The Art of Approaching IIBA® CCA™: A Founder’s Perspective on Building Cybersecurity Capability for Business Analysts
Over the years, working at the intersection of cybersecurity advocacy and business analysis, I’ve seen a consistent pattern. Cybersecurity is increasingly shaping business decisions, and yet most training still treats it as a technical specialism, not a business capability. That gap is exactly why the IIBA® Certificate in Cybersecurity Analysis (CCA™) exists, and why the way it is taught matters far more than most realise. Our approach to teaching CCA is not accidental. It’s the result of years of observation, experimentation, and refinement.
From Knowledge to Expertise: How Our Approach Was Formed
I firmly believe that expertise is not knowledge alone. Expertise is built when:
- Knowledge is truly understood
- That understanding is internalised through real-world context
- Learners develop the confidence to apply it efficiently and effectively
Through years of working with Business Analysts, delivery teams, and organisations navigating cybersecurity challenges, I arrived at a simple realisation: Business Analysts don’t need more cybersecurity information, they need the right way to think about it. That realisation shaped the teaching model we now use in our trainings.
Why Traditional Cybersecurity Training Doesn’t Work for BAs
Most cybersecurity training:
- Assumes technical backgrounds
- Focuses on tools and controls
- Misses the decision-making context
The IIBA CCA curriculum doesn’t do this and neither do we. Our training treats cybersecurity as a business analysis discipline, grounded in:
- Risk and impact
- Trade-offs and constraints
- Governance, ownership, and accountability
This is exactly how the CCA exam is designed and how organisations operate.
Our Teaching Philosophy: Scenario First, Terminology Second
I designed our CCA training to mirror how professionals really learn.
We teach using:
- Realistic business scenarios
- BA focal points from the syllabus
- Hands-on decision and prioritisation exercises
Only after learners experience the problem do we introduce:
- Formal terminology
- Framework language
- Exam phrasing
This is how understanding turns into capability, not memorisation.
What Organisations See in Practice
“This training fundamentally changed how our Business Analysts engage with cybersecurity teams. They are not trying to become security experts but are asking better questions and supporting better decisions. They feel confident in collaborating with the cybersecurity team.”
— Lead Business Analyst, Information Services, the national system integrator of the Republic of Bulgaria.
That feedback reinforces why this approach works.
Why Organisations Partner with Us
Organisations choose to work with us because we:
- Acknowledge and respect the existing strengths of Business Analysts
- Build capability, not dependency on experts
- Make cybersecurity accessible without oversimplifying it
The outcome is a workforce that:
- Thinks clearly about cybersecurity risk
- Engages confidently with security stakeholders
- Applies learning beyond the certification
Final Thought
The IIBA CCA certification is not about creating cybersecurity specialists. It’s about developing expertise in cybersecurity analysis - the ability to understand risk, evaluate impact, and support informed business decisions. That balance between depth and accessibility is the art of approaching IIBA CCA. It’s the approach I’ve built, refined, and now teach through our trainings.