Cybersecurity Management - Leading Change

What You Will Learn

Build and Measure a Strong Security Culture to Secure Your Workforce.

Cybersecurity management is no longer just about technology. It is ultimately about organizational change - change not only in how people think about security but in what they prioritize and how they act, from the Board of Directors to every corner of the organization. Organizational change is a field of management study that enables leaders to analyze, plan, and then improve their operations and structures by focusing on people and culture.

Drawing on real-world lessons from around the world, the SANS MGT521 course will teach you how to leverage the principles of organizational change in order to develop, maintain, and measure a security-driven culture. Through hands-on instruction and a series of interactive labs and exercises, you will apply the concepts of organizational change to a variety of different security initiatives and quickly learn how to embed security into your organization's culture.

MGT521: Leading Cybersecurity Change: Building a Security-Based Culture WILL PREPARE YOU TO:

More effectively communicate to your Board of Directors and executives, collaborate with your peers, and engage your workforce
Explain what culture is, its importance to cybersecurity, and how to map and measure both your organization's overall culture and security culture
Align your cybersecurity culture to your organization's strategy, including how to leverage different security frameworks and maturity models
Explain what organizational change is, identify different models for creating change, and learn how to apply those models
Enable and secure your workforce by integrating cybersecurity into all aspects of your organization's culture
Dramatically improve both the effectiveness and impact of large-scale security initiatives
Create and effectively communicate business cases to leadership and gain their support for your security initiatives and security in general
Leverage numerous templates and resources from the Digital Download Package and Community Forum that are part of the course and which you can then build on right away

LAB INFORMATION

This five-session course includes 17 interactive labs that walk you through exercises and apply the lessons learned to a variety of typical real-world situations and challenges. Many of the labs are carried out as teams, ensuring that you learn not only from the course materials but from other students and their experiences. Culture is a very human and global challenge, and as such we want to expose you to as many different situations and perspectives as possible. No Laptop Required. "Labs" are group case studies with no computers needed.

NOTICE TO STUDENTS

The course is recommended for more senior and/or more experienced cybersecurity managers, officers, and awareness professionals. If you are new to cybersecurity, we recommend some of SANS's more basic courses, such as SEC301, SEC401, or MGT433.

WHAT YOU WILL RECEIVE

Printed Course Books
Digital Download Package: A collection of templates, checklists, matrices, reports, and other resources that will help you in your cybersecurity career. This package is continually updated and is based on resources that real cybersecurity leaders have used in developing their own cybersecurity cultures. Why reinvent the wheel when you can reuse or reshape what has worked for others!
Community Forum: An opportunity to join the private, invitation-only Community Forum dedicated to the human element. The forum currently has over 1,500 active members!
One 90-day license to the full SSA library of content. Read the FAQ here.

ADDITIONAL RESOURCES

For those of you who are looking to get involved in this field, or are already involved but looking to grow, consider reading this blog on how to develop your career path.
Rekt Casino Hack Assessment Transformational Series Feeble Security Culture Disconnected from Business Objectives
Transformational Cybersecurity Leadership Triad

WHAT TO TAKE NEXT

MGT512: Security Leadership Essentials for Managers

MGT514: Security Strategic Planning, Policy, and Leadership

SANS Video

Syllabus (30 CPEs)

Download PDF

Overview
Section 1 begins by demonstrating how cybersecurity management is ultimately about organizational change. Technology alone will no longer solve security problems. We explain what culture is and how it applies to cybersecurity, how to map your organization's overall culture, and then determine the security culture you want and how to align it with your organization's culture. We will then cover organizational change and different models for changing an organizational culture.
Exercises
- Exercise 1.1: Map Your Organization's Culture
- Exercise 1.2: Survey Your Security Culture
- Exercise 1.3: Define Your Desired Security Culture
- Case Study: Project Charter: Vulnerability Management Case Study
Topics
- Human Side of Security
- Case Study - Equifax Congressional Report
- Defining Culture
- Mapping Organizational Culture
- Defining and Mapping Security Culture
- Identifying Desired Security Culture
- Defining and Leveraging Change Management Frameworks
- Project Charters
Overview
Section 2 focuses on motivating people and explaining the "why" in change. Far too often, security fails because it dictates what people must do and how to do it but never explains why. As a result, there is a great deal of resistance to attempts to change workforce behavior and implement security initiatives such as DevSecOps or vulnerability management. In this section, we'll walk you through the key elements of explaining why change is needed, including leveraging marketing models, implementing incentive programs, and targeting both specific and global audiences.
Exercises
- Exercise 2.1: Password Management Deployment
- Exercise 2.2: Developer Personas
- Exercise 2.3: Marketing DevSecOps
Topics
- Safety: Survive vs. Thrive
- Start With Why
  - WIIFM
- Know Your Audience
  - Marketing Personas
- Marketing Change
  - AIDA Marketing Model
- Motivating Global Change
  - Security Ambassadors
- Incentivizing Change
  - Recognition
- Motivating Stakeholders
  - Stakeholder Support Matrix
Overview
Communicating with people and engaging and motivating them is only half the battle. We also have to enable people to change. This begins with imparting knowledge - that is, training people and providing them with the skills to be successful. We then simplify what is expected of them by making security as easy as possible. Far too often, the policies, processes, and procedures we create are complex, intimidating, or difficult to follow. Finally, we'll cover how to track, measure, and communicate the impact of your change.
Exercises
- Exercise 3.1: Learning Objectives
- Exercise 3.2: Human Sensor Network
- Exercise 3.3: Security Culture Survey Design
Topics
Cognitive Biases
- Curse of Knowlege
Building Knowledge
- ADDIE Model
- Learning Objectives
- Kirkpatrick Evaluation Model
Simplifying Security
- System 1 vs. System 2
- Choice Overload/Defaults
- Policy Design
Measuring Change
- Capturing Metrics
- Communicating Metrics
Overview
Up to this point we have covered how to communicate with your workforce and engage and motivate various departments. In this section we cover how to do the same thing with your business leadership. A strong cybersecurity culture depends on the support of your executives, but to get their support you have to speak their language. In this section we cover the key elements and frameworks for putting together a high-impact business case, including a dive into financials.
Exercises
- Exercise 4.1: Develop a Clear Business Case
- Exercise 4.2: Create a Multi-Year Budget
Topics
Building Your Business Case
- Anatomy of a Business Case
- Executive Summary
- Definition of the Problem
- Comparison of Solutions
- Recommendation
- Moving Your Business Case Forward
Financing Your Business Case
- Finance 101
- CFO 101
Communicating Your Business Case
What Will This Make Possible?
Overview
In this final course section you will combine and apply everything you have learned through a series of labs. Your mission is to work as teams to make some very tough decisions as you attempt to secure Linden Insurance during a crisis. The decisions you and your team make in each lab will impact your team's Culture Score. Each of the six labs builds on the previous labs, with the decisions you make in each lab impacting not only your score but what decisions you can make in future labs - just like in real life!
Exercises
- Exercise 5.1: Define Culture
- Exercise 5.2: Identify and Define Training Topics
- Exercise 5.3: How to Engage and Motivate
- Exercise 5.4: How to Train and Enable
- Exercise 5.5: Define Metrics
- Exercise 5.6: Create and Present a Business Case

Prerequisites

Three to five years of experiences in cybersecurity
Having taken SANS MGT433: SANS Security Awareness: How to Build, Maintain, and Measure a Mature Awareness Program, while not required, will be helpful. In addition, MGT521 is aligned with and designed to complement and partner both MGT512: Security Leadership Essentials for Managers and MGT514 : Security Strategic Planning, Policy, and Leadership.

Author Statement

"For far too long, cybersecurity has been perceived as purely a technical challenge. Organizations and leaders are now realizing that we also have to address the human side of cybersecurity management. From securing your workforce's behavior to engaging and training developers, IT staff, and other departments, security today depends on your ability to engage and partner with others. In other words, your security culture is becoming just as important as your technology. MGT521 will provide the frameworks, roadmaps, and skills you need to successfully embed a comprehensive, organization-wide cybersecurity culture. In addition, the course will provide you the resources to measure and communicate the impact to members of your leadership, ensuring their long-term support."

- Lance Spitzner and Russell Eubanks

"Lance has the best knowledge and experience to share in this field." - Lindsay O'Bannon, Deloitte Global

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend MGT521?

Chief Information Security Officers
Chief Risk Officers/Risk Management Leaders
Security Awareness/Engagement Managers
Senior Security Managers Who Lead Large-scale Security Initiatives
Information Security Managers, Officers, and Directors
Information Security Architects and Consultants
Aspiring Information Security Leaders
Business Continuity/Disaster Recover Leaders
Privacy/Ethics Officers

"Lots of great take away material, it wasn't bloated and drove home the messaging effectively." - Mike Melo, LifeLabs

See prerequisites

Reviews

Lance was fantastic! He made the course super engaging and covered all information thoroughly, making sure to draw in and leverage student experience to make the course richer.

Anna Troutman

Entertaining and thought provoking and helped me understand what actions I can take to change the culture of my company.

Kevin Nicholl

Entertaining and thought provoking and helped me understand what actions I can take to change the culture of my company.

Kevin Nicholl

I am just so happy with this material focusing on embedding secure values into our global culture - exactly what my company needs help with NOW.

Lindsay O'Bannon

Deloitte Global

MGT521: Leading Cybersecurity Change: Building a Security-Based Culture

Course Authors:

Lance Spitzner

Russell Eubanks

What You Will Learn

Syllabus (30 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Prerequisites

Author Statement

Ways to Learn

Who Should Attend MGT521?

Reviews

Find ways to take this course