Lesson 1
Initiative: Identity, Access, and Privilege Management — objectives, stakeholders, enforceable controls (SSO, MFA, least privilege, PAM), KPIs (stale privileged accounts, MFA coverage)

This section defines the identity, access, and privilege initiative, clarifying objectives, key stakeholders, and enforceable controls, while establishing practical KPIs to monitor access risks, privileged misuse, and authentication coverage over time.

- Defining initiative scope and business alignment
- Stakeholder roles across IT, HR, and business units
- SSO and MFA rollout strategy and governance
- Least privilege, RBAC, and PAM control design
- KPIs for stale accounts and MFA coverage

Lesson 2
Initiative: Cloud Security and Configuration Management — objectives, owners, baseline controls (CSPM, IaC scanning, storage hardening), KPIs (misconfiguration counts, time-to-remediate)

This section defines the cloud security and configuration initiative, clarifying ownership, baseline controls, and tooling. It explains how to use CSPM, IaC scanning, and hardening standards, with KPIs that track misconfigurations and remediation speed.

- Cloud security ownership and accountability model
- Baseline policies for multi-cloud environments
- CSPM deployment and alert tuning
- IaC scanning in build and deployment stages
- KPIs for misconfiguration counts and remediation time

Lesson 3
Initiative: Secure Software Development and DevSecOps — objectives, stakeholders, CI/CD integration points (SAST, DAST, SCA), KPIs (vulnerabilities introduced per release, mean-time-to-fix)

This section details the secure development and DevSecOps initiative, aligning objectives with delivery speed, defining stakeholders, embedding security into CI/CD, and selecting KPIs that track vulnerability trends, fix times, and pipeline security quality.

- Objectives balancing speed and security
- RACI for engineering, security, and product
- Security gates in CI/CD pipelines
- SAST, DAST, and SCA integration strategy
- KPIs for defects, mean time to fix, and release risk

Lesson 4
Initiative: Enterprise Risk Management — objectives, stakeholders, risk register design, acceptance criteria and KPIs (top risks tracked, residual risk levels)

This section frames the enterprise risk management initiative, linking security to business risk. It covers objectives, stakeholders, risk register design, scoring, acceptance criteria, and KPIs that track top risks, trends, and residual exposure levels.

- Aligning cyber risk with enterprise risk appetite
- Risk register structure and taxonomy
- Qualitative and quantitative risk scoring
- Risk acceptance, transfer, and mitigation
- KPIs for top risks and residual exposure

Lesson 5
Initiative: Compliance and Audit Readiness (ISO 27001, SOC 2, GDPR) — objectives, stakeholders, mapping controls, KPIs (audit findings, control maturity)

This section defines the compliance and audit readiness initiative, aligning objectives with business obligations. It covers control mapping, evidence management, stakeholder roles, and KPIs that track findings, maturity, and remediation progress.

- Regulatory and customer requirement mapping
- Control framework selection and scoping
- Evidence collection and documentation
- Internal audits and readiness assessments
- KPIs for findings and control maturity

Lesson 6
Initiative: Security Awareness, Culture, and Enablement — objectives, stakeholders, program elements, KPIs (phish-prone percentage, training completion, security champion coverage)

This section outlines the security awareness and culture initiative, defining objectives, audiences, and ownership. It covers program elements, champions, behavioural nudges, and KPIs such as phish-prone rate, training completion, and engagement.

- Program goals and target behaviours
- Stakeholders in HR, communications, and leadership
- Training formats and content strategy
- Security champions and local advocates
- KPIs for phishing, training, and culture

Lesson 7
Initiative: Third-Party and Supply Chain Risk Management — objectives, stakeholders, assessment cadence, KPIs (third-party risk ratings, contractual remediation SLAs)

This section details the third-party and supply chain risk initiative, defining objectives, owners, and assessment cadence. It explains due diligence, continuous monitoring, contracts, and KPIs for vendor risk ratings and remediation SLAs.

- Vendor inventory and criticality tiers
- Pre-contract due diligence and screening
- Ongoing assessments and monitoring
- Security clauses and remediation SLAs
- KPIs for vendor risk and closure time

Lesson 8
Initiative: Incident Response and Crisis Management — objectives, stakeholders, playbooks, tabletop cadence, KPIs (MTTR, time-to-detection, incident cost estimates)

This section defines the incident response and crisis initiative, clarifying objectives, stakeholders, and governance. It covers playbook design, tabletop cadence, communications, and KPIs such as MTTR, detection time, and business impact metrics.

- IR objectives and executive sponsorship
- Roles, RACI, and escalation paths
- Playbook development and maintenance
- Tabletop exercises and lessons learned
- KPIs for MTTR, detection, and impact