Chief Information Security Officer (CISO) Certificate

Virtual Orientation: 12:00 - 5:00pm EST
January 10-12, 2023

Virtual Modules: 4:00 - 9:00pm EST
(Note: all virtual class dates are Thursdays)
January 26
February 9, 16, 23
March 2

Program Mid-Session: 9:00am - 5:00pm EST (Pittsburgh, PA)
March 14-16, 2023

Virtual Modules: 4:00 - 9:00pm EST
(Note: all virtual class dates are Thursdays)
March 30
April 13, 20, 27
May 11, 18, 25

Virtual Practicum: 
Cohort A: June 7-8, 2023

Cohort B: June 14-15, 2023

Please note: Students will be notified which practicum cohort they are assigned to during program orientation.

Please note: Students must complete all modules in sequence.

On-campus sessions are held at our main campus in Pittsburgh:

Heinz College of Information Systems and Public Policy
Carnegie Mellon University
4800 Forbes Avenue
Pittsburgh, PA 15213

Please note: CISO Certificate Program deliveries will be virtual for Cohorts 18 and 19; the program mid-session will be offered virtually with an optional in-person delivery, if possible, in accordance with public health guidance. Students will not be required to travel to complete the program.

• $18,750 for the entire program
• $15,000 discounted rate for Carnegie Mellon alumni—including CIO, CRO, CDataO, and CDigitalO programs—U.S. government employees, veterans, and employees of non-profit organizations
• Fee includes all program materials and daily continental breakfast, lunch, and refreshments during on-campus sessions.
• Optional credit card installment payment plan is available

Please note: Due to the non-credit bearing nature of the CISO Certificate Program, students are unable to apply for tuition assistance, scholarship, or VA benefits.

Cancellation/Refund Policy

A non-refundable, non-transferable deposit of 1/6 of the total program cost is required to reserve a seat in the program.

Should a student withdraw from the program after the deposit has been paid but prior to the program start date, students may have 5/6 of the program costs either refunded to them or transferred to the following cohort of the program.

After the program start date, no refunds will be issued. However, under extenuating circumstances and with program director approval, students may petition to postpone their attendance to a future cohort and have 5/6 of the program costs applied accordingly.

Formal deadline for Cohort 20 is January 3, 2023. Please submit your application as soon as possible for consideration.

If space remains in the cohort after the deadline, we will continue to accept applications on a first-come, first-served basis.

Apply Now

Instructor: 
Alan Levine | Board Chair, Carnegie Mellon University CISO Executive Program

This module is focused on discussing the CISO roles and responsibilities; how the CISO integrates effectively in organizational governance and operations; and leadership and management practices that enhance the ability of today’s CISO to succeed in any organization. This module will help to set the stage for the overall CISO certificate program and the modules that follow.

Instructor: 
Dr. Earl Crane | Cybersecurity Executive/Risk Advisor, Co-Founder, Emergynt

This module will provide an overview of cyber risk management concepts and techniques, and then provide a tangible deep-dive into real-world examples and scenarios. Students will be asked to bring their real-world expertise and risk management challenges to share with their colleagues. Discussions will include an overview of cyber risk management frameworks, relevant regulations, and available tools. We will cover the three lines of defense, the latest thinking in risk-based assessments, and how to represent cyber risk as a decision-making framework for business unit leaders, executives, and your board.

Instructor:
Jack Jones | Chairman, FAIR Institute

This module will assist students, via the FAIR methodology, to accurately assess IT and cybersecurity loss exposure, to learn how to identify the significance of control weaknesses, determine how to optimize security budgets and priorities, and understand how to support governance and compliance requirements.

Instructor: 
Matt Butkovic | Technical Director of Cybersecurity Risk and Resilience, CERT Division of SEI

This module is focused on an increasingly common challenge; how to ensure the security and resilience of your organization’s critical services when many of the assets – technology, people, facilities, and information – required to deliver the service are provided by outside entities. This module is also intended to provide an overview of the concept of resilience, operational resilience, resilience management, and related subjects and challenges.

Instructor:
Randy Trzeciak | Director, CERT Insider Threat Center at SEI

Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Decision makers across the enterprise should understand the overall scope of the insider threat problem and communicate it to all the organization’s employees.

This module discusses how organizations can effectively mitigate the potential of insider threats and build an effective program.

Instructor:
Omar Khawaja | VP and CISO, Highmark Health

This module is an overview of practical “day-to-day" operations. The module will cover how to properly plan, structure, and report on your security team, as well as obtain “buy-in” from your organization. This clear outline of the security structure will better enable CISOs to demonstrate the charter and effectiveness of the security team to their organizations.

Instructor:
Brigadier General (ret.) Gregory J. Touhill | Director, CERT Division at the Software Engineering Institute

This module is focused on the requirement for today’s CISOs to develop a budget that aligns with the annual strategic planning process and is supported by key organizational stakeholders. This often needs to be developed in environments with significant third-party managed services and where growth strategies include regular business acquisitions and divestitures.

Instructor:
Chris Labash | Associate Teaching Professor, Carnegie Mellon University's Heinz College

This module will discuss effective ways to communicate security related organizational goals to the board. Incident summary board presentations will also occur during this module delivery, with the instructors and invited guests providing constructive feedback to the teams as they are delivered.

Instructor: 
Summer Fowler | CIO, Argo AI

In this module, students will use real-world strategic objectives to develop specific business goals and the applicable questions, indicators, and actionable metrics that they can implement at their own organizations to improve their ability to manage operational risks, particularly cybersecurity risks.

Instructors:
Ari Lightman | Distinguished Service Professor, Digital Media and Marketing, Carnegie Mellon University's Heinz College
Bob Rudis | V.P. Data Science, GreyNoise Intelligence

Data-driven security enables organizations to protect revenue, facilitate digital transforma­tion, comply with regulatory mandates and generate customer loyalty. Effective data-driv­en security can be a critical differentiator for today’s digital businesses. Data is at the heart of almost every organization, and keeping it protected while also facilitating effective us­age to drive business value is a key success factor. Security organizations are starting to understand the benefits of what data science techniques can provide as part of the overall security strategy. This module will discuss the latest data-driven security best practices that all CISOs need to be aware of to protect the business to achieve its objectives.

Instructor: 
Rick Howard | CSO, Senior Fellow, Chief Analyst, The Cyberwire

To understand the network defender's current strategy and toolset, it is more than helpful to understand what came before and how we got here. In order for you to build your own strategies and choose your own toolsets, you must understand the decisions that were made by your predecessors to judge for yourselves if they are still key and essential to the purpose of your own programs. This module will cover the history of the network defender movement from the early 1990s up to 2020, and end with the current set of best practices, strategies, and current thinking of the network defender community.

Instructor:
Rich Friedberg | CISO, Live Oak Bank

As more organizations embrace the benefits of cloud-based infrastructures and services, they face significant challenges in how to secure their information and applications. In addition, new pressures are placed on security teams to automate and deliver at speed, while key security roles and responsibilities move into development teams.

This module will examine the changes to risks, threats, and vulnerabilities when companies move from on-prem to cloud services. The module will also discuss how to develop a business-focused security strategy to balance enabling transformation with protecting the organization through their cloud journey.

Instructor:
Josh Corman | Adjunct Instructor, Carnegie Mellon University's Heinz College

This module teaches students to recognize the knowledge area critical to software security and product assurance to secure the organization and to support its strategic mission.

Instructor: 
Mark Fabro | President and Chief Security Strategist, Lofty Perch, Inc.

This module will address specific OT and IIOT concerns faced by organizations and their supply-chain partners. It is designed to explore best practices used by industry to ensure that OT and IIOT achieves functional goals and meets security requirements.

Instructor:
Greg Porter | Adjunct Professor, Carnegie Mellon University's Heinz College; Founder, Allegheny Digital

This module will begin with an overview of the current threat landscape and examine the array of adversary classes facing organizations. The session will then provide CISO students with a pragmatic overview of common issues and challenges in developing, maintaining, and operating an effective incident management and forensics capability. The module will also cover the current state of security operations center best practices, and will conclude with an overview of supporting frameworks, and the types of tools and infrastructure needed to be effective to respond to cyber incidents and increase end-users' resilience.

Instructor:
Matthew Meade | Member, Data Security and Privacy Group, Eckert Seamans Cherin

While CISOs are well-prepared to handle IT and forensic issues, guidance on the legal consequences and legal obligations is often siloed to in-house counsel and not part of a collaborative effort. Through this practical and interactive session, students will learn about the following:

(1) the legal aspects of a proactive approach to cybersecurity;

(2) state and federal law issues associated with responding and reacting to a security incident; and

(3) litigation and regulatory investigations arising from data breaches.

Instructor:
Larry Kamer | CEO, Kamer Consulting Group

This module explores the CISO’s role in developing and executing an effective internal and external communications strategy when faced with a large scale breach that impacts the operations of the organization. This module will reference various relevant case studies to help students develop a comprehensive approach.