CSSRA® (Certified SecurityStudio Risk Assessor)

The Certified SecurityStudio Risk Assessor (CSSRA) course is a practical, hands‑on certification that teaches learners how to confidently conduct objective, defensible risk assessments using the SecurityStudio S2 platform. Through guided instruction, real‑world examples, and platform‑based practice, participants gain a clear understanding of how to evaluate organizational risk with consistency and accuracy. This course is ideal for IT professionals, security leaders, consultants, vCISOs, and anyone responsible for assessing cybersecurity risk. By the end of the program, learners will be fully prepared (and authorized) to perform SecurityStudio risk assessments, interpret results, and deliver meaningful, actionable insights to stakeholders. This includes 15 months (3 month cohort + 12 month annual subscription) of access to course materials, mentorship opportunities, exclusive content, and valuable networking opportunities to help students deepen their expertise, stay current, and further support their professional risk assessment capabilities.

Course Description

Overview

The Certified SecurityStudio Risk Assessor (CSSRA) program is a comprehensive, hands‑on certification designed to prepare professionals to confidently and consistently conduct risk assessments using the SecurityStudio risk assessment platform. This course provides a clear, structured path for anyone looking to deepen their understanding of objective, defensible risk assessment practices.

CSSRA is ideal for security leaders, IT professionals, vCISOs, auditors, consultants, and anyone responsible for evaluating organizational risk. Whether you’re new to formal assessments or looking to standardize your approach, this course equips you with the methodology, tools, and practical skills needed to deliver high‑quality assessments every time.

Learners will gain a strong foundation in SecurityStudio’s risk assessment methodology, develop the ability to gather and validate evidence, practice scoring and analysis within the S2 platform, and learn how to produce clear, actionable reports for stakeholders. By the end of the course, graduates will be fully prepared — and authorized — to conduct SecurityStudio risk assessments with accuracy, consistency, and professional confidence.

This includes 15 months (3 month cohort + 12 month annual subscription) of access to course materials, mentorship opportunities, exclusive content, and valuable networking opportunities to help students deepen their expertise, stay current, and further support their professional risk assessment capabilities.

Schedule

Registration for the CvCISO® Foundations course is open, which gives you access to the course content as soon as it becomes available, allowing you to start learning as soon as possible.

LIVE classes are taught Monday, Tuesday, and Wednesday evenings from 4-6pm PST / 6-8pm CST / 7-8pm EST and run for 10 weeks. For an optimal learning experience, students are expected to review lesson material BEFORE attending the corresponding class. Attending classes is not required to complete the course but is strongly encouraged to get the most from it. Classes are taught LIVE, with time spent reviewing lesson content, asking questions, collaborating with fellow students, and getting time with various subject matter experts to learn even more.

Additional support is available through our Office Hours, every Tuesday from 10-11am PST / 12-1pm CST / 1-2pm EST, and emailing us is always an option.

Course Outline

There are 13 modules in the CSSRA® course. Each module covers one or more topics that are essential to the success of a CSSRA® graduate.

Course Length

The CvCISO® Foundations course runs for 10 weeks and includes 13 instructor-led 2-hour sessions (26 classroom hours in total). In addition to the classroom hours, students are expected to complete additional practical assignments and study (to be successful).

Course Cost

The cost of the course is $3,000 per student, per cohort. This includes 15 months of:

  • Continued Access to CSSRA® Curriculum
    This is the curriculum taught in this course.
  • SecurityStudio Control Group Instruction Videos
    This series of videos walks through the SecurityStudio Risk Assessment platform, covering what the control groups are, what they mean, an analogy of the control (in real-world scenarios), and additional information in support of the spirit of each particular control group.
  • NFR SecurityStudio License (Not for resale)
    Retain hands-on access to SecurityStudio’s Risk Assessment platform for practice, exploration, experience, and further skill development.
  • Live Class Attendance
    Members of the CSSRA® with an active subscription can re-attend LIVE classes, to revisit and/or make up for previously missed classes.
  • Community Access
    • CvCISO® Discord Server – Engage in real-time discussions and peer support.
    • CvCISO® LinkedIn Group – Expand your professional network and share insights.
  • Additional Resources
    SecurityStudio Academy is continuously developing resources in support of continued education and professional development. These resources are shared with CvCISO® graduates through this subscription.
  • Exclusive Discounts
    Receive special pricing on future training courses, workshops, and events.

Experience Requirements

There are no prerequisites for the CSSRA® course. Deep technical expertise is NOT required, but the more familiar the student is with technology, the better. The ability to think critically and good communication skills are helpful; however, we’ll do our best to teach these skills throughout the course as well.

Course Curriculum

Class 1 - Introduction to SecurityStudio & SecurityStudio Academy

(1 Lesson/2 Hours)

  1. Welcome to SecurityStudio
  2. Welcome to SecurityStudio Academy
  3. Purpose of the SecurityStudio methodology
  4. Ethical guidelines & professionalism
  5. Why objectivity and defensibility matter
  6. Role of the CSSRA
  7. What This Certification Authorizes You to Do (and Not Do)
  8. Certification Requirements & Expectations
  9. Overview of the SecurityStudio Risk Assessment platform

Class 2 - Foundations of a Risk Assessment

(1 Lesson/2 Hours)

  1. Introduction to information security risk management
  2. Assessments vs. Audits
  3. Qualitative vs. Quantitative risk analysis
  4. Risk assessment frameworks and standards (NIST CSF, CIS, ISO, HIPAA, etc.)
  5. Key terminology and core risk concepts (threats, vulnerabilities, likelihood, impact)
  6. Understanding Risk vs Compliance vs Maturity
  7. Risk assessment methodology
  8. Risk assessment lifecycle
  9. The role of a risk assessor
  10. Common Risk Assessment Pitfalls

Class 3 - SecurityStudio Platform Orientation

(1 Lesson/2 Hours)

  1. SecurityStudio Risk Model Overview (what Risk Means in SecurityStudio)
  2. Platform interface and navigation
  3. Assessment types (S2Org, S2Vendor, S2Team, etc.)
  4. SecurityStudio’s scoring model
  5. Creating a New Risk Assessment (Drafts vs. Current)
  6. Control Mapping and Risk Reduction
  7. Data Inputs and Their Impact (interviews, scans)
  8. Control Mapping and Risk Reduction
  9. Platform administration basics
  10. User roles and permissions
  11. Assessment lifecycle overview (updates, snapshots, etc.)
  12. Dashboard and reporting capabilities
  13. Integration with other security tools

Class 4 - Best Practices and Case Studies

(1 Lesson/2 Hours)

  1. Industry-specific considerations
  2. Common pitfalls and how to avoid them
  3. Real-world case studies using SecurityStudio
  4. Ethical considerations and professional standards

Class 5 - Preparing for an Assessment

(1 Lesson/2 Hours)

  1. Defining assessment scope and boundaries
  2. Understanding roles and responsibilities (stakeholders, third parties, etc.)
  3. Documentation Best Practices
  4. Pre-assessment questionnaires
  5. Communicating expectations (roles, responsibilities, process, timelines, etc.)
  6. Assessment scheduling
  7. Data collection (administrative, i.e. policies, insurance, etc.)
  8. Asset Identification (technical, i.e. subnets, on-prem/cloud environments, etc.)

Class 6 - Conducting an Assessment

(1 Lesson/2 Hours)

  1. Interviewing techniques (be positive, know your audience, use analogies/examples)
  2. Evidence collection (interviews, scans, note taking, crime index, natural disaster)
  3. Scoring methodology (true, false, N/A)
  4. Avoiding bias and maintaining consistency
  5. Exercise Professional Judgment
  6. When in doubt, ask!
  7. Implement QA principles into assessment process

Class 7 - Reviewing & Completing an Assessment

(1 Lesson/2 Hours)

  1. Review scoring accuracy
  2. Validate completeness
  3. Understanding assessment results
  4. Identifying Outliers and Anomalies
  5. Validate results with stakeholders (if appropriate)
  6. Adjusting inputs responsibly
  7. Assessment recommendations & remediation planning (default vs. custom)
  8. Benefits of a peer-driven QA review
  9. Prepare reports for delivery
  10. Lessons learned, common mistakes, and how to avoid them

Cost: $3,000
Modules: 12
Lessons: 13
Hours: 24

Other courses

CvCISO® Complete Program Course Bundle (Foundations, All Level 3, Student Subscription)

This bundle includes everything academically needed to complete the SecurityStudio Certified virtual Chief Information Security Officer (CvCISO®) Program. Courses include the CvCISO® Foundations Course and all Level 3 courses: Budgeting, Communications, and Complex Environments. Completion of the program's curriculum takes 1 year (if no breaks in study are taken). To accommodate scheduling, this bundle includes 2 years of access to all course materials, LIVE classes, mentorship opportunities, the CvCISO® Community, exclusive content, and valuable networking opportunities to help deepen your expertise, stay current, and further support your professional virtual information security leadership development.

Cost: $6,000
Modules: 4
Lessons: 48
Hours: 96

CvCISO® Level 3 Course Bundle (All Level 3, Student Subscription)

This bundle is designed for the individual interested in taking all the Level 3 courses and remaining an active member of the CvCISO® Community to further support their education and professional development. It includes access to the CvCISO®-B (Budgeting), CvCISO®-C (Communications), and CvCISO®-E (Complex Environments) courses, plus 15 months of access to course materials, mentorship opportunities, exclusive content, and valuable networking opportunities.

Cost: $3,000
Modules: 6
Lessons: 18
Hours: 36

Cohort 1

Information Security in Complex Environments Course (CvCISO®-E)

Mar 2, 2026

Mar 18, 2026

Complexity is often the biggest enemy of effective security. Traditional approaches frequently fail in large, multifaceted organizations. CvCISO®-E provides a structured methodology to overcome these challenges. The CvCISO®-E course is designed to help information security leaders (CISOs, vCISOs, executives, and others) secure complex environments such as state-level or global enterprises.

Cost: $1,000
Modules: 2
Lessons: 6
Hours: 12

Cohort 1

Information Security Communications Course (CvCISO®-C)

Feb 2, 2026

Feb 18, 2026

Effective communication is often cited as the most critical skill for CISOs and vCISOs. Technical expertise alone isn’t enough; leaders must be able to influence decisions, secure budgets, and align cybersecurity with organizational strategy. The CvCISO®-C course directly addresses this gap, focusing on strengthening communication skills for cybersecurity leaders, particularly virtual CISOs (vCISOs). It equips professionals to effectively convey complex security concepts to executives, boards, and non-technical stakeholders.

Cost: $1,000
Modules: 2
Lessons: 6
Hours: 12

Cohort 18

CvCISO® Foundations Course | April 2026

Apr 6, 2026

Jun 17, 2026

This is the official curriculum for the SecurityStudio Certified virtual Chief Information Security Officer (CvCISO®) Foundations course. Upon passing the exam, graduates of this course will attain CvCISO® Level 1 (or Level 2) certification (based on experience). This includes 15 months (3 month cohort + 12 month annual subscription) of access to course materials, mentorship opportunities, exclusive content, and valuable networking opportunities.

Cost: $3,500
Modules: 10
Lessons: 30
Hours: 60

On-Demand

TeejLab API Security and Governance Foundations Course

The API Security and Governance Foundations course is a self-paced, 12‑hour course developed in collaboration with TeejLab and SecurityStudio Academy. Learners gain hands-on experience with the TeejLab API Discovery platform while exploring the evolution of APIs, security frameworks, legal considerations, and modern governance practices. Upon completion, participants earn a certificate of completion and 12 CPE credits.

Cost: $800
Modules: 4
Lessons:
Hours: 12

Cohort 2

Information Security Budget Justification Course (CvCISO®-B)

Apr 6, 2026

Apr 22, 2026

The CvCISO®-B course is designed to equip cybersecurity leaders with the skills to build, defend, and communicate effective security budgets. Participants will learn how to align budget requests with business objectives, quantify risk reduction, and present compelling financial justifications to executive stakeholders.

Cost: $1,000
Modules: 2
Lessons: 6
Hours: 12