SANS SA Blog 12/6/19

Organizations are realizing and acting on the fact that cybersecurity is no longer just a technical challenge, but a human challenge as well.  As such, security teams around the world are looking for trained professionals in the field of human security, such as security awareness, engagement and culture.  For those of you who are looking to get involved in this field, or are already involved but looking to grow, SANS offers key courses to help develop your career path. 

Where to Start:

If you are new to the world of information security and / or security awareness, the very first class you will want to start with is: 

  • MGT433: SANS Security Awareness: How to Build, Maintain, and Measure a Mature Awareness Program:  This two-day class lays the foundation of security awareness, managing human risk and ultimately changing organization behavior. Course content is based on lessons learned from hundreds of security awareness programs from around the world. In addition, you will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom security awareness plan that you can implement as soon as you return to your organization.

What Next:

Once you have the basics down and want to develop yourself and your career, you may need to develop your security expertise if you do not have a technical or security background. Understanding the fundamentals will not only help you better understand the risks and the behaviors that manage those risks, but also empower you to communicate more effectively with your security team and security leadership. There are two different five-day courses to consider at this stage in your career. Each has its advantages, depending on what you hope to achieve.

  • MGT512: Security Leadership Essentials For Managers: This course empowers you to become an effective security manager and get up to speed quickly on information security issues and terminology. You won't just learn about security, you will learn how to manage security. To accomplish this goal, MGT512 covers a wide range of security topics across the entire security stack. Data, network, host, application, and user controls are covered in conjunction with key management topics that address the overall security lifecycle. This also includes governance and technical controls focused on protecting, detecting, and responding to security issues.
  • SEC301: Introduction to Cybersecurity: Jump-start your security knowledge by receiving insight and instruction on critical introductory topics that are fundamental to cyber security. This five-day course takes a technical approach for those new to cybersecurity. It covers everything from core terminology to the basics of computer function & networks, security policies, password usage, cryptographic principles, network attacks & malware, wireless security, firewalls and many other security technologies, web & browser security, backups, virtual machines & cloud computing. All topics are covered at an introductory level. The hands-on, step-by-step teaching approach enables you to grasp all the information presented, even if some of the topics are new to you. You'll learn real-world cybersecurity fundamentals to serve as the foundation of your career skills and knowledge for years to come.

Not sure which one of these two courses to take? If you are looking for more of a high-level or management perspective to the world of information security, I recommend MGT512.  If you want a more hands-on, technical introduction to the tools and technology of cybersecurity, then I recommend SEC301.

Intermediate Level

Once you have 2-4 years of experience in security awareness and feel confident in the concepts of both cybersecurity and organizational behavior, MGT521 is what I recommend next.

  • MGT521: Driving Cybersecurity Change - Establishing a Culture of Protect, Detect and Respond: Cybersecurity is no longer just about technology; it is ultimately about organizational change. That means change not only in how people think about security but also in what they prioritize and how they act, from the Board of Directors on down. Organizational change is a field of management study that enables organizations to analyze, plan, and then improve their operations and structures by focusing on people and culture. SANS course MGT521 will teach leaders how to leverage the principles of organizational change, enabling them to develop, maintain and measure a security-driven culture. Through hands-on, real-world instruction and a series of interactive labs and exercises in which you will apply the concepts of organizational change to a variety of different security initiatives, you will quickly learn how to embed cybersecurity into your organizational culture.

Advanced Level

Once you have 5-7 years of experience and want to truly develop your security leadership skills, consider this course.  This will walk you through the strategic planning process and challenges CISOs face.  Many people consider this the “CISO Course”, helping develop new and experienced Chief Information Security Officers to become better security leaders.  By better understanding CISO challenges, priorities and concerns, you can more effectively collaborate with them and communicate in their terms and language.

  • MGT514: Security Strategic Planning, Policy, and Leadership: This course gives you tools to become a security business leader who can build and execute strategic plans that resonate with other business executives, create an effective information security policy, and develop management and leadership skills to better lead, inspire, and motivate your teams.

By actively growing your skills and knowledge, not only can you become a more effective leader, but also dramatically improve and broaden your career opportunities.  In addition, we highly recommend you attend the two-day SANS Security Awareness Summit this 5/6 August in Austin, Texas.  Come meet and learn from over 300 security awareness professionals as we share lessons learned, resources and build a network to better support you.