Scenario — TrailBlaze Adventures Expansion Crisis
TrailBlaze Adventures is entering a phase of rapid global expansion, launching new travel experiences in South America, Southeast Asia, and Africa.
To support growth, the company is:
- Partnering with local operators and guides
- Integrating new regional payment providers
- Expanding its social platform with real-time sharing features
- Collecting additional customer data, including health information, geolocation tracking, and emergency contact data
External pressures
- Regulatory requirements (GDPR for EU customers wherever their data is processed, plus regional privacy laws in the new markets such as Brazil's LGPD, South Africa's POPIA, and the PDPAs of Singapore and Thailand)
- Customer expectations regarding safety and privacy
- Investors demanding rapid scaling
- Recent cybersecurity incidents in the travel sector, including data breaches, ransomware, and social platform abuse
Internal struggles
- Inconsistent security policies across regions
- Limited visibility into third-party risks
- Unclear ownership of data and risk decisions
- Growing tension between business agility and security controls
Student assignment
Investigate the case
Analyze the TrailBlaze scenario and identify key challenges related to security and risk management.
- What are the most critical assets?
- What types of risks are emerging?
- Where are responsibilities unclear?
- What governance gaps exist?
- Which external pressures affect security decisions?
Identify Domain 1 challenges
Students should group their findings under the five areas used below: governance and strategy, risk management, compliance and legal, roles and responsibilities, and the policy and control framework.
Link challenges to Domain 1 concepts
Students must connect each identified challenge to CISSP Domain 1 concepts and explain why the concept is relevant.
Domain 1 challenges to investigate
Governance & Strategy
- Lack of centralized security governance
- No clearly defined risk appetite or tolerance
- Misalignment between business growth and security strategy
Risk Management
- No consistent risk assessment process across regions
- Difficulty evaluating third-party and supply chain risks
- Incomplete risk register
Compliance & Legal
- Exposure to GDPR violations: health information is special-category data under GDPR Article 9, and geolocation and emergency contact data are personal data that need a lawful basis, data minimization, and retention limits
- Lack of clarity on which regional regulatory requirements apply in each new market, and where they conflict with GDPR
- Insufficient privacy controls (consent, purpose limitation, access restriction) for the newly collected data
Roles & Responsibilities
- Undefined data ownership
- Weak accountability structures
- Limited security awareness among global staff and partners
Policy & Control Framework
- Inconsistent policies, standards, and procedures
- Lack of enforcement and monitoring
- Weak integration between policy and operations
Example mapping of challenges to Domain 1 concepts
The table below shows the kind of mapping students are expected to produce: each row names a challenge from the scenario, the Domain 1 concept it maps to, and why that concept applies.
| Challenge | Domain 1 Concept | Explanation |
|---|---|---|
| No clear ownership of customer data | Data Ownership / Accountability | Without a named data owner who is accountable for classification and protection decisions (and custodians who implement them), no one is responsible for protecting or classifying sensitive data. |
| Inconsistent regional security policies | Security Governance | Governance ensures policies are defined, enforced, and aligned globally. |
| Expansion without risk analysis | Risk Assessment / Risk Management | New markets introduce threats that must be evaluated before launch. |
| Local operators, guides, and regional payment providers | Third-Party Risk Management | External partners handle customer data and payments, so they extend the organization's risk exposure and must be assessed, contracted, and monitored. |
| Health and location data collection | Privacy / Data Protection | Health data is a GDPR special category and geolocation reveals where customers are in real time; both require strict legal and ethical controls over collection, use, sharing, and retention. |
| Rapid growth pressure | Risk Appetite / Risk Tolerance | The organization must define how much risk it is willing to accept in exchange for growth, so that launch decisions are made against an agreed threshold rather than case by case. |
| No unified risk tracking | Risk Register | Risks must be documented, tracked, and prioritized. |
| Weak employee awareness | Security Awareness & Training | Human factors are a major risk vector. |
| Regulatory uncertainty | Compliance / Due Diligence / Due Care | The organization must actively identify which laws apply in each market (due diligence) and then implement and maintain the controls they require (due care). |
| Lack of structured policies | Policy / Standards / Procedures | Formal structure is needed to guide consistent behavior. |
Learning outcomes
Identify risks
Identify organizational security risks in a complex global environment.
Apply frameworks
Apply risk management frameworks to real-world situations.
Understand governance
Understand the role of governance and policy in cybersecurity.
Analyze strategy
Analyze the relationship between business strategy, compliance, and security decisions.
Instructor tip
Use this case in three phases:
Exploration
Students brainstorm risks freely.
Structuring
Introduce Domain 1 concepts.
Mapping
Students connect theory to practice.