
London, United Kingdom | Mon, Nov 18 - Thu, Nov 21, 2019

Summit Agenda

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Day 00 – Tuesday, 19 November

Pre-Summit Meet and Greet
This optional session offers the opportunity to meet and network with your fellow attendees the night before the Summit kicks off. We highly recommend you attend if possible.

Day 01 – Wednesday, 20 November
08:00-08:45am Registration and Coffee

Welcome, Introductions & Rules of Engagement

Lance Spitzner (@lspitzner), Director - SANS Security Awareness


Networking & Introductions

We know that the conversations among peers and the connections forged during these events are just as valuable as the talks. Kick off your day by getting to know the other attendees seated at your table and begin fostering those meaningful connections and exchanging ideas right away. Introduce yourself with your name, organization and industry, size of your organization, what you hope to get out of the summit, and one thing most people do not know about you. No more than two minutes per person.


Online Polling

We introduce you to what online polling is, how it works and kick things off with a couple of fun polls.


Let’s be scientists!

In this session, Jessica will present primary research from a variety of studies that will give us insight into how hundreds of thousands of people outside the security industry feel about security. We will discover what they are confident about, what they are worried about and what the trends imply about how we can improve our awareness-raising efforts. This call to arms will encourage the security awareness community to put an evidence-based approach at the heart of our discipline.

Jessica Barker, co-CEO and Co-Founder, Socio-Technical Lead at Cygenta.


Changing Security Culture, One Small Step At a Time

It’s no secret that resource and budget constraints are two common challenges facing Security Awareness teams today. Despite this, achieving a common goal that most Security Awareness teams share - to influence a positive shift in security culture - has often meant spending a lot of time and money. But big isn’t always better. This talk explores alternative, quirky and creative ways that we can make big impacts on our organisation’s security culture, one small step at a time.

Chris Fleming, Security Culture & Awareness Manager

10:30-11:00am Networking Break: Drinks and Snacks will be served.

So now what? Using risk assessments to prioritise security behaviours

Here are three common security conference talk takeaways: 1) Understand the requirements of your business. 2) Align your messaging to those requirements. 3) Get your board on board with what you’re doing. But then what? How do you take practical steps to start moving towards those goals, to move from awareness through behaviour to a strong security culture? In this talk we will take you through the journey we are currently on at the Bank to more closely align the advice we give to the risks we face. Over the last five years, we have developed a programme of mandatory face-to-face training, e-learning, policies and accompanying messages across the Bank about different aspects of physical, information, personnel and cyber security. We decided to review all the various advice and found that we were asking our colleagues to enact more than 65 different behaviours. All the individual behaviours are important, but some are more important than others. Some are must-haves – things we require to comply with legislation and standards such as ISO 27001. Others require active thought and a more mature approach to security. In this session we discuss what we considered to be the missing piece of the puzzle - the analysis of which behaviours map to which parts of our risk taxonomy, and how that then enables us to target our attention on those behaviour changes which have the most impact. We also talk about how this helps us drive meaningful discussions with the business about what worries them and what actions they can take to mitigate those risks, helping us to integrate both risk management and security culture into ongoing business-as-usual functions. Final takeaways: 1) When trying to understand the requirements of the business, don’t reinvent the wheel. 2) Find out how your business communicates about risk and use the same language. 3) Align the reports you make to the board with the rest of the business.

Alison Crockford, Security Communications Manager, Bank of England


Hacking Security Awareness: practical steps to a demo-led security awareness program

In this fun and light talk we will look at the challenge of making security awareness programs interesting for staff. We will examine the common pitfalls organisations fall into when preparing training. We will show how, with some imagination and some simple freely or cheaply available toolsets, we can replicate common attacks and demonstrate them in a simple, non-technical way, helping all staff from the bottom to the top better understand what an attack looks like. In addition, with the convergence of office and home life, non-work-related systems such as the Internet of Things can also be exploited and used in security awareness presentations to help staff better understand the risk these devices present to businesses. We will show how easily tools can be set up, provide live demos of tools in action showing the ease with which they can be created, and provide after the session simple instructions to allow you to set up the demos yourself. This session will offer practical solutions to help you run your own demo-led security awareness program.

Tony Gee, Associate Partner, Pentest Partners

12:00-1:00pm Networking Luncheon: Lunch is served onsite to maximize interaction and networking among attendees. If you finish lunch early, take a moment to review the show-n-tell tables.

Identifying the Introvert: How to identify hidden cyber talent within your organization

Cyber Security skills are in high demand, with short supply. The threats we face are changing at a phenomenal rate and it is becoming increasingly challenging for organisations to keep pace with developments from malicious actors. Having failed to find suitable external candidates to fill vacancies, I was set the challenge to look internally and develop skills that already existed in the organisation. We set out to test a hypothesis that your typical Cyber Superstar may be a shy introvert, who lacks confidence and therefore may not even apply for jobs they are capable of. By day they work a normal 9 to 5, but by night they spend their time learning, hacking, tweaking and pushing the boundaries of cyber space in the comfort of their bedroom. Learn how our interactive hacking game helped educate our employees on the threats they face, understand how a hacker’s mind works, and ultimately identify hidden talent which we were able to develop to become the next Cyber Security Superstars.

Simon Grant, Head of Cyber Awareness & Business Partnership, Santander UK


Learning Theory / Instructional Design

This hands-on, interactive workshop dives into the world of learning theory as you develop learning objectives, leverage frameworks such as Bloom’s Taxonomy, ARCS and ADDIE, and engage in interactive team labs to help develop your own learning plans. Learn the science behind adult learning and apply those lessons learned to your own awareness program.


The Many Faces of Culture in Security Awareness

Most awareness practitioners have delivered smart, creative security trainings and campaigns - and then dismayingly find out the activity had little engagement or impact. While there are many reasons this may happen, one core reason that campaigns may fail is a lack of connection to the company culture - whether on a campaign level or a broader security culture level. This presentation shows how to build your security culture on your company culture to offer dynamic campaigns that resonate with employees.

Cassie Clark, Sr. Security Awareness Program Manager, Cruise Automation

3:00-3:30pm Networking Break: Drinks and snacks will be served.

Think 'Video First'! How to create your audio-visual security awareness program

Last year I noticed when I was reviewing some corporate comms that I would only scan the topics and only read those that were particularly relevant to me or if something was written by somebody I knew. To read all of it might have taken 30 minutes and I was simply too busy. I don’t think I am atypical and this convinced me that so much text-based communication in a corporate environment is simply not read. I wanted a way that our security awareness messages could rise to the top of the pile and get noticed. What did we do? I will outline how we moved to our new motto “Think video first!”, what challenges we encountered and what approach we took. I will discuss how, instead of articles, written blogs and help cards, we moved to:
• Releasing short 2 minute biweekly videos giving an ‘Information Security’ update, using QuickTime and iMovie to splice video segments and include company-specific logos and technology icons, to deliver three key messages only in every update.
• Developing cartoon videos or animations on security topics.
• Creating video reminders - instead of chasing people to do something (e.g. to attend a training session), do a short recording.
• Running video competitions, asking our security champions to develop a security-themed video, thus enhancing other strengths in our program with this new approach.
• Introducing recorded interviews where we scripted three key questions and answers (i.e. the three main things we wanted people to know) with team members, recorded over Zoom and delivered to employees.
• Developing screen recordings with voice-overs to demonstrate to employees how to use an aspect of security technology.
• Working collaboratively with training personnel to translate their text-based training content (e.g. help cards etc.) into short, instructional videos.
Outcome:
• I will demonstrate how our content stood out relative to all the other corporate content. Our insight is that people will watch a one minute video much sooner than something that takes the same length of time or longer to read.
3 Key Action Items/Lessons Learned for the SANS Audience:
1. Moving to audio/visual as a much more effective way to communicate can be done at minimal cost. It only takes the will to make the change, a willingness to put your face in front of the camera and a little time to develop your techniques.
2. It is essential to engage with your Communications team as early as possible and consistently through the process. Their feedback was invaluable, particularly on how we can improve recorded content such as backgrounds, music, logos, eye contact with the camera and design considerations.
3. Consider this as an exercise in building your security awareness brand, as this improves effectiveness and this business language helps to further sell the idea to management. Involve marketing people to understand what that means at your organisation. Define brand goals and brand outcomes and develop plans to deliver these.

John Haren, Head of Information Security Governance, Risk & Compliance, Diageo


Security Awareness Video Wars

Volunteers will show short (no more than 3 minutes) security awareness videos they’ve developed for their security awareness programs. At the end of the videos you will be asked to vote on the videos you liked best and we will award the top winners. After the videos and voting we will ask the video submitters to sit down for an informal panel, enabling you to ask them questions.


Table Closing Discussion

Each member of the table will share with everyone else one key learning from the day’s agenda and plans for applying that takeaway to their program when they get home.

5:15-5:30pm Closing Remarks
6:00-8:00pm SANS Social Activity - SWAY Bar
Day 02 – Thursday, 21 November
08:00-08:45am Networking and Coffee

Day 02 Kick-Off and Coordination Items

Lance Spitzner (@lspitzner), Director - SANS Security Awareness


Introductions & Networking

For the second day of the Summit, please sit at a new table so you can meet, network, and interact with a whole new group of peers.


Not on my Watch

Year after year, new stories of harassment surface from around the globe, yet little seems to change. Last year, cybersecurity influencer, author and women’s champion Jane Frankland created the IN Security Code of Conduct and led a campaign for appropriate behaviour at events to change this. This year, whilst developing an Action Kit for the Code of Conduct, she felt compelled to study the extent of the harassment. This presentation looks at the situation, how other social movements in history have succeeded, and what lessons we might learn from them. Jane also shares some of the research gathered from 2,145 women globally, ahead of her publication next year.

Jane Frankland, CEO of Cyber Security Capital and Founder of the IN Security Movement.


Tales from the frontline: Pull up a sandbag and hold onto your hat…

After 12 years in the trenches of Incident Response, we have some spooky fireside tales that you can learn from as we help you improve your security awareness and cyber/human defences. We will take you on a tour of some of the ways that social engineering has been used as the entry vector for some devastating incidents. More importantly we will look at the thinking behind the attack and the human trait they seek to exploit.

Steve Armstrong, SANS Instructor


Using Appreciative Inquiry to Create a Network of Security Champions that Went Viral

In 2016, 40 operational security employees sat in a room and were asked to imagine a future where employees demonstrated proactive security behaviours. Three years later the team has over 600 security champions, all volunteers, and Openreach are able to demonstrate the measurable changes in behaviour the programme is having on employee behaviour that minimises incidents. This presentation will take you through:
- The step-by-step methodology to recruit, train, and sustain the momentum of champions
- How to use Appreciative Inquiry to engage stakeholders in self-determined change
- How to use champions to measure behavioural change at grassroots level (e.g. what people are doing differently)

Sarah Janes, Managing Director, Layer 8

10:30-11:00am Networking Break: Drinks and Snacks will be served.

Metrics Session

We are seeing a growing interest in metrics and measuring specific behaviors. As such, we are providing two different perspectives on metrics.

No more hiding: employee behaviour uncovered

We cannot secure behaviour, but we can learn, help and motivate people to behave securely. For a long time, we had to rely on surveys and phishing tests to learn about employee behaviour and susceptibility, but recently new tools have become available - tools that reveal a lot about employee behaviour. What information are employees sharing with external parties, what online services are people using and what software do they use to perform their duties? People are inventive, do not always stick to procedures and sometimes take shortcuts that will surprise management and even your security staff. There are various new tools that provide a wealth of metrics that will help you to understand the internal information security threat. Analysis of these metrics will enable you to detect current issues within your company and address these in your awareness and educational programs. Key action items: 1) Learn more about real employee behaviour. 2) Address insecure practices in your awareness campaigns. 3) Educate employees via use cases.

Richard Verbrugge, Information Security Awareness Manager, ABN AMRO Bank

Phish, apples and oranges: assessing the sophistication of your phishing simulations

Most phishing simulation providers will boast about the reduction in susceptibility - how much you can reduce the number of people who click on an email by using their solution. This drives many of us to be forced to include ‘click rate’ as part of our KPIs. But how sensible is that? If we have, say, a 5% target click rate, how do we account for teaching our colleagues about more sophisticated spear phishes, where we would naturally expect a higher click rate? Following a conversation with my CISO arguing against click rates for a KPI, I decided that no-one had looked at this systematically and dedicated my MSc thesis to the simple question - can we broadly assess the sophistication of a phish into 5 levels - from basic to highly advanced - and start predicting click rates against each level? The assessment is based on the factors that go into the phish and which research shows are more likely to make people click. So we’re at least comparing apples to apples. In this talk I will briefly address the methods for assessment, the results when the phishes were assessed by security awareness professionals, and then how those assessments fared when the phishes were used against my organisation. Did my model and the assessments of security awareness professionals worldwide stand up? 3 Key takeaways from the talk: 1. How to take this model and try it in your own organisation. 2. How to use the model to have a more nuanced metrics conversation with your superiors than simple ‘click rates’. 3. How to use the model to engage and reward your colleagues as you phish them.

John Scott, Head of Security Education, Bank of England

12:00-1:00pm Networking Luncheon: Lunch is served onsite to maximize interaction and networking among attendees. If you finish lunch early, take a moment to review the show-n-tell tables.

Communications & Engagement Track

Each speaker gets 40 minutes to present their point of view and experiences on the same topic – communications / engagement.

Less Filling: Five Steps to a Successful Security Behavior Change Program that Doesn’t Taste Anything Like “Training”

Training is dead. In an age where cyber threats and incidents are exponentially increasing almost by the hour, employee information security awareness programs must stand out from the rest of the ‘training’ pack. Because employees are a first line of defense, the information security awareness programs that target them must mimic attackers themselves – be agile, alluring and unapologetic. They should not resemble ‘training’. But how? In this session, we will introduce some sticky, innovative approaches to building employee awareness programs that will positively impact security behaviors, and ultimately improve business outcomes. Using real-world lessons learned from program fails as well as successes, we will outline a recipe for compelling learning creation and deployment that will have your employees voluntarily taking hours of security-related “training” - and telling their friends and family about it! We will discuss characteristics of success, and how they can be achieved by exploring five key considerations when building a learning experience to gain maximum employee engagement. This session will inspire participants and propose a short action list to jump-start a custom change program focused on keeping business information safe – starting at the human level.

Kevin Nameth, Senior Manager Human Performance, Accenture
Urszula Fabiszak, Director Human Performance, Accenture

Awareness training secrets gleaned from the security podcast world

Why is it that employees often sport a look of... pained expectation upon entering a training session? They are being paid to learn about how to be safer online, and yet their pinched faces look as though they’re about to change a stinky nappy. I know this look because, for years, I was responsible for security awareness training at a global IT security firm. Now, I host popular cybersecurity podcasts. Each week, I present stories and interviews designed to engage listeners, as well as provide them security takeaways for when they flit around the digital nebula. Yet everyone listening to cybersecurity podcasts - which present the same takeaways - is doing so utterly voluntarily. We had millions and millions of downloads. Many say they cannot wait for the next episode. After some noodling, I’ve curated takeaways gleaned from my podcasting experience and thoughts on how they can be used in cyber training:
- Get trainees to look forward to training before it even begins - a happy mind is an open mind
- Make sure the takeaways are sticky - strong, relatable or sensational narratives are easier to recall than numbers and stats
- Ideas for reducing the content to key elements and its supporting points - less is definitely more when it comes to the retention game
The plan? Make cybersecurity training and best practice more fun, more engaging, and, most important of all, much stickier.

Carole Theriault, Podcast Host and Producer - Smashing Security and The Cyberwire

Go out of the ordinary for communication and get help from a little friend

The relationship between employees and security teams is always in a delicate balance. In order to make this a little more intimate, the work needs to be unconventional and innovative, with some courage. Some of these ways can put you in a dead end, while others give you better results than you might expect. We got support from a little furry friend on this road. Learn our story as I cover what happened to us, what processes we went through, and ultimately how we created a powerful and fun way to engage our workforce.

Nilay Ersen Bozacioglu, Information Security Expert at Turkcell, Turkey

3:00-3:30pm Networking Break: Drinks and snacks will be served.


We are seeing a growing interest in overall strategy. As such, we thought we would provide you two different perspectives on your strategic approach to awareness training.

Don’t Fly Too Close to the Sun: Carefully Building Leadership Support for your Program

In Greek mythology, Icarus’ father gave him a pair of wax wings to help him escape. Icarus was warned not to fly too low, so the sea’s dampness would not clog his wings, nor too high, or the sun’s heat would melt them. Icarus couldn’t resist getting closer to the bright light of the sun. His wings melted and he fell to the sea, where he drowned. Four years ago, I came to Zurich to build their first security awareness program. No one outside of information security knew who I was. Slowly, I built relationships and projects a layer at a time, strategically. In 2017, my GCISO at that time told me no one in Zurich leadership would clear their calendar to meet with me. Today, I have support all the way to the BoD, who have asked to take our training and learn more about the program. I’ve been to Switzerland and, yes, leaders at several levels had time on their calendar for me. Let me show you the strategy, how to maximize luck, and how to make sure you don’t have wax wings when leadership finally recognizes you and the heat of the spotlight is on you and your program.

Janet Roberts, Global Head of Security Awareness & Education, Zurich Insurance

Demystifying Cyber Security Cultural Strategy: The What, How, and Why

As we are realizing day by day that Cyber Security culture change is a complex topic, we need to develop a strategic plan which comprises long-term projects and quick wins that help facilitate behavioural change. Not only should the Cyber Security culture strategy be able to integrate various workstreams (white noise, role-based training, game mechanics etc.) to help change behaviour, but the Cyber Security cultural strategy must also address how it supports internal business requirements as well as external factors (threat landscape and regulation). This session will show you the blueprint of a successful Cyber Security cultural strategy that Lushin has implemented at various global clients across different industries (as well as pitfalls to avoid when designing a Cyber Security culture strategy!). He will show you how to lay out your Cyber Security cultural change strategy, how you can visibly show that it supports your business, and what workstreams you should include within your Cyber Security cultural strategy. You will walk away with an understanding of what a Cyber Security cultural strategy is and how it is much more than a Cyber Security Awareness Program (just one of the pitfalls)!

Lushin Premji, Security Specialist, IBM


Show-n-Tell Winners Announced

Winners of the show-n-tell event will be announced. The winners will present on their materials, how they came up with and implemented the winning ideas, and the impact on security awareness as a result.


Table Closing Discussion

Each member of the table will share with everyone else one key learning from the day’s agenda and plans for applying that takeaway to their program when they get home.

5:15-5:30pm Closing Remarks