
The SANS EU Security Awareness Summit is an annual event that brings together security awareness professionals and industry experts from around the world to share and learn from each other how to manage human risk. This year was the largest event ever in Europe, bringing together over 130 awareness professionals for a jam-packed two-day event. I wanted to share with you some key insights and lessons learned from this unique event. You can download all the speaker slides and handouts from the Summit Archives. In addition, the next summit will be 8/9 August, 2018 at Charleston, SC. Register early, as the last US Summit sold out five weeks before the event. As for the European event, here are some key points and takeaways.

  • Focus on Yes You Can: Dr. Jessica Barker kicked things off with a bang by demonstrating how to humanize your training, focusing on the positive and on how to enable people. To date, too much awareness training has been scary and intimidating; we need to simplify security in people's terms. For that, Dr. Barker lists the five key steps to humanizing security.
  • Measuring Culture: One of the toughest challenges of managing human risk is knowing whether you are making an impact, especially when dealing with a "squishy" topic like culture. Lushin Premji tackled this head-on by sharing his step-by-step process for breaking down and measuring your security culture. What made Lushin's talk so valuable was that it was action-based, with lessons learned from previous organizations he had worked with. We loved what Lushin did so much that we are hoping to have him lead a hands-on, interactive workshop at the US Awareness Summit in August, 2018.
  • Ambassador Programs: While phishing is an important human risk, there are many other risks that need to be addressed in a security awareness program, such as passwords, mobile devices, social media, data protection, GDPR, etc. As awareness programs mature, awareness professionals are asking what comes next. Ambassador programs are time and time again proving to be the most effective method of going beyond behavior alone and creating a secure culture. An ambassador program leverages volunteers embedded throughout your organization to communicate with their peers and help drive behavior change. Whether called Ambassadors, Champions, Advocates, Sentinels or even Cyber Agents, the approach is effective and working. We were fortunate to have two leading experts, Cassie Clark (Salesforce) and Jessica Chang (Dropbox), lead a hands-on workshop on how to build your own Ambassador Program.
  • GDPR: No event on human security would be complete without discussing GDPR and its implications for your workforce. Brian Honan took a very complex (and, let's be honest, boring) topic and made it both easy to understand and entertaining. Long story short, if you want to be GDPR compliant, you will have to engage and involve your workforce. Oh, and GDPR does not just apply to Europe but to any organization in the world that handles EU data.
  • Video Wars: No Awareness Summit would be complete without video wars, the chance for attendees to show off their home-made security awareness videos and vote on others'. This year's winner was the UK's HMRC, which created a short but powerfully emotional video for their staff on the impact a mistake can have. Their video demonstrated the power of emotion to engage people and help them learn. On the flip side, Javvad Malik's satirical "GDPR Millionaire" came in a fun second.
  • Board of Directors: Board members are asking their executive leadership more and more questions about cybersecurity, but few know how to answer in business terms. If you want to gain the support of leadership, you have to speak in their terms. We were absolutely thrilled to have the Deputy Governor of the Bank of England, Joanna Place, lead us through how to talk to your Board about cybersecurity. Key points she covered include keeping your talk strategic, avoiding acronyms, and using frameworks such as the NIST Cybersecurity Framework or the Critical Controls to communicate your roadmap and the current state of your security.
  • Escape Rooms: Okay, this blew so many minds on so many levels that I'm not sure where to start. People are always asking for something fun, engaging, and interactive but also instructional. FedEx has set a new bar with their Security Awareness Escape Room. What was great was that not only did they present on what an Escape Room is, but they then set up an escape room at each of the 15 tables so all the attendees could go through and compete in their own escape room. Everyone got hands-on experience of how an awareness escape room can both engage and teach. Escape rooms are not only a low-cost way to really engage people, but they are also a fun way to reinforce key security behaviors.
  • Card Games: Gautier B. from Michelin CERT shared with us a really cool, low-cost security awareness card game. What we appreciate so much is that he shared all the designs, rules and resources for the card game, so anyone can print their own cards to help gamify their own awareness program.

This is just a highlight of some of the many activities and lessons learned from the event. You can download the slides from all the talks in the Summit Archives. The next Summit is 8/9 August, 2018 in Charleston, SC; please register soon, as we would love to have you become part of this amazing community. Can't make a summit? Then consider taking the intense two-day course MGT433 on building high-impact awareness programs. Either way, we hope you can join us!