2018 SANS Security Awareness Summit

One of my absolute favorite responsibilities working at SANS Security Awareness is helping organize and run the annual Security Awareness Summit.  This is a huge community event where security awareness professionals from around the world come together to share lessons learned and resources, and to network.  It’s awesome.  For the 5th annual Summit this year in Charleston, SC we tried something new - interactive polling.  We gave attendees the opportunity to interactively ask a variety of questions.  One of the polling questions was “Ask Lance Anything”.  We had over 50 questions submitted; below I attempt to answer what we consider the top questions.  There is some fantastic stuff here, so with no further ado, let’s jump right in.

  1. Will there be a SANS Security Awareness certification?  This is something people have been asking for a while now.  We have already started working with the globally recognized GIAC team to develop a cert for security awareness professionals.  Stay tuned for more.
     
  2. How can we convince our leadership that Summit attendance isn't a "once and done" event and that we NEED to attend every year? I’m always amazed at how often security leadership treats human security differently from technical security.  Would you send a penetration tester to a training event only once in their life and consider them trained for the rest of their career?  Of course not. Would you do the same for someone in forensics, secure software development or malware reverse engineering?  Of course not.  Security awareness is no different. Both the challenges and how we attempt to solve those challenges are constantly evolving and advancing.  New methods are being developed on how to engage your workforce, how to prioritize what behaviors to change, and how to measure that change.  In addition, going every year is a tremendous way to network and learn with others, benchmark your program, and build a community that can continue to help you after each Summit.  If you have a suggestion on how you got leadership support to continue coming to the Summit each year, PLEASE email me your secret at lspitzner@sans.org so I can share it with others.
     
  3. Should you allow users to test out of training?  For annual training, in many cases yes - if your compliance standards permit it.  However, if any new or additional training has been added, users need to be required to take that training (GDPR is a great example).  In addition, annual training is just a small part of any security awareness program; you also need continuous reinforcement throughout the year.  I feel every member of your workforce should be part of that continuous reinforcement.  That is why we need to ensure that the reinforcement training is engaging and valuable: content that people want to consume.
     
  4. What training/certifications/masters programs are there beyond your MGT433 class to further security awareness education?  For going above and beyond the two day SANS MGT433 course, I highly recommend the two day Security Awareness Summit, the SANS MGT512 or SANS SEC301 courses, or the SANS STI program for a masters degree.
     
  5. What have you learned this Summit?  Oh boy, where do I start.  First, it always amazes and thrills me every year how friendly, interactive and helpful our community is.  What I learned is how the security awareness community is starting to truly mature.  Conversations are no longer about CBT or Phishing, we are now discussing Escape Rooms, metrics frameworks, reporting to the Board and other key concepts.  A common challenge I’m also seeing is how many of us want to create edgy campaigns that engage, but are not sure how to gain leadership support to be edgy and not offend people at the same time.
     
  6. How many dedicated FTEs (Full Time Employees) does it take to run your phishing program?  Good question; it really depends on the maturity/complexity of your phishing program.  If you are doing nothing more than a simple phishing simulation once a month for an organization of 500 people, perhaps 5 hours a month to manage that.  However, if you are targeting different target groups with different tiered phishing templates for an organization of 10,000 people, AND you are measuring metrics such as click rates, report rates and repeat clickers, AND building targeted training around your simulations, AND briefing leadership on these results, then easily a minimum of half an FTE to a full FTE.
     
  7. What cybersecurity risk keeps you up at night?  What really bothers me is how many in the security community continue to belittle the concept of awareness programs and/or the concept of managing human risk.  I’m stunned at how many people in our field continue to perceive cyber security as purely a technical challenge that can be solved by technology alone.  The concept of changing human behavior is not new; other industries have been doing it for decades (safety, wellness, heck even marketing).  Until security professionals take a relevant view of managing human risk we will continue to lose the battle.  We have hit the point of diminishing returns by focusing on technology alone.
     
  8. What is the biggest satisfaction you get after such conferences? That’s easy - helping others.  Seeing how our attendees are so happy to meet, share and help others is an awesome feeling, as is knowing people are going back to their office with a new community of friends and pages of new ideas to try out.  Ultimately the Summit is all about making a difference.
     
  9. Why are you so passionate about security awareness?  Because after twenty years of cyber security I truly feel that the human is where we can make the biggest difference.  We can only invest in technology so far; we have hit the point of diminishing returns.  The other aspect I love about awareness is that it’s about helping others, not only at work but at home and in their personal lives.
     
  10. What is the biggest change in this Summit since it first started, and why?  Wow, in the past five years it has exploded into something I never even imagined.  First, the size: the event has grown from 75 people to 350, with well over 400 expected next year.  Second, what amazes me is just how important this event has become for people and their career paths.  It’s not just what attendees learn from the Summit talks, but the networking with others, sharing ideas and lessons learned, and building personal relationships.  Ultimately it is those relationships that are now the most important part of this event, and something we want to build on and expand.
     
  11. What is the one thing you want everyone to walk away from this conference thinking about?  Managing human risk is a key part of any cybersecurity program, and it can easily be done if we go beyond just technology and think about people.  That is why we are such big fans of the Security Awareness Maturity model, it provides the framework on how to manage your human risk and enables you to communicate that impact to leadership.
     
  12. Is there any awareness event scheduled in Asia? If the cultural difference is the reason to organize a Summit in the UK, we should have one in Asia.  We are definitely looking at Asia as another location for future Summits.  We would absolutely love to help spread the word and build community there; the challenge is one of resources and logistics.
     
  13. When is next year's Summit? The 6th annual Security Awareness Summit is 7/8 August, 2019 in San Diego.  We will be issuing our official Call for Presenters (CFP) in early Feb of next year.  However, remember we also have the European Security Awareness Summit this 28/29 Nov in London.
     
  14. What are your top 1-3 book recommendations for this community?  These three books helped me tremendously.  They are fun and easy to read, yet helped transform how I approach managing human risk: Leading Change, Switch and Made to Stick.
     
  15. What makes Awareness the best domain in security?  It’s all about people.  Ultimately that is the core of every organization.  Take away the technology and you still have an organization.  Take away the people and you have an empty building full of boxes.  We tend to forget that, no matter how important the technology, ultimately it’s there to help people, not the other way around.
     
  16. Noticed the 2019 dates include 9-14 after the Summit. Are you teaching additional courses?  Yes we are.  Not only do we host the two day SANS MGT433 course at each Summit, but we offer other SANS courses after the Summit as well.  For the 2019 Summit we hope to host some very cool courses, including SANS SEC301, MGT512 and the new SANS OSINT course, SEC487.
     
  17. How do you choose where to host the Summits?  The sites for each year’s Summit are chosen by SANS' amazing summit team, who make these events possible.  Every year we like to pick a new location, rotating between the West Coast, central US and East Coast.  2018 was East Coast (Charleston, SC); next year is West Coast (San Diego).  For 2020, plan on somewhere in the central time zone.
     
  18. What is your personal energy source?  Is it legal?  Hah!  I’m very fortunate: I get to work full time in a field I’m uber passionate about.  Also, to be honest, there is so much energy at the Summits that it is quite easy to feed off of just that.
     
  19. What is your least favorite part of this job?  The travel.  I absolutely love meeting new people in new cities and countries around the world.  I’m very fortunate that I have traveled to over 40 countries in my career.  It’s the actual 5-35 hour commute to each of these locations that is the biggest pain.  In fact, I’m writing the answers to these questions while sitting on an airplane that has been stuck on the tarmac for two hours now.
     
  20. Do you ever lose your voice?  Yes!  After 4-6 days of non-stop teaching or talking I can lose my voice, so I have to be very careful.  I learned to project my voice as an Armor Officer in the US Army (you have to talk very loud around M1A1 Main Battle Tanks).  But you can do that for only so long.
     
  21. What one thing do you wish we had had a speaker on?  We definitely need to bring in some of the harder sciences for next year.  As such, expect some talks on identifying and prioritizing key behaviors, leveraging Learning Objectives to clarify key behaviors, and a metrics workshop on how to measure those behaviors and communicate their impact.
     
  22. Will videos be posted?  Videos of the talks will be posted in the near future.  However, we will not be posting all the talks.  We will only be providing a selection of the best talks that we are allowed to share, as several speakers requested that their talks not be recorded or shared outside the Summit.