LDR521: Leading Cybersecurity Change: Building a Security-Based Culture

  • In Person (5 days)
  • Online
30 CPEs

Cybersecurity leadership is no longer just about technology. It is ultimately about organizational change - change not only in how people think about cybersecurity but in what they prioritize and how they act, from the Board of Directors to every corner of the organization. Students will learn how to build, manage, and measure a strong cybersecurity culture by leveraging the latest in organizational change models and real-world lessons learned. In addition, students will apply everything they learn through a series of 16 interactive labs and case studies.

What You Will Learn

IMPORTANT NOTICE: SANS is in the process of changing course prefixes from "MGT" to "LDR". There is no change in course content or pricing. MGT521 will run through August 31, 2023, then LDR521 will run thereafter. Course books may reflect the "MGT" prefix even for "LDR" classes of the course during the transition. If you would like to take the course before August 31, 2023 or via OnDemand, please visit the MGT521 course page.

Build and Measure a Strong Security Culture

Drawing on real-world lessons from around the world, the SANS LDR521 course will teach you how to leverage the principles of organizational change to develop, maintain, and measure a security-driven culture. Through hands-on instruction and a series of interactive labs and exercises, you will apply these concepts to a variety of real-world security initiatives and learn how to embed cybersecurity into your organization's culture immediately.

Apply findings from Daniel Kahneman's Nobel Prize-winning research, Thaler and Sunstein's Nudge Theory, and Simon Sinek's Golden Circle. Learn how Spock, Homer Simpson, the Elephant and Rider, and the Curse of Knowledge are all keys to building a strong cybersecurity culture at your company.

"This content is helping bring back concepts that get forgotten when you go from a doer to a senior leadership role. It brought back good concepts and a way to utilize them in the Security Context as well as getting leadership to think differently." - Michael Neuman


  • Create a far more secure workforce, both in their attitudes about cybersecurity and also in employee behaviors
  • Enable the security team to create far stronger partnerships with departments and regions throughout the organization
  • Dramatically improve the ROI of cybersecurity initiatives and projects through increased success and impact
  • Improve communication between the cybersecurity team and business leaders
  • Create stronger and more positive attitudes, perceptions and beliefs about the cybersecurity team


  • More effectively communicate the business value of cybersecurity to your Board of Directors and executives, improve collaboration with your peers, and more effectively engage your workforce
  • Explain what organizational culture is, its importance to cybersecurity, and how to map and measure both your organization's overall culture and security culture
  • Align your cybersecurity culture to your organization's strategy, including how to leverage different security frameworks and maturity models
  • Explain what organizational change is, identify different models for creating change, and learn how to apply those models
  • Enable and secure your workforce by integrating cybersecurity into all aspects of your organization's culture
  • Dramatically improve both the effectiveness and impact of your security initiatives, such as DevSecOps, Cloud migration, Vulnerability Management, Security Operations Center and other related security deployments
  • Create and effectively communicate business cases to leadership and gain their support for your security initiatives
  • Measure your security culture and present the impact of a strong security culture to leadership
  • Leverage numerous templates and resources from the Digital Download Package and Community Forum that are part of the course and which you can then build on right away


This five-section course includes 16 interactive labs that walk you through exercises and apply the lessons learned to a variety of typical real-world security situations and challenges. Many of the labs are carried out as teams, ensuring that you learn not only from the course materials but from other students and their experiences. Finally, the last section is a capstone event as you work through a series of case studies to see which team can create the strongest security culture. Culture is a very human and global challenge, and as such we want to expose you to as many different situations and perspectives as possible.

No Laptop Required. "Labs" are group case studies with no computers needed.

"Labs are applicable to the coursework and can be used at my workplace immediately." - Jerome C., US Military

"I love the way each lab built on previous topics covered culminating in the last day where we could apply everything we learnt. Every time we did a lab they were well explained and at no time did I feel rushed, or like we had too much time to complete them." - Helen Bupa, IPLS

"Labs today were fun. Made me think with a focused intent." - Chad Yancey


  • Section 1: Learn the fundamentals of organizational culture, security culture and organizational change.
  • Section 2: Communicate to, engage with, and motivate your workforce so cybersecurity is perceived as a positive enabler
  • Section 3: Train and enable your workforce so cybersecurity is simple for them.
  • Section 4: Learn how to build a business case for leadership, gaining their support for your security initiatives
  • Section 5: Apply everything you have learned in a series of five case-studies, competing as teams to see which team can build the strongest cybersecurity culture.


The course is recommended for more senior and/or more experienced cybersecurity leaders, managers, officers, and awareness professionals. If you are new to cybersecurity, we recommend some of SANS's more fundamental courses, such as SEC301: Introduction to Cyber Security, SEC401: Security Essentials: Network, Endpoint, and Cloud, or MGT433: Managing Human Risk: Mature Security Awareness Programs.


  • Printed Course Books
  • Digital Download Package: A collection of templates, checklists, matrices, reports, and other resources that will help you in your cybersecurity career. This package is continually updated and is based on resources that real cybersecurity leaders have used in developing their own cybersecurity cultures. Why reinvent the wheel when you can reuse or reshape what has worked for others!
  • Community Forum: An opportunity to join the private, invitation-only Community Forum dedicated to the human side of cybersecurity. The forum currently has over 2,000 active professionals from around the world!
  • One 90-day license to the entire SANS Security Awareness EndUser content library including sample learning paths.


For additional cybersecurity leadership training courses, please visit our main SANS Cybersecurity Leadership curriculum page.

Syllabus (30 CPEs)

  • Section 1 Overview

    Section 1 begins by demonstrating how cybersecurity is no longer just about technology but also about culture. We explain what organizational culture is, why it is so important, and how it applies to cybersecurity. We then demonstrate how to map your organization's overall culture, identify your organization's current security culture, then determine the security culture you want to achieve. We will then cover organizational change and how to achieve your desired, strong security culture.

    • 1.1: Map Your Organization's Culture
    • 1.2: Survey Your Security Culture
    • 1.3: Define Your Desired Security Culture
    • Case Study: Project Charter: Vulnerability Management Case Study

    Human Side of Security

    Case Study - Equifax Congressional Report

    Defining Culture

    Mapping Organizational Culture

    Defining and Mapping Security Culture

    Identifying Desired Security Culture

    Defining and Leveraging Change Management Frameworks

    • ADKAR
    • Kotter 8 Steps
    • CPNI's 5Es

    Project Charters

  • Section 2 Overview

    Section 2 focuses on motivating people and explaining the "why" of cybersecurity. Far too often, security fails because security teams simply mandate what people must do and how to do it but never explain why. As a result, there is a great deal of resistance to attempts to change workforce behavior and implement security initiatives such as DevSecOps or vulnerability management. In this section, we'll walk you through the key elements of explaining why change is needed, including leveraging marketing models, implementing incentive programs, and targeting both specific and global audiences.

    • 2.1: Password Management Deployment
    • 2.2: Developer Personas
    • 2.3: Marketing DevSecOps

    Safety: Survive vs. Thrive

    Start With Why

    • WIIFM

    Know Your Audience

    • Marketing Personas

    Marketing Change

    • AIDA Marketing Model

    Motivating Global Change

    • Security Ambassadors

    Incentivizing Change

    • Recognition

    Motivating Stakeholders

    • Stakeholder Support Matrix
  • Section 3 Overview

    Section 3 begins with enabling and the concept of the Curse of Knowledge. Communicating to and engaging people is only half the battle. We also have to enable people so security is simple for them. This begins with imparting knowledge - that is, training people and providing them with the skills to be successful. We then simplify what is expected of them by making security as easy as possible. Far too often, the policies, processes, and procedures we create are complex, intimidating, or difficult to follow. Finally, we'll cover how to track, measure, and communicate the impact of your change

    • 3.1: Learning Objectives
    • 3.2: Human Sensor Network
    • 3.3: Security Culture Survey Design

    Cognitive Biases

    • Curse of Knowledge

    Building Knowledge

    • ADDIE Model
    • Learning Objectives
    • Kirkpatrick Evaluation Model

    Simplifying Security

    • System 1 vs. System 2
    • Choice Overload/Defaults
    • Policy Design

    Measuring Change

    • Capturing Metrics
    • Communicating Metrics
  • Section 4 Overview

    Up to this point we have covered how to communicate to, engage and motivate your workforce. In this section we cover how to do the same thing but with your business leadership. A strong cybersecurity culture depends on the support of your executives, but to get their support you have to speak their language. In this section we cover the key elements and frameworks for putting together a high-impact business case, including a dive into financials.

    • 4.1: Develop a Clear Business Case
    • 4.2: Create a Multi-Year Budget


    Building Your Business Case

    • Anatomy of a Business Case
    • Executive Summary
    • Definition of the Problem
    • Comparison of Solutions
    • Recommendation
    • Moving Your Business Case Forward

    Financing Your Business Case

    • Finance 101
    • CFO 101

    Communicating Your Business Case

    • What to present
    • How to present

    What Will This Make Possible?

  • Section 5 Overview

    In this final course section you will combine and apply everything you have learned through a series of interactive, team labs. Your mission is to work as teams to make some very tough decisions as you attempt to create a strong security culture at Linden Insurance. The decisions you and your team make in each lab will impact your team's Culture Score. Each of the five labs builds on the previous labs, with the decisions you make in each lab impacting not only your score but what decisions you can make in future labs - just like in real life!

    • 5.1: Define Culture
    • 5.2: Identify and Define Training Topics
    • 5.3: How to Engage and Motivate
    • 5.4: How to Train and Enable
    • 5.5: Create and Present a Business Case


Author Statement

"For far too long, cybersecurity has been perceived as purely a technical challenge. Organizations and leaders are now realizing that we also have to address the human side of cybersecurity. From securing your workforce's behavior to engaging and training developers, IT staff, and other departments, security today depends on your ability to engage and partner with others. In other words, your security culture is becoming just as important as your technology. LDR521 will provide the frameworks, roadmaps, and skills you need to successfully embed a comprehensive, organization-wide cybersecurity culture. In addition, the course will provide you the resources to measure and communicate the impact to members of your leadership, ensuring their long-term support."

- Lance Spitzner and Russell Eubanks

"Lance has the best knowledge and experience to share in this field." - Lindsay O'Bannon, Deloitte Global
