
Security Awareness Summit

Nashville, TN | Mon, Jul 31, 2017 - Wed, Aug 9, 2017

Seats for the Summit on Aug 2 - Aug 3 are sold out. However, there is a wait list. If you would like to join the wait list, please click the link below. Please note, you do not need to attend the Summit to register for a course.
Security Awareness Summit Wait List

Summit Agenda

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Day 00 - Tuesday, August 1
Time Presentation
6:00 - 8:00 pm Pre-Summit Meet and Greet
Day 01 - Wednesday, August 2
Time Presentation Speaker
8:00 - 8:45 am Registration and Coffee
8:45 - 9:00 am Welcome, Introductions & Rules of Engagement

Lance Spitzner (@lspitzner), Director - SANS Securing the Human
9:00 - 9:20 am Networking & Introductions

We know that the conversations among peers and the connections forged during these events are just as valuable as the talks. Kick off your day by getting to know the other attendees seated at your table and begin fostering those meaningful connections and exchanging ideas right away. Not sure what to say? Start by introducing yourself with your name, your organization/industry, the size of your organization, what you hope to get out of the summit, and why you are attending the event. If you're lucky enough to be attending with colleagues from your organization, consider splitting up for the most benefit.

9:20 - 10:00 am Know Your Enemy

To effectively defend against a threat from an enemy or malicious actor, you first have to understand who you're dealing with. What are the adversary's motivations, skills, and methods? In this talk, Rob Lee will walk you through how attackers select, research, and target their victims. As a result, you will be far better prepared to train and defend your organization against targeted attacks that focus on your employees.

Robert M. Lee, CEO & Founder, Dragos, Inc.
10:00 - 10:40 am What Do Cars and Beer Have to Do with Security Awareness?

For years we've heard that people with the "soft skills" of marketing and communications make good security awareness professionals. But what if your background is more technical, and you didn't come to the world of security awareness via Madison Avenue? How can you learn to be a little more Mad Man, a little less Mr. Robot? This talk is Sales and Marketing 101 for Security Professionals. You will learn:

  • The classic sales funnel and how to create "pull" through the funnel
  • How to segment and target an audience, creating effective engagement
  • Sell the sizzle: make 'em hungry, don't feed 'em lunch
  • Madison Avenue resources to leverage (for free!)
  • Marketing tactics for your next security campaign: guerrilla, viral, ambient, experiential, content, and grassroots

Real-world examples will include tactics from last year's Video Wars winner, Edna. We'll take a brief look at the whole campaign and the successful tactics used in addition to the videos. Before entering the world of security, Lisa's passion was filming car commercials in the Israeli desert and curating museum exhibitions about the life of Henry Ford. Lisa now brings that passion to security awareness, believing that "user behavior" and "consumer behavior" are one and the same.

Lisa Plaggemier, Security Awareness and Client Advocacy - CDK Global
10:40 - 11:00 am Networking Break
11:00 am - 12:20 pm Escape Rooms: Talk & Activity

The FedEx team will share how they created and ran security awareness escape rooms in their organization. They will then challenge each table with its own escape room. For those of you who are unable to open all the locks in time, or who simply want to learn more about escape rooms, the FedEx team will host a follow-up event later this evening after the Summit.

12:20 - 1:20 pm Networking Luncheon
1:20 - 2:00 pm I've Got More Games Than Milton Bradley: Incentivize Positive Change in Your Security Culture

Security awareness training is one of the last defenses against dastardly effective social engineering threats. Traditional vendor-purchased security awareness training is largely ignored by the workforce and can merely serve to ensure compliance without substantially reducing the risk. In fact, a 2016 Ponemon Institute survey found that 52% of organizations surveyed found their vendor-purchased security training product "somewhat or not effective." Using American Campus Communities, the nation's largest developer, owner, and manager of high-quality student housing, as a case study, this presentation will demonstrate the difference between traditional videos and a security awareness gamification program. Attendees will hear obstacles faced, and what worked and what didn't as we introduced a range of interactive games, contests, and rewards to motivate users to genuinely improve security.

Drew Rose, Information Security Manager - American Campus Communities
2:00 - 3:00 pm Lightning Talks - Phishing

In this exciting hour, five presenters will get ten minutes each, and only ten minutes, to share their stories and lessons learned on phishing. The session will be followed by ten minutes of Q&A in which you can grill the speakers with your questions. This format packs a great deal of information into a short period of time. Don't blink!

  • Phish Me, Phish You
    Darren Lynch - Lawrence Livermore National Lab
  • Phishing Program Tips & Tricks
    Tonia Dudley, Director, Security Awareness - Financial Services
  • Tailoring Lures to your Target Audience
    Ryan Cadwalader, Security Awareness Specialist - Zurich Services
  • Phishing High Value Targets
    JJ Rivera, VP, Cybersecurity Phishing Program - JPMorgan Chase
  • Big Phish, Little Phish, How Should You Phish?
    Chrysa Freeman, Security Awareness & Education, Code42
3:00 - 3:20 pm Networking Break
3:20 - 4:30 pm Security Awareness Video Wars

Volunteers will show 3-minute clips of security awareness videos they've developed for their security awareness programs. Presenters will then share lessons learned, including how the video was developed, how it was deployed, and its impact. Attendees will select the videos they think are the most effective, and winners will be awarded the coveted SANS Securing The Human security awareness coin.
4:30 - 4:50 pm Table Closing Discussion

Each member of the table will share with everyone else one key learning from the day's agenda, and their plans for applying that takeaway to their program when they get home.
4:50 - 5:00 pm Closing Remarks
Day 02 - Thursday, August 3
Time Presentation Speaker
8:45 - 9:00 am Day 02 Kick Off and Coordination Items

Lance Spitzner (@lspitzner), Director - SANS Securing the Human
9:00 - 9:20 am Introductions & Networking

For the second day of the Summit, please sit at a new table so you can meet, network, and interact with a whole new group of peers.
9:20 - 9:40 am Getting It Right the First Time: Avoiding the Costs of a Bad Cybersecurity Hire

Organizational leadership and cybersecurity management grapple with a talent shortage of unprecedented proportions. As CISOs race to build their information security teams, hiring managers face stiff competition for skilled professionals. Regrettably, employing the wrong person can drain a company of productivity, money and morale, and damage its reputation. According to the U.S. Department of Labor, the cost of a bad hire is at least 30 percent of the employee's first-year earnings; for a security analyst, that's $27,000+. These challenges are even more profound when it comes to hiring cybersecurity professionals. A recent study conducted by the Center for Strategic and International Studies (CSIS) and Intel found that 82% of respondents reported a shortage of cybersecurity skills at their organization, and 71% said the talent deficit has hurt their organization. In an era driven by bottom-line metrics, getting a hire right the first time is more important than ever.

In this session we will:

  1. Explore the workforce talent shortage and dangers of a bad hire
  2. Discuss means to assess skills and best practices
  3. Review case studies of successful, innovative programs to develop new cyber talent pipelines

Max Shuftan, SANS Institute
9:40 - 10:20 am When Is It Time to Reboot Your Awareness Program?

While Lockheed Martin's The I Campaign™ has been extremely successful and includes our effective and impactful phishing program, it became apparent in early 2016 that we needed to advance and focus our mission and strategic vision by incorporating the tools and techniques of the future, working to stay a step ahead of technology and of rapidly changing adversarial techniques. The team had received accolades but wanted to drive the statistics through improvements in overall metrics: emphasizing content updates and next-gen communication toolsets to provide better integration of short, lighter awareness methods; tagline updates; and even a cybersecurity mascot persona. By definition, campaigns come to an end. The I Campaign™ team prefers to think we're morphing into a more advanced awareness crusade. This talk will cover our initial assessment, planning cycle, expectations for overall employee engagement, actions taken to date, and leadership communications. Key takeaways include what's working (or not), leveraging diverse generations, and enabling non-IA professionals.

Cheryl Conley, Security Education and Awareness - Lockheed Martin
10:20 - 10:40 am Networking Break
10:40 - 11:40 am Ambassador Programs

Ambassador programs are one of the fastest-growing and most effective methods organizations are using to engage employees and change behavior. In this special one-hour session, awareness officers from three different organizations (Salesforce, Dropbox, Adobe) will share the lessons they learned in building their ambassador programs. We will then have an extended discussion period in which you can both ask questions of the speakers and share ideas with the people at your table.

11:40 am - 12:20 pm Getting the Board on Board: Gaining Board Support for Your Awareness Program

Get the inside scoop on a board member's perspective on how to effectively frame risk and communicate program and training requirements to the board and CEO. Despite all the high-profile breaches reported daily by the media, there is still a troubling tendency to view cybersecurity risk as fundamentally different from and separate from the other risks facing an organization, or as simply an "IT problem." This session will provide clear and actionable tips and guidance on clean and effective communication strategies, to make sure your message resonates at the boardroom table and that security awareness is embraced as a strategic priority from the very top of the organization.

Kevin Magee, Member Board of Directors - Brant Community Healthcare System
12:20 - 1:20 pm Networking Luncheon
1:20 - 2:20 pm Lightning Talks
  • Deploying a National Awareness Campaign, Tiffany Schoenike, Director, Campaigns & Initiatives - National Cyber Security Alliance & Ben Flatgard, Former White House NSC Director
  • It Takes a Village: Hands-On Security Awareness, Taylor Lobb, Manager, Security and Privacy Engineering
  • How to Produce Funny & Engaging Videos, Jason Hoenich, Manager, Information Security Awareness & Training - Sony Pictures Entertainment
  • Is Your ePublication Just Another Castaway on Unread Island?, Cathy Click, Security Awareness Project/Process Advisor - FedEx
  • Safe Outside the Walls - The Home Visit Programme?, John Scott, Head of Information Security Education - Bank of England
2:20 - 3:00 pm Rock the Boat: Transforming Security Culture Through Innovation

Traditional security education programs tend to live within the boundary of an organization's culture, emphasizing compliance and resisting radical ideas. At Geisinger Health System (GHS), we have opted to challenge this norm. Our goal is to transform the culture rather than work comfortably within the box. We contend that in order to create a security culture, an information security department must be innovative, creative and - to a degree - non-conformist. It is not enough to plug 'n play the latest security training solution. Security teams must employ unorthodox training methods and "rock the cultural boat" because, in the moments following the tilt, those aboard become simultaneously aware of their surroundings and uncomfortable enough to act quickly - two characteristics that help right the ship and chart a new course. In security terms, this translates to a workforce capable of making sound technical decisions. In this session, we will present lessons learned from our own journey and hope to assist others who want to rock the boat and begin transforming their own security culture.

Graham J. Westbrook, Cybersecurity Analyst - Geisinger Health System
3:00 - 3:20 pm Networking Break
3:20 - 3:40 pm TBD

Special Agent Don Cavender, Federal Bureau of Investigation
3:40 - 4:00 pm The Security Awareness Community Has Spoken: What's the Word and What Next?

The team at American University's Kogod Cybersecurity Governance Center (KCGC) had a blast analyzing the data for the 2017 SANS Security Awareness Report. The security awareness community had a lot to say in the survey responses, and we learned a lot about what makes you tick and what gets in your way. We'll share some of the challenges we faced and additional insights we uncovered while sifting and crunching the data for this year's report, including those related to KCGC's core mission: cybersecurity governance. In particular, what roles do leadership, authority, responsibility and accountability play in implementing a successful awareness program? And because this work is ultimately all about you, the community, we'll open the session up for your input on next year's survey.

Rebekah Lewis, JD, CISSP, CIPP/US, Director, American University's Kogod Cybersecurity Governance Center (KCGC)
4:00 - 4:30 pm Show-n-Tell Winners Announced

Winners of the show-n-tell event will be announced. The winners will present on their materials, how they came up with and implemented the winning ideas, and the impact on security awareness as a result.
4:30 - 4:50 pm Closing Table Discussions

Each member of the table will share with everyone else one key learning from the day's agenda, and their plans for applying that takeaway to their program when they get home.
4:50 - 5:00 pm Closing Remarks