Last week our Managing Director, Bruce Hallas, was invited by the SANS Institute to join them at the 4th SANS European Awareness Summit in London. He signed copies of his new book, Re-thinking the Human Factor, and gave a breakfast briefing where he shared key insights from the book.
There was quite a queue!
SANS European Security Awareness Summit
The SANS European Security Awareness Summit was in London on November 28-29, 2018 and was for anyone who is interested in security education and awareness training.
Whether you’re a compliance officer or security engineer, a CISO or an education and awareness manager, a cultural change officer or a training manager, there was something there for you. The 4th annual SANS European Security Awareness Summit aims to provide the very best forum for security awareness officers looking to take their program to the next level and it was certainly that.
SANS promise to provide actionable lessons you can take back and apply right away within your own organisation, with a focus on your industry, employee base, and current maturity level. The two-day summit included expert awareness-focused talks, interactive discussions and networking events, and this year our Managing Director, Bruce Hallas, was there.
It was a busy two days with lots of networking, some great talks and interesting discussions. Here are some of Bruce’s key take-aways from the event.
Education & Awareness is the younger sibling of nearly every other aspect of information security. As such the industry is young, tactically driven in a majority of cases and lacks the level of maturity we see elsewhere in the broader information security space.
This means that education and awareness is an exciting sector to be working in right now!
One theme dominated lots of conversations: how to build a compelling business case for investment in education and awareness. For many, this is considered a significant challenge. There was a collective feeling that the budget for education and awareness was too small.
The reasons for this were many but ultimately there is a gap between the value that the security professionals, the Board and employees place on it.
Metrics without a clear sense of objectives are better than nothing but they are vanity metrics. They show something is being done or at least monitored but whether this contributes to a broader set of meaningful strategic KPIs could be questioned.
Bruce asked six attendees whether they had a strategy for awareness, behaviour and culture. Five of them listed a range of tactical initiatives they have in place. From this, it’s clear that many of those responsible for education and awareness are failing to establish a link between strategy and tactics.
The need for innovation and creativity is much spoken about. However, innovation and creativity are often restricted in scope to the means by which organisations engage and communicate with employees. If we’re to develop a more mature approach to the challenge of the human factor we need to get creative and innovate much more broadly.
There are some voices who bitterly complain about Boards and employees “not getting it” or failing to “do anything” or “failing to take it seriously”. Whilst it’s naturally tempting to put the blame at someone else’s doorstep, we need to ask what it is that we may be doing, or not doing, that’s failing to bring about change. We have some responsibility in this too, and the sooner we accept that, the sooner we can bring about positive change.