Leadership Laboratory

Leadership Lab: STI Degree Candidates' Leadership Essays

SANS Technology Institute's mission is to develop the leaders of the future for the information security industry. One of our admission requirements is that an applicant complete an essay describing leadership qualities they have demonstrated in the past.

SANS Technology Institute's Leadership Essay - June 5th, 2007
Leadership Essay SANS Technology Institute - May 13th, 2008
Leadership Essay SANS Technology Institute - April 16th, 2008
Leadership Essay SANS Technology Institute - February 22nd, 2008
Leadership Essay SANS Technology Institute - February 8th, 2008
Leadership Essay SANS Technology Institute - December 7th, 2007
Leadership Essay SANS Technology Institute - September 14th, 2007
Leading to Patch Management - June 27th, 2007
Leadership in Consulting - June 8th, 2007
Leading from the Front - May 4th, 2007
Leading Through Mentoring and Coaching - January 10th, 2007
SANS Technology Institute Leadership Essay - December 26th, 2006

SANS Technology Institute's Leadership Essay

June 5th, 2007
By Stephen Northcutt



Why does SANS Technology Institute require a leadership essay for admission, and why do you post the essays on the STI Leadership Lab?


We have received several notes to this effect in the past few weeks, so let's try to address both questions. First, a bit of background: the two master's degrees we offer are very technical; most people feel they are the two most technical Master of Science in Information Security degrees offered. And, while that is great, it is not our primary focus. Take a minute to consider the SANS Technology Institute (STI) mission statement:

The mission of the SANS Technology Institute is to develop the information security technology leaders needed to help strengthen the defensive information community all over the world by improving the security of cyberspace. SANS seeks to prepare both the managers of information security groups and the technical leaders who direct security technology programs. SANS Technology Institute's primary functional emphasis is instruction, but the Institute faculty and students will engage in research and public service programs that contribute to the learning process.[1]

You can clearly see the focus is to develop leaders. Everything we have done in building SANS and GIAC has been a lesson in leadership. The faculty of SANS are the thought leaders of information security: they have written many of the leading security books, they are speakers at events, they help guide the industry. Originally, we found these folks through a fairly barbaric process. It was essentially a contest and only the very best made it to the top; for every Ed Skoudis that succeeded, 99 other candidates washed out of the program. And, in some sense, that mirrors the real world of business.

Surely when you read about 99% of candidates failing to complete a program's objective, you were thinking, "there had to be a better way" - only the most flawed process rejects 99%. And there is a better way. Leaders to a very large extent are made; they can be taught to speak and present well, to write well, to conduct research, to take a lead role in crisis. In recent years we have adapted our processes to find SANS instructors. Today, everyone that gets an 85 or higher average score on their GIAC exams is offered a chance to begin training and preparing. It would be nice to say our success rate is 99%; sadly that is not true, but we are getting better and better at helping people reach their leadership potential. That is why we call this a leadership laboratory. And we are trying to take what we learn in the business of information security to the academic world of information assurance.

Focus on the best
There will never be more GSEs (GIAC's highest level of certification) than CISSPs or GSECs, but, in general, a GSE will command a higher salary and greater responsibility than someone who holds the lesser certification. GSE is proof of being the best. In the same way, with an academic program, you have to raise the bar pretty high at the entrance if you want the graduates of your program to get the same kind of respect in the industry that a GSE receives. In addition to our other requirements for admission, including Gold level completion of a curriculum-related GIAC certification, we require a leadership essay. It is partly a writing sample, but when the admissions committee looks at it, they are mostly looking for evidence of leadership experience and potential. This is part of the process to focus on the best.

Staying the best
If you make claims of being the best, you need to be ready to prove it. Everyone claims to be the industry leader, to be the best. We are so inured to this that we automatically filter out that sort of language. Yet, at the same time, we appreciate sports heroes, thought leaders, companies and academic organizations that quietly, confidently say they are the best when the preponderance of evidence backs that up. If you ask a faculty member of Harvard Business School if they are the best, they will say yes. And it is not puffery; they are. The difference between Harvard and some generic MBA program is the difficulty to get into the program, the quality of the graduates, and the research performance of the faculty. The last bit is key. In the same way a sports hero has to continue to perform game after game, the Harvard faculty continues to demonstrate they are the thought leaders of the business world. You see it in everything they do, from the seminars they hold to the many publications they contribute to, including Harvard Business Review: they show that they are on top of business. As we said earlier, when it comes to technical mastery of information security, because of its SANS heritage, STI simply cannot be challenged. STI has the preponderance of evidence that supports that.

Becoming the best
What about leadership in information security? STI cannot possibly claim to be the world-recognized authority in producing leaders in information security. It is too new; there is no preponderance of evidence. And more, we are still trying to improve the process of producing leaders. We need to conduct more research, present findings, search for answers and build community acceptance, one success at a time. This is why we post the leadership essay. The entire world can see the student we are accepting, the level of leadership they have at this point and, hopefully, as they develop through the system, what they become. The strength of an academic institution is measured by the success of its alumni. When the STI alumni are recognized as a group that are consistently leaders in information security, then, and only then, will we be able to say we are meeting the goals of our mission statement and taking our place as the best academic institution for students to learn information security.


1. http://www.sans.edu/