Chief Information Security Officer (CISO) Certificate

The CISO program helped me to step into my role as a Chief Information Security Officer. The program prepared me to address the many challenges facing a CISO—operational resilience, threat management, cyber risk management, insider threat. The practicum allowed me to work with cyber experts from great organizations and guided us in framing the communications necessary to lead an organization through cybersecurity problems, and communicate with our Boards. Greg Crabb | Chief Information Security Officer, Vice President | United States Postal Service

• Cohort 27 (Fall 2026) Program Dates & Schedule

  Virtual Orientation: 12:00 - 5:00 p.m. EDT
  September 8-10, 2026

  Virtual Modules: 4:00 - 9:00 p.m. EDT
  (Note: all virtual class dates are Thursdays)
  September 24 (2026)
  October 8, 15, 22, 29 (2026)

  Program Mid-Session: 9:00 a.m. - 5:00 p.m. EDT (Pittsburgh, PA; virtual option available)
  November 3-5, 2026

  Virtual Modules: 4:00 - 9:00 p.m. EST
  (Note: all virtual class dates are Thursdays)
  November 12, 19 (2026)
  December 3, 10, 17 (2026)
  January 7, 14, 21, 28 (2027)

  Practicum: 9:00 a.m.- 5:00 p.m. EST (Pittsburgh, PA; virtual option available)
  February 24-25, 2027

• Cohort 26 (Spring 2026) Program Dates & Schedule

  Virtual Orientation: 12:00 - 5:00 p.m. EST
  January 14-16, 2026

  Virtual Modules: 4:00 - 9:00 p.m. EST
  (Note: all virtual class dates are Thursdays)
  January 22, 29 (2026)
  February 5, 12, 19 (2026)

  Program Mid-Session: 9:00 a.m. - 5:00 p.m. EDT (Pittsburgh, PA; virtual option available)
  March 9-11, 2026

  Virtual Modules: 4:00 - 9:00 p.m. EDT
  (Note: all virtual class dates are Thursdays)
  March 26 (2026)
  April 2, 9, 23 (2026)
  May 7, 14, 21 (2026)
  June 4, 11 (2026)

  Practicum: 9:00 a.m.- 5:00 p.m. EDT (Pittsburgh, PA; virtual option available)
  June 17-18, 2026

• Class Location
  The program mid-session and practicum will be held in person at our main campus in Pittsburgh:
  
  Heinz College of Information Systems and Public Policy
  Carnegie Mellon University
  4800 Forbes Avenue
  Pittsburgh, PA 15213
  
  A virtual option will be offered for the program mid-session and practicum; students will not be required to travel to complete the program.
• The Executive Advantage Program

  Earning your executive education certificate is just the beginning of a lifelong relationship with CMU; we're here to help you advance your career throughout your professional life. The Heinz College Executive Advantage program is meant for people who always want to be ahead of the curve—those who want to lead the conversation, not just be a part of it. 

  Executive Advantage was designed with you—C-suite executives and lifelong learners—in mind. In addition to the valuable skills you gain through our executive certificate programs, you now have access to workshops, leadership summits, and conferences. 

• Role of the CISO

  Instructor: 
  Alan Levine | Board Chair, Carnegie Mellon University CISO Executive Program

  This module is focused on discussing the CISO roles and responsibilities; how the CISO integrates effectively in organizational governance and operations; and leadership and management practices that enhance the ability of today’s CISO to succeed in any organization. This module will help to set the stage for the overall CISO certificate program and the modules that follow.

• Advanced Cyber Risk Management

  Instructor: 
  Dr. Earl Crane | Owner, Risk Executive/Strategic Advisor, Earl Crane LLC

  This module will provide an overview of cyber risk management concepts and techniques, and then provide a tangible deep-dive into real-world examples and scenarios. Students will be asked to bring their real-world expertise and risk management challenges to share with their colleagues. Discussions will include an overview of cyber risk management frameworks, relevant regulations, and available tools. We will cover the three lines of defense, the latest thinking in risk-based assessments, and how to represent cyber risk as a decision-making framework for business unit leaders, executives, and your board.

• Cyber Risk Quantification with the FAIR Method

  Instructor:
  Jack Jones | Executive Advisor, Risk Management Insight

  This module will assist students, via the FAIR methodology, to accurately assess IT and cybersecurity loss exposure, to learn how to identify the significance of control weaknesses, determine how to optimize security budgets and priorities, and understand how to support governance and compliance requirements.

• SCRM and Operational Resilience

  Instructor: 
  Matt Butkovic | Technical Director of Cybersecurity Risk and Resilience, CERT Division of SEI

  This module is focused on an increasingly common challenge; how to ensure the security and resilience of your organization’s critical services when many of the assets – technology, people, facilities, and information – required to deliver the service are provided by outside entities. This module is also intended to provide an overview of the concept of resilience, operational resilience, resilience management, and related subjects and challenges.

• Insider Threat

  Instructor:
  Randy Trzeciak | Director, CERT Insider Threat Center at SEI

  Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Decision makers across the enterprise should understand the overall scope of the insider threat problem and communicate it to all the organization’s employees.

  This module discusses how organizations can effectively mitigate the potential of insider threats and build an effective program.

• Cybersecurity First Principles: A Reboot of Strategy and Tactics

  Instructor: 
  Rick Howard | Chief Security Officer, N2K

  In today’s rapidly evolving threat landscape, CISOs must move beyond reactive defense and incremental controls. This module provides a strategic reset by returning to core cybersecurity "first principles"—foundational truths that endure regardless of new technologies or attack vectors. Participants will explore how to apply these principles to reframe both strategy and day-to-day tactics in a way that aligns with business objectives, reduces complexity, and increases resilience. By stripping security down to its essence—understanding what truly must be protected, why, and how—CISOs can better drive clarity, influence leadership, and architect scalable, adaptive security programs.

• CISO Org Structure and Operations

  Instructor:
  Omar Khawaja | CISO, Databricks

  This module is an overview of practical “day-to-day" operations. The module will cover how to properly plan, structure, and report on your security team, as well as obtain “buy-in” from your organization. This clear outline of the security structure will better enable CISOs to demonstrate the charter and effectiveness of the security team to their organizations.

• Security Metrics and Reporting

  Instructor: 
  Summer Fowler | CISO, Torc Robotics

  In this module, students will use real-world strategic objectives to develop specific business goals and the applicable questions, indicators, and actionable metrics that they can implement at their own organizations to improve their ability to manage operational risks, particularly cybersecurity risks.

• Executive Communications

  Instructor:
  Chris Labash | Associate Teaching Professor, Carnegie Mellon University's Heinz College

  This module will discuss effective ways to communicate security related organizational goals to the board. Incident summary board presentations will also occur during this module delivery, with the instructors and invited guests providing constructive feedback to the teams as they are delivered.

• Business of Cyber

  Instructor:
  Brigadier General (ret.) Gregory J. Touhill | Director, CERT Division at the Software Engineering Institute

  This module is focused on the requirement for today’s CISOs to develop a budget that aligns with the annual strategic planning process and is supported by key organizational stakeholders. This often needs to be developed in environments with significant third-party managed services and where growth strategies include regular business acquisitions and divestitures.

• Cybersecurity Architecture and Tooling
  Instructor: 
  Dennis Allen | Director – Security Programs, Strategy & Risk, Stratascale
  
  This module is designed to equip students with the knowledge and skills necessary to understand, design, and implement robust cybersecurity architectures and leverage essential cybersecurity tools effectively. The module will guide you through the tooling selection process and discuss configuration and implementation best practices of the right technologies based on your needs.
• Cloud Security Strategy

  Instructor:
  Rich Friedberg | CISO, Live Oak Bank

  As more organizations embrace the benefits of cloud-based infrastructures and services, they face significant challenges in how to secure their information and applications. In addition, new pressures are placed on security teams to automate and deliver at speed, while key security roles and responsibilities move into development teams.

  This module will examine the changes to risks, threats, and vulnerabilities when companies move from on-prem to cloud services. The module will also discuss how to develop a business-focused security strategy to balance enabling transformation with protecting the organization through their cloud journey.

• CISO's Guide to Software and Product Security

  Instructor:
  Josh Corman | Adjunct Instructor, Carnegie Mellon University's Heinz College

  This module teaches students to recognize the knowledge area critical to software security and product assurance to secure the organization and to support its strategic mission.

• Securing Cyber-Physical Systems

  Instructor: 
  Mark Fabro | President and Chief Security Strategist, Lofty Perch, Inc.

  This module will address specific OT and IIOT concerns faced by organizations and their supply-chain partners. It is designed to explore best practices used by industry to ensure that OT and IIOT achieves functional goals and meets security requirements.

• Data-Driven Threat Intelligence

  Instructor: 
  Bob Rudis | V.P. Data Science, Security Research, & Detection Engineering, GreyNoise Intelligence

  In an era of rapidly evolving threats, data-driven threat intelligence is essential for proactive and informed cybersecurity leadership. This module equips CISOs with the frameworks and tools to harness internal and external data sources—such as telemetry, behavioral analytics, open-source intelligence (OSINT), and threat feeds—to generate actionable insights. Participants will explore methods for operationalizing threat intelligence, integrating it into risk management strategies, and aligning intelligence programs with business objectives. Through case studies and practical exercises, the module emphasizes the strategic value of intelligence-led decision-making in anticipating threats, reducing risk, and enhancing organizational resilience.

• Securing AI and AI for Cyber

  Instructor: 
  Omar Khawaja | Field CISO, Databricks

  As artificial intelligence becomes deeply integrated into enterprise systems and critical infrastructure, securing AI and leveraging AI for cybersecurity have emerged as dual imperatives for today’s CISOs. This module explores the unique risks posed by AI systems—such as data poisoning, model inversion, and adversarial attacks—while also examining how AI can be a powerful tool for enhancing cyber defense capabilities. Participants will gain practical insights into threat modeling for AI systems, governance frameworks, and the ethical considerations of AI deployment. Real-world case studies and hands-on exercises will prepare CISOs to lead secure AI adoption while strengthening overall cyber resilience.

• Effective Incident Management

  Instructor:
  Greg Porter | Adjunct Professor, Carnegie Mellon University's Heinz College; Founder, Allegheny Digital

  This module will begin with an overview of the current threat landscape and examine the array of adversary classes facing organizations. The session will then provide CISO students with a pragmatic overview of common issues and challenges in developing, maintaining, and operating an effective incident management and forensics capability. The module will also cover the current state of security operations center best practices, and will conclude with an overview of supporting frameworks, and the types of tools and infrastructure needed to be effective to respond to cyber incidents and increase end-users' resilience.

• Cyber Law

  Instructor:
  Matthew Meade | Chair, Cybersecurity, Data Protection & Privacy Group, Eckert Seamans

  While CISOs are well-prepared to handle IT and forensic issues, guidance on the legal consequences and legal obligations is often siloed to in-house counsel and not part of a collaborative effort. Through this practical and interactive session, students will learn about the following:

  (1) the legal aspects of a proactive approach to cybersecurity;

  (2) state and federal law issues associated with responding and reacting to a security incident; and

  (3) litigation and regulatory investigations arising from data breaches.

• Crisis Communications

  Instructor:
  Larry Kamer | CEO, Kamer Consulting Group

  This module explores the CISO’s role in developing and executing an effective internal and external communications strategy when faced with a large scale breach that impacts the operations of the organization. This module will reference various relevant case studies to help students develop a comprehensive approach.