve Higgeretta. Thank you for listening.