Management Laboratory

Creating the Next Generation of Cyber Security Leaders

Richard Hammer

On April 19th, 2007 a warning shot was fired on Capitol Hill acknowledging the failure of our nation's cyber security program. Our national leaders are finally realizing that we cannot ignore this problem any longer.[1]

Two weeks earlier these cyber security failures and solutions were brought forth by Alan Paller in his commencement speech at the first ever SANS Technology Institute's graduation ceremony. His speech was powerful and shocking. He pointed out that, so far, most of the money spent on cyber security has not worked; organized crime, terrorists and nation states have started using computer technology to raise money and position themselves to win information warfare battles:

"President Northcutt, Dr. Eric Cole, Dr. Johannes Ullrich, esteemed faculty, students, guests and all the members of the SANS community that are here tonight, everything that happens tonight will be the beginning of a tradition. The one thing you’ll all be able to say throughout your lives is I was there the night the SANS Technology Institute had its first graduation. What we’re here to commit to is to make that a statement that everyone in the room will be very proud to say because what we are about to do with the SANS Technology Institute is something we hope will make a major difference in the security of our nation and our world. I have some bad news to share with you and some good news to share with you, and then I’ll turn it over to President Northcutt.

The bad news is that many of the things that the alarmists were saying might happen are actually happening. Without going into terrible detail, the organized crime wave growth has dwarfed the business community’s ability to fight back. Organized crime’s use of computer technology to take money is now almost the same as its use of the drug trade to raise money. Nation states have decided that the next war won’t be fought with conventional weapons, so they’re getting ahead of the game by penetrating other nations’ computers to take them over so that when the next war happens, they’ll own the other nations’ computers. Terrorists have discovered that it’s easier to make money to buy the bombs by stealing money from cyber space than it is to get the money by robbing jewelry stores. So we are at this moment in time when most of what we have been doing the last decade or two is about to be seen as having failed. When the idea of the SANS Technology Institute was being talked about, the question was, with a hundred organizations doing graduate degrees in information assurance, what special need was there that we actually would be able to do that others wouldn’t be able to do? What was it that could be done that others couldn’t do? And the answer is leadership. What is going to happen is that there’ll be hearings in two weeks on the Hill that will just shock the nation. What’s about to happen is that the people who lead our country and other countries are just about to, and some of them have over the last few months, discover that, "Oops! We didn’t secure anything." The systems have been open to attack, they’ve been used by our enemies; almost all of the money they’ve been spending on security hasn’t actually worked. And when that happens, three questions get asked, three questions that we’ve known about for a long time, but they weren’t asking them very loudly for a lot of years. The first question they ask is: Well, what do I have to do to protect a computer? The second question is: how much is enough, when do I stop? And the third question is: whom can I trust?

The SANS Technology Institute’s mission is to create that cadre of people who are the answer to the third question. Who can I trust to tell me what do I need to do and how much is enough? What we’re trying to be is the answer to a question that hadn’t been asked very often before, but I believe some of you were smiling when I listed those questions because you’re hearing them exactly that way now. Somebody’s got to be able to answer the question, what do I have to do to protect the systems, how much is enough, and I’m the person that you can trust. The SANS Technology Institute’s purpose in life is to create the people, not ten people, not a hundred people, at least a thousand people, maybe ten thousand people, but the people who can be trusted to answer that question with authority but with the skills to make that authority acceptable to the people who have to make the decisions and allocate the resources and do the hard things that it’s actually going to take to secure the nation. So, I am enormously proud to be up here on this dais with people who are national leaders in security and the people in the faculty equally so, it’s an honor to be here among you. We have a major quest ahead of us. It’s not at all easy. It’s very much troubling when you’ve been telling people for a long time, you ought to be doing something, you ought to be doing something, you ought to be doing something, and they turn around and say, okay, you were right. Now what do I do?

That’s what the next decade is going to be all about, and that’s the role of the SANS Technology Institute, to help create the people who can answer that question."[2]

Alan offered the three questions that will be asked:
  1. What do we have to do to protect our computers?
  2. How much security is enough?
  3. Whom do I trust to answer the first two questions?

A disconnect exists between the people that understand the answers to the first two questions and the people that actually control the resources, those who make the final decisions on cyber security issues. Historical stereotypes never allowed the computer nerd and the upper level managers to mingle, understand and respect each other. Computer nerds do not dress, talk or act like managers. Their cubicles are located in the basement server rooms, far away from public view. Upper level managers dress for success, speak in a politically correct manner, and live in nice offices with secretaries that manage their schedule. Seldom will a nerd ask for or be granted a meeting with upper level managers unless dire problems exist.

To answer the current cyber security wake-up call it is imperative that we bridge this gap between the technical experts and upper level managers, either by giving managers more technical skills or by giving technical people better leadership skills.

The SANS Technology Institute's (STI) sole purpose is to create the next generation of cyber security leaders, people with both the technical ability and the communication skills to speak with authority on cyber security solutions. STI currently offers two degrees: the Master of Science in Information Security Management (MSISM) is designed to give managers more technical skills, and the Master of Science in Information Security Engineering (MSISE) is designed to give technical people better leadership skills.

Being the first STI MSISE I am in a unique position to address how STI plans to create the next generation of cyber security leaders. First and foremost, STI calls on the expert SANS instructors to give, in my opinion, the best technical cyber security training available. Both degree programs require a mix of technical courses and management courses, but it is the community project requirement that is going to mold the next generation of cyber security leaders.

The STI community project requirements are designed to take the student out of their comfort zone and make them perform. To earn the MSISM and MSISE degrees, students are required to work together, overcome obstacles, and perform under pressure to deliver products.

The first residential institute requires students to work from 6AM until 9PM for a week at a large SANS conference. It is a taxing experience to do all that is required to run a large conference: setting up, stocking and working the bookstore, registering students, being a traffic cop, working the door of a classroom, volunteering for evening courses, working evening events, and figuring out how to get something to eat for lunch since you will be watching the instructor's computer during the lunch break. At some point during the week, an hour break will be granted so the student can give a presentation on one of their gold papers. Photographers will be snapping pictures, distracting your attention from the audience, the very people that are grading the presentation. Preparation is the key to success since the topic of the presentation was chosen months in advance, yet no time is available during the conference for presentation refinement or practice. The entire week is an exercise in working hard, getting along, and helping the conference succeed. It is truly amazing how SANS can run these large conferences with a mostly volunteer work force.

The group project is assigned at another residential institute. Everything about the group project is unknown until you arrive at the conference, including the topic, partners, time frame, location and make-up of the audience. Once the topic is assigned the group will have 24 hours to write a paper, executive summary, and presentation for the topic. The group then must choose one person to give the presentation; this is more difficult than imagined since everyone in the program wants to be the leader. Once the presenter is selected, a location will be determined; in my case an unsuspecting GCIA class was selected to be my audience. Everything about the group written project requires interaction, cooperation, and negotiation; the research is the easy part. Picking the correct person to present is a difficult and important decision since a passing grade cannot be achieved if the presenter bombs; since everyone wants to control their own destiny, this part of the project could be the most challenging for future students.

The joint written project is similar to the group project except that team members will be located in different time zones. All communication will be via e-mail, phone, or instant messenger. A topic is assigned and the group will have 30 days to deliver the project. The group creates a timeline and the project progress is tracked using project management tools. Coordinating the activities of people with different skills, who also live in different time zones and have different schedules, requires a complete team effort.

The final residential institute requires creating and presenting another gold topic. The student will work closely with STI staff refining their presenting skills and fixing mistakes made during the first presentation. This is the step where the geek is beaten out of the MSISEs and STI students are taught how to prepare a great presentation. I was very fortunate to be able to work with Alan Paller, probably because I had a lot of geek to be beaten out of me. He raised my ability to reach people by giving me some simple advice, "Give them what they need in a form they can understand it." STI students learn how to prepare a talk for the audience instead of for themselves! At the conference, STI students will proctor a technical track and work on their tutoring skills. A week of helping SANS students requires technical understanding of the material, as well as good communication skills and patience.

One of the most satisfying community requirements is presenting the "Stay Sharp Course" in the student's local community. This requires finding a location to sponsor the presentation and selling the idea. I was fortunate that the Los Alamos Small Business Center was willing to host the event for me. It was an eye opening experience to teach a class and see people begin to understand what is required to really secure a system or network.

Requiring MSISEs to take the management courses forces the nerds to face project management, policy, and leadership training. For the first time in my career I understand that "Out of Scope" does not mean it is not important, just that it was not included in the project. The policy course shows that policies and procedures do not need to be cumbersome if written properly. The leadership course forces students to understand and acknowledge that leadership is a skill that can be learned.

The next generation of cyber security leaders must understand the technology and be able to communicate. A Google search shows that top level DoD cyber security positions require the following skills:
  • Review system/enclave/network design for potential security concerns
  • Design/Develop or Select IA products for integration and use
  • Ensure OS and Software Apps adequately address security concerns
  • Develop requirements/select cross domain solution
  • Design/Develop Cross Domain Solutions
  • Design/Develop High Integrity or High Availability systems
  • Provide Security Engineering Support to Developers
  • Develop Interface specs
  • Develop system level mitigation plans (risk balancing)
  • Monitor IAVA and other notices for impact on design during development and are implemented on delivery
  • Assess Threats/Vulnerabilities of System/Enclave/Network
  • Assess effectiveness of Protection measures
  • Design/Develop/Conduct Certification and Accreditation Testing
  • Develop C&A Documentation (SSAA, CONOPS, Security Architecture, Privileged Users Guide, Requirements Traceability Matrix, System Specific Incident Handling Plan, System Specific Backup and Recovery Plan, System-level COOP Plan, General User Security Features Guide, System Specific Security Training for Privileged and General Users)
  • Handle security violations/incidents during development/implementation (pre-operation)
  • Integrate system/enclave into existing security architectures

Suddenly top level cyber security directors must have good technical skills; no longer will only being politically savvy qualify someone as a cyber security director. Students who successfully complete the STI graduate program will be armed with the skills required to lead us out of the current cyber security emergency.

2. Transcribed text of Alan Paller's speech given at SANS Technology Institute graduation ceremony, April 3, 2007, San Diego, CA.