We just wrapped up the 2019 SANS Security Awareness Summit in San Diego, California. Over 300 security awareness professionals came together from across the globe to learn from and share with one another other. Simply put, it was amazing! Awareness folks are some of the friendliest, passionate, and most interactive people I’ve known. In this post, I want to share with you some thoughts, lessons learned, and key takeaways from this year’s event.
I’ll start with an overview of the top ranked talks, which were rated by Summit attendees, followed by general observations of the event and our industry.
Top Rated Talks by Attendees
- Jake Williams – Latest Human Attacks:
We have an annual tradition at Summit, we like to kick off each summit
by first defining a problem or challenge facing the industry. Last year,
for example, professional social engineer, Jen Fox demonstrated how a social engineer thinks.
This year, Jake Williams, ex-NSA hacker and a world expert in Incident
Response, walked us through the latest human-based attacks he sees in
the real world. Attendees really appreciated getting to peer into the
mindset of who their adversaries are, how they think, and the latest
human attack methods they are using. What is especially interesting is
how targeted and crafty the most effective phishing emails have become.
Slide deck from Jake's talk available here.
- Jill Barclay – The Creative Process Behind Fun, Low-Budget Videos:
Jill knocked it out of the park with this one. She detailed to the
audience how they can create highly effective, truly engaging videos
with almost zero budget and some props from your home. Jill’s key
takeaway was that anyone can create effective, fun, and engaging videos
on a minimal budget. It just takes some creative thinking. Jill also won
last year’s Video Wars competition with her Cyber Villain series, which
has now become a whole series of awareness training videos for her
Slide deck from Jill’s talk is available here.
- Adam Tice - A Lesson in Survival: Transforming Culture by Preparing for a Crisis:
Adam’s story was one of the most emotional as he detailed to attendees
the breach at Equifax and the impact that had on people and our culture.
In his talk, he deeply detailed the importance of individuals, touching
on the idea that it only takes one person to inspire change. This
lesson rings true not only in the cybersecurity landscape, but also
within our everyday lives. The key takeaway from Adam’s talk was the
growing need to partner and build strong relationships before a crisis
happens and how critical those partnerships become.
Slide deck from Adam’s talk is available here.
- Micah Hoffman - OSINT Workshop:
Hands-down, this was one of the most popular and highly rated workshops
ever hosted at the Summit. Micah is a top-rated SANS instructor and
detailed what OSINT (OpenSource Intelligence) is, how it is used, and
how it can apply to the world of security awareness. Then, through a
series of interactive labs, teams conducted OSINT assessments of
themselves. It is absolutely amazing, not only the amount of information
you can learn about any person or organization, but the extensive tools
and frameworks to help you do it.
Slide deck from Micah’s talk is available here.
BONUS: Workshop handout from Micah’s talk available here.
- Alexandra Panaretos – Partnerships and Collaboration:
Throughout the event, people continuously brought up just how important
partnerships and collaboration are, so Alex’s talk really hit the spot
for these attendees. Her focus was ultimately on how to build trust with
others, as she detailed that trust is the currency to derive value and
loyalty. She also reminded the audience that there’s an escalating need
to put the humanity back into the human element of security.
Slide deck from Alexandra’s talk is available here.
- Nicole Jacobs - Security Awareness Recognition Program:
Nicole shared how she created a recognition program for USAA’s fraud
fighters, making it not only fun and creative, but also highly engaging
and motivating for USAA’s customer support staff. What attendees loved
about Nicole is she presented it in a way that attendees could easily
Slide deck from Nicole’s talk is available here.
Special Events: We had two talks in this special session, Bob Hewitt and Justin Perkins covered How to Build Your Own
Escape Room and Laney Cannon covered Online Digital Scavenger Hunt. What was great with both talks is that they both covered in detail how to launch these events. People especially loved that Laney’s talk detailed how her hunt easily reached their remote workforce, with virtually no budget.
Optional Third Day: Every
year at the summit SANS likes to challenge the status quo and try
something new for Summit attendees. This year, we implemented an
optional third day to the agenda so that people could extend and expand
their learning. It was a huge success. Instructional Design experts Kevin Bennet and Andrew Mantuano
spoke to attendees about the concepts of Adult Learning, the ADDIE and
ARCS model and the specifics of designing good Learning Objectives. This
is key to an awareness program, as your Learning Objectives specify the
actual behaviors you want people to exhibit to manage risk.
Slide deck from Kevin and Andrew’s talk is available here.
Their talk was followed by a one-hour Birds of a Feather (BoF) session that discussed topics on Advanced Phishing, Critical Infrastructure, Behavior Modeling and Engagement Strategies. It was a great opportunity for professionals to discuss in small groups and learn from each other.
Networking: I think the networking events are what attendees often appreciate the most. They get the chance to meet, network, and learn from others in a relaxed, no pressure zone. We hosted numerous interactive networking events, including a pre-social treasure hunt, two bonus evening activities (including Tacos & Tequila on Mission Bay), numerous breaks, and onsite lunches.
One of my favorite networking events this year was the Living Map. In this exercise, we sectioned off the entire lecture hall into a map of the world. With different parts of the hall labeled from locations around the world, we then had all 300+ attendees go to and stand in the hall based on where they lived. It was so successful because people got to meet other awareness professionals who lived near them, ensuring they can continue those relationships. Many people spent that time comparing cities, exchanging business cards, and connecting on LinkedIn. They could have spent the entire Summit sitting a few chairs down from someone who might work in the same business district in their city and never had known it.
Fun fact: The record for the longest commute to the Summit was over thirty hours for one attendee, who traveled from South Africa. Plan on even more networking opportunities during next year’s Summit.
Sharing Toolsets: Two great, popular activities were the Security Awareness Video Wars and the Show-n-Tell tables. The Video Wars were comprised of short video clips, under 3 minutes, which people developed for their security awareness programs with many bringing humor into the mix. The attendees were asked to vote on the videos, with an informal panel. The collaboration and innovative ideas were remarkable.
The Show-n-Tell display tables were available for people to browse throughout the Summit, allowing for the sharing of all types
of collateral, from lanyards to web cam covers, to mascots/villains, and even selfie stick masks. This offered great inspiration for other awareness professionals to learn how organizations made the materials, which ones were the most effective, and why.
Feedback for Next Year: We received a tremendous number of ideas from our feedback for next year, here are some of the most exciting:
- Due to the overall success, we will definitely return with a half Day 3 of the Summit next year. We are also exploring the idea of making the Day 3 dedicated to a workshop.
- The Living Map was a huge hit, so we will be sure to add that to the agenda next year. We may also include options for specific industries as well.
- Feedback from our half Day 3 attendees loved the Birds of a Feather (BoF) session so much that we are thinking about adding that session to the main agenda.
- For the evening of Day 2, we will enable attendees to sign-up for dinners with other attendees based on topics and industries. In other words, pick the people you want to go out to dinner with based on a common challenge or industry you share. It’s like a dinner version of BoF where you get to decide and drive the conversation.
- Expect more talks that detail how the individual speakers implemented something in their program, such as metrics, gamification, engagement, and so on. The focus will not be as heavily weighted on what they did, but how they did it. I think this will give the Summit attendees a much better look into how they might be able to implement similar practices into their own programs.
- Expect more time for Questions and Answers. We had a lot of really great announcements this year, including the SANS Security Awareness Professional (SSAP) credential, but because of the tight agenda, we couldn’t dedicate as much time conducting a Q&A on the SSAP as we would have preferred.
Conclusion: This was a fantastic event this year. It was packed with opportunities to share, meet with, and grow from each other. I would especially like to thank this year’s Summit Advisory Board who worked tirelessly to help plan and host the event, including Neaka Lynn Balloge, Cheryl Conley, Meredith Howland, Molly McLain-Sterling, Lisa Miglioratti, Stephanie Pratt, Janna Sondenaa, and Maritsa Santiago. Ultimately, this event is by the community, for the community.
We are already planning for next year’s Summit, which will take place in Austin, Texas. If you are interested in being a speaker at Summit, the CFP (Call for Presentation) process will begin February 2020.
If you have a suggestion for or want to ask a question about the SANS Security Awareness Summit, please don’t hesitate to reach out to me! Don't miss the action as the next Security Awareness Summits are this November 20-21 in London and next August 5-6, 2020 in Austin, Texas.
Find the slides from all talks at the Summit Archives page.