This curriculum spans the design and governance of enterprise-wide cybersecurity risk programs, comparable in scope to a multi-phase advisory engagement supporting integration of cyber risk into strategic decision-making across legal, financial, operational, and technical functions.
Module 1: Integrating Cybersecurity Risk into Enterprise Risk Management (ERM)
- Decide whether cybersecurity risk reporting will reside under the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), or both, based on organizational structure and risk appetite.
- Map NIST CSF or ISO 27001 controls to existing ERM risk categories to ensure consistent risk scoring and aggregation.
- Establish thresholds for when cybersecurity incidents must escalate to the board or executive risk committee.
- Implement a unified risk taxonomy that allows IT risk data to be interpreted alongside financial, operational, and strategic risks.
- Negotiate ownership of cyber risk quantification between finance and IT teams when using FAIR or similar models.
- Define integration points between GRC platforms and enterprise risk registers to avoid duplicate data entry and reporting delays.
- Assess whether cyber risk insurance deductibles and coverage limits are aligned with quantified risk exposure from ERM models.
- Balance the need for real-time cyber risk dashboards with the ERM team’s quarterly reporting cycle.
Module 2: Regulatory and Compliance Alignment Across Jurisdictions
- Map GDPR, CCPA, HIPAA, and NIS2 requirements to specific technical controls and data handling processes in multinational operations.
- Determine whether to adopt a "lowest common denominator" compliance strategy or maintain jurisdiction-specific control sets.
- Implement data residency controls in cloud configurations to meet local data sovereignty laws.
- Assign responsibility for monitoring regulatory change alerts across regions to legal, compliance, or security teams.
- Conduct gap assessments between existing SOC 2 controls and new requirements under evolving frameworks like ISO 42001.
- Decide whether to centralize compliance evidence collection or allow business units to maintain localized documentation.
- Configure automated alerting in GRC tools when new regulations affect existing control frameworks.
- Negotiate audit scope with third-party assessors to avoid redundant testing across overlapping standards.
Module 3: Third-Party and Supply Chain Risk Governance
- Select a vendor risk scoring model (e.g., SIG, VRMMM) and customize it to reflect criticality of data access and system integration.
- Enforce contractual clauses requiring third parties to report breaches within 24 hours of discovery.
- Decide whether to require penetration test results from high-risk vendors or accept SOC 2 reports as sufficient.
- Implement continuous monitoring of vendor security posture using automated tools like BitSight or SecurityScorecard.
- Determine the threshold for terminating contracts based on repeated control deficiencies or lack of remediation progress.
- Integrate vendor risk scores into procurement workflows to block purchases from non-compliant suppliers.
- Assess whether software bills of materials (SBOMs) are required from all critical software vendors.
- Establish a process for validating that subcontractors used by vendors are also within the scope of risk assessments.
Module 4: Board-Level Cyber Risk Reporting and Metrics
- Select KPIs that translate technical risk into business impact, such as mean time to detect (MTTD) and potential revenue at risk.
- Decide between narrative reports and standardized dashboards for presenting cyber risk to non-technical board members.
- Define what constitutes a "material" cyber incident requiring immediate board notification.
- Balance transparency about vulnerabilities with concerns about exposing legal or competitive risk in written reports.
- Align cyber risk reporting frequency with board meeting schedules without sacrificing timeliness.
- Integrate cyber risk metrics into enterprise-wide risk heat maps for comparative analysis.
- Train board members on interpreting cyber risk quantification models like FAIR without oversimplifying uncertainty.
- Document board decisions on risk acceptance to support audit and regulatory requirements.
Module 5: Identity and Access Governance at Scale
- Implement role-based access control (RBAC) or attribute-based access control (ABAC) based on application complexity and user diversity.
- Define review cycles for access certifications: quarterly for privileged accounts, annually for standard users.
- Decide whether to enforce just-in-time (JIT) access for cloud administrators or maintain standing privileges with monitoring.
- Integrate identity governance and administration (IGA) tools with HR systems to automate onboarding and offboarding.
- Establish thresholds for triggering access revocation based on inactivity or role changes.
- Negotiate ownership of access review approvals between IT and business unit managers.
- Implement segregation of duties (SoD) rules to prevent conflicts in financial and operational systems.
- Monitor for excessive entitlements in cloud IAM policies using automated drift detection tools.
Module 6: Incident Response Governance and Escalation Protocols
- Define criteria for activating the incident response team, including thresholds for data volume, system downtime, or ransom demands.
- Assign decision authority for paying ransoms to a crisis management committee, not IT alone.
- Establish communication protocols for notifying regulators, customers, and law enforcement within mandated timeframes.
- Conduct tabletop exercises with legal, PR, and executive teams to validate escalation workflows.
- Document post-incident decisions, including root cause, containment actions, and recovery timelines for audit purposes.
- Integrate threat intelligence feeds into SIEM to reduce mean time to detect (MTTD) during active incidents.
- Decide whether to retain third-party forensic firms on retainer or engage them ad hoc during breaches.
- Implement immutable logging for incident response activities to preserve chain of custody.
Module 7: Cloud Security Posture and Configuration Governance
- Enforce infrastructure-as-code (IaC) scanning in CI/CD pipelines to prevent misconfigurations in cloud deployments.
- Decide whether to allow developers direct access to production cloud environments or require peer review.
- Implement guardrails using AWS Config, Azure Policy, or GCP Organization Policies to block non-compliant configurations.
- Assign ownership of cloud security monitoring between central security teams and application owners.
- Define naming, tagging, and resource grouping standards to enable cost and risk tracking across cloud accounts.
- Conduct regular reviews of public-facing resources (e.g., S3 buckets, VMs) to prevent accidental exposure.
- Integrate cloud security posture management (CSPM) tools with ticketing systems to automate remediation workflows.
- Establish approval workflows for exceptions to cloud security policies, including duration and oversight.
Module 8: Zero Trust Architecture Implementation Governance
- Define the scope of initial Zero Trust rollout: remote access, data centers, or cloud environments.
- Select identity provider (IdP) and device compliance tools that support continuous authentication and posture checks.
- Decide whether to require mutual TLS or certificate-based authentication for internal service-to-service communication.
- Implement micro-segmentation policies based on application dependencies, not network topology.
- Negotiate acceptable performance trade-offs when enforcing least privilege at the workload level.
- Establish logging and monitoring requirements for all access decisions in the policy enforcement point (PEP).
- Define fallback mechanisms for authentication outages without reverting to permissive access.
- Conduct regular reviews of policy drift in Zero Trust configurations using automated compliance tools.
Module 9: Cyber Risk Quantification and Decision Modeling
- Select a cyber risk quantification model (e.g., FAIR, Factor Analysis of Information Risk) based on data availability and stakeholder needs.
- Define probability and impact ranges for threat scenarios using historical incident data and industry benchmarks.
- Decide whether to express risk in financial terms (e.g., ALE) or qualitative levels (e.g., high/medium/low).
- Integrate loss tables from cyber insurance claims data into risk models to improve accuracy.
- Validate model assumptions with red teaming or expert elicitation to reduce bias.
- Use Monte Carlo simulations to model uncertainty in breach likelihood and financial impact.
- Present quantified risk results to executives in the context of capital investment trade-offs.
- Update risk models quarterly or after major incidents to reflect changing threat landscapes.
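As an added worked example (not part of this curriculum), a Monte Carlo model of the kind Module 9 describes: loss event frequency is sampled from a Poisson distribution, per-event loss from a lognormal fitted to a 5th/95th-percentile range, and the resulting annual loss distribution is summarized as ALE plus tail percentiles and compared against an insurance coverage limit, which also serves the Module 1 item on aligning deductibles and limits with quantified exposure. All scenario figures (2 events/year, a 50k..2M per-event range, a 5M limit) are constructed for illustration, not benchmarks.

```python
import math
import random

Z95 = 1.6448536  # standard normal 95th percentile

def lognormal_params(p05, p95):
    """Fit lognormal mu/sigma so p05 and p95 become the 5th/95th percentiles."""
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * Z95)
    return mu, sigma

def analytic_ale(lef_mean, p05, p95):
    """Closed-form ALE = expected events/year * expected loss/event; a sanity check for the simulation."""
    mu, sigma = lognormal_params(p05, p95)
    return lef_mean * math.exp(mu + sigma ** 2 / 2)

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef_mean, p05, p95, trials=20_000, seed=1):
    """Compound-Poisson simulation: events/year ~ Poisson, loss/event ~ lognormal. Returns sorted annual totals."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible for audit
    mu, sigma = lognormal_params(p05, p95)
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, lef_mean)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return sorted(losses)

def summarize(losses, coverage_limit):
    """ALE (mean), tail percentiles, and the share of simulated years whose loss exceeds the policy limit."""
    n = len(losses)
    pct = lambda q: losses[min(n - 1, int(q * n))]
    return {
        "ale": sum(losses) / n,
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_exceed_limit": sum(1 for x in losses if x > coverage_limit) / n,
    }

if __name__ == "__main__":
    # Constructed scenario: ~2 loss events/year, per-event loss 90% CI 50k..2M, insurance limit 5M.
    losses = simulate_annual_loss(2.0, 50_000, 2_000_000)
    print(summarize(losses, coverage_limit=5_000_000))
```

Comparing the simulated ALE with `analytic_ale` is a cheap check that the sampler is wired correctly before the numbers reach a board deck; the `p_exceed_limit` figure is what the insurance conversation in Module 1 turns on.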
Module 10: Mergers, Acquisitions, and Cybersecurity Integration
- Conduct pre-acquisition cyber due diligence using standardized assessment frameworks like NIST 800-161.
- Decide whether to defer integration of IT systems until post-close or require immediate alignment.
- Map the target company’s control environment to the acquirer’s risk framework to identify critical gaps.
- Establish a transition timeline for migrating data, identities, and network access to centralized systems.
- Negotiate retention of the target’s CISO or security team based on expertise and cultural fit.
- Implement monitoring for data exfiltration or unauthorized access during the integration period.
- Consolidate security tools and vendors to reduce complexity, balancing cost savings with operational risk.
- Conduct a joint tabletop exercise post-integration to validate unified incident response capabilities.