Lance Spitzner

Director, SANS Institute

Mr. Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He has helped develop and implement numerous multi-cultural security awareness programs around the world for organizations as small as 50 employees and as large as 100,000. He invented and developed the concept of honeynets, is the author of several books, and has published over thirty security whitepapers. Mr. Spitzner started his security career with Sun Microsystems as a senior security architect, helping secure Sun's customers around the world. He is founder of the Honeynet Project, an international, non-profit security research organization that captures, analyzes, and shares information on cyber threats at no cost to the public. Mr. Spitzner has spoken to and worked with numerous organizations, including the NSA, FIRST, the Pentagon, the FBI Academy, the President's Telecommunications Advisory Committee, MS-ISAC, the Navy War College, the British CESG, the Department of Justice, and the Monetary Authority of Singapore. He has consulted around the world, working and presenting in over 20 countries on six different continents. His work has been documented in the media through outlets such as CNN, BBC, NPR, and The Wall Street Journal. He serves on the Distinguished Review Board for the Air Force Institute of Technology, the Technical Review Board for CCIED, and the Information Assurance Curriculum Advisory Board at DePaul University. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois-Chicago. Currently, Lance is a certified instructor for the SANS Institute.
News mentions
Event offers practical & theory sessions by teams working inside leading European organizations

SANS has announced the speakers and agenda for the upcoming European Security Awareness Summit in London this July, offering a blend of practical and theoretical sessions delivered by teams working inside leading European organizations. “We have taken a different approach this year to increase the level of peer discussion by theming our groups around different subject matter areas and less on vertical markets,” explains Lance Spitzner, training director at SANS Securing The Human Program. “This is based on feedback from our last event and reflects the notion that security and awareness challenges transcend industries and the experience and insights gained by a manufacturer, industry regulator or financial services organizations are valuable across the board.” The speaker line-up includes representatives from the Bank of England, Lockheed Martin, University College London, Diageo and ENISA across 7 sessions, alongside an extended networking luncheon and additional peer-networking breaks.

Summit Will Allow Attendees To Gain Insights

“The audience has also grown significantly,” says Spitzner. “Alongside InfoSec professionals, our early registrations are showing delegates from compliance and audit, human resources and communications backgrounds who are increasingly tasked with information security awareness and policy management roles – the summit will allow these attendees to gain real insights from both academic experts and peers with similar roles.” The hands-on nature of many of the sessions is typified by John Haren, Head of Information Security Governance, Risk & Compliance for Diageo. With 16 years within the company across a variety of roles and the last 4 spent in the information security area, John will discuss the ongoing work to create a network of “security champions” across one of the world’s largest drinks companies.

“I feel this is an important topic because budgets are continually being squeezed and central Information Security teams, particularly in global organizations, have fewer resources (both people and financial) as a result,” says Haren. “It is vital that we use extended teams to help get our critical messages out there – and we can do this because there is a pull from those teams both to help their own parts of the business and their colleagues but also from interested individuals who find Information Security fascinating.”

Summit Includes SANS MGT433 Program Taught By Spitzner

The one-day summit follows the two-day training course, the SANS MGT433 Program, taught by Spitzner. “To reduce human risk you need to change people’s behaviors, and to change people’s behavior you need a well-planned, high-impact security awareness program. Far too often organizations have a security awareness program, but the program is immature, designed only for compliance purposes to meet a certain standard. To truly change human behavior, you need a mature security awareness program that has the support of your management and answers the key questions of who, what and how,” Spitzner adds.
The report found the top two challenges are employee engagement and lack of support from senior management

Ahead of SANS Secure Europe 2015, the region’s largest annual InfoSec training event, Lance Spitzner, Director, SANS Institute, suggests that the recent 2015 Security Awareness Report highlights that security awareness programs are still in their infancy and many lack the soft skills needed to ensure successful implementation.

Need for communication and an understanding of human behavior

“In many cases, the wrong people are leading security awareness programs or lack the training they need to be successful,” says Spitzner, an internationally recognized leader in the field of cyber threat research and security training and awareness. “The majority are from highly technical backgrounds and lack skills such as communication and an understanding of human behavior.” More than 75% of the awareness programs surveyed are run by people with highly technical backgrounds, such as IT admins or security analysts, but with little experience in softer skills, such as communications, change management, learning theory or human behavior. In addition, people limited to just technical backgrounds may be prone to view security strictly from a technical perspective. “There is a role for IT and for other stakeholders such as auditors but they should contribute to the definition of sensible policies. Organizations need to invest in and train their security awareness officers on the softer skills required for any security awareness program, or provide them access to the people who can deliver those diverse skills.” Another key finding was that awareness programs are still immature. “We found that half of the organizations surveyed currently do not have an awareness program or have an immature program that is solely focused on compliance. Only 5% of respondents felt that they had a highly mature awareness program that not only was actively changing behavior and culture, but also had the metrics to prove it.”

SANS Institute survey

The survey was conducted last October by the SANS Institute during National Cyber Security Awareness Month and included approximately 225 respondents, with analysis carried out by Bob Rudis of the Verizon DBIR team and validated by community reviews including experts at Charles Schwab, Cisco Systems and Cyber Risk Aware, amongst others. The report found the top two challenges facing security awareness officers are employee engagement and lack of support from senior management. “They need to understand that their organization cannot effectively mitigate risk if security is treated only as a technical issue; the human issue must be addressed also,” says Spitzner. The report also makes several recommendations, including the advice that any organization with over 10,000 employees should have at least one person dedicated to running the security awareness program. “Giving the person in charge of security awareness multiple responsibilities destroys his or her ability to focus and the consequences speak for themselves,” says Spitzner, pointing to “human error” as consistently in the top 3 of root causes of breaches as identified by the influential Data Breach Investigation Report (DBIR), which has examined over 100,000 security incidents over the last decade. Spitzner will be running the 2-day “MGT433: Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program” at this year’s Secure Europe, which takes place in Amsterdam during May.