CISO: Heinz College Trains Guardians Of The Security Galaxy
By Scottie Barsotti
These days, the question is not if your company’s information will be threatened, or even when. The reality facing firms now is: You’ve been hacked, you just don’t know it yet. Every organization, no matter its size, needs a Chief Information Security Officer (CISO) to ensure and maintain cyber and information security.
Imagine a room full of cybersecurity officers from retail giants, manufacturers, universities, energy companies, health care systems, and all levels of government (including the FBI)—a place where these leaders come together to collaborate, talk about risks, share ideas, and solve complex problems in information security. It’s not a fantasy, these collectives form throughout the year thanks to Heinz College’s executive education programs.
One such offering is the CISO Certificate Program, where top security professionals from all sectors come to Carnegie Mellon University to learn from the best.
Massive data breaches are in the news every week—the attack on Sony Pictures was estimated to cost the production house at least $35 million, the Target breach cost the retailer $162 million, and the hacks of the Democratic National Committee are seen as attempts to undermine American democracy—but there are thousands upon thousands of cyber incidents every year that don’t make headlines.
The cost of cyber crime is projected to reach upwards of $2 trillion by 2019, and IBM CEO Ginni Rometty has called cyber crime the greatest threat to every industry and company in the world. Whether your organization is a Fortune 500 company, a government agency, or a non-profit, the CISO (or equivalent) role is more important now than ever before, and will continue to grow in relevance and influence as the opportunities and challenges in cyber evolve.
Heinz College has designed a cybersecurity leadership program for the future...a future that will increasingly rely on superb minds to tackle cyber risk.Alan Levine | CISO | Arconic, Inc.
Risk and security with a practical approach
The CISO Certificate Program is designed for current and future leaders with professional experience—past participants include the CISOs from Discover, Coca-Cola, and the FBI, as well as top Information Security and Risk Management officials from Microsoft, Lowes, and Blue Cross Blue Shield.
The six-month program consists of 13 modules on topics such as Security Investment and Measurement, Effective Incident Response, and Insider Threats. Most of the CISO Program is completed online through a virtual learning platform, but the cohort comes together on campus several times throughout the process—for orientation, for a mid-program meeting, and then once more for the Practicum, a three-day event on CMU’s main campus in Pittsburgh that serves as the culmination of the program.
Practical application is at the core of Heinz College’s philosophy; for the Practicum, the participants are assigned a real-world cyber incident to analyze—major, high-profile incidents like the recent hacks of Home Depot, Yahoo, or the aforementioned breaches at Sony or Target. The teams are asked: How would you assess the threat? How would you identify it? How would you move forward? If you were in this situation, what would you have done?
The participants work together to determine solutions using a combination of the knowledge gained through the program as well as their own distinct professional experiences. During the Practicum, each team presents their work and recommendations to the CISO Practicum Committee, a mock board of directors composed of experts from Heinz College and various industries.
Ari Lightman, Heinz College Professor and Co-Director of the CISO Program, says the Practicum is a key experience.
“If you’re an information security executive, or even involved with an information security program, you’re going to have to develop something that you could present to a slew of different stakeholders, specifically your C-suite and a board of directors,” he said.
Previous Practicum Committee members include Greg Shannon, Chief Scientist at CERT; Alan Levine, CISO at Arconic; and Randy Miskanic, Executive Director of the Group Information Security Office at UBS and former CISO at USPS.
Heinz College and SEI: a security supergroup
The CISO Program is administered in partnership with the CERT Division of the Software Engineering Institute (SEI), a federally-funded crucible of research and development in security technologies and advancement, whose frequent collaborators include the U.S. Department of Defense, the U.S. Department of Homeland Security, the FBI, and the American intelligence community.
“We [at Heinz College] bring our expertise in policy and data analytics,” said Lightman, “Combining that together with the folks at SEI, with their understanding of the security vein from a practical perspective and their connections to agencies around the world, creates a powerful program.”
This proximity to SEI and CERT provides a value to participants that truly cannot be replicated elsewhere.
As a student, I received the necessary education and tools to ensure my success as a CISO. As a coach and instructor, my network continues to expand as I have been involved in every cohort.Tom Pageler | CRO/CSO | Neustar, Inc.
A new, growing collective of experts
Participants in each cohort come not only from varied sectors, but from varied backgrounds—many come directly from the security domain, while many others come from areas such as administration, law, privacy, and operations. Lightman says the “right student” for the CISO Program is someone who, regardless of their specific role, wants to understand how to develop a security culture across their organization.
Even though the CISO Program participants are working professionals with demanding schedules, they tend to be eager to come to campus as often as possible. The opportunity to forge meaningful and lasting connections with other top influencers in the field is a hallmark of the CISO experience.
In addition, many CISO Program alumni have voluntarily entered into a social network of sorts, a connected group of professionals with the egalitarian view that information security is more than a business or civic goal—it’s a moral struggle, one that cannot be fought in isolation.
“Across [sectors], they’re dealing with threat attempts on a continuous basis. By sharing intel, they become better aware of state-of-the-art techniques and current risks,” said Lightman. “They might compete to some extent, but security’s impacting everybody.”
