Business Case Studies for CISOs

With the Management Curriculum we have found that successful organizations work to build cybersecurity engagement with multiple levels of leadership. We refer to this as the Cyber Leadership Pyramid.


The technical skills required to build and improve core security capabilities are an important foundation of every security program. However, as teams mature and people progress in their careers, it is important to build both management and leadership skills to effectively implement projects, lead change, and align with business goals. Google found out the hard way what happens when you don’t value these skills.

If these skills are so important, though, how do you build them? It’s been said that “practice makes perfect” and that “experience is the best teacher,” but how do you gain that experience without going through the sometimes bitter real-world challenges firsthand?

In a prior blog post I mentioned the Cyber42 security leadership simulation. Certainly, games like these help make learning fun, engaging, and competitive. But is there something else that can place leaders in real-world business scenarios?

Enter the case study method pioneered by Harvard University. Case studies center around a challenge faced by a real or fictional organization and require security leaders to deal with real-life scenarios, discuss trade-offs of different approaches, and use various management tools to analyze available options. The goal of the case is not so much to come up with the right answer but to understand the pros and cons of why a decision was made.

Here’s an example from MGT514: Security Strategic Planning, Policy, and Leadership, which uses the case study approach extensively throughout the class.

PharmaCo is a large multinational organization with $25 billion in annual revenue, 70,000 employees, and offices across six continents. At the heart of PharmaCo’s culture is a heavy focus on innovation and R&D. In fact, it has created breakthrough drugs for the treatment of numerous medical ailments and has helped millions of people lead longer, healthier lives. Due to its success, competitors are constantly looking to take market share. There is increasing pressure to speed up the creation of new drugs in the face of this competition and the increasingly difficult regulatory environment. At PharmaCo, each individual business unit runs its own research and development and operations functions. As a result, security is currently decentralized across business units. Historically, this has not posed a problem, but recently there has been evidence of intrusions. Sensitive documents about product development plans have been found in the hands of outsiders.

Since starting at PharmaCo as the new CISO, Cheryl has had countless meetings with senior leaders, business partners, her direct leadership team and their staff. The feedback from senior leadership and business partners has been clear. Security is often seen as, at worst, a blocker and, at best, a team that drastically slows things down.

Does this sound familiar? If you have experienced this before, what would you do next? What management tools would you use to identify what the business needs? How would you lead your team in creating a business-focused strategic plan?

We’re glad to hear that students get value from these types of scenarios.

“Today’s final course was most excellent because we had several case studies we were able to apply what we learned this week to. The course was highly interactive and produced good discussion worthy of adopting some team member’s recommendations on approach.”

– Stephanie Butts

“Very practical stuff. I can take some things from Day 1 and immediately use them the very next week! They applied to both day-in-the-life experiences and the coursework.”

– Ken Kaufman, Providence

“Really good case studies and examples which prompted useful class discussion -this helps to — understanding.”

– Alexis Brownings, CERT-UK

“Unquestionably – one of the best tech courses I have taken in my professional career. This course stimulates serious introspection regarding security strategy and forward thinking.”

– G. S. McFather, Anthem

“The case study/class participation exercises were a fantastic vehicle to help understand the material. Great course! You should definitely attend if you are or plan to be in IT management.”

– Kevin Sciarra, CIGNA

Oh, one last thing. There’s also a challenge coin. If you are taking the class live (either in-person or live online) the members of the winning team get the MGT514 challenge coin.


The theme of MGT514 is “Strategic Security Leadership,” so one side of the coin represents the journey to your destination. Along this “roadmap” you see a brain, which represents the plan; a heart, which represents the emotional element of motivating people to implement the plan; and a lion, which represents the leadership skills required to execute the plan. At the end of the road is the emerald city that you, the hero, are searching for. Based on this Wizard of Oz theme, some small Easter eggs (scarecrow and oil can for the tin man) are also included.

The other side of the coin highlights the three phases of our planning process “Decipher | Develop | Deliver”. Graphically, it has the lions which represent leadership, a compass between the two lions, a north star, and the pyramid which shows up several times in class.

Look forward to seeing you in MGT514!

*** This is a Security Bloggers Network syndicated blog from SANS Blog authored by SANS Blog. Read the original post at:
