Security Education for Senior Execs
CMU's New Masters in IA Targets the C-Suite

IT security executives face knowledge gaps, but they also struggle with the time they can commit to continuing education. So, Carnegie Mellon University came up with a new program to meet their needs.

CMU's new Executive Master of Science in Information Assurance program was developed to allow full-time working professionals the opportunity to attend a graduate program for current and aspiring C-level IT security executives.

The program, which begins in fall 2012, integrates time on campus, face-to-face time with faculty and other students, and collaborative work online, says Dena Haritos Tsamitis, director of education, training and outreach for CMU's CyLab.

According to Tsamitis, the ExecMSIA fills several gaps in the market. "Currently, education programs are very narrowly focused," she says in an interview with Information Security Media Group's Tom Field [transcript below]. "What this program aims to do is lay a broad technical and management foundation for information assurance professionals."

Training, Tsamitis says, tends to focus on a particular problem or tool. Yet over time, those problems and tools change. "We're really preparing leaders to reason about problems that they'll face repeatedly at the strategic level and it allows them to adapt to changing technologies and changing environments," she says.

In an exclusive interview about CMU's ExecMSIA, Tsamitis discusses:

  • Gaps in current executive education efforts;
  • How this new program will fill those gaps;
  • The ExecMSIA's unique delivery model.

Tsamitis heads the Information Networking Institute, a global, interdisciplinary department within the College of Engineering at Carnegie Mellon University. She oversees the INI graduate programs in information networking, information security technology and management, information technology and information technology strategy, as well as a new executive program in information assurance. Under her leadership, the INI has offered its programs in global locations, including Athens, Greece; Kobe, Japan; and Lisbon and Aveiro, Portugal. More recently, she led the innovative design of bicoastal programs in collaboration with Carnegie Mellon Silicon Valley that positioned the INI to offer three new master's degrees in information technology in the areas of mobility, information security and software management.

Tsamitis also directs education, training and outreach for CyLab. She leads the MySecureCyberspace initiative to raise "cyberawareness" in Internet users of all ages through a portal, game and curriculum. She serves as the principal investigator on three federally funded grants for educational programs that support full-tuition scholarships for students and workforce development initiatives in information assurance.

Information Networking Institute

TOM FIELD: Give our audience a sense of what your department is about and some of the new programs you're offering now?

DENA TSAMITIS: The Information Networking Institute is the department of the College of Engineering at Carnegie Mellon, but although it just resides in one college it offers inter-disciplinary programs in information networking, information security, software management and mobility. It has core courses in computer science and engineering, but it also integrates the business and policy courses into the mix. Our students come out being strong technologists and strong engineers, but they also have the business acumen and the policy insights necessary to be leaders in the field.

ExecMSIA Program

FIELD: You've got a new master's program for senior leaders I'm really fascinated by. Can you tell us a little bit about that?

TSAMITIS: This fall we're launching the ExecMSIA, Executive Master of Science in Information Assurance program. I'm really excited about this program because we have been working on it for several years now, and the reason for the program is in the last decade, since offering our graduate program in information security, we've had a lot of interest from companies wanting to send their employees to get a graduate degree from Carnegie Mellon University in the field, but they can't release their employees for two years. There's a myriad of online programs out there but we didn't want to offer an online program. Instead, we decided to come up with a program that integrates time on campus, face-to-face time with our faculty where students interact with a peer group and continue their course work of study through online collaborative technologies, but the program is designed for full-time working professionals. You don't have to stop working to enroll in this program. Over the 20-month period of the degree program, there's only a requirement of 24 days on campus, and this is spread across eight visits. There are short immersion periods of about two days. The program starts with a four-day immersion period. Students have the opportunity to interact with each other, interact with the faculty and then continue their course of study remotely.

FIELD: Who would be your ideal candidate for this program?

TSAMITIS: An ideal candidate would be somebody who has at least ten years of experience in the field of information technology. They're practitioners and they're looking to excel their careers. We're really looking to enroll current and aspiring C-level executives, basically aspiring and current chief information officers or chief technology officers, chief risk officers, people on those career paths.

Current Issues with Training

FIELD: Let's take a step back and talk about training. What's wrong with how these senior leaders are getting their training now?

TSAMITIS: I think the operative word here is training. This master's degree is not a training program. It's an education program. We're preparing leaders to address these kinds of information assurance issues at the strategic level and at the enterprise level. Training generally focuses on a particular problem or a particular tool and over time tools change and technologies change, becoming obsolete. We're really preparing leaders to reason about problems that they'll face repeatedly at the strategic level and it allows them to adapt to changing technologies and changing environments.

FIELD: Where do you find they're receiving their education now in the absence of this program, and where do you see the gaps that you can fill?

TSAMITIS: Security professionals seek industry certifications and these are great. Industry recognizes these certifications. As I mentioned, I think these programs are good, but they're really not helping these professionals advance to those senior levels as effectively as I think a graduate program will. The ExecMSIA fills gaps in the market. I think currently education programs are very narrowly focused. What this program aims to do is lay a broad technical and management foundation for information assurance professionals. In the core courses, in the management core, you see courses such as business management, leadership theory to practice, telecommunications management and policy and introduction to risk management. It lays out these core areas very nicely so that all students have this as a starting point. The technical core consists of a telecommunications networks class, information assurance introduction class and then distributive systems in service security. There's a strong technical core embedded within this program.

Then there are two areas that we identified as being hot areas in the field through our market research with both companies and government agencies. The CFIR track - or the Cyber Forensics and Incident Response track - deals with the network intrusion, social engineering, insider threats, a variety of threats, and it actually has exercises that students engage with where they have hands-on experience and opportunities to deal with these kind of at that level, but it also puts these kinds of issues in the context of an organization, so the kinds of things that leaders in the field - the C-level executives - have to be concerned with in managing their organizations.

The second area of concentration that we've identified as key importance is resilience management. This brings together concepts of business continuity and information security risk management, and the types of courses that are covered there are enterprise security governance, risk ethics, information security risk management, and then there's a capstone course. Another area that will be emphasized in this concentration is the economic issues associated with risk management, really assessing the economic impact of not investing in this area to an organization.

ExecMSIA's Delivery Model

FIELD: I know there are a number of elements that are unique about this program, but one I would like to hear especially about is the delivery model. What can you tell us?

TSAMITIS: I think the best part of the delivery model is that it combines the short immersion periods with online sessions, so students again will be full-time working professionals. They don't have to stop working. They'll come to campus for two-day periods at the beginning of the semester, at the end of the semester for a total of 24 days across the 20 months, and then they'll have online recitations on a couple Saturdays each semester. The great thing is, they're going to be enrolled with a cohort of peers, and these peers will bring a lot of experience, a lot of knowledge to the environment. We will have aspiring CTOs, CIOs, risk officers, etc., in the classrooms, so they'll bring a variety of perspective. Students will start the program together, finish the program together and they will in some sense be in the trenches together because they're going to go through the entire program as a small group.

I believe this really allows the students to form a cohesive bond, but the greatest thing is the peer insights, the sharing of peer insights, learning from each other almost as much as they're learning from the faculty in the course of engaging in these learning activities. And the learning activities aren't going to be lecture-based as they are in traditional graduate programs, but rather they will be more interactive and project-based. There will be case study analysis and activities that really engage the learner in an active way, rather than students sitting passively in a lecture hall. This really requires them to invest themselves in the learning process.

FIELD: Who will be the faculty members that will be teaching these courses?

TSAMITIS: The faculty members are core faculty who teach in our traditional graduate programs. These are faculty drawn from the School of Computer Science, from the College of Engineering, the Tepper School of Business, the Heinz College of Public Policy and Management, and also leading the two areas of concentration will be senior technical staff from the CERT Program at the Software Engineering Institute of Carnegie Mellon. I already mentioned my colleague Rich Nolan. My colleague who heads the resilience management concentration is Rich Caralli, and he's the Technical Director of the CERT Cyber Enterprise and Workforce Management Directorate. We have a strong partnership with the CERT program here and we're engaging multiple academic units across the university to deliver this unique intra-disciplinary executive master's in information assurance program.

Measuring Program's Success

FIELD: It's unique and it's exciting. How do you expect that the success of the program ultimately is going to be measured?

TSAMITIS: It will be measured through the immediate and direct impact that these participants will have on their organizations. I believe that this will be seen and felt by these organizations while the participants are still students in the program, because of the nature of the course work that they'll be doing. They'll have the opportunity to immediately take what they're learning in a particular course, in a particular module, and apply it to a problem that they're addressing at work. But in the long term, I think for the individual, this will provide them with a very strong credential aside from the knowledge that they have attained, a very strong credential that will help propel them and advance their careers.

Evolution of Executive Education

FIELD: Beyond this program, at a time when education awareness is so emphasized across many industries, how do you see executive education evolving?

TSAMITIS: I believe that executive education will need to grow. I oversee the Scholarship for Service Program at Carnegie Mellon, which provides scholarship support for students aspiring to government service and information assurance, and what's notable about that program is that it does a great job of getting students placed at entry-level positions, getting them through the front door. And traditional graduate programs have a great track record of that as well, but what executive programs do is they're assuming that students already have a strong educational foundation and they have an abundance of experiences and a very strong knowledge base from their careers.

But what they really need is to take that learning that they already have and build upon it. Using a constructivist approach as this program does, it allows students to bring in that knowledge base and take in these new concepts. It really advances a student's, a participant's, knowledge to the next level, and this is going to be required in today's workforce and it's required just by the nature of information assurance itself, how new technologies come up and new threats come up. But in order to keep up with all of this, we need these executive education training programs and Carnegie Mellon is uniquely positioned to offer such a program in this area.

FIELD: Two quick final questions. When does the program start, and where can individuals get more information about it?

TSAMITIS: The ExecMSIA starts August 2012. We have two application deadlines. One is April 30 and the second is June 30. You could learn more about it at our website,
