This curriculum spans the design and coordination of a multi-workshop security transformation program, integrating risk, policy, identity, operations, and cultural change initiatives across technology and business functions.
Module 1: Risk Assessment and Threat Modeling
- Conduct asset inventory validation across hybrid cloud and on-premises environments to ensure critical systems are not omitted from risk scoring.
- Select and apply a threat modeling methodology (e.g., STRIDE or PASTA) based on system architecture and regulatory context.
- Define risk appetite thresholds in collaboration with business unit leaders to align security priorities with operational tolerance.
- Integrate third-party vendor risk data into enterprise risk registers, including audit reports and security questionnaires.
- Perform red team simulation scoping to identify high-impact attack paths without disrupting production systems.
- Document and socialize risk treatment decisions (accept, mitigate, transfer, avoid) with legal and compliance stakeholders.
Module 2: Security Governance and Policy Development
- Map existing security controls to regulatory frameworks (e.g., NIST, ISO 27001, GDPR) to identify compliance coverage gaps.
- Draft role-based access control (RBAC) policies that reflect least privilege while accommodating legacy system constraints.
- Establish a security policy review cadence aligned with audit cycles and organizational change events.
- Negotiate policy enforcement exceptions with business units, requiring documented compensating controls and executive sign-off.
- Integrate security KPIs into executive dashboards to maintain visibility at the board level.
- Coordinate cross-functional policy change management involving IT, HR, and legal departments for consistent enforcement.
Module 3: Identity and Access Management (IAM) Implementation
- Design federated identity architecture supporting SSO across cloud applications while maintaining MFA enforcement.
- Implement privileged access management (PAM) for shared administrative accounts with session monitoring and just-in-time access.
- Enforce lifecycle management integration between HR offboarding systems and IAM platforms to prevent orphaned accounts.
- Configure adaptive authentication rules based on user behavior, location, and device posture.
- Resolve conflicts between application-specific access models and enterprise-wide IAM standards during integration projects.
- Audit access entitlements quarterly for high-risk roles, including segregation of duties (SoD) validation.
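As an added illustration of the offboarding-to-IAM integration and the quarterly SoD audit above (example code, not part of the curriculum), the reconciliation below flags accounts whose HR owner is missing or terminated and accounts holding a toxic entitlement pair. The HR roster, IAM export, SoD matrix and field names are all constructed assumptions.

```python
# Added example (not from the curriculum): reconcile an HR offboarding feed
# against an IAM entitlement export to find orphaned accounts and SoD conflicts.
# All records below are constructed sample data; the field layout is assumed.
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 3, 1)),
    "E102": ("active", None),
}

# Constructed IAM export: account -> (owner employee id, set of entitlements)
IAM_ACCOUNTS = {
    "alice": ("E100", {"ap_create_vendor", "ap_approve_payment"}),
    "bob": ("E101", {"erp_read"}),
    "svc-backup": (None, {"backup_operator"}),   # no HR owner at all
    "carol": ("E102", {"erp_read"}),
}

# Constructed SoD matrix: entitlement pairs one identity must never hold together
SOD_RULES = [
    ("ap_create_vendor", "ap_approve_payment"),
    ("gl_post", "gl_approve"),
]

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str      # "orphaned" or "sod_conflict"
    detail: str

def reconcile(hr, iam, sod_rules, grace_days=0, today=date(2024, 4, 1)):
    findings = []
    for account, (owner, ents) in sorted(iam.items()):
        record = hr.get(owner) if owner else None
        if record is None:                      # unknown or missing owner
            findings.append(Finding(account, "orphaned", "no HR owner"))
        elif record[0] == "terminated" and (today - record[1]).days > grace_days:
            findings.append(Finding(account, "orphaned", f"owner {owner} terminated {record[1]}"))
        for a, b in sod_rules:                  # toxic combination check
            if a in ents and b in ents:
                findings.append(Finding(account, "sod_conflict", f"{a} + {b}"))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IAM_ACCOUNTS, SOD_RULES):
        print(f"{f.kind:12} {f.account:12} {f.detail}")
```

The `grace_days` parameter models a deliberate retention window after termination; anything still enabled beyond it is reported as orphaned.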
Module 4: Security Operations and Incident Response
- Define and test incident escalation paths that include legal, PR, and regulatory reporting obligations.
- Configure SIEM correlation rules to reduce false positives while maintaining detection coverage for known TTPs.
- Establish a threat intelligence sharing agreement with industry ISACs while managing liability and data handling requirements.
- Conduct tabletop exercises simulating ransomware scenarios with IT recovery teams and business continuity planners.
- Deploy EDR agents across endpoints with performance tuning to minimize impact on user productivity.
- Document post-incident remediation tasks and verify closure through independent validation.
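As an added example of the SIEM correlation-rule tuning mentioned above (example code, not part of the curriculum), the rule below alerts only when a burst of failed logons for one user and source is followed by a success inside a sliding window, and suppresses an authorized scanner source so routine noise is not paged. The log lines, the threshold, the window and the suppressed address are constructed assumptions.

```python
# Added example (not from the curriculum): a minimal SIEM-style correlation rule
# (failed-logon burst followed by success), with a suppression list to cut
# false positives. Log lines, threshold, window and scanner IP are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """
2024-04-01T08:00:01 src=10.0.0.5 user=alice result=FAIL
2024-04-01T08:00:02 src=10.0.0.5 user=alice result=FAIL
2024-04-01T08:00:03 src=10.0.0.5 user=alice result=FAIL
2024-04-01T08:00:09 src=10.0.0.5 user=alice result=SUCCESS
2024-04-01T08:01:00 src=10.0.0.7 user=bob result=FAIL
2024-04-01T08:01:05 src=10.0.0.7 user=bob result=SUCCESS
2024-04-01T07:50:00 src=10.0.0.8 user=dave result=FAIL
2024-04-01T07:50:01 src=10.0.0.8 user=dave result=FAIL
2024-04-01T07:50:02 src=10.0.0.8 user=dave result=FAIL
2024-04-01T08:10:00 src=10.0.0.8 user=dave result=SUCCESS
2024-04-01T08:02:00 src=10.0.0.9 user=svc-scan result=FAIL
2024-04-01T08:02:01 src=10.0.0.9 user=svc-scan result=FAIL
2024-04-01T08:02:02 src=10.0.0.9 user=svc-scan result=FAIL
2024-04-01T08:02:05 src=10.0.0.9 user=svc-scan result=SUCCESS
"""

SUPPRESSED_SRC = {"10.0.0.9"}   # authorized vulnerability scanner (constructed)
FAIL_THRESHOLD = 3              # failures needed before a success is suspicious
WINDOW = timedelta(minutes=5)   # sliding window for the failure burst

def parse(line):
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["src"], f["user"], f["result"]

def correlate(log_text, threshold=FAIL_THRESHOLD, window=WINDOW, suppressed=SUPPRESSED_SRC):
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, src, user, result in events:
        if src in suppressed:   # tuned-out source never contributes to a burst
            continue
        key = (user, src)
        fails[key] = [t for t in fails[key] if ts - t <= window]  # expire old
        if result == "FAIL":
            fails[key].append(ts)
        elif result == "SUCCESS":
            if len(fails[key]) >= threshold:
                alerts.append({"user": user, "src": src, "fails": len(fails[key]), "at": ts.isoformat()})
            fails[key].clear()  # a success ends the burst either way
    return alerts
```

In the sample, only alice triggers: bob is below the threshold, dave's failures fall outside the window, and svc-scan is suppressed; lifting the suppression shows the coverage that tuning trades away.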
Module 5: Data Protection and Encryption Strategy
- Classify data by sensitivity level and map protection requirements to storage and transmission controls.
- Implement tokenization or masking for PII in non-production environments used for development and testing.
- Deploy DLP policies that balance data visibility with operational needs, avoiding overblocking critical workflows.
- Manage encryption key lifecycle across cloud KMS and on-prem HSMs with documented recovery procedures.
- Enforce encryption for data in transit using TLS 1.2+ with certificate pinning for high-risk applications.
- Assess data residency requirements for global operations and configure geo-fencing in cloud storage policies.
Module 6: Secure Architecture and System Design
- Review application design proposals for adherence to secure coding standards before development begins.
- Enforce network segmentation using zero trust principles, including micro-segmentation in data centers.
- Integrate security requirements into DevOps pipelines using automated SAST and DAST tools.
- Evaluate cloud shared responsibility model implications for IaaS, PaaS, and SaaS deployments.
- Design API security controls including rate limiting, authentication, and input validation for external integrations.
- Perform architecture risk reviews for mergers and acquisitions to identify integration security gaps.
Module 7: Third-Party and Supply Chain Risk Management
- Conduct on-site security assessments for critical vendors with access to core systems or sensitive data.
- Negotiate contractual security clauses covering breach notification, audit rights, and liability allocation.
- Monitor vendor compliance status continuously using automated security rating platforms.
- Implement software bill of materials (SBOM) requirements for custom-developed applications from third parties.
- Assess open-source component risks using dependency scanning tools in the build process.
- Establish incident response coordination protocols with key suppliers for joint breach scenarios.
Module 8: Security Awareness and Organizational Change
- Develop role-specific training content for finance, HR, and engineering teams based on phishing and social engineering risks.
- Measure training effectiveness using metrics such as phishing click-through rates and reported incidents.
- Coordinate simulated phishing campaigns with legal to avoid employee relations issues.
- Engage business unit leaders as security champions to drive cultural adoption beyond IT.
- Update onboarding and offboarding checklists to include security training and access revocation steps.
- Align security messaging with corporate communication strategies to maintain consistent tone and urgency.