mit sdm thesis

Tuition and Fees

Due to the flexible nature of SDM’s programs, student costs for tuition and fees vary. 

Tuition for the forthcoming academic year is set each April in consultation with the MIT Corporation based on a recommendation from Academic Council.

Master’s Program 

2024-2025 rates.

MIT sets the rates for internship tuition and the student life fee. These rates are effective from 6/1/2024 to 5/31/2025.

Your total cost per year will vary depending on how many terms (semesters) you take to complete the degree and the number of units you take each semester. MIT charges based on actual units enrolled. SDM strives to keep the cost of tuition balanced for the complete degree for parity between full-time and part-time students. More information on the total units (credits) required for graduation can be found on our curriculum pages.

Example costs:

For general information on tuition and fees related to registration, please visit the MIT Registrar’s website .

Certificate Program

2023-2024 rates.

Certificate students may also make a single upfront payment of $28,800 for the entire program, including both fall and spring terms and the summer capstone term. These rates are effective from 9/1/2023 to 8/31/2024.

Certificate students may also make a single upfront payment of $29,700 for the entire program, including both fall and spring terms and the summer capstone term. These rates are effective from 9/1/2024 to 8/31/2025.

Health Insurance

The MIT Student Medical plan is included in the cost of tuition and covers most services at  MIT Health . All students are also automatically enrolled in the MIT Student Health Insurance Plan which meets state and federal health insurance requirements. If you have private insurance (for example, through your employer) which meets these same requirements, you may choose to waive the cost of the MIT Student Health Insurance Plan. Learn more about  MIT Student Health Insurance Plan rates and coverage.

Associated Costs

In addition to tuition, students will have costs associated with either on-campus or distance options. Program-related costs can be broken down into three categories:

• Costs associated with attending sessions on the MIT campus, including travel, lodging (for distance students) and meals
• General  housing costs  as needed 
• Connection costs related to distance learning

MIT has estimated the following costs for the 2024-2025 academic year for students taking the on-campus option. Please note that these are estimates and will vary depending on housing (on-campus or off-campus), courses taken, etc. SDM does not have a required summer term, but if you plan to stay in the Cambridge area over the summer the 12-month cost may apply.

For more detailed information regarding these categories, including the explanation of each category, please  visit the SFS website.

Financing Your Education

SDM does not have designated scholarships or fellowships for students in the master’s degree program or graduate certificate program. Students may explore the following options to assist in financing their education. These options are not overseen by SDM and may have further restrictions or qualifications not listed here.

Teaching or Research Assistantships

Many master’s degree students are able to secure funding through a teaching or research assistantship (TA/RA) during their time in the program. 

TA and RA opportunities vary widely and are dependent upon the funding from the sponsoring faculty; however, they typically cover a large portion of the tuition and include a living stipend. 

Assistantships are very difficult to secure for the first semester, but there are significant options once you are on campus. Many SDM students are able to secure TA or RA appointments beginning in their second semester, though this is not guaranteed. 

For more information on TA and RA appointments, please visit the Student Financial Services website and the Office of Graduate Education website .

Competitive Fellowships

There are fellowships at MIT funded by donors, corporations, and outside entities. These fellowships are open competitively to all graduate students at the Institute. SDM students may apply for these opportunities if they meet the criteria of the individual fellowships. For more information, please visit the SFS website and the OGE Fellowships website .

Some graduate students may need loans to finance part or all of the cost of their education at MIT. For information about loans and the application process, please visit the SFS website .

Additional Information 

Students may audit subjects as a listener for self-enrichment. These courses do not count toward degree requirements. SDM has set the following limits of units that may be taken as a listener:

High tuition: 36 units maximum Medium tuition: 24 units maximum Low tuition: 12 units maximum

For more information on listener status, please visit the MIT Registrar’s Office website .

SDM students who complete their thesis early or withdraw during the term may qualify for tuition proration .

For additional information or to inquire about specific tuition situations, please use our contact form .

Last updated August 30, 2024.

• Who’s Teaching What
• Subject Updates
• MEng program
• Opportunities
• Minor in Computer Science
• Resources for Current Students
• Program objectives and accreditation
• Graduate program requirements
• Admission process
• Degree programs
• Graduate research
• EECS Graduate Funding
• Resources for current students
• Student profiles
• Instructors
• DEI data and documents
• Recruitment and outreach
• Community and resources
• Get involved / self-education
• Rising Stars in EECS
• Graduate Application Assistance Program (GAAP)
• MIT Summer Research Program (MSRP)
• Sloan-MIT University Center for Exemplary Mentoring (UCEM)
• Electrical Engineering
• Computer Science
• Artificial Intelligence + Decision-making
• AI and Society
• AI for Healthcare and Life Sciences
• Artificial Intelligence and Machine Learning
• Biological and Medical Devices and Systems
• Communications Systems
• Computational Biology
• Computational Fabrication and Manufacturing
• Computer Architecture
• Educational Technology
• Electronic, Magnetic, Optical and Quantum Materials and Devices
• Graphics and Vision
• Human-Computer Interaction
• Information Science and Systems
• Integrated Circuits and Systems
• Nanoscale Materials, Devices, and Systems
• Natural Language and Speech Processing
• Optics + Photonics
• Optimization and Game Theory
• Programming Languages and Software Engineering
• Quantum Computing, Communication, and Sensing
• Security and Cryptography
• Signal Processing
• Systems and Networking
• Systems Theory, Control, and Autonomy
• Theory of Computation
• Departmental History
• Departmental Organization
• Visiting Committee
• Undergraduate programs
• Thesis Proposal
• Past Terms' Subject Updates and WTW
• Subject numbering
• FAQ about Fall 2024 Changes
• 2022 Curriculum Transition
• 6-1: Electrical Science and Engineering
• 6-2: Electrical Engineering and Computer Science
• 6-3: Computer Science and Engineering
• 6-4: Artificial Intelligence and Decision Making
• 6-5: Electrical Engineering with Computing
• 6-7: Computer Science and Molecular Biology
• 6-9: Computation and Cognition
• 11-6: Urban Science and Planning with Computer Science
• 6-14: Computer Science, Economics, and Data Science
• Requirements
• Application, Acceptance, and Deferral
• MEng Thesis
• UROP and SuperUROP
• Study Abroad
• USAGE Members, 2023-24
• 6-A Industrial Program
• Degree Audits and Departmental Petitions
• Space on Campus
• Resources for International Students
• Resources for Incoming Double Majors
• Resources for Advisors
• Graduate Admissions FAQs
• Graduate Admissions Information Letter
• What faculty members are looking for in a grad school statement of objectives.
• Conditions of Appointment as a Teaching Assistant or Fellow
• RA Appointments
• Fellowship Appointments
• Materials and Forms for Graduate Students
• Subject Updates Fall 2024
• Subject Updates Spring 2024
• Subject Updates Fall 2023
• Subject Updates Spring 2023
• Subject Updates Fall 2022
• Subject Updates Spring 2022
• Subject Updates Fall 2021

The EECS Department requires that students submit a thesis proposal during their first semester as MEng students, before they have begun substantial work on the thesis. Thesis proposals are brief documents (1500-2500 words) which focus on the ultimate, novel goals of your research project. While it is nearly impossible to extrapolate exactly what could (or will) happen during the course of your research, your proposal serves as a thoughtful approximation of the impact that your project could have as new work in the field, as well as an agreement between you and your thesis research advisor on the scope of your thesis.

Finding a Thesis Research Advisor

MEng thesis research advisors are not required to be EECS faculty members; however, research advisors from other departments, or non-faculty research advisors, must be approved by the EECS Undergraduate Office .

It is the sole responsibility of a student in the MEng program to find a thesis research advisor. There are many ways to go about this process:

• If you are still an undergraduate, look for UROP or SuperUROP opportunities . Many MEng projects stem from UROPs.
• Consider what areas you might be interested in working in, and search relevant lab webpages for people working in those areas. Many EECS MEng students work in RLE, CSAIL, MTL, LIDS, or the Media Lab, but you don’t need to limit your search to these labs. If you find a person whom you think might be a good match, reach out to them with a short email explaining why you’d be interested in MEng opportunities with their group.
• Attend seminars held by research labs that interest you.
• Reach out to instructors you know who teach in the area you’re interested in, as they may be able to point you in a useful direction. Instructors that you’ve gotten to know well (even if they don’t work in your area of interest) as well as your advisor are also useful resources, for the same reasons.
• Keep an open mind to opportunities that are outside of your area. Many students do very interesting MEng projects with faculty from other departments.
• Subscribe to the EECS Opportunities List , which often has advertisements for MEng projects.

Writing Your Proposal

Once you’ve found a thesis research advisor, you should get to work proposing a thesis. Your thesis proposal should be completed while you are in continual conversation with your research advisor. The proposal itself should be divided into five sections:

• The introduction, to introduce the reader to the topic of your thesis.
• Related work, which describes previously-published work that is relevant to your thesis.
• Proposed work, which describes the work you will be doing for your thesis.
• Timeline, which breaks down your proposed work into concrete steps, each with an approximate due date. At a minimum, you should describe what you plan to do each semester of your MEng, but many students give a timeline that is broken down by months, not semesters.
• A bibliography

The EECS Communication Lab provides additional support for thesis proposal writing. You can see more detailed guidelines, as well as examples of previous MEng thesis proposals, here .

Submitting Your Proposal

The thesis proposal, and research advisor approval of the proposal, are typically due on the last day of classes each semester (see here for official deadlines) and there are no formatting requirements for the thesis proposal. When you are ready to submit, you can do so here . If you change your topic or research advisor, you should submit a new proposal.

6-A students must also submit a thesis proposal release letter. These letters can be sent to [email protected] and should follow one of the two templates below.

• For 6-A companies
• For non-6-A companies

Hire MIT Sloan Talent.

Smart. Open. Grounded. Inventive. Read our Ideas Made to Matter.

Which program is right for you?

Through intellectual rigor and experiential learning, this full-time, two-year MBA program develops leaders who make a difference in the world.

Earn your MBA and SM in engineering with this transformative two-year program.

A rigorous, hands-on program that prepares adaptive problem solvers for premier finance careers.

A 12-month program focused on applying the tools of modern data science, optimization and machine learning to solve real-world business problems.

Combine an international MBA with a deep dive into management science. A special opportunity for partner and affiliate schools only.

A doctoral program that produces outstanding scholars who are leading in their fields of research.

Bring a business perspective to your technical and quantitative expertise with a bachelor’s degree in management, business analytics, or finance.

Apply now and work for two to five years. We'll save you a seat in our MBA class when you're ready to come back to campus for your degree.

Executive Programs

The 20-month program teaches the science of management to mid-career leaders who want to move from success to significance.

A full-time MBA program for mid-career leaders eager to dedicate one year of discovery for a lifetime of impact.

A joint program for mid-career professionals that integrates engineering and systems thinking. Earn your master’s degree in engineering and management.

Non-degree programs for senior executives and high-potential managers.

A non-degree, customizable program for mid-career professionals.

An Entrepreneurial Mindset for Literary Success

Sloanies Recognized With MIT Alumni Association Leadership Awards

Supporting Baby Feeding Through Partnership

Cybersecurity

Stephen Boyer, SDM ’08

Aug 30, 2024

In this episode of Sloanies Talking with Sloanies , host Christopher Reichert, MOT ’04, interviews Stephen Boyer , SDM ’08, co-founder and chief innovation officer at Bitsight . The conversation reflects on the evolution of cybersecurity, including the complexity of cyber threats and the challenges companies face in managing risks. Boyer shares insights from his career, discussing the importance of transparency in cybersecurity incidents and the role of AI in enhancing security practices. He also emphasizes the value of a mission-driven career and the need for continuous learning.

Boyer also discusses his experiences at MIT Sloan, highlighting the impact of the MIT 100K competition and the broader MIT ecosystem on his entrepreneurial journey. He offers advice to prospective Sloanies, encouraging them to immerse themselves fully in the MIT environment and to align their studies with their long-term career goals. The episode provides a blend of practical cybersecurity advice and reflections on the significance of strategic thinking and innovation in one's career.

Sloanies Talking with Sloanies is a conversational podcast with alumni and faculty about the MIT Sloan experience and how it influences what they’re doing today. Subscribe and listen on Apple Podcasts , Google , and Spotify .

Episode Transcript

Christopher Reichert: Hi, I'm your host, Christopher Reichert, and welcome to Sloanies talking with Sloanies. My guest today is Stephen Boyer, a 2008 MIT Sloan System Design and Management graduate. Welcome.

Stephen Boyer : Thank you.

Christopher Reichert: This is a special podcast episode because for a few reasons. First, Stephen and I are in person, which is, I think the first, uh, episode I've done in person in years. It feels like pre-COVID, actually.

Stephen Boyer: Throwback episode.

Christopher Reichert: And it's also our sixth year of doing this podcast, and we're in the same building where we started. So, we've come full circle. And I was thinking that, you know, I think Smoots. You know smoots?

Stephen Boyer : Sure.

Christopher Reichert: I think they measure distance, but I would think that I think we need a unit of Smoot that measures time. And so I was thinking, how would we possibly do that? And I was thinking, well, let's see, Oli Smoot was 18. I'm going to assume when he got measured as a smoot.

Stephen Boyer: Yeah, the first year.

Christopher Reichert: So we've been doing this now for six years. So I guess I would call this we're one third of a smoot old as a podcast. What do you think? Is that going to stick?

Christopher Reichert: Maybe it needs more work.

Stephen Boyer: Why not?

Christopher Reichert: Well. Welcome again. So I'm going to give some listeners some background about you. So in 2011 Stephen co-founded and as Chief Innovation Officer at Bitsight. And four out of five top investment firms use Bitsight and almost 40% of Fortune 500 companies do it. Unless it's changed and Bitsight is focused on identity exposure, prioritizing investment, communicating with stakeholders and mitigating risk in an expanding digital ecosystem. So more on that shortly.

So prior to Bitsight, Stephen was the president and co-founder of Saporix, a company spun out of MIT Lincoln Labs. So, good MIT connection. There he worked with the Cyber Systems and Technology Group, focused on vulnerability and network topology, risk analysis, and led R&D programs solving large scale national cybersecurity problems. I sense a theme here.

Stephen Boyer : Yes.

Christopher Reichert: Stephen is a member of the CNBC Technology Executive Council. And interesting. You've been chair or at least a part of the supervisory committee at MIT Federal Credit Union for over 20 years now. That's great. I have some money there. So since my days.

Stephen Boyer : We’re watching out for you.

Christopher Reichert: Great. You also held a Bachelor of Science in computer science from Brigham Young University. So did I miss anything?

Stephen Boyer : That's probably. That's pretty good, actually. I'm impressed.

Christopher Reichert: Excellent. So how do you how do you relax and unwind after all those stressful topics of cybersecurity and national security problems?

Stephen Boyer : Yeah. So I have really a passion for mountaineering. And I used to climb bigger mountains. Maybe that's a different podcast on some of those things. And then during the pandemic, I picked up piano again. And I had played growing up learning the Suzuki method. So maybe some of the listeners remember that it was very auditory, but I never learned to sight read. And so you can pick songs up by kind of plugging away from by sound.

But I just it's really hard to just sight read. So I taught myself how to sight read. And so I played the piano. I find it very cathartic. I'm not any good, so don't ask me to perform. But I just find it's a really great way to de-stress. And I've just developed a passion and love for the kind of the classics, which I hated growing up. I wanted to play like Axel F and journey on the piano, and I couldn't because I was playing, you know, the old song. And I just really appreciate kind of like just the brilliance and genius of some of the masters. So, hey, that's one of the ways I like to relax. And I'm living in Lisbon, Portugal, until we get to go see the sights to around and learn some of the history.

Christopher Reichert: So let's see, how about we start with some startling facts, just to get us all scared out of our wits. Every week, every day we hear about data hacks and leaks. It's almost the norm, not the exception. And I looked up the top ten and it made my hair stand on end.

So the number one was MGM Resort breach, where hackers claim to have exfiltrated data threatening to expose information unless a significant ransom was paid.

Christopher Reichert: Then there was First American Financial Corp. 900 more or less million files containing sensitive data from over a 16-year -period were exposed. UnitedHealth. Just recently…

Stephen Boyer : You got it…

Christopher Reichert: …paid a ransom in 2024, and the list goes on Twitter, Quora, Facebook, Cambridge Analytica. And it's all of what you say is that cybersecurity is a potentially existential risk to organizations both large and small, and governments. It's also hugely complex with ever changing threat landscape, but it's also potentially lucrative if ransoms are paid. So because it's so common, it doesn't seem like the shame, like in the early days when you had a breach it was this shameful event for an organization, but now it seems doesn't that doesn't seem to be much of a deterrent. Am I getting that wrong?

Stephen Boyer : So I'm not sure if the shame factor is completely gone, but there was historically a very much a mentality of blame the victim, and what I mean by that is, hey, it's your fault that somebody came in and took your stuff, right? Like you should have kept the door locked with three deadbolts instead of two, right? I think we've come a long way in recognizing that these gaps happen.

I think it's more the question will come, how do companies respond? What was their thinking? What was their risk management process? What was their controls culture? And I think where the market is much more accepting is when people say, hey, we did the best we could, and here's what we did and here's how we communicated and were transparent in that response. Where the market has punished a little bit more has been less transparency. Or in some cases, you know, there's a lawsuit right now against the CSO at SolarWinds, which was another major breach going after an individual. And so it's an interesting one. What the SEC is claiming is that they weren't transparent in their disclosures or didn't follow the proper disclosures. And so I think the trend it will be towards more transparency.

And I think the market will recognize that there is no perfect system. But the question will be, hey, did you have the right risk management process in place? Did you follow that? You know, did you have the right governance? Because I think we have car accidents. We have other sorts of, you know, other sorts of accidents. Over time, I think, you know, air accidents have gone way down. Right. And it's high, you know, high degrees of safety there. We still have them, but we kind of learned where we put the black box in. You had to report the National Transport Safety Board. So we got to learn like where the accidents were.

I think there's an opportunity for that in cybersecurity, which is as companies become more open about it and share best practices. Hey, here's what happened to us. Hopefully that doesn't happen to you. I think we can make a lot of progress. But yes, for a while there it was. Hey, it's your fault. It's embarrassing for you. Uh, where I think some of the stigma is down. However, like for UnitedHealthCare, they predict that's going to cost them $1.6 billion. Right?

Christopher Reichert: In market?

Stephen Boyer : Well, they just in cost, right? In cost to fix it. And then revenue loss etc. And so that may go down as of right now, the single largest, most expensive, MGM Grand was about 100 million. Um, and so it can be very costly. Right. So that could be, you know, some other things that, that hits for more than just kind of perception that may really impact the viability of the company.

Christopher Reichert: So this so they paid the ransom as far as.

Stephen Boyer : As far as I know they did. But it's still a disruption.

Christopher Reichert: Absolutely. Yeah. So it's the old it's not the crime. It's the cover up that punishes.

Stephen Boyer : It's a really interesting debate. And maybe that's another podcast around pain or not. But as you say, MGM decided not to pay and it cost them $100 million. And Caesars, which almost nobody knows about around the same time, did pay, and it was about a $30 million ransom. The disruption is oftentimes much more costly than paying the ransom. Now, you could argue, well, that just enables the criminals to do it again, right? But if you're a rational person, you may say, well, what's the trade off? Right.

So there was a case in Australia where attackers got a hold of medical information. A company called Medibank in Australia, and they said, hey, if you don't pay the ransom, we're going to release it. And that medical information had information about abortions, cancer, etc.. And they decided not to pay. In Australia, they reported 10,000 plus crimes that were directly linked to that information that was leaked. And so, you know, I sit in my seat and I think, hey, if I were in that, I'd probably want to go to each one of those people and say, hey, I did everything I could, including paying the ransom, right? But hey, but they also, you know, they had their own reasons for not doing it. So it's a really tough call. I think the FBI officially says don't pay, but I think each organization is going to have to decide, hey, what's the best for our particular situation?

Christopher Reichert: Right. I imagine it might be. Well, I had two thoughts on this. One was, you know, the with the profit imperative of organizations to quickly get to market or be the best in the market, or in Facebook's parlance, you know, break things, you know.

Stephen Boyer : Go fast...

Christopher Reichert: Go fast and break things. You know, whether it's domestic competition or international competition, you want to kind of like be dominant in in the digital market because it is international. And I wonder, you know, and there's a winner takes all component to that. Right. If you are you know, let's not say monopolistic but close to it. You know, you can really, you know, cream off a lot of the profits. I wonder if that's like a, a built in incentive to not be as rigorous as you could be.

Stephen Boyer : Well, so that that is a really interesting debate was are there market incentives that will incentivize the right behaviors? We certainly participate in that to some degree at Bitsight. We can talk about that a little bit more. But, I think the incentive to go fast, break things, but really grab market share is we're probably investing more in capability and digitizing.

There's huge amount of investment that's happened in digital transformation even in the last five years with the pandemic, but what there isn't, we get all the benefits of that. But if you don't invest in a commensurate level in the controls, you open up to a lot more risks, right? And so I think we've learned in risk management and a lot of other disciplines that for everything you do, there's a tradeoff. And I need to be able to manage that risk a little bit better. And so I think what we're starting to see in cybersecurity is yes, you'll get a lot of those benefits, but there's a downside risk on that. And I think you need to invest some commensurate amount of whatever you're putting towards the move fast and break things. Well, what if something goes wrong? What if we break something and it really goes south? Did we, you know, invest in this other side of it? I think it's still early days in an area called cyber risk quantification, which is well, how big is that risk really in terms of financial terms? Because I think that's how boards and regulators will think about it. It's still early days, but that's one way to be thinking about what is the risk that we're taking here, even though we're investing and trying to grab market share and put out capability, what could really go wrong? And some people will transfer that risk and insurance, or they'll hire or they'll invest in other sorts of controls.

So, there's definitely market pressure to avoid it. But I think that what we're also seeing is increased regulation, which is the SEC new disclosure rules, etc. are going to make it so you can't.

Christopher Reichert: Yeah, I was thinking about the, you know, the safest possible car, for example, you know, is not something we would probably want to buy. Right. Because it's and the same thing might be true for data security. You know, back in 2010, Mark Zuckerberg famously said, he said that the rise of social networking online meant that people were no longer should have an expectation of privacy.

Stephen Boyer : I remember that.

Christopher Reichert: Yeah. I mean, there was a hew and cry, right? But there was also like a he's probably right, darn it.

But I also think that, you know, with the rise of online activities, everything from B to B, B to C, C to C, everything that we do is so much online. Is it reasonable to say the tradeoff is a lot of our information is given away for free in return for some services. You may say that's not a great value, but it seems convenient for us, right? But there's also a lot of our personal information that's out there that I wonder if that's leveraged. I mean, it obviously is leveraged by, you know, the building blocks of identity theft. If they can take bits of information about you, then it can just it can make it even worse. So all these data breaches at MGM or UnitedHealthCare or any one of the other ones, it's not so much the specific information that's captured in that one breach. It's how it goes into the big stew of information that's out there that then gets put together by nefarious minds.

Stephen Boyer : Yeah. So if you take MGM, for example, it was a social engineering attack initially, and at least as reported by the Wall Street Journal, one of the attackers said that they found the information to impersonate the employee in the dark web. All right. Hey, I found their background. Whatever information they gave to the IT group to reset the password was legitimate. It was real. Right.

And so one breach can actually facilitate the next. And that's, you know, kind of what's happened here. I think the horse has probably left the barn in terms of getting that information digitized. Right. We have so many benefits by moving to digital healthcare that the question of this next decade is, how do we secure that? Right? How do we manage that? How do we put the right incentives and because of the damage, can be pretty big. I just use that example in Australia. But I also think that the benefits are so high by making that available, by storing that information. I mean, you think about, hey, how do you protect that and use that in a reasonable way?

We can get to AI maybe a little bit later, but those AI models rely on huge data sets. How do you make sure that none of that data leaks when somebody queries it a certain way? So I think we have huge benefits that we've reaped from, from the digitization. And I just think that now it's become really clear. I mean, maybe ten years ago there were inklings of it and people rumblings, I think today that there's not a board that's not worried about cyber risk. Right. And so I think that could be regulatory or reputation or revenue hits. But I think that's where it's like, okay, which data do we have. Do we need to keep it. Where are we collecting it on. Right. And where is it geographically. So I think some of those conversations have definitely shifted.

Christopher Reichert: You invented the cyber ratings industry and you recently partnered with Moody's. So tell us a bit about how that works. I read that you have the largest risk data set. You monitor over 40 million organizations and over 44 trillion, with a T, events, and you combine that with a correlated cybersecurity risk engine, some AI you mentioned and then obviously human insights. So tie that together for us how that all...

Stephen Boyer : Yeah. So the gap that we were really focused on, I think, and I take it back to what we talk about with advice to other Sloanies, which is we try to understand where there was pain in the market, and it came not just from our own observation, but we were doing something else that we had spun out of MIT and someone came to us and said, you know, it's really hard to figure out is how good the other guy is at cyber. Like, I can look at my own stuff, I can audit myself, but it's really hard to know looking at somebody else, how somebody, how good somebody else is. And so we went and studied and looked around and said, hey, what is a successful model where people have been able to do that? And it turns out consumer credit ratings has been fantastically effective at being able to issue credit by figuring out how good somebody else is, but not relying on their own disclosure, because what people were worried about is, of course, I'm going to ask you, Christopher, how good are you paying your bills?

And you're going to say, I'm amazing. I pay them all, all day, every. I have never had an issue. It's like, well, how do I know? Right. I was like, well, let me go check the record. And so in cyber, there was no equivalent to that. It was mostly everybody attesting to how good they were. And so there was very little trust but verify. And so like, hey, we looked at some of those other models and worked with people who had that pain and said, hey, what if we came up with a novel way of providing that? And the nice thing about the model was we looked at what the credit bureaus are doing, and they were collecting data not from you, but from other places that when no information about you, they're not asking you to submit a spreadsheet in your budget. They're collecting information about your spending patterns and paying back debt. And by doing that and by building those models over time, they've gotten pretty good at the risk of issuing credit to an individual. But from a risk management standpoint, it's actually pretty powerful. And so we really took that model and said, okay, what information can we collect about organizations, not individuals, that's going to give us an idea of how well they're implementing their cybersecurity practices? Can we watch it over time instead of waiting for an annual test or an audit opinion? Can we get something that's much more real time and empirical, as opposed to something that's more episodic and we would call subjective or in some cases aspirational.

Christopher Reichert: And so that's like a second leg of the stool. So Moody’s for example would be sort of financial and governance perhaps. And so this is this is your data governance policies.

Stephen Boyer : Yeah. So what we can we can observe very directly. And let's just take MIT for example. It's a very open campus big IP address space because education owns a huge amount of the internet. We can see what kind of services MIT is running. We can connect to them. You can query them. Of course, Google crawls and we crawl some of the other protocols and we can learn how are they doing, how quickly do they update when new vulnerabilities are announced? How long does it take MIT to patch? It could take them 30 days, 90 days, 180 days. How long it takes them actually says something about the sophistication, their processes, their people. And then you just look at that and you can compare.

That's the type of thing that was really hard to be able to do. When you think about the Moody's partnership, they see cyber risk as a key financial risk, which absolutely makes sense today, which is if you're going to look at credit risk, if somebody's not paying back the debt on time and in full. Well, we think about MGM. Not everybody can handle a $100 million revenue loss. Right? We'll see how it works for UnitedHealthCare. And so they're trying to account. We're working with them to build models to at some future point cyber will factor into the credit rating. And so when somebody goes into the market they'll need to be able to understand how's the governance, how the financials how's the cyber? Which I think is super important as you just started the whole conversation out, hey, cyber risk has a business component and a business risk to it, right. And so blending those two together is really important. So when we tied up with them it's really like, hey this is an important business risk that needs to be accounted for and priced. And a lot of people believe that it just hasn't been priced well because they just haven't had the visibility. So for us, it's about being able to provide that visibility and transparency instead of analytics to make those good cyber risk decisions.

Christopher Reichert: And so talking about artificial intelligence, is that, for Bitsight, a matter of accessing this huge amount of data that you have and making sense of it more rapidly than you ever could before?

Stephen Boyer : There are actually several, several layers, which I think with artificial intelligence, every organization is going to have to bring in and espouse best practices. I don't think anyone today brags about we use spreadsheets. I think a lot of this will happen is you'll have businesses learn to embrace a high degrees of efficiency automation. Gartner's predicted that I think 70 plus percent of developers are going to be using AI coding tools to develop their software. I have good friend, at a major software company, his productivity went up by 10x, he said, by starting to use some of these tools. So I think you have that kind of layer, which is, hey, how do we just get good at doing the things we do? We just need to be able to do that.

The next layer is how do we provide those capabilities to our customers? How do you provide a better experience? Do you have better insights and just make sure that you have better outcomes? Maybe that's lower cost or higher degrees of efficiency. And so we're obviously investing in to be able to provide those to the customers. And then, you know, stay tuned. But I think there's opportunities for a real leap ahead. And for us because we believe our one of one of the key things that we have is data sets. And the data sets drive the models. Right? And so if you have really good data, you're going to be able to provide really interesting models and capabilities. So I think I'm optimistic.

But where I'm most optimistic right now is human, plus AI. What we'll see is huge productivity gains, high degrees of automation, etc., which we've done in a lot of other ways of technology.

Christopher Reichert: Yeah, I mean, one of the things that we talked about it when I was at MIT was the notion of creative destruction. And, you know, it sounds very well. It sounds exciting.

Stephen Boyer : But will that replace the human at this point? I don't see it. I think people using the actual tools know that there are a lot of limitations, but they're actually pretty powerful for some things. And so that's where I think, hey, if you can combine the human and the AI would be for generation of ideas or for support, uh, I think you're making some advancements.

Christopher Reichert: So you had a computer science degree at Brigham Young. And then how did you decide to to get your master's degree for systems design management?

Stephen Boyer : Yeah. So a couple of examples. So I was going to school during the dot com boom, which if you were alive at that time, was magical.

It was truly magical. People were becoming rich off of IPOs. I went to this event. It was a Java one, which was run by Sun at the time, and it was a big event in San Francisco. And there was literally a sign that said, write your app in Java, go public, get rich.

And so I got to live through that time. And I was an engineer. And so I got to see how it worked out from the business. We did go public, which was which was pretty interesting. But I also got to see some mistakes that we made where I was frustrated. And so during that time I decided, hey, I want to go do something a little different. I have an opportunity to work at MIT Lincoln Laboratory in Lexington and work in cybersecurity, which is an area that I was fascinated by. And I saw that as, hey, that's going to be an interesting area of future, and we would work on really some interesting next generation projects for mostly Department of Defense. We got to live the cyber world decades before a lot of the commercial market did.

And so we invented some really cool things. And where I got a little bit frustrated is we would invent something that was really cool. And then we had to shelve it because the funding winds changed, right? It's like, hey, time for that project. Now we're moving on to the next project. And we would disclose some of those things to the MIT Technology Licensing office. And one time we had a group of VCs come in and they said,” hey, we're thinking about licensing this, what's the business model?”

And I thought, hey, for me to really have the impact that I want to have for the things that I work on, we really need to be able to take things that are in the lab and make sure that they're commercialized. And so I applied and got what's called the Lincoln Fellows program to be able to go back and participate. And I chose the SDM program because I thought, hey, that combination of the technical side pulling together these different systems and sort of on the on the business side, have a really interesting, powerful combination.

Ed Roberts was my thesis advisor and I really kind of looked at, okay, how do you take these things and what kind of systems do you need to put in place to have this have a real impact? And so I decided after I wrote it that I needed to walk the walk, you know, can you really go do it? And so we did. We actually spun out some of the patents that we had worked on. And so I left, you know, that company got acquired pretty early on. And that's where we got the ideas for, for Bitsight.

Christopher Reichert: So you were at MIT Technology at the Lincoln Lab and then you came to Sloan.

Stephen Boyer : Exactly. Yeah. And I was taking some courses in Course 6 because I thought I wanted to do more of that. And it's an area that really fascinated me, but it was this other angle that I thought, hey, you could do the best technology, but if you don't have a way to give the business model, you may not have the impact you want.

Christopher Reichert: So is that is that if you look back on your time at Sloan, do you think that's the change that that transformed you, that you came from a technology background?

Stephen Boyer : I think I think I had an idea of what I wanted to do, and I did want to do more entrepreneurship at the time. And so that was motivating.

I think one of the key things for me was the MIT 100K competition. I was able to participate in that and get really exposed to the broader MIT ecosystem, which was fascinating, right? I really enjoyed that. We took second, it was a not-for-profit healthcare company that was going to save the world from disease. And how do you get to compete with that with, you know, cybersecurity. But I think it really just ignited my passion, and it really gave me a vision for where things could go, right.

I mean, we had mentors. We got to get feedback. I was taking the new enterprises course and so I think it gave me a real vision of, hey, I could do this right. And I think it really gave me the confidence and really the support from an ecosystem that really exists here that's really strong. You know, there's the nuts and bolts of business, you know, plan courses. You know, I was taking. And so I'd say that was really helpful. And then of course, I met the people around me. And even just, you know, today was with, you know, several former entrepreneurs that I got to meet.

There's the founder of HubSpot or the founder of Okta. We're all there. We're all there at the same time. And so it's a really great, you know, ecosystem that existed at the time that I think was very inspirational.

Christopher Reichert: So if you think back on your time at Sloan and it was a two year program, right?

Christopher Reichert: And you've been out now for a few years. Do you look back and go, wow, I wish I'd taken that course, or I wish I had studied harder on that?

Stephen Boyer : I don't have many regrets. Actually, I've really just loved my time, and I feel like I had to be very selective of where to spend it, because you can do so many things. I didn't ever do a track. I guess maybe that would have been fun. However, I was spending time talking with potential customers, building my business plan and deck for the 100K competition. Right? So you're going to have to trade some things off because there are so many opportunities here at MIT. There's Sloan and there's the broader MIT, as well. So you have to you'll have to be selective.

I found that by having a vision of where I wanted to go after helped me be really selective. One thing I wanted to know is like, how did venture and private equity work? So I volunteered for the private equity symposium and helped out with that. Where you can volunteer and spend your time, it gives you a lot of opportunities to learn. So I'd say I don't have really any regrets. I feel like I just had to be really selective because you just can't do it all. There are so many different, really cool opportunities, and some of it is maybe there are things that I just didn't know about that I could have taken advantage of. But I feel like the people that I met, the experiences that I had, the engagement with the faculty was fantastic. And I think maybe the single most fulfilling thing was a club. You could call that the student run MIT 100K competition. And so I think you may or may not have that vision when you come in, but I think you can get exposed to a lot of things very quickly. And so it's, you know, spend the time to go get that exposure.

But I did not anticipate how valuable the business school curriculum would be. A lot of people are like, I want to go and get the degree and that sort of thing. But I think the curriculum and the, the content was like, okay, I want to do that. And so I want this content. It wasn’t I just need to get through this to get the degree, to go get the job. It was like, I need this content to be able to do the things that I want to do afterward. And so I think that really helped me structure the decisions that I needed to make to decide what to take and what to participate in.

Christopher Reichert: And you started Bitsight here in Boston?

Christopher Reichert: And when did you move to Portugal?

Stephen Boyer : About a year and a half ago. It's temporary, really, to just focus on our customers and growth in Europe. What we got feedback from our team was that we were too US-centric. When you're there in country, you're there with the customers. You get to read the local news, you get to understand what are the regulations and what are people facing. So it really gave me a higher degree of empathy for that particular market and the customers in it. So I think that's been great.

And then also our teammates, what are they going through? What are the political situations? What are the taxes? What are the cost of living? And by being there, it's very different than showing up and seeing if you have taken a few meetings and staying in the hotel as opposed to being there. And so I think for me, it's just been a real big dose of empathy for our customers and our teammates that I think has been really helpful. So so stay tuned.

Christopher Reichert: So I have two last questions for you. And you can answer one or both. What is your personal definition of success. That's one. And the other one is do you have any advice for prospective Sloanies?

Stephen Boyer : So what I talk to our teammates is about is most of the studies around humans and where they find happiness is around having some sort of mission, being part of some mission that you really care about.

Do you think it's having some sort of great impact and being part of something bigger than yourself? So I think being able to find that is hugely successful. The other one is kind of like mastery and okay, am I doing something? Am I good at what I do? Right. I think it's like, hey, am I can I be really great at what I do? And I think the third one is, hey, do I have some degree of autonomy? Do I get to decide my fate? Do I get to decide what I want to be really good at, and what kind of mission I want to do? And I think if you do those sorts of things and can align with your values to be able to do those things, and hey, if I really value these things and I can do that while going after those missions, I think that's a pretty, you know, successful career. I feel very fortunate that, you know, what I've been able to do. And I think if you're creating it well, you get to forge those values, right? I mean, by founding the company, we were very deliberate on the culture that we wanted to create and that we wanted to be a part of.

And so I think that's one of one of the benefits. But you can change that culture and create those values wherever you may go. So I'd say, hey, you know, join a mission that you really can believe in. Become really good at what you do, and you're never done with that. And then, you know, work to have some degree of autonomy. If you're really good, you're going to have some amount of decision rights and ability to decide what you want to work on.

Christopher Reichert: That's great. And for prospective Sloanies in terms of choosing, you know, the different programs and for that matter, MIT?

Stephen Boyer: I mean, there's probably not anything that I haven't heard, but you can really immerse yourself in the ecosystem here, which is just fantastic. So many different ways that you can go. I'd say if you're just focusing on the coursework, you're missing out. I mean, you're going to miss out some things. I think the coursework is fantastic, but I think so much more that's going to be enriching to you will be found outside the classroom.

The other thing I would just say is, hey, the content and the experience will be much more beneficial if you know why you're doing it. It's like, I need it because I want to go here, and I know some people go to business school to kind of do a transition or they're not quite sure what they want to do, but I'd say it is really helpful to say, I need this. I'm taking this finance course because I need to know this thing. I'm taking this new business course because I'm doing this thing. Um, and I think that could just make it just that much more beneficial and enriching.

Christopher Reichert: That's great. Well, I'm so glad we caught you on your trip back from Portugal, passing through Boston. So thank you to Stephen Boyer, a 2008 MIT Sloan System Design and Management graduate, for joining us on this episode of Sloanies talking with Sloanies.

Christopher Reichert: You can learn more about Stephen and Bitsight at bitsight.com and contact him at [email protected] and you can also learn more about the System Design and Management program at sdm.mit.edu.

So thanks for joining us and thank you very much.

Stephen Boyer : Pleasure.

Christopher Reichert: Sloanies Talking with Sloanies is produced by the Office of External relations at MIT Sloan School of Management. You can subscribe to this podcast by visiting our website, mitsloan.mit.edu/alumni , or wherever you find your favorite podcasts. Support for this podcast comes in part from the Sloan Annual Fund, which provides essential flexible funding to ensure that our community can pursue excellence. Make your gift today by visiting giving.mit.edu/sloan .

To support this show or if you have an idea for a topic or a guest you think we should feature, drop us a note at [email protected] .

Related Posts