(Volume 6, Number 2)
written by Dr. Mary Culnan edited by Dr. Gwanhoo Lee and Ms. Marianne Du
1.
Presentations
 Dr. Mary Culnan, Senior Research Fellow, CITGE & Professor Emeritus,
Bentley University
 Jules Polonetsky, Co-Chair and Director, Future of Privacy Forum
2.
Panel Discussion
 Allen Brandt, Corporate Counsel & Chief Privacy Officer, Graduate
Management Admissions Council
 John Kropf, Deputy Counsel for Privacy & Information Governance, Reed
Elsevier
 Harriet Pearson, Partner, Hogan Lovells
 Dr. Ken Clark, Director, Information Sharing & Intelligence Enterprise
Management, U.S. Department of Homeland Security
 Dr. Mary Culnan, Moderator
3.
Group Discussion
Facilitated by Dr. Richard J. Schroth, Executive-in-Residence, CITGE

CITGE Executive Workshop April 1, 2013
By Dr. Mary Culnan, Senior Research Fellow, CITGE
Culnan provided an overview of privacy which has emerged as an important information risk management issue for all organizations. Within the past year, both the White House and the
Federal Trade Commission issued major reports laying out their policy agendas related to privacy. Mobile and social applications, smart devices and big data all pose new business opportunities and new privacy challenges. The Huffington Post declared 2012 as “The Year of
Privacy,” and speculates that 2013 may be “The Year of Privacy on Steroids.” Increasingly, regulators and the public expect organizations to have governance programs to assure that they handle personal information responsibly. As the headlines illustrate, failure to do so can result in
“privacy by disaster” in the form of lawsuits, fines, reputational damage and/or other organizational nightmares.
Information technology has always been a big driver of privacy issues because of the data IT applications generate. Privacy issues often arise when people are surprised or harmed by the use of their information. Originally, privacy concerns resulted by transactions originated by individuals when people explicitly “raised their hands” by making a purchase, using a loyalty card, requesting information or being the subject of a public record. The Internet made it possible to track people when they were browsing, and to create profiles from their web surfing and use the profiles to serve them targeted ads. Today, social media, mobile and smart devices present a new set of challenges (and business opportunities) for organizations. IT is at the heart of this because of their role in creating the applications.
There is no consensus definition of information privacy. The AICPA defines privacy as encompassing the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personally identifiable information.
- 1 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013
The focus of this workshop is the organizational perspective, and the processes organizations implement to insure personal information is used responsibly. At the center of governance is the
US version of fair information principles:

Notice: people should know what personal information is being collected and how it is used

Choice: people should be able to object when their personal information is used ways that are unrelated to the original purpose for collecting the information

Access: people should be able to see their personal information and correct errors

Security: Organizations need to protect personal information from unauthorized access during transmission and when it is store

Accountability: Organizations are responsible for being good stewards of the personal information they collect.
For a longer version of fair information practices principles developed by the OECD in 1980, see: http://www.oecd.org/sti/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonald atabackground.htm
Privacy is often incorrectly equated with security. Privacy is about use and permission and includes security but is broader. You can protect personal information and still make bad decisions about how it is used that result in a privacy issue.
A robust data governance program helps avoid self-inflicted privacy disasters. At a minimum, every organization should have a privacy policy and ensure that its practices match the policy.
You should conduct reviews before adopting new technologies and new uses for existing information to avoid surprising people. Privacy needs to be built into applications development from the beginning. You should ensure that your business partners play by your rules with your information. Essentially, you should treat personal information like the valuable asset it is.
- 2 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013
By Jules Polonetsky. Co-Chair and Director, Future of Privacy Forum
Polonetsky began by describing how privacy issues remind him of his experience enforcing consumer protection laws in New York City. From the consumer’s perspective, he characterized many of the business practices as “chuptzpah” or unmitigated gall. Similarly with privacy, companies can fully comply with the letter of the law, while still outraging consumers and attracting negative media attention. Many consumers do not understand new technologies, especially those on the cutting edge. It can also be very difficult for technologists and lawyers to understand how systems may be misused.
Consider the example of Path Inc., a new social media platform which in February 2013 settled charges with the Federal Trade Commission that it deceived consumers and improperly collected personal information from the users’ mobile address books. Path was designed to be a mobilefriendly platform limited to 50 friends with a simple interface. On an Android phone, people clicked through permissions that Path would access their contacts. However, the IOS interface required the consumer to learn that their friends were preloaded into the app by reading the privacy policy. Users would have freely provided the information if asked, but were furious it was done without their knowledge. The designers thought they were being helpful by providing a seamless user experience, but they failed to recognize that people see their mobile devices as intimate and personal, and are very sensitive to what they perceive as improper access and data sharing. See: http://www.ftc.gov/opa/2013/02/path.shtm
.
Big Data also highlights some of the current privacy challenges where there is a giant and growing divide between technologists and privacy advocates. Regulators see the need for more enforcement, fearing massive corporate abuses. Tech companies believe open data sharing is necessary for technological and economic progress. For example, lots of data sharing is needed to target people efficiently and effectively. There are also differences between regulatory approaches to privacy in the US versus Europe where privacy is viewed as a fundamental human and there is a cultural aversion to profiling and targeting due to historical abuses of data during
WWII. As a result, the EU is heavy on privacy law and light on enforcement, while in the US it is the opposite with a greater reliance on self-regulation with government enforcement for the worst offenses. Big Data is exacerbating privacy concerns in Europe and as a result, Europe is moving toward even more restrictive privacy laws.
One approach to avoiding privacy problems is to ask for permission. However, many users are conditioned to reject even reasonable requests to provide or use their personal information, particularly when the context is a new or uncertain platform. Consider the example of
Facebook’s Newsfeed which outraged users and privacy advocates when it was first introduced.
In Facebook’s view, nothing had changed since full access to the same information was a few clicks away. The initial negative reaction eventually became positive and is now a defining
- 3 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013 feature of Facebook. Newsfeed illustrated the challenge of getting it right and how to set the right balance. Facebook’s other innovation, Beacon, failed on privacy grounds and never recovered.
Companies need to decide what proper behavior is, and when data is being used for good purposes. For example, there is a company that uses a simple device to externally scan homes and create heat maps. They charge a small fee to subscribers and have strong privacy controls related to who can access the information, such as prospective buyers of a home. However, utility companies offered to purchase the data to identify when meter hacking was occurring in foreclosed homes, often in low-income neighborhoods. Would this be using data for good? It is hard to come up with a code of conduct, and data processing algorithms are not (yet) smart enough to figure out what’s o.k. But do we want algorithms with a “conscience”? Can data use be turned into a feature where people have access to their data, are educated and have full understanding of how their data is used? Algorithms should be exposed for public debate.
Decisions about use should not be secret.
A major challenge to avoiding the privacy concerns raised by new technologies is that norms lag innovation. One of the earliest privacy issues was raised by the advent of personal cameras and the paranoia of being photographed. Over time, norms develop as people adjust to new technology. As a result, firms are playing catch-up as we confront new, powerful tools. Today,
Google Glasses represents the latest innovation lacking social norms for appropriate use.
Regulators are trying to solve problems now, but do not always fully understand the situation and its nuances, or legitimate exceptions. Privacy involves confidentiality, respect for rules, and not making private information public, but it is just as much about social norms, psychology, understanding brand communication and bringing users along with you, and managing innovation expectations. And it is a very exciting place to be right now.
- 4 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013
Allen Brandt, Graduate Management Admissions Council
John Kropf, Reed Elsevier (formerly Department of Homeland Security)
Harriet Pearson, Hogan Lovells (formerly IBM)
Dr. Ken Clark, Department of Homeland Security
Dr. Mary Culnan, CITGE, Moderator
The panel discussion focused on three topics: 1) what does privacy governance look like, 2) what are the challenges to implementing privacy governance programs in complex organizations, and 3) what can organizations do to help avoid privacy “disasters”?
What does privacy governance look like?
Pearson described the elements of a privacy governance program based on her experience in creating the program at IBM:

Support from the top is essential to win acceptance across the organization. Her appointment was announced by Lou Gerstner, IBM’s Chairman and CEO. This helped get all divisions on board. Pearson was the first CPO at a Fortune 1000 company

Three pillars: technology, policy and procedures/practices. Many companies overlook technology

Need a cross functional team in order to give IBM a balanced approach (legal vs. ethical issues). This team was the capstone of the governance program

Technology and business change quickly, so it was always a race to ensure correct policies were in place, and the strategy was forward-looking. Policy setting is the leading edge of privacy governance.

Vendors need to be on board. You need to ensure their practices comply with your policies

Procedures/practices is the most active pillar and involves non-automated decision making.

Modern privacy programs have a strong incident response component. All organizations will have an incident at some point.

Still no market pull for thinking strategically about privacy. This can make it a hard sell to upper management. Sometimes privacy only gets management attention after an incident.
How is the privacy function organized in different organizations and what challenges do complex organizations face in implementing privacy governance?
At DHS, the CPO is a White House appointment not requiring congressional approval who reports directly to the Secretary. The CPO is seen as a prominent policy advisor with a direct line to senior leadership.
- 5 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013

Has Office of Inspector General power with quasi-independent status, but prefers to be seen as a value adding advisory body.

Integrates compliance, oversight, investigations and data sharing specialists.

Prepares an annual report to congress that cannot be edited by others in DHS
 Proactive approach, emphasizes “privacy by design” where privacy protection is built in early before problems emerge. Privacy impact assessments (PIA’s) are required for starting or modifying DHS programs. (Privacy by design and PIA’s will be discussed below.)

Incorporated fair information practice principles into the privacy policy including a data minimization requirement to only collect the bare minimum of information needed for a particular application

Major partner with IT, sits on same committees as CIO. Very close relationship between
IT security and privacy office. Privacy and ITSEC collaborate on development, testing and budgeting.

See: http://www.dhs.gov/topic/privacy
At the Graduate Management Admissions Council (GMAC), the CPO is an attorney because of the heavy focus on policy and government/regulator relations.

CPO position includes security duties, a hybrid position between legal and IT

GMAC CPO also needs to address regulatory issues in all countries where they offer testing.

The privacy and security group is chaired by the CPO and includes legal, HR, physical security and IT. Physical security issues arise from “unpopular” GMAT results.

See: http://www.gmac.com/about-us/privacy-center.aspx
Reed Elsevier is a global information company comprised of two parent companies based in the
UK and the Netherlands. At Reed Elsevier, you are likely to find a different approach to privacy in each of its companies. Typically, privacy duties most often fall within legal, followed by IT.
No CPO, privacy duties are distributed across different business units

Complex relationship between privacy and IT security

Cannot issue edicts; seek privacy team approach to create enterprise-wide privacy policy.
When team was first formed, goal was to develop a unified privacy policy. This required a large-scale inventory of company, as well as building trust and overcoming skepticism within the organization. Main challenge for privacy team was overcoming perceptions as a cost center, and convincing company it could deliver efficiency and risk reduction benefits.

See: http://www.reedelsevier.com/Pages/PrivacyPolicy.aspx
At IBM, size posed particular challenges to the CPO.
- 6 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013

Challenge to CPO was identifying which processes involved personal information and coordinating with process owner and IT. Size made it impossible to manually look at all processes and ensure compliance with global IBM privacy policy and privacy laws.

Needed to automate compliance. Created conditional logic based on the location where data was collected to comply with local data protection laws. This was built into an interactive process. Process creators would then fill out a checklist and the privacy application would return a privacy “cookbook” with a privacy plan for managing risk.

See: http://ibmprivacy.com/
What can organizations do to help avoid privacy “disasters”?
There are two tools: privacy impact assessments (PIA) and privacy by design (PBD).
PIA’s are a decision making tool used to assess the privacy risks of a particular use of personal information. It should be used before system start-up or major modifications. DHS makes its assessment templates and the results of its PIAs available to the public on its website. See: http://www.dhs.gov/privacy-compliance .
PBD is an approach to ensuring privacy is baked in across the lifecycle of IT systems, accountable business practices and physical design and networked infrastructure. PBD is based on seven principles (See: http://www.privacybydesign.ca/ )
1.
Proactive not reactive, preventative not remedial
2.
Privacy as the default setting
3.
Privacy embedded into design
4.
Full functionality – Positive sum, not zero-sum. Think win-win
5.
End-to-end security, full lifecycle protection
6.
Visibility and transparency – keep it open
7.
Respect for user privacy – keep it user-centric.
- 7 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013
Schroth began the discussion by posing the following question to the audience: “What are the most egregious privacy violations you have experienced?” Responses included: o Republicans sending unsolicited texts o JHU not sharing data with study participants o TSA body scanners o Lawn companies using Google Maps to find sales leads o 14 year old daughter getting credit card solicitations
 Why can’t analytics be used to gauge privacy risks? Where does it become profiling?

Conversation focused on optimizing consumer protection, but also need to focus on ways to maximize data usage

CPO can add value to the organization by developing responsible ways to use personal data without exposing the company to liability

Big Data collection and tools for analysis are improving. This effectively creates new data through hybridization, which may not be traceable. As legislative requirements become stricter, does this become an unacceptable risk?

Department of Education is now publishing rules for anonymized data in research, as educational data is opened to outside researchers
 “Data in the wild” (e.g. data that has leaked outside the company) is a major challenge o Rise of social media and mobile devices makes it very hard to track breaches o Training is one of the most important tools to prevent data leaks. Making sure employees are well-trained (and retrained) can reduce liabilities and damages o Mitigation must be included as well, as breaches cannot be avoided entirely o Spoofing and impersonation is a huge threat as you never know who you’re dealing with online
- 8 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop
Presenter Bios
Jules Polonetsky
Co-Chair and Director,
Future of Privacy Forum
April 1, 2013
Jules Polonetsky has served since November 2008 as Co-chair and Director of the Future of Privacy
Forum, a think tank seeking to improve the state of online privacy by advancing responsible data practices. FPF’s current projects to advance transparency and control in a business-practical manner focus on online data use, smart grid, mobile data, apps and social media. His previous roles have included serving as Chief Privacy Officer at AOL and before that at DoubleClick. He also served as
Consumer Affairs Commissioner for New York City, as an elected New York State Legislator and as a congressional staffer, and as an attorney.. He has served on the boards of groups such as TRUSTe, the
IAPP, the Network Advertising Initiative, the Privacy Projects, and the Better Business Bureau (NY
Region). Jules is a regular speaker at privacy and marketing industry events and has testified or presented as an industry expert before Congressional committees and the Federal Trade Commission. In 2011,
Jules was appointed to the Department of Homeland Security Data Privacy and Integrity Advisory
Committee
Allen Brandt
Corporate Counsel, Data Privacy & Security
Chief Privacy Officer.
Graduate Management Admissions Council
Allen Brandt is Corporate Counsel, Data Privacy & Security, and the Chief Privacy Official for the
Graduate Management Admission Council® (GMAC®), which owns the Graduate Management
Admission Test® (GMAT®), an exam delivered to prospective graduate business students in more than
110 countries worldwide. He provides legal guidance and counsel on US and domestic consumer privacy issues, creates data protection policies and procedures, and leads the Council’s privacy training program.
Allen is a Board Member for the International Association of Privacy Professionals (IAPP), and has both
US and European certifications from the organization (CIPP/US, CIPP/E), an Advisory Board member of the Future of Privacy Forum, a Washington, DC privacy think tank, and a member of the Membership
Ethics Advisory Panel for WOMMA, the Word of Mouth Marketing Association, an organization dedicated to advancing and advocating the discipline of credible word of mouth marketing, both offline and online.
- 9 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop
John Kropf
Deputy Counsel for Privacy & Information Governance
Reed Elsevier
April 1, 2013
John Kropf joined Reed Elsevier in 2012 as Deputy Counsel for Privacy and Information Governance.
He is responsible developing strategic level privacy frameworks for the company and its business units, monitoring global developments on data privacy and maintaining relationships with regulators. John previously was a career member of the United States Senior Executive Service, and served as the Deputy
Chief Privacy Officer for the Department of Homeland Security's Privacy Office and senior adviser on
International Privacy Policy. Before joining DHS, John worked for 10 years as an international lawyer with the U.S. Department of State in the Office of the Legal Adviser. He also served two years with the
American Embassy in Turkmenistan as country director for USAID. John began his federal career as an attorney with the U.S. Department of Justice Honors Program. He is the author of the Guide to U.S.
Government Practice on Global Sharing of Personal Information as well as numerous articles on global and strategic privacy issues.
Harriet Pearson
Partner,
Hogan Lovells
Harriet Pearson is a Partner in the Washington office of Hogan Lovells. Her practice focuses on counseling clients on privacy and information security policy and compliance matters such as crossborder data transfers; data security incident response and remediation; and information and cybersecurity risk management and governance. Prior to joining Hogan Lovells in 2012, she served as Vice President,
Security Counsel, and Chief Privacy Officer where she was responsible for information policy and practices affecting over 400,000 employees and thousands of clients. Harriet led global teams of legal, data protection, and technical professionals providing legal, policy, and compliance services to internal clients. She also led IBM’s global engagement in public policy and industry initiatives relative to cybersecurity and data privacy. In addition, she counseled extensively on the global legal and policy issues surrounding business engagement with social media and the Internet. Harriet also recently completed a four-year adjunct faculty appointment at Georgetown University, where she taught a graduate seminar on Security, Privacy and Trust.
- 10 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop April 1, 2013
Kenneth N. Clark
Director, Information Sharing and Intelligence Enterprise Management,
Department of Homeland Security
Dr. Kenneth (“Ken”) Clark was appointed to the position of Director, Information Sharing and
Intelligence Enterprise Management Division in the Office of Intelligence and Analysis (I&A), U.S.
Department of Homeland Security (DHS) on October 22, 2012. In this position, he leads the Division in providing expert policy, strategic planning, and program planning advice to I&A’s Under Secretary in the role as Chief Intelligence Officer for the Department’s Intelligence Enterprise and Lead for Information
Sharing and Safeguarding across DHS. Dr. Clark has over 30 years of professional experience in the
Federal Government and the private sector, working with organizations from the homeland security, defense, intelligence, law enforcement, and diplomatic communities.
Dr. Clark is a retired U.S. Air Force officer. During his military career, he served in positions that included Presidential Communications Officer and White House Military Office Director of Information
Technology Management under Presidents Clinton and Bush, and Commander of the National
Reconnaissance Office headquarters' telecommunications and information technology operations and maintenance organization. During the tragic events of September 11, 2001, he served as Communications
Response Officer to the Vice President. Dr. Clark holds a Ph.D. in public policy from The George
Washington University, a Master of Engineering degree in electronic engineering from the California
Polytechnic State University, a Bachelor of Science degree in electrical engineering from The University of New Mexico, and a Bachelor of Arts degree in physics from Whitman College.
Mary Culnan
Senior Research Fellow, CITGE, American University
Professor Emeritus, Bentley University
Mary Culnan is Professor Emeritus at Bentley University, a Senior Research Fellow at CITGE and a
Senior Fellow at the Future of Privacy Forum. She has more than 20 years experience in the privacy field. Mary has testified before Congress, the Massachusetts House and Senate, and various government agencies on a range of privacy issues, and is also the author of more than 90 articles. She currently serves as a member of the GAO’s Executive Committee on Management and Information Technology and as a member of FPF’s Advisory Board. Previously, Mary served as a commissioner on the President’s
Commission on Critical Infrastructure Protection. She is the author of the 1999 Georgetown Internet
Privacy Policy Survey, which the Federal Trade Commission used to make recommendations to
Congress, and she also served on the FTC’s Advisory Committee on Access and Security.
- 11 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop
Richard Schroth
Executive-in-Residence, American University
CEO, Executive Insights
April 1, 2013
Dr. Schroth is one of the world’s top executive consultants, professional speakers, and private advisors on technology and business for leading corporations around the globe. Especially known for his creative viewpoints, break-through thinking, strong professional networks, and straightforward approach, Richard works closely with executives to help them create new value from an increasingly complex landscape of technology and changing business processes. His past clients include Marriott, Computer Sciences
Corporation, Pfizer, AB Volvo, GE Capital, Monsanto, Royal Dutch Shell, KPMG, Perot Systems, Banc
One, Heidrick and Struggles, and many other prestigious organizations. Rich’s professional experience covers a wide range of executive positions including CEO, Partner, CTO, member of corporate boards, as well as scholarly and entrepreneurial endeavors. Richard is currently an officer and CTO in a Fortune 500 global outsourcing company. He is also a member of the Duke Corporate Education extended faculty, a former Wharton Senior Executive Fellow, a long-term AT&T executive faculty member and one of the early technology executives of CSC Index Consulting. Richard J. Schroth holds a Doctorate from Indiana
University, an MS from the University of Illinois and a BS from Western Illinois University.
- 12 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop
Program
Attendees (ordered by affiliation)
First name
Stacey
Mary
William
Andrew
Phaedra
Alberto
Itir
Gwanhoo
Shayna
Alexander
Kamalika
Richard
Melanie
Chika
Paritosh
Tim
Sung
Larry
Jean
Kenneth
Jules
Allen
Harriet
Joseph
Mohamoud Jibrell
Paul
Narayani
Tallon
Siva
Kathy Memenza
Leslie
Rick
Eric
Last name
Brandenburg
Culnan
DeLone
Eddington
Elliott
Espinosa
Karaesmen-
Aydin
Lee
Padovano
Ries
Sandell
Schroth
Teplinsky
Umeadi
Uttarwar
Walsh
Lee
Fitzpatrick
Yan
Clark
Polonetsky
Brandt
Pearson
Kraus
Scott
Gehringer
Wenger
Organization
American University
American University &
Bentley University
American University
American University
American Univeristy
American University
April 1, 2013
Title
Adjunct Professor of Law, Washington
College of Law
Senior Research Fellow and Professor
Emeritus
Professor
Student
Student
Professor
American University Professor
American Univeristy
American Univeristy
American Univeristy
Professor
Student
Student
American University
American University &
Executive Insights
Associate CIO
Executive-in-Residence & CEO
Adjunct Professor of Law, Washington
College of Law American University
American Univeristy
American University
American Univeristy
Carnegie Mellon University
Computech
Student
Student
Student
Researcher, Software Engineering
Institute
President
Department of Education Education Research Analyst
Dept. of Homeland
Security
Future of Privacy Forum
Graduate Management
Admissions Council
Director, Information Sharing and
Intelligence Enterprise Management
Co-Chair & Director
Corporate Counsel & Chief Privacy
Officer
Partner Hogan Lovells
Holocaust Memorial
Museum
Howard Hughes Medical
Institute
Loyola University
Lunarline, Inc
CIO
Vice President for Information
Technology
Professor
Associate Director, Privacy
Marriott
Marriott
Meridian Systems
Microsoft
Vice President, Enterprise Security
Vice President, Global Information
Resources
Strategic Program Executive
Policy Counsel
- 13 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Workshop
Curtis
Carol
Generous
Hayes
Oliver
John
Steve
Smith
Kropf
Cooper
April 1, 2013
Navy Federal Credit Union Chief Technology Officer
Navy Federal Credit Union Assistant Vice President, Enterprise Data
Navy Federal Credit Union
Strategy Services
Data Warehouse Architect, Enterprise
Data Strategy and Services
Reed Elsevier
The Strativest Group
Deputy Counsel for Privacy and
Information Governance
Partner
- 14 -
© 2013 Center for IT and the Global Economy, Kogod School of Business, American University

CITGE Executive Team
Dr. William H. DeLone
Executive Director, CITGE
Professor, Kogod School of
Business, American University
Dr. Gwanhoo Lee
Director, CITGE
Associate Professor, Kogod
School of Business, American
University
Dr. Richard J. Schroth
Executive-in-Residence, Kogod
School of Business, American
University
CEO, Executive Insights, Ltd.
Associated Faculty and Research Fellows
Dr. Erran Carmel
Professor, Kogod School of
Business, American University
Dr. J. Alberto Espinosa
Associate Professor, Kogod
School of Business, American
University
Dr. Peter Keen
Distinguished Research Fellow
Chairman, Keen Innovation
Dr. Mary Culnan
Senior Research Fellow
Slade Professor of Management and Information Technology,
Bentley College
Michael Carleton
Senior Research Fellow
Former CIO, U.S. Department of
Health and Human Services
Dr. Frank Armour
Research Fellow
CITGE Advisory Council
Steve Cooper
CIO, Air Traffic Organization,
Federal Aviation Administration
Bill DeLeo
Director of Release Engineering
Architecture, SAS
Mohamoud Jibrell
CIO, Howard Hughes Medical
Institute
Joe Kraus
CIO, U.S. Holocaust Memorial
Museum
Ed Trainor former CIO, AMTRAK
Susan Zankman
SVP of Information Resources
Finance and Management
Services, Marriott International