Type: Track 3
Thursday, April 10
 

11:00am ADT

Psychology of Cyber: The Driving Force Behind Social Engineering Attacks
Thursday April 10, 2025 11:00am - 11:45am ADT
In the cybersecurity industry, people are described as a weak link leading to cyber-attacks, and the most effective way to reduce risk is to implement the latest and greatest technology. But on average, more than 1 in 5, or 20%, of malicious phishing emails leak through filters and into people’s inboxes. Coupling this with Verizon’s Data Breach Report findings that 82% of all cyber breaches involve the human element, led by socially engineered attacks, focusing on motivating people to spot and stop these attacks has never been more relevant.


It’s time to change the narrative that people are the problem – they’re your organization’s best asset for spotting and stopping cyber-attacks that evade technology controls.


To effectively manage risk, you must understand more than the technology implemented when creating successful cybersecurity programs. If humans are the target of attacks, then the best way to stay ahead of social engineering antics is to know how humans are programmed to think.


Our brains are wired with mental shortcuts that have, over the millennia, helped us conserve resources and implement survival strategies. However, leaning too heavily on these shortcuts creates biases that can lead to flawed decision-making – particularly when it comes to cyber risk. One of the riskiest groups of employees is new hires. They possess preconceived notions like "Beginner's Bubble" (the Dunning-Kruger Effect), anchoring or optimism bias. The solution to lowering that risk is to apply a motivation-based approach supported by proven frameworks in neuroscience, biology, psychology, and behavioral economics. 


This presentation will provide security professionals, leaders, and program administrators with proven frameworks and methodologies like SCARF that they can integrate into awareness programs without additional tools or solutions. We will share what we’ve uncovered in our work with independent cybersecurity researchers and organizations worldwide, provide actionable insights for attendees to bring back to their programs, and challenge ideas to help drive the next evolution of cybersecurity awareness. 
Speakers
David Shipley

CEO & Co-Founder, Beauceron Security
David Shipley is an award-winning entrepreneur and a recognized global expert in cybersecurity. He regularly speaks at public and private events around the world and appears in national and regional media to address cybersecurity issues. In 2016, David co-founded Beauceron Security...
Argyle Suite 2

1:00pm ADT

What Cyber Teams Can Learn from an NFL Locker Room
Thursday April 10, 2025 1:00pm - 1:45pm ADT
Teamwork makes the dream work. Unfortunately, for cyber teams, we prioritize technical skill over all else.

As expectations and stakes have grown, we need technical experts to function in a team more than ever. In this session, a cyber leader and former NFL Linebacker will discuss:
  1. The details of great teamwork and how this could apply to our current cyber culture.
  2. A poll of 1,500 cyber consultants on the "current" state of our teams.
  3. Advice for how to build culture in a positive manner.
Speakers
Sean Tufts

Managing Partner, Optiv
Sean Tufts' focus on Critical Infrastructure is born from deep industry experience having spent most of his career in Oil & Gas and Electric utility operations. He's a former NFL Linebacker for the Carolina Panthers turned Critical Infrastructure security leader. Post NFL, he...
Argyle Suite 2

2:00pm ADT

Shifting Left Sooner: Building Cyber Resilience with the Allies You Didn’t Know You Needed
Thursday April 10, 2025 2:00pm - 2:45pm ADT
Through the journey of a Cyber Curious Business Analyst (BA), you’ll have an introduction to some of the tools, techniques and approaches that can be used to bring visibility to, and acceptance of, security & privacy needs, controls and requirements, starting at the discovery stage and onward throughout the lifecycle of a project. This talk will discuss some of the benefits of building an alliance with a Cyber Curious BA who already speaks the language of the business and who can help build a security and privacy aware culture from the middle outward in ways you may not have seen before. This presentation will be of interest to C-Suite, Project / Program Leadership, Security & Privacy Leads and their teams, students looking to break into the industry, professionals wanting to pivot into the industry from other roles and, of course, other Cyber Curious Business Analysts!
Speakers
Deborah Turner-Chappell

Senior Cyber Security Business Analyst, C3SA Cyber Security and Audit Corp
As a Cyber Curious Senior Business Analyst (BA) with over 15 yrs of experience on large IT transformation initiatives, Deborah Turner-Chappell attended her first B-Sides conference in 2023 and within six months, she had obtained her CISSP certification and landed a role as a Cyber...
Argyle Suite 2

3:00pm ADT

Bake it in, don't bolt it on: Making the case for System Security Engineering (SSE) in the modern Security Context
Thursday April 10, 2025 3:00pm - 3:45pm ADT
Modern project management and delivery practices struggle to find value when it comes to security's role in delivering initiatives for clients and organizations. Too often, we are added too late in the project and design lifecycle where any controls become too costly, or drive schedules too far right, to implement. So how can we fix this?

System Security Engineering (SSE)! By using a system engineering based methodology and applying sound engineering principles, there is a more effective, cost-efficient and schedule-friendly approach we can apply that provides better security assurance to our clients and employers.

This presentation will look at the fundamental, guiding principles of SSE in engineering trustworthy and secure systems. Pulling from the principles of NIST SP 800-160 rev.2, vol.1, this presentation will look at how integration of security within the different lifecycle phases of a design or project can help remedy this age-old question plaguing security professionals.

Speakers
Sean Scrivener

Senior Manager, Security Consultant - IT Risk Advisory Services, Royal Bank of Canada (RBC)
With over 14 years experience in security, Sean has worked across multiple domains within several critical infrastructure sectors. This has included military-industrial, banking and manufacturing; as well as multiple federal, provincial and municipal government departments. These...
Argyle Suite 2

4:00pm ADT

No One Pings Alone
Thursday April 10, 2025 4:00pm - 4:45pm ADT
In cybersecurity, we often focus on tools, tactics, and technical skills, but the heart of our field lies in its people. Community and culture are the often-overlooked forces driving innovation, resilience, and collaboration. In this talk, I’ll share how, in my experience, community is key to helping individuals grow and groups thrive, and how cybersecurity’s unique culture of support can help you grow both personally and professionally. Drawing from years of experience in community building, I’ll share lessons learned, practical strategies, and real-world examples to highlight why investing in relationships—both within and beyond the workplace—is an investment in the future of cybersecurity.
Speakers
Julien Richard

VP - InfoSec, Lastwall
Julien has been battling cyber threats for over 20 years, currently serving as the VP of InfoSec at Lastwall. He works with a talented team to implement security measures that keep them ready for any challenge. With more certifications than a high-tech Swiss Army knife (OSCP, CISSP...
Argyle Suite 2
 
Friday, April 11
 

9:15am ADT

Reframing Cyber Defence: Are We Seeing the Full Picture?
Friday April 11, 2025 9:15am - 10:00am ADT
As cyber threats evolve and regulatory landscapes tighten (GDPR, NIS2, DORA, CMMC, CPCSC, and more), organizations are challenged to move beyond traditional security perimeters. While the industry has mastered visibility into infrastructure, applications, and even OT environments, have we truly unlocked the full potential of cyber defence? More specifically, how can we align security strategies with business processes, data flows, and evolving operational resilience requirements?

This session explores the art of the possible in cyber defence—rethinking our approach to visibility, control, and governance in the context of digital transformation. Can we move beyond system, network, and application logs to gain deeper insights into how data is classified, accessed, and protected across an enterprise? How do we operationalize consent management, data governance, and security controls in a way that enhances—not hinders—business agility?

Key Takeaways:
  • Reframing cyber defence to address regulatory, privacy, and operational resilience challenges
  • The role of data classification, consent management, and governance in a modern security strategy
  • How to move from reactive security controls to proactive, enterprise-wide security integration
  • Practical considerations for embedding security into digital transformation efforts
Speakers
Jarett Parent

CEO and National Practice Lead, Canada, C3SA Cyber Security Audit
Jarett is CEO and Lead of C3SA Cyber Security Audit Corp. as well as Board Chair and Lead of Security BSides Ottawa – Canada's largest grassroots cybersecurity unconference. He brings more than 20 years of experience leading teams that deliver data privacy, cyber security, and resilience...
Argyle Suite 2

11:00am ADT

From Bed Bugs to Bad Actors: Planning for Compromise
Friday April 11, 2025 11:00am - 11:45am ADT
What do bedbugs and ransomware attacks have in common? Two things: they both sneak their way in, and they both need to be dealt with in a thought-out and methodical manner.

Fortunately, proper planning and remaining calm can go a long way to a successful recovery. In this session, we will draw parallels while covering the initial identification of the problem, the steps taken to quarantine and mitigate the spread, and the eventual remediation and recovery process.

By drawing similarities between data resiliency and a real-world bed bug infestation, we aim to provide a unique perspective on the importance of preparedness, quick response, and thorough recovery in both physical and digital environments. Attendees will gain insights into practical strategies for managing unexpected threats and ensuring resilience in the face of adversity.
Speakers
Alex Crandall

Systems Engineer, Veeam
Alex Crandall is a Systems Engineer based out of Atlantic Canada and is in his fourth year with Veeam. Prior to joining the Canadian SE team, he worked in professional services (Softchoice) with a focus on Microsoft technologies, at a local MSP supporting day to day client operations...

Matt Crape

Senior Technical Product Marketer, Veeam Software
Matt Crape is a seasoned professional with over 20 years of experience in the tech industry, currently serving as a Senior Technical Product Marketer at Veeam. Before Veeam, his journey included time in frontline roles in tech support, system administration, and IT management. He...
Argyle Suite 2

1:00pm ADT

Redefining Success in Employee Awareness Training: Understanding & Enhancing the Employee Journey
Friday April 11, 2025 1:00pm - 1:45pm ADT
In the process of an employee awareness training campaign, employees undergo various stages, marking their journey from initial awareness to completion. Recognizing employee journey stages is pivotal in cultivating a security-first culture that acknowledges human behaviour. Each stage represents a step in the employee's progression, starting with becoming aware of the training, deciding to participate, and finally completing the program.

However, a gap exists in evaluating the success of such awareness training campaigns. Traditional metrics like completion rates tend to focus on the final stages, overlooking earlier stages that are crucial in understanding and enhancing user engagement to sign up for training willingly, and not by force!

To bridge this gap, there’s a need for redefining success criteria for awareness campaigns. A comprehensive evaluation should consider each employee's decision-making journey stages and employ diverse metrics tailored to assess the success of each stage. 

In this presentation, learn about the different stages of the employee journey, engagement strategies, and diverse metrics to assess the success of the training campaign.

By embracing this refined assessment methodology, organizations can delve deeper into employees' learning journeys. This approach aids in accurately evaluating the success of awareness training campaigns by identifying the stages at which employees disengage. Consequently, this allows planners to pinpoint gaps, plan effectively, and make informed decisions to enhance training campaigns. Ultimately, this ensures that employee awareness training campaigns engage employees collaboratively around their needs.



Speakers
Khatija Qureshi

Cybersecurity Awareness Specialist, Undisclosed in Insurance Industry
Khatija Qureshi is a cybersecurity professional, trained by SANS and holding three GIAC certifications, along with a Certified Incident Handler credential. With over a decade of experience in marketing, brand building, and communication, she is dedicated to humanizing the field of...
Argyle Suite 2

2:00pm ADT

Reality Check from the C-Suite: Why Technical Skills Aren’t Enough to Land the CISO Role
Friday April 11, 2025 2:00pm - 2:45pm ADT
This session explores why many cybersecurity professionals are often overlooked for the Chief Information Security Officer (CISO) role despite their technical expertise and certifications. Drawing on C-Suite and board-level insights, this presentation highlights the essential executive soft skills, business acumen, and strategic vision needed to transition from technical expert to organizational leader. Attendees will better understand what executive leaders seek in their next security executive, equipping them with the insights to make this critical career leap.
Speakers
Darren Gallop

CEO, Carbide Secure
Darren Gallop is an accomplished CEO, board director, and cybersecurity leader with over two decades of leadership experience in technical environments. As the founding CEO of Marcato, Darren led the development of integrated technology solutions for some of the world’s largest...
Argyle Suite 2
 