Beginner-to-job-ready roadmap
Eleven stages, sequenced. Each stage is short enough to finish in a week and ends with a lab or analysis task that proves what you learned.
Intro to Cybersecurity
Build a working mental model of how security teams operate and where GRC fits.
- How modern security teams are organized30m
- Offensive vs defensive vs GRC25m
- The CIA Triad in real workflows30m
- Common attacker techniques (overview)45m
GRC Foundations
Understand what governance, risk, and compliance mean in practice and how they connect.
- What is GRC really?25m
- Governance, risk, compliance — separate but interlocking30m
- The GRC analyst's day30m
- Common GRC tooling landscape35m
Risk Management
Be able to facilitate a risk assessment end-to-end and maintain a register.
- Risk vocabulary: asset, threat, vulnerability, impact, likelihood40m
- Inherent vs residual; control effectiveness30m
- Scoring scales without lying to yourself35m
- Treat / transfer / tolerate / terminate30m
- Lab: build your first risk register60m
Governance & Documentation
Write policies, standards, and procedures people will actually follow.
- The policy / standard / procedure hierarchy30m
- Anatomy of a usable policy30m
- Document lifecycles and review cadence25m
- Lab: draft an Access Control Policy60m
Controls & Control Testing
Design, document, and test controls so they pass audit.
- Preventive / detective / corrective25m
- Writing a control narrative30m
- Sample selection and population evidence35m
- Lab: test a quarterly access review control60m
Compliance & Audits
Run an audit cycle without it eating your life.
- The audit lifecycle30m
- Managing the PBC list30m
- Walkthrough prep and findings response35m
- Lab: build an audit-prep checklist45m
Frameworks Deep Dive
Know NIST CSF, NIST RMF, ISO 27001, SOC 2, PCI, HIPAA, GDPR well enough to navigate any conversation.
- NIST CSF 2.0 walkthrough60m
- ISO 27001 ISMS mechanics60m
- SOC 2 Trust Services Criteria60m
- PCI DSS, HIPAA, GDPR essentials75m
- Lab: framework crosswalk45m
Third-Party Risk
Run a TPRM program: tiering, questionnaires, ongoing monitoring.
- Tiering vendors by risk25m
- Reading a SOC 2 report well40m
- Lab: review a vendor questionnaire60m
Reporting & Communication
Write executive summaries and metrics leadership actually reads.
- The one-page exec summary30m
- KPIs vs KRIs vs vanity metrics30m
- Lab: write an exec summary from raw findings60m
Practice Labs
Apply everything to realistic seeded company scenarios.
- Company Analyzer: SaaS scenario90m
- Company Analyzer: Healthcare scenario90m
- Company Analyzer: Fintech scenario90m
Career Readiness
Translate skills into resume bullets, portfolio artifacts, and interview answers.
- Entry-level GRC titles and ladders25m
- Resume bullets that signal real work30m
- Scenario interview drills60m
- Build a portfolio with your lab outputs45m