SECURING THE HUMAN ENDPOINT 6-7 DEC SANS European Security Awareness Summit 2017 London 6th – 7th December, 2017 Chairman: Lance Spitzner #SecAwareSummit @SecureTheHuman securingthehuman.sans.org [email protected]


Event Rules

To encourage honest and open dialogue amongst attendees, this event follows the Chatham House Rules. This means you are free to share what you learn with others; however, you cannot attribute the source. The only exception is the speakers: you are free to attribute speakers unless they state otherwise. More about Chatham House Rules at www.chathamhouse.org/about/chatham-house-rule

Speaker Q&A

For this year we are adding time after every talk for you to ask the speakers questions. In addition, we are adding time for you to discuss with members at your table one thing you learned from each talk.

Video Wars

Volunteers get to show 3 minutes of a security awareness video they developed for their security awareness programs. Attendees will then vote on and select their favorite videos. The winners will be awarded the coveted SANS Securing The Human security awareness coin. If you want to submit a video for Video Wars, you must submit your video to [email protected] by Thr, 24 November in .mov, .mp4 or .wmv format or via Vimeo/YouTube link. No submissions will be accepted after that date. We can accept up to 13 video submissions, first come first served.

Event Notes

All presentations will be available online following the Summit at https://securingthehuman.sans.org/resources/summit-archives


Show-n-Tell

Back by popular demand, this event is a creative and interactive way for attendees to generate new ideas for their own security awareness programs. Attendees bring and display materials (posters, stuffed animals, give away items, handouts, etc.) they’ve developed for their security awareness programs, and share how they created the materials and their impact. Grab a cup of coffee, browse the wares, take some snapshots, and get ready to take your awareness program to the next level. If you want to share your own materials, there is no prior registration or coordination required; just bring whatever you would like to show from your own program. We will provide you with a table, you provide the rest. You are welcome to set up your materials the night before the summit, during early morning registration or during the first break. We have a separate room dedicated just for Show-n-Tell. You are welcome to leave your materials during the whole event including overnight; however, we recommend you do not leave anything highly valuable such as electronics. Please be prepared to provide any vendor related information in case other attendees want to do what you did.

Event Badges

One of our goals is to maximize your ability to meet and network with other attendees. That is why when you pick up your badge during registration, be sure to select the industry sticker(s) that apply to your organization and stick them on your badge. This way you can easily identify others in the same industry as you, and vice-versa. In addition, we have colored stickers to represent the size of your organization so you can easily spot others of the same organizational size as you. Finally, we will be providing red Sharpie markers at every table; use the red markers to write on your badge any topic you are passionate about or hoping to learn more about.


Pre-Summit Meet and Greet - Tuesday 5 December, 6:00 - 8:00pm
In the Penthouse at the Grand Connaught Rooms - drinks include mulled wine.

This optional session offers the opportunity to meet and network with your fellow attendees the night before the Summit kicks off. We highly recommend you attend if possible. This is an amazingly friendly group.

WED 6 DEC, 8:00–10:40 AM

8:00 – 8:45 am
Registration & Coffee

8:45 – 9:00 am
Welcome, Introductions & Rules of Engagement
• Lance Spitzner @lspitzner, Director - SANS Security Awareness

9:00 – 9:20 am
Networking & Introductions
We know that the conversations among peers and the connections forged during these events are just as valuable as the talks. Kick off your day by getting to know the other attendees seated at your table and begin fostering those meaningful connections and exchanging ideas right away. Not sure what to say? Start off by introducing yourself with your name, organization/industry, size of your organization, what you hope to get out of the summit, and why you are attending the event. If you’re lucky enough to be attending with colleagues from your organization, consider splitting up for the most benefit.

9:20 – 10:00 am
Jessica is going to surprise with something fun, she promised
• Dr. Jessica Barker, Co-founder, Redacted Firm

10:00 – 10:40 am
Measuring Your Security Culture
The talk will demonstrate how security culture can be measured in both a quantitative and qualitative manner. The talk will highlight how organisations must go further than just sending ‘phishing emails’ to measure their security culture. The talk will specifically highlight to the audience:
• Why a ‘to be state’ is vital in any measurement which is to be carried out
• How to structure a focus group and how to analyse the large amount of data which will come out of a focus group
• How questionnaires can be useful when they are testing the security culture and NOT an employee’s security awareness
• How a final ‘figure’ can be obtained when measuring security culture
• Pitfalls of both a qualitative and quantitative approach in industry (NOT theory) including use cases
• How a report can be structured to demonstrate the output of your measurement

• Lushin Premji, Global Security Culture & Awareness Manager, Thomson Reuters


WED 6 DEC, 10:40 AM–3:00 PM

10:40 – 11:00 am
Networking Break - Drinks and snacks will be served

11:00 am – 12:20 pm
Security Awareness Escape Room Workshop
The security awareness team from FedEx will share how they created and executed security awareness escape rooms in their organization. They will then challenge each table to its own escape room. After the challenge they will walk you through how to create your own Security Awareness Escape Room back at your organization.
• Matt House - Information Security: FedEx
• Scott Fachler - Information Security: FedEx

12:10 – 1:20 pm
Networking Luncheon
Lunch is served onsite to maximize interaction and networking among attendees. If you finish lunch early, take a moment to review the show-n-tell tables or sign up for an evening activity.

1:20 – 2:00 pm
A Sociotechnical Approach to Cyber Security
A senior researcher from the NCSC will discuss the organisation's journey to becoming the UK's national authority in cyber security, and its vision to make the UK the safest place to live and do business online. A key part of the NCSC's success has been the importance it has given to the human aspects of cyber security: this talk will explore the activities and research ambitions of the NCSC's Sociotechnical Security Group, how the NCSC can help you and how you can make the most of our resources.
• Senior Researcher, UK National Cyber Security Centre

2:00 – 3:00 pm
Gaming / Interaction Talks
In this session, three presenters will get twenty minutes – and only twenty minutes each – to share their stories and lessons learned on gamifying their awareness program through interactive challenges and events.
• Gautier Bugeon, Incident Manager & Security Analyst, Michelin CERT
  Security Awareness Card Game?
• Daria Catalui, Cyber Security Awareness & Training, European Commission
  Develop and Run “Cyber Ready” Game
• Veerle Peeters, Technology Consulting Manager, PwC
  Leadership engagement through gamification


WED 6 DEC, 3:00–5:00 PM

3:00 – 3:20 pm
Networking Break

3:20 – 4:30 pm
Security Awareness Video Wars
Volunteers get to show 3 minutes of a security awareness video they developed for their security awareness programs. Attendees will then vote on and select their favorite videos. The winners will be awarded the coveted SANS Securing The Human security awareness coin. If you want to submit a video for Video Wars, you must submit your video to [email protected] by Thr, 24 November in .mov, .mp4 or .wmv format or via Vimeo/YouTube link. No submissions will be accepted after that date. We can accept up to 13 video submissions, first come first served.

4:30 – 4:50 pm
Table Closing Discussion
Each member of the table will share with everyone else one key learning from the day’s agenda, and plans for applying that takeaway to their program when they get home.

4:50 – 5:00 pm
Closing Remarks

SOCIAL EVENTS AND INFORMAL NETWORKING
NETWORKING ACTIVITIES ARE AFTER EACH DAY OF THE SUMMIT. SEE WWW.SANSEMEA.ORG FOR INFORMATION AND DISCOUNTS.


THU 7 DEC, 8:45–10:40 AM

8:45 – 9:00 am
Day 2 Kick-off and Coordination Items
• Lance Spitzner @lspitzner, Director - SANS Security Awareness

9:00 – 9:20 am
Introductions & Networking
For the second day of the Summit, please sit at a new table so you can meet, network, and interact with a whole new group of peers.

9:20 – 10:40 am
Two Track Workshop
Two different workshops at the same time. Pick the workshop that best fits your needs. Track #1 was designed for security awareness programs that are just starting or lower on the Security Awareness Maturity Model. Track #2 was designed for more mature awareness programs.

TRACK #1: Building an Enterprise Wide Phishing Program
Phishing programs have become a popular and effective way not only to measure phishing risk, but also to train people and change their behavior around phishing. Learn in this workshop how to build a phishing program from the ground up, including gaining leadership support, deciding who to phish and how, and how to effectively communicate the phishing program.
• Gavin Duffy, Global Head of Cyber Training & Awareness - Diageo

TRACK #2: Building an Enterprise Wide Ambassador Program
Ambassador programs are one of the fastest growing and most effective methods organizations are using to scale their awareness capabilities, engage employees and change behavior. In this special session, we’ll have awareness officers from two different organizations (Salesforce and Dropbox) share their lessons learned in building their awareness programs. They will then provide interactive labs to help you plan your own ambassador program.
• Cassie Clark, Security Community Senior Representative, Salesforce
• Jessica Chang, Security Culture Lead, Dropbox


THU 7 DEC, 10:40 AM–2:20 PM

10:40 – 11:00 am
Networking Break

11:00 am – 11:40 pm
Getting Buy in from the Board - how to talk to your senior leaders about security
To change the security culture of your organisation, you need buy in from the top. But many boards won't necessarily have a cyber expert to hand to help inform their decisions. So how do you help them learn what they need to know? In this talk Joanna Place, Chief Operating Officer of the Bank of England, will discuss:
• How boards work
• What the board wants to know about cyber security
• How to get your message in front of the board in language they’ll appreciate
• Joanna Place, Deputy Governor, Bank of England

11:40 am – 12:20 pm
Security Awareness & GDPR
• Brian Honan, Owner & CEO, BH Consulting

12:20 – 1:20 pm
Networking Luncheon

1:20 – 2:20 pm
Lightning Talks
In this exciting hour, five presenters will get ten minutes – and only ten minutes – each to share their stories and lessons learned. We will then follow the session with ten minutes of Q&A where you can beat up the speakers with your questions. This format jams tons of information into a short period of time. Don’t blink!
• ‘Surprising Skills and Hindering Habits for the Security Awareness professional’
  Louise Cockburn, Information Security Awareness Manager, Burberry
• ‘How to Build a Community for Security Awareness Professionals’
  Martine van de Merwe, Trainer, Privacy Lab and Chris Karelse, Senior Prevention, ABN Amro Bank
• ‘How Not to Be a Techie in the World of Security Awareness’
  Sue Wade, Product Owner & Security Awareness, Booking.com
• ‘Turn Sceptics to Advocates’
  David Porter, Head of Innovation, Information Security Division, Bank Of England
• ‘Every touchpoint matters: Make it Sticky’
  Marilise de Villiers, Director, Delivery Information, Information Security Forum Ltd


THU 7 DEC, 2:20–3:00 PM

2:20 – 3:00 pm
International Security Awareness Programmes
What works at home, will probably not work abroad… But how can you design international security awareness programmes? Do you need to have different security awareness programmes for each country? Or is it possible to transfer main parts without adjusting anything? Which aspects do you need to consider? The target of my presentation is to emphasise that you can improve the impact of your security awareness programme by considering intercultural differences. There is a framework, which measures the intercultural differences (the GLOBE study) and which can be used to check on the differences that cultures have. Within my presentation, I will shortly introduce this framework to stress how it can be used to improve international security awareness programmes. I will present the main dimensions, in which cultures differ in regards of security awareness: communication style, uncertainty avoidance, and collectivism vs individualism. Afterwards, I will explain how various elements of a security awareness programme are influenced by these intercultural differences and what this means in terms of the design of an international security awareness programme.
• Angela Baudach, Security Awareness Consultant, DXC Technology

3:00 – 3:20 pm
Networking Break

3:20 – 4:00 pm
Offensive Security – Changing Behavior by Teaching How to Hack
Many say, “humans are the weakest link in the chain” or other such commentary that places blame on users, in my opinion that simply isn’t true. In this talk David and I will cover how we decided that humans can be, instead, the greatest asset in our Cyber Defence Team.

In the past year we took the approach of offensive security training – taking non-technical users and training them on how to hack. This approach, red team exercise, allowed us to demystify our systems and increase awareness. Measuring specific metrics we were able to confirm not only did this give us a high success rate, but also brought excitement to learn more – both at work and in the personal lives of our colleagues. Starting out we did not have budget or understanding from high up, so we did what we do best, brought the risk closer to home. Engaging partners and leadership in table top exercises, this clarified our approach and gave much needed buy in and a small budget to continue sharing with the rest of the firm. In this talk we will cover how we created this programme, what supporting requirements were involved, how we were able to get company sign off, and retaining user acceptance by implementing an incentives programme based on gamification principles.
• David Prince, Cyber Security Director, Baringa Partners


THU 7 DEC, 4:00–5:00 PM

4:00 – 4:30 pm
Show-n-Tell Winners Announced
Winners of the show-n-tell event will be announced. The winners will present on their materials, how they came up with and implemented the winning ideas, and the impact on security awareness as a result.

4:30 – 4:50 pm
Closing Table Discussions
Each member of the table will share with everyone else one key learning from the day’s agenda, and plans for applying that takeaway to their program when they get home.

4:50 – 5:00 pm
Closing Remarks

BIOGRAPHIES

ANGELA BAUDACH @DXCTechnology

Security Awareness Consultant – DXC Technology

Angela is a security awareness consultant at DXC.technology. She supports various international customers in building their awareness programmes, starting with an investigation, development of measures, implementation, and evaluation as an ongoing process. Thereby, she is always experiencing the importance of intercultural aspects and how to deal with them. Already during her studies, Angela was highly interested in Security Awareness and intercultural aspects. Thus, she wrote her thesis about international security awareness programmes. Within the thesis she investigated the influence of national culture on the design of security awareness programmes in regards to different security awareness measures. Her thesis was awarded twice: By the Competence Center for Applied Security Technology and by Deutsche Telekom AG.

BRIAN HONAN @BrianHonan

Ireland’s Tallest Leprechaun

Known to be the type of man other men aspire to be and that women dream to be with, Brian is recognised as one of the sexiest information security professionals. His good looks are only slightly eclipsed by his intellect and modesty. After a successful career as a body double for Brad Pitt, Tom Cruise, and Chris Hemsworth, Brian briefly worked in developing nations rescuing orphans. Now as a security professional Brian provides his insights to his client base. Brian's claim to fame is being Ireland's tallest leprechaun.

CASSIE CLARK @cassomatic

Security Community Manager, Salesforce

Cassie Clark is a security community manager for developers and engineers at Salesforce. She encourages secure coding at Salesforce by engaging developers through strategic partnership initiatives, education, and an incentive-based approach to behavior change. She focuses on building community and infusing culture through her work. She is particularly proud of her use of outdated, nerdy pop culture references.


CHRIS KARELSE

Security & Intelligence – ABN AMRO Bank

Chris Karelse is passionate about the human, soft tech part in security. This passion brought Chris to develop multiple courses on security awareness and the human factor in security for various academies and organizations. Chris has been evaluated multiple times as best teacher. Chris previously worked as a senior training consultant and change manager. Since 2014 Chris has been working in the Security & Intelligence department of ABN AMRO Bank. Chris is founder of the Dutch security awareness community Security Awareness NL (over 400 members and counting). Chris received the award Security Culture Person of the Year 2017.

DARIA CATALUI @DariaC

Cyber Awareness coordination - European Commission

Daria Catalui is a passionate learner and cyber awareness professional. Currently she is enrolled in a PhD programme at Lancaster University in Technology Enhanced Learning and at the same time working full time in cyber awareness coordination for the European Commission in Brussels. Previously, in her ENISA years, she coordinated the European Cyber Security Month scale-up from 7 pilot countries to a fully fledged 32 countries, designed and deployed e-learning like the NIS quiz or the NIS educational map, and set up the group for a pan-European CTF or challenge. Having founded a youth NGO in her home country at the Danube River, she promotes daily peer to peer learning and participation in youth activities.

DAVID PORTER

Head of Innovation, Information Security Division, Bank Of England

David Porter has over 25 years of experience in computer security and risk management. Originally an artificial intelligence researcher, he has worked in fraud and money laundering detection, information security, incident response, accident investigation and threat intelligence. At the Bank of England he worked on the development of the CBEST security assurance framework and is now responsible for security strategy and innovation. David holds an MSc in Advanced Methods in Computer Science and is a Certified Fraud Examiner. His book contributions include Analysis for Knowledge-Based Systems, A Practitioner’s Guide to International Money Laundering Law and Regulation, Corporate Fraud, Handbook of Research on Information Security and Terror in the Tunnels.


DAVID PRINCE

Baringa Partners

David Prince is a deeply passionate cyber security expert, who takes a human focused approach to minimising risks. David has considerable experience and demonstrated success in designing and delivering cyber and information security strategies for a variety of businesses and private clients. David has achieved this through: improving response capabilities to emerging and live data loss incidents and crises, building better secure culture and ambassador programmes. David has gained significant experience as an in-house cyber and information security leader as well as a trusted advisor and consultant. David has hosted many cyber security training sessions and events, and often speaks at conferences surrounding human focused security.

GAUTIER BUGEON @CeladSsii

Incident Manager and Security Analyst - Michelin CERT

Gautier Bugeon is an Incident Manager and Security Analyst for the Michelin CERT. He has extended knowledge on network security thanks to his past experience. Besides the CERT incident response, he’s also working a lot on the elaboration of SOC use cases and awareness for his end-users. Last but not least, Gautier is SANS 408 certified.

GAVIN DUFFY @gavinkerrduffy

Global Head of Cyber Training & Awareness - Diageo

Currently Global Head of Cyber Training & Awareness at Diageo, the world's leading premium drinks company. Gavin is responsible for spearheading a shift in information security awareness & behaviour across the organisation. Most recently he has established global cyber security eLearning curricula and simulated phishing awareness campaigns for Diageo's global markets. He has a keen interest in all things information security, in particular the social, behavioural and psychological impacts of and reactions to technology.


JESSICA BARKER @drjessicabarker

Redacted Firm

Dr Jessica Barker is a leader in the human nature of cyber security. Equipped with years of experience running her own consultancy, she recently co-founded Redacted Firm. Her consultancy experience, technical knowledge and sociology background give her unique insight, and she has a talent for translating technical messages to a non-technical audience. Jessica delivers thought-provoking and engaging presentations across the world. She also frequently appears on the BBC, Sky News, Channel 4 News, Channel 5 News, Radio 4’s Today programme, Radio 2’s Jeremy Vine show and more. She has been published in the Sunday Times and the Guardian, and frequently in industry press. She is regularly commissioned to write cyber security blog posts, and runs the website www.cyber.uk.

JESSICA CHANG @jessicatchang

Security Culture Lead – Dropbox

Jessica Chang is the Security Culture Lead at Dropbox, where she manages the global security engagement program and key company initiatives in trust, security, and privacy. In 2016 she built and launched Dropbox’s security culture program in conjunction with National Cyber Security Awareness Month. Prior to her work within security engagement, Jessica was the Program Manager for Trust & Security at Dropbox. She holds degrees from Yale, the Juilliard School, and the Curtis Institute of Music, maintains a dual career as a professional musician, and is passionate about building communities through her work.

JOANNA PLACE @bankofengland

Deputy Governor, Bank of England

Joanna was appointed the Bank of England’s Chief Operating Officer in July 2017 and previously was the Executive Director of Human Resources. Joanna has spent most of her career at the Bank, which has included a secondment to the Border Agency. Joanna currently has responsibility for the day to day management of the Bank including Finance, Technology, Information and Physical Security, Human Resources, Property and Procurement. Joanna is a Fellow of the CIPD; an Independent Director, Chartered Institute for Securities & Investment; a Trustee of Blind in Business; and a School Governor. Interests include walking, running and swimming.


LOUISE COCKBURN

Information Security Manager at Burberry

I am the Information Security Awareness Manager for Burberry. Like many I’ve come from an IT background (I’ve spent the past 13 years working in IT - service desk, and then moving into networks and security), but my background is in art, language and psychology (which are weirdly useful in the Information Security awareness industry) and in previous iterations, I have been a snowboard instructor, a makeup artist and a bar manager.

LUSHIN PREMJI @LushinP

Global Security Culture & Awareness Manager, Thomson Reuters

Lushin currently manages Thomson Reuters’ global information security culture and awareness program which spans over 150 countries. His responsibilities include diagnosing the information security culture and implementing strategic as well as appropriate (fun!) tactical solutions to change behaviour from boardroom to basement. Before taking his role at Thomson Reuters, Lushin was a founder of the award winning cyber security culture and awareness capability at PricewaterhouseCoopers. Here, working with different clients across different industries he was able to build information security centric workforces.

Lushin has had publications in magazines such as ICAEW which complements his more formal security qualifications. He prides himself in not being a 'technical born' security practitioner which allows him to think differently.

MARILISE DE VILLIERS @marilise77

Director, Delivery Information, Information Security Forum Ltd

Marilise is a seasoned People & Change leader with a broad base of business and technical skills. Over the past decade, she has been combining her finance and audit background (as a chartered accountant) with her passion for people, to design and deliver global training and employee engagement programmes across a broad range of industries and functions (e.g. finance, internal audit and IT). Five years ago, a conversation with a colleague sparked her interest in the human aspects of cyber security and she’s been devoting much of her time to this important topic ever since. In 2014 Marilise authored the ISF report From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, followed by the design and implementation of an award-winning cyber security awareness and cultural change programme for an aviation business.


MARTINE VAN DE MERWE @privacylab

Privacy Lab

Martine van de Merwe believes privacy is essential to freedom. People are key to ensuring privacy. In 2014 Martine decided to focus on information security culture in healthcare and started PrivacyLab: “Care for privacy. Privacy for healthcare.” With years of experience in IT advisory and IT auditing Martine knows what she is talking about. She developed the PrivacyLab framework for privacy culture and awareness with six phases to help healthcare organizations to work effectively on an information security culture. Martine is a co-founder of the Dutch security awareness community Security Awareness NL (over 400 members and counting). Martine has been named a security awareness leader by SANS and received the award Security Culture Person of the Year 2017.

SCOT FACKLER

Technical Advisor, FedEx Information Security

Scot has worked for FedEx since 2000 and has over 30 years in IT with the last 25 specializing in IT asset management, data protection, authentication services, threat intelligence, CIRT management, data analytics, network control, security operations, investigative analysis, compliance adherence, and enterprise process refinement. He is married with 4 children and 5 grandchildren. As a veteran of the US Coast Guard, Red Cross disaster volunteer, and active member of Bikers Against Child Abuse, he spends his free time working to help and protect the innocent.

SUE WADE

Product Owner, Security Awareness, Communication and Training - Booking.com

I have spent the last 20 years of my working life swinging between two very different career paths - being a teacher and coach, and managing people within the IT sector. I have been part of the Booking.com adventure since March 2015 and since August 2016 have been in my current role where these two different career paths intersect into one of the most challenging, rewarding and inspiring jobs I have ever had. Attending the “Securing the Human” training in London last year made the final link between the two disciplines and I left with a head buzzing with ideas and the tools to clearly articulate the needs of my team and the purpose and benefit to having a full time focus on security awareness. When I am not busy with all things security, I enjoy spending time outdoors, swimming and cooking.


VEERLE PEETERS @PwC

Manager at PwC – Technology Consulting

As manager at PwC’s Technology Consulting practice, Veerle helps clients on the steps they can take to keep their business safe. Her expertise lies in the human side of information security, helping clients manage sustainable performance through security awareness transformation projects. Veerle helps them to understand the maturity level of their security culture and to turn their desired security mind-set from aspirations into the way people actually behave in relation to security risks. Next to her daily work, Veerle has been invited as guest speaker and lecturer at several events talking about Behavioural & Cultural Governance and how organisational culture can be used as a preventive measure in the fight against both insider and external threats. As a graduated criminologist, Veerle was part of PwC’s Forensics practice for ten years before joining the Cyber team last year.
