We just wrapped the 4th annual EU Security Awareness Summit and I could not be more excited about the whole experience. In fact, we are already planning for the big . Over 130 security awareness professionals from around the world came together to share resources, ideas, and lessons learned on the latest in managing human risk.
I want to share with you some of my own key takeaways and favorite activities from the event:
- Workshops: The hands-on, interactive workshops are one of my favorite events, as we learn not only from speakers but also from each other. This year, we tried two totally new workshops: OSINT assessments and “Fun / Cheeky Videos”.
As always, people love the hands-on and interaction with others. At the OSINT workshop, folks were amazed at just how much information they could find about themselves on the Internet.
However, what really stole the show was Javvad Malik’s video workshop, where each table was challenged to create their own cheeky security awareness video on-site in less than an hour (pick a topic, write the script, shoot, edit, etc., with only the materials at their table). The creativity people showed blew us all away. Plan on both of these workshops for .
- Environment: Two wonderful talks by Brian Honan and David Porter communicated the same key point through different stories. Specifically, we need to stop blaming people when we have incidents and start looking at the environment we have created and how it drives the incidents that happen.
Brian walked us through the history of car safety and all the innovation that has gone into making people safer, while David walked us through a tragic train accident of 1861 and how the train crew was set up for failure.
Another key lesson learned was the need to study when incidents do NOT happen and learn why.
- Metrics: People ask us for more material on metrics, and every year we take it to a new level. This year, we had two outstanding talks that covered how to measure and report on your security culture. Noora Alfayez from Aramco did a fantastic job walking through several years of metrics, the impact of their training, and how to identify weaknesses.
Denise Beardon and Mo Amin walked everyone through a different approach. When it comes to metrics, there are a variety of different things you can measure and a variety of different ways to measure them, and they have different value to different people.
- Learning Objectives: One of the surprise hits was Jon Portzline’s talk on Learning Objectives: what they are and how they are the foundation for creating effective training. Many people do not understand just how important specific, clear Learning Objectives are to changing behavior. Expect us to extend this talk and make it bigger and more interactive in San Diego next year.
- SpyPi: University student Sarah Mühlemann demonstrated her amazing SpyPi technology that puts university students in the role of a hacker and teaches through immersive learning. She designed this to appeal specifically to the GenZ generation target group.
- GenZ: Alison Crockford walked us through how the Bank of England’s intern program has taught them a great deal about Generation Z, just how technically savvy they are, and how the most effective awareness programs will start by listening to them.
- Managing Your Career: Janet Roberts is a true veteran after building awareness programs in three international companies and dealing with over 9 different bosses. She covered how to deal with all types of different personalities, how to grow your career, and how to ensure you stay happy with what you are doing. Her talk was such a hit, we plan to have a career-focused talk at every future summit.
- Book Signing: Bruce Hallas was on site to discuss his new book and sign copies for all attendees. We loved this idea and hope to promote authors and book signings at all future summits.
This is just a highlight of the many talks, events, and activities we covered in two days. Remember, you can find and download all the talks from the Summit Archives page. You can also find the event agenda and the speakers' slides in the summit archives. In addition, you can see what attendees posted and shared on social media using the hashtag #SecAwareSummit.
The biggest takeaway from the event for me was how we need to stop blaming people and take a hard look at security itself. Instead of focusing solely on changing people or changing culture, we should focus on what we can do to change our security policies and our approach to security so it works for our workforce.
Simply stated, stop focusing on changing “them”. Actively listen and see how we can change the “us” in the security world. Consider submitting a talk or putting in your budget request now for travel; we would love to see you join us!