The SmartCyber Leadership Program for Critical Infrastructure

Specialized Courses for the Expertise You Need

Our specialized courses give participants expert guidance and hands-on practice in applying proven approaches to the organization’s key cybersecurity challenges.

Each two-day course is scenario-based. Through a multi-part “tabletop” simulation, participants explore critical considerations and processes, address common obstacles, acquire best-practice-based approaches, and experience the communication and collaboration necessary for success. As they “process” the experience, each utilizes a Playbook template to record lessons learned, prioritize individual and organizational action items, and begin implementation planning for their own organization.

Depending on the organization’s cybersecurity challenges and his or her individual role, a participant may choose to build a body of expertise by completing a series of courses or to take a single course to address a pressing concern.

Courses may be taken in any order. There are no prerequisites.


Any course or set of courses can be presented on site at your location, anywhere in the U.S. or around the world. In addition to realizing significant savings, your organization can benefit by having courses tailored or customized to address your specific industry and organizational needs and challenges.

Implementing the NIST Framework: A Hands-On Approach

This course provides a deep dive into how best to utilize the NIST Cybersecurity Framework for Improving Critical Infrastructure to assess your organization’s current cybersecurity vulnerabilities and capabilities, set target goals for improvement, and measure your organization’s progress. While the NIST Framework is a voluntary guideline, it has been shaped by considerable research and information sharing. It draws on the standards and rubrics established by various bodies to identify and present proven best practices in terms of five functions—Identify, Protect, Detect, Respond, and Recover—that span the lifecycle of managing organizational cybersecurity risk. When applied astutely, with an understanding of its strengths and limitations, the Framework provides a head start on all these endeavors, and a roadmap to success.

Designed for both business and technical leaders, this course will give you a preview of the “NIST Framework 2.0” soon to be released as it prepares you to:

  • Successfully articulate the importance of cybersecurity to your organization, and the business impact and benefit of specific cybersecurity measures
  • Assess your organization’s cybersecurity state
  • Create and implement a plan to improve your organization’s cybersecurity posture, and assess its progress
  • Help your organization prioritize and validate cybersecurity investments from a well-informed risk-management perspective

Who Will Benefit:

  • All individuals charged with formulating or supporting a cybersecurity implementation effort—or who receive credit for cybersecurity success or blame for cybersecurity failure
  • Technical and nontechnical executives and business leaders, including C-level executives, VPs, and directors

Cybersecurity and Enterprise Risk Management: Addressing Potential Business Impact

It has been said that risk management is the process of knowing your enemy, knowing yourself, and acting appropriately based on that knowledge. In the cybersecurity context that means sizing up the range of cyber threats to which your organization’s systems and assets may be subject, and thoroughly understanding your organization’s vulnerabilities, in order to assess risk quantitatively and qualitatively. It then means acting upon those risk assessments to craft and implement sound cyber risk management plans, programs, and processes at the strategic, operational, and tactical levels. Crucially important, given an organization’s high degree of dependence on cyber infrastructure and the potentially disastrous consequences of a cyber event, it means ensuring that cybersecurity risk management is an integral part of enterprise risk management.

This course will prepare you to:

  • Ask the right questions in order to reach sound cyber risk assessments
  • Integrate cybersecurity considerations and cyber risk assessments into enterprise-level risk assessment, management, and decision making
  • Develop policies and programs to ensure that cyber risk is managed routinely, consistently, and continuously as part of the function or operation for which you are responsible
  • Understand the value of and determine or recommend the role that cyber insurance should play in your organization’s risk management strategy

Who Will Benefit:

  • All individuals who have fiduciary responsibility for or a role in identifying and managing enterprise risk at any level—or whose job could be in jeopardy in the event of a risk management failure
  • All those responsible for the organization’s cybersecurity, including CIOs, CSOs, CISOs, other C-level leaders, and their direct reports
  • Other technical leaders and managers

Incident Response and Crisis Management: Best Practices

No matter how robust its preventive and defensive cybersecurity measures, every organization must have in place similarly robust incident response and crisis management plans. As cyber threats continually and rapidly evolve, no organization should consider itself immune to successful attack; every organization must have in place a thorough plan for responding quickly, intelligently, and efficiently to a serious cyber event. Beyond simply addressing initial emergency-response procedures, the plan must align with the organization’s overall corporate crisis management plan, business continuity processes, and internal and external communications strategies.

This course will prepare you to:

  • Approach incident response and crisis management planning both strategically and tactically
  • Develop a comprehensive cybersecurity incident response and crisis management plan that aligns with your organization’s overall crisis management and corporate communications policies and practices
  • Build into the plan specific for escalation to senior management levels for appropriate decision making and action
  • Determine how best to vet the plan, obtain necessary approvals, and conduct exercises in its application

Who Will Benefit:

  • All individuals with responsibility for cybersecurity incident-response planning and execution
  • C-level executives and their direct reports, including CIOs, CSOs, and CISOs
  • Legal, financial, public relations, and corporate communications teams

Active Defense: Informed, Forward-thinking Decision Making

The rapid proliferation and increasing sophistication of cyber attacks on public and private sector entities has raised new and urgent questions concerning what actions are technically feasible, legally permissible, and ultimately prudent to take in defending an organization. When and how should an organization “hack back” or “go on the offensive” to protect its systems, data, and people? While there is a growing consensus that, given what is at stake, critical infrastructure organizations must employ active defense measures, serious issues remain to be resolved. This course explores the full range of legal and practical implications of active defense. It demonstrates how to employ active defense successfully to proactively predict attacks, assess the attributes of computer network exploitation, and create actionable defense strategies.

Upon completing the course, you will be able to:

  • Identify the major legal, policy, and pragmatic issues that arise concerning active defense in the context of your critical infrastructure sector and your organization’s systems and operations
  • Understand all phases of the active defense operations, planning, and management lifecycle in the context of your sector and organization
  • Draw on all relevant sources of intelligence and information to recognize and assess human and technical indicators and warnings
  • Differentiate among passive, offensive, hacking back, and other specific measures, and identify the circumstances in which these types of measures should or should not be used
  • Develop a plan for protecting your organization’s business operations through the informed, judicious use of passive, offensive, hacking back, and other active defense measures

Who Will Benefit:

  • CIOs, CSOs, CISOs, and other C-level executives, and their direct reports
  • General counsel and legal staff
  • Technical leaders and staff members

Supply Chain Cybersecurity: Strengthening the Vendor Links

While third-party and lower-tier vendors are essential contributors to business outcomes, they also present substantial cybersecurity risk in an environment that relies on electronic transactions and communications as well as extensive data sharing. That risk is particularly challenging to address when an organization’s supply chain spans many different companies and countries. This course explores top strategic and operational approaches to securing the critical infrastructure supply chain. Participants examine how business, operational, and technical leaders can work together to secure the supply chain by assessing and prioritizing risks, addressing supply chain design and structure, building trusted systems, and sharing responsibility for transparency and accountability with vendors and customers alike.

This learning experience will enable you to:

  • Identify the full range of ways in which your organization’s supply chain is susceptible to the introduction of cybersecurity risk
  • Map the organizational supply chain structure for which you have or share responsibility, indicating the points at which security most needs to be strengthened
  • Determine specific procedural changes that can improve your organization’s supply chain-related cybersecurity
  • Develop approaches to ensuring that responsibility and accountability for cybersecurity are allocated appropriately among relevant stakeholders

Who Will Benefit:

  • VPs, directors, and their staffs
  • CIOs, CSOs, and CISOs and their direct reports
  • Procurement, contracting, and logistics leaders and staffs
  • Business development and partner management teams
  • Individuals whose career success depends on effective vendor management