8:40 am - 9:00 am PT 3:40 pm - 4:00 pm UTC | In Person Opening Remarks |
9:00 am - 9:20 am PT 4:00 pm - 4:20 pm UTC | In Person Table Top Introductions For those joining us in Las Vegas, use this time to get to know your neighbor!
|
9:20 am - 10:00 am PT 4:20 pm - 5:00 pm UTC | In Person Keynote |
10:00 am - 10:20 am PT 5:00 pm - 5:20 pm UTC | In Person Break |
10:20 am - 10:55 am PT 5:20 pm - 5:55 pm UTC | In Person The Transparency Imperative: Harnessing Value from Security Incidents to Transform How We Manage Human Risk Noelle Warburton, Senior Director, Strategic Communications and Enablement, Cisco Systems In May of 2022, Cisco identified a security incident targeting corporate IT infrastructure. The events and investigation to follow revealed a series of employee behaviors that allowed a bad actor to access part of the environment. What did these behaviors have in common? How can we educate our people to understand how great an impact each micro-decision can have? How much real-world information can we share to discontinue and prevent bad behaviors? If we turned back the clock to May 2022, do employees have both the awareness and ability to stop history from repeating itself? In this session, Senior Director, Strategic Communications and Enablement Noelle Warburton and Keep Cisco Safe Program Leader Jeanne Hernandez explore how Cisco leveraged a security incident to transform its approach to security training across its global enterprise. Together you’ll examine the importance of transparency in managing human risk. How can we foster a security culture of sharing to encourage transparency around security events? By embracing honest conversations about the true cause of an incident, we allow our security teams to transparently educate our workers on how to mitigate future risks. Whether you have a workforce of 100,000 or 100, learn how your organization can harness the value of using real-life events and data to promote awareness and drive behavior change.
|
10:20 am - 10:55 am PT 5:20 pm - 5:55 pm UTC | Virtual The aftermath of a social engineering pentest. - Are we being ethically responsible? Over the years, pentesting humans by leveraging social engineering techniques has become increasingly important to many organizations. While many focus on the performance of a social engineering engagement, fewer deal with the post-engagement process. How are the results handled? How does a target feel afterward knowing they have been duped, and who is helping them in overcoming adversarial feelings in the wake of a test? A social engineering pentest puts humans, and not systems as seen in technical pentests, to the test. By doing so, the people affected can feel they have failed as humans and not just failed professionally. Distress, psychological strain, and self-blame are just some of the factors that can affect a human not being treated correctly in the aftermath of a pentest. When are we doing it right, and when are we doing it wrong? Is there a right or wrong way? This presentation seeks to highlight the possible pitfalls in handling the aftermath of social engineering engagements and explores various challenges and proposed solutions to problems that may arise for companies both conducting the tests and those that order them.
|
11:00 am - 11:35 am PT 6:00 pm - 6:35 pm UTC | In Person Phishing for insights not passwords! Cathy Click, National and Global Campaigns for FedEx information security You have a well-run phishing program with scheduled simulations that keep your users informed and tested. You provide regular education to keep them up to date on criminal activity, but what else can you do to reduce risk? By collecting and analyzing email filtering metrics, you can develop a more effective phishing program that helps you identify and address areas that need improvement, ultimately reducing your risk of compromise. Conducting targeted phishing simulations and measuring their effectiveness are also critical steps in minimizing the risk of phishing attacks. During this presentation, you'll learn about three effective methods for staying ahead of criminal activities. Cathy will share examples of how email filtering metrics can be utilized to provide valuable insights, including near real-time feedback to users, a comprehensive overview of determining high-risk areas, and identification of ongoing malicious campaigns. Using email filtering metrics to inform your phishing program, you can create a more effective and targeted training program that helps your users become more aware of the dangers of phishing attacks and how to avoid them. Carrier launched its Security Awareness program in March 2021, following its split from UTC. We were challenged to build an industry-leading Security Awareness program for a global remote audience amid the Covid-19 pandemic. In February 2023, the Security Awareness team had a recruit – an associate from Carrier’s Digital Technology Leadership Program (DTLP), who would do an 8-month rotation in Security Awareness. To challenge her, we encouraged her to come up with a strategy to achieve our 2023 goal of getting 1,000 cyber champions (we call them the Enterprise Defenders) in just 10 business days. Between Feb 28 and Mar. 
This session outlines how she achieved this. The audience will get actionable takeaways and tips that include: - The advantage of using someone without experience, like an intern
- Timing the campaign. We coincided it with International Women’s Day
- How to win over your audience. Our DTLP came up with a CyberSHEcurity - Empowering Women in Cybersecurity campaign.
- How to use common tools like Microsoft to run the campaign.
- How to get leadership support
|
11:00 am - 11:35 am PT 6:00 pm - 6:35 pm UTC | Virtual Trolls In a Basement: When Security Awareness and Customer Service Collide Have you ever been trapped in customer service hell? We’ve all been there: unhelpful chatbots, emails sent into a black hole, or hours spent on hold, listening to Muzak and yearning to talk to a human being? Hellish service experiences are almost universally frustrating and can drive customers away for good. So why do we ignore employee experience in security awareness programs? What happens to a company’s security culture when an employee’s requests for help feel like a shout into the void? In this session, we’ll explore the nexus of security teams and how internal communication can help (or hinder) organizations’ security culture and awareness efforts, including: - Shaping the Security team’s “voice” and “anchor” in your organization
- The effects of user experience on security reporting and attitude
- Building trust between the Security team and wider workforce
- Separating external security perception from internal divisions
- Leveraging the power of recognition
- Practical tips for designing effective intake, triage, and response protocols
|
11:40 am - 12:15 pm PT 6:40 pm - 7:15 pm UTC | In Person Conversational Security Awareness: Putting Humanity into Your Human Risk Management Program Security teams are beginning to appreciate the importance of building a strong human defense layer. As a result, most organizations have adopted some form of security awareness, behavior, and culture program. But there is a complication: in building these people-focused programs, security teams often forget that people are, by nature, relational beings. This impacts everything, from executive support to the trust (or apprehension) employees associate with your security team.
In this session, Perry and Jess will provide practical guidance for understanding, managing, and maturing your program to best foster a positive relationship and culture. This includes establishing the best voice/tone for communications and finding relevant narratives and programmatic elements for your initiatives.
|
11:40 am - 12:15 pm PT 6:40 pm - 7:15 pm UTC | Virtual SecOps: The missing link in Security Awareness Programs Security Awareness Programs are an essential component of any organization's security strategy. However, many organizations struggle to get the desired results from these programs. In this talk, I will discuss how Security Operations (SecOps) teams can add value to Security Awareness Programs and make them more effective.
Introduction
The Role of SecOps in Security Awareness Programs
- SecOps as a bridge between Security and Operations teams
- SecOps' unique perspective on security risks and threats
- SecOps' expertise in identifying security weaknesses and vulnerabilities
III. How SecOps can add value to Security Awareness Programs
Recap of key points
Attendees will learn how SecOps teams can play a vital role in making Security Awareness Programs more effective and will understand the unique perspective and expertise that SecOps teams bring to the table.
|
12:20 pm - 1:30 pm PT 7:20 pm - 8:30 pm UTC | In Person Lunch |
1:30 pm - 2:05 pm PT 8:30 pm - 9:05 pm UTC | In Person Instructions Not Included: Technical Communicators Rewrite How Security Speaks Cyber Have you ever purchased a product and the manufacturer didn’t include your language’s version of the instruction manual? You get frustrated trying to understand it, only to toss it aside saying it’s someone else’s responsibility. That’s usually how most employees feel when their company communicates cybersecurity initiatives and security awareness strategies to them.
Although cybersecurity professionals are technically skilled individuals, they tend to have difficulty translating their knowledge to the typical end user. And to truly capture business understanding and acceptance of security initiatives, we need to move past telling end users the ‘what’ of security and educating them on the ‘why.’ This presentation will show audiences how Parsons took the new cybersecurity role of the Business Information Security Officer (BISO) and created four distinctive groups of security professionals (creating an entire ‘office’ of advisors) that focus on each business group’s unique goals, methods, and workstreams to connect business and cybersecurity.
Then, we’ll dig deeper into our security awareness, communications, and education strategy by explaining BISO Outreach: cybersecurity professionals, specialized in technical communication, who translate cyber to the non-cyber employee. We’ll explain why there is a current industry need for this type of non-traditional cybersecurity role and break down how we used their special skill sets of data visualization and storytelling in presentations, reports, learning modules, and other security awareness projects to capture our audiences’ attention, moving them to act. We’ll prove our success by sharing our security awareness engagement statistics, milestones, and our goals moving forward. To encourage other cybersecurity teams to invest in non-traditional roles, we’ll introduce different technical communicator roles and how they can enhance your security awareness program.
|
1:30 pm - 2:05 pm PT 8:30 pm - 9:05 pm UTC | Virtual Behavior change in action - use cases from a global organization Tim Ward, CEO & Co-founder, Think Cyber Security Ltd Enough talk about the theory of security behaviour change... this talk explores what it can look like in action! James van den Bergh from DLA Piper and Tim Ward from ThinkCyber explore three specific use cases where behaviour change interventions can be used to reduce organisational risk in a global organisation. This joint talk features James van den Bergh, Head of Security Awareness at DLA Piper, and Tim Ward, CEO, ThinkCyber. James and Tim will explore three quite specific case studies in the lifecycle of an employee where risk profiles and the way to tackle those differ. They will do this through the lens of behavioural science and with a focus on offering actionable takeaways that can be applied in organisations large and small. Firstly induction, how can we harness the “fresh start effect” where people join wanting to be their best self. How do we understand employee risk profiles at this point and then target specific behaviours to embed good habits. Secondly James will explore the idea of offering “stabilisers” to staff encountering greater risk in their role, or who are showing riskier behaviours than the norm. How can we understand, support and guide these individuals to reduce our organisational risk profile? Finally James will touch on leavers, who have the potential to represent data loss risks for an organisation, whether unthinking or malicious. How can we gently reinforce expected behaviours at this point in an employee’s lifecycle? Throughout this exploration Tim will talk to the behavioural science behind effective delivery of these interventions. From nudge theory (BJ Fogg, EAST) to playing to cognitive biases such as availability, priming, social proof. James will highlight real-world context and examples of theories in action.
Attendees will take away an understanding of: - How awareness can be targeted to different stages in an employee's lifecycle with an organisation
- The importance of understanding your awareness audience to effectively target and embed secure behaviours
- Why and how content can be tailored to different employee needs, be they culture, risk profile or other demographics
- How to apply behaviour change models and an understanding of cognitive biases to various security awareness challenges including phishing, data handling and general cyber hygiene.
|
2:10 pm - 2:45 pm PT 9:10 pm - 9:45 pm UTC | In Person How We Achieved Our 2023 Goal of 1,000 New Cyber Champions in Just 10 days! Dennis Legori, Associate Director - Security Awareness & Digital Communications, Carrier Carrier launched its Security Awareness program in March 2021, following its split from UTC. We faced the challenge of building an industry-leading Security Awareness program for a global remote audience amid the Covid-19 pandemic. In February 2023, we had a new recruit, Jeleasa Grayned, an associate from Carrier’s Digital Technology Leadership Program (DTLP), who joined our Security Awareness team for an 8-month rotation. To challenge her, we encouraged Jeleasa to come up with a strategy to achieve our 2023 goal of getting 1,000 new cyber champions (whom we call Enterprise Defenders) in just 10 business days. Between Feb 28 and Mar 13, Jeleasa worked with our internal teams and recruited 1,080 new Enterprise Defenders! At the time of writing, we have 4,773 Enterprise Defenders from over 100 countries and are on track to achieve our 2024 goal of 5,000 Defenders by June 2023! In this session, we will share how we achieved our goal and provide actionable takeaways and tips, including: - The advantage of using someone without experience, like an intern, to bring fresh perspectives and creative ideas
- Timing your campaign strategically. We coincided ours with International Women’s Day
- How to win over your audience. Our DTLP, Jeleasa, came up with a CyberSHEcurity – Empowering Women in Cybersecurity campaign
- How to use common tools like Microsoft to run your campaign effectively
- How to get leadership support for your initiatives
- Tips for building a strong cyber culture in your organization.
|
2:10 pm - 2:45 pm PT 9:10 pm - 9:45 pm UTC | Virtual Hack and Play Your Way To Information Security Awareness For many organizations, Cybersecurity Awareness Month is an excellent opportunity to shine every October. At PepsiCo, our 2022 event was a new beginning for our education program, increasing employee engagement with cybersecurity topics. We knew our global workforce needed to understand current threats and where to find educational materials. After defining the objective and coordinating with our Incident Response team on which threats to highlight, we looked for an alternate way to demonstrate that good cybersecurity habits are vital to being more secure at home and at work. Something immersive and attractive was needed. After many brainstorming sessions, we landed on creating a game for Cybersecurity Awareness Month that connected all our activities -- phishing simulations, educational articles, our Security Advocacy program, and our Information Security portal – but we still needed a unique branding element to tie it all together. And that is how the character Hacker Harry was born. We introduced the game concept along with Hacker Harry in September, leading into Cybersecurity Awareness Month. In this presentation, you will see that educating a global organization is challenging, especially when employees are swamped with messages from many different locations. By catching people’s attention with a fun and engaging character, we raised awareness about the most common threats they are exposed to every day. We didn't want an overwhelming amount of information, so we concentrated on phishing and emphasized reporting any suspicious email using the Report Phish button. Overall, PepsiCo’s Cybersecurity Awareness Month program was effective and very well received and led to better outcomes throughout our awareness and training initiatives. 
Come meet Hacker Harry to see how you can create more impact in your Cybersecurity Awareness and Training program and get people to see your messages.
|
2:50 pm - 3:10 pm PT 9:50 pm - 10:10 pm UTC | In Person Break |
3:10 pm - 3:45 pm PT 10:10 pm - 10:45 pm UTC | In Person Laying the groundwork for impactful role-based cyber training & awareness Bring your HRM program to the next level by identifying your organization’s role-based cybersecurity risks and training needs through the creation of Personas. Personas are tools that provide a deeper understanding of who the audience is, their behaviors, their learning styles, how security is embedded into their day to day, and how they feel about security and the risks they face. Personas serve as the foundation to developing meaningful, tailored, role-based training and awareness content in a way that engages learners with applicable topics and improves overall security behaviors. This presentation will walk you through ways to map your enterprise into various personas, as well as how to engage with persona group members through surveys and focus groups. We’ll also discuss how to analyze and act on the data you collect to create impactful learning content focused on cyber risks.
|
3:10 pm - 3:45 pm PT 10:10 pm - 10:45 pm UTC | Virtual Combining ChatGPT and Fogg Behaviour Model to Design Your Program Building a security-conscious culture within an organization is no small feat. In this talk, we explore a powerful approach to reshape your human risk management program. By combining the capabilities of ChatGPT with proven behavior change frameworks such as the Fogg Behavior Model (FBM), organizations can create tailored interventions to motivate employees towards adopting secure practices like password managers and multi-factor authentication. Learn how this innovative approach can bolster your human risk management program and foster a culture of security awareness among employees, ultimately strengthening your organizational security posture.
|
3:50 pm - 4:25 pm PT 10:50 pm - 11:25 pm UTC | In Person Elevate Your Security Awareness Program: Harnessing the Power of Mindfulness Are your users distracted and clicking on phishing emails, despite all the efforts and dedication of your Security Awareness program? Are you wondering what the next level is for your Security Awareness program? Are you longing to make a significant and meaningful impact in your organization?
Mindfulness is becoming a cultural phenomenon tool that is helping organizations to transform. Renowned companies are adopting and incorporating wellbeing practices into their daily operations, and positively impacting their bottom line. In contrast to mindfulness, living in autopilot, being distracted, stressed, and overwhelmed are common challenges we face. If your workforce is distracted while they interact with technology, dealing with computers, devices, and data, your company could easily become the next cybercrime victim. In this session, you'll learn: - The step-by-step method to integrate mindfulness into your security awareness program.
- A powerful tool that can help you and your users to be safe and secure online.
- The I AM framework, which can help your users instantly get out of autopilot!
- And so much more! Attend this session so you can start integrating mindfulness into your Security Awareness Program and making a difference in the productivity and wellbeing of your employees.
|
3:50 pm - 4:25 pm PT 10:50 pm - 11:25 pm UTC | Virtual The Future Of Security Awareness & Training (hint - it isn't about awareness, or training) - How To Disrupt The Status Quo Security remains plagued with the legacy of compliance-driven, security awareness & training tools and methods. As more transformational security and tech leaders and vendors realize the importance of the human element, and the ineffectiveness of those, we will start to move towards behavior and culture change. In the medium term, this will be driven by evidence-based human-risk management. In the long term, rebels and creators will demand the shaping of regulations, elevate the value and role of human-centric security and change the game to focus on the outcomes of training, rather than methods. Join us to: - get a view of the future of security awareness & training;
- understand where to invest your human risk management resources; and
- be inspired on how to disrupt the status quo to reach actual outcomes of behavior & culture change.
|
4:30 pm - 4:45 pm PT 11:30 pm - 11:45 pm UTC | In Person Wrap-Up |