As I mentioned in the last post, Day 2 gets pretty technical. However, for this class, the important thing is to understand the concepts so that, as a manager, you can make educated decisions around technical concepts. You don’t have to know the math for Elliptic Curve Cryptography, nor do you have to memorize the seven layers of the OSI stack. You should be able to understand when someone says, “This is a layer 7 firewall,” though.
Day 2 is titled Protecting Data and Networks so, unsurprisingly, that’s the focus of the day. This day, similar to day 1, lays a foundation for security that covers the concepts and tools that we need to secure our data as well as the network infrastructure. The network portion also gives us the basic knowledge we need as managers to be able to understand why we would want to encrypt something at layer 3 vs. layer 7.
The day is pretty much split in half, with the focus of the first half being on encryption and privacy, and the second half being on networking. Encryption looks at:
- Encryption Concepts (things like symmetric vs. asymmetric encryption)
- Encryption algorithms; enough to have an understanding of how they work, but without having to do really hard math.
- Encryption applications; things like VPNs and Email encryption
- There’s also a short unit on privacy where we discuss the overlap of privacy and security and what some of the key privacy concepts are (PII, Consent, and some legal precedents)
The network section is a bit of a deeper dive as it’s good for managers of technical staff to have a slightly deeper knowledge base. With this knowledge you will have to ask fewer questions and you’ll be better prepared to discuss products with vendors and concepts with non-IT management. The sections are broken up in layers (TCP/IP stack layers, not OSI stack layers) and are as follows:
- Layers 1 and 2 overview and attacks
- Layer 3; more discussion on VPNs and encryption at this layer, as well as an introduction to IP version 6.
- Layer 4 with discussion of both TCP and UDP.
- Application layer discussing proxies, firewalls, and other technologies that apply to network layer security
Day 2 is a heavy day and your head will be very full by the end of it. However, I’m pretty confident that you’ll find it is either an excellent refresher for those who once knew this stuff really well, or a solid, practical introduction for those who may have come from non-technical areas of the business. In either case, it does a great job of preparing you for the topics around system security that come on day 3.
If you’re not familiar with it, this class is very true to its full name: Security Leadership Essentials. It’s designed primarily for two types of audience: 1) non-technical managers who have to manage technical security people, and 2) technical people who are now managers but haven’t had much formal management training. It works for a lot of other types of security professional too, but those two are the ones for whom it is really perfect.
This duality of audience means that the class has a bit of a duality itself. You’ll learn about the essential security concepts that security managers need, and you’ll get an introduction to management with a focus on managing a security program. For the management “half” the focus is, now more than in previous iterations, on managing a security program and interfacing with the business. We all know that security managers today need to understand and communicate in terms the business understands and this class helps with that. The technical “half” is designed to help you understand the key concepts that the teams you’ll manage deal with on a day-to-day basis. This helps to ensure that you and your team are communicating effectively, just as you must with management.
So what does day 1 bring? Day 1 is all about building a program. We understand that today, security isn’t just about buying fancy toys; it also includes communicating risk to the business and measuring how well you are identifying and mitigating those risks. This day is, like day 1 in most SANS classes, all about building the foundation for what is to come the rest of the week. The security program is the fundamental piece for the week. Topics include:
- Security Frameworks. Specifically control, risk, and program frameworks including introductions to the CIS 20 Critical Security Controls, NIST Cybersecurity Framework, and the FAIR model for quantitative risk measurement.
- Understanding Risk. How do we define, communicate, and measure it?
- Security Policy. While not everyone’s favorite, nor most thrilling topic, it is one that is crucial to the foundation of an effective security program. This section includes material from SANS MGT514 – Strategic Planning, Policy, and Leadership, also written by Frank Kim.
- The day ends with material focused on the Who, What, Why, and How, or the Program Structure. It delves into what all of the pieces of the program are and how you put people and process together into a workable format. This helps to ensure you have all of the necessary duties covered and an organizational structure that fits your company.
Along with those topics, there are some group discussions to alleviate what can seem like an endless number of slides. These discussions help you to better understand the frameworks you use, how you can quantify risk, and where you might have gaps in your policies. Day 2 gets technical pretty fast, so get ready.
Want an excuse to spend a week in New York City this summer? SANS is bringing MGMT512 – Security Leadership Essentials for Managers to New York in the Community format. Find details here.
After a great time in Nashville (minus all the problems caused by snow the week prior) I’m heading to Toronto to teach another round of 566. If you are looking to implement or audit the 20 Critical Controls, you need to register for this class. The SANS material is excellent and gives you plenty of tools to start the process on your own. The Toronto course runs April 13-17, details here.
A quick teaching update. SANS MGMT512 in Ottawa/Gatineau was a great group last month, thanks to those of you who attended. If you’re interested in implementing the 20 Critical Controls, I’ll be teaching SANS SEC566 (Implementing and Auditing the 20 Critical Controls) in Nashville starting March 9. If you’re in Canada, watch for Canadian events coming soon.