When Cecelia Finney, Manager, Systemwide Human Risk Management and Strategy at the University of California, Office of the President (UCOP), took the Managing Human Risk course through the SANS Institute (SANS), she knew she had to find a way to bring the training to UC, and specifically to the UC Systemwide Cyber Champions Group.
Surrounded in the training by fellow attendees from different verticals worldwide – education, private, and public – it became apparent to Finney that the UC Human Risk Management (HRM) program could mature. Finney knew that by building this knowledge at UCOP, and across UC systemwide, UC cyber security efforts would greatly benefit.
Cyber threat actors have changed their attack methods; they no longer target technology but people. Human Risk Management (HRM) is the structured approach in how organizations secure people, addressing for most organizations what is now their greatest vulnerability – their workforce.
Source: SANS Institute
SANS, founded in 1989, is the world’s largest cybersecurity research and training organization, annually developing over 40,000 cybersecurity practitioners. Through comprehensive training, certifications, and resources, SANS equips cyber professionals worldwide with the practical skills and knowledge necessary to enhance global cybersecurity.
Finney, working diligently with Risk Services, was able to coordinate bringing the SANS Managing Human Risk course to UC free of charge for members of the systemwide UC Cyber Champions Group. This training took place on August 13-15, 2024 at UCLA. Over 20 participants attended.
“There is a major shift in the Security Awareness industry moving away from the traditional compliance and communications-based programs to cultural/behavioral focused programs, which are centered in identifying and mitigating threats against human targets,” said Finney.
“In order for UC to be at the forefront of these changes, it needs to shift its focus accordingly. Investing in this course for the Security Awareness Managers across the system ensures a more cohesive and standardized systemwide approach,” she continued.
“Our managers are gaining the skills to align their programs with industry best practices, and can now confidently and proactively approach mitigating the behavioral and cultural aspects of human-centric cybersecurity threats. It will fortify our efforts to safeguard our sensitive data, and ultimately increase our resilience in reducing UC’s human risk,” Finney concluded.
Bringing UC Cyber Champions together
Finney leads the UC Cyber Champions Group – a systemwide team of Awareness Managers whose goal is to strengthen UC’s culture of cybersecurity by developing strategies to mitigate risks associated with human behavior and interaction with technology and ensuring that employees and other stakeholders are aware of and adhere to best practices in cybersecurity.
The gathering of the group at the SANs training was the first time the group has congregated in-person in nine years, since it was formed.
“Cecelia did a great job organizing this and making sure the course proceeded smoothly,” said Petr Brym, Assistant CISO, UC Davis. “The instructor was very experienced, and projected enthusiasm about the topic. I recommend this course to all cyber security leaders, trainers, and communicators, and those who influence decisions about training the work force on cyber security.”
“The SANS Managing Human Risk course organized by Cecelia and hosted by UCOP was outstanding!” said Roger Padilla, Jr., CISSP, Senior Systems Engineer, Unit Information Security Lead. “The course content was insightful, relevant, and contained valuable information. I especially enjoyed the lab sessions that allowed me to collaborate with my UC peers. I gained fresh ideas on how to positively impact our security awareness program at UC Santa Barbara.”
Attendees that completed the course are eligible to sit for the SSAP (SANS Security Awareness Professional) Certification exam within four months of course completion.
SANS human risk training objectives
The SANS training aimed to achieve two primary objectives: first, to empower the team with a structured approach to managing human risks at UC, focusing on practical priorities rather than theoretical concerns. Second, to elevate the maturity of UC’s awareness programs by effectively managing behaviors associated with these risks.
“Bringing SANS in-house was both exciting to me and vital to maturing our program because it allowed us to openly discuss UC’s unique issues within this unique environment,” said Finney. “This training represents a pivotal step toward enhancing our security awareness programs and taking our behavioral risk mitigation strategies to a new level.”
SANS instructor Lance Spitzner, with his over 25 years of security experience in cyber threat research, security architecture, and security culture and training, taught the course. Lance Spitzner pioneered deception and cyber intelligence through his creation of honeynets and founding of the Honeynet Project. He has authored three security books, consulted globally, and developed security behavior programs for over 350 organizations. Lance also speaks at events and previously served as an armor officer in the Army’s Raid Deployment Force.
“We were very lucky to get Lance Spitzner,” said Finney. “He is a great instructor. He is at forefront of cybersecurity.”
SANS Summit
Lance Spitzner also runs the SANS Security Awareness: Managing Human Risk Summit. Finney attended the summit last year when it was held in Las Vegas, and through that experience, she was selected as a member of the Advisory Board for the 2024 Summit. The 2024 summit was held this year on July 29-August 2 in Norfolk, Virginia.
As an advisory board member, she was involved in the summit planning and reviewing all the entries for presentations for selection at the summit. She personally reviewed about 100, “and that was only half of them,” she said. Finney also MC’d a number of the virtual sessions, acting as online host and introducing the speakers.
Read more about the SANS Security Awareness: Managing Human Risk Summit 2024 here: https://www.sans.org/cyber-security-training-events/sans-security-awareness-summit-training-2024/
Contact
Manager, Systemwide Human Risk Management and Strategy
UC Office of the President
Author
Digital Risk Communications and Events Manager
UC Office of the President
Header photo: SANS Training at UCLA