Path
Beginner-to-job-ready roadmap
Path

Beginner-to-job-ready roadmap

Eleven stages, sequenced. Each stage is short enough to finish in a week and ends with a lab or analysis task that proves what you learned.

Stage 1

Intro to Cybersecurity

complete
3–5 hours

Build a working mental model of how security teams operate and where GRC fits.

  • How modern security teams are organized30m
  • Offensive vs defensive vs GRC25m
  • The CIA Triad in real workflows30m
  • Common attacker techniques (overview)45m
Next: GRC Foundations
Stage 2

GRC Foundations

complete
4–6 hours

Understand what governance, risk, and compliance mean in practice and how they connect.

  • What is GRC really?25m
  • Governance, risk, compliance — separate but interlocking30m
  • The GRC analyst's day30m
  • Common GRC tooling landscape35m
Next: Risk Management
Stage 3

Risk Management

in progress
6–8 hours

Be able to facilitate a risk assessment end-to-end and maintain a register.

  • Risk vocabulary: asset, threat, vulnerability, impact, likelihood40m
  • Inherent vs residual; control effectiveness30m
  • Scoring scales without lying to yourself35m
  • Treat / transfer / tolerate / terminate30m
  • Lab: build your first risk register60m
Next: Governance & Documentation
Stage 4

Governance & Documentation

todo
4–5 hours

Write policies, standards, and procedures people will actually follow.

  • The policy / standard / procedure hierarchy30m
  • Anatomy of a usable policy30m
  • Document lifecycles and review cadence25m
  • Lab: draft an Access Control Policy60m
Next: Controls & Control Testing
Stage 5

Controls & Control Testing

todo
5–7 hours

Design, document, and test controls so they pass audit.

  • Preventive / detective / corrective25m
  • Writing a control narrative30m
  • Sample selection and population evidence35m
  • Lab: test a quarterly access review control60m
Next: Compliance & Audits
Stage 6

Compliance & Audits

todo
5–6 hours

Run an audit cycle without it eating your life.

  • The audit lifecycle30m
  • Managing the PBC list30m
  • Walkthrough prep and findings response35m
  • Lab: build an audit-prep checklist45m
Next: Frameworks
Stage 7

Frameworks Deep Dive

todo
8–10 hours

Know NIST CSF, NIST RMF, ISO 27001, SOC 2, PCI, HIPAA, GDPR well enough to navigate any conversation.

  • NIST CSF 2.0 walkthrough60m
  • ISO 27001 ISMS mechanics60m
  • SOC 2 Trust Services Criteria60m
  • PCI DSS, HIPAA, GDPR essentials75m
  • Lab: framework crosswalk45m
Next: Third-Party Risk
Stage 8

Third-Party Risk

todo
3–4 hours

Run a TPRM program: tiering, questionnaires, ongoing monitoring.

  • Tiering vendors by risk25m
  • Reading a SOC 2 report well40m
  • Lab: review a vendor questionnaire60m
Next: Reporting & Communication
Stage 9

Reporting & Communication

todo
3–4 hours

Write executive summaries and metrics leadership actually reads.

  • The one-page exec summary30m
  • KPIs vs KRIs vs vanity metrics30m
  • Lab: write an exec summary from raw findings60m
Next: Practice Labs
Stage 10

Practice Labs

todo
8–12 hours

Apply everything to realistic seeded company scenarios.

  • Company Analyzer: SaaS scenario90m
  • Company Analyzer: Healthcare scenario90m
  • Company Analyzer: Fintech scenario90m
Next: Career Readiness
Stage 11

Career Readiness

todo
4–6 hours

Translate skills into resume bullets, portfolio artifacts, and interview answers.

  • Entry-level GRC titles and ladders25m
  • Resume bullets that signal real work30m
  • Scenario interview drills60m
  • Build a portfolio with your lab outputs45m
Next: Apply!