NGSP — Next Generation Security Practitioner

The Programme.

40 lessons. 6 tiers. 12 live workshops. A complete methodology for security practitioners who are ready to move from technical specialist to strategic risk leader.

40 on-demand lessons · 6 progressive tiers · 12 live workshops · 56 CPE available

Tier 1

Profiling Risk

Mastering the art of identifying and communicating emerging risk before it becomes hindsight. Security teams often sense danger early but struggle to be heard.

7 lessons · 2 live workshops · 9.5 CPE available · Models: Altitudes, THOR, TVI-Q, LOSS Map

What you will achieve in this tier

7 lessons · 15–21 min each
1.1 Why Profiling Risk Matters · 16 min

Learning Outcomes

Understand what risk means to the business and why it is so difficult to communicate effectively
Recognise the challenges associated with profiling risk in complex, high-pressure environments

The opening lesson. Sets the stakes. Explores the gap between what security teams know and what leadership hears — and why that gap exists.

0.5 CPE on completion
1.2 Risk Mindset · 18 min

Learning Outcomes

Shift from control-checking to consequence-led thinking in your approach to security risk
Develop a mindset that prioritises uncertainty, judgement and material impact over technical compliance

How businesses weigh up security risk — cost vs loss — and how real-world pressures distort rational risk acceptance. The thinking shift that changes everything.

0.5 CPE on completion
1.3 Understanding the Risk Landscape · 20 min · ★ Altitudes

Learning Outcomes

Identify the change forces driving emerging security risk across strategic, operational and tactical levels
Distinguish business-critical risks from operational noise using the Three Altitudes framework

How changes in external forces, business focus and risk appetite create a cascade of new threats. The Altitudes model gives practitioners a structured way to see the full risk landscape.

0.5 CPE on completion
1.4 The THOR Risk Lens · 17 min · ★ THOR

Learning Outcomes

Apply the THOR lens to increase your risk awareness across Technical, Human, Operational and Regulatory domains
Analyse risks through a multi-domain perspective to identify blind spots and hidden exposures

How to view risks through Technical, Human, Operational and Regulatory lenses simultaneously. THOR prevents the single-domain thinking that leaves organisations exposed.

0.5 CPE on completion
1.5 Increasing Your TVI-Q · 19 min · ★ TVI-Q

Learning Outcomes

Strengthen your analysis of risk through the most critical lenses — Threat, Vulnerability and Impact
Learn to ask the three critical questions that get to the heart of any security risk quickly and credibly

How to develop a powerful, fast way of assessing risk using TVI-Q — the three-question method that cuts through complexity and surfaces what actually matters.

0.5 CPE on completion
1.6 Business Impact Assessment · 21 min · ★ LOSS Map

Learning Outcomes

Translate technical scenarios into tangible business consequences that decision-makers can act on
Learn to conduct business impact interviews with risk owners to build credible, evidence-based loss scenarios

How to identify and quantify real business harm and build clear loss scenarios grounded in operational reality. The foundation of every credible risk conversation.

0.5 CPE on completion
1.7 The Case for Mitigation · 15 min

Learning Outcomes

Build a defensible argument for proportionate mitigation that leadership will take seriously
Evaluate when treatment is justified versus when risk acceptance is a viable and responsible position

Determining risk ratings and required mitigations to bring risk to a level the business is prepared to accept. How to close the profiling loop and move to action.

0.5 CPE on completion

Signature Models Introduced in Tier 1

Three Altitudes of Risk: Risk Framework

THOR: Multi-Domain Analysis

TVI-Q: Risk Calculation

LOSS Map: Business Impact Translation

Tier 2

Decision Influence

Calculating loss in real terms and getting the business to act. Decision-makers are shaped by bias, pressure and competing priorities — good escalations fall flat without the right structure.

6 lessons · 2 live workshops · 9 CPE available · Models: LOSS Map, Bias Models, FACTR, SCARF

What you will achieve in this tier

6 lessons · 15–22 min each
2.1 Why Decision Influence Matters · 15 min

Learning Outcomes

Understand why credible risk insight does not automatically drive action at leadership level
Recognise the behavioural factors shaping executive decisions on security risk

How influencing decisions early strengthens security's position and accelerates action. Why the best risk analysis in the world fails without the right communication architecture.

0.5 CPE on completion
2.2 Calculating Loss · 22 min · ★ LOSS Map

Learning Outcomes

Estimate potential loss using structured scenario thinking that executives find credible
Differentiate between speculative impact and defensible loss modelling that drives decisions

How to identify impact variables, assign unit costs and build clear, credible loss scenarios. The difference between a guess and a case.

0.5 CPE on completion
2.3 Reactions to Risk — Biases · 18 min · ★ Bias Models

Learning Outcomes

Identify the ten common cognitive biases that shape stakeholder reactions to security risk
Adapt your messaging to counter underreaction and overreaction in leadership conversations

How to recognise the ten common biases that shape stakeholder reactions to risk — and how to navigate each one without confrontation.

0.5 CPE on completion
2.4 Escalating Risk — FACTR · 20 min · ★ FACTR

Learning Outcomes

Structure risk communication using a disciplined narrative flow that gets decisions made
Present risk in a way that supports decision clarity and ownership at leadership level

How to structure a persuasive risk escalation using FACTR — Facts, Analysis, Consequence, Treatment, Request — and present a clear loss-driven case.

0.5 CPE on completion
2.5 Increasing Your E-Q · 17 min

Learning Outcomes

Strengthen emotional awareness in high-stakes security conversations with senior leaders
Use emotional intelligence to manage tension and resistance without losing strategic momentum

How to apply the five components of emotional intelligence to strengthen gravitas and influence when the stakes are highest.

0.5 CPE on completion
2.6 Navigating Pushback · 16 min · ★ SCARF

Learning Outcomes

Anticipate typical objections to security proposals before they derail the conversation
Respond constructively while maintaining strategic intent and keeping ownership on the table

How to handle challenging stakeholder questions and maintain control of the discussion when the business pushes back on security recommendations.

0.5 CPE on completion

Signature Models in Tier 2

LOSS Map: Business Impact Translation

Bias Models: Behavioural Intelligence

FACTR: Risk Communication

SCARF: Influence & Persuasion

Tier 3

Building Alliances

Increasing security resilience through powerful business partnerships. Security often struggles not because of weak controls, but because the people who own the risk aren't engaged.

8 lessons · 2 live workshops · 10 CPE available · Models: Constellation, SCARF

What you will achieve in this tier

8 lessons · 14–21 min each
3.1 Why Alliances Matter · 14 min

Learning Outcomes

Recognise why security cannot succeed in isolation from the business it is designed to protect
Understand the strategic value of distributed advocacy and how it amplifies security's reach

Why security depends on strong cross-business alliances and how shared ownership accelerates action. The case for building relationships before you need them.

0.5 CPE on completion
3.2 Mapping the Security Network · 21 min · ★ Constellation

Learning Outcomes

Identify critical stakeholders across business functions and map their relationship to security
Visualise influence pathways beyond IT and security to find hidden allies and blockers

How to map security's actual relationship footprint and identify where trust and collaboration are weak. The Constellation model makes the invisible visible.

0.5 CPE on completion
3.3 Driving 1st-Line Advocacy · 18 min

Learning Outcomes

Enable business units to take visible ownership of risk and champion security in their areas
Position security as an enabler rather than a blocker in day-to-day business operations

How to identify supporters, adversaries, conspirators, disciples and fence-sitters — and how to move each one toward active security advocacy.

0.5 CPE on completion
3.4 Decoding Stakeholder Positions & Interests · 19 min

Learning Outcomes

Analyse stakeholder motivations and constraints to understand what drives their behaviour
Tailor engagement strategies to different interest profiles for maximum influence

How to read both public behaviour and private intent to understand what each stakeholder really wants — and use that understanding to build genuine alignment.

0.5 CPE on completion
3.5 Influence & Emotional Intelligence · 17 min

Learning Outcomes

Build trust through deliberate relationship management across security and business functions
Adjust communication style to increase alignment and buy-in with different stakeholder types

How to reduce emotional threat, create psychological safety, and turn confrontations into collaboration — the social skills that separate great security leaders from average ones.

0.5 CPE on completion
3.6 Overcoming Security Pushback · 16 min · ★ SCARF

Learning Outcomes

Diagnose the root causes of resistance to security change in your organisation
Reframe conflict into collaborative problem-solving using the SCARF influence model

How to strengthen security's reputation through consistent deposits of goodwill and shared wins — and how to use SCARF to de-escalate resistance before it becomes obstruction.

0.5 CPE on completion
3.7 Risk Ownership & Controls Ownership · 18 min

Learning Outcomes

Clarify the distinctions between accountability and responsibility across risk and control domains
Establish sustainable ownership models for risk treatment that survive operational pressure

How to achieve win-win outcomes and establish shared responsibility for risk across the business — without security carrying everything alone.

0.5 CPE on completion
3.8 Negotiating Shared Ownership · 20 min

Learning Outcomes

Facilitate shared accountability across business domains through structured negotiation
Create ownership agreements that survive the pressure of competing business priorities

Practical negotiation for securing buy-in and ongoing ownership from business partners who have their own priorities and pressures.

0.5 CPE on completion

Signature Models in Tier 3

Security Constellation: Stakeholder Mapping

SCARF: Influence & Persuasion

Tier 4

Security Consulting

Strengthening security posture through insight, problem-solving and collaboration. Security teams that enforce policy meet resistance. Those who diagnose and guide earn trust.

10 lessons · 2 live workshops · 11 CPE available · Model: PULSE

What you will achieve in this tier

10 lessons · 15–24 min each
4.1 Why Security Consulting Matters · 16 min

Learning Outcomes

Understand the difference between advisory and directive security roles and their impact on trust
Recognise the impact of structured problem engagement on security outcomes and stakeholder relationships

How moving from policy-enforcer to trusted consultant increases influence, trust and impact. The mindset shift that changes how the business sees security.

0.5 CPE on completion
4.2 Challenger & Growth Mindset · 17 min

Learning Outcomes

Adopt a constructive challenger posture that opens doors rather than closes them
Encourage learning and adaptation under uncertainty within security and business teams

How to shift from telling to challenging — and use pain vs gain conversations to reframe security problems as business opportunities.

0.5 CPE on completion
4.3 The PULSE Consulting Framework · 22 min · ★ PULSE

Learning Outcomes

Apply the five-stage PULSE model in security engagements to structure every conversation from positioning to execution
Navigate complex security problems with a repeatable consulting methodology that builds confidence and trust

The flagship model of the Security Consulting tier. Position, Unpack, Lockdown, Solve, Execute — a complete consulting methodology built for security practitioners.

0.5 CPE on completion
4.4 Position — Stage-Managing the Discussion · 18 min · ★ PULSE

Learning Outcomes

Frame purpose and outcomes at the start of engagements before the discussion drifts
Establish credibility and direction early in conversations to maintain control throughout

How to frame security conversations, set purpose and create the conditions for a productive meeting — before someone else sets the agenda for you.

0.5 CPE on completion
4.5 Unpack — Questioning & Discovery · 20 min · ★ PULSE

Learning Outcomes

Use structured questioning to surface real problems beneath the symptoms being presented
Differentiate symptoms from underlying issues using horizontal, vertical and Socratic questioning

The art of discovery. How to use the right questions at the right moment to expose the real security problem — not the one that was described.

0.5 CPE on completion
4.6 Lockdown — Closing on the Problem · 16 min · ★ PULSE

Learning Outcomes

Apply vertical questioning to identify root causes and separate them from surface-level symptoms
Achieve agreement on the core issue to be solved before moving to solution design

How to define the core issue, remove ambiguity and get commitment to what must be solved — before the conversation moves to solutions nobody will own.

0.5 CPE on completion
4.7 Solve — Designing Practical Security Solutions · 21 min · ★ PULSE

Learning Outcomes

Develop proportionate solutions aligned to business context that stakeholders want to adopt
Integrate SMART controls, collaboration and compliance effectively into practical security design

How to build SMART controls, apply the THOR lens and stress-test solutions with Force-Field Analysis — designing security that fits the business, not the textbook.

0.5 CPE on completion
4.8 Execute — Ownership & Action · 18 min · ★ PULSE

Learning Outcomes

Translate solution design into actionable commitments with named owners and real timelines
Confirm buy-in and define measurable next steps that close the consulting loop

How to assign responsibilities, secure 1st-line ownership and plan for successful delivery — so solutions don't die in the follow-up.

0.5 CPE on completion
4.9 Overcoming Pushback · 15 min

Learning Outcomes

Manage stakeholder resistance during solution delivery without losing the relationship
Maintain clarity and confidence under challenge when the business questions security recommendations

Managing resistance after the solution has been agreed — the moment most practitioners lose ground. How to hold the line without burning the bridge.

0.5 CPE on completion
4.10 Applying PULSE in Action · 24 min · ★ PULSE

Learning Outcomes

Integrate all five PULSE stages in real-world security scenarios from first contact to confirmed action
Reflect on effectiveness and refine your practitioner behaviour based on the full PULSE simulation

The PULSE capstone. A full consulting simulation — determining risk ratings and mitigations in practice, using everything from this tier in a live scenario.

0.5 CPE on completion

Signature Model in Tier 4

PULSE: Security Consulting Methodology

Tier 5

Mitigating Risk

Making risk mitigation a business enabler, not just a defensive tactic. Mitigation fails when leaders don't see the urgency or understand what the plan is trying to achieve.

10 lessons · 2 live workshops · 11 CPE available · Models: THOR, PDC Controls, FACTR

What you will achieve in this tier

10 lessons · 16–21 min each
5.1 Why Risk Mitigation Matters · 16 min

Learning Outcomes

Distinguish between theoretical and operational mitigation and why most plans fail at the delivery stage
Recognise the characteristics of high-value risk treatment that leadership will fund and support

Where risk mitigation fails and the consequences of getting it wrong. The case for treating mitigation as a business discipline, not a technical afterthought.

0.5 CPE on completion
5.2 Risk Treatment · 17 min

Learning Outcomes

Evaluate the 4T's — Treat, Transfer, Tolerate, Terminate — and select proportionate responses
Select proportionate responses based on exposure level, business context and available resource

The four treatment options and how to choose between them. When tolerance is a valid position and when it is simply avoidance with better branding.

0.5 CPE on completion
5.3 Building Risk Mitigation Plans · 19 min

Learning Outcomes

Structure mitigation plans with clarity, accountability and measurable outcomes leadership can track
Align timelines, ownership and success criteria from the outset to prevent plan collapse

How to plan mitigation — not guess it. The architecture of a plan that survives first contact with the business.

0.5 CPE on completion
5.4 Crafting a High-Value Risk Statement · 18 min

Learning Outcomes

Write concise, decision-ready risk statements that leadership can act on immediately
Ensure clarity between cause, event and consequence to remove ambiguity from the risk narrative

The one paragraph that has to land. How to structure a compelling risk narrative that drives decision, not debate.

0.5 CPE on completion
5.5 Building Multi-Domain THOR Mitigations · 21 min · ★ THOR

Learning Outcomes

Design mitigation across threat, vulnerability and impact layers to address risk at its source
Avoid single-control dependency in treatment strategies that creates hidden exposure

How to design stronger mitigations combining Technical, Human, Operational and Regulatory controls — building resilience across all four domains simultaneously.

0.5 CPE on completion
5.6 Building a PDC Controls Map · 20 min · ★ PDC Controls

Learning Outcomes

Map preventive, detective and corrective controls systematically across the risk landscape
Identify control gaps and overlaps that leave the organisation exposed or over-invested

How to convert mitigation ideas into real controls using Prevent–Detect–Correct — the three-layer control architecture that closes gaps before they become incidents.

0.5 CPE on completion
5.7 The 80/20 Rule of Ownership · 17 min

Learning Outcomes

Focus mitigation effort where leverage is highest and stop security carrying what the business should own
Prioritise actions that drive disproportionate impact with the resources available

How to assign only the 20% security should own and shift the remaining 80% to first-line teams — the ownership model that makes mitigation sustainable.

0.5 CPE on completion
5.8 Building-in the Assurance Truth Test · 16 min

Learning Outcomes

Test mitigation credibility under realistic conditions before presenting to leadership
Validate whether controls would actually hold under operational stress and adversarial pressure

The stress test every mitigation plan needs before it goes anywhere near a board. How to find the holes before the attacker does.

0.5 CPE on completion
5.9 Driving Ownership Through Engagement · 18 min

Learning Outcomes

Secure genuine business commitment to mitigation execution — not just sign-off
Reinforce accountability through structured follow-up that keeps ownership alive under pressure

How to secure real commitment to mitigation delivery — not just box-ticking agreement — and keep that commitment alive when the business gets busy.

0.5 CPE on completion
5.10 Securing Required Resource · 17 min

Learning Outcomes

Articulate resource needs in business terms that CFOs and CIOs understand and respond to
Build a persuasive case for investment and capacity that connects security spend to business outcomes

How to build the business case for security investment — in language that finance and leadership actually respond to.

0.5 CPE on completion

Signature Models in Tier 5

THOR: Multi-Domain Analysis

PDC Controls: Controls Framework

FACTR: Risk Communication

Tier 6

Driving Resilience

Strengthening security posture through insight, problem-solving and collaboration. Security initiatives often fail in delivery, not design. This tier closes the gap.

8 lessons · 2 live workshops · 10 CPE available · Model: 4R's of Resilience

What you will achieve in this tier

8 lessons · 15–20 min each
6.1 Why Driving Resilience Matters · 15 min

Learning Outcomes

Understand the key factors that determine whether security initiatives succeed or fail at the delivery stage
Recognise the link between security posture and operational continuity in complex organisations

The critical challenges practitioners face when trying to embed lasting security change — and why so many well-designed programmes never achieve their intended impact.

0.5 CPE on completion
6.2 Why Security by Design Matters · 17 min

Learning Outcomes

Embed security thinking early in change initiatives before the design is locked and costs are sunk
Prevent downstream remediation through proactive security design from day one

How real-world pressures influence risk acceptance and the business case for designing security in from the start — before it becomes an expensive afterthought.

0.5 CPE on completion
6.3 Security Bottlenecks, Blockages & Barriers · 18 min

Learning Outcomes

Identify structural constraints limiting security effectiveness and diagnose their root causes
Diagnose process and behavioural blockers to resilience and build a plan to address them

How external forces and risk appetite create cascades of new threats — and how to identify and clear the blockages that stop security programmes from delivering.

0.5 CPE on completion
6.4 The 4R's — Review · 19 min · ★ 4R's

Learning Outcomes

Systematically evaluate security initiatives, controls and processes against current risk reality
Identify where risk treatment no longer reflects the threat landscape and needs to evolve

How to examine an existing security initiative through a diagnostic lens to identify what's working, what's broken, and what needs to change.

0.5 CPE on completion
6.5 The 4R's — Reframe · 16 min · ★ 4R's

Learning Outcomes

Reinterpret security problems through a business lens to find the real requirement behind the noise
Renew the requirements based on change factors and reset the initiative for current conditions

How to challenge assumptions and restate the initiative's purpose with clarity — so the security programme addresses reality, not a problem that no longer exists.

0.5 CPE on completion
6.6 The 4R's — Rework · 17 min · ★ 4R's

Learning Outcomes

Redesign controls and processes for practical effectiveness and operational alignment
Improve alignment between security requirements and business operational flow

How to strengthen and streamline an initiative by removing friction and aligning to business needs — so security programmes get adopted instead of ignored.

0.5 CPE on completion
6.7 The 4R's — Remove · 15 min · ★ 4R's

Learning Outcomes

Eliminate redundant or low-value security activities that consume resource without reducing risk
Simplify the security environment to strengthen resilience and focus effort where it matters

How to confidently identify and decommission low-value, legacy or duplicated activities — freeing resource for what actually makes the organisation more secure.

0.5 CPE on completion
6.8 Security by Design · 20 min

Learning Outcomes

Apply design principles to build security from scratch into new initiatives and business processes
Build long-term resilience through user-centred design and stakeholder engagement from day one

The capstone of the programme. How to apply everything learned across all six tiers to design security that becomes part of the fabric of the organisation — not a layer bolted on top.

0.5 CPE on completion

Signature Model in Tier 6

4R's of Resilience: Review · Reframe · Rework · Remove

Ready to begin?

Start with Lesson 1.
No card required.

Watch the opening lesson for free. Earn your first 0.5 CPE. Then decide if X-Core is the programme for you.