6 Lessons Learned from the 2017 Security Awareness Summit


Thank you to Lance Spitzner and The SANS Institute for allowing EDUCAUSE to republish this blog [https://securingthehuman.sans.org/blog/2017/08/08/us-security-awareness-summit-after-action-report]. —Editor


The SANS Security Awareness Summit [https://www.sans.org/event/security-awareness-summit-2017] is an annual event that brings together security awareness professionals and industry experts from around the world to address the human security challenge. This year was the largest event ever, bringing together over 200 people August 2–3 in Nashville, Tennessee. As we just finished up the event, I wanted to share with you some key insights on not just the summit but also the security awareness field. First and foremost, the field of security awareness is maturing significantly. Three years ago, the summit — and awareness officers in general — focused on the basics, such as leveraging a framework for building an awareness program, kick-starting phishing assessments, or the basics of human risk analysis. Now the discussion is on how to mature existing programs, go beyond behavior, and change culture. Here are some key points I took away.

Ambassador Programs

Many organizations have moved way beyond phishing. While phishing is an important human risk, there are many other risks that need to be addressed (e.g., passwords, mobile devices, social media), especially as work and personal life continue to merge. Awareness officers are asking, "What's next?" and the answer is "ambassador programs." A large number of organizations are effectively leveraging volunteers embedded throughout the organization to communicate with their peers and help change behavior. Called many different things — ambassadors, champions, advocates, sentinels, or even cyber agents — the volunteers in these programs are effective, and the programs are working. In fact, John Kotter's latest book Accelerate is on just this topic. We were fortunate to have a team of experts from three different companies (Adobe, Dropbox, and Salesforce) share their lessons learned [https://www.sans.org/summit-archives/file/summit_archive_1501780261.pdf]. One of the key takeaways from the talk was that a highly effective ambassador program does not take much budget, but it does require at least half a full-time employee (FTE). The other key point was that recognition (and not money) is one of the most powerful motivators you have.

Board of Directors

Board members are now asking management about cybersecurity, but the problem is that board members do not understand the issues involved and do not know what to ask management. This is something they are not used to, and they don't like it. Security awareness officers are the leaders in security communication, and we have to know how to coach senior leadership and communicate with the top. We had two outstanding talks on this topic: Kevin Magee from Brant Community Healthcare System [https://www.sans.org/summit-archives/file/summit_archive_1501784662.pdf] and John Scott from Bank of England [https://www.sans.org/summit-archives/file/summit-archive-1501786788.pdf].

Threat Intel

The worlds of security awareness and threat intel are beginning to merge. First, just like technical risks, human risks require us to understand our threats, and for that we have to understand targeted attacks. Second, the human element can effectively be trained to become the "human sensor" — a great source of information. Few people can better explain the thought process behind targeted attacks than SANS Instructor Rob M. Lee. Rob taught us that elite hackers are actually real people with real deadlines, bosses, mortgages, and lives [https://www.sans.org/summit-archives/file/summit_archive_1501699127.pdf]. They are going to come at you with the simplest approach possible. Attackers are not perfect, and their job is much harder than you may think.

Escape Rooms

Okay, this blew so many minds on so many levels that I'm not sure where to start. People are always asking for something fun, engaging, and interactive but also instructional. FedEx has set a new bar with their Security Awareness Escape Room [https://www.sans.org/summit-archives/file/summit_archive_1501699282.pdf]. What was great was that not only did they present on what an escape room was, they then set up an escape room for each of the 20 tables so all the attendees could go through and compete in their own escape room. While we ran into some technical gotchas (expected for something that is a worldwide first), everyone got hands-on experience to see how an awareness escape room can both engage and teach.

Maturity Model

As organizations and their awareness programs mature, more and more people are leveraging the Security Awareness Maturity Model. This model enables awareness professionals not only to compare their programs using the same standard but also to communicate to leadership where their program stands. This was also a key point that Kevin Magee emphasized in his talk on getting the board of directors on board.

Awareness Community

Not only is the industry maturing, but so is the community itself. There are few other fields where so many people want to engage, help, and share with their peers. In addition, no other field in cybersecurity has as many women — over 50 percent of both the attendees and speakers at this year's summit were women.

What's Next?

This is just a highlight of some of the many activities and lessons learned from the event. You can download the slides from all the talks in the 2017 summit archives.

To Learn More

If you are interested in participating in future community events, the next two Security Awareness Summits are December 6–7, 2017 [https://www.sans.org/event/european-security-awareness-summit-2017] in London and August 8–9, 2018 in Charleston, South Carolina. Can't make a summit? Then consider taking the intense two-day course Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program (MGT433). We hope you can join your security awareness colleagues for one or more of these events!

Lance Spitzner is director of the SANS Institute Securing the Human program. Follow @lspitzner on Twitter or visit his Security Awareness Blog.

Republished with permission. All rights reserved.