Leadership Laboratory

Leadership Lab: STI Degree Candidates' Leadership Essays

SANS Technology Institute's mission is to develop the leaders of the future for the information security industry. One of our admission requirements is that an applicant complete an essay describing leadership qualities they have demonstrated in the past.


Leadership Essay SANS Technology Institute

December 7th, 2007
By Jim Beechey


Leadership, while being one of the most important ingredients in advancing one’s career, is one of the more difficult qualities to define and measure. Leadership is certainly more of an art than a science and requires adaptability depending upon the individuals involved and situation encountered. One size does not fit all. While leadership in general presents challenges, I believe that leading an information security organization brings its own unique challenges and requires special attention to key areas. In my organization, information security consists of a one-person, autonomous group within the larger IT organization. Therefore, the person filling this role must cover various security-related responsibilities, including policy maker, technology implementer, auditor and security evangelist. In the most general terms, I have shown my leadership skills in the creation and development of an extensive information security program from the ground up. This essay will highlight my personal experiences during this process and will focus on some of the key leadership qualities an information security professional should possess.

A leader pushes toward fixing the problem, not placing blame. One process I instituted at our organization was walkthroughs of office areas at night to check for proper physical security of documents containing sensitive data. The first time these walkthroughs occurred, the intent was to gauge where the organization was regarding this issue. Unfortunately, we found significant amounts of unprotected, sensitive data. Instead of simply providing senior management with a list of offenders, we did the following. First, we spoke to each and every individual who had sensitive data not properly secured. We explained why this issue was important and what they could do to fix the problem. Second, we attended several departmental meetings to discuss the issue further with certain staff members. Third, we did not hand over a list of offenders to anyone. This was my rationale: how can we expect our employees to secure documents when we don't have a policy in place telling them what needs to be secured and how to do it? Fourth, we developed a written policy covering the issues. I believe that our focus on fixing the issue rather than passing blame was the main reason people spent time addressing the issue rather than getting defensive and shutting down. The proof came in follow-up walkthroughs where no significant issues were found.

A leader develops others without fear. Technical staff members are typically very interested in learning and experiencing new technologies. I rely heavily on staff in other areas of IT to help make our systems secure. Therefore, I believe I have a responsibility to help develop those individuals who have an interest in the security area. I accomplish this in several ways. First, when new security-related projects or technologies are implemented, I look for people in other areas to be part of an implementation team rather than just completing the project myself. In addition, typically there will be a scheduled walkthrough of the new system for others to see once it has been implemented. Second, I regularly share articles of interest or new tools with people who may find them interesting. Third, I recommend and support staff in attending security-related training. For instance, two staff members recently took the SANS GSEC course. One of our IT Director’s favorite sayings to our management team is that we should always be looking to develop people so they are prepared to take over for us if we decide to leave. I believe this statement rings true in security leadership, not just from an operational coverage perspective, but those who follow this mantra also help to infuse security into the culture of the IT department.

Leaders make decisions collaboratively. Information security is an area where things are not always black and white. Decisions can be guided by many things such as regulations, organizational policy, risk tolerance, and, at times, good old-fashioned gut feeling. Whenever possible, I try to involve others in the decision-making process or at least run things by someone else for a sanity check. When we work on large evaluations such as risk assessments or system audits, I always try to involve people from across various areas of the organization. For instance, I was responsible for creating an IT Disaster Recovery Plan. We kicked off the process by gathering all IT staff into a large room, dividing them into functional groups and giving staff the scenario that our main data center had burned to the ground last night. Groups were tasked with determining, in order, what services and equipment should be brought back online. In addition, we asked for a cost estimate for technical equipment replacement and whether there was an available manual process for key administrative functions. This exercise and the input from others brought many things to my attention that would not have otherwise been discovered. In addition, people continued to come up with ideas long after the exercise was over. Getting others involved created a collaborative environment and, in the end, a better plan.

The preceding examples highlight three characteristics of leadership that I have exhibited in my career and believe are important to the success of an information security professional. Clearly, leadership skills development is a journey that never ends. There is no shortage of new experiences or educational materials on the subject. The key to success is to constantly evaluate your own leadership skills, obtain feedback from peers or a mentor, adapt strategies to meet situational or personal needs and enjoy the ride.