  1. Enterprise Risk Management
    1. Lines of Defense
      1. 1st Line: Process Owners
      2. 2nd Line: Risk Mgmt Group
      3. 3rd Line: Audit
        1. SOC1/SOC2
    2. Risk Treatment Actions
    3. Risk Appetite
    4. Cyber Insurance
    5. BCP/DR
    6. Crisis Management
    7. Risk Acceptance Statement
    8. Risk Register
  2. Security Architecture
    1. Network Design
      1. DDoS Prevention
    2. Security Engineering
    3. Data Protection
      1. Data Leakage Prevention
    4. Access Control
      1. Identity Management
        1. Privileged Access Management
        2. Identity & Access Management
      2. Federated Identity
      3. MFA & SSO
    5. Cloud Security
    6. Secure System Build
      1. Baseline Configuration
      2. Patch Management
    7. Cryptography
      1. Key and Secret Management
        1. Vaulting
        2. HSM
      2. Encryption Standards
      3. Certificate Management
    8. Endpoint Hygiene
    9. Container Security
  3. Security Operations
    1. Security Operations Centers
    2. Incident Response
      1. Breach Notification
      2. Containment
      3. Eradication
      4. Investigation
        1. Forensics
      5. Blue Team
      6. Red Team
      7. Detection
    3. SIEM
      1. SOAR
    4. Vulnerability Management
    5. Active Defense
    6. Threat Hunting
  4. Physical Security
    1. IoT Security
  5. Threat Intelligence
    1. Internal
      1. IOCs
      2. Intel. Sharing
    2. External
      1. Contextual
  6. Risk Assessment
    1. 3rd Party Risk
      1. 4th Party Risk
    2. Penetration Test
      1. Infrastructure (Network and Systems)
      2. Application Pen Tests
      3. Social Engineering
      4. DAST
    3. Vulnerability Scan
    4. Asset Inventory
    5. Risk Monitoring Services (Risk score)
  7. Application Security
    1. S-SDLC
      1. "Shift Left"
        1. CI/CD integration
    2. Source Code Scan
      1. Open Source Scan
      2. SAST
    3. Data-Flow Diagram
    4. API Security
    5. Security UX
    6. Security QA
  8. User Education
    1. Training (new skills)
    2. Awareness (reinforcement)
    3. Cybersecurity Table-Top Exercise
  9. Career Development
    1. Training
    2. Certifications
    3. Conferences
    4. Peer Groups
    5. Self Study
    6. Coaches and Role Models
  10. Frameworks and Standards
    1. NIST Cybersecurity Framework
    2. ISO 27001 / 27017 / 27018
    3. OWASP Top 10 (WebApp & API)
    4. CIS Top 20 Controls / CIS Benchmarks
    5. MITRE ATT&CK Framework
  11. Governance
    1. Laws and Regulations
      1. Regional
        1. CCPA
        2. NYS-DFS 23 NYCRR 500
      2. Central Government
        1. GDPR
        2. GLBA
      3. Industry Specific
        1. PCI
        2. HIPAA
    2. Company's Written Policies
      1. Policy
      2. Procedure
      3. Standard
      4. Guideline
      5. Compliance & Enforcement
    3. Executive Management Involvement
      1. Reports and Scorecards
        1. KPIs/KRIs
      2. Risk Informed