LDR512: Security Leadership Essentials for Managers

GIAC Security Leadership (GSLC)
  • In Person (5 days)
  • Online
30 CPEs

Security leaders need both technical knowledge and leadership skills to gain the respect of technical team members, understand what technical staff are actually doing, and appropriately plan and manage security projects and initiatives. This security managers training course will teach leaders about the key elements of any modern security program. Learn to quickly grasp critical cybersecurity issues and terminology, with a focus on security frameworks, security architecture, security engineering, computer/network security, vulnerability management, cryptography, data protection, security awareness, application security, DevSecOps, cloud security, and security operations. This is more than security training. You will learn how to lead security teams and manage programs by playing through twenty-three Cyber42 activities throughout the class, approximately 60-80 minutes daily.

What You Will Learn

What is Security Management?

Security management is all about managing information risk. This means that you need the appropriate level of technical knowledge and leadership skills to gain the respect of technical team members, understand what technical staff are actually doing, and appropriately plan and manage security projects and initiatives. This is a big and important job that requires an understanding of a wide array of security topics. Being an effective security leader requires you to get up to speed quickly on information security issues and terminology to build a modern security program. Creating a high-performing security team means that you can anticipate what security capabilities need to be built to enable the business and mitigate threats.

Leading Security Initiatives to Manage Information Risk

Take this security management course to learn the key elements of any modern security program. LDR512 covers a wide range of security topics across the entire security stack. Learn to quickly grasp critical information security issues and terminology, with a focus on security frameworks, security architecture, security engineering, computer/network security, vulnerability management, cryptography, data protection, security awareness, application security, DevSecOps, cloud security, and security operations.

The training course uses the Cyber42 leadership simulation game to put you in real-world scenarios that spur discussion and critical thinking of situations that you will encounter at work. Throughout the class you will participate in twenty-three Cyber42 activities.

"I would recommend this course as it is a great intro to both the business and technical aspects of aspiring CISO work." - Ian D., US Military

Business Takeaways

This course will help your organization:

  • Develop leaders that know how to build a modern security program
  • Anticipate what security capabilities need to be built to enable the business and mitigate threats
  • Create higher performing security teams

Skills Learned

  • Make sense of different cybersecurity frameworks
  • Understand and analyze risk
  • Understand the pros and cons of different reporting relationships
  • Manage and lead technical teams and projects
  • Build a vulnerability management program
  • Inject security into modern DevOps workflows
  • Strategically leverage a SIEM
  • Lead a Security Operations Center (SOC)
  • Change behavior and build a security-aware culture
  • Effectively manage security projects
  • Enable modern security architectures and the cloud
  • Build security engineering capabilities using automation and Infrastructure as Code (IaC)
  • Get up to speed quickly on information security issues and terminology
  • Establish a minimum standard of security knowledge, skills, and abilities
  • Speak the same language as technical security professionals

Hands-On Security Manager Training

This leadership-focused security training course uses case scenarios, group discussions, team-based exercises, in-class games, and a security leadership simulation to help students absorb both technical and management topics.

About 60-80 minutes per day is dedicated to these learning experiences using the Cyber42 leadership simulation game.

This web application-based game is a continuous tabletop exercise where students play to improve security culture, manage budget and schedule, and improve security capabilities at a fictional organization. This puts you in real-world scenarios that spur discussion and critical thinking about situations that you will encounter at work.

  • Section 1: Cyber42 Watt's Warehouse Company Overview, Calibration Lab, Round 1 Initiative Selection, Events 1-3: Whither Watt's Warehouse, Institutionalizing Security, Board Briefing
  • Section 2: Cyber42 Round 1 Events 4-6: Network Security Implementation, End User Security, To Serve and Protect
  • Section 3: Cyber42 Round 2 Initiative Selection, Round 2 Events 7-10: Industry Breach, Shadow IT, Security Misconfiguration, Miracle on DevOps Way
  • Section 4: Cyber42 Round 3 Initiative Selection, Round 3 Events 11-14: Patching Problems, Let It Be Known!, Tough Negotiations, Managing Resistance
  • Section 5: Cyber42 Round 4 Initiative Selection, Round 4 Events 15-18: New Guy in Town, Cost Cutting, Ransomware Response, Opportunity Knocks

"The [Cyber42] 'game' we are playing makes you think about real world problems and the different teams show how different groups will come up with their own solutions for the same problem. One of the few 'games' that actually forces some decisions based on previous decisions." - Max H., US Military

"I'm really enjoying the flow between the content delivery and the Cyber42 game." - Jamil A., US Government

"Loved the Cyber 42 game. Lots to think about when playing." - Doris Landreville, CSE

Syllabus Summary

  • Section 1 - Governance to plan your security program
  • Section 2 - Architecture to design your security capabilities
  • Section 3 - Engineering to build your security capabilities
  • Section 4 - Build and lead the team, process, and culture
  • Section 5 - Run operations to manage and mitigate attacks

What You Will Receive

  • Electronic courseware containing the entire course content
  • Printed course books
  • Access to the Cyber42 security leadership simulation web app
  • MP3 audio files of the complete course lecture

What Comes Next

NOTE: Some course material for SEC401 and LDR512 may overlap. SANS recommends SEC401 for those interested in a more technical course of study, and LDR512 for those primarily interested in a leadership-oriented but less technical learning experience.

Syllabus (30 CPEs)

  • Overview

    The course starts with a tour of the information that effective security managers and leaders must know to function in the modern security environment. This includes an understanding of the different types of cybersecurity frameworks available to structure your security team and program. Risk is central to effective information security management, so we'll discuss key risk concepts in order to lay the foundation for effective risk assessment and management. Security policy is a key tool that security managers use to manage risk. We'll cover approaches to policy to help you plan and manage your policy process. Finally, we'll discuss security functions, reporting relationships, and roles and responsibilities to give the advancing manager a view into effective security team and program structure.

    • Cyber42 Watt's Warehouse Company Overview
    • Calibration Lab
    • Cyber42 Round 1 Initiative Selection
    • Cyber42 Round 1 Event #1: Whither Watt's Warehouse
    • Cyber42 Round 1 Event #2: Institutionalizing Security
    • Cyber42 Round 1 Event #3: Board Briefing

    Security Frameworks

    • Control, Program, and Risk Frameworks

    Understanding Risk

    • Risk Concepts
    • Calibration
    • Risk Assessment and Management

    Security Policy

    • Purpose of Policy
    • Risk Appetite Statement
    • Policy Planning
    • Managing Policy

    Program Structure

    • Reporting Relationships
    • Three Lines of Defense
    • Roles and Responsibilities
    • Security Functions
  • Overview

    Section Two provides coverage of traditional and modern security architectures focused on technical topics. This includes a thorough discussion of network security that is modeled around the various layers of the network stack. As modern attacks are also focused on computing devices, we cover malware and attack examples along with corresponding host security controls for the endpoint and server. The cloud is a major initiative that is changing the way many organizations operate and design their controls. To get ready for these initiatives, we provide an overview of Amazon Web Services (AWS) to serve as a reference point and discuss key cloud security issues. The cloud, the rise of mobile devices, and other factors are highlighting weaknesses in traditional, perimeter-oriented security architecture, which leads into a discussion of the Zero Trust Model.

    • Cyber42 Round 1 Event #4: Network Security Implementation
    • Cyber42 Round 1 Event #5: End User Security
    • Cyber42 Round 1 Event #6: To Serve and Protect

    Security Architecture Overview

    • Models and Trends
    • Security Architecture Frameworks
    • Cyber Defense Matrix

    Network Security

    • Layer 1 and 2

      • Overview and Attacks
    • Layer 3

      • VPNs and IPSec
    • Layer 4

      • TCP and UDP
    • Application Layer

      • Proxies, NGFW, IDS/IPS, NSM

    Host Security

    • Malware and Attack Examples
    • Host Security Controls

      • EPP, EDR, HIDS/HIPS, FIM, Allowlisting, Sandboxing

    Cloud Security

    • Cloud Security Fundamentals
    • AWS Security Reference Architecture
    • AWS Overview
    • Cloud Security Attack Example and Controls
    • Cloud Security Tools

      • CSPM, CWPP, CASB
    • Cloud Security Models

      • Cloud Security Alliance (CSA) Guidance, Well-Architected Frameworks, Cloud Adoption Frameworks

    Zero Trust

    • Principles and Best Practices
    • Zero Trust Network Access (ZTNA)
    • Variable Trust
  • Overview

    Section Three focuses on security engineering best practices. This includes building an understanding of cryptography concepts, encryption algorithms, and applications of cryptography, which are foundational elements of building any secure system. Since encrypting data alone is not sufficient, we discuss the distinction between privacy and security to give managers a primer on key privacy concepts. Managers must also be knowledgeable about software development processes, issues, and application vulnerabilities. We cover application security and leading development processes built on DevSecOps. Current engineering approaches also include modern Infrastructure as Code (IaC) approaches and tools to automate consistent deployment of standard configurations.

    • Cyber42 Round 2 Initiative Selection
    • Cyber42 Round 2 Event #7: Industry Breach
    • Cyber42 Round 2 Event #8: Shadow IT
    • Cyber42 Round 2 Event #9: Security Misconfiguration
    • Cyber42 Round 2 Event #10: Miracle on DevOps Way

    Security Engineering

    • Overview

    Data Protection

    • Cryptography Concepts

      • Confidentiality, Integrity, Authentication, Non-Repudiation
    • Encryption Algorithms

      • Symmetric, Asymmetric, Key Exchange, Hashing, Digital Signature
    • Encryption Applications

      • TLS, PKI, Blockchain, Quantum

    Privacy Primer

    • Privacy and Security
    • Requirements and Regulations

    Privacy Engineering

  • Overview

    Section Four covers what managers need to know about leading security initiatives. Every security leader should know how to build a vulnerability management program and the associated process to successfully find and fix vulnerabilities. Additionally, security awareness is a huge component of any security program that helps drive activities to change human behavior and create a more risk-aware and security-aware culture. To implement new initiatives, security leaders must also develop negotiation skills and conduct thorough analysis of vendors. Finally, for any project or initiative, security leaders must also be able to drive effective project execution. Having a well-grounded understanding of management and leadership practices makes it easier to move your projects forward.

    • Cyber42 Round 3 Initiative Selection
    • Cyber42 Round 3 Event #11: Patching Problems
    • Cyber42 Round 3 Event #12: Let It Be Known!
    • Cyber42 Round 3 Event #13: Tough Negotiations
    • Cyber42 Round 3 Event #14: Managing Resistance

    Vulnerability Management

    • PIACT Process
    • Prioritizing Vulnerabilities

      • Common Vulnerability Scoring System (CVSS)
    • Finding and Fixing Vulnerabilities
    • Communicating and Managing Vulnerabilities

    Security Awareness

    • Maturity Model
    • Human Risks

    Negotiations Primer

    • Negotiations Strategies

    Vendor Analysis

    • Product Analysis and Selection
    • Analytical Hierarchy Process (AHP)

    Managing and Leading Teams

    • Managing Projects
    • Leading Teams
    • Going From Good to Great
  • Overview

    Section Five focuses on detection and response capabilities. This includes gaining appropriate visibility via logging, monitoring, and strategic thinking about a security information and event management (SIEM) system. Once implemented, the logs in a SIEM are a core component of any Security Operations Center (SOC). We'll discuss the key functions of a SOC along with how to manage and organize your organization's security operations. The incident response process is discussed in relation to identifying, containing, eradicating, and recovering from security incidents. This leads into a discussion of longer-term business continuity planning and disaster recovery. Managers must also understand physical security controls that, when not implemented appropriately, can cause technical security controls to fail or be bypassed.

    • Cyber42 Round 4 Initiative Selection
    • Cyber42 Round 4 Event #15: New Guy in Town
    • Cyber42 Round 4 Event #16: Cost Cutting
    • Cyber42 Round 4 Event #17: Ransomware Response
    • Cyber42 Round 4 Event #18: Opportunity Knocks

    Logging and Monitoring

    • SIEM Deployment Best Practices

    Security Operations Center (SOC)

    • SOC Functional Components
    • Models and Structure
    • Tiered vs. Tierless SOCs
    • Managing and Organizing a SOC

    Incident Handling

    • PICERL Process
    • Incident Handling Lifecycle

    Contingency Planning

    • Business Continuity Planning (BCP)
    • Disaster Recovery (DR)

    Physical Security

    • Issues and Controls

GIAC Security Leadership

The GIAC Security Leadership (GSLC) certification validates a practitioner's understanding of governance and technical controls focused on protecting, detecting, and responding to security issues. GSLC certification holders have demonstrated knowledge of data, network, host, application, and user controls along with key management topics that address the overall security lifecycle.

  • Building a security program that meets business needs
  • Managing security operations and teams
  • Managing security projects and the lifecycle of the program

This security management course covers the core areas of security leadership and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, the recommended starting point is the SEC301: Introduction to Information Security course. While SEC301 is not a prerequisite, it will provide the introductory knowledge to maximize the experience with LDR512.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable them.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Technical professionals who are thrust into management roles need to learn how to convey security concepts in ways that non-technical people can understand. At the same time, managers who are new to security need to learn more about the different domains of cybersecurity. In both cases, there is a need to learn about the work of managing security. That is why this security manager course focuses on the big picture of securing the enterprise, from governance all the way to the technical security topics that serve as the foundation for any security manager. Ultimately, the goal of the course is to ensure that you, the advancing manager, can make informed choices to improve security at your organization."

- Frank Kim

"Frank was outstanding. Easy to follow. It shows that he has done this for a long time and was a very good instructor." - Ed Moore, Moore Consulting


"This course continues to challenge and develop leadership capabilities to better prepare individuals to help their organizations thrive within the cyberspace." - Christopher Burk, Southern California Edison

"The content makes us truly understand why and what we should be doing as a cybersecurity leader." - Saranya Mekratri, Bank of Thailand

"For a Security Manager, this class is spot on!" - George Chetupuzha
