What I Learned at the SANS Security Awareness Summit

Each year for the past 4 years I've made the trek to a new city to join my fellow security awareness nerds, and sometimes to present to them, about what's going on in the security awareness industry. It's a great networking event, sometimes called a 2-day venting session, as we share problems and issues with our programs as well as successes and new ways to approach old problems.

This is a community of security awareness professionals, engaged CISOs, and even some communications roles. We all come together to learn as one bigass, slightly dysfunctional family. It's beautiful.

This year was the biggest event yet, with nearly 350 attendees migrating to Charleston, SC.

I was fortunate enough to meet several of our customers and hear inspiring stories of how they've been using the videos, the engagement they're getting from their employees and coworkers, and most importantly, just to listen to problems and help provide guidance to those attending for the first time.

Here is a breakdown of what I learned this year.

People are begging for funny videos.

I swear, this is not some click-baity attempt to sell our videos. Three separate speakers highlighted how important funny, well-produced videos are for engaging your coworkers. I don't wanna say #Itoldyouso but there's a reason why I formed Habitu8, and that was because I wanted short, funny, intelligent videos when I was running the programs for Disney and Sony Pictures. There wasn't anything worthwhile, so we made them ourselves.

ANYWAY, back to the point here which is: Companies want videos. They see the value in using funny videos to connect with their coworkers and engage them about cyber risks.

SANS Security Awareness Summit does a Video Wars event each year as well, where companies can submit their own funny videos that they've created and the group judges them. (Sidenote: Video Wars started after I brought the videos I was making at Disney to share with the group.) This year there were more than 13 entries and for real, I was impressed. They almost all had an element of humor to them - and whether they were small budget or big budget, they were all authentic. It was really awesome to see companies acknowledging the power of storytelling.

Haven't checked out our videos yet? Come on, do a test with your users and see what they say about them. Our demo is here. 

Companies are digging the behavioral science stuff.

I got hooked on this years ago, so this year was awesome to hear all the convos discussing the focus on behavior change, and the use of behavioral psychology and neuroscience to influence positive behaviors in our programs.

There were at least two speakers who focused their entire presentation on introducing the concept to the group. It's called Security Awareness 2.0, and the idea is to approach it from the angle of focusing on the user experience and understanding how people are motivated to make certain decisions.

It was really clear that the companies and security awareness programs that are placing behavioral psychology and neuroscience techniques at the forefront of their programs are the leaders in the space and are having the largest impact on changing people's behavior. Kudos there. It's very exciting to see the adoption in the industry!

Unsure where to start? A great book to intro the topic is Made to Stick by Chip & Dan Heath.

Security awareness professionals want guidance.

The summit brings together a vast range of experience in security awareness roles and of the practitioners themselves. When I first attended I was soaking up as much info as I could from my fellow awareness peeps; the event was overwhelming with the amount of knowledge sharing. I'm proud to now be able to share my own thoughts and experiences with others attending; it keeps me going to help others.

There are some workshops during the event that allow seasoned awareness veterans to share their tips and tricks on how to approach specific initiatives. What was cool about this was to see the desire from those in the space to be provided insight and knowledge from their peers. I think this is such a critical part of this young industry. Knowledge sharing. 

There wasn't a conversation or networking break where I didn't hear people sharing advice and guidance. Referring people to other people saying "oh, you need to talk to..." 

All of these things and this special community that Lance has brought together inspire me and our mission with Habitu8 to provide experiential guidance, tips, and resources to the community. I think that together we can be better and stronger. It is why we launched Habitu8's Mentoring Program, where interested companies can sign up (for free) for a couple hours of mentoring on security awareness programs. I do the calls weekly and it literally makes my heart want to explode connecting with others, helping programs mature, and even just shooting the sh*t for a bit.

I'm already looking forward to next year's Security Awareness Summit, which appears to be in San Diego...how convenient...

Jason Hoenich