Lesson 1
Initiative: Identity, Access, and Privilege Management — objectives, stakeholders, enforceable controls (SSO, MFA, least privilege, PAM), KPIs (stale privileged accounts, MFA coverage)

This part explains the identity, access, and privilege management initiative: its goals, the key stakeholders, and the controls you can actually enforce. It sets simple KPIs for tracking access risk, privilege misuse, and authentication coverage over time.

- Defining initiative scope and business alignment
- Stakeholder roles across IT, HR, and business units
- SSO and MFA rollout strategy and governance
- Least privilege, RBAC, and PAM control design
- KPIs for stale accounts and MFA coverage

Lesson 2
Initiative: Cloud Security and Configuration Management — objectives, owners, baseline controls (CSPM, IaC scanning, storage hardening), KPIs (misconfiguration counts, time-to-remediate)

This part explains the cloud security and configuration management initiative: who owns it, the baseline controls, and the supporting tools. It shows how to apply CSPM, IaC scanning, and hardening standards, with KPIs that track misconfiguration counts and how quickly they are remediated.

- Cloud security ownership and accountability model
- Baseline policies for multi-cloud environments
- CSPM deployment and alert tuning
- IaC scanning in build and deployment stages
- KPIs for misconfigurations and remediation time

Lesson 3
Initiative: Secure Software Development and DevSecOps — objectives, stakeholders, CI/CD integration points (SAST, DAST, SCA), KPIs (vulnerabilities introduced per release, mean-time-to-fix)

This part covers the secure software development and DevSecOps initiative: balancing security goals with fast delivery, defining who is involved, embedding security into CI/CD, and choosing KPIs that track vulnerability trends, fix times, and the security quality of the pipeline itself.

- Objectives balancing speed and security
- RACI for engineering, security, and product
- Security gates in CI/CD pipelines
- SAST, DAST, and SCA integration strategy
- KPIs for defects, MTTR, and release risk

Lesson 4
Initiative: Enterprise Risk Management — objectives, stakeholders, risk register design, acceptance criteria and KPIs (top risks tracked, residual risk levels)

This part sets up the enterprise risk management initiative, connecting security to business risk. It covers goals, stakeholders, risk register design, scoring, acceptance rules, and KPIs that track the top risks, their trends, and residual exposure levels.

- Aligning cyber risk with enterprise risk appetite
- Risk register structure and taxonomy
- Qualitative and quantitative risk scoring
- Risk acceptance, transfer, and mitigation
- KPIs for top risks and residual exposure

Lesson 5
Initiative: Compliance and Audit Readiness (ISO 27001, SOC 2, GDPR) — objectives, stakeholders, mapping controls, KPIs (audit findings, control maturity)

This part sets up the compliance and audit readiness initiative, aligning its goals with business obligations. It covers control mapping, evidence management, stakeholder roles, and KPIs that track audit findings, control maturity, and remediation progress.

- Regulatory and customer requirement mapping
- Control framework selection and scoping
- Evidence collection and documentation
- Internal audits and readiness assessments
- KPIs for findings and control maturity

Lesson 6
Initiative: Security Awareness, Culture, and Enablement — objectives, stakeholders, program elements, KPIs (phish-prone percentage, training completion, security champion coverage)

This part outlines the security awareness and culture initiative, defining goals, audiences, and owners. It covers program elements, security champions, behaviour nudges, and KPIs such as phish-prone rate, training completion, and engagement levels.

- Program goals and target behaviors
- Stakeholders in HR, comms, and leadership
- Training formats and content strategy
- Security champions and local advocates
- KPIs for phishing, training, and culture

Lesson 7
Initiative: Third-Party and Supply Chain Risk Management — objectives, stakeholders, assessment cadence, KPIs (third-party risk ratings, contractual remediation SLAs)

This part details the third-party and supply chain risk initiative, defining goals, owners, and assessment cadence. It explains due diligence, ongoing monitoring, contractual requirements, and KPIs for vendor risk ratings and remediation SLAs.

- Vendor inventory and criticality tiers
- Pre-contract due diligence and screening
- Ongoing assessments and monitoring
- Security clauses and remediation SLAs
- KPIs for vendor risk and closure time

Lesson 8
Initiative: Incident Response and Crisis Management — objectives, stakeholders, playbooks, tabletop cadence, KPIs (MTTR, time-to-detection, incident cost estimates)

This part defines the incident response and crisis management initiative, making clear its goals, stakeholders, and governance. It covers playbook design, tabletop exercise cadence, communications, and KPIs such as MTTR, time-to-detection, and business impact measures.

- IR objectives and executive sponsorship
- Roles, RACI, and escalation paths
- Playbook development and maintenance
- Tabletop exercises and lessons learned
- KPIs for MTTR, detection, and impact