SANS Software Security Institute

Security Laboratory

Please enjoy this series of interviews with the thought leaders in software security. If there is someone missing whose voice you feel should be heard, drop me a note, stephen@sans.edu.

What is a Security Thought Leader

March 22nd, 2008
By Stephen Northcutt

The SANS.edu Security Thought Leader project began with a simple Google query. I had landed on a Cisco web page titled: Cisco Federal Security Thought Leadership.[1] I looked at the page and did a double take. It had topics, it had pictures, but it did not have people; well, John Stewart was at the very bottom. So, I started wondering, just how does one define "security thought leadership"? I went to Wikipedia and their opening statement is: "Thought leader is a buzzword or article of jargon used to describe a futurist or person who is recognized among their peers and mentors for innovative ideas and demonstrates the confidence to promote or share those ideas as actionable distilled insights (thinklets)."[2]

I do not totally agree with the definition, but since it is Wikipedia, it will evolve. But, key points of thought leadership clearly include:
  • Person - things cannot be leaders
  • Recognized by their peers, a person is not a thought leader simply because they call themselves that
  • Mentors, a thought leader passes their information on to help others
  • Innovative ideas, so we have the concept of intellectual leadership
  • Shares ideas as actionable distilled insights, I was never big on the whole thinklet craze, but actionable makes all the sense in the world to me

In our industry, information security, we tend to overuse the term. I did a Google search, March 20, 2008, for security thought leader and there were 2,430,000 results.[3] That's a lot of leadership. Or misuse of the term. Oh, I forgot, use quotes. I redid the search as "security thought leader" and the number dropped way down. Oddly, another thing ended up as page one, hit one from Google, a press release for "Oracle Recognizes Integrigy as Oracle Applications Security Thought Leader". This is a bit scary; some company I have never heard of leads the entire planet as the number one security thought leader. It isn't Gene Spafford, Richard Clarke, Marcus Sachs, Amit Yoran, Marty Roesch, Anton Chuvakin, or even Oracle's own Mary Ann Davidson. This needs to be fixed!

So, I have started the Security Thought Leader project. Over the years I hope to introduce you to some really great men and women. They will each meet the criteria we have defined (with Wikipedia's help) for thought leadership. And I could certainly use your help; what are the chances I know everyone that is a real thought leader for a field the size of information security in a world as vast as ours? ZERO. So, if you know someone special that has made a major contribution to the field, give me an introduction please, stephen@sans.edu.

1. http://www.cisco.com/web/strategy/government/usfed_security_leadership.html
2. http://en.wikipedia.org/wiki/Thought_leader
3. http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=bs9&q=security+thought+leader&btnG=Search
4. http://www.integrigy.com/news/press-releases/integrigy-thought-leader/
5. http://www.sans.edu/resources/securitylab/marty_roesch_int.php
6. http://www.sans.edu/resources/securitylab/loglogic_chuvakin.php
7. http://www.sans.edu/resources/securitylab/41/