Chief Information Security Officer (CISO) Certificate

Although I entered the CISO Certificate Program at Carnegie Mellon with over five years of experience as a Chief Information Security Officer, I found many rich learning opportunities through the program. The lectures were delivered by industry experts who brought valuable perspectives, and the format of the program encouraged dialogue that provided me with new ideas that I could immediately apply in my role at Duke Health. I would strongly recommend the program for existing CISOs, as well as experienced IT and information security professionals who aspire to move into a CISO role in the future. Chuck Kesler | Chief Information Security Officer | Duke Health

• Fall 2018 Class Dates & Schedule

  Orientation: Pittsburgh, PA
  September 11-13, 2018

  Virtual Classes: 4:00 - 9:00pm EST
  (Note: all virtual class dates are Thursdays)
  October 4, 11, 18
  November 1, 8
  December 6, 13, 20
  January 3, 10, 17 (2019)

  Optional Group Project Work Session: Pittsburgh, PA
  November 15-16, 2018

  Practicum: Pittsburgh, PA
  February 5-7, 2019 (Cohort A)
  February 11-13, 2019 (Cohort B)

• Spring 2019 Class Dates & Schedule

  Orientation: Pittsburgh, PA
  January 15-17, 2019

  Virtual Classes: 4:00 - 9:00pm EST
  (Note: all virtual class dates are Thursdays)
  February 7, 21, 28
  March 14, 28
  April 4, 11, 18
  May 2, 9, 16

  Optional Group Project Work Session: Pittsburgh, PA
  March 19-20, 2019

  Practicum: Pittsburgh, PA
  June 11-13, 2019

• Class Location

  Orientation and practicum sessions are held at our main campus in Pittsburgh:

  Heinz College of Information Systems and Public Policy
  Carnegie Mellon University
  4800 Forbes Avenue
  Pittsburgh, PA 15213

  Optional group project work sessions are held either at our Pittsburgh campus, or our SEI site in Arlington, VA: 

  Software Engineering Institute
  4301 Wilson Boulevard, 2nd Floor
  Arlington, VA 22203

  Please note: The CISO Certificate Program involves two mandatory on-campus sessions in Pittsburgh.

• Program Costs
  • $18,750 for the entire program
  • $15,000 discounted rate for Carnegie Mellon alumni—including CIO and CRO programs—U.S. government employees, veterans, and employees of non-profit organizations
  • Fee includes all program materials and daily continental breakfast, lunch, and refreshments during on-campus sessions.
  • Optional credit card installment payment plan is available

  Please note: Due to the non-credit bearing nature of the CISO Certificate Program, students are unable to apply for tuition assistance, scholarship, or VA benefits.

  Cancellation/Refund Policy

  A non-refundable, non-transferable deposit of 1/6 of the total program cost is required to reserve a seat in the program.

  Should a student withdraw from the program after the deposit has been paid but prior to the program start date, students may have 5/6 of the program costs either refunded to them or transferred to the following cohort of the program.

  After the program start date, no refunds will be issued. However, under extenuating circumstances and with program director approval, students may petition to postpone their attendance to a future cohort and have 5/6 of the program costs applied accordingly.

• Deadlines

  Applications are currently being accepting for the Spring 2019 cohort with responses to be issued by September 2018. If you are interested in participating in the Fall 2018 cohort, we encourage you to apply now to be considered for the Fall waitlist.

  Apply Now

• Enterprise Security Governance

  Instructor: Dr. Earl Crane

  This class will discuss the current state of cybersecurity enterprise governance & strategic planning. This will include a discussion of the impact of cybersecurity risk management on critical infrastructure sectors and other critical sectors, including an overview of risk management frameworks, regulations, and the use of security metrics. This class will also discuss current models to build an organization’s cyber-risk management strategy, including maturity models, resiliency, and data privacy.

• Security Structure & Operations

  Instructor: Omar Khawaja

  This module is an overview of practical “day-to-day” CISO operations. The module will cover how to properly plan, budget, structure, obtain organizational “buy-in”, and report on your security team. This clear outline of the security structure will better enable CISOs to demonstrate the charter and effectiveness of the security team to their organizations.

  Through a combination of lecture material, exercises, and discussion, module participants are exposed to core security investment and measurement concepts and practices, the application of these practices to making decisions about investments in security practices, controls, and operations, and the development of sound business cases for security that align with the organization’s mission, goals, and objectives.

• Effective Crisis Communication Strategies

  Instructor: Larry Kamer

  When a crisis hits, there’s a big difference between managing effectively and leading successfully. Through case studies and in-session discussions, attendees will get practical advice and gain a personal action plan for managing well in crisis and becoming a stronger, successful leader.

  This module explores the CISO’s role in developing and executing an effective internal and external communications strategy when faced with a large scale breach that has impacted the operations of the organization. The module will reference various relevant case studies to help students develop a comprehensive approach.

• Operational Resilience and External Dependency Management

  Instructor: Matt Butkovic

  This module is intended to provide an overview of the concept of resilience, operational resilience, resilience management, and related subjects and challenges. Through a combination of lecture material, exercises, and discussion, participants are exposed to core operational resilience management concepts, the implementation and institutionalization of these concepts, and the ways in which organizations can use the concept of resilience to unify and align core risk management activities toward common goals. The module is also focused on an increasingly common challenge; how to ensure the security and resilience of your organization’s critical services when many of the assets—technology, people, facilities, and information—required to deliver the service are provided by outside entities.

• Managing Operational Threat

  Instructor: Josh Corman

  Operational threats have changed dramatically in recent years; yet our programs have changed very little. With more than a breach a week from state sponsored adversaries and ideologically fueled chaotic actors, once “best practices” aren’t anymore. In a constantly shifting landscape, the odds favor the adaptive. We will enumerate the five major sources of change impacting our operational threat management. Within this framework we will outline our current array of adversary classes, IT evolutions, and developing methods for adapting to these challenges. Since modern programs necessitate working smarter, we will look at specific, asymmetric gains to be had by teaming outside of OpSec to invest in defensible infrastructure, IT operational excellence, and situational awareness required having a fighting chance.

  Through a combination of lecture material, exercises, and discussion, module participants are exposed to modern and emerging operational threat management concepts, the implementation and institutionalization of these concepts, and the ways in which organizations can use them to positively affect risk management activities toward common goals.

• Building an Insider Threat Program

  Instructor: Randy Trzeciak

  The CERT Program at Carnegie Mellon University's Software Engineering Institute has been researching insider threats since 2002. This module provides a thorough understanding of the organizational models for an insider threat program, the necessary components to have an effective program, the key stakeholders who need to be involved in the process, and basic education on the implementation and guidance of the program.

• Cyber Risk Management

  Instructor: Gen. Gregory Touhill

  Operational risk management broadly defines the process used by organizations to identify, analyze, and address risks that can interrupt or disrupt the organization’s ability to carry out its core functions and meet its mission. Unlike other types of enterprise risks, operational risks emanate from the day-to-day activities and business processes used to meet the strategic objectives of the organization. A continuous risk management process ensures that organizations are integrating risk management into daily management activities and regular business rhythms.

  Managing operational risk and information security risk both rely upon activities that are not performed in an organizational or operational unit vacuum. Information security, systems development, business continuity, and IT operations all contribute to meeting operational objectives and therefore are sources of operational risk. Ensuring that all functional areas of the organization are operating from the same set of risk drivers is one of the fundamental principles of risk management.

  This module will explore the connection between risks, issues, controls, and information security through lecture, discussions, and case studies.

• Threat and Incident Response

  Instructor: Greg Porter

  This module provides CISO’s with a pragmatic overview of common issues and challenges in developing, maintaining, and operating an effective Computer Security Incident Response Team (CSIRT). The module begins by discussing the current state of incident response and provides insight into the work that CSIRT staff may be expected to handle. The module also provides prospective or current managers with an overview of the incident handling process, supporting IR frameworks, and the types of tools and infrastructure needed to be effective.

• Information Security

  Instructor: Matthew Meade

  It seems that almost every day we hear reports of another data breach impacting another business, hospital, government agency or educational institution. Data breaches can be the result of an escalating series of non-technical failures which include lack of preparation, lack of adequate employee training designed to increase awareness of risky behavior and incomplete or non-existent evaluations and protections involving vendors and other third parties who receive valuable data from the organization. While CISO’s are well-prepared to handle IT and forensic issues, guidance on the legal consequences and legal obligations is often siloed to in-house counsel and not part of a collaborative effort. Through this practical and interactive session participants will learn about the following: (1) the legal aspects of a proactive approach to cyber security; (2) state and federal law issues associated with responding and reacting to a security incident; and (3) litigation and regulatory investigations arising from data breaches. We will conclude with hypothetical incidents where the participants will be able to apply what they learn.

• A Realistic View of Security Technology

  Instructor: Chris Valasek

  Understanding the limitations of protection technologies and strategies in addition to the focus of attackers can permit executives to focus attention on highly targeted entry points, instead of spreading resources thin by focusing on all possible attack surfaces. This module will familiarize participants with current security protection technologies to understand their abilities and deficiencies, along with analyzing attacker motives and patterns when targeting an organization. Attack examples, real and theoretical, will be provided followed by discussions on how to best protect against certain intrusion attempts. Through a combination of security knowledge and attacker analysis module participants will be better able to focus security attention on highly targeted assets.

• Digital Transformation (DT): Security Implications

  Instructor: Ari Lightman

  DT deals with the increasing levels of digital interactions, on-line processes, platforms and applications as well as the inundation of data in both our consumer and professional lives. Successful efforts at digitalization in the work environment have to keep both technical and managerial aspects in mind. This brings new and often unanticipated challenges for security. Behavior patterns, signal detection, enforcement and a slew of other task needs to be re-examined to ensure business continuity as the organization adapts to changes from increasingly digital employees, partners and customers. This module is designed to examine four areas that are rapidly changing due to DT. The class is designed to assess security implications for each area, present case studies on companies dealing with these issues, and build a framework interactively with the class.

  Key topics:

  Digital Identity and Privacy – As we explore and interact online, we leave digital breadcrumbs across the open web. Malicious actors can re-create our identity using these little bits of code. From cookie profiling to canvas fingerprinting, we will examine what privacy means in our increasingly digital lives. How can security professionals educate their organizations, lower the risk of exposure while allowing employees to take advantage of these new digital platforms.

  Pervasive Computing and Sensing Technologies – The Internet of Things is coming and will quickly swamp the amount of unstructured data we currently generate. As we race to get equipment, products, and devices online, how can security keep up with a new set of systemic and persistent threats across the organization.

  Social and Collaborative Computing – Social networks, mobile apps and cloud technologies are invading the workforce. Facebook, the largest personal social network, is now making a move into the enterprise. As social technologies and an increasingly mobile workforce become a part of work, how can organization develop a culture around security?

  Next Generation of Digital Worker – Generation Z (folks born 1994 and later) will soon be entering the workforce. This generation works much differently than previous generations. In addition, they are entering the workplace when engagement at work is at an all-time low. With different attitudes and even skills than we have seen before, how will this new set of workers impact security and should processes adapt to their needs?

• Security Metrics and CISO/BoD Communications

  Instructor: Summer Fowler

  It is critical to measure the right things in order to make informed management decisions, take the appropriate actions, and change behaviors. But how do managers figure out what those right things are? Public and private organizations today often base cyber risk management decisions on fear, uncertainty, and doubt and the latest attack; compliance mandates such as HIPAA, FISMA, SOX, and PCI; and security risk frameworks that typically have little to do with the way the rest of the organization measures risk and prioritizes operational risk management activities. CISOs need information risk management approaches that align with business objectives. A measurement approach tied to strategic business objectives will ensure that planning, budgeting, and the allocation of operational resources are focused on what matters most to the organization. In addition, a shift to such an approach will help identify metrics that are expensive to collect and may not be worth the investment.

  Students in this module will use real-world strategic objectives to develop specific business goals and the applicable questions, indicators, and actionable metrics that they can implement at their own organizations to improve their ability to manage operational risks, particularly cybersecurity risks.

• Security Financial Management and Acquisition Planning for Operations

  Instructor: Davor Brkovich

  Not only is the threat and technology landscape continuously evolving, CISO’s are challenged to operate a security and compliance function that is financially aligned with the strategic planning process and seamlessly integrates acquisitions. This module is focused on the requirement for today’s CISO to develop a budget that aligns with the annual strategic planning process and is supported by key organizational stakeholders. This often needs to be developed in environments with significant third party managed services and where growth strategies include regular business acquisitions and divestitures.

• Security Strategy and Innovation

  Instructor: Tim Zak

  This module is directed at current and future senior executives who will lead organizations and therefore help to establish its strategy to “win”. It will provide a foundational perspective of strategy development throughout history to highlight timeless frameworks, approaches, and methodologies. The discussion will include a discussion of “power shifts” that are simultaneously complicating the formulation and effective execution of corporate strategy, creating seemingly limitless opportunities to thrive, and threatening the very survival of established firms. Finally, insights into the future of strategy development will be introduced with an emphasis on building organizations that can thrive in a world of digitization, volatility, randomness, disorder, and shocks.