Lance Spitzner: Making security simple - FISSEA NIST Conference

Lance Spitzner: “We’re nothing more than another operating system. The HumanOS.”

Day two of the 31st Annual FISSEA conference at NIST kicked off with a Keynote presentation from Lance Spitzner, Director of Security Awareness at SANS.

His Keynote was titled: Making Security Simple - It's Really, Really Hard. Lance was fired up on stage, which in turn got me fired up. I was especially encouraged to hear that when it comes to enhancing security, Lance strongly recommends a focus on making the new behavior as simple as possible. In the case of Paubox and our approach to seamless encryption and HIPAA compliant email, there is no new behavior for senders to learn. Here are my takeaways and pics from his energetic presentation:

  • Lance outlined his 3-step process for making Cybersecurity Simple.
  • Changing human behavior is key to managing risk.
  • Lance Spitzner founded the "Honeynet Project" in 1999.
  • The best security awareness officers often do not have technical backgrounds.
  • “Once people interact with technology, then the game radically shifts.”
  • In general, people are smart.
  • Defense organizations tend to have the strongest security programs. Manufacturing firms are at the other end of the spectrum.

Lance Spitzner's Three Steps to Making Cybersecurity Simple:
  1. Teach as little as possible (be wary of cognitive overload).
  2. Make the new behavior as simple as possible.
  3. It has to be “Sue” proof (Can a non-technical person understand it?).

20 years ago, it was easy to hack default Windows OS installs.
[Image: Timeline chart showing evolution of Windows OS security controls from 2004 to 2016]

The BJ Fogg Behavior Model - Curse of Knowledge: The more of an expert you are at something, the worse you are at communicating it.
[Image: BJ Fogg Behavior Model diagram showing the Curse of Knowledge, displaying the relationship between motivation and ability with trigger points]

“Every behavior has a cost.” The disabling of auto-complete within Outlook at the world's largest bank was used as an example.
[Image: Presentation slide showing Dr. Angela Sasse from University College of London with the quote 'Every behavior has a cost.']

Lance spent a good chunk of time (rightly so) on NIST Special Publication 800-63B.
[Image: Slide titled 'Here Are the 25 Worst Passwords of 2017' showing password requirements and image of hand holding login credentials]

Lance reported only 10% of Google Workspace users are using 2FA (two-factor authentication).
[Image: NIST slide on simplifying passwords listing passphrases, password managers, and two-step verification]

Infographics are great for communicating information.
[Image: NIST infographic on password security showing methods passwords are cracked and recommendations for improving system security]

Lance's 3 Takeaways for Making Security Simple (Hint: It's Really, Really Hard)
[Image: SANS Security Awareness slide on simplifying security behaviors, presented at NIST conference]

Also, thanks for fielding my question, Lance!

 
