Security Awareness Blog

Lessons Learned from the EU #SecAwareSummit

Last week we hosted the first ever SANS Security Awareness Summit in Europe. The goal of the summit was to bring together thought leaders and practitioners from around the world who are working to secure the human element. The event was a huge success, as over 80 professionals had the opportunity to meet and learn from each other. I wanted to share with you some of the key takeaways from the event. You can also download the presentations from the summit here.

  • Behavior Costs: Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at University College London. The key thing I learned from her research was that every behavior we ask people to make has a cost. The more secure behaviors CISOs require people to make, the greater the cost to the organization and the greater the complexity to the individual. Lesson learned: if you want to truly secure your organization, focus on a few key behaviors that will have the greatest impact.
  • Aligning to Business: Andrew Huddart is head of awareness at the Bank of England. What I loved about his talk is he focused on the business side; he reminded us that ultimately our job is to help the organization fulfill their mission. He then described how to align your program based on John Kotter's 8 steps from "Leading Change". It was really good to take a step back and remember ultimately why we are trying to secure human behaviors.
  • Ambassador Programs: John Haren is Head of Information Security Governance, Risk & Compliance at Diageo. John is a thought leader in building ambassador programs, what John Kotter calls embedding change agents throughout your organization. John emphasized the importance of providing motivators for your ambassadors to ensure they gain from the program. In addition, he covered how you have to be flexible, as different regions operate differently.
  • Learning Theory: Geordie Stewart is the Principal Consultant at Risk Intelligence with extensive experience in safety culture, while Dr. Lisa Murray-Johnson is Training Director at Securing The Human with over 20 years of experience in communications and learning architecture. Their presentations complemented each other as they went into detail on how people think and how different academic theories apply to changing human behavior. By better understanding the motivators and learning processes of people, you are better prepared to create engaging training that changes behavior.
  • Mascots: Nilay Bozacioglu was one of the winners of the show-n-tell event, where attendees share examples of their own awareness programs. Nilay and her team developed an amazing mascot that fit the culture of their organization perfectly and gave them a powerful and engaging tool to communicate their key topics and learning objectives.
  • Networking: Ultimately, though, the number one thing I heard from everyone was how the networking, interacting with and meeting others from different industries and countries, was the biggest value. We as a community are in this together, and only by working with and learning from each other can we grow and improve. What worked well here were the extra-long breaks and lunch to ensure everyone had plenty of time to meet others.

For those of you who could not make it, you can download the presentations from the event. In addition, there is still time to sign up for the US Security Awareness Summit in Philadelphia on 19 August. Thanks to everyone who made this happen!