MGT553: Cyber Security Training at SANS Stay Sharp Spring 2023

Provided by

Enquire about this course

What You Will Learn

Open in Case of Emergency

You can't predict or pick when your organization will face a major cyber incident, but you can choose how prepared you are you when you face it. While there are broad technical aspects to cyber incidents there is also a myriad of other activities that generally falls to executives, managers, legal, press, and human relations staff. These include communicating both internally and externally, considering the battle rhythm and a look at methodologies for tracking information gathered and released to the public.

This course empowers you to become an effective incident management team member or leader; ensuring you fully understand the different issues facing incident commanders in the immediate, short and medium term. As well as becoming comfortable with terminology, you will understand what preparatory work you can undertake at different stages to help you get ahead of the situation. MGT553 was developed to ensure efficient management of a diverse range of incidents with a focus on cyber; however, the methodology, concepts and guidance will apply to many regular major and critical incidents.

"Probably the most important part to an organization - how to get their operation functioning again and sorted out with the structure and governance to cover the areas." - Peter Leonhardt


This course will help your organization:
  • Develop staff that know how to lead or contribute to a cyber incident management team
  • Manage your incidents more effectively and thus resolve them quicker
  • Understand the gaps in your security incident plans and response strategies
  • Create higher performing security teams
  • How to make sense of different incident response frameworks
  • Understanding the importance of scoping incidents correctly
  • The ability to define the incident management team's objectives
  • Recognition of the importance of managing a team under extreme pressure
  • Awareness of human responses to facing catastrophically impactful urgent changes
  • How to structure, manage, and deliver briefings to upper management and the board
  • Planning and controling communications when managing a serious incident
  • Communicating with attackers and the pros and cons thereof
  • Where and how to track the incident
  • Planning, coordinating, and executing counter compromise activities
  • Understanidng types and contents of incident resports both during and post closure
  • Steps on how to close the incident and return to business as usual

MGT553 uses case scenarios, group discussions, team-based exercises, and in-class games, to help students absorb both technical and management topics. We follow along as a fictious company deals with a network breach from start to finish.

Section 1: Reviewing the initial incident briefing, Capture initial information and generate intial tasks, Setting the objectives for the IM team, crisis communications: briefing the executives

Section 2: Dealing with the attackers, Drafting public statements, Crisis communications: briefing the wider team, Prioritizing the data and system remediation planning, Running an example tabletop exercise

"All the labs are fantastic and really grounded in reality. Really useful thought experiments and training." - Luigi Ritacca


Section 1: Scoping, defining, and communicating about the incident.

Section 2: Damage control, reporting, closing the incident and training the wider team.

  • Electronic courseware containing the entire course content
  • Printed course books
  • Access to the Cyber Incident Management Tool Kit
  • MP3 audio files of the complete course lecture
  • Access to a new Discord server to chat about the course
  • Immediate actions for dealing with ransomware
  • Training plans, report templates, incident frameworks and other cheat sheets
  • MGT512: Security Leadership Essentials for Managers
  • MGT514: Security Strategic Planning, Policy, and Leadership
NOTE: Some course material for SEC504 and MGT553 may overlap. SANS recommends SEC504 for those interested in a more technical course of study, and MGT553 for those primarily interested in a leadership-oriented but less technical learning experience.


Start date Location / delivery
27 Mar 2023 Virtual Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...