Cyverity

Building a Strong Security Culture: Insights from the New SANS MGT521 Five-Day Course


Speakers: Lance Spitzner and Russell Eubanks

Event: SANS Webcast

Date: November 12, 2020 

YouTube Link: https://www.youtube.com/watch?v=fUWsn7qjlCQ 

In today’s cybersecurity landscape, human risk is often identified as the primary attack vector. While organizations have made tremendous strides in securing technology, the same level of focus and investment has not been applied to the human side of cybersecurity. Recognizing this gap, the SANS Institute has introduced an expanded version of its Security Culture course—Management 521 (MGT521)—a five-day intensive designed to address the “people” side of cybersecurity. 

This blog post outlines key takeaways and highlights from the recent webcast, “New Five Day Security Culture Course | MGT521 | SANS Institute”, presented by Lance Spitzner and Russell Eubanks. 

 

Why Focus on Security Culture? 

The new MGT521 course is built on the principle that human risk must be addressed with the same rigor as technological vulnerabilities. Research consistently shows that human factors—such as phishing, password misuse, and human error—account for 60-70% of breaches worldwide (Verizon DBIR). This makes security culture an essential element of any cybersecurity program. 

Instead of labeling people as the “weakest link,” Lance and Russell emphasize that people are often the primary attack vector due to insufficient training, communication, and cultural integration. The course aims to embed security into organizational culture, ensuring security initiatives are not only effective but also sustainable. 

 

What is MGT521? 

The SANS MGT521 course is part of the SANS Management Leadership Triad, which consists of: 

1. MGT512: Security Leadership Essentials for Managers (focused on technology leadership). 

2. MGT514: Strategic Planning, Policy, and Leadership (focused on strategy and alignment). 

3. MGT521: Security Culture (focused on people and culture). 

This triad equips future security leaders with the skills needed to excel in technology, strategy, and culture. The expanded MGT521 course delves deep into the human side of cybersecurity, blending proven cultural frameworks with real-world application. 

 

Key Takeaways from MGT521

1. The Importance of Aligning Security with Organizational Culture

One of the course’s primary lessons is that you don’t need to change your organization’s culture; instead, you should embed security into the existing culture. This involves mapping, defining, and aligning your security goals with your organization’s values and operational norms. 

Actionable Tip: Use frameworks and models from the course to assess your current culture and identify ways to seamlessly integrate security principles. 

 

2. Leveraging Established Cultural Frameworks

Culture is not a new concept—industries such as aviation and healthcare have long developed methodologies to foster safety and behavioral change. MGT521 adapts these proven frameworks, such as the Satir Model and the “Culture Iceberg,” to the cybersecurity domain. 

Actionable Tip: Use the provided frameworks to understand the underlying beliefs, perceptions, and behaviors of your workforce that influence security practices. 

 

3. Motivating and Enabling Behavioral Change

The course emphasizes the role of communication, incentives, and simplifying security processes to motivate change. For example: 

  • Motivational Models: Learn how marketing techniques like the “Golden Circle” can inspire behavior change. 
  • Simplification: Make security easy to understand and follow by “Marie Kondo-ing” your policies. 

Actionable Tip: Implement strategies that focus on removing barriers to security adoption, such as simplifying policies and providing clear incentives for good behavior. 

 

4. The Role of Leadership in Building Culture

Leadership plays a critical role in shaping and sustaining security culture. Day four of the course focuses on creating business cases and aligning security initiatives with organizational goals to gain executive support. 

Actionable Tip: Develop a business case that translates technical risks into business terms to secure buy-in from executives and stakeholders. 

 

5. Practical Application and Real-World Tools

The course goes beyond theory, offering: 

  • Interactive Labs: Hands-on exercises to apply what you learn. 
  • Capstone Project: A simulated environment to test your ability to build a security culture. 
  • Digital Resources: Templates, checklists, and reports to use immediately. 

Actionable Tip: Take advantage of the lab work and downloadable resources to jumpstart your initiatives and measure progress effectively. 

 

Course Structure and Highlights 

MGT521 is divided into five sections, each focusing on a key area: 

Day 1: Foundations of Security Culture 

  • Define and map culture. 
  • Understand frameworks like the Culture Iceberg. 

 

Day 2: Motivation and Behavior Change 

  • Learn how to inspire change using incentives and marketing techniques. 

 

Day 3: Enabling Change 

  • Simplify security processes and measure cultural impact. 

 

Day 4: Leadership and Influence 

  • Build effective business cases to gain executive support. 

 

Day 5: Capstone Project 

  • Apply all concepts in a collaborative, team-based simulation. 

 

Why Take MGT521? 

By embedding security into your organization’s culture, you can: 

  • Reduce human-related risks. 
  • Improve the success rate of technical initiatives (e.g., vulnerability management, DevSecOps). 
  • Strengthen communication and collaboration across teams. 
  • Gain executive support for cybersecurity programs. 

This course is ideal for experienced security professionals looking to elevate their leadership skills and address human risk effectively. 

 

Closing Thoughts 

The MGT521 course provides a playbook for embedding security into organizational culture. Combining academic rigor with real-world experience, the course equips security leaders with the tools, frameworks, and strategies needed to drive meaningful change. 

To learn more or register for the course, visit the MGT521 webpage.

 

Your Next Steps: 

1. Evaluate your organization’s current security culture. 

2. Explore the SANS Leadership Triad courses to identify your training path. 

3. Register for the MGT521 course to gain actionable insights and tools. 

By addressing the human side of cybersecurity, you can transform your organization into a more resilient, security-focused environment. Let’s build a stronger security culture together!