Chief Information Security Officer (CISO) Certificate

Although I entered the CISO Certificate Program at Carnegie Mellon with over five years of experience as a Chief Information Security Officer, I found many rich learning opportunities through the program. The lectures were delivered by industry experts who brought valuable perspectives, and the format of the program encouraged dialogue that provided me with new ideas that I could immediately apply in my role at Duke Health. I would strongly recommend the program for existing CISOs, as well as experienced IT and information security professionals who aspire to move into a CISO role in the future. Chuck Kesler | Chief Information Security Officer | Duke Health

• Fall 2018 Program Dates & Schedule

  Orientation: Pittsburgh, PA
  September 11-13, 2018

  Virtual Classes: 4:00 - 9:00pm EST
  (Note: all virtual class dates are Thursdays)
  October 4, 11, 18
  November 1, 8
  December 6, 13, 20
  January 3, 10, 17 (2019)

  Group Project Work Session: Pittsburgh, PA
  November 15-16, 2018

  Practicum: Pittsburgh, PA
  February 5-7, 2019 (Cohort A)
  February 11-13, 2019 (Cohort B)

• Spring 2019 Program Dates & Schedule

  Orientation: Pittsburgh, PA
  January 15-17, 2019

  Virtual Classes: 4:00 - 9:00pm EST
  (Note: all virtual class dates are Thursdays)
  February 7, 21, 28
  March 14, 28
  April 4, 11, 18
  May 2, 9, 16

  Group Project Work Session: Pittsburgh, PA
  March 19-20, 2019

  Practicum: Pittsburgh, PA
  Cohort A: June 11-13, 2019

  Cohort B: June 18-20, 2019

• Class Location

  Orientation, group project work sessions, and practicum sessions are held at our main campus in Pittsburgh:

  Heinz College of Information Systems and Public Policy
  Carnegie Mellon University
  4800 Forbes Avenue
  Pittsburgh, PA 15213

  Please note: The CISO Certificate Program involves three mandatory on-campus sessions in Pittsburgh.

• Program Costs
  • $18,750 for the entire program
  • $15,000 discounted rate for Carnegie Mellon alumni—including CIO and CRO programs—U.S. government employees, veterans, and employees of non-profit organizations
  • Fee includes all program materials and daily continental breakfast, lunch, and refreshments during on-campus sessions.
  • Optional credit card installment payment plan is available

  Please note: Due to the non-credit bearing nature of the CISO Certificate Program, students are unable to apply for tuition assistance, scholarship, or VA benefits.

  Cancellation/Refund Policy

  A non-refundable, non-transferable deposit of 1/6 of the total program cost is required to reserve a seat in the program.

  Should a student withdraw from the program after the deposit has been paid but prior to the program start date, students may have 5/6 of the program costs either refunded to them or transferred to the following cohort of the program.

  After the program start date, no refunds will be issued. However, under extenuating circumstances and with program director approval, students may petition to postpone their attendance to a future cohort and have 5/6 of the program costs applied accordingly.

• Deadlines

  Formal deadline* for the Spring 2019 Cohort has passed, however we are still considering applications on a first-come, first-served basis. Please submit your application as soon as possible for consideration.

  If space remains in the cohort after the deadline, we will continue to accept applications.

  Apply Now

• Role of the CISO

  Instructor: Gen. Gregory Touhill

  This module is focused on discussing the CISO roles and responsibilities; how the CISO integrates effectively in organizational governance and operations; and leadership and management practices that enhance the ability of today’s CISO to succeed in any organization. This module will help to set the stage for the overall CISO certificate program and the modules that follow.

• Cyber Policy and Security Metrics

  Instructor: Summer Fowler

  In this module students will use real-world strategic objectives to develop specific business goals as well as applicable questions, indicators, and actionable metrics that can be implemented at their own organizations to improve their ability to manage operational risks, particularly cybersecurity risks.

• Advanced Cyber Risk Management

  Instructor: Dr. Earl Crane

  This module will provide an overview of cyber risk management concepts and techniques, and then provide a tangible deep-dive into real-world examples and scenarios. Students will be asked to bring their real-world expertise and risk management challenges to share with their colleagues. Discussions will include an overview of cyber risk management frameworks, relevant regulations, and available tools. We will cover the three lines of defense, the latest thinking in risk-based assessments, and how to represent cyber risk as a decision-making framework for business unit leaders, executives, and your board.

• Operational Resilience and External Dependency Management

  Instructor: Matt Butkovic

  This module is intended to provide an overview of the concepts of resilience, operational resilience, resilience management, and related subjects and challenges. Through a combination of lecture material, exercises, and discussion, students are exposed to core operational resilience management concepts, the implementation and institutionalization of these concepts, and the ways in which organizations can use the concept of resilience to unify and align core risk management activities toward common goals.

  The module is also focused on an increasingly common challenge: how to ensure the security and resilience of your organization’s critical services when many of the assets required to deliver those services—technology, people, facilities, and information—are provided by outside entities.

• Security Structure and Operations

  Instructor: Omar Khawaja

  This module is an overview of practical “day-to-day" operations. The module will cover how to properly plan, structure, and report on your security team, as well as obtain “buy-in” from your organization. This clear outline of the security structure will better enable CISOs to demonstrate the charter and effectiveness of the security team to their organizations.

• Security Financial Management and Acquisition Planning for Operations

  Instructor: Davor Brkovich

  This module is focused on the requirement for today’s CISOs to develop a budget that aligns with the annual strategic planning process and is supported by key organizational stakeholders. This often needs to be developed in environments with significant third party managed services and where growth strategies include regular business acquisitions and divestitures.

• Effective Crisis Communication Strategies

  Instructor: Larry Kamer

  This module explores the CISO’s role in developing and executing an effective internal and external communications strategy when faced with a large scale breach that impacts the operations of the organization. This module will reference various relevant case studies to help students develop a comprehensive approach.

• Storytelling and CISO/Board Communications

  Instructor: Chris Labash & Summer Fowler

  This module will discuss effective ways to communicate security related organizational goals to the board. Incident summary board presentations will also occur during this module delivery, with the instructors and invited guests providing constructive feedback to the teams as they are delivered.

• Dealing With Change

  Instructor: Tom Pageler

  This module is designed to review the ongoing pressures that a CISO faces when dealing with constant change, such as: traditional change control, changes to company strategy, regulatory or industry changes, changes due to mergers and acquisitions, and organizational changes due to staff turnover.

• Effective Security Through Adversary Modeling

  Instructor: Josh Corman

  Since modern programs necessitate working smarter, we will look at specific asymmetric gains to be had by teaming outside of OpSec to invest in defensible infrastructure, IT operational excellence, and situational awareness required having a fighting chance. Through a combination of lecture material, exercises, and discussion, students are exposed to modern and emerging threat management concepts, the implementation and institutionalization of these concepts, and the ways in which organizations can use them to positively affect risk management activities toward common goals.

• A Realistic View of Security Technology

  Instructor: Chris Valasek

  This module will familiarize students with current security protection technologies in order to understand their abilities and deficiencies, along with analyzing attacker motives and patterns when targeting an organization. Through a combination of security knowledge and attacker analysis, students will be better able to focus security attention on highly targeted assets. The module will also discuss best practices for vendor relationship management.

• Building an Insider Threat Program

  Instructor: Randy Trzeciak

  Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Decision makers across the enterprise should understand the overall scope of the insider threat problem and communicate it to all the organization’s employees.

  This module discusses how organizations can effectively mitigate the potential of insider threats and build an effective program.

• Effective Incident Management

  Instructor: Greg Porter

  This module will begin with an overview of the current threat landscape and examine the array of adversary classes facing organizations. The session will then provide CISO students with a pragmatic overview of common issues and challenges in developing, maintaining, and operating an effective incident management and forensics capability. The module will also cover the current state of security operations center best practices, and will conclude with an overview of supporting frameworks, and the types of tools and infrastructure needed to be effective to respond to cyber incidents and increase end-users' resilience.

• Information Security

  Instructor: Matthew Meade

  An Analysis of Legal Obligations, Legal Consequences, and Best Practices

  While CISOs are well-prepared to handle IT and forensic issues, guidance on the legal consequences and legal obligations is often siloed to in-house counsel and not part of a collaborative effort. Through this practical and interactive session, students will learn about the following:

  (1) the legal aspects of a proactive approach to cybersecurity;

  (2) state and federal law issues associated with responding and reacting to a security incident; and

  (3) litigation and regulatory investigations arising from data breaches.

  We will conclude with hypothetical incidents where the students will apply what they've learned.

• Digital Transformation: Security Implications

  Instructor: Ari Lightman

  DT deals with the increasing levels of digital interactions, online processes, platforms and applications as well as the inundation of data in both our consumer and professional lives. This module is designed to examine four areas that are rapidly changing due to DT. The session is designed to assess security implications for each area, present case studies on companies dealing with these issues, and build a framework interactively with the class.