Preface
SANS Technology Institute -- Preparing the technical leaders who will direct corporate and national cyber defense in a world of accelerating cyber crime and cyber warfare
Two hundred years ago, as a young nation was recognizing that it would soon have to fight a war with a European power, the US established an academy at West Point to provide instruction in engineering and artillery. Today, a more mature United States is facing a new type of threat – cyber warfare and cyber crime – primarily from hostile nation states, but also from organized crime and terrorist groups.
The extensive damage done through cyber attacks against government and industry has been the subject of multiple US Congressional Hearings. Adding to the military attacks, organized crime groups and terrorist groups are taking more than $10 billion each year from US companies and those of our allies – with some of the money being used to buy the bombs that are killing soldiers and innocent civilians. Tens of billions of dollars have been lost to organized crime. Cyber security is not simply a military problem; most of the attacks target commercial companies, civilian government and even individuals’ bank accounts. Where West Point could be a military academy, the institution that trains the next generation of leaders in cyber defense and cyber warfare must take on a broader audience. That is the role being shaped by SANS Technology Institute ("STI").
Non-technical managers are hindering progress in building better defenses. That is why STI’s security leadership programs will require each student to succeed in intensive technical courses as well as management courses. In other words, our goal is to shape leaders who have as complete a package as possible of technical and management skills and knowledge and the communications skills that make that other knowledge valuable.
These are all lofty goals and we recognize that we have much to learn in improving our graduate institution to accomplish such goals. The Middle States Commission on Higher Education (MSCHE) application for candidacy process has helped us understand how much we have to learn and also has helped us make substantial progress. We look forward to continuing to improve and to learn as we move through the steps toward accreditation.
- Preface by Alan Paller, Chairman, STI Board
Brief History and Overview
The parent company of STI was established in 1989. The parent company, Escal Institute of Advanced Technologies, a Delaware corporation, was originally established to create multiple institutes in various areas of technology, but later its board of directors decided to focus on one technology area – cyber security. Therefore it does business as the SANS Institute, or more commonly simply as SANS. SANS' mission, from inception, was to provide graduate level education to the men and women who would become responsible for cyber security in corporations, universities, and government agencies. It is a privately held company, and its shareholders are Alan and Marsha Paller.
SANS began by providing short training classes in a few areas of cyber security. Over time, as the body of knowledge in cyber security grew and as the professionals in the field took on greater responsibilities, SANS courses kept pace, both in number and in depth. Today SANS offers more than 20 major courses. Newer courses have added management and legal and policy dimensions to round out the cyber security professionals’ capabilities. SANS also added optional research and writing projects for those who wanted to demonstrate a deeper understanding of the material. On average, more than 14,000 cyber security professionals complete at least one course from SANS each year. More than 85,000 people have completed at least one full-length course.
Late in 2003, several SANS students approached their faculty members and asked whether SANS could make it possible for them to use SANS courses, in part, to fulfill requirements for graduate degrees they were pursuing or hoping to pursue. They maintained that the SANS courses they were taking were at least as rigorous and far more up-to-date than the courses in their graduate programs, and they also explained that their employers would allow them to take SANS courses covering a much larger part of cyber security, if SANS courses were part of a graduate program. In response, SANS approached the Maryland Higher Education Commission (MHEC) to pursue licensure as a graduate degree-granting institution. After an extensive review period and substantial improvements in SANS’ governance processes, on November 16, 2005, MHEC voted unanimously to authorize SANS to grant graduate degrees. SANS Technology Institute (STI) was born.
STI is not a typical brick and mortar institution. Rather, the courses are held at various "residential institutes" in hotel locations. Online training is available as well. More detail about the residential institutes and online training is provided later.
The following describes the relationship among STI, SANS, and GIAC. (GIAC is the acronym for the Global Information Assurance Certification.) SANS is the parent of STI and of GIAC. SANS fosters original research in information security and codifies the results into high quality educational material. STI makes use of the SANS educational materials. STI uses the services of GIAC to assist in assessing mastery of the educational material through exams and papers. The GIAC certification exam is available for key areas of information security. When a person passes the GIAC certification exam, thereby earning GIAC Certification, it is evidence that the person has the knowledge needed for that area of information security. GIAC "Gold" Certification is earned when the person passes the paper related to the subject area. The following quote, by the out-of-state consultant used by the Maryland Commission on Higher Education to assist in its review of STI, is evidence of the quality of the educational materials:
Not only have SANS courses become a staple in security, they are mission-critical. And I use this phrase carefully and without exaggeration. SANS is the only educational environment that fully recognizes and appreciates the critical importance of currency and relevance. I should mention that as a computer scientist who specializes in Internet security, I attend SANS training several times a year to maintain currency. What is more, as Director of the School of Computer Science, I send three other PhD-level faculty to SANS courses as well. Like other universities, while our research and educational offerings are laudable, we simply cannot duplicate the infrastructure, expertise and technical staff to duplicate the SANS experience without incurring enormous additional expense. In a very real sense, SANS occupies a unique and indispensable role in digital security that even the leading computing programs in the world cannot duplicate.
Note: The "■" symbol is used throughout this document to indicate areas where we believe we need to improve or have recently improved. A summary of those areas is in the concluding chapter.
Chapter 1: Standard 1 - Mission and Goals
Mission: The mission of SANS Technology Institute (STI) is to develop the information security technology leaders needed to help strengthen the defensive information community all over the world by improving the security of cyberspace. STI seeks to prepare both the managers of information security groups and the technical leaders who direct security technology programs. STI's primary functional emphasis is instruction, but the Institute faculty and students will engage in research and public service programs that contribute to the learning process. (Please note that we place strong importance on the word "leaders" in our Mission Statement.)
Vision: Our goal is to create the next generation of leaders in the field of information security and risk management. We want to make strong efforts to attract applicants with leadership qualities, and provide them with training to enhance those leadership abilities.
The Mission Statement was adopted upon the origination of the college and is consistent with STI's authorization in its governing document. The Mission Statement has been approved by the STI Board and is appropriate to a degree granting institution of higher education for many reasons. Corporations desperately need security professionals who are both technically advanced and who have effective communications/management skills. While reviewing STI’s application to establish new Master of Science degree programs, the Maryland Higher Education Commission (MHEC) received several comments which provided overwhelming evidence that the demand for STI's graduates is very real and not being filled by other institutions. The Appendix ("App") summarizes the comments about need in App-1.
The Mission Statement is widely published and understood. It is included in the following: the governing document; the front page of the institution's website, which is the institution's Catalog and Student Handbook; each year's Strategic Plan, which is reviewed by the Committees/Board; the Faculty Handbook; and the STI Brief, which is the presentation delivered at Residential Institutes to persons who are interested in learning more about STI. In December 2008, we sent out a survey asking if students were familiar with the Mission Statement. The survey questions are in App-31. Two new students said they were not familiar with the Mission Statement, so we made the following improvement.
■ Recent Improvement. Materials for new students were revised to include information about the Mission Statement.
For a discussion about our review and assessment to determine if we are achieving our mission, see Chap. 7, p. 28.
STI benefits external constituencies by its training of the persons who can help organizations and governmental agencies defend the security of their information systems. As STI's Chair stated: when an organization or governmental agency realizes that it has not secured its systems sufficiently, it will ask these questions: What do I have to do to protect a computer, how much is enough, when do I stop, who can I trust? STI's mission is to create that cadre of people who can be trusted to answer those questions with authority and with the skills to make that authority acceptable to the people who have to make the decisions and allocate the resources and do the hard things that it actually will take to secure the organizations and the nation.
The following are some of the ways that STI benefits the defensive information security community, other external constituencies, students, and faculty. STI publishes articles in the Leadership Lab and Security Lab on its website; students' presentations and projects are posted to the website; and STI manages the Internet Storm Center (ISC), which is an important research facility in this field and has its own website. As stated in our Strategic Plan, we want to continue to increase our involvement in research that provides benefit to the defensive information security community, students, and faculty.
The following major strategic goals from our Strategic Plan (SP) are consistent with our mission:
Academic Program and Curriculum Review. At least annually, the institution will review its criteria for the admission of students, its academic programs, and curriculum. It will determine if they still are central to its mission, provide quality, meet demand, and are cost-effective. If it is determined that changes should be made, then those changes will be implemented.
Mentoring/Guidance Leadership Positions. We will provide mentoring/guidance to those graduates who would like support in achieving leadership positions.
■ Recent Improvement. Our SP for 2009 recently was approved and one of the new goals is as follows: Within five years after accreditation is earned, and within the first three years after graduation, 30% of those persons who have graduated from STI will be in leadership positions. We will provide mentoring/guidance to those graduates who would like support in achieving leadership positions as a strategy in achieving that goal.
* * * * *
Over-all Outcome Statement by Student. The Outcome Statement helps STI determine if an applicant's goals/interests fit STI's goals/interests, and if STI's goals/interests fit the applicant. It basically asks: If a person commits to successfully completing the master's program, what does that person expect the outcome in his/her life to be? We place a stronger focus on a student's goals than many institutions do. We believe we will create stronger leaders by doing so. We review the Outcome Statement as part of the admission review process; and after a student is accepted, we review it periodically (annually, and before assigning the group projects in order to try to tailor the project to the students' aspirations) to determine if progress is being made toward achieving the student's desired outcome. The penultimate review of the Outcome Statement takes place shortly before the student graduates. The effectiveness of the Outcome Statement is described in Chap. 14, p. 74.
Leadership Essay. Why does STI require a leadership essay for admission, and why does STI post the essays on the Leadership Lab on its website? One can see from STI's Mission Statement that the focus is to develop "leaders." The Admissions Committee looks at the leadership essay for evidence of leadership experience and potential, and it also functions as a sample of writing skills, which we believe are important to leadership. We post the leadership essay to the website so others can see the type of student we are accepting, the level of leadership they have at this point and, as they develop through the system, what they will hopefully become. The strength of an academic institution is measured by the success of its alumni. When STI alumni are recognized as a group of consistent leaders in information security, we will truly be able to say we are meeting the goals of our Mission Statement.