Description

This curriculum spans the design and operationalization of risk governance frameworks, threat modeling, and control prioritization across complex environments, comparable in scope to a multi-phase advisory engagement addressing enterprise-wide security risk management.

Module 1: Establishing Risk Governance Frameworks

Selecting between ISO 27001, NIST CSF, and CIS Controls based on organizational maturity and regulatory obligations
Defining risk appetite thresholds in collaboration with executive leadership and board-level stakeholders
Assigning ownership for risk domains across business units and IT functions
Integrating risk governance into enterprise architecture review processes
Designing escalation paths for high-impact risks that exceed predefined tolerances
Aligning risk governance with existing compliance programs (e.g., SOX, GDPR)
Documenting risk decision rationales to support audit and regulatory scrutiny
Implementing version control and change management for governance policies

Module 2: Threat Modeling and Risk Assessment

Conducting STRIDE or PASTA assessments for new application deployments
Mapping threat actors to specific systems and data repositories based on historical incident data
Quantifying likelihood and impact using FAIR methodology in high-stakes environments
Updating threat models after infrastructure changes such as cloud migration
Facilitating cross-functional workshops to identify overlooked attack vectors
Integrating threat intelligence feeds into ongoing risk scoring processes
Adjusting assessment frequency based on system criticality and threat landscape shifts
Validating assumptions in risk models through red team exercises

Module 3: Security Controls Selection and Prioritization

Mapping NIST 800-53 controls to specific risk scenarios rather than applying controls generically
Choosing compensating controls when technical limitations prevent standard implementation
Justifying investment in detective versus preventive controls based on breach recovery costs
Adjusting control strength in response to third-party audit findings
Implementing layered controls for crown jewel assets with multi-factor access and monitoring
Disabling legacy controls that create alert fatigue without reducing risk
Coordinating control deployment with change management windows to minimize business disruption
Documenting control effectiveness metrics for quarterly governance reporting

Module 4: Third-Party Risk Management

Classifying vendors based on data access, system integration, and operational criticality
Requiring third parties to provide evidence of security controls through SOC 2 or ISO reports
Conducting on-site assessments for high-risk suppliers with access to core systems
Enforcing contractual clauses for breach notification and liability allocation
Monitoring vendor security posture changes via continuous assessment platforms
Managing risk for subcontractors not directly visible in primary vendor agreements
Deciding whether to accept residual risk or terminate contracts based on remediation timelines
Integrating vendor risk scores into procurement approval workflows

Module 5: Incident Response and Escalation Protocols

Defining criteria for declaring a security incident versus an operational anomaly
Activating incident response teams based on predefined severity levels and business impact
Coordinating legal, PR, and executive communications during active breaches
Preserving forensic evidence while maintaining system availability for critical operations
Engaging external forensics firms under pre-negotiated contracts during major incidents
Updating incident playbooks based on post-mortem findings and tabletop exercise outcomes
Reporting incidents to regulators within mandated timeframes (e.g., 72 hours under GDPR)
Conducting executive briefings with risk context, not technical details, during crisis response

Module 6: Risk Reporting and Executive Communication

Translating technical vulnerabilities into business impact metrics for board presentations
Selecting KPIs and KRIs that reflect strategic risk exposure (e.g., mean time to detect)
Designing dashboards that distinguish between operational security metrics and governance risks
Adjusting reporting frequency based on ongoing projects or threat environment changes
Presenting risk treatment options with cost, effort, and residual risk comparisons
Handling executive pushback on risk mitigation investments with scenario-based analysis
Archiving risk reports to demonstrate due diligence in regulatory audits
Aligning risk terminology across departments to prevent misinterpretation

Module 7: Regulatory and Compliance Integration

Mapping overlapping requirements from multiple regulations to avoid redundant controls
Updating compliance posture when entering new geographic markets with local laws
Responding to regulatory inquiries with documented risk-based exceptions
Conducting gap assessments after major regulatory updates (e.g., SEC cybersecurity rules)
Using compliance audits as opportunities to validate risk mitigation effectiveness
Managing conflicts between regulatory mandates and operational efficiency
Documenting compensating controls for audit findings with extended remediation timelines
Integrating compliance tracking into GRC platforms for centralized oversight

Module 8: Risk-Based Vulnerability Management

Prioritizing patch deployment based on exploit availability and asset criticality
Accepting vulnerabilities in end-of-life systems with documented risk acceptance forms
Coordinating patching schedules with application owners to avoid downtime
Using threat intelligence to identify which CVEs are actively exploited in the wild
Adjusting scanning frequency for internet-facing versus internal systems
Integrating vulnerability data with asset management systems for accurate context
Managing false positives in vulnerability reports to maintain team credibility
Reporting remediation progress against SLAs tied to risk severity tiers

Module 9: Continuous Monitoring and Risk Adaptation

Configuring SIEM correlation rules to detect anomalous behavior tied to high-risk systems
Adjusting monitoring scope based on changes in business operations or threat intelligence
Validating detection capabilities through purple teaming and adversary emulation
Responding to alert fatigue by tuning thresholds and suppressing low-value alerts
Integrating user behavior analytics (UBA) to identify insider threat indicators
Updating risk models when new data sources (e.g., cloud logs) become available
Conducting quarterly risk reassessments to reflect changes in IT environment
Archiving monitoring data to meet legal hold and e-discovery requirements

Module 10: Governance of Emerging Technologies

Assessing risk implications of adopting generative AI in customer-facing applications
Establishing data handling policies for cloud-native serverless and containerized workloads
Extending identity governance to IoT and OT devices with limited security capabilities
Applying zero trust principles to hybrid workforce models with personal devices
Managing encryption key governance in multi-cloud environments with shared responsibility
Conducting privacy impact assessments for AI-driven analytics on personal data
Defining access control models for decentralized identity and blockchain systems
Updating risk frameworks to address quantum computing readiness and crypto-agility