SANS security awareness summit 2024

Some of the Mindshift team had the privilege of virtually attending the 2024 SANS Security Awareness: Managing Human Risk Summit on July 31- August 1.  

What is the SANS Managing Human Risk Summit? 

SANS is seen as the world's most trusted and largest source for information security awareness training and security certification.  

 Each year, the SANS Managing Human Risk Summit  brings security awareness experts together who share invaluable insights through case studies and cutting-edge technologies for managing human risk. 

The talks will be available on the SANS Security Awareness YouTube channel, but in the meantime, we've compiled a summary of the most impactful talks, highlighting key takeaways that we believe will be of interest to our clients and anyone interested in advancing their cyber security awareness programme. 

Key takeaways  

As in previous years, Mindshift felt this a very worthwhile experience to be inspired by innovative concepts and strategies and hear from leaders across the globe. We did not see that key themes were different from previous years, as summarised below -  

  1. Human-centric approach: Across all sessions, a common theme was the emphasis on human behavior as both the greatest vulnerability and the strongest defense in cybersecurity. Fostering a culture that prioritizes security awareness is essential. ‍ 

  2. Leadership's role is crucial: Effective human risk management begins with leadership. When leaders actively engage in security practices, it influences the entire organisation, making security a shared responsibility. ‍ 

  3. Continuous improvement: Security is not a one-time effort but an ongoing process. Continuous training, simulation exercises, and adapting to new threats are necessary to stay ahead of risks. ‍ 

  4. Measurable outcomes: Success in human risk management is measured by the reduction of incidents and the improvement in security behaviors. Metrics and assessments are vital tools to ensure strategies are effective. 

Mindshift’s take on the top talks  

Beyond the Breach: The Role Culture Plays – KEYNOTE  

Speaker: Tim Brown, CISO at SolarWinds 

Context: SolarWinds, based in Tulsa, Oklahoma, provides IT management tools including the Orion platform, which monitors network and infrastructure. In late 2019, hackers inserted malicious code into SolarWinds Orion updates. This attack, discovered by FireEye in December 2020, impacted over 300,000 major customers, including Fortune 500 companies and U.S. government agencies like the Pentagon and NASA, marking one of the largest cybersecurity breaches of the 21st century. 

Key take-outs 

  • Control and communication: In the immediate aftermath of a breach, managing chaos through clear communication and defined roles is crucial. SolarWinds split its response teams early, emphasising collaboration and a "do your job and help others" approach. 

  • Leadership and culture: The CEO’s role in setting a customer-first culture was pivotal. A strong, unified message from leadership guided the organisation during the crisis. 

  • Commitment to transparency: SolarWinds emphasised the importance of being transparent with customers and stakeholders, not just during the breach, but in the long-term aftermath, including correcting misinformation. 

  • Ongoing recovery efforts: Recovery from a major breach is an ongoing process, involving not just technical fixes but also restoring trust through continuous communication and demonstrating improvements. 

  • Cultural impact on security: The security culture within an organisation can either hinder or help the response to a breach. SolarWinds highlighted the necessity of a strong, proactive security culture to manage crises effectively. 

Self-security Awareness 

Speaker: Erica Mick, Security Culture and Human Risk Management at Royal Caribbean Group 

Key take-outs 

  • Engage with users: Meet employees at their level of understanding and set realistic cybersecurity expectations. Tailor communication to be accessible and practical. 

  • Build empathy: Connect with employees by recognising their non-expert status in cybersecurity. Understand their challenges and bridge gaps through empathy. 

  • Collaborate across departments: Work with different teams to understand their needs and ensure that security measures are practical and relevant. 

  • Make security accessible: Ensure that security initiatives are easy to engage with, provide clear instructions, and offer incentives to motivate participation. 

  • Integrate security by design: Embed security into tools and processes from the start to make them intuitive and user-friendly. 

  • Recognise and motivate: Implement recognition programs to highlight employees who have performed exceptionally well on phishing simulations 

Fear, Empathy, and Team Spirit: The Psychology of Cybersecurity Communication 

Speaker: David Shultz, Founder at Sans Serif 

Key take-outs 

  • Capture attention and motivate action: Effective cybersecurity communication begins with capturing attention and translating that attention into motivation for the right behaviours. This involves using strategies that resonate with different psychological triggers.  

  • Seven strategies for motivation: 

  1. Fear: Is a powerful motivator, but can be worthless. 

  2. Shame: When fear is personalized, it can turn into shame. 

  3. Empathy drives personal responsibility in cybersecurity. 

  4. Fun: Making security information fun can increase engagement. 

  5. Team spirit fosters collaboration and shared security goals. 

  6. Personal connections make security practices more relatable. 

  7. Gamification and competition, particularly where individuals compete against themselves.  

  • Cultural considerations: The choice of motivational strategies should be aligned with the organisation’s culture. Segmenting the audience based on factors like location, office environment, regional culture, knowledge level, and field of work ensures that communication strategies are relevant and effective. ‍ 

  • Understanding technology interaction: Recognising how people interact with technology in their daily lives can inform more effective cybersecurity communication, making it easier to implement strategies that resonate with employees. 

  • Positive reinforcement, empathy, fun, gamification, and competition (e.g., leaderboards) are integral to effective Human Risk Management strategies. These approaches have proven to be more impactful and efficient than negative motivations such as fear. 

How rewarding and recognizing your employees can drastically increase engagement 

Speakers: Sophie Tate, Security Awareness & Culture Lead at National Grid & Niki Wileman, Head of Security Culture, Training, and Resilience at National Grid 

Key take-outs 

  • Identify key behaviors: Focus on recognizing and rewarding the specific positive security behaviors that are most valuable to your organization. 

  • Support advocates: Find and support employees who exemplify these key behaviours. Provide them with recognition, rewards, and opportunities for increased responsibility. 

  • Sustained engagement: Engage personally with employees to understand their roles and implement cost-effective recognition initiatives, like "Phishing Belts, "maintain high levels of motivation and engagement.  to

  • Low-cost recognition: Use creative, cost-effective methods for recognizing employees, such as informal awards or public acknowledgments. Align the reward with your organization's culture, but ensure it's something that excites and motivates your employees 

How to Build a Successful Awareness Program 

Speakers: Marianne Lindroth & Tiina Kärkäinen, Cybersecurity Consultants at Nixu Corporation

Key take-outs

  • Lead communication: Appoint a dedicated leader for the awareness platform to ensure effective communication. 

  • Know your audience: Use preferred channels and relevant topics to engage your audience effectively. 

  • Management support: Ensure management actively supports and demonstrates the values of the program. 

  • Personalised messaging: Tailor and personalise communications to boost engagement and motivation. 

  • Leverage networks: Connect with others and seek support to enhance the program’s impact. 

Strong Communication: A monthly or quarterly cybersecurity newsletter can be an effective tool for keeping employees informed and engaged. 
 
Key take-outs 

Using Behavioral Data to Inform Security Awareness Campaigns and Measure Impact 

Speaker: Jade Meyer, Security Awareness Program Management at Salesforce 

Key take-outs 

  • Ongoing and targeted campaigns: Use data to target high-risk employees and tailor security messaging accordingly. Implement both ongoing and ad hoc campaigns to address varying needs. 

  • Track and measure: Monitor campaign effectiveness over time to understand its impact. Measure behaviour change, information engagement, and retention. 

  • Framework for data analysis: behavioural data: Analyse what is happening and when. 

  • Employee attribution: Identify who is involved and where incidents occur. 

  • Human risk measurement: Assess why risks occur and how to mitigate them, using a risk score based on severity and frequency.  

  • Custom scenarios: Create realistic phishing scenarios that mirror common threats encountered by your employees to increase engagement and effectiveness. 
    ‍ 

Avoiding a Culture Clash: How to Harmonize Security Practices with Organisational Values 

Speakers: Amy Herbert, Information Security Behavioural Change Lead at Accenture & Jennifer Bliss, Information Security Innovation Portfolio Lead at Accenture 

Key take-outs 

  • Use innovative training: Engage employees with interactive methods like VR, gamification, and personalised content to make security training more effective. 

  • Align with culture: Integrate security practices with your existing organisational culture rather than changing it. 

  • Understand your culture: Tailor security strategies to fit your organisation's decision-making, risk tolerance, and communication styles. The idea can be great, but it might not flourish if it’s not the right time or culture. 

  • Pursue continuous improvement, no matter the culture: Regularly update strategies, seek guidance from advisory boards, and challenge existing practices and status quo. 

  • Customise training: Align training methods with your organisation’s culture to boost engagement and effectiveness. 

  • Regular evaluation: Continuously update strategies based on feedback and emerging threats.  

Evolving Beyond Basic Analytics to Quantify Human Risk 

Speaker: Nandita Bery, Director of Information Security Programs at Equinix 

Key take-outs 

  • Leverage user engagement data: Track user engagement through posts, topics, and views to gather insights on behaviour and risk levels. 

  • Develop a human risk heat map: Use data to identify trends, pinpoint challenges, and target training effectively. 

  • Program tracking and metrics: Monitor elements like cyber ambassadors, new hires, training modules, and overall security awareness to measure and improve program effectiveness. 

  • Engagement forecasting: Analyse historical data and patterns to forecast future engagement and refine strategies accordingly. 

  • Report to stakeholders: Present quarterly updates to the board to demonstrate the impact and progress of security initiatives. 

Check out the SANS Security Awareness YouTube channel for the full talks if any of these are of interest. 

 

 

Previous
Previous

Beware of scam calls: cybersecurity alert for New Zealand residents

Next
Next

Staying safe online when buying and selling