Leadership Lab: STI Degree Candidates' Leadership Essays
SANS Technology Institute's mission is to develop the leaders of the
future for the information security industry. One of our admission
requirements is that an applicant complete an essay describing
leadership qualities they have demonstrated in the past.
Leadership Essay SANS Technology Institute
Jul 24th, 2008
By Mark Baggett
Leaders motivate others to follow them in achieving their goals. One
way that I like to do this is to use the power of ideas and causes. It
is amazing to see the lengths to which people will go to follow an idea
that they have been inspired to believe in. For example, those who
believe in the protection of our planet from global warming will water
their plants with their used bath water, spend money on hybrid vehicles
without an ROI on fuel savings, or chain themselves to a tree in front
of an oncoming bulldozer. My intention here is not to judge the merit
of those actions, but instead to point out that they are not acts of
convenience. Without the proper motivation, one would never pursue such
actions. Most people will not take such actions because they want to
achieve a particular business goal. But since preserving the planet is
a core belief that defines them, they will tolerate inconvenience for
their cause. In the same way, a security leader can inspire individuals
to take an inconvenient course of action, to pursue the idea of
achieving security. For example, it is far more convenient to set all
of my passwords to my child’s birthday than to remember
pass-phrases for every system I encounter. If the pursuit of ideas has
led cult members to drink the Kool-Aid that they know will end their
lives so that they can be saved by aliens, then security leaders should
be able to convince people to choose a decent password. To inspire such
belief, leaders must whole-heartedly believe in the idea themselves, or
their integrity is questioned and no one will embrace their ideas.
Integrity: "The masterful leader cultivates the moral law, and
strictly adheres to proper methods and discipline; thus it is in his
power to control success." - Sun Tzu
A leader must maintain a high degree of personal integrity. No one
wants to follow someone whom they do not trust. Nor do they want to
assist someone in achieving an objective if they question the intention
or legitimacy of the effort. Therefore, leaders must maintain a high
degree of integrity. The more honesty, consistency, and virtue a leader
exhibits, the more those that follow will trust that their cause is
worth pursuing. A security leader holds strong to the belief in the
importance of information security. In my opinion, far too many of
today’s information security professionals are apologetic about
the principles of security and do not stand firm in their belief. The
CFO never apologizes for demanding a balanced budget. Likewise, the
CISO should demand that the organization follow good information
security practices, understand risk and make good business decisions.
That is not to say that the CISO is someone who says "NO" to the needs
of a changing business landscape. To the contrary, they must be nimble
and have a deep understanding of the technology, so that they can offer
solutions which appropriately mitigate risks in order to meet business
objectives without compromising security.
Knowledge: "A general is skillful in attack whose opponent does not
know what to defend; and he is skillful in defense whose opponent does
not know what to attack." - Sun Tzu
A leader must have a high degree of knowledge of the area in which he
leads. I would not allow my dentist to do my taxes or my lawyer to
perform heart surgery on me. In the same way, we should expect our
security leaders to have a high degree of specialized knowledge in
information security. Information security leaders must understand the
business and the risks that affect it. But if all they know is the
business, information security leaders are ill-equipped to face the
challenges of protecting data in today’s highly complex
technology environments. They must also understand the principles of
information security management; how attackers gain access to their
network; and how to design, test, manage and maintain secure networks.
A lack of understanding of technology and good security often results
in professionals overlooking low cost mitigation techniques and simply
accepting risks because they believe mitigation is too costly. Only by
educating themselves and having a highly specialized understanding of
information security can information security leaders be able to
embrace the challenges of today’s business environment.
Embraces challenges and plans for success: "The enlightened ruler
lays his plans well ahead; the good general cultivates his resources."
- Sun Tzu
A leader humbly embraces challenges with healthy respect for the task
at hand and with confidence that his preparation and training will lead
to his success. If a leader fails to embrace challenges that serve his
ideas because they are too difficult, then he has ceased to lead.
Instead, a leader should use his knowledge to develop a comprehensive
plan which will ensure success, and inspire others to "dig deep" and
accomplish more than they believed they were capable of.
These are all elements of leadership that I strive to achieve and
maintain in my career and personal life. In humility, I must
acknowledge that this is a difficult standard to achieve and even
harder to maintain. But, there are some elements in my career that I am
very proud of where I was able to at least give a glimpse of this lofty
standard. In 2005, in an attempt to reach out to, organize and educate
other security professionals, I began the process of forming a local
chapter of the Information System Security Association (www.issa.org).
At the time, I only knew two other security professionals in the area
and I believed it would be very difficult to find the ten founding
members required to establish a local chapter. But over a period of 6
months and with the assistance of a few key players, we were able to
contact and find interest in a number of other local security
professionals. In 2006, I became the founding president of the Greater
Augusta ISSA chapter. The chapter has hosted numerous public
educational seminars with as many as 150 attendees at events. The
chapter has also spawned other local community groups to help define an
Information Assurance degree curriculum at a local university and
establish an Information Security Center of Excellence. In 2006, I was
honored to be nominated by my peers for the ISE Information Security
Executive of the Year. In 2008, my leadership in the local community
was affirmed as my peers re-elected me as president of our ISSA
chapter. Last year I mentored a SANS 504 session and this year our ISSA
chapter will take part in the SANS COINS program. The COINS session
will help to spread the word about a 401 session I will mentor, to once
again bring high quality SANS training to local professionals.
I hope that you will accept my application into the SANS Masters
program. In doing so, you will help me to achieve many of the
leadership qualities I have outlined here on which I place such a
premium. I will support the idea of maintaining high security by honing
my skills and broadening my horizons. Through the Masters program I
will, without a doubt, increase my knowledge of the security
profession. In obtaining my Masters I will receive credentials that
will help me to inspire others to pursue high security standards. I
hope that you will allow me to embrace this challenge and achieve a
goal that I have long wanted to achieve.


