8:40 am - 9:00 am
ET
12:40 pm - 1:00 pm UTC | In Person Speakers Opening Remarks |
9:00 am - 9:20 am
ET
1:00 pm - 1:20 pm UTC | In Person Speakers Table Top Introductions This event is all about networking with and learning from each other! We start each morning by giving you 20 minutes to meet and chat with those sitting at your table (primarily for in-person attendees).
|
9:20 am - 10:00 am
ET
1:20 pm - 2:00 pm UTC | In Person Speakers Keynote | Beyond the Breach: The Role Culture Plays
|
10:00 am - 10:20 am
ET
2:00 pm - 2:20 pm UTC | In Person Speakers Break |
10:20 am - 10:55 am
ET
2:20 pm - 2:55 pm UTC | In Person Speakers Security Self-Awareness: Changing Culture Through Introspection Erica Mick, Security Culture and Human Risk Management Senior Analyst, Royal Caribbean Group Looking inward to examine our own thoughts, judgements, and perceptions can help us as individuals to be more creative and communicate more effectively. What if we applied those same principles of introspection when trying to build a security culture? Holding a mirror to your cybersecurity team encourages self-reflection and starts a conversation on how we’ve failed to meet the organization where they are. When your cybersecurity team understands the viewpoint of the organization, they become partners rather than blockers. By creating more user-friendly processes and tools to achieve business objectives, the culture around cybersecurity changes. During this session you will learn how you can bridge the gap in understanding by evaluating the attitudes and beliefs of your own cybersecurity team. You will learn how to conduct a self-assessment, change your team’s attitude towards users, and foster partnerships between cybersecurity and the organization.
|
10:20 am - 10:55 am
ET
2:20 pm - 2:55 pm UTC | Virtual Speakers Three Things Security Awareness Pros Should Steal From Marketing Mike Taylor, Cybersecurity Learning Capabilities Consultant, Nationwide In today's fast-paced world, capturing and retaining the attention of our audience is more challenging than ever. This presentation delves into three crucial lessons that security awareness professionals can borrow from the field of marketing to revolutionize their approach.
Firstly, we explore the concept of speaking to the 'Primal Brain.' Understanding the subconscious, emotional drivers of human behavior can empower L&D professionals to create more impactful and memorable learning experiences. By leveraging techniques that appeal to the primal instincts of learners, we can enhance engagement and facilitate deeper learning.
Secondly, the importance of first impressions cannot be overstated. Just as marketers meticulously craft the initial exposure to their products, security awareness professionals must design the first encounter with their materials to be visually appealing and emotionally engaging. Learn the one element under your control that accounts for over 90% of a person's reaction to your content.
Lastly, we address the challenge of capturing and holding learners' attention in an environment saturated with information. (Hint: It doesn't work the way you think it does!) Drawing parallels with marketing strategies, we discuss the need for streamlining messages, making expressions fun or intriguing, and employing visuals to create learning experiences that are not only informative but also impossible to ignore.
Join us to discover how embracing these marketing-inspired strategies can transform your security awareness initiatives, leading to more effective and engaging outcomes.
|
11:00 am - 11:35 am
ET
3:00 pm - 3:35 pm UTC | In Person Speakers Fear, Empathy, and Team Spirit: The Psychology of Cybersecurity Communication Understanding motivation is relatively straightforward when marketing consumer products like sneakers or cars. It becomes more complex when persuading internal audiences to improve data security practices. Corporate objectives don’t always naturally translate into messages that both capture attention and resonate on a personal level. However, other behavior-change campaigns offer valuable insights. This session will look at compelling past (and current) mission-critical campaigns that range from WWII secrecy posters to airline safety videos and even Smokey the Bear. We’ll break down the motivational strategies behind these varied approaches—weighing the relative effectiveness of fear, empathy and/or team spirit. We’ll also look at how the examples leverage entertainment and humor to engage audiences—even when the underlying subject matter is serious. For years, this analysis has informed cybersecurity creative at one of the nation’s largest networking companies, and it can provide inspiration and insights for other organizations encountering similar challenges.
|
11:00 am - 11:35 am
ET
3:00 pm - 3:35 pm UTC | Virtual Speakers Ransomware for Security Awareness Practitioners The term "Ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on-keyboard, well-planned attack campaigns. Ransomware is a rapidly growing threat that has evolved from being a single machine infection following an ill-advised mouse click to becoming a booming enterprise capable of crippling large and small networks alike. So, what do security awareness and culture professionals need to know about ransomware? Where did ransomware begin, and how has it evolved over the years? More importantly, how do ransomware actors get into YOUR organizations? Attend this talk from Ryan Chapman, the author of SANS FOR528: Ransomware and Cyber Extortion, to learn these items and more!
|
11:40 am - 12:15 pm
ET
3:40 pm - 4:15 pm UTC | In Person Speakers Recognition Revolution: How rewarding and recognising your employees can drastically increase engagement Nik Wileman, Head of Security Resilience and Training, National Grid We evolved our awareness program from forgotten to unforgettable. We spent years feeling like we were talking to ourselves, our colleagues did not seem to appreciate the significance of security within our organisation, the importance of our controls or understand why they should want to play a part in helping to secure our organisation.
Today we have an engaged workforce representing a positive security culture throughout our global organisation, with employees proactively playing a part in helping their colleagues become security smart. The secret? Reward and recognition. We embedded several processes and initiatives that recognise positive security behaviours and offer rewards for helping protect our organisation, its people, assets and information whilst growing our human firewall.
We will help you discover what motivates your employees, how you can use this as a tool for developing innovative reward and recognition initiatives and become amazed by the increased engagement with your awareness program because of simply rewarding and recognising your colleagues in ways they appreciate.
|
11:40 am - 12:25 pm
ET
3:40 pm - 4:25 pm UTC | Virtual Speakers AMA: Ask a Human Hacker Anything Curious how an ethical hacker hacks? Wish you could ask a hacker all the questions on your mind to learn how to develop your security awareness training with the latest attack methods in mind? Join us for Rachel Tobac's Ask a Human Hacker Anything (AMA). You'll hear how she hacks, how she picks her targets, technical and human-based tools to make her hacking harder, how AI has changed her hacking, and answers to your questions.
|
12:30 pm - 1:30 pm
ET
4:30 pm - 5:30 pm UTC | In Person Speakers Lunch |
1:30 pm - 2:05 pm
ET
5:30 pm - 6:05 pm UTC | In Person Speakers One size does not fit all - how to build a successful awareness program for your organization? Tiina Kärkäinen, Senior Cybersecurity Awareness Consultant, Nixu Oy, a DNV Company One size does not fit all, and that includes cybersecurity. Organizations are different, and that matters when it comes to building a culture of cybersecurity awareness. We'll present two case studies from very different industries, a global manufacturing company and a national media company, to illustrate how an organization's operations and environment should be considered when building a cybersecurity awareness program. We'll share lessons learned from real cases, so you can avoid pitfalls and know what to consider to successfully build an awareness program that makes an impact.
|
1:30 pm - 2:05 pm
ET
5:30 pm - 6:05 pm UTC | Virtual Speakers Bridging the Gap: Ensuring Accessibility in Cybersecurity Solutions Join Justin Merhoff, a passionate advocate for accessibility in cybersecurity, for an enlightening presentation addressing the critical need to ensure people are aware of the risks without cybersecurity being accessible. Attendees will gain insights into the specific challenges faced by individuals with disabilities in accessing and utilizing cybersecurity solutions, alongside the associated risks that many face in the world today.
Throughout the session, Justin will explore actionable strategies and initiatives to foster greater accessibility in cybersecurity solutions. Attendees can expect to learn about integrating accessibility standards in design and development, promoting awareness of inclusive cybersecurity practices, and fostering collaboration among stakeholders.
By the end of the presentation, attendees will be equipped with practical takeaways to advocate for accessibility within their organizations and communities. They will understand the urgency of addressing accessibility risks and be empowered to drive positive change towards a more inclusive digital landscape.
|
2:10 pm - 2:45 pm
ET
6:10 pm - 6:45 pm UTC | In Person Speakers Empathy in Cybersecurity: Nurturing Trust and Mitigating Risk with Repeat Clickers Sue DeRosier, Senior Advisor, Cybersecurity Awareness, Southern California Edison Martin Valle, Advisor, Cybersecurity Awareness, Southern California Edison This presentation will walk you through the process and reasons why creating a safe space for repeat clickers to overcome their challenges is a win-win for the employee and the company. Setting the stage with a case involving a 30+ year veteran with a stellar record who was on his fourth failure, which per our guidelines for corporate goal simulations would have meant termination, we will outline the steps the Cybersecurity Awareness team took to ensure his tenure at the company which then led to an ongoing process for employees who need extra guidance on identifying suspicious indicators. Working with a diverse organization of 28K+ employees and supplemental workers, half of whom are in the field 100% of the time, means understanding the various ways people interact with technology can impact – positively or negatively – their ability to recognize malicious actions. Our lessons learned brought us to a place where “going the extra mile” for those who need more help is now Job #1 for the team. During the presentation, we will highlight those lessons and the steps we take today to mentor individuals who need a bit more help in successfully navigating phishing attempts.
|
2:10 pm - 2:45 pm
ET
6:10 pm - 6:45 pm UTC | Virtual Speakers Looking For Some Bigger Phish to Fry? Engage and Retain Learning Through Phishing Rodeos Phishing rodeos and other special events have been floating around the industry for a long time. But do you find your people aren’t as enthusiastic as they should be, don’t stay engaged, or don’t retain the lessons learned? Join Cyber Shield as we delve into our Phish Fry event, how it was developed and marketed, along with how we kept the engagement going. And, of course, the lessons learned along the way. We will also share a toolkit to take back to your organization that will help you implement a similar event that will fit your organization’s culture!
During our presentation, we’ll go over:
• Branding the event to something your employees care about
• Maintaining brand look/feel by working with communication departments and others
• Advertising the event well in advance with sign-ups and training
• Advertising to leadership, spurring competition amongst areas
• Working with HR/Legal/other departments on rules/regulations
• Using a combination of generalized phishing and public knowledge spear phishing
• Consistency in prizes, themed to the event and what the employees want
• Debriefing with participants as well as messaging from CISO and newsletter articles
• Employee reactions/discussions with other employees to create a longer lasting buzz
• Proof in the pudding - metrics show reporting jumped when advertising, raised during the training and phish fry months, and have remained consistently high since
• Lessons learned along the way and how it changed or will change our approach for the future
|
2:50 pm - 3:10 pm
ET
6:50 pm - 7:10 pm UTC | In Person Speakers Break |
3:10 pm - 3:45 pm
ET
7:10 pm - 7:45 pm UTC | In Person Speakers Escape Rooms and Virtual Treasure Hunts - Leveraging Interactive Learning in your Awareness Program In my proposed talk for the SANS Security Awareness Summit, I will explore the transformative impact of interactive learning in cybersecurity training, drawing on our success with an escape room at First Citizens Bank as well as my extensive prior experience creating virtual OSINT treasure hunts. This session will guide attendees through the conception, design, and execution of engaging educational experiences that go beyond traditional training methods. Participants will learn how to craft compelling puzzles and scenarios for both physical escape rooms and virtual treasure hunts, each designed to educate on critical cybersecurity practices and principles. The presentation will highlight the importance of moving away from passive learning, demonstrating how immersive activities can significantly enhance knowledge retention and understanding. I will share practical insights into organizing these interactive experiences, from assembling materials and setting up environments to leveraging open-source intelligence tools for virtual hunts. Attendees will gain strategies for incorporating interactive elements into cybersecurity training, tips for creating memorable and impactful learning activities, and evidence of how such approaches foster a security-conscious culture within organizations. I'll also speak about how leveraging various AI tools can lower the typical barrier to entry for these activities.
|
3:10 pm - 3:45 pm
ET
7:10 pm - 7:45 pm UTC | Virtual Speakers Cultivating a Zero Trust Mindset: Nedbank's Cybermindfulness Program In this talk, Christine Gordon Bennett from Nedbank and Anna Collard from KnowBe4 Africa will share the learnings of their 1.5-year journey into their cyber mindfulness campaign at Nedbank (one of South Africa's leading banking brands). We will touch on human psychological traits and tendencies that make us susceptible to social engineering and how mindfulness practices can (scientifically evidenced) 'patch' our human vulnerabilities. The talk will share both practical on-the-ground experiences from a practitioner's point of view and provide backed-up academic highlights (without boring anyone..) from Anna's Master's thesis in Cyberpsychology about Cyber mindfulness which influenced the campaign. We believe that the combination of scientifically validated data with practical experience in the cyber mindfulness space gives us the authority to talk about this subject on a global stage and we will make it fun and engaging too.
|
3:50 pm - 4:25 pm
ET
7:50 pm - 8:25 pm UTC | In Person Speakers TBA
|
3:50 pm - 4:25 pm
ET
7:50 pm - 8:25 pm UTC | Virtual Speakers It’s a Small World of Security Data, After All: Using Behavioral Data to Inform Security Awareness Campaigns and Measure Impact Self-inflicted incidents, or those caused by employee user-negligence, pose a significant risk to companies. When such incidents occur, sensitive data can be exposed, resulting in a drain in resources, diminished trust, and direct impact on customers. The Salesforce Security Awareness team uses various data inputs to deliver programming to address such risk, strengthen security culture and change/reinforce behavior and security best practices. This discussion will center around how Security Awareness teams can use trends in conjunction with awareness efforts to measure progress over time and demonstrate awareness programmatic impact through data/metrics. Participants will gain a better understanding of how to:
• Use data to measure human-related security risk across their organization
• Provide targeted security education and training to high-risk populations within their organization
• Decrease the number and types of security incidents caused by user-negligence
• Improve their organization’s overall security posture
|
4:30 pm - 4:45 pm
ET
8:30 pm - 8:45 pm UTC | In Person Speakers Wrap-Up |