SUMMIT 2018 - SANS Institute · 2018-07-03 · 3:20-4:20 pm Security Awareness Video Wars...


SUMMIT 2018
Charleston, SC | August 8-9, 2018

Chairman: Lance Spitzner

#SecAwareSummit @SecureTheHuman


SHOW-N-TELL
Back by popular demand, this event is a creative and interactive way for attendees to generate new ideas for their own security awareness programs. Attendees bring and display materials (posters, stuffed animals, giveaway items, handouts, etc.) they’ve developed for their security awareness programs, and share how they created the materials and their impact. Grab a cup of coffee, browse the wares, take some snapshots, and get ready to take your awareness program to the next level. If you want to share your own materials, there is no prior registration or coordination required; just bring whatever you would like to show from your own program. We will provide you with a table, you provide the rest. You are welcome to set up your materials the night before the summit, during early morning registration or during the first break. We have a separate room dedicated just for Show-n-Tell. You are welcome to leave your materials during the whole event including overnight; however, we recommend you do not leave anything highly valuable such as electronics. Please be prepared to provide any vendor-related information in case other attendees want to do what you did.

SPEAKER Q&A
For this year, we are adding time after every talk for you to ask the speakers questions. In addition, we are adding time for you to discuss with members at your table one thing you learned from each talk.

EVENT BADGES
One of our goals is to maximize your ability to meet and network with other attendees. That is why, when you pick up your badge during registration, you should select the industry sticker(s) that apply to your organization and stick them on your badge. This way you can easily identify others in the same industry as you, and vice versa. In addition, we have colored stickers to represent the size of your organization so you can easily spot others of the same organizational size as you. Finally, we will be providing red Sharpie markers at every table; use the red markers to write on your badge any topic you are passionate about or hoping to learn more about.

EVENT RULES
To encourage honest and open dialogue amongst attendees, this event follows the Chatham House Rules. This means you are free to share what you learn with others, however you cannot attribute the source. In addition, there will be no media at this event. More about Chatham House Rules at:

PRE-SUMMIT MEET AND GREET
Tuesday, August 7 | 6:00 – 8:00pm

Meet and network with your fellow attendees the night before the Summit kicks off. Make the most of the event by building those partnerships and learning from others early on. In addition to free food and drinks, we will be hosting an interactive treasure hunt with an iPad as the top prize.



DAY 01 | 8:00-10:40AM


8:00-8:30 am Welcome for First Time Summit Attendees In this informal and totally optional session we welcome all attendees who are attending the summit for the first time. Learn what this summit is all about and how you can make the most of it.

8:00-8:45 am Registration and Coffee

8:45-9:00 am Welcome, Introductions & Rules of Engagement Lance Spitzner, Director – SANS Security Awareness

9:00-9:20 am Networking & Introductions We know that the conversations among peers and the connections forged during these events are just as valuable as the talks. Kick off your day by getting to know the other attendees seated at your table and begin fostering those meaningful connections and exchanging ideas right away. Introduce yourself with your name, organization and industry, size of your organization, what you hope to get out of the summit, and one thing most people do not know about you. No more than two minutes per person.

9:20-10:00 am Keynote: The Dark Arts of Social Engineering Jen will share insights she has gained through her experiences as a social engineer. What exactly is social engineering and what goes into a social engineering campaign? What does social engineering look like and what tricks or techniques has Jen found to be the most successful? Most importantly, what has she found to make people and/or organizations more resilient to these attacks? Jen will share various real-world stories, including recorded conversations from real social engineering attacks.

Jen Fox, VioPoint

10:00-10:20 am Open-Source Intelligence (OSINT) More and more organizations are beginning to leverage OSINT in their security awareness programs, from demonstrations to their workforce on how cyber attackers leverage OSINT, to creating OSINT reports on senior leadership as part of their security awareness training. Learn exactly what OSINT is, how it is conducted, what the final results are, and how they are commonly used.

Josh Huff, Stillinger Investigations

10:20-10:40 am Networking Break Drinks and snacks will be served.



DAY 01 | 10:40AM-3:20PM

10:40 am - 12:10 pm Communications and Engagement Session In this exciting session, four presenters will get twenty minutes each to share their stories on communications and engagement. We will then follow the session with ten minutes of Q&A where you can beat up the speakers with your questions.

• Security Culture: An Awareness Success Story Yvonne Long, SLAIT Consulting

• How I Pulled off an Edgy Security Campaign Lisa Plaggemier, CDK Global

• Using Motivation to Drive Security Behavior Change Masha Sedova, Elevate Security

• Communication Lessons from the World of Public Health Ben Smith, RSA

12:10-1:00 pm NETWORKING LUNCHEON Lunch is served onsite to maximize interaction and networking among attendees. If you finish lunch early, take a moment to review the show-n-tell tables or sign up for an evening activity.

1:00-3:00 pm Workshop Track Pick and attend one of the two workshops below. Regardless of which workshop you select, all attendees receive a copy of all the slides and handouts for both workshops. Workshops are very different from talks: they are highly interactive, as you work in teams and learn from each other while guided by your instructors. The end goal of each workshop is for you to take back a plan and lessons learned you can implement the day you return to the office. NOTE: One of these workshops may switch with one of the workshops on Day 02 to ensure that the two most popular workshops are not on the same day together.

• Phishing: Learn how to establish a cutting-edge phishing simulation program, including template creation, simulating targeted attacks, reporting, handling repeat clickers, translation, key metrics, privacy challenges and much more. This workshop is led by two recognized experts with years of experience running industry-leading, global phishing programs. Cheryl Conley, Lockheed Martin and Tonia Dudley, National Cybersecurity Society

• Creative Writing: Learn how to take common security topics and communicate them in engaging, novel and creative ways that push the envelope. As part of these hands-on labs you will be given various challenges for which you must design how to communicate, then compare and learn from what your peers develop. Cathy Click, FedEx

3:00-3:20 pm Networking Break Drinks and snacks will be served.



DAY 01 | 3:20-5:15PM

3:20-4:20 pm Security Awareness Video Wars Volunteers will show 3-minute clips of security awareness videos they’ve developed for their security awareness programs. At the end of all the videos, presenters will then share lessons learned, including how the video was developed, how it was deployed, and the impact. Attendees will also vote on the videos they think are the most effective, and winners will be announced the next morning and awarded the coveted SANS Security Awareness coin.

4:20-4:50 pm No User Awareness Budget? No Problem In this presentation we will discuss building a user awareness program from scratch. We will talk about creative ways to make the user awareness program fun and memorable using nursery rhymes, Dr. Seuss, images from movies, games and pets. We will discuss the benefits of monthly lunch and learns and give examples of putting a successful lunch and learn program together. The presentation will touch on the importance of getting the communications department involved with the awareness program and will give examples of starting out small and growing the program in partnership with the communications department. The presentation will give examples and discuss ways of getting the user population involved with the awareness program. Finally, we will briefly discuss how we measure our successes and failures with the program and how we adjust the program accordingly.

Steve Lape, Savannah River Remediation

4:50-5:00 pm Table Closing Discussion Each member of the table will share with everyone else one key learning from the day’s agenda, and plans for applying that takeaway to their program when they get home.

5:00-5:15 pm Closing Remarks



DAY 02 | 8:45AM-11:30AM

8:45-9:00 am Day 02 Kick Off and Coordination Items Lance Spitzner, Director – SANS Security Awareness

9:00-9:20 am Introductions & Networking For the second day of the Summit, please sit at a new table so you can meet, network, and interact with a whole new group of peers.

9:20-9:50 am Keynote: Engaging Your CISO Having trouble explaining the value of awareness to your CISO or maintaining their support long term? Ever wonder what metrics they find the most useful or how to speak their language? Learn from a CISO’s perspective about what challenges they face, what they need from you and how you can best engage and support your leadership.

Dawn Cappelli, Rockwell Automation

9:50-10:20 am The Science of Security: The Psychological Impacts of Security Awareness Programs Security awareness professionals have been pushing training and awareness on information security best practices for some time now. Many companies have spent millions of dollars on computer-based and instructor-led training as well as awareness activities; however, few companies have really seen a behavioral change in their employees. Behavioral modification is hard, but not impossible. Once we realize that security awareness is a science, positive behavioral changes can take place, thus impacting the overall security posture of any organization.

This presentation will examine how security awareness programs that apply positive psychology principles – Engagement, Relationships, Meaning, Achievement, and Positive Emotions – can directly impact the security risk appetite, behaviors and overall culture of their organization and bring back the positivity in information security.

Shayla Treadwell, Discover Financial Services

10:20-10:40 am Networking Break Drinks and snacks will be served.

10:40-11:30 am Metrics Session In this exciting session, two presenters will get twenty minutes each to share their stories. We will then follow the session with ten minutes of Q&A where you can beat up the speakers with your questions.

• Using Metrics to Drive Cyber Security Decisions and Behaviors Kathi Bellotti, U.S. Venture

• Want people, funding, buy in? Speak Metrics! Julie Rinehart, CVS Health



DAY 02 | 11:30AM-3:50PM

11:30 am - 12:00 pm Partnering With and Leveraging Threat Intel Do you want to be able to ensure that your security awareness program addresses the top risks to your company and employees? You are most likely not alone: you work in the same organization as people whose job it is to understand what threats your company faces and to take action to respond or deploy preventative controls. Learn about the different cyber security functions and the value these relationships can provide to elevate your awareness programs. Lauren Clark will be focusing on cyber intelligence, incident response, and red teaming.

Lauren Clark, Thomson Reuters

12:00-1:00 pm NETWORKING LUNCHEON Lunch is served onsite to maximize interaction and networking among attendees. If you finish lunch early, take a moment to review the show-n-tell tables or sign up for an evening activity.

1:00-3:00 pm Workshop Pick and attend one of the two workshops below. Regardless of which workshop you select, all attendees receive a copy of all the slides and handouts for both workshops. Workshops are very different from talks: they are highly interactive, as you work in teams and learn from each other while guided by your instructors. The end goal of each workshop is for you to take back a plan and lessons learned you can implement the day you return to the office. NOTE: One of these workshops may switch with one of the workshops on Day 01 to ensure that the two most popular workshops are not on the same day together.

• Security Awareness Escape Rooms

Learn what a security awareness escape room is and how to build one, then compete in an actual escape with your peers, followed by labs where you work in teams to develop unique escapes for your own escape room – FedEx Security Team

Scott Fackler and Matthew House, FedEx

• Ambassador Programs

Learn from world experts on how to build a high-impact security ambassador program, followed by various hands-on labs where you create a plan to implement your own, customized ambassador program.

Cassie Clark, Salesforce and Jessica Chang, Dropbox


3:20-3:50 pm 24 Million Reasons You Should Care About GDPR The General Data Protection Regulation (GDPR) is the 800-pound gorilla when it comes to regulations and compliance, yet there is a huge amount of confusion and misunderstanding about what it is and how it applies to the world of security awareness. Learn what exactly GDPR is and how it applies to you and your awareness program. NOTE: We have invited a European expert to lead this talk, as Europeans have a different perspective on GDPR, and we feel it is vital that you understand the European perspective.

Dave Prendergast, BH Consulting



DAY 02 | 3:50PM-5:00PM

3:50-4:10 pm 2018 Security Awareness Report The 2018 Security Awareness Report analyzes the data submitted by 1,718 security awareness professionals from around the world to identify and benchmark how organizations are managing their human cyber security risk. Learn not only what the top challenges awareness programs face are, but how the most mature awareness programs overcome those challenges. Key takeaways include how many FTEs should be involved in your program, how to get and maintain leadership support, and key skills for success.

4:10-4:40 pm Managing Your Security Awareness Career I’m on my third program build at my third company. I’ve had anywhere from 3-6 manager changes at each company, often in less than three years. I’ve reported to people from the Director level to CIO and most recently GCISO. Learn how to keep your Security Awareness ship on course through different managers and how to manage your career in the process.

Janet Roberts, Zurich Insurance

4:40-4:50 pm Closing Table Discussions Each member of the table will share with everyone else one key learning from the day’s agenda, and plans for applying that takeaway to their program when they get home.

4:50-5:00 pm Closing Remarks




Security Culture Lead, Dropbox

Jessica Chang leads the global security culture program and key company initiatives in security at Dropbox. Over the past few years, she built and launched Dropbox’s security culture program as well as Trustober, a global celebration of safety, security, and trust held annually in October at Dropbox in conjunction with National Cyber Security Awareness Month. Prior to her work within security engagement and technical program management, Jessica was the Program Manager for Trust & Security at Dropbox. She holds degrees from Yale, the Juilliard School, and the Curtis Institute of Music, maintains a dual career as a professional musician, and is passionate about building communities through her work.


Global Security and Chief Information Security Officer, Rockwell Automation

Dawn leads the Global and Information Security (G&IS) team at Rockwell Automation. G&IS is responsible for protecting Rockwell Automation and its ecosystem of customers, suppliers, distributors, and partners from the ever-changing global threat landscape. She came to Rockwell in 2013 as Director, Insider Risk, and built the company’s Insider Risk Program. Before coming to Rockwell, Cappelli was Founder and Director of Carnegie Mellon’s CERT Insider Threat Center. She is recognized as one of the world’s leaders in insider threat mitigation, and has worked with government and industry leaders on national strategy issues. Cappelli is a Certified Information Systems Security Professional (CISSP), and she holds a BS in Computer Science and Mathematics from the University of Pittsburgh.


Senior Security Analyst, U.S. Venture

Kathi holds a B.S. Management degree from Cardinal Stritch University and has over 25 years of experience in business and IT. She has worked in manufacturing, analytics, and financial industries locally and globally. Presently she is a Senior Security Analyst at U.S. Venture. Prior to information security, she was in sales and marketing. In addition, she and her husband were small business owners for 10 years. Kathi is a founding member of Women in Technology, Wisconsin and played a key role in the development of the WIT4Girls pillar. She has done security training for NATP as well as various volunteer engagements for smaller businesses and schools. She is passionate about cyber security and helping everyone become more security aware. She has three children, two girls and a boy; 14, 11 and 9. Her interests outside of work are gardening, hockey, walking, reading, and anything that her kids want to do.




Summit Ambassador; Security Awareness Project Manager, FedEx

Cathy Click has more than 19 years of experience at FedEx with 17 years spent in IT and the last 11 years focused on Security Awareness for the corporation. Cathy began her career at FedEx developing printed manuals and materials for human resources, recruiting and operations. In 2016, Cathy was named as “One to Watch in Cyber Security” by the SANS Institute, for her leadership in the security awareness community. She has presented at the yearly SANS Awareness Summits on building successful security awareness programs. She is also a member of the SANS editorial board for their monthly “OUCH” newsletter and leads the sponsorship interaction for FedEx of the NCSA’s SMB program, CyberSecure My Business.


Security Community Manager, Salesforce

Cassie Clark engages employees through strategic partnership initiatives, educational programs, and an incentive-based approach to behavior change. She focuses on building community and infusing culture through her work. She is particularly proud of her use of outdated, nerdy pop culture references.


Senior Director of Cyber Intelligence, Thomson Reuters

Lauren Clark is responsible for integrating intel into the defense of the company, including tactical information for detection and strategic reporting. She previously worked for GE and drove critical programs for the cyber security operations organization. She has worked across multiple teams in cyber security including incident response, intelligence, technology platforms and pen testing.




Summit Ambassador; CISSP, CISM, CISA, National Cybersecurity Society

Tonia Dudley has held roles as the Director of Security Awareness for a financial services organization and previously managed the security awareness program for a Fortune 100 global manufacturing organization. Her diverse background has allowed her to change the perspective of running a security awareness program typically focused on compliance to one that drives behavioral changes and improves overall security culture. She has been recognized for her success in building a phishing simulation program with multiple awards. She recently joined the National Cybersecurity Society board, with a focus on assisting small businesses with building a cybersecurity program.


Sr. Cyber Security Analyst, FedEx

Scot has worked for FedEx since 2000 and has over 30 years in IT, with the last 25 specializing in IT asset management, data protection, authentication services, threat intelligence, CIRT management, data analytics, network control, security operations, investigative analysis, compliance adherence, and enterprise process refinement. He is married with 4 children and 5 grandchildren. As a veteran of the US Coast Guard, a Red Cross disaster volunteer, and an active member of Bikers Against Child Abuse, he spends his free time working to help and protect the innocent.


Summit Ambassador; Lead – Security Education and Awareness, Lockheed Martin

Cheryl has a passion for education and awareness, enhancing security culture across the corporation, and teaches several courses in the IA arena. The SANS Institute named Cheryl among its 2014 Difference Makers, and she received the Lockheed Martin Excellence in Leadership Award for solving complex challenges LM faces in cyber security.




Digital Forensics Analyst, Stillinger Investigations

Josh Huff is a Digital Forensics Analyst and licensed private investigator in Columbia, South Carolina. Josh’s cases have spanned the gamut of computer and mobile forensics, audio forensics and open source investigation to support his firm’s field investigators. Josh has invested much of his time networking with information security professionals in the area. As a result, he has become a speaker and co-organizer of Columbia’s InfoSec meetup, ColaSec. During his time with ColaSec, Josh organized a study group on Open Source Intelligence and an exploration of encrypted communications. The studies in OSINT led to conference speaking engagements around the country, and his casework has landed him in court as an expert witness in computer forensics. Josh blogs his OSINT research at


Senior Cyber Security Analyst, FedEx

Matt has worked in Information Security for eight years, beginning his journey with Data Protection initiatives before landing in his current position in the FedEx SOC. Matt enjoys sunny days, long walks on the beach, and complaining about users making poor cybersecurity decisions.


Senior Cyber Security Consultant, VioPoint

Jen Fox holds the DEF CON 23 Social Engineering Capture The Flag black badge. When she isn’t asking people for their passwords or gaining unauthorized access to secured areas, she provides awareness training, risk management and compliance services for clients.




Director – Security Awareness and Education, Thomson Reuters

Angela currently leads the enterprise-wide programs that raise awareness and educate employees, helping to ensure the security of Thomson Reuters assets and customer data. Because she believes culture is a leading indicator in keeping assets secure, Angela leverages her values and culture facilitation and collaboration skills to educate employees and change their behavior in order to reduce risk.


Enterprise Security Architect, SLAIT Consulting

Yvonne has a proven record of identifying and developing strategies to improve security and delivery of services to customers and end-users alike. Her areas of strength include Information Security Program Management, Vulnerability and Patch Management, Governance, Compliance and Audits, specifically with NIST, PCI, HIPAA and GLBA. As an information technology professional with proven security expertise, Yvonne is a results-driven technology expert with more than fifteen years’ experience in the information technology field supporting an enterprise organization in a geographically dispersed environment. She is a cyber security professional capable of developing compliance policies for large-scale organizations, with a passion for bringing security awareness to lay persons in a creative and interesting manner. She successfully creates, develops and implements interactive Security Awareness Campaigns utilizing multimedia formats to educate employees on their role in maintaining a secure environment.


Principal Cyber Security Specialist, Savannah River Remediation

Steve Lape has over 19 years of computer and computer security experience. His experience includes computer networking and network security. Steve regularly works with and is considered an expert in FDCC, FISMA, NRC, NSA and NIST standards. His experience also includes wireless security, penetration testing, developing security programs, policies & procedures, and conducting risk assessments. He is an industry leader, having recently developed a cyber security awareness training program that has been recognized by DOE as “Best in Class.”




Information Security Advisor, CVS Health

Having earned her Bachelor of Science degree in Business Administration and Management from Framingham State University, Julie Rinehart began her Information Security career in 2008 at EMC Corporation. In the End User Security Training role she established her first corporate phishing program. She joined CVS Health in 2015 as a Security Awareness Advisor and established a phishing simulation program in 2016, which she is currently augmenting based on its initial success. Julie has a passion for information security, and is driven by her curiosity and desire to understand how people think and behave.


Senior Security Consultant, BH Consulting

Dave originally hails from the north-east of England (the ‘original’ Washington CD not DC) but now lives in rural Ireland. Formerly CISO for DEPFA Bank, he’s now a Senior Security Consultant with BH Consulting. Despite his youthful appearance, he has worked in IT and security for over 30 years, long before it was re-branded cyber! His career history includes roles in security and operational risk at Ulster Bank, Allied Irish Banks (AIB), IBM, Diageo, and manufacturing, health service and local government organisations. Dave is passionate about the people side of information security – motivation and awareness – and the practical implementation of good risk management (along with associated disciplines, such as fraud prevention, GDPR / data protection, compliance, etc.). He is still very happy to be learning his trade.


Director, Culture of Security, Risk and Client Advocacy, CDK Global

Lisa has spent her career branding and marketing cars and trucks, software and data, and now security. She’s combined her passion for the automotive industry with a fervor for security awareness to help CDK, OEMs, and dealers manage their risk and grow their businesses securely. Lisa worked in marketing for Ford Motor Company in the US, Europe, Africa and the Middle East. She is currently the Director of the Client Security Advocacy Office for CDK’s Global Security Organization. Lisa graduated from the University of Michigan and currently lives in Austin, TX.




Co-founder, Elevate Security

Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, which delivers a behavioral-science-based platform that can measure, motivate, and enable employees on security behaviors that prevent breaches. Before Elevate, Masha Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma and SANS.


Head of Information Security Education, Bank of England

John is an established Information Technology trainer, with many years’ experience in Further and Higher Education and training in both the private and the public sector. He has been integral in the implementation of the Bank of England’s current security training programme, and is focused on the transition from passive compliance to active security.


Global Head of Security Awareness, Training & Education, Zurich Insurance

Janet Roberts joined Zurich Insurance in March 2015 as the Global Head of Security Awareness tasked with building the first security awareness program across Zurich, Zurich North America, and Farmers Insurance. Prior to Zurich, she built the first security awareness program for Progressive Insurance and re-designed the security awareness program at American Express. She holds a B.A. in Journalism from Temple University and an M.A. in Communications from Edinboro University of Pennsylvania. When Janet is not building security awareness programs, she’s writing and self-publishing novels. She loves ice cream, wine, yoga, traveling, hiking, and getting lost in a really good book.




Summit Chair & Director, SANS Securing The Human


Lance Spitzner has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and published three security books. Lance has worked and consulted in over 25 countries and helped over 350 organizations plan, maintain and measure their security awareness programs. In addition, Lance is a member of the Board of Directors for the National Cyber Security Alliance, frequent presenter, serial tweeter and works on numerous community security projects.


Field CTO (US East), RSA

With 25 years’ experience in the information security, networking and telecommunications industries, Ben regularly consults on RSA’s strategic vision relating to architecture and technical roadmaps for the company’s security and risk management solutions. His prior employers include UUNET, CSC, and the US Government, along with a string of technology-oriented startups. He holds industry certifications in the areas of information security (CISSP), risk management (CRISC), and privacy (CIPT), and has presented on RSA’s behalf, both domestically and internationally, at cybersecurity events sponsored by Gartner, FS-ISAC, IANS, CERT/SEI, ISSA, (ISC)2, ISACA, RMA, BSides, ASIS, InfraGard, HTCIA, ICI and other organizations.


Senior Manager, Information Security, Discover Financial Services

Shayla currently leads Discover Financial’s Business Information Security Office and Information Security Education & Awareness program. Throughout her experiences she has had the opportunity to wear multiple hats, yielding broad skills in training and development, people management, and project management. Shayla is a graduate of Bradley University with a B.S. in Marketing and Management and holds an M.S. in Organizational Leadership from Lewis University. Along with holding Information Security certifications and being a Six Sigma Green Belt, she is currently a Doctoral Candidate pursuing her Ph.D. in Business Psychology - Organizational Leadership from The Chicago School of Professional Psychology.