I’m a sysadmin of 8+ years working for an MSP, looking to transition into infosec, particularly risk management.
Experience is mostly technical, but I did start our “security program” by applying NIST, ISO 27001/2 and CIS top 20 for selecting, implementing and assessing controls, so I’m familiar with these frameworks. Also helped some clients with achieving ISO 27001 and GDPR compliance. I’d say I’ve been doing this for 5 years, although it is not part of my day-to-day tasks.
Certs: A+, Net+, Sec+, AZ-500 and CISSP.
Is risk management / auditing a hard industry to get into if you have a more technical background?
Would getting a CISA hold more weight than my CISSP cert for this particular branch of infosec?
PS: I’m in Alberta, Canada if that helps.