Reading Room

Management & Leadership

Featuring 54 Papers as of October 8, 2020

  • A Startups Guide to Implementing a Security Program by Vanessa Pegueros - October 8, 2020 

    Startups struggle to balance survival with the practical implementation of a security program. There are numerous obstacles facing founders who want to generate a solid security foundation, including limited cash, lack of support from investors or the board, and conflicting priorities such as generating revenue. Despite these obstacles, customers and potential customers continue to demand a base level of security controls. This drive from customers, especially enterprise customers, for solid security programs has forced startups to develop a practical approach to security that works within the boundaries of their constraints. Implementation of key controls and processes can establish a solid security foundation and meet the needs of customers.

  • Women in Cybersecurity: Spanning the Career Life Cycle Analyst Paper (requires membership in community)
    by Heather Mahalik - March 16, 2020 

    In this paper, survey author and SANS instructor Heather Mahalik explores key results of our survey of successful women in varied roles within the cybersecurity community and draws on experiences of such women to provide practical advice to women all along their career life cycle.

  • Essential Requirements for Cloud-Based Endpoint Security Analyst Paper (requires membership in community)
    by Barbara Filkins - September 11, 2018 

    Next-generation endpoint security (NGES) strives to combine prevention, detection, response and IT operations into a single platform, allowing for the consolidation of the endpoint footprint while substantially increasing endpoint protection. For those ready to replace their traditional antivirus with NGES, SANS has developed this evaluation guide for assessing NGES tools against your organization's requirements before making capital investments in NGES.

  • Updated: Out with the Old, In with the New: Replacing Traditional Antivirus Analyst Paper (requires membership in community)
    by Barbara Filkins - December 1, 2017 

    This updated version of the 2016 paper that included the SANS guide to evaluating next-generation antivirus provides the background information organizations need to assist them in their efforts to procure next-generation antivirus. Review this document to establish your overall road map and help resolve any questions you may have on the procurement process after reading the companion piece: "SANS Step-by-Step Guide for Procuring Next-Generation Antivirus".

  • Step by Step Guide for Procuring Next-Generation Antivirus Analyst Paper (requires membership in community)
    by Barbara Filkins - November 30, 2017 

    This document outlines a procurement process you can use and customize when upgrading to NGAV. The key steps to successful procurement do not change and should apply to any NGAV procurement project.

  • NGAV RFP Analyst Paper (requires membership in community)
    by Barbara Filkins - November 30, 2017 

    This document is a standalone RFP for selecting a next-generation antivirus (NGAV) solution. For more information on how to procure NGAV, be sure to access the Step by Step Guide for Procuring Next-Generation Antivirus.

  • NGAV RFP Evaluation Master Template Analyst Paper (requires membership in community)
    by Barbara Filkins - November 30, 2017 

    Click on the link in this file to access the Excel spreadsheet designed to help you compare the vendors from whom you have collected RFP information.

  • Complement a Vulnerability Management Program with PowerShell Graduate Student Research
    by Colm Kennedy - August 10, 2017 

    A vulnerability management program is a critical task that all organizations should be running. Part of this program involves the need to patch systems regularly and to keep installed software up to date. Once a vulnerability program is in place, organizations need to remediate discovered vulnerabilities quickly. Occasionally some discovered vulnerabilities are false positives. The problem with false positives is that manually vetting them is time-consuming. There are tools available, like SCCM, that assist in showing what patches may be missing, but they can be rather costly. For organizations concerned that these types of programs hurt their budgets, there are free options available. PowerShell is free software that, if utilized, can complement an organization's vulnerability management program by assisting in scanning for unpatched systems. This paper presents a PowerShell script that provides administrators with further insight into which systems are unpatched and streamlines investigations of possible false positives, at no additional cost.

  • Lateral Leadership and Information Security by Stefan Krampe - July 19, 2017 

    In almost every company, a defined hierarchy, job description and organizational chart define who is in charge of a certain issue. Nevertheless, most employees will recall situations in which teams without a predefined leader had to collaborate. Being able to navigate these settings effectively is extremely helpful for the information security professional. More often than not, different departments and heterogeneous groups have to work together to improve the security posture of a corporation. An open mind, real interest in the ideas of colleagues, and a reasonable distribution of responsibilities and tasks are needed. Well-known principles in information security are actually quite well suited to these circumstances.

  • No Safe Harbor: Collecting and Storing European Personal Information in the U.S. Graduate Student Research
    by Alyssa Robinson - April 24, 2017 

    When the European Court of Justice nullified the Safe Harbor Framework in October of 2015, it left more than 4,000 companies in legal limbo regarding their transfer of personal data for millions of European customers (Nakashima, 2015). The acceptance of the Privacy Shield Framework in July of 2016 expands the options for U.S. companies that need to transfer EU personal data to the U.S. but does little to ameliorate the upheaval caused by the Safe Harbor annulment. This paper covers the history of data privacy negotiations between Europe and the United States, providing an understanding of how the current compromises were reached and what threats they may face. It outlines the available mechanisms for data transfer, including Binding Corporate Rules, Standard Contractual Clauses, and the Privacy Shield Framework, and compares their requirements, advantages, and risks. With this information, U.S. organizations considering storing or processing European personal data can choose the transfer mechanism best suited to their situation.

  • Show Me the Money! From Finding to Fixed to Funded Graduate Student Research
    by Robert J. Mavretich - April 24, 2017 

    Corporations both large and small, whether public or private, can always benefit from an information security audit to improve their security posture. This security audit will highlight vulnerabilities and provide prescriptive guidance on how to fix them within a formal report. The ability to motivate organizational teams to complete the necessary work has historically been a challenge. While tracking these findings using a workflow management tool has its value, most organizations stop at simply tracking the deficiencies, rather than taking the necessary steps to remediate them in a timely manner. Thus, vulnerabilities from a decade ago are still causing disruption in our present-day hyper-connected world. By applying an economic incentive system to the resolution of those findings, much like a sales division incentive program, a company can create a remediation bounty program. This will assist in motivating non-managerial staff to conceive of innovative ways to apply necessary fixes quickly, and to manage systems that are less susceptible to nefarious actors and their less than honorable intentions.

  • In-Depth Look at Tuckman's Ladder and Subsequent Works as a Tool for Managing a Project Team Graduate Student Research
    by Aron Warren - March 1, 2017 

    Bruce Tuckman's 1965 research on modeling group development, titled "Developmental Sequence in Small Groups," laid out a framework consisting of four stages a group will transition between while members interact with each other: forming, storming, norming, and performing. This paper will describe in detail the original Tuckman model as well as derivative research in group development models. Traditional and virtual team environments will both be addressed to assist IT project managers in understanding how a team evolves over time with a goal of achieving a successful project outcome.

  • Reducing Attack Surface: SANS’ Second Survey on Continuous Monitoring Programs Analyst Paper (requires membership in community)
    by Barbara Filkins - November 14, 2016 

    Continuous monitoring is not a single activity. Rather, it is a set of activities, tools and processes (asset and configuration management, host and network inventories, and continuous vulnerability scanning) that must be integrated and automated all the way down to the remediation workflow. Although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy.

  • Bill Gates and Trustworthy Computing: A Case Study in Transformational Leadership by Preston S. Ackerman - September 20, 2016 

    The notion that IT security is a serious issue is non-controversial. The market for cybersecurity spending topped $75 billion in 2015, and analysts expect it to exceed $170 billion by 2020 (Morgan 2016). With the advent of cloud computing, the explosion of mobile devices, and the emergence of increasingly sophisticated adversaries from organized crime and nation-state actors, businesses and the industry as a whole will require the vision of great leaders to keep pace with the threats. We can look to the industry's rich history to see examples of such transformational leadership in the past. An enlightening case study is the Microsoft Trustworthy Computing initiative, launched by an insightful and stimulating memo Bill Gates sent on January 15, 2002. The initiative would not only transform culture, procedures, and policy surrounding security at Microsoft, but would in fact cause a dramatic shift for the entire industry. The idealized influence in the leadership shown by Gates can serve as a model for today's leaders.

  • Investing in Information Security: A Case Study in Community Banking by Wes Earnest - August 12, 2016 

    Small businesses, such as community banks, often do not have resources dedicated to information technology, much less resources dedicated to information security. Despite larger financial institutions having more resources to invest in information security, they are also attempting to secure much larger, more complex environments. Community banks, with a smaller footprint of computer systems and networks, have the opportunity to produce even greater results with a comparatively smaller investment. This case study shows how one small community bank enjoyed the successes of transitioning from an environment of constant reactionary troubleshooting to implementing an information security strategy that focused not only on improving the information technology environment but also business operations and regulatory compliance for the bank.

  • Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey Analyst Paper (requires membership in community)
    by Barbara Filkins - June 20, 2016 

    Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.

  • Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance Analyst Paper (requires membership in community)
    by Barbara Filkins - February 25, 2016 

    Sponsored by PivotPoint Risk Analytics, in conjunction with Advisen.

  • Selling Your Information Security Strategy Graduate Student Research
    by David Todd - February 18, 2016 

    It is the Chief Information Security Officer’s (CISO) responsibility to identify the gaps between the most significant security threats and vulnerabilities, compared with the organization's current state. The CISO should develop an information security strategy that aligns with the strategic goals of the organization and sells the gap mitigation strategy to executive management and the board of directors. Before embarking on this new adventure, clearly articulate what success looks like to your organization. What is the result you are driving to accomplish? Then develop a strategy to get you there. Take a play directly from the Sales organization’s playbook – Know yourself; know your customer; and know the benefits from your customer’s perspective. Following this simple strategy will help the CISO close the deal of selling your Information Security Strategy.

  • IT Security Spending Trends Analyst Paper (requires membership in community)
    by Barbara Filkins - February 2, 2016 

    This paper assumes security budgeting occurs as part of each organization's yearly cost management cycle. Readers will explore the what, why, where and how of IT security spending and will get advice on how to better meet the challenge of aligning security spending processes with organizational needs.

  • Security Risk Communication Tools Graduate Student Research
    by Andrew Baze - September 16, 2015 

    The effective communication of risks is a serious challenge faced by every security risk management professional in today's dynamic cybersecurity environment. Business executives expect communication in their language, focusing on financial gain, risk, or loss. Security professionals often speak in technical terms, describing threats or vulnerability in the context of confidentiality, integrity and availability. A key challenge is to translate common security metrics into risk statements using the language of business so that executives with limited security knowledge can make the best, risk-informed decisions. One of the reasons security risk management is a unique challenge is because the language of security is often relatively technical. An in-depth security discussion often requires a level of engineering understanding that one should not generally expect of executives. It is the responsibility of the security risk professional to translate relevant risk metrics, details, and descriptions into the language of their business leaders, whose understanding could directly affect the future of the business.

  • Defense-in-Policy begets Defense-in-Depth by Matthew Greenwell - April 3, 2015 

    Defense-in-depth is a commonly cited "best practices" strategy for achieving "Information Assurance".

  • A Plan for How to Get There and What to Do When You Arrive: Practical Advice on Establishing a Security Information Management Program within Healthcare Graduate Student Research
    by Barbara Filkins - January 26, 2015 

    Health care, as an industry, is stressed from all sides as it tries to improve its privacy and security posture in the age of the electronic health record (EHR).

  • Security Skills Assessment and Training: The Critical Security Control that can make or break all others Graduate Student Research
    by Paul Hershberger - December 2, 2014 

    Across the security community, 2013 has been noted as the year of the breach. Symantec reported 8 breaches with more than 10M identities exposed per breach, representing a 700% increase from the year prior (Symantec Corporation, 2014). The year was filled with salacious headlines pulling readers into the latest exploits of cybercrime and espionage rings.

  • Continuous Diagnostics and Mitigation: Making it Work Analyst Paper (requires membership in community)
    by John Pescatore - August 6, 2014 

    Security professionals in federal, state and local agencies face many unique challenges in protecting critical systems and information. The CDM program has tremendous potential for both increasing the security levels at those agencies and reducing the cost of demonstrating compliance. However, to be successful, the program must address the following: lack of awareness, low inspector general awareness and lack of information on how to use the program. For use of the program to result in better security, additional staffing and skills are needed, as are success stories to guide organizations attempting to implement CDM.

  • Calculating Total Cost of Ownership on Intrusion Prevention Technology Analyst Paper (requires membership in community)
    by J. Michael Butler, Dave Shackleford - February 17, 2014 

    Calculate the value of specific automation features in NGIPSes with which organizations can achieve savings in total cost of ownership (TCO).

  • Bridging the Gantt Graduate Student Research
    by Erik Couture - December 23, 2013 

    To Project Management (PM) novices, the Gantt chart is often seen as the central tool of the project management process.

  • Layered Security: Why It Works Analyst Paper (requires membership in community)
    by Jerry Shenk - December 9, 2013 

    How a layered approach to security provides better protection of your organization’s IT assets.

  • Managing Threats and Compliance While Automating the CSCs: EiQ SecureVue Review Analyst Paper (requires membership in community)
    by Jerry Shenk - November 11, 2013 

    Product review of EiQ SecureVue, a solution that provides advanced log management and security information and event management (SIEM) capabilities for SMB-sized organizations.

  • Building and Maintaining a "Certifiable" Workforce Graduate Student Research
    by Robert J. Mavretich - September 23, 2013 

    When picking up a newspaper or reading an online journal (CNN, Fox, WSJ, New York Times, etc.), it is hard to escape the unemployment statistics, both domestically and internationally.

  • Corporate vs. Product Security by Philip Watson - May 22, 2013 

    When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.

  • Managing the Implementation of a BYOD Policy Graduate Student Research
    by Jim Horwath - May 6, 2013 

    Mobile devices are consumer-oriented devices that are changing the way people do business.

  • Information Risks & Risk Management by John Wurzler - May 1, 2013 

    In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.

  • Using Teambuilding to Improve Performance for Geographically Distributed Information Security Professionals by Julie Kent - January 21, 2013 

    In recent years there has been a focus on work being done in teams rather than individually.

  • Recovering Security in Program Management by Howard Thomas - October 3, 2012 

    Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.

  • A Process for Continuous Improvement Using Log Analysis by David Swift - October 26, 2011 

    A great deal of money has been spent by organizations on security technology, with only moderate success. Technology is often installed, but often left untuned and unmonitored. Though vendors have touted self-defending networks (Gleichauf, 2005), and claimed their products are impervious, reality teaches otherwise.

  • Net Neutrality, Rest in Peace by James Mosier - October 11, 2011 

    No one would argue that the Internet has become an instrumental part of society. With broadband access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.

  • Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 

    Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different from a security audit.

  • Creating a monthly Information Security Scorecard for CIO and CFO Graduate Student Research
    by Michael Hoehl - January 4, 2011 

    Identifying the specific security metrics desired by executives ultimately accountable for information security financials and organization risk management is a daunting task. Common security metrics report how well policies, processes, or controls are functioning. Though this operational perspective is important, additional insight may be desired to reveal the capability maturity of the organization’s security practice (right way), assure I.T. investments are being made based on risk management (right amount and order), and confirm the organization’s business objectives are being advanced (right outcome).

  • Get Out of Your Own Head: Mindful Listening for Project Managers Graduate Student Research
    by Charlie Scott - December 20, 2010 

    It is important for project managers to have interpersonal skills in order to develop a project team (Novello, 2008; Frisk, 2009; Project Management Institute, 2008; Heldman, 2009). The Project Management Institute (2008) summarizes the need for interpersonal skills in a project manager as follows

  • Practical Approaches to Organizational Information Security Management by Raees Khan - December 20, 2010 

    All around the world, it has become a well-known fact that a majority of the world’s leading global organizations, across all industries, are constantly challenged in successfully achieving their strategic and tactical business and technology objectives in an effort to provide true value to their stakeholders (COBIT, 2005). These leading global organizations increasingly rely on a variety of information assets, such as skilled personnel, complex business processes and the latest technology, to perform various functions across all divisions. These factors, when correctly provisioned, ultimately contribute towards successfully achieving the organizational objectives. However, one of the most compelling challenges encountered by these leading global organizations is the lack of a clear and concise enterprise-wide view of organizational information security across the board (ISO/IEC 17799:2000/27002:2005).

  • Creating Robust IT Security and Efficiency by Reducing Infrastructure Complexity in Higher Education by Keith Lard - November 17, 2010 

    Recent economic conditions have created a business problem unique to higher education and its IT infrastructure. In the past ten years, IT systems and infrastructure have experienced a rapid change in complexity as a result of moving from mainframes to web services (Weinschenk, 2003). The technical landscape continues to become more complex as technology advances and application sophistication increases more rapidly, creating a greater dependency on IT services. To stay competitive and efficient, private and for-profit businesses have spent the last ten years keeping up with technology and training their staff. However, the university has been insulated in its own microcosm, having the luxury of ignoring business cycles, as the product offered has not changed drastically. Now, recent economic conditions and rapid advancement in technology have created the perfect storm within the university setting.

  • Determining the Role of the IA/Security Engineer by Brian Dutcher - October 14, 2010 

    What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and all endpoints? Is it the systems designer or operator responsible for the security of all clients and servers? Is it a software developer specializing in developing and hardening custom applications? Is the IA/Security Engineer someone who is an expert in all these areas? Is the IA/Security Engineer a specialized single technology (i.e. Cisco) expert, or is the position technologically agnostic, working at a higher level where specific detailed technology is irrelevant in the bigger scheme of things?

  • Brains for Hire / Blame for Hire - The Life and Challenges of a Consulting Project Manager Graduate Student Research
    by Rob VandenBrink - May 7, 2010 

    This paper explores many aspects of project management that are unique to consulting, and consulting Project Managers in particular. Discussions will include how consultants managing projects face different challenges than those in the “normal” in-house project management situation. We’ll explore some of the ways to maximize the chances of project success when consulting. We’ll also discuss how the Process Groups defined within Project Management Body of Knowledge (PMBOK) can be combined, modified, or sometimes outright skipped, under the unique pressures of the consulting situation.

  • The Evolving Role of Security Structures by Dale Emel - January 28, 2010 

    Suggestions for extensions and additions to the security management structures covered in the SANS Management 512 course, Security Leadership Essentials for Managers (The SANS Institute, 2009).

  • Gathering Security Metrics and Reaping the Rewards by Dan Rathbun - November 16, 2009 

    Far from being another treatise on detailed metric formulas or data analysis techniques, this is a practical roadmap for initiating a brand new security metrics program or strengthening an existing one.

  • Women in IT Security Project Management by Gurdeep Kaur - October 27, 2009 

    This paper will provide information about specific skills which may have been developed or acquired within the IT security field.

  • Tackling ISO 27001: A Project to Build an ISMS by David Henning - July 22, 2009 

    The ISO 27001/27002 standards for implementing an Information Security Management System (ISMS) often present a challenging set of activities to be performed. When a security professional is tasked with implementing a project of this nature, success hinges on the ability to organize, prepare, and plan effectively. This paper addresses the implementation of an ISO 27001 ISMS using the Project Management Body of Knowledge known as the PMBOK Guide published by Project Management Institute, Inc. This paper explores the process of implementing an Information Security Management System capable of being certified against ISO 27001. It also provides real world concrete examples of the 44 processes in the PMBOK Guide as applied to an information security project at a satellite broadband ISP.

  • Quantifying Business Value of Information Security by Eric Poole - July 14, 2009 

    Some organizations forgo implementing information security controls that could bring a positive return on investment to their organization. The goal of this paper is to familiarize the reader with risk management terminology, and present a quantitative risk management valuation process to show the benefit of a security control to the business. The impact of security controls is on the bottom line of the organization.

  • Effective Time and Communication Management Graduate Student Research
    by Brad Ruppert - June 9, 2009 

    This paper will discuss how to manage your time to ensure you are focusing your work on the business rather than in the business.

  • Beer - The Key Ingredient to Team Development Graduate Student Research
    by Brad Ruppert - May 20, 2009 

    This paper will discuss the importance of building a social connection with your team members to effectively communicate, problem-solve, and ultimately work together as a team.

  • Improving the Management of Information Security in Canadian Government Departments by Ken Fogalin - April 13, 2009 

    Taking Lessons from the ISO/IEC 27001 Standard to Make Continuous, Incremental, and Enduring Improvements

  • Leading the Transformation of a Security Organization as a New Security Manager by Robert Mayhugh - August 19, 2008 

    This paper will document my experience and provide insight into my assignment as a new security manager tasked with improving network security and making things happen.

  • Successfully Building Security into Business Projects by Alex Clayton - August 7, 2008 

    Argument to persuade project managers to bake security into their projects.

  • The Death of Leadership in Management by Dana Hudnall - September 12, 2007 

    The intention of this paper is to outline the author's views on leadership techniques when it comes to the management of personnel. It will also describe the differences one faces between managing personnel and managing processes to include what qualities one should possess for each. Some possible misconceptions are also addressed concerning the meaning of "management" and "leadership" and how these two processes greatly differ.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.