Interactive Courses + DFIR NetWars Available During SANS Cyber Security Central in June. Save $300 thru 5/12.

San Antonio: Virtual Edition 2021 - Live Online

Virtual, US Central | Mon, Aug 16 - Sat, Aug 21, 2021

MGT512: Security Leadership Essentials for Managers

Mon, August 16 - Fri, August 20, 2021

Associated Certification: GIAC Security Leadership (GSLC)

 Watch a free preview of this course

Course Syllabus  ·  30 CPEs  ·   Lab Requirements
Instructor: G. Mark Hardy  ·  Price: 6,850 USD

Leading Security Initiatives to Manage Information Risk


Security managers need both technical knowledge and management skills to gain the respect of technical team members, understand what technical staff are actually doing, and appropriately plan and manage security projects and initiatives. This is a big and important job that requires an understanding of a wide array of security topics.

This course empowers you to become an effective security manager and get up to speed quickly on information security issues and terminology. You won't just learn about security, you will learn how to manage security. MGT512 covers a wide range of security topics across the entire security stack. Data, network, host, application, and user controls are covered in conjunction with key management topics that address the overall security lifecycle, including governance and technical controls focused on protecting, detecting, and responding to security issues.

This course will prepare you to:

  • Make sense of different cybersecurity frameworks
  • Understand and analyze risk
  • Understand the pros and cons of different reporting relationships
  • Manage technical personnel
  • Build a vulnerability management program
  • Inject security into modern DevOps workflows
  • Strategically leverage a SIEM
  • Lead a Security Operations Center (SOC)
  • Change behavior and build a security-aware culture
  • Effectively manage security projects
  • Enable modern security architectures and the cloud
  • Become an effective information security manager
  • Get up to speed quickly on information security issues and terminology
  • Establish a minimum standard of security knowledge, skills, and abilities
  • Speak the same language as technical security professionals


MGT512 uses case scenarios, group discussions, team-based exercises, in-class games, and a security leadership simulation to help students absorb both technical and management topics.

The course uses the Cyber42 leadership simulation game. This web application based game is a continuous tabletop exercise where students play to improve security culture, manage budget and schedule, and improve security capabilities at a fictional organization. This puts you in real-world scenarios that spur discussion and critical thinking of situations that you will encounter at work.


  • Electronic courseware containing the entire course content
  • Printed course books
  • Access to the Cyber42 security leadership simulation web app
  • MP3 audio files of the complete course lecture


Some course material for SEC401 and MGT512 may overlap. SANS recommends SEC401 for those interested in a more technical course of study, and MGT512 for those primarily interested in a leadership-oriented but less technical learning experience.

This course prepares you for the GIAC Security Leadership Certification (GSLC), which meets the requirement of DoD 8570 IAM Levels 1, 2, and 3.


Cyber42 Security Leadership Simulation Game Days

Transformational Cybersecurity Leader Triad

Rekt Casino Hack Assessment Transformational Series ? Weak Security Program, Unprotected Systems, and Poor Detection & Response


MGT514: Security Strategic Planning, Policy, and Leadership

MGT521: Leading Cybersecurity Change: Building a Security-Based Culture

Course Syllabus

G. Mark Hardy
Mon Aug 16th, 2021
9:00 AM - 5:00 PM CT


The course starts with a tour of the information that effective security managers and leaders must know to function in the modern security environment. This includes an understanding of the different types of cybersecurity frameworks available to structure your security team and program. Risk is central to effective information security management, so we'll discuss key risk concepts in order to lay the foundation for effective risk assessment and management. Security policy is a key tool that security managers use to manage risk. We'll cover approaches to policy to help you plan and manage your policy process. Finally, we'll discuss security functions, reporting relationships, and roles and responsibilities to give the advancing manager a view into effective security team and program structure.

CPE/CMU Credits: 6

  • Security Frameworks

    • Control, Program, and Risk Frameworks
  • Understanding Risk
    • Risk Concepts
    • Calibration
    • Risk Assessment and Management
  • Security Policy
    • Purpose of Policy
    • Risk Appetite Statement
    • Policy Planning
    • Managing Policy
  • Program Structure
    • Reporting Relationships
    • Three Lines of Defense
    • Roles and Responsibilities
    • Security Functions

G. Mark Hardy
Tue Aug 17th, 2021
9:00 AM - 5:00 PM CT


Day two provides foundational knowledge to protect networks and systems. This includes a thorough discussion of network security that is modeled around the various layers of the network stack. This leads into a discussion on building a vulnerability management program and the associated process to successfully find and fix vulnerabilities. Finally, we cover malware and attack examples and corresponding host security controls for the endpoint and server. These topics give managers a deeper understanding of what their teams are talking about and where various issues and protections lay within the seven layers of the network model.

CPE/CMU Credits: 6

  • Network Security
    • Layer 1 and 2: Overview and Attacks
    • Layer 3
      • VPNs and IPSec
      • IPv6 considerations
    • Layer 4: TCP and UDP
    • Application Layer

      • Proxies, NGFW, IDS, NSM
  • Vulnerability Management
    • PIACT Process
    • Vulnerability Overview
    • Finding and Fixing Vulnerabilities
    • Communicating and Managing Vulnerabilities
  • Host Security
    • Malware and Attack Examples
    • Host Security Controls

G. Mark Hardy
Wed Aug 18th, 2021
9:00 AM - 5:00 PM CT


Day three focuses on protecting data and systems. This includes building an understanding of cryptography concepts, encryption algorithms, and applications of cryptography. Since encrypting data alone is not sufficient, we discuss the distinction between privacy and security to give managers a primer on key privacy concepts. To implement new initiatives, security leaders must also develop negotiating skills and the ability to manage highly technical team members. Finally, we cover security awareness, which is a huge component of any security program that must drive activities that lead to changes in human behavior and create a more risk-aware and security-aware culture.

CPE/CMU Credits: 6

  • Data Protection
    • Cryptography Concepts
    • Encryption Algorithms
    • Encryption Applications
  • Negotiations Primer

    • Negotiations Strategies
  • Privacy Primer
    • Privacy and Security
    • Requirements and Regulations
  • Security Awareness
    • Maturity Model
    • Human Risks

G. Mark Hardy
Thu Aug 19th, 2021
9:00 AM - 5:00 PM CT


Day four covers what managers need to know about leading modern security initiatives. Managers must be knowledgeable about software development processes, issues, and application vulnerabilities. We'll look at the secure SDLC, OWASP Top Ten, and leading-edge development processes built on DevSecOps. For any project or initiative, security leaders must also be able to drive effective project execution. Having a well-grounded understanding of the project management process makes it easier to move these projects forward. We'll also discuss modern infrastructure-as-code approaches and tools to automate consistent deployment of standard configurations. The cloud is a major initiative that many organizations are either tackling now or planning to undertake. To get ready for these initiatives, we'll provide an overview of Amazon Web Services (AWS) to serve as a reference point and discuss key cloud security issues. The cloud, the rise of mobile devices, and other factors are highlighting weaknesses in traditional, perimeter-oriented security architectures. This leads to a discussion of the Zero Trust Model.

CPE/CMU Credits: 6

  • Application Security
    • Secure SDLC
    • OWASP Top Ten
  • DevSecOps

    • DevOps Toolchain and Pipeline
  • Project Management
    • Projects, Programs, and Portfolios
    • Project Management Process
  • Infrastructure as Code
    • Configuration Management
    • Containers and Docker Overview
  • Cloud Security
    • Cloud Security Issues
    • Amazon Web Services Overview
    • Moving to the Cloud
  • Modern Security Architecture

    • Zero Trust Model

G. Mark Hardy
Fri Aug 20th, 2021
9:00 AM - 5:00 PM CT


Day five focuses on detection and response capabilities. This includes gaining appropriate visibility via logging, monitoring, and strategic thinking about a security information and event management (SIEM) system. When making a large investment, such as a SIEM, managers must also conduct a thorough analysis of vendors. Once implemented, the logs in a SIEM are a core component of any Security Operations Center (SOC). We'll discuss the key functions of a SOC along with how to manage and organize your organization's security operations. The incident response process is discussed in relation to identifying, containing, eradicating, and recovering from security incidents. This leads into a discussion of longer-term business continuity planning and disaster recovery. Managers must also understand physical security controls that, when not implemented appropriately, can cause technical security controls to fail or be bypassed. The course ends with a war game that simulates an actual incident. This tabletop simulation contains a number of injects or points at which students are presented with additional information to which they can respond. After dealing with the incident itself, the simulation concludes with a game focused on choosing appropriate security controls to mitigate future incidents.

CPE/CMU Credits: 6

  • Logging and Monitoring

    • SIEM Goals
  • Vendor Analysis

    • Product Analysis and Selection
  • Security Operations Center (SOC)
    • SOC Functional Components
    • Models and Structure
    • Managing and Organizing a SOC
  • Incident Response

    • The Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (PICERL) Process
  • Contingency Planning
    • Business Continuity Planning
    • Disaster Recovery
  • Physical Security

    • Issues and Controls

Additional Information

A laptop or mobile device with the latest web browser is required to play the Cyber42 leadership simulation game.

The Cyber42 game used in this course is hosted on Amazon Web Services (AWS). Students must have a computer that does not restrict access to AWS services. Corporate machines may have a VPN, intercepting proxy, or egress firewall filter causes connection issues communicating with AWS. Students must be able to configure or disable these services to be able to access the Cyber42 game.

If you have additional questions about the laptop specifications, please contact

If you have additional questions about the laptop specifications, please contact

  • Security Managers
    • Newly appointed information security officers
    • Recently promoted security leaders who want to build a security foundation for leading and building teams
  • Security Professionals
    • Technically skilled security administrators who have recently been given leadership responsibilities
    • Team leads with responsibility for a specific security function who want to understand what other teams are doing and broaden their knowledge
  • Managers
    • Managers who want to understand what technical people are telling them
    • Leaders who need an understanding of security from a management perspective

"The [Cyber42] 'game' we are playing makes you think about real world problems and the different teams show how different groups will come up with their own solutions for the same problem. One of the few 'games' that actually forces some decisions based on previous decisions." - Max Harris, AF

This course covers the core areas of security leadership and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, the recommended starting point is the SEC301: Introduction to Information Security course. While SEC301 is not a prerequisite, it will provide the introductory knowledge to maximize the experience with MGT512.

"The activities are excellent! The discussion and student involvement are both motivating and enlightening. This course is, by far, is the most useful course Iâve ever taken." - Bill Brown, Intuit

"SANS MGT512 course has been instrumental in bridging the gaps in my knowledge & has prepared me to take on bigger responsibilities." - Mir Shajee, Accenture

"Was able to merge management skills and technical materials in one simple format." - Abdulaziz Al-Sultan, Saudi Electric Company

"This course is highly useful for giving me a sound baseline of technical and general skills to help me manage an effective team." - Richard Ward, REA Group

"I will be leading a team of security experts. This course will enable me to better understand their concerns and provide better and more supportive leadership." - Kathie Anderson, QA Training

"This course is 100% applicable to my work every day. Could not have designed a better course for someone in my situation; a new manager in cybersecurity risk." - Charlotte Ware, USPS

"It covers all areas of modern security, providing valuable knowledge to key aspects of the cybersecurity world at work." - Reece Edney, CLS Services LTD

Author Statement

"Technical professionals who are thrust into management roles need to learn how to convey security concepts in ways that non-technical people can understand. At the same time, managers who are new to security need to learn more about the different domains of cybersecurity. In both cases, there is a need to learn about the work of managing security. That is why this course focuses on the big picture of securing the enterprise, from governance all the way to the technical security topics that serve as the foundation for any security manager. Ultimately, the goal of the course is to ensure that you, the advancing manager, can make informed choices to improve security at your organization."

- Frank Kim

"Frank was outstanding. Easy to follow. It shows that he has done this for a long time and was a very good instructor." - Ed Moore, Moore Consulting