Frank Kim


How to Create a Successful Cybersecurity Course

June 22, 2020 by Frank Kim

I’ve been authoring and teaching security courses with SANS Institute for over ten years. While helping to develop the overall curriculum we’ve tried to create a number of successful courses. But what do we mean by “successful”? 

Many courses succeed to some degree, but let’s focus on the big winners: the courses that become wildly successful. What does it take to create a blockbuster?

Topic

“When a great team meets a lousy market, market wins. When a lousy team meets a great market, market wins.”

- Andy Rachleff

The most important element in producing a wildly successful cybersecurity course is to choose the right topic. If it’s too niche people won’t attend. If it seems too dull then people won’t be interested. Take compliance as an example. Nearly every organization has some compliance requirements they have to meet. As a result, there are plenty of people who have compliance responsibilities. Despite this potentially large target audience, I have not seen a compliance focused course attain blockbuster status. Such topics are often best served by sandwiching the “boring” but necessary material between sexier topics.

The best courses have a theme. Something that holds the course together from beginning to end. This theme is also evident in each of the individual learning objectives and helps drive the direction of the overall content. This is how you make something like compliance sexier. It’s just one part of the overall story.

The theme might not be obvious at first. As a kid I had a hard time finding the theme or unifying idea for my essays. Similarly, the theme for a course often won’t be obvious from the start. I’ve found that it can take months of iteration to land on a clear theme. 

So, how do you find a great course topic and corresponding theme? You might be thinking, “Just find a problem that people are having.” Of course! But, this is much harder than it sounds. It’s not enough that you think people are having a problem. It matters what your students and customers are actually doing. To figure this out you need evidence.

Create situations where you can get market feedback. See what conference talks are highly attended. Run your own webcasts. For me the most interesting part of any talk is the questions asked by the audience. If you take the time to truly listen, these questions provide critical insight into the problems that people are having.

Talk to people but, more importantly, see what they do. Are there unexpected people with specific job roles attending certain classes or events? Are senior managers attending highly technical sessions? If so, it could point to an unmet need.

You’ll know when you’ve landed on a great topic. People will seemingly just show up.

Team

“When a great team meets a great market, something special happens.”

- Andy Rachleff

It’s actually pretty rare for a course to just become a blockbuster. More often you have a blockbuster idea but it takes hard work to turn it into a success. This is why the team is so important. When writing a course, the authorship team can have one or multiple authors.

First off, a course author has to have a deep love for the topic. You can’t teach this. They have been working in that specific area, have seen the problems first hand, and want to share with the world how to solve those problems. 

Writing a course is extremely hard work. It’s one of the more difficult things I’ve done professionally. It takes a certain mindset to see a course to completion. Part of this is understanding that a successful course is a never-ending journey. The course is never “done” because it has to adapt to changing conditions and requires regular updates. You almost have to be thinking about it constantly. It truly is a labor of love.

The most successful course authors just get stuff done (#GSD). How do you know if someone is action oriented? There are small indicators like proactively identifying next steps and starting them even before the meeting ends. There are also more important indicators like taking the time to build a relationship with their co-authors and reaching out on a regular basis to get feedback on new material. Being open to feedback can be hard for some people. Prioritizing the feedback and acting on it can be even harder. 

Things like work ethic, discipline, and being a lifelong learner matter. Combine these with the love and you have a winning combination. If the team doesn’t have these characteristics the course still might be successful but it usually becomes evident at some point the course won’t “cross the chasm” and fulfill its ultimate potential. 

Timing

“You’ll break your pick for years trying to find customers who don’t exist for your marvelous product, and your wonderful team will eventually get demoralized and quit, and your startup will die.”

- Marc Andreessen

It’s possible to have a great topic and a great team but the course still doesn’t do well. Usually this is because of poor market timing. You don’t want to be too early but you don’t want to be too late. 

How can you tell if your timing is good? Based on your research, talking to customers, and observing their behavior you should have a good sense of industry trends. But for a cybersecurity course you want to identify entrenched industry trends. It doesn’t do you any good to be right about a nascent trend because there won’t be enough students. For example, everyone knows the cloud is now inevitable. But if you created a cloud security curriculum the year after AWS launched you weren’t likely to get much traction. There also needs to be a market catalyst. For cloud that is digital transformation and the need for companies to move faster, change cost structure, and take advantage of accelerated macro trends.

So, how do you know if you have a blockbuster on your hands? That’s the trick. Topic, team, and timing. These are simple ideas but it turns out that they’re not so simple to get right.


Five Cloud Security Considerations for CISOs

April 03, 2020 by Frank Kim

This article was originally published on the RSA Conference site.

How should cybersecurity leadership be adjusting and reacting as cloud strategies and systems expand within their organizations?

When moving to the cloud, the question for CISOs becomes: How do we make sure that our cloud is at least as secure as, if not more secure than, the legacy on-premises environment from which we’re moving? It’s an essential question to answer. After all, data from the SANS 2020 IT Cybersecurity Spending Survey shows that the biggest factor causing existing security architectures to break, and thus causing much of the new security spending, is the rapid movement of business apps and services to cloud-based technologies.

That’s because a move to the cloud is about much more than just migrating workloads to servers hosted by a third party; the cloud represents a new way of doing business, new technologies supporting the business, new rules around ownership and responsibility, and new cybersecurity considerations to take into account.

For CISOs, the path forward into the cloud must be preceded by strategy. As you’re devising your cloud security plan, here are five things to keep in mind.

1) Understand Your Business Drivers

Step one for CISOs is figuring out your cloud roadmap, which means you need to assess your organization’s risk appetite and business drivers. There are many different ways to adopt the cloud—you can go with a single cloud provider, multi-cloud or a hybrid cloud architecture; you can dip your toes in by moving one workload to the cloud, take a phased approach or go whole hog into the cloud. From a leadership perspective, it’s really about understanding your business drivers and what critical security controls need to be in place to support these goals. Once you’re able to identify your reasons for moving to the cloud, you’ll be better able to lay out your objectives and roadmap to accomplish what you need to in year one, two, etc.

2) Build a Deep Technical Bench

With the move to cloud, cybersecurity needs to be prepared to evolve. It’s gotten to the point, in terms of industry momentum, where every cybersecurity professional has to be knowledgeable about the cloud to varying degrees. As a CISO, you need to make sure that your security team is staffed with people who know about the features of the various clouds you are deploying, what those services are used for and the configuration settings for that particular cloud. With the current shortage of skilled workers, many CISOs are getting creative and investing in cloud-focused cybersecurity training to reskill current staff.

3) Enable Automation

One of the big concepts of the cloud is that it makes automation substantially easier compared to the pre-cloud environment where people had to set up their own duplicative infrastructures to spin things up. You’re not taking full advantage of all the cloud benefits if you’re not implementing automation and DevOps, too.

4) Focus on Applications

The move to the cloud has abstracted the servers and hardware away, changing the rules of the game when it comes to ownership. Cloud providers operate on a shared responsibility model, where the provider is responsible for certain layers, but the customer is responsible for data and applications. In order to keep all your organization’s information secured, prepare your team to focus more on understanding the application layer, where their responsibilities likely lie. The issue of shared responsibility had a spotlight shined on it last year with the highly publicized Capital One data breach that brought into question whether AWS or Capital One was at fault.

5) Enhance Visibility

In the wake of that Capital One data breach, AWS enhanced some of its services that had played a part in this breach occurring. It also added some tagging functionality that identifies which version of the service is being used. That extra data gives companies more insight into the things that could be going wrong. Visibility — one of the top cloud concerns expressed by respondents to the SANS 2019 Cloud Security Survey — is key in the cloud. This ties back to the need to build a deep team with a technical knowledge base. Yes, your team needs to know what attacker behavior and common attacks look like, but they also need to know what features are available within the cloud services that would ultimately help you detect malicious and anomalous behavior.


To Survive and Thrive Here's What CISOs Need to Know About DevOps

March 05, 2018 by Frank Kim

I was having a drink with a friend. He took a sip, slowly placed his half full glass on the table and said, “I finally realize what I hate about DevOps. It’s just another excuse for developers to have root access in production.”

Why did he say this? Why did my friend have such a negative perception about a movement and a way of working that is transforming development and information technology?

To answer these questions and build modern security programs CISOs and security leaders must understand, support, and adopt DevOps practices.

Understand DevOps

At the heart of DevOps is the automated CI/CD pipeline.

CI stands for Continuous Integration. It’s the phase where the application is automatically built and packaged.

CD stands for either Continuous Deployment or Continuous Delivery.

In Continuous Deployment changes are automatically pushed to production. This is what my friend had a negative reaction to. In this scenario developers can check in code and push changes all the way to production, seemingly giving them root or administrative access in production (depending on your point of view).

Continuous Delivery, on the other hand, requires the operations team to pull changes and deploy them to production. The application is always ready to be deployed but a manual step is required to release changes.

The key point, because the application is ready to be deployed at any time, is that technology is no longer a limiting factor in how fast an organization can move. Choosing one approach over the other is based on compliance, regulatory, and other business drivers.

Support DevOps

I have heard respected security leaders state that developers should not push code to production. Period. I don’t agree.

The decision of when code gets pushed to production, how frequently updates are made, and who performs this work is a business decision. Period.

Organizations want to get products and features to market faster. As a result, the DevOps CI/CD pipeline must run quickly and efficiently. This means that we can’t run security tests and scans that take weeks, days, or hours. Sometimes a scan that takes even just a few minutes at the wrong point in the pipeline can be a bottleneck.

Similarly, technology should no longer be a limiting factor on how fast we can patch critical security vulnerabilities. You’ve probably seen it before. A simple SQL Injection vulnerability is found on your web site. It takes the developer less than an hour to fix it. But, before it goes into production it has to go through QA testing, acceptance review, management review, business review, CAB approval, and a host of other process items that, depending on the organization, can take hours, days, or even weeks.

With an automated DevOps pipeline, high-performing DevOps teams have been shown to have 440x faster lead times than their lower-performing peers while also spending 50% less time remediating security issues [1]. Reducing the window of exposure is a huge step in mitigating business risk from security issues.

Security teams must understand the different phases of the DevOps pipeline and the appropriate processes and tools that can be injected into the Pre-Commit, Commit, Acceptance, and Production phases.
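The phases named above, and the two release models described under “Understand DevOps”, can be made concrete with a small model of a gated pipeline. The following is an added example, not code from the original post or from SANS: the check names, the per-phase time budgets, the two sample change sets and the “known bad” dependency list are all constructed for illustration. It shows three things the text describes in prose: fast checks sit early (a secret scan before commit), heavier checks sit later, a check that does not fit its phase’s budget is reported as the bottleneck to move, and a clean run either auto-releases (Continuous Deployment) or stops as “ready” awaiting a manual release (Continuous Delivery).

```python
"""Added example (not from the original post): security gates modelled across
the Pre-Commit, Commit, Acceptance and Production phases of a CI/CD pipeline,
with the Continuous Deployment vs Continuous Delivery decision made explicit.
Budgets, checks, sample change sets and the vulnerability list are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Pipeline phases named in the post, in execution order.
PHASES = ["pre-commit", "commit", "acceptance", "production"]

# Constructed wall-clock budget (seconds) a check may consume in each phase.
# A check needing more than its phase's budget is the bottleneck the post
# warns about and should move to a later phase.
PHASE_BUDGET = {"pre-commit": 10, "commit": 300, "acceptance": 3600}


@dataclass
class Check:
    name: str
    phase: str
    estimated_seconds: int
    run: Callable[[dict], List[str]]  # returns findings; empty list = pass


# Constructed change sets standing in for a pull request: a code snippet
# plus the dependency versions the change would deploy.
BAD_CHANGE = {
    "diff": 'db_url = "postgres://app:Sup3rSecret@db/prod"\n'
            'query = "SELECT * FROM users WHERE id=" + user_id\n',
    "dependencies": {"requests": "2.19.0", "flask": "1.1.2"},
}
CLEAN_CHANGE = {
    "diff": 'query = "SELECT * FROM users WHERE id = %s"\n',
    "dependencies": {"flask": "1.1.2"},
}

# Constructed placeholder for a vulnerability feed: (name, version) pairs.
KNOWN_BAD = {("requests", "2.19.0")}

CREDENTIAL_IN_URL = re.compile(r"://\w+:([^@\s]+)@")
SQL_CONCAT = re.compile(r'SELECT[^"\n]*"\s*\+')


def check_secrets(change: dict) -> List[str]:
    """Fast pre-commit check: credentials embedded in connection URLs."""
    return [f"credential in URL (starts with {m.group(1)[:3]}...)"
            for m in CREDENTIAL_IN_URL.finditer(change["diff"])]


def check_dependencies(change: dict) -> List[str]:
    """Commit-phase check: dependency versions against the constructed feed."""
    return [f"known-vulnerable dependency {n}=={v}"
            for n, v in change["dependencies"].items() if (n, v) in KNOWN_BAD]


def check_sql_concat(change: dict) -> List[str]:
    """Commit-phase SAST-style check: string concatenation into a SELECT."""
    return ["string concatenation into SQL statement"] if SQL_CONCAT.search(change["diff"]) else []


def check_dast_stub(change: dict) -> List[str]:
    """Stand-in for a long-running dynamic scan; always passes here."""
    return []


CHECKS = [
    Check("secret scan", "pre-commit", 2, check_secrets),
    Check("dependency check", "commit", 30, check_dependencies),
    Check("sql concatenation scan", "commit", 60, check_sql_concat),
    # Deliberately placed in the wrong phase: 30 minutes does not fit the
    # 5-minute commit budget, so misplaced_checks() reports it.
    Check("dynamic scan", "commit", 1800, check_dast_stub),
]


def misplaced_checks(checks=CHECKS) -> Dict[str, str]:
    """Map each over-budget check to the earliest later phase whose budget fits it."""
    out = {}
    for c in checks:
        if c.estimated_seconds <= PHASE_BUDGET.get(c.phase, float("inf")):
            continue
        later = [p for p in PHASES[PHASES.index(c.phase) + 1:]
                 if c.estimated_seconds <= PHASE_BUDGET.get(p, float("inf"))]
        out[c.name] = later[0]  # production has no budget, so a phase always exists
    return out


def run_pipeline(change: dict, mode: str = "delivery", checks=CHECKS) -> dict:
    """Run checks phase by phase, stopping at the first phase with findings.

    mode="deployment": a clean run is released to production automatically.
    mode="delivery":   a clean run is marked ready; release is a manual step.
    """
    report = {"results": {}, "blocked_at": None, "ready": False, "released": False}
    for phase in PHASES[:-1]:
        phase_findings = {c.name: c.run(change) for c in checks if c.phase == phase}
        report["results"][phase] = phase_findings
        if any(phase_findings.values()):
            report["blocked_at"] = phase
            return report
    report["ready"] = True
    report["released"] = (mode == "deployment")
    return report


if __name__ == "__main__":
    for label, change in (("bad", BAD_CHANGE), ("clean", CLEAN_CHANGE)):
        print(label, run_pipeline(change, mode="delivery"))
    print("move these checks:", misplaced_checks())
```

The budget numbers are the point to adapt: a real pipeline’s pre-commit hook budget is seconds, the commit stage minutes, and anything longer belongs in acceptance or in production monitoring rather than in the path every developer waits on.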

For reference, we put together a poster that lists a number of free tools that can be used in your DevOps pipeline. Click on the image to download a high resolution version.

[Image: SANS SecDevOps Toolchain poster]

Adopt DevOps

For years the security industry has struggled to mature foundational security capabilities.

When I ask my students and clients if they have a mature and comprehensive asset inventory, less than 5% answer affirmatively. Tracking via spreadsheets and de-conflicting multiple sources of data remain big challenges. With modern practices like Infrastructure as Code we have the potential to know about every system that is deployed via the DevOps pipeline.

Implementing secure configurations has also been elusive. Using configuration management tools we can now ensure that systems are deployed from the beginning with standard settings.
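The two preceding points, an asset inventory derived from Infrastructure as Code and standard settings enforced before deployment, can be demonstrated together on the artifact the pipeline already produces: the plan. The following is an added example, not code from the original post or from SANS. The plan is a constructed document shaped like `terraform show -json` output (a `resource_changes` list with a `type`, an `address` and the `after` attributes); the baseline rules (owner tag present, SSH not open to the world, instance metadata requiring session tokens, bucket ACL private) are this example’s own assumptions rather than any vendor benchmark.

```python
"""Added example (not from the original post): build an asset inventory from an
Infrastructure-as-Code plan and check each asset against a secure-configuration
baseline before the pipeline deploys it. The plan document is constructed in
the shape of `terraform show -json` output; the baseline rules are assumed."""
import json
from collections import Counter
from typing import Dict, List, Optional

# Constructed plan: three resources the pipeline is about to create.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance", "name": "web",
     "change": {"actions": ["create"], "after": {
         "instance_type": "t3.small",
         "tags": {"Owner": "web-team", "Environment": "prod"},
         "metadata_options": [{"http_tokens": "optional"}]}}},
    {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
     "change": {"actions": ["create"], "after": {
         "tags": {},
         "ingress": [
             {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
     "change": {"actions": ["create"], "after": {
         "acl": "private", "tags": {"Owner": "sec-ops"}}}},
]})


def build_inventory(plan_json: str) -> List[Dict]:
    """Every resource the plan creates or updates becomes one inventory row."""
    plan = json.loads(plan_json)
    rows = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"].get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # being removed; no longer part of the deployed estate
        after = rc["change"].get("after") or {}
        rows.append({
            "address": rc["address"],
            "type": rc["type"],
            "owner": (after.get("tags") or {}).get("Owner"),
            "attributes": after,
        })
    return rows


def summarize(inventory: List[Dict]) -> Dict[str, int]:
    """Counts per resource type: the 'what do we actually have' question."""
    return dict(Counter(row["type"] for row in inventory))


# Baseline rules (assumed for this example). Each returns a finding or None.
def rule_owner_tag(row) -> Optional[str]:
    return None if row["owner"] else "missing Owner tag"


def rule_ssh_open_to_world(row) -> Optional[str]:
    if row["type"] != "aws_security_group":
        return None
    for rule in row["attributes"].get("ingress", []):
        covers_ssh = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if covers_ssh and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return "SSH (22) open to 0.0.0.0/0"
    return None


def rule_imdsv2_required(row) -> Optional[str]:
    if row["type"] != "aws_instance":
        return None
    opts = row["attributes"].get("metadata_options") or [{}]
    if opts[0].get("http_tokens") == "required":
        return None
    return "instance metadata does not require session tokens"


def rule_bucket_not_public(row) -> Optional[str]:
    if row["type"] == "aws_s3_bucket" and row["attributes"].get("acl", "private") != "private":
        return f"bucket ACL is {row['attributes']['acl']}"
    return None


RULES = [rule_owner_tag, rule_ssh_open_to_world, rule_imdsv2_required, rule_bucket_not_public]


def check_baseline(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Findings keyed by asset address; an empty dict means the plan may proceed."""
    findings = {}
    for row in inventory:
        hits = [f for f in (rule(row) for rule in RULES) if f]
        if hits:
            findings[row["address"]] = hits
    return findings


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_PLAN_JSON)
    print(summarize(inv))
    print(json.dumps(check_baseline(inv), indent=2))
```

Run as a pipeline step, a non-empty result from `check_baseline` is the gate: the same plan that would create the asset is the record that it exists and the evidence of how it was configured, which is what makes the inventory trustworthy without a spreadsheet.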

There is a lot of great work happening in the security orchestration and automation space. It’s exactly this type of approach that is the foundation of DevOps. But, it requires security teams to embrace modern DevOps practices such as Continuous Delivery, Infrastructure as Code, and functionality exposed via APIs to automate tedious and error-prone work.

Understanding, supporting, and adopting DevOps practices helps us take steps in the direction of continuous security. Embracing DevOps ensures that you won’t miss the boat of a movement that is going to happen with or without you. And you just might see that the glass is actually half full, not half empty. 

 

Thanks to Jaynie Bunnell for reading drafts and providing feedback on this article.

[1] Per the Puppet State of DevOps Report: https://puppet.com/resources/whitepaper/state-of-devops-report


Copyright © 2021 Frank Kim