Leadership Lab: STI Degree Candidates' Leadership Essays
SANS Technology Institute's mission is to develop the leaders of the
future for the information security industry. One of our admission
requirements is that an applicant complete an essay describing
leadership qualities they have demonstrated in the past.
Leadership Essay SANS Technology Institute
Feb 17th, 2009
By Algis Kibirkstis
Leadership in the information systems security world can cover a
multitude of aspects and may also take on many different forms.
While qualities such as demonstrable competence, integrity, the
ability to delegate, communication skills and perseverance – not
to mention an almost fanatical sense of passionate enthusiasm –
are commonly found in today’s successful infosec leader, other
traits are developed and demonstrated based on the working environments
to which one is exposed. The successful leader is one that can
drive requirements and objectives to their successful fruition, all
while respecting business needs and corporate culture.
The telephony industry is one such environment. Due to
contractually defined “five nines” expectations, it is
historically sensitive to availability issues and has commonly gone
to great lengths to safeguard that promise to the marketplace.
One of the greatest challenges met by telephony over the last decade
has been the inevitable and progressive migration from closed private
networks towards the open, untrusted telecommunications network of the
Internet. This necessitated a fundamental change in the way the industry
views its production environment, and the change did not come
easily. Operating systems and network configurations, once
protected by restricted physical access and obscure protocol
implementations, became extremely vulnerable once exposed to
hostile surroundings. The need to consider confidentiality and
integrity along with availability was difficult to assimilate for many
old-school telephony archetypes, for in the past availability simply
trumped all, and anything new that could jeopardize service
availability could be summarily dropped in order to limit perceived
risk to the core business – including the introduction of basic
security-related mechanisms.
But times had to change. Working in a team to develop
bleeding-edge telco-grade server systems, I was asked to make sense of
a shopping list of security requirements coming from a high-profile
customer. After gaining support from a receptive group of middle
and senior managers, I was given the opportunity to lead a team to
develop a comprehensive standards-based strategy for safeguarding the
system and its assets, one that could be tuned and reused by other
research & development teams in the company.
Starting small with an eager teammate, I was able to secure our
attendance at a string of three SANS conferences over a period of 9
months, where we received invaluable training in different aspects of
information systems security. During this time, as my colleague
developed strategies and procedures for implementing and configuring
operating systems and utilities, I provided guidance and prepared a
security rule-set foundation that could provide the direction in
developing more secure products, in a format and in language adapted to
the culture and operations of the organization. I also spent a
significant amount of time driving the program by evangelizing, raising
awareness and networking with peers from other groups and departments,
in order to come up with a strategy that could be supported in the
short-term by consensus, if not by corporate policy.
Once the next product development cycle came up, I sat down with my
colleague to hash out a man-hour estimate that withstood a tremendous
amount of scrutiny from archetypes resisting change. My group
then took on two interns who helped us implement, test, integrate,
audit and document the delivery of the first product release at our
company that addressed security as part of overall system design and
development. The results exceeded expectations: we delivered on
time and on budget, and the few trouble tickets we had received during
system testing were quickly and effectively resolved. The
rollback procedures that had been developed to quell persistent
concerns were tested and deemed effective, but were never required once
in production.
When our security-related progress was presented to a group consisting
of various leads of other product development projects and the
high-profile customer, my initiative was singled out as a model on how
to address security in future projects, in that we respected the intent
of customer requirements while also taking on the responsibility to
develop and implement a comprehensive security plan for our product.