
Chicago 2014

Chicago, IL | Sun, Aug 24 - Fri, Aug 29, 2014
This event is over, but there are more training opportunities.

MGT514: IT Security Strategic Planning, Policy and Leadership

Sun, August 24 - Thu, August 28, 2014

Really good case studies and examples which prompted useful class discussion - this helps to --- understanding.

Alexis Brownings, CERT-UK

As I progress in my career within cybersecurity I find that courses such as MGT 514 will allow me to plan and lead organizations forward.

Eric Burgan, Idaho National Labs

Mastering the Strategic Planning Process

Strategic planning is hard for people in IT and IT Security because we spend so much time responding and reacting. Some of us have been exposed to a SWOT or something similar in an MBA course, but we almost never get to practice until we get promoted to a senior position, and then we are not equipped with the skills we need to run with the pack.

In this course you will learn the entire strategic planning process: what it is and how to do it; what lends itself to virtual teams; and what needs to be done face to face. We will practice building those skills in class. Topics covered in depth include how to plan the plan, horizon analysis, visioning, environmental scans (SWOT, PEST, Porter's etc.), historical analysis, mission, vision, and value statements. We will also discuss the planning process core, candidate initiatives, the prioritization process, resource and IT change management in planning, how to build the roadmap, setting up assessments, and revising the plan.

We will see examples and hear stories from businesses, especially IT and security oriented businesses, and then work together on labs. Business needs change, the environment changes, new risks are always on the horizon, and critical systems are continually exposed to new vulnerabilities. Strategic planning is a never-ending process. The planning section is hands-on and there is exercise-intensive work on writing, implementing, and assessing strategic plans.

Creating Effective Information Security Policy

Policy is a manager's opportunity to express expectations for the workforce, to set the boundaries of acceptable behavior and empower people to do what they ought to be doing. It is easy to get wrong. Have you ever seen a policy and your response was, "No way, I am not going to do that?" Policy must be aligned with an organization's culture. We will break down the steps to policy development so that you have the ability to develop and assess policy successfully.

Developing Management and Leadership Skills

The third focus of the course is on management and leadership competencies. Leadership is a capability that must be learned, exercised and developed to better ensure organizational success. Strong leadership is brought about primarily through selfless devotion to the organization and staff, tireless effort in setting the example, and the vision to see and effectively use available resources toward the end goal. However, leaders and followers influence each other toward the goal; it is a two-way street where all parties perform their functions to reach a common objective.

Effective leadership entails persuading team members to accomplish their objectives while removing obstacles and maintaining the well-being of the team in support of the organization's mission. Grooming effective leaders is critical to all types of organizations, as the most effective teams are cohesive units that work together toward common goals with camaraderie and a can-do spirit!

Leadership tends to be a bit "squishy" and courses covering the topic are often based upon the opinions of people who were successful in the marketplace. However, success can be as much a factor of luck as skill, so we base this part of the course on five decades of the research of social scientists and their experiments going as far back as Maslow and on research as current as Sunstein and Thaler. We discuss leadership skills that apply to commercial business, non-profit, for-profit, or other organizations. This course is designed to develop existing and new supervisors and managers who aspire to go beyond being the boss. It will help you build leadership skills to enhance the organization's climate and team-building skills to support the organization's mission, its growth in productivity, workplace attitude/satisfaction, and staff and customer relationships.

Course Syllabus

Mark Williams
Sun Aug 24th, 2014
9:00 AM - 5:00 PM


Our approach to strategic planning is that there are activities that can be done virtually in advance of a retreat, and then other activities are best done in a retreat setting. On the first day, we will talk about some of the activities that can be done virtually.

CPE/CMU Credits: 6

  • How to plan the plan
  • Historical analysis
  • Horizon analysis
  • Visioning
  • Environmental scans (SWOT, PEST, Porter's etc.)
  • Mission, vision, and value statements

Mark Williams
Mon Aug 25th, 2014
9:00 AM - 5:00 PM


This will include the retreat section of the course where we do the core planning activities of candidate selection, prioritization, and development of the roadmap.

CPE/CMU Credits: 6

Mark Williams
Tue Aug 26th, 2014
9:00 AM - 5:00 PM


You will experience the most in-depth coverage of security policy ever developed. By the end of the course your head will be spinning. Students and other SANS instructors who have seen the scope of the material have the same comment, "I never realized there is so much to know about security policy." Any security manager, anyone assigned to review, write, assess or support security policy and procedure, can benefit from Policy in Depth. You will learn what policy is, positive and negative tone, consistency of policy bullets, how to balance the level of specificity to the problem at hand, the role of policy, awareness and training, and the SMART approach to policy development and assessment. We cover different levels of policy from Information Security Management System (ISMS) governing policy to detailed issue-specific policies like acceptable use, approved encryption and end of life disposal of IT assets.

CPE/CMU Credits: 6

  • Policy establishes bounds for behavior
  • Policy empowers users to do the right thing
  • Should and shall, guidelines and policy
  • ISMS as governing policy
  • Policy versus procedure
  • Policy needs assessment process
  • Organizational Assumptions, Beliefs and Values (ABVs)
  • Relationship of mission statement to policy
  • Organizational culture

Mark Williams
Wed Aug 27th, 2014
9:00 AM - 5:00 PM


In the policy section of the course, you will be exposed to over 100 different policies through an instructional delivery methodology that balances lecture, labs, and in-class discussion. We will emphasize techniques to create successful policy that users will read and follow; policy that will be accepted by the business units because it is sensitive to the organizational culture; and policy that uses the psychology of information security to guide implementation.

CPE/CMU Credits: 6

  • Using the principles of psychology to implement policy
  • Applying the SMART Method to policy
  • How policy protects people, organizations and information
  • Case study, the process to handle a new risk (Sexting)
  • Policy header components and how to use them
  • Issue-specific policies
  • Behavior-related policies, acceptable use, ethics
  • Warning banners
  • Policy development process
  • Policy review and assessment process
  • Wrap-up, the six golden nuggets of policy

Mark Williams
Thu Aug 28th, 2014
9:00 AM - 5:00 PM


Essential leadership topics covered here include: leadership development, coaching and training, employee involvement, conflict resolution, change management, vision development, motivation, communication skills, self-direction, brainstorming techniques, benefits, and the ten core leadership competencies. In a nutshell, you'll learn the critical processes that should be employed to develop the skills and techniques to select, train, equip, and develop a team into a single cohesive unit with defined roles that operate together in harmony toward team-objective accomplishment.

There are three goals for the leadership component of this course:

  • Establish a minimum standard for knowledge, skills, and abilities required to develop leadership
  • Understand and leverage the motivational requirements of employees
  • Establish a baseline understanding of the skills necessary to migrate from being a manager to being a leader

CPE/CMU Credits: 6

  • Leadership building blocks
  • Coaching & training
  • Change management
  • Team development
  • Motivating
  • Developing the vision
  • Leadership development
  • Building competencies
  • Importance of communication
  • Self-direction
  • Brainstorming
  • Relationship building
  • Teamwork concepts
  • Leader qualities
  • Leadership benefits

Additional Information

Pencil and paper would suffice for the labs, but we recommend a laptop with a word processor.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

This course is designed and taught for existing, recently appointed, and aspiring IT and IT Security managers and supervisors who desire to enhance their leadership and governance skills to develop their staff into a more productive and cohesive team.

  • Calculate the half life of information
  • Establish a strategic planning horizon appropriate for your organization
  • Conduct any of the well-known environmental scans (SWOT, Porter's 5, PEST and many others)
  • Facilitate out-of-the-box thinking (brainstorming, reverse brainstorming, synergetics)
  • Select between candidate initiatives and perform "back of the envelope" planning
  • Understand how policy is used and when it is needed or not needed
  • Manage the policy creation process
  • Develop policy for difficult topics such as social media
  • Evaluate policy using the SMART methodology
  • Understand the use of leadership competencies in developing leadership skills
  • Select a few competencies to work on to further your effectiveness

Author Statement

This is the course I wish I had taken 30 years ago. Colleagues, it doesn't make sense to wait till you are in a management position to focus on your governance, management, and leadership skills. If one can improve by one or two percent each year, it is a major achievement. Leadership is a race of endurance, not a sprint; start early and be persistent. This course will set you on the path. It is a solid blend of tons of research as well as personal experience from a number of leaders in information security. I had read about SWOTs for years, but was shocked by how difficult it was to create a strategic plan and get it approved. Some executives or auditors would say it doesn't look out far enough, others would say it isn't realistic to look out so far, some would say you are too bold, others you are too tame. One strategic plan I did the heavy lift on went through 18 revisions and still had only mixed approval. I was reading everything I could on planning and looking at published plans, and finally I saw the key - "plan the plan." It is the same basic notion as "plan the dive, dive the plan." Since senior management generally signs off on policy, you want to write balanced, defendable policy that gets approved the first time. The goal of both the planning and policy sections is simple: to give you the tools to create repeatable, successful products. The final section will help you build management and leadership skills to enhance the organization's climate as well as team-building skills to support the organization's mission and its growth in productivity.

- Stephen Northcutt