Strong governance is the cornerstone of effective cyber security leadership. In this topic, learners will explore how cyber security must be governed at the highest levels of an organisation—and why executive oversight, structural clarity, and shared accountability are essential in managing cyber risk at scale. This topic introduces learners to key governance models, including the Three Lines of Defence, and examines the responsibilities of senior management in shaping enterprise-wide cyber security programs. It unpacks how leaders must work across risk, compliance, IT, and operational teams to establish robust governance structures, clear reporting lines, and aligned responsibilities. Learners will also explore global governance frameworks such as the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and the CIS Critical Security Controls, building practical familiarity with their categories, control objectives, and assessment tools. These frameworks provide the structure to define, implement, and evaluate cyber programs aligned with business priorities and risk appetite. By the end of this topic, learners will be able to demonstrate how governance frameworks support strategic oversight, guide risk management decisions, and ensure cyber security is embedded as a shared organisational responsibility—from the boardroom to the frontlines.

Cybersecurity is ultimately about managing risk. In this topic, learners will develop the mindset and methods needed to lead cyber risk management efforts across an organisation—balancing security controls with operational needs and business priorities. Building on governance principles, this topic explores the core concepts of cyber risk, including threat modelling, asset classification, risk tolerance, and the evolving nature of digital threats. Learners will walk through structured risk assessment processes, learning how to identify vulnerabilities, assess likelihood and impact, and prioritise mitigation strategies. Through the lens of the Cyber Risk Process Hierarchy, participants will understand how risk management cascades from board-level policy through to day-to-day operational controls. The topic also reinforces the governance structures introduced in Topic 2, such as the Three Lines of Defence (3LOD) model, demonstrating how leadership, management, and assurance functions work together to reduce exposure. By the end of this topic, learners will be equipped to contribute meaningfully to cyber risk discussions, make informed decisions about risk trade-offs, and embed risk-informed thinking into cyber strategy and security programs.

In a world of escalating threats and limited resources, effective cybersecurity leadership demands more than intuition—it requires evidence-based decision-making. This topic equips learners with the skills to quantify cyber risks, allowing organisations to prioritise investments and remediation efforts with clarity and confidence. Learners will explore the importance of risk quantification and its role in demonstrating the value of cybersecurity to boards and business leaders. The topic introduces both qualitative and quantitative assessment models, offering a comparison of methods used to calculate risk likelihood, impact, and exposure in financial and operational terms. From risk management concepts to control selection and implementation, learners will evaluate how different frameworks—such as FAIR and NIST—can guide consistent and defensible risk measurement. They will also consider how risk maturity modelling supports continuous improvement and long-term strategy alignment. By the end of this topic, learners will be able to assess organisational risk posture, compare remediation options based on data, and communicate cyber risk in terms that resonate with stakeholders—from executives to regulators.

In today’s volatile threat landscape, cyber attacks are not a matter of “if”—but “when.” For senior leaders, the true test of cyber resilience lies not just in technical defences, but in how they lead through disruption. This topic arms executive decision-makers with the strategic insights and response frameworks needed to manage cyber crises with confidence. Learners will explore the evolution of cyber attacks, examining real-world case studies and the shifting motivations of attackers—from criminal syndicates to nation-state actors. The topic delves into the cyber kill chain and the anatomy of common attacks, offering practical frameworks for analysis and response. Critically, this topic focuses on the role of senior management in both preparation and response. Learners will examine how leaders make time-critical decisions during incidents, set organisational tone, and coordinate communications with internal and external stakeholders. Through this lens, cyber resilience becomes a leadership responsibility—where risk management, strategic foresight, and trust-building intersect. By the end of the topic, learners will understand the strategic implications of attacks, develop leadership-aligned response strategies, and be ready to build a resilient organisational culture prepared for the next inevitable breach.