The SANS Security Awareness Summit is an annual event that brings together security awareness professionals and industry experts from around the world to address the human security challenge. This year was the largest event ever, bringing together well over 200 people. As we just finished up the event, I wanted to share with you some key insights on not just the summit, but the security awareness field. First and foremost, the field of security awareness is maturing significantly. Three years ago the summit and awareness officers in general focused on the basics, such as leveraging a framework for building an awareness program, kick-starting phishing assessments or the basics of human risk analysis. Now the discussion is on how to mature existing programs and how to go beyond behavior and change culture. Here are some key points I took away.
- Ambassador Programs: Many organizations have moved way beyond phishing. While phishing is an important human risk, there are so many other risks that need to be addressed (passwords, mobile devices, social media, etc.), especially as work and personal life continue to merge. Awareness officers are asking "what's next?". Ambassador programs are one answer. A large number of organizations are effectively leveraging volunteers embedded throughout the organization to communicate with their peers and help change behavior. Called many different things (Ambassadors, Champions, Advocates, Sentinels or even Cyber Agents), the approach is effective and working. In fact, John Kotter's latest book Accelerate is on just this topic. We were fortunate to have a team of experts from three different companies (Adobe, Dropbox and Salesforce) share their lessons learned. One of the key takeaways from the talk was that a highly effective Ambassador Program does not take much budget, but it does take at least half an FTE (Full-Time Equivalent). The other key point was that recognition, not money, is one of the most powerful motivators you have.
- Board of Directors: Board members are now asking management about cyber security, but the problem is that Board members do not understand the issues involved and do not know what to ask management. This is something they are not used to, nor do they like it. As security awareness officers are the leaders in security communication, we have to know how to coach and communicate with the top. We had two outstanding talks on this topic, from Kevin Magee of Brant Community Healthcare System and John Scott of the Bank of England.
- Threat Intel: The worlds of security awareness and threat intel are beginning to merge. First, just like technical risks, when dealing with human risks we have to understand our threats, and for that you have to understand targeted attacks. Second, the human element can effectively be trained to become the Human Sensor, a great source of information. Few people can better explain the thought process behind targeted attacks than SANS Instructor Rob M. Lee. Rob taught us that 'elite hackers' are actually real people with real deadlines, bosses, mortgages and lives. They are going to come at you with the simplest approach possible. Attackers are not perfect, and their job is much harder than you may think.
- Escape Rooms: Okay, this blew so many minds on so many levels that I'm not sure where to start. People are always asking for something fun, engaging and interactive but also instructional. FedEx has set a new bar with their Security Awareness Escape Room. What was great was that not only did they present on what an Escape Room was, but they then set up an escape room for each of the twenty tables so all the attendees could go through and compete in their own escape room. While we ran into some technical gotchas (expected for something that is a world-wide first), everyone got hands-on experience of how an awareness escape room can both engage and teach.
- Maturity Model: As organizations and their awareness program mature, more and more people are leveraging the Security Awareness Maturity Model. This model enables awareness professionals to not only compare their programs using the same standard, but enables them to communicate to leadership where their program is. This was also a key point that Kevin Magee emphasized in his talk on Board of Directors.
- Awareness Community: Not only is the industry maturing, but so too is the community itself. There are very few other fields where so many people want to engage, help and share with their peers. In addition, no other field in cyber security has as many women: over 50% of both the attendees and speakers at this year's summit were women.
This is just a highlight of some of the many activities and lessons learned from the event. You can download the slides from all the talks in the Summit Archives. If you are interested in participating, the next summits are 6/7 December 2017 in London and 8/9 August, 2018 in Charleston, SC. Can't make a summit? Then consider taking the intense two-day course MGT433 on building high-impact awareness programs. We hope you can join us!