We recently finished up the European Security Awareness Summit this 20/21 November in London, UK, one of the very few events dedicated to the human side of cybersecurity.  Over 100 security awareness, engagement and culture professionals came together to share lessons learned.    Not only did we have over 15 fantastic speakers but numerous networking and interactive events.  Cybersecurity is not only a technical challenge but a people challenge, as a result people are also part of the solution. You can find all the speaker slides and notes from the summit at the Security Awareness Summit Archives.  We also invite you to join us for the 2020 Security Awareness Summit 5/6 August in Austin, TX.  Here are some of my key takeaways and favorite talks from the two-day summit.

Chris Fleming SANS Security Awareness EU Summit blog recap

Chris Fleming – Marginal Gains:  This was one of my favorite talks as Chris shared stories of the British cycling team and Champion Hot Dog eaters to demonstrate the approach of marginal gains to achieve your long term goals.  Instead of looking for that single, silver bullet that will solve all your security engagement, behavior and culture challenges, look for numerous ways to make smaller improvements.  Similar to investing repeatedly over time, the long-term impact can be quite significant.  In many ways Chris’s talk reminded me of Thaler and Sunstein’s research in the book Nudge.

Carole Theriault SANS Security Awareness EU Summit blog recap

Carole Theriault – Lessons Learned from Podcast World:  At times it is good to get an outside perspective for our world.  We were thrilled to have Carole, professional podcaster and host of Smashing Security and The Cyberwire, to share with us her lessons learned on engagement in the podcasting world.  She hit it home with her focus on WIIFM (What’s In It For Me), the reality that most people find cybersecurity confusing, intimidating or boring and how to communicate to them in a simple yet honest level.  She had by far the most engaging / fun slides I have seen in twenty years of working in information security.

Cassie Clark SANS Security Awareness EU Summit blog recap

Cassie Clark – Many Faces of Culture:  Cassie’s passion is culture.  What I loved about her talk was not so much about changing culture, but Cassie’s focus on understanding your existing culture and integrating security into that existing culture.  She provided several examples of how she is doing just that at her company Cruise, to include identifying existing values and the matching security to those values.  To me this is so much more an effective approach.

Nilay Bozacioglu SANS Security Awareness EU Summit blog recap

Nilay Bozacioglu – Getting Help From a Little Friend: Mascots can be a fantastic way to engage your audience and create a common theme and brand for your entire program.  In the United States, one of the most successful awareness brands is Smokey Bear, with over 90% of adults being able to both recognize the bear and his message.   Nilay walked us through how over the past three years she and her team developed, launched and leveraged their mascot the Data Monster.  Lots of great lessons learned, to include leveraging an add agency and a friendly character that people could more easily to relate to, as opposed to dark / scary brands typically used for cybersecurity.

Richard Atkins SANS Security Awareness EU Summit blog recap

Richard Atkins – Table Top Exercise: While not a presentation, this was a fantastic bonus for the event.  Richard, from the City of London Police, set-up a full blown cybersecurity table top exercise / game that leverages both cards and Legos. Richard then walked attendees through how to play the game at several social events and how the game can be leveraged to demonstrate to others, especially leadership, the value of cybersecurity and key decisions that have to be made.

As always, the best part is all the networking activities, to include evening socials, show-n-tell, video wars (which was won by Torben Sorenson from NETS) and the partnerships that people make.  Only by working as a community can we help address the human side of cybersecurity, and that is what these summits are all about.  Hope you can join us next year 5/6 August in Austin, TX or 18/19 November in London, UK.