Use a simplified, prioritized, shared standard for security
Sager said in 2001 he "shifted my thinking" on sharing government security recommendations with the public. "I got permission to release all the security guidance that we were developing for the DoD to the public," he said. "You could go to NSA.gov and get the same security guidance as the DoD. It was all designed to be unclassified and sharable."
But, he said, it eventually became clear to him that despite his good intentions, this had contributed to the "fog of more." A private-sector associate told him that while he appreciated all the information, he was "drowning in this stuff. I need to know what should I do now. Not everything, but now."
That, Sager said, led him to convene a meeting with colleagues he trusted, where they whittled the list of "everything" down to 10 crucial security practices. That, in turn, was eventually adopted by the SANS Institute as a community consensus project, "and took on a life well beyond anything we expected. And it started with nothing more grandiose than the question: 'What should people do first?'"
That became part of what is now SANS' well-known "Top 20" list, the first five of which are: software whitelisting; secure standard configurations; application security patching; system security patching; and no administrative privileges while browsing the web or reading email.
"This is based on the 80/20 concept of security that most of your value is derived from a small set of things," Sager said. "It really matters, because that's how we're getting eaten alive. If you can't handle this, you can't handle more sophisticated threats."
And that led to his final thought on leadership: "The most common mistake of strong leaders I saw," he said, "was that they were great at telling you new things to do, but not so great at telling you what to stop doing.
"A lack of focus and priority is often a great weakness," he said, recalling the late Apple cofounder Steve Jobs saying he was just as proud of the 10,000 things Apple didn't do as the 10 things it did.
"If everything is important, then nothing gets done," he said.