Security Awareness Summit - Live Online

Virtual, US Central | Tue, Dec 1 - Tue, Dec 8, 2020

Due to high demand, we have added another MGT433 on Dec 7th - 8th.

Security Awareness Summit Agenda

Live Online | December 3-4

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Thursday, December 3 - all times are in Central Standard Time (UTC-6)
9:30 – 9:45 AM CST
Opening Remarks

Lance Spitzner, @lspitzner, Director, SANS Security Awareness

9:45 – 10:00 AM CST
Overview of Slack

We introduce you to Slack and how we will be making the most of it for interaction, networking and learning more.

10:00 – 10:45 AM CST
Keynote

A Human Hacker Playbook: Account Takeover in 1 Day & How to Stop Me

Rachel Tobac, @RachelTobac, Hacker & CEO, SocialProof Security

At the world's largest hacker conference, DEF CON, a journalist asked Rachel Tobac to take over as many of his accounts as she could -- live. By the end of the day, Rachel had wreaked havoc on 10+ accounts, siphoned thousands of dollars worth of points into accounts she controlled, disrupted his travel plans, and was even ready to shut his lights off. Rachel did all of this without ever once contacting the journalist. Learn the playbook Rachel used to social engineer her way into her target's accounts in one day, and what you can do to stop attackers like her in their tracks, even during a pandemic.

10:45 - 11:00 AM CST Break

Track 1

Learn about managing human cyber risk with a focus on communication, influence, engagement, and culture.

Track 2

Learn about managing human cyber risk with a focus on data, reporting metrics, automation, and technology.

11:00 – 11:30 AM CST
Track 1

May the Horse be With You

Perry Carpenter, @PerryCarpenter, Chief Evangelist & Strategy Officer, KnowBe4, Inc.

Lisa Plaggemier, @LisaPlaggemier, Chief Strategist, MediaPRO

This session will guide the audience through a journey to create Trojan Horses for the Mind. We'll explore how to powerfully use images, sound, emotion, and stories to move beyond simple information delivery and create something that engages learners at a primal level. We’ll illustrate how this is done by looking at examples from popular culture (advertisements, movie clips, stock images, and podcasts), and then discussing how the principles from those examples can be implemented in a security awareness program. The session is vendor-agnostic and will focus on thought leadership and advice that will work with any vendor solution or home-grown program.

11:00 – 11:30 AM CST
Track 2

Behavior and Risk Selection

Oz Alashe, @ozalashe, Founder and CEO, CybSafe

Dr. John Blythe, @johnmblythe, Head of Behavioral Science, CybSafe

Many awareness and behavior change programs fail because they try to do too much, they jump straight to interventions, or they haven't explicitly defined their cyber security risks in behavioral terms. Incremental change and building on small successes are key to effective behavior change, both at an organizational and individual level. But identifying and prioritizing security behaviors is a challenge for many organizations. This engaging presentation will explain why it's important to focus on intervening intensively on a few behaviors. It will also show attendees how to identify and prioritize security behaviors for your organization. You will learn how to apply four criteria:

  • impact (on security risks),
  • likelihood of change,
  • behavioral spillover, and
  • ease of measurement,

as well as how free, open source research tools like the Cyber Security Behavior Database (SebDB) can help you to prioritize behaviors for intervention efforts.

11:30 - 12:00 PM CST
Track 1

Cybercrime insights and mitigating strategies from Sub-Saharan Africa - Zambia

Freda Mwamba-Brazle, @DrFredaBrazle, Chief of Staff and Initiative Project Leader, Anthem

Mark Mondoka, Founder, SuperVeg Farms

In January 2019, Bank of Zambia, the central bank, issued a public notice that monies paid to a company, Heritage Coin, would be reimbursed. The monies obtained from the public were going to be used to purchase cryptocurrencies and guaranteed a 38% return.

Throughout 2018, Heritage Coin was operating in the financial sector without a license from the Bank of Zambia or other sector regulators. The company was offering attractive returns, too good to be true, and word got around. Members of the public, with limited to no understanding of bitcoins, were attracted to the opportunity of making money. Some took their retirement monies and gave it all to Heritage Coin. Later on, the directors of Heritage Coin were convicted and the judgment was viewed as a lesson to perpetrators of money laundering crimes and emerging cyber fraud.

Dr. Freda Mwamba Brazle and Mark Mondoka invite you to join our session to learn more about the context and layout of cybercrime in Zambia and Africa. We will provide insights on Zambia’s experience with cybercrimes, how she is addressing opportunities and challenges associated with these crimes, and share tips and best practices for doing work in Zambia / Africa.

11:30 - 12:00 PM CST
Track 2

Empower Employees: Nudging by Numbers

Pooja Srivastava, Senior Manager, Genpact

Mandatory trainings, videos, awareness sessions, newsletters, rewards; we did it all, but were missing an important component: proactive employee behavior towards a cyber secure culture. Based on existing data, we created a score card for users. Users can now look up their individual scores, discover the scoring rubric, and identify specific measures to undertake to reduce their risk score. This customized approach has been much more effective than a one-size-fits-all program. In this presentation, you'll learn about the sources of data collection, the logic for the scoring rubric, how data was calculated for the pilot group, the results and feedback, and the planned next steps.

12:00 - 1:00 PM CST Lunch: Take a break and network with your peers as we host small 10-person breakout rooms for you to virtually meet, eat and greet with each other
1:00 - 1:30 PM CST
Track 1

The Pen Is the Mightiest Weapon of All

Steffanie AK Schilling, @SAKSchilling, Information Technology Marketing & Communications, Steris

Picture this: After embarking on your arduous journey of mitigating human cyber risk, the summit is finally in sight. A culture of security is sweeping the organization, you have allies in far-reaching corners and enthusiastic support from the highest reaches of leadership. Can you feel that? Are you yearning for that excitement, pride, and sense of accomplishment? You might be saying, “Yes! I want that! But how do we get there?” Facts and figures do not change minds; emotions do. Emotions not only affect our decisions, but even more fundamentally they determine whether or not we engage. By weaving stories into presentations, you have the power to engage the hearts of those around you, and in turn, capture minds. Join SANS Cybersecurity Difference Maker and Innovator Steffanie Schilling as she makes you into a master storyteller who creates allies and inspires action. You’ll learn to create a compelling vision and purpose, capture audience attention, facilitate understanding and memory recall, build support, and strengthen commitment to your initiatives.

1:00 - 1:30 PM CST
Track 2

Using Security Operations Center Metrics to Develop Awareness Programs

Chris Crowley, @CCrowMontance, Consultant, Montace LLC

Security Operations Centers (SOCs) are immersed in the day-to-day defense of computer networks. The visibility they provide on issues is likely the best security vantage point any organization has. This presentation will show what capabilities a SOC should have, the metrics that should be collected and delivered within the SOC, and the usefulness of these metrics for general organizational and executive awareness. We'll examine the importance of leveraging SOC information to showcase the daily efforts to improve security capability, efforts that unfortunately become less visible as that capability becomes more successful. Attendees can expect to learn what every SOC should aspire to be, how a SOC can better present its performance and accomplishments to the organization, and how the SOC's data can be used to target general awareness within the organization. The net effect is an effective collaboration between deeply technical efforts and efforts to improve human awareness.

Workshops: Time to Choose!

Each of these workshops will be an intense, hands-on event where you actually develop solutions you can apply to your own program. Select and attend one of the options below. Remember, slides and handouts from both workshops will be made available to everyone.

1:30 - 3:00 PM CST
Workshop: Facilitated Social Engineering Sessions: Build Your Own!

Jen Fox, @J_Fox, Security Program Specialist, Domino's Pizza

This workshop demonstrates a short and effective social engineering exercise. Participants will walk through an example of the exercise, creating their own pretexts based on information that organizations frequently leave exposed. Sample materials are included. Participants will learn how to present this group exercise and customize it for their organization and/or different attack types. We'll examine which types of presentations and activities work best in certain environments, then run through the presentation and exercises. We'll also look at key questions that need to be answered in order to make presentations effective. What types of security attacks are common or problematic to your organization? What does your organization need to protect? Why does social engineering work? What is the process? How are pretexts developed? How or why did these work? The workshop features group exercises that involve reviewing research packets (everyone gets the same set) and determining how to approach getting credentials, having someone download a file, or getting access to a physical machine. The groups will then share their ideas on how to customize or build internal information sources.

1:30 - 3:00 PM CST
Workshop: Your Program is Awesome, Now Prove It

Masha Sedova, @modMasha, Co-Founder and Chief Product Officer, Elevate Security

The inability to measure the effectiveness of security awareness training usually leads to these programs being deprioritized. For too long, we've accepted training completion and mock phishing data as a sufficient way to measure the impact of our interventions. But is the training you're conducting actually reducing security risk for your organization? That remains a black box for too many teams. There is a way forward, as security teams have installed tons of security tooling that can provide insight into how our employees are behaving. However, we often just leave these data on the cutting room floor. For example, most enterprises have an endpoint solution that prevents malware from being run on a machine. Known malware execution attempts are blocked and logged, and the security team moves on. But wait! That's pure security-behavior-change gold! Wouldn't it be great to see who was running that malware, and how many times it happens? With that information you would know which employees need more malware training and who is good to go. Further, it would show you where your malware hotspots are for the future just in case your existing endpoint solution doesn't catch everything. Practice defense in-depth now with more people security! This presentation will show attendees where to get the data, how to prioritize those data, and how to use them to effectively change behaviors within their organization.

3:00 - 3:15 PM CST Break
3:15 - 3:45 PM CST
Track 1

Making Security Personal with Personas

George Finney, Chief Security Officer, Southern Methodist University

This presentation will summarize the evolution of a security program over the course of 10 years to focus on creating culture change one relationship at a time. We’ll look at a customized awareness program that used marketing personas, culture assessments, and personal interviews to meet the needs of a community, increase engagement, and change the organizational perspective from being compliance-focused to having a coaching mindset that meets individuals where they are and builds them up. After attending the session, participants should be able to create awareness personas based on the users in their environment, apply personas to tailor training outreach to multiple constituent groups, and use culture audits to identify strengths, weaknesses, and opportunities for outreach.

3:15 - 3:45 PM CST
Track 2

Automating Your Awareness Program

Blair Adamson, @Reluctant_Us3r, Cyber Influence - Senior Lead, Telstra

Be honest: how much of your program is allocated to winning hearts and minds vs. managing an Outlook distribution list and an Excel spreadsheet? Your ambitions to keep growing your program are likely limited by the available resources or capacity within your team. But have you considered automating your program where it makes sense to do so? Over the past 18 months, the Cyber Influence team at Telstra, Australia's largest telecommunications provider, has been using freely available automation tools in O365 to scale, optimise and now enhance their program, and the results speak for themselves.

3:45 - 4:00 PM CST
Closing Remarks
4:00 - 4:30 PM CST
Plenary Session - Track 1

Coffee Chats with Cassie Clark

Learn all about the world of growing, making, selecting and enjoying the world's best coffee from a self-professed coffee geek and guru. Sit back, turn on your video and interact with your peers from all over the world in this informal, relaxed and fun session.

Friday, December 4 - all times are in Central Standard Time (UTC-6)
9:30 – 9:45 AM CST
Opening Remarks

Lance Spitzner, @lspitzner, Director, SANS Security Awareness

9:45 – 10:30 AM CST
Keynote

What 2020 Teaches Us About Cyber Security Awareness, Behavior and Culture

Dr. Jessica Barker, @drjessicabarker, Founder & CEO, Cygenta

The challenges of 2020 have brought with them many lessons. As security awareness professionals, what can we take from 2020 and apply in 2021 and beyond to make us more effective at planning, communicating and influencing cyber security in our organizations and communities? In this keynote, Dr. Jessica Barker draws on research, case studies and reflections from the year to consider how we can help people better protect themselves from an ever-evolving and often unseen threat.

10:30 - 10:45 AM CST Break

Track 1

Learn about managing human cyber risk with a focus on communication, influence, engagement, and culture.

Track 2

Learn about managing human cyber risk with a focus on data, reporting metrics, automation, and technology.

10:45 – 11:15 AM CST
Track 1

Comparing apples and oranges: how do we report on click rates when all our phishes are different?

John Scott, Head of Security Education, Bank of England

Phishing simulation companies promise massive reductions in click rates, but are those numbers reliable? How should you compare someone clicking on a badly spelled, obvious phish versus a spear phish? Can you draw any comparisons?

In this talk, John Scott will feed back to the SANS community on his MSc thesis research into creating a useful and usable model for predicting the susceptibility of a given phish, based on the presence or absence of certain psychological triggers. He will discuss how he tested his models against his own organization, and will share the results.

10:45 – 11:15 AM CST
Track 2

Creating and Maintaining a Virtual Security Ambassador Program

Nandita Bery, Director, Security Engagement, Fareportal

There are never enough awareness professionals to support the size of companies where we work. A growing trend is to establish a security ambassador program to leverage networks of employees to help spread security messaging, threat trends, news, and best practices. People get excited at first and sign up, but then you have to find ways to keep them engaged and coming back for more, because it's easy for them to get diverted by their "day jobs." How do you create excitement, so people want to join security awareness programs? How do you maintain that excitement past the honeymoon phase? What solid resources do you need to provide to keep them coming back? What reporting and metrics can be leveraged to demonstrate success? In this presentation, Nandita Bery will share success stories, failures, and lessons learned from creating new programs and transforming existing ones. She'll look at the key elements of a successful cyber champions program and how to avoid the pitfalls that lead to volunteer fatigue and boredom. Nandita will present strategy and specifics on how to roll out a program and support it with infrastructure such as a web portal, monthly calendars, speakers, activity kits, recognition, topic selection, reporting and metrics, and going global.

11:15 - 12:00 PM CST
Plenary Session - Track 1

Lightning Talks: Success Stories and How-tos for Virtual Engagement

Madeline Howard, Socio-Technical Engagement Manager, Cygenta

Dana Barka, Senior Cybersecurity Awareness Program Lead, Kimberly-Clark

Jonelle Burns, Firmwide Cybersecurity Education & Awareness, JPMorgan Chase & Co.

Melissa Misuraca, Security Culture Lead, Kroll

Neaka Balloge, Cybersecurity Awareness & Training Specialist, NYU Langone Health

Don't blink! We will host five 8-minute lightning talks as people share their most successful virtual engagement tricks, stories and methods.

12:00 - 1:00 PM CST Lunch: Take a break and network with your peers as we host small 10-person breakout rooms for you to virtually meet, eat and greet with each other
1:00 - 1:30 PM CST
Track 1

Meet a Culture: Security Awareness in Latin America

Mora Durante Astrada, Security Education and Awareness, Zurich Insurance

Companies that operate in various countries sometimes face the challenge of the "one size fits all" approach: having a global concept or initiative and making it work everywhere. Security awareness is no different. In today's talk, and under the umbrella of Zurich Insurance's global education and awareness program, we will see just how unique Latin America can be, and how aware we must be of certain particularities first in order to successfully run a security awareness program, or even a single campaign, in the region.

By the end of this talk, you will have gained some insight into Latin America, and what it takes to drive security awareness in the region:

  • Flexibility and adaptability (especially to political unrest, a sad fact of LatAm culture)
  • A bilingual person, preferably located in LatAm, or a very good translation service (Duolingo is not enough!)
  • The ability to create a sense of being a team and making decisions together (or they will make their own agenda and ignore yours)

1:00 - 1:30 PM CST
Track 2

How Non-Educators Educate Effectively: The Secret Recipe to Building Impactful Training Programs

Dr. Mary Dziorny, Senior Cybersecurity Consultant, Revolutionary Security

As professionals in the security awareness space, we know that people join the domain from a variety of backgrounds that range from marketing and communications to cyber and technology. But rarely if ever are those tasked with designing training and education programs armed with a formal foundation in training or adult education. The SANS MGT433 course provides a comprehensive curriculum that covers all of the essential skills needed to develop and run an awareness program, including the Attention, Relevance, Confidence, Satisfaction (ARCS) model. However, there's a gap between where the ARCS model leaves off and the detailed planning and execution of training and education begins. This session will address that gap and provide program owners with a roadmap to create effective training and awareness activities. The trick is to design engagements that truly teach and motivate the audience. Attendees will learn nine critical components to designing effective instructional events and learning materials; how the instruction tools of Gagne and Briggs map with the ARCS model; and how to stimulate rapid, obstacle-free learning to achieve program goals and promote positive cyber behaviors. The remainder of the session will involve hands-on exercises to enable participants to work together and apply the design principles to the training and education challenges they face in their programs.

1:30 - 2:00 PM CST
Track 1

Culture Eats Strategy for Breakfast – Building Effective and Positive Behavioral Change

Dean Chapman, Director, People + Cyber Risk, Willis Towers Watson

Tom Finan, Cyber Growth Leader, Willis Towers Watson

This presentation will start by examining a fundamental problem, whether we want to hear it or not: most employees think cybersecurity is boring. How then can you achieve "buy in" and interest from those employees in a global business of over 45,000 personnel? Organizations with different cultures, a range of languages, and/or a largely displaced workforce first need to understand what the security awareness "problem" looks like. We continue to suffer incidents, and the traditional governance approach to people and training is not always effective. The underlying objective of this presentation is to better understand what the business cyber culture looks like and then develop a program to enhance positive behavioral change. The presenters will articulate the many challenges they've faced and the steps they've taken to address them. They'll provide a series of options to come to grips with defining what an effective training and awareness strategy looks like, supported by the collation of data (metrics) and a culture assessment framework. Takeaways will include how to build a custom framework for the assessment of your people + cyber risk culture; how to identify and overcome the challenges you may face on this journey; and how to collect the data and metrics you need and ensure that they drive the development of a people-centric security strategy. Finally, we'll look at why your organizational culture is the key to everything we do and why it must be at the very heart of our activities. In short, culture eats strategy for breakfast.

2:00 - 2:30 PM CST
Track 1

The Human Firewall - A Multi-faceted Approach to Combating Social Engineering

Janet Maranga, Chief Information Security Officer, University of Nairobi

Social engineering is rife, with malicious actors utilizing covert and unique techniques such as SIM swap fraud and mobile money compromise. This session will focus on the social engineering attack lifecycle and creative ways to train people on these attacks, and consequently foster a security-aware culture that can be replicated successfully in other organizations.

Key takeaways for attendees will be how to effectively issue advisories and best practice guides and how to create awareness in a bid to deter and contain criminal and fraudulent activities. They will also learn how to improve their vigilance in relation to social engineering attacks.

Overall, the mindset of the human element has to be changed by continuous creative sensitization and generating awareness to the people who are in harm's way.

2:30 - 3:00 PM CST
Track 1

The Art of Ethical Influence: Shaping the Decisions of Leaders to Support Security Awareness

Luke Barnes, Managing Partner, Fidelis Risk Advisory

Getting business leaders and employees to buy into security training and initiatives is not only hard but also sometimes discouraging, since it requires people to change existing behaviors. What if you had tactics to deliberately target and influence leaders and employees into taking action? Like the term “ethical hacking,” which implies that hacking can be done unethically, the word “influence” today has become something of an expletive. Yet, like hacking, influencing can be done ethically for the good of the organization. This presentation will explore the art of ethical influence in information security. InfoSec professionals often get bogged down on the technical side and forget that one of their most powerful tools to get things done is the ability to influence others. Attendees will learn actionable methodologies to ensure that motives and actions are ethical. They’ll also learn about the dynamics of an organizational climate, culture, and context; how to define a target audience, how to ascertain the proclivities and biases of leaders that contribute to their decision-making; how to craft messaging themes and connect business objectives to them; how to map out information conduits and channels and determine success criteria; and how to effectively and ethically influence targeted leaders and employees.

1:30 - 3:00 PM CST
Workshop: Choose Your Own Adventure Video

Jill Barclay, Enterprise Cybersecurity Communications and Engagement Lead, CommonSpirit Health

Roman Aguirre, Digital Media Producer, CommonSpirit Health

Video is one of the best visual tools you can use to convey complex information in an engaging way. In this workshop, participants will dive into the creative process: choosing the topic, theme, key messages and call-to-action. We will take you through the steps from script to screen, using your input and participation to help create a short video that everyone will be able to use for their organizations. Every adventure is different. Which one will you choose?

3:00 - 3:15 PM CST Break

3:15 - 3:45 PM CST
Track 1

Initial Findings and Results from the Annual SANS Security Awareness Report

Dan deBeaubien, Director, SANS Security Awareness

Lance Spitzner, @lspitzner, Director, SANS Security Awareness

3:45 - 4:00 PM CST
Closing Remarks