Women talking at SANS Security Awareness Summit

We just wrapped up the 2018 Security Awareness Summit, the largest summit the SANS Institute has ever hosted and the largest event dedicated to managing human risk.  Over 350 security awareness professionals descended on Charleston, SC to learn and share with each other.  Simply put, it was amazing.  Awareness officers are some of the friendliest and most interactive folks I know.  It also helps that most awareness professionals actually like working with people.  In this blog post I’ll share with you my key thoughts, lessons learned and key take-aways from the event.  You can find the slides from all of the speakers who permitted release of their slides at the Summit Archives page.  Finally, don't miss the action as the next Security Awareness Summits are this Nov 28/29 in London and next 7/8 August, 2019 in San Diego.

  • Maturity: The security awareness community is definitely maturing. In past summits speakers and attendees focused on how to start or build a security awareness program.  Most attendees now already have a security awareness program in place, what they are looking for is a way to mature it - many leveraging the Security Awareness Maturity Model.
  • Social Engineering:  We have a tradition at the summit, we start each summit defining the problem.  Last year SANS instructor Rob M. Lee kicked off the event about targeted attacks.  This year professional social engineer Jen Fox explained and demonstrated how a social engineer thinks, and shared actual phone recordings of attacks she has done.  What was great was she presented numerous examples, not only including who was tricked and why, but also people who did the right thing by questioning and ultimately denying her what she wanted.  Attendees really appreciated getting into the mindset of who their adversaries are and how they think.
  • Metrics: We had two excellent talks on metrics led by Julie Rinehart and Kathi Bellotti, specifically what to measure and how.  However attendees wanted even more, so plan on more talks next year on metrics, to include a hands-on, interactive workshop on just this topic.
  • Science: We did bring a bit of theory into the mix, the top rated talk from the summit was Shayla Treadwell on The Science of Security, her energy was amazing.  We may just be able to import her to speak at the EU Summit this 28/29 November.
  • Career Development: We tried out something new that was a smashing hit.  Janet Roberts talked about how to manage your security awareness career and handling different types of difficult bosses.  Janet is one of the most experienced awareness officers out there, having run the awareness programs of three very large companies and worked for seven different bosses.  Attendees really appreciated the career development lessons.  Moving forward we will always have a talk at each summit on developing and promoting your career.  This is becoming especially important as the career opportunities for Awareness Officers are exploding.
  • Workshops:  One of the programs we have expanded is interactive workshops, the chance for you to work on and develop solutions for your program.  This year we had four workshops: Phishing, Ambassador Programs, Escape Rooms and Creative Writing.  Attendees loved the chance to interact with and learn from their peers while working on an actual awareness challenge.  We are learning that the best workshops have specific goals and that we don’t want to make them too broad. Workshops we are thinking of for next year include metrics, OSINT and video creation.
  • Engagement: Having problems communicating to and engaging your workforce?  You are not the only one. We had four different speakers cover the different ways you can engage an audience.  Lisa Plaggemier’s talk on How I Pulled off an Edgy Security Campaign was one of the highest rated talks of the event.
  • Video Wars: Video wars is where attendees submit their homemade videos from their awareness program and compete to see who has the best. This event is always a big hit but this year things were taken to a new level.  Thirteen attendees submitted videos, and their creativity was amazing.  We broke the categories into low budget (below $5K) and big budget.  What impressed everyone is how even the low budget videos were able to deliver.  Unfortunately we are not allowed to share most of the videos but one we can share is from RBC titled Cybersecurity isn’t Child’s Play.
  • Networking: This is probably what attendees appreciate the most, the chance to meet and learn from others.  We hosted numerous interactive networking events, to include a pre-social, treasure hunt, two bonus evening activities, numerous breaks and onsite lunch.  Plan on even more networking opportunities during next year’s summit.

We received permission to record several of the talks and hope to post these talks in the coming weeks. While this year’s summit was the biggest and most interactive yet, we are already planning for next year’s event 7/8 August, 2019 in San Diego.  If you are interested in speaking, plan on the CFP (Call for Presentation) process starting in February, 2019.  If you have a suggestion or idea for the summit, please reach out to me at lspitzner@sans.org.  Hope you can join us and looking forward to meeting you next year in San Diego!