Security Laboratory

Security Laboratory: Thought Leaders

Stephen Northcutt from the Security Laboratory conducts in-depth interviews with the thought leaders in information security. For every novel security product, there is a thought leader, a man or woman of vision who sees the need and guides the creation of the security product. If there is someone missing whose voice you feel should be heard, drop me a note: stephen@sans.edu.

What is a Security Thought Leader - March 22nd, 2008
Amrit Williams, Chief Technology Officer, BigFix - June 30th, 2008
Andrew Hay, Q1 Labs - May 13th, 2008
Gene Schultz, CTO of High Tower - April 4th, 2008
Tomasz Kojm, original author of ClamAV - April 3rd, 2008
Bill Johnson, CEO TDI - April 2nd, 2008
Gene Kim, Tripwire - March 14th, 2008
Kevin Kenan, Managing Director, K2 Digital Defense - March 14th, 2008
Leigh Purdie, InterSect Alliance, co-founder of Snare - March 7th, 2008
Marty Roesch, Sourcefire CEO and Snort creator - February 26th, 2008
Dr. Anton Chuvakin, Chief Logging Evangelist with LogLogic - January 28th, 2008
Kishore Kumar, CEO of Pari Networks - Updated January 28th, 2008
Ivan Arce, CTO of Core Security Technologies - October 26th, 2007
Mike Weider, CTO for Watchfire - Updated July 23rd, 2007
Jeremiah Grossman, Founder and CTO of WhiteHat Security - July 12th, 2007
Interview with authors of The Art of Software Security Assessment - Updated July 9th, 2007
Ryan Barnett, Director of Application Security Training at Breach Security, Inc. - June 29th, 2007
Dinis Cruz, Director of Advanced Technology, Ounce Labs - June 11th, 2007
Brian Chess, Chief Scientist for Fortify Software - June 9th, 2007
Caleb Sima, CTO for SPI Dynamics - Updated May 29th, 2007
An Interview with David Hoelzer, author of DAD, a log aggregator - May 1st, 2007
An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information - March 22nd, 2007

What is a Security Thought Leader

March 22nd, 2008
By Stephen Northcutt



The SANS.edu Security Thought Leader project began with a simple Google query. I had landed on a Cisco web page titled: Cisco Federal Security Thought Leadership.[1] I looked at the page and did a double take. It had topics, it had pictures, but it did not have people; well, John Stewart was at the very bottom. So, I started wondering, just how does one define "security thought leadership"? I went to Wikipedia and their opening statement is: "Thought leader is a buzzword or article of jargon used to describe a futurist or person who is recognized among their peers and mentors for innovative ideas and demonstrates the confidence to promote or share those ideas as actionable distilled insights (thinklets)."[2]

I do not totally agree with the definition, but since it is Wikipedia, it will evolve. But, key points of thought leadership clearly include:
In our industry, information security, we tend to overuse the term. I did a Google search on March 20, 2008, for security thought leader and there were 2,430,000 results.[3] That's a lot of leadership. Or misuse of the term. Oh, I forgot, use quotes. I redid the search as "security thought leader" and the number dropped way down. Oddly, another thing ended up as page one, hit one from Google: a press release for "Oracle Recognizes Integrigy as Oracle Applications Security Thought Leader". This is a bit scary: some company I have never heard of leads the entire planet as the number one security thought leader. It isn't Gene Spafford, Richard Clarke, Marcus Sachs, Amit Yoran, Marty Roesch, Anton Chuvakin, or even Oracle's own Mary Ann Davidson. This needs to be fixed!

So, I have started the Security Thought Leader project. Over the years I hope to introduce you to some really great men and women. They will each meet the criteria we have defined (with Wikipedia's help) for thought leadership. And I could certainly use your help: what are the chances I know everyone that is a real thought leader for a field the size of information security in a world as vast as ours? ZERO. So, if you know someone special that has made a major contribution to the field, give me an introduction please: stephen@sans.edu.

1. http://www.cisco.com/web/strategy/government/usfed_security_leadership.html
2. http://en.wikipedia.org/wiki/Thought_leader
3. http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=bs9&q=security+thought+leader&btnG=Search
4. http://www.integrigy.com/news/press-releases/integrigy-thought-leader/
5. http://www.sans.edu/resources/securitylab/marty_roesch_int.php
6. http://www.sans.edu/resources/securitylab/loglogic_chuvakin.php
7. http://www.sans.edu/resources/securitylab/41/