Course 2025-2026 a.y.

The course explores how organizations can integrate cybersecurity governance and strategy into their broader digital transformation efforts. Students will learn how to:
- connect business strategy to cyber risk management decisions;
- use frameworks such as NIST to structure governance processes;
- engage boards and executives in cyber risk oversight;
- manage communication and leadership during cyber crises through simulations and case studies.

Part 1| Understanding the context for cyber risk governance and strategy.  

• Cyber Risk Governance (CRG) as a new field. CRG, Corporate Governance, Enterprise Risk Management, IT Risk Management, IT Governance.
• Current Challenges in Cyber and Information Security.
• Business Strategy in the era of Digital Transformation: how to derive business drivers for Cyber Risk Governance and Strategy. Identifying the crown jewels in transforming organizations: the Real Madrid Case Study.
• Identifying the crown jewels in transforming organizations: the GE Case Study.
• Linking Business Strategy to Cyber Risk Strategy: the SOI case study.
• From strategy to execution: the role of international frameworks. The NIST cybersecurity Framework.
• The NIST cybersecurity framework in action.
• Simulation: Design and execute the Cyber Strategy @ Morpheus Pharma.

Part 2 | Cyber risk governance processes, frameworks and tools. 

• Cyber Risk Governance: leadership structures, organization and processes 
• The Board's role in Cyber Risk Governance.
• Simulation: Build a Cybersecurity Toolkit for Your Board
• CISO: role and responsibilities. Cyber risk management operations.
• Removing vulnerabilities through people and culture.
• Cyber Risk Governance Indicators: KPI and KRI.
• Simulation: Your first 90 days as CISO
• Cyber Leadership & Communication
• Incident Reponse Plan
• Simulation: Your first Cyber Crisis.
• Interactive session with CISOs

• Interpret the interconnections between Corporate Governance, Enterprise Risk Management, IT Governance, IT Risk Management, and Cyber Risk Governance.

• Align Digitalization and Digital Transformation strategies with Cyber Risk Governance and Strategy.

• Engage Board Members and Executives in defining and implementing Cyber Risk Governance, according to their respective roles and responsibilities.

• Foster a culture of cyber awareness and shared responsibility across the organization.

• Apply major frameworks and tools for Cyber Risk Governance (e.g., NIST Cybersecurity Framework).

• Manage and respond effectively to cyber incidents through structured approaches and leadership practices.

• Design a Cyber Risk Governance process aligned with the organization’s Corporate Governance, Enterprise Risk Management IT Governance and IT Risk Management.

• Derive, from the key frameworks and tools for Cyber Risk Governance, a specific approach to protect the organization.

• Implement a Cyber Risk Governance and a Cyber Risk Strategy with an open, collaborative and tech-savvy approach.

• Build a measurement system for Cyber Risk.

• Build a Cyber Risk Roadmap with budget constraints.

• Design, implement and test an Incident Response Plan.

• Lectures
• Guest speaker's talks (in class or in distance)
• Collaborative Works / Assignments
• Interaction/Gamification

• Standard Lectures, where instructors present course content and discuss practical case studies.
• Guest speaker's talks (in class or in distance). Students have the chance to interact with experienced managers and executives dealing with Cyber Risk in order to discuss the main issues and trends in the field
• Case studies /Incidents. Discussions around relevant case studies build a common understanding of the topics introduced by the instructor.
• Group assignments aimed at developing an engagement toolkit for Board Members and designing a company’s Cyber Strategy.
• Interactive class activities (role playing, business game, simulation, online forum, instant polls). 

Attending students will be evaluated based on their ability to translate key concepts and tools into actionable outcomes.

They will be required to take two individual partial exams:

• An essay question on the first part of the course, aimed at assessing their ability to align Digitalization and Digital Transformation strategies with Cyber Risk Governance and Strategy.

• An essay question at the end of the second part of the course, aimed at evaluating their capability to design a Cyber Risk Governance structure and to implement an Incident Response Plan.

The course adopts a pragmatic, hands-on approach, therefore attending students will also take part in two graded in-class group assignments:

• Designing a toolkit for Board Members, to effectively inform and engage them in Cyber Risk Governance.

• Developing a Cyber Risk Strategy for a large organization, including a three-year financial plan.

The assessment for not attending students is based on an open essay question aimed at testing:

• The overall understanding of the key concepst and principles related to Cyber Risk Governance and Strategy;
• The capacity to critically read the Corporate and Digital Strategy of a Company and to desgin a consistent Cyber Risk Strategy;
• The ability to effectively apply the tools and methods for the onboarding of Executives and Board Members in Cyber Risk Governance, as explainde in the book for Not Attending Students.

Cases, readings, slides, and other material available through Bboard.

Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (Full Book)