Musings

So, you're thinking about taking Management 512, SANS Security Leadership Essentials For Managers with Knowledge Compression

May 3rd, 2007
By Stephen Northcutt



We have received a lot of email lately about the course we author and teach, Management 512, SANS Security Leadership Essentials For Managers with Knowledge Compression,[1] so we will try to answer those questions in this article, and we will make every effort to be accurate and not sound like a marketing engine. If we screw it up, drop us a note, stephen@sans.edu, and we will adjust.

In your writings you often say "we". Who is we, or is this just a writing quirk that you have?
We are a team both in terms of authoring and presenting. Before an instructor is approved to teach MGT 512 they meet certain other criteria (sorry, can't spell them out, that is a business trade secret[2]) and they usually go through a "check ride" with the lead instructor for the course, Stephen Northcutt.[3] In terms of the writing team, it has changed over the years, but Stephen Northcutt is actively writing, with help from Lori Homsher,[4] John Bambenek and Lorna Hutcheson.[5]

What is the relationship of the postings on the Security Laboratory and Leadership Laboratory to Management 512?
There are three major reasons for the labs:

How important is reading the material before coming to class?
If you are a newly appointed security manager or leader and do not have extensive security experience, it is very important. If you are planning to take the GSLC[6] exam to meet 8570[7] requirements, it is pretty important. And face it, this is an expensive course; if you want to get your money's worth, the read ahead is carefully selected.

Who is this course designed for, who should attend?
That is changing; the course was originally designed for senior executives, vice presidents and CxOs. Then the DoD listed the GSLC as one of the acceptable certifications for anyone with 8570 Information Assurance Management responsibilities. That changed the demographics overnight, so we complained bitterly for a couple of days, and started on a new Job Task Analysis[8] and have adjusted the course to better meet the needs of the warfighter. The current demographic is about 25% DoD managers, a few international folks, and the rest leaders and managers in private industry. Overall, these students seem to fall into three main categories:
The good news is that all the groups seem to be getting along; the folks with lots of management experience offer tips from their background and the folks with technical backgrounds have their insights to add. And, even after adjusting the course to beef things up for the warfighter, no one seems to mind - everyone connected to the Internet is a cyberwarrior to some degree.

What can I expect to get out of this course, what makes it different from other security courses?
Management 512 has a few distinctives. It is pretty densely packed with information and, if you have not taken a SANS course lately, you may be surprised by the amount of information. MGT 512 covers both relevant historical and breaking topics to try to build a sense of perspective, and a considerable amount of the course is built upon a foundation of intentionally choosing a defense in depth architecture:
http://www.sans.edu/resources/securitylab/367.php
http://www.sans.edu/resources/securitylab/372.php
http://www.sans.edu/resources/securitylab/321.php
http://www.sans.edu/resources/securitylab/316.php
http://www.sans.edu/resources/securitylab/311.php
We keep coming back to these intentional architectures as we consider threats and countermeasures.

As to what you will get out of this course, keep in mind the famous Grace Hopper quote, "Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it." Our objective will be for you to develop a much sharper understanding of what information security protects and how to find the crucial assets, assess the risk to them and choose a defense in depth architecture to protect them.[9]

We believe you will increase your ability to understand what technical people are telling you and ask the right questions to make sure you are getting the entire picture from the people that report to you. A major focus of the course is the wise spending of money; we discuss in detail what works, what doesn't and how to stretch your budget. And, we spend a lot of time discussing proven strategies to improve your skills at selling security to senior management and peers.

That proven strategies bit sounds a bit like marketing to me . . . who proves them?

Like everything else, you get back if you invest. Alumni of the course get an option to join an alumni mailing list; it is not very high traffic, but it is helpful for those that use it. People ask questions and get answers, and we make note of what works and put it into the course for the future.

Is there an in-depth list of what you cover?
The best coverage would be the course description on the web.[10]

A friend of mine took your course and said that you made him read a packet, is that true? How many questions about reading a packet are on the exam?
Ah yes, that famous story. We do teach our students to evaluate whether their network administrator is able to read a packet using a well known tool;[11] we have no expectation of Management 512 alumni pulling traffic off the network with Wireshark[12] and doing hexadecimal math in their heads - that is what the Intrusion Detection In-Depth[13] students do. As far as how many exam questions cover packet reading, there are two exams; each exam is 75 questions long and covers three days of material, about 600 pages of content when you remove the filler such as section dividers. Since all the major topics have to be covered, if you do the math, it would be one at most; unless the exam engine really, really disliked you, then it could possibly be two questions.

Any advice on which SANS class I should take if I don't take this one?
No canned advice, but if you drop stephen@sans.edu a note with enough information about your background, situation and desired educational outcome, we will try to help you.


1. http://www.sans.org/training/description.php?tid=452
2. http://www.sans.edu/resources/leadershiplab/ip_trade_secrets.php
3. http://www.sans.org/training/instructors.php#Northcutt
4. http://www.sans.org/sanfrancisco07_cs/faculty.php
5. http://www.sans.org/bridgeport06/faculty.php
6. http://www.giac.org/certifications/security/gslc.php
7. http://www.sans.org/training/dod8570.php
8. http://www.sans.edu/resources/leadershiplab/77.php
9. http://www.sans.edu/resources/leadershiplab/ip_ten_steps.php
10. http://www.sans.org/training/description.php?tid=452
11. http://www.sans.org/info/3871
12. http://www.wireshark.org/
13. http://www.sans.org/training/description.php?tid=242