We just wrapped up the 2019 SANS Security Awareness Summit in San Diego, California. Over 300 security awareness professionals came together from across the globe to learn from and share with one another. Simply put, it was amazing! Awareness folks are some of the friendliest, most passionate, and most interactive people I’ve known. In this post, I want to share with you some thoughts, lessons learned, and key takeaways from this year’s event.

I’ll start with an overview of the top ranked talks, which were rated by Summit attendees, followed by general observations of the event and our industry.

Top Rated Talks by Attendees

  • Jake Williams – Latest Human Attacks: We have an annual tradition at Summit: we like to kick off each summit by first defining a problem or challenge facing the industry. Last year, for example, professional social engineer Jen Fox demonstrated how a social engineer thinks. This year, Jake Williams, ex-NSA hacker and a world expert in Incident Response, walked us through the latest human-based attacks he sees in the real world. Attendees really appreciated getting to peer into the mindset of who their adversaries are, how they think, and the latest human attack methods they are using. What is especially interesting is how targeted and crafty the most effective phishing emails have become.
    Slide deck from Jake's talk available here.
  • Jill Barclay – The Creative Process Behind Fun, Low-Budget Videos: Jill knocked it out of the park with this one. She detailed to the audience how they can create highly effective, truly engaging videos with almost zero budget and some props from home. Jill’s key takeaway was that anyone can create effective, fun, and engaging videos on a minimal budget. It just takes some creative thinking. Jill also won last year’s Video Wars competition with her Cyber Villain series, which has now become a whole series of awareness training videos for her company.
    Slide deck from Jill’s talk is available here.

  • Adam Tice - A Lesson in Survival: Transforming Culture by Preparing for a Crisis: Adam’s story was one of the most emotional as he detailed to attendees the breach at Equifax and the impact that had on people and our culture. In his talk, he deeply detailed the importance of individuals, touching on the idea that it only takes one person to inspire change. This lesson rings true not only in the cybersecurity landscape, but also within our everyday lives. The key takeaway from Adam’s talk was the growing need to partner and build strong relationships before a crisis happens and how critical those partnerships become.
    Slide deck from Adam’s talk is available here.
  • Micah Hoffman - OSINT Workshop: Hands-down, this was one of the most popular and highly rated workshops ever hosted at the Summit. Micah is a top-rated SANS instructor and detailed what OSINT (Open Source Intelligence) is, how it is used, and how it can apply to the world of security awareness. Then, through a series of interactive labs, teams conducted OSINT assessments of themselves. It is absolutely amazing, not only the amount of information you can learn about any person or organization, but the extensive tools and frameworks to help you do it.
    Slide deck from Micah’s talk is available here.
    BONUS: Workshop handout from Micah’s talk available here.
  • Alexandra Panaretos – Partnerships and Collaboration: Throughout the event, people continuously brought up just how important partnerships and collaboration are, so Alex’s talk really hit the spot for these attendees. Her focus was ultimately on how to build trust with others, as she detailed that trust is the currency to derive value and loyalty. She also reminded the audience that there’s an escalating need to put the humanity back into the human element of security.
    Slide deck from Alexandra’s talk is available here.
  • Nicole Jacobs - Security Awareness Recognition Program: Nicole shared how she created a recognition program for USAA’s fraud fighters, making it not only fun and creative, but also highly engaging and motivating for USAA’s customer support staff. What attendees loved about Nicole is she presented it in a way that attendees could easily act upon.
    Slide deck from Nicole’s talk is available here.

    Special Events: We had two talks in this special session: Bob Hewitt and Justin Perkins covered How to Build Your Own Escape Room, and Laney Cannon covered Online Digital Scavenger Hunt. What was great with both talks is that they both covered in detail how to launch these events. People especially loved that Laney’s talk detailed how her hunt easily reached their remote workforce, with virtually no budget.

    Optional Third Day: Every year at the summit SANS likes to challenge the status quo and try something new for Summit attendees. This year, we implemented an optional third day to the agenda so that people could extend and expand their learning. It was a huge success. Instructional Design experts Kevin Bennet and Andrew Mantuano spoke to attendees about the concepts of Adult Learning, the ADDIE and ARCS models, and the specifics of designing good Learning Objectives. This is key to an awareness program, as your Learning Objectives specify the actual behaviors you want people to exhibit to manage risk.
    Slide deck from Kevin and Andrew’s talk is available here.

    Their talk was followed by a one-hour Birds of a Feather (BoF) session that discussed topics on Advanced Phishing, Critical Infrastructure, Behavior Modeling and Engagement Strategies. It was a great opportunity for professionals to discuss in small groups and learn from each other.

    Networking: I think the networking events are what attendees often appreciate the most. They get the chance to meet, network, and learn from others in a relaxed, no pressure zone. We hosted numerous interactive networking events, including a pre-social treasure hunt, two bonus evening activities (including Tacos & Tequila on Mission Bay), numerous breaks, and onsite lunches.

    One of my favorite networking events this year was the Living Map. In this exercise, we sectioned off the entire lecture hall into a map of the world. With different parts of the hall labeled from locations around the world, we then had all 300+ attendees go to and stand in the hall based on where they lived. It was so successful because people got to meet other awareness professionals who lived near them, ensuring they can continue those relationships. Many people spent that time comparing cities, exchanging business cards, and connecting on LinkedIn. They could have spent the entire Summit sitting a few chairs down from someone who might work in the same business district in their city and never had known it.

    Fun fact: The record for the longest commute to the Summit was over thirty hours for one attendee, who traveled from South Africa. Plan on even more networking opportunities during next year’s Summit.

    Sharing Toolsets: Two great, popular activities were the Security Awareness Video Wars and the Show-n-Tell tables. The Video Wars were comprised of short video clips, under 3 minutes, which people developed for their security awareness programs with many bringing humor into the mix. The attendees were asked to vote on the videos, with an informal panel. The collaboration and innovative ideas were remarkable.

    The Show-n-Tell display tables were available for people to browse throughout the Summit, allowing for the sharing of all types of collateral, from lanyards to web cam covers, to mascots/villains, and even selfie stick masks. This offered great inspiration for other awareness professionals to learn how organizations made the materials, which ones were the most effective, and why.

    Feedback for Next Year: We received a tremendous number of ideas from our feedback for next year. Here are some of the most exciting:

    • Due to the overall success, we will definitely return with a half Day 3 of the Summit next year. We are also exploring the idea of making the Day 3 dedicated to a workshop.
    • The Living Map was a huge hit, so we will be sure to add that to the agenda next year. We may also include options for specific industries as well.
    • Our half Day 3 attendees loved the Birds of a Feather (BoF) session so much that we are thinking about adding that session to the main agenda.
    • For the evening of Day 2, we will enable attendees to sign up for dinners with other attendees based on topics and industries. In other words, pick the people you want to go out to dinner with based on a common challenge or industry you share. It’s like a dinner version of BoF where you get to decide and drive the conversation.
    • Expect more talks that detail how the individual speakers implemented something in their program, such as metrics, gamification, engagement, and so on. The focus will not be as heavily weighted on what they did, but how they did it. I think this will give the Summit attendees a much better look into how they might be able to implement similar practices into their own programs.
    • Expect more time for Questions and Answers. We had a lot of really great announcements this year, including the SANS Security Awareness Professional (SSAP) credential, but because of the tight agenda, we couldn’t dedicate as much time conducting a Q&A on the SSAP as we would have preferred.

    Conclusion: This was a fantastic event this year. It was packed with opportunities to share, meet with, and grow from each other. I would especially like to thank this year’s Summit Advisory Board who worked tirelessly to help plan and host the event, including Neaka Lynn Balloge, Cheryl Conley, Meredith Howland, Molly McLain-Sterling, Lisa Miglioratti, Stephanie Pratt, Janna Sondenaa, and Maritsa Santiago. Ultimately, this event is by the community, for the community.

    We are already planning for next year’s Summit, which will take place in Austin, Texas. If you are interested in being a speaker at Summit, the CFP (Call for Presentation) process will begin February 2020.

    If you have a suggestion for or want to ask a question about the SANS Security Awareness Summit, please don’t hesitate to reach out to me! Don't miss the action as the next Security Awareness Summits are this November 20-21 in London and next August 5-6, 2020 in Austin, Texas.

    Find the slides from all talks at the Summit Archives page.