Leadership Laboratory
SANS Technology Institute's mission is to develop the leaders of the future for the information security industry. One of our admission requirements is that an applicant complete an essay describing leadership qualities they have demonstrated in the past.
Leadership Essay SANS Technology Institute
February 17th, 2009
By Algis Kibirkstis
Leadership in the information systems security world can cover a multitude of aspects and may also take on many different forms. While qualities such as demonstrable competence, integrity, the ability to delegate, communication skills and perseverance – not to mention an almost fanatical sense of passionate enthusiasm – are commonly found in today’s successful infosec leader, other traits are developed and demonstrated based on the working environments to which one is exposed. The successful leader is one who can drive requirements and objectives to their successful fruition, all while respecting business needs and corporate culture.
The telephony industry is one such environment. Due to contractually defined “five nines” expectations, telephony companies are historically sensitive to availability issues and would commonly go to great lengths to safeguard that promise to the marketplace.
One of the greatest challenges met by telephony over the last decade has been the inevitable and progressive migration from closed private networks towards the open, untrusted telecommunications network of the Internet. This necessitated a fundamental change in the way the industry views its production environment, and this change did not come easily. Their operating systems and network configurations, once protected by restricted physical access and obscure protocol implementations, had become extremely vulnerable once exposed to hostile surroundings. The need to consider confidentiality and integrity along with availability was difficult to assimilate for many old-school telephony archetypes, for in the past availability simply trumped all, and anything new that could jeopardize service availability could be summarily dropped in order to limit perceived risk to the core business – including the introduction of basic security-related mechanisms.
But times had to change. Working in a team to develop bleeding-edge telco-grade server systems, I was asked to make sense of a shopping list of security requirements coming from a high-profile customer. After gaining support from a receptive group of middle and senior managers, I was given the opportunity to lead a team to develop a comprehensive standards-based strategy for safeguarding the system and its assets, one that could be tuned and reused by other research & development teams in the company.
Starting small with an eager teammate, I was able to secure our attendance at a string of three SANS conferences over a period of 9 months, where we received invaluable training in different aspects of information systems security. During this time, as my colleague developed strategies and procedures for implementing and configuring operating systems and utilities, I provided guidance and prepared a security rule-set foundation that could provide the direction in developing more secure products, in a format and in language adapted to the culture and operations of the organization. I also spent a significant amount of time driving the program by evangelizing, raising awareness and networking with peers from other groups and departments, in order to come up with a strategy that could be supported in the short-term by consensus, if not by corporate policy.
Once the next product development cycle came up, I sat down with my colleague to hash out a man-hour estimate that withstood a tremendous amount of scrutiny from archetypes resisting change. My group then took on two interns who helped us implement, test, integrate, audit and document the delivery of the first product release at our company that addressed security as part of overall system design and development. The results exceeded expectations: we delivered on time and on budget, and the few trouble tickets we had received during system testing were quickly and effectively resolved. The rollback procedures that had been developed to quell persistent concerns were tested and deemed effective, but were never required once in production.
When our security-related progress was presented to a group consisting of various leads of other product development projects and the high-profile customer, my initiative was singled out as a model on how to address security in future projects, in that we respected the intent of customer requirements while also taking on the responsibility to develop and implement a comprehensive security plan for our product.