Featured Sessions
Hearts, Minds, and Actions: Counterintuitive Methods for Building Connection and Changing Behaviors
Security awareness leaders have it hard. We know that information alone doesn’t change behavior, but sharing information is still critical to the success of our programs. We also know that shaping security behaviors and influencing culture is critical… but those are fuzzy concepts. In this session, Perry Carpenter will share a number of counterintuitive insights he’s stumbled upon since writing his first book, “Transformational Security Awareness” back in 2019. He’ll discuss his most recent lessons learned about human connection, relationship building, empathetic engagement, behavior shaping, and more.
Lessons Learned from the Inside of the SolarWinds Attack
SolarWinds CISO Tim Brown will provide a moment-by-moment insider perspective of being the victim of an extremely sophisticated attack, sharing insights on public/private partnership when it really matters, and on how SolarWinds proved resilient at the end of the day.
Economic Espionage: Behavioral Study on Employee Reporting of Security Incidents
In 2020, MITRE behavioral psychologists conducted a sensitive behavioral experiment, the first of its kind, to derive a data-driven understanding of why employees do not report insider threat incidents. To accomplish this, we sent out a series of LinkedIn messages from a recruiter with ties to a foreign adversary to 300 random employees at a medium-sized company in the National Capital Region. Learn the results from this experiment, presented by Dr. Deanna Caputo, Chief Scientist for Insider Threat Research and Solutions at MITRE.
Lessons from Aviation: Building a Just Culture in Cybersecurity
Airlines don’t “do safety”; they are safe. This wasn’t always the case. By accepting that humans are fallible, and by building systems that anticipate both human error and poor individual risk decisions, the airline industry improved safety. Join John Elliot, Author, Pluralsight, to learn the key lesson from aviation’s experience, that culture is vital, and move from “doing security” to being secure.
Live! The CISO Series Podcast
David Spark will record a special LIVE show for his podcast, The CISO Series, with Hadas Cassorla, CISO, M1 and Chris Hatter, CISO, Nielsen.
Stop, Drop & Roll
If we catch fire, we are taught to STOP, DROP, and ROLL! But how many times have you caught on fire? The odds of a cyber incident are far greater than catching on fire, yet we make security awareness programs so difficult. Instead, they need to be easy, relatable, and retainable. This is where behavior truly is changed. This is what winning looks like in the security awareness world. Learn how to design your security awareness programs to be as easy as Stop, Drop, and Roll!
Cyber Rosetta Stone: Using Tabletops to Engage Executives in the Cyber Risk Conversation
The biggest barrier to the cyber risk discussion is the language we use to talk about cybersecurity. Tabletop exercises, when done right, can be the Rosetta Stone needed to translate the ones and zeros of security into the dollars and cents of financial and reputational losses. Join cybersecurity author and expert Mark Sangster as he identifies the pitfalls of tabletops and builds a simple framework to bring executives and security leaders to the table to collaborate, reduce business risk, and prepare for an inevitable cyber incident.
Scamming the Scammer
Over the last few months, researchers at Cofense have been trying to gain more insights into the world’s most lucrative cybercrime, Business Email Compromise. Business email compromise, often known simply as BEC or CEO Fraud, is when threat actors use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. Basically, BEC’s goal is to deceive people into thinking they have received a legitimate business-related email and convince them into doing something they believe is necessary to help the company.
How Phishing Simulation Training Fuels a Security-Aware Culture
Now more than ever, phishing simulation training plays an integral part in weaving cyber security best practices into your organization’s culture. Phishing and other cyber threats are becoming increasingly complex and commonplace, yet, according to a recent report published by Fortra’s Terranova Security and IPSOS, 1 in 5 U.S. employees don’t believe they can be targeted by a cyber attack. Join Terranova Security CISO Theo Zafirakos as he guides you through crucial data-driven insights that demonstrate the value of deploying real-world phishing simulations as part of your security awareness training program.
A calculated risk: combining science and data to change the way society thinks about the human aspect of cybersecurity.
Many of us exist to help our organizations manage human risk. (Well, maybe there’s more to life but you get the point). Yet we’ve still got a way to go to truly understand what that means, or convey our thoughts in a way that makes sense to decision makers.
The vast majority of organizations rely on digital technology to function. We know that good cybersecurity protects that ability to function and ensures organizations can exploit the opportunities that technology brings. In this light-hearted and informative talk, CybSafe’s CEO, Oz Alashe, explains how the evolving fusion of scientific research, data analysis and risk management is creating an opportunity for a new breed of security professional. It’s also ruffling a few feathers.
The world is changing rapidly. Join us to learn how and what this means for you as someone charged with helping your organisation manage risk and seize technological opportunities.
Why Human Risk Management is the Next Logical Step
Humans hold the key to securing organizations from breaches. Today’s threats require us to predict potential employee vulnerabilities, focus training and awareness where they have the biggest impact, and measure the impact on the organization’s risk index. We call this Human Risk Management (HRM). In this session, you’ll hear how Medtronic views HRM and its importance, how they’re preparing to implement it across their businesses and regions, and how they are evolving awareness around Ambassadors and Very Attacked People inside their organization.
Inclusion is a Requirement Not a Feature in Security Awareness
By designing for people with varying disabilities and cultural backgrounds, security learning teams can drive higher engagement and retention while ensuring availability anywhere, anytime. In this presentation, you will learn how to ensure your security awareness strategy is reflective of your audience to encourage them to routinely employ security best practices.
The Value of Security Education for Developers
Security Awareness continues to mature in most organizations, but is awareness enough for security-critical roles like developers? Is it time to move security training past simply being familiar with application security concepts to being educated and knowledgeable enough to avoid creating software vulnerabilities? Amy Baker of Security Journey will discuss the pros and cons of developer awareness vs education, how application security education can fit in your larger security awareness programs and how to prove out ROI and work with stakeholders across your organization to deliver safer software and build a secure culture.
The Science of Culture
Building a strong security culture is tough. But it doesn’t have to be. During this session we will discuss the hallmarks of a thriving security culture and how it can align and transform people from passive targets to proactive defenders. Karen Letain of Proofpoint will explore how to best baseline a security culture and then improve on it with the right mix of education, simulation and nudging.
Rebranding Awareness: How to Make a REAL Impact on Organizational Behavior and Culture
We all know there’s a difference between ‘knowing’ and ‘doing’ – focusing on ‘awareness’ alone simply doesn’t cut it anymore. But changing employee behavior requires modifying the awareness language, leaving the entertainment approach behind, and deploying a proven methodology that may add burden to already busy security teams. So what can Security Awareness leads do to make a REAL impact with minimal effort? Mike Polatsek, Co-founder and CSO at CybeReady, will share real-life examples and best practices that can turn your cybersecurity training efforts around.
Florida’s State-wide Critical Infrastructure Risk Assessment: What it means to you
The State of Florida has recently made a substantial investment in The Florida Center for Cybersecurity (Cyber Florida) to conduct a State-wide Cybersecurity Risk Assessment. The scope includes organizations of all sizes and across all 16 CI sectors, which means everyone in healthcare, energy, financial services, government, agriculture, etc. may participate. It is free, anonymous (except for your complimentary NIST CSF and Ransomware Readiness reporting), self-administered, and an opportunity to (again, anonymously) communicate your operational reality to the Governor and his team so they may make informed policy and investment decisions – which may include funding for training and other initiatives for those who participate!
Securing the Ecosystem: How To Extend a Security Awareness Program to Customers
The security landscape is constantly evolving, but this natural evolution was rapidly accelerated during the pandemic. Expanding attack surfaces resulting from a “work from anywhere” employment landscape, a rise in phishing and ransomware, and the role that humans play in these breaches are all contributing factors. Not only has the enterprise been impacted, but customers face increasingly difficult challenges securing their data as well. In this new normal, Security Awareness teams need to work to secure the whole ecosystem, not just the employee base.
Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Research Study
The goal of security awareness programs is to positively influence employee security behaviors. However, organizations in compliance-focused sectors may struggle to determine program effectiveness, often relying on training completion rates rather than measuring actual impact. In this presentation, we will describe the results of a multi-phased research study that, in part, sought to discover approaches and challenges to measuring security awareness program effectiveness within the U.S. government. Our results can aid security awareness professionals in developing impact-based measures of effectiveness and inform developers of security awareness guidance and other initiatives that can aid organizations inside and outside the government.
Keeping It Local, CISA Style
Did you know that there are hundreds of CISA security experts situated across the nation ready to assist businesses, nonprofits, and state and local governments reduce their risks and improve their resiliency? CISA’s cybersecurity and protective security advisors are the boots on the ground for the agency, working daily to help protect our nation’s critical infrastructure. Find out more about CISA’s security advisor programs and what types of services they provide right in your backyard.