Leadership Lab: STI Degree Candidates' Leadership Essays

SANS Technology Institute's mission is to develop the leaders of the future for the information security industry. One of our admission requirements is that an applicant complete an essay describing leadership qualities they have demonstrated in the past.

Leading to Patch Management

June 27th, 2007
By Brad Ruppert



The Information Security group at my company wasn’t always considered the most effective, hardest-working team in the enterprise; it has only been elevated to that status over the course of the past three years. Under a new director and the addition of several extremely motivated individuals, including myself, we’ve turned the group from a technology-heavy team operating in reactive mode to a strategic, well-focused, and energetic group of achievers. Our advice is sought by the business leaders of our company as well as the most seasoned system administrators. We have become known as the ‘group that can deliver’.


Several years ago, our company had no strategy for patching our systems and when tasked with performing an audit of our enterprise, it was disturbing to note that close to ninety percent of our Windows and Linux machines were six to seven months behind in patches. To resolve this issue, our executive management needed to be made aware of our current state and the risks involved with the failure to patch our systems. Through our Information Security Steering Committee (ISSC) we were able to have our executive management provide full support for us to create a patch management strategy that would take precedence over a great majority of other projects or persons that might give us pushback.


To ensure this project was a success, I needed to coordinate with the system administrators and application engineers to outline all the details involved with patching and rebooting our systems. I also had to determine why patching strategies failed in the past and ensure that the same pitfalls did not happen again. According to our operations group, the biggest obstacle to overcome in the past was the company's relentless desire to supersede maintenance issues for production rollout releases. Typically system administrators would not have a strong enough backing by themselves to alert the business of a need to upgrade or patch our systems. Now that we had executive support from the ISSC we could go to the change management board and push past the bureaucratic system. Another component to add strength to our cause was uniformity. I was able to gather all system administrators and get them to agree upon a common strategy to patch all our systems instead of just one business or I.T. unit.


The next task was to document the required processes, timelines, roles, responsibilities, and exceptions into a patch management procedure. This document would be the guideline for the next component which was to establish a patch management committee. Through hard work and leadership I was able to comprise a group of system administrators, application engineers, configuration management, network/system operations, project managers, information security, and change management. Roles were defined, timelines were agreed upon, and responsibilities were doled out. The committee would be tasked with ensuring all components of patching were addressed and for any issues that came about, they would be resolved as a group.


Over the course of a three-month period I was able to coordinate with all the technical and business representatives of each division and get their acceptance to the patch management procedure. Once that was completed we held our first meeting of the Patch Management Committee where we discussed and agreed upon our first enterprise patching weekend. Despite some minor glitches during the reboot phase on some machines, overall the enterprise patching was a huge success. The committee reconvened several days after the patching weekend to iron out any issues with process or responsibilities. Since then the committee has been able to meet once a month and each time the patching becomes more routine and has fewer problems. Communication during the patching weekend has increased tremendously and the executives are made aware of the tremendous change in our overall security posture.


Along with providing a solution to patch management I am also involved with incident response, security design reviews, and security awareness. As the CSIRT (Computer Security Incident Response Team) lead I’ve coordinated with my group to identify, isolate and contain multiple incidents that have hit our company. I’ve written processes and procedures to handle security outbreaks, compiled guidelines and resource tools to eradicate incidents, and written executive summaries to encapsulate our findings and provide lessons learned. I’ve also headed up our annual Enterprise Security Assessment with our security team, prioritized our findings, and provided executive summaries to our Information Security Steering Committee (ISSC).


With a background in J2EE programming, I’ve developed multiple three-tier enterprise web applications, worked as a team lead and liaison to the business, helped provide security guidelines and procedures, configured and installed digital certificates, and established security monitoring and reporting tools. I am interested in expanding my educational background and knowledge base by earning a master’s degree. I look forward to having an opportunity to prove to myself that I can complete the requirements for a master’s degree.