Developing Cybersecurity: How to Make Staff Know Security

it's ignored by people who don't really care about it um and that sucks um and for for those of us who are trying to build engagement and push pretty important material for uh for our staff um for whatever reason people ignore their training they do it because they have to and then they sit through the module and they click all of the right buttons to get the check mark so that they stop getting the emails and then they forget everything that they learned 2 days later or whatever um and then we have to send more emails and get them to redo it so why does that happen I'm going to talk a little bit about my

perspective on some of the reasoning for why people ignore that training uh or forget to do it or forget the stuff that they've learned uh and I'm going to talk about some of my experience as an instructor here at Nate on how to build engagement and how to get people interested in something that they don't necessarily have the background to fully comprehend or fully understand um just as a note a lot of my perspective on this stuff is anecdotal it comes from my experience as an instructor here and I don't know if this happens to you guys but for whatever reason in my personal life the people in my life tend to use me as a sounding

board for why their it departments suck um every time I visit my parents one of my mom's favorite topics of conversation is that her ID depart it department is awful and she asks if we train them intentionally to do stuff wrong or whatever it is um or every time my wife comes home having done a new cyber security training thing she talks about doesn't everybody know this you don't click on the links in your emails why do I still have to do all of these uh all of these training modules and then I have to turn around and go to work and try and convince people who are getting into Tech that this stuff is important

and they should care about it and they need to pay attention um so it's a it's a weird intersection of a bunch of different perspectives uh and I hear from both sides quite a lot um and so in my mind I I I have some ideas for how to sort of in increase the engagement in the existing training utilities um my talk today I'm not talking about replacing things like no before or other fishing campaigns or utilities I'm more interested in increasing engagement with those existing tools and improving uh the roles that those already play in our organizations um so to start off with a good chunk of our users who take the Cyber secur training probably don't

really care about it and the the subset who do probably already know all of the stuff that we're trying to teach them right the example of uh I I mention my wife will come home from work one day and talk about taking a security training module that is just a bunch of stuff that I talk to her about all of the time so she's not gaining anything from spending her day doing that training um she already knows about it you guys probably have people like this in your organizations um your power users or your super users the people who aren't necessarily in a tech role but know a little bit about this stuff they follow security news in their free time

they have a bit of a background with with this sort of thing um in when I did support these were the people where I would call when I was offsite and say hey I need you to go reboot a printer for me or reconfigure something simple the people you can trust to go do something because they have a little bit of a technical background that the rest of your user base doesn't um our cyber secur training is probably not super useful for that subset of users everybody else tends to fall into the other category these are our users who need this training for whatever reason whether it's uh they work in a critical role where

they're the target of like fishing campaigns or fishing emails at a higher rate than somebody else or their customer facing or whatever it is these are the the folks who need this training to be applicable and these are the ones who um in general it's lost it's not absorbed for whatever reason uh these are kind of the people that uh uh make up the rest of our user base and if we compare them to that first group for users who have some existing knowledge or already know a little bit about what they're what we're talking about versus the users who don't we can pretty easily come up with a rough idea of who in our user base is

our training being effective for and that is a pretty small group of people right the the group of people who are going to listen to your training and find it uh useful and understand what your point is or what you're driving at probably not uh a huge portion of your user base and so our goal and what I want to talk a little bit about is how to increase this overlap uh how do we push these two groups together a little bit how do we make it so the people in the green circle start to become the people in the yellow circle a little bit more to do that the first question is why does that green circle even exist

why is it that existing cyber secur training and existing modules are not uh taken seriously by our users I think there's a few reasons for this from my perspective this type of training is tends to be mandatory uh and people don't like things that are mandatory tends to be generalized which is exactly the type of thing that people forget about as soon as they're done with it uh and culturally this is the type of stuff that's generally considered kind of pointless it's the thing your boss tells you you have to do so you do it and then you're done with it um so things that are mandatory are things that generally speaking people put in the bare minimum they do it

because because they have to they have to check the box you get the email hey there's some cyber security training you have to do because it's cyber secur awareness month and then you go okay fine I guess I'll do this you click click click click click and then you're done because you don't want to get emails about it anymore you don't want your boss to bug you about it anymore um our students do this all the time students here at Nate are required to do an academic Integrity training module uh in order to get their credits uh and I can speak from experience that they they go in and they click all of the boxes

that say that they understand they are not allowed to copy things without giving credit they are not allowed to do un unsighted work or anything like that and then six weeks into the semester I have to pull a student aside and say hey why did you plagiarize this and they go well I didn't know I couldn't because they forgot about the training that was mandatory um the other thing that happens with mandatory training is it is always at the worst time it does not matter what time it happens it was the worst time uh and you hear people talk about this all the time I'm not going to do my training I'm right it's a you know I'm

about to go on vacation why would I take time out of my day when I'm getting ready to do this training or I just got back from vacation I have so much stuff I need to catch up on why would I do the training or we're about to start the busiest time of the year I don't have time to do my training or we just ended the busiest time of year I need a break I'm not going to do my training doesn't really matter if mandatory training comes out at a bad time it's the worst time doesn't really matter what time of year it is uh the other thing is that training tends to be generalized especially if

we're using the modules that are built into things like no before um they come full of examples that are sort of canned I guess uh and you know uh pre-built scenarios that for some people is pretty hard to relate to um if you're sitting in a training module and you work in uh the education space all of the examples in the training module are talking about Healthcare data that's pretty hard to relate to your day-to-day job and for the average user they're just going to not really pay attention or do the work of the lateral thinking for how does this apply to this type of stuff that I see in my day-to-day interactions um which is understandable

um because then what happens is an instant comes up where they do need that training and it doesn't come to mind because when they think back to their security training they've been thinking about healthare data and they're working in the education space right um so it's easy to forget after the fact and then lastly this is more of a cultural thing a lot of this training is sort of considered pointless um to end users because they don't really understand what it is or why it's important or the role that it fills in their sort of uh day-to-day they know that it is making them do it they're getting emails about having to do this thing and they're getting alerts about

it if they don't and their bosses on them because they have to check the box but there's not really a lot of understanding in the background as to why this stuff is important um the other thing that happens especially for it departments that have been around for a while is that sort of culturally you get into these situations where it uh and the average sort of user or the user base tend to kind of butt heads with one another a little bit right culturally your users think of it as this group who comes down from on high and decrees that a new policy is going to take effect uh and changes a rule or the way that some

function works and then they disappear and now your users have a different way that they have to go about doing their job and that's frustrating especially if there's not really any reason given as to why that change was made and with time this develops a culture where your users just don't really trust that it knows what they're doing and then you lead to situations like when you visit your family they complain about their it Department to you all the time um um I'm going to talk about fishing campaigns a little bit because that sort of culture of mistrust leads to a situation where things like no before and things like fishing campaigns um generate a huge

amount of distrust in your user base um I have a story as somebody in my personal life came to me once uh complaining about a fishing email their it Department sent out um the this was generated by an internal team as part of a you know sanctioned Noe fishing campaign uh and the subject of the email had something to do with uh an issue with payroll and of course the person clicked on the link because they have a mortgage they have bills to pay they're you know they want to make sure they're getting paid properly and then they find out they get a big screen that says H you fell for it time to go do more

training um that is not exactly generating a huge amount of trust right because that person didn't really understand the point of that interaction or why their it Department would cross that line I think everybody in this room knows that that's a pretty good fishing email that is the type of thing that an attacker would absolutely send out if they had access to it but the average person might not really understand that context right so this creates a culture where uh it is viewed as it trying to trick you into doing more training um and I've I've seen this here at Nate maybe I shouldn't admit this but I've seen this here at Nate where Nate starts

up a new Noe campaign and a message goes out into the big group chat with all the instructors that says hey everybody watch out Nate's trying to trick you again don't click on any links in your emails which you can understand why a user might do that but it kind of defeats the point of the training if people are just not going to do anything with it right and so over time this builds into this um this Us Versus Them culture as it and in the security world we kind of forget that users tend to be stakeholders too they want to be able to do their jobs they don't really want us coming in tell them what they do or do

not have to do and then disappearing and leaving them to feel like they have to clean up the mess uh and pick up the pieces that's not what we want so how do we fix that I've I've suggested there's a bunch of problems with this and the way we kind of do this training now uh how do we actually resolve those problems uh one of the biggest ways to do this and I do this in my classrooms all the time is to provide the why why are we doing doing something why do your users have to sit through this training module why do they have to do this particular piece of training uh why is it they have that we're running

fishing campaigns just taking a moment to give uh some reasoning to your users behind why it is that you're doing what you're doing can help people understand uh huge amounts of the reasoning behind some of this training one of the biggest biggest ways to increase this buy and two is to make sure that there is some context that's relevant to your users's day-to-day uh situation so the example I gave of your your no before training being full of healthc care examples you're giving that to somebody working in the education space that's something you can change without an enormous amount of work right there are examples from every industry of cyber security issues or violations or breaches or whatever you can find an

example for the industry that your users are working in and you can provide that to them and you can give them an ex example hey here's an example of an you know in the education space of a breach that occurred because of whatever whatever give them some context why the training matters and what happens if they don't do it properly and we do this in class all the time with students especially when they're learning something new I can stand in front of a room of students and I can lecture about you know the Linux command line for an hour and a half but without being able to relate that to something they do dayto day nobody's

going to listen to me because they don't understand why it matters right the other thing that helps a ton with trying to get these messages across is helping to stay informal especially if you're working in a culture that is already like an Us Versus Them environment um your users will not trust your it department and they just won't listen to you and that kind of sucks too um and the way to combat that one of the best ways to combat that is uh to avoid being seen as an authority making decrees down to people who don't really want to listen but trying to stay informal about whatever it is that you're trying to get across why your

training is important what an example means to you or your industry whatever it is uh maybe I shouldn't admit this but I'm sure I'm not the only one in this room sometimes I'm sitting in a meeting and my boss tells me some piece of information and I write it down and I say that's important I have to look that up later and then I forget about it uh because it's something that came up in a meeting and there's so much other stuff to worry about then you're sitting in the lunchroom talking to some Co workers and somebody says hey did you hear about that policy change that's going to mean XYZ for our day-to-day and

I go oh right I was going to look into that and forgot especially if there is a distrust and Authority people tend to trust their co-workers more um than their management structure a little bit and so if you can present new information in a way that's informal tends to carry a little bit more value of course this is generalizing a little bit but in my experience and from what I've heard from my students and and that other folks tends to hold true generally speaking so I have a couple examples I want to go through of um uh uh examples of uh how to sort of build some trust in your it department and some examples of what I'm talking

about today um we all heard about the crow strike uh issues that happened over the summer um I had a family member who came to me after this event uh frustrated that they're their company had been down for as long as they had been um and he didn't understand why didn't understand what had happened or what had occurred they've been at a standstill for like six days or something like that and he was just angry that he couldn't get any work done so I asked him isn't your it department at least sent you one email explaining everything he goes no we haven't heard anything we were just told we're down and we're working on it so

okay so he took a second uh and I kind of explained to this person you know crowd strike is a thing that does work in the background that you don't really see dayto day but it tends to be pretty important for uh server operations especially for large organizations um crowd strike pushed a bad update and it caused a bunch of servers to crash and nobody really had any control over that uh and unfortunately a fix for that tends to be fairly manual your it team has to go in one server at a time and reset the update and there's nothing anybody can really do about that being sort of slow depending on how complicated your

environment is and his family member kind of paused and looked at me and said you know that's good to know that they're not just sitting around on their asses doing nothing well nobody can do any work the reason I bring this up is because in my mind if I was working in the IT department at this organization that's a really easy win to get some buyin from my staff that's one email hey everybody just so you know this software we rely on has has had an issue outside of our control the fix is a really manual process and it's going to take some time but we're working around the clock and if you have any questions you

can reach out to us at whatever email address and maybe that's not a perfect fix maybe that's not uh going to solve everybody's frustrations but at least you're communicating and you're trying to be open with your users to help them understand why something is happening or why an event has occurred there's another example um I'm not going to name any names but in the news a little while ago um uh an educational institution in the area uh lost a bit of money because of a fishing attack um basically what had happened was um somebody had sent some emails to the accounting department of this uh Institute claiming to be a vendor that they had been working with asking to

change some account numbers the person in the accounting department did it they said yep you sound trustworthy changed a bunch of account numbers and the next three or four payments went to to the scammer instead of to the actual vendor something like $10 million was lost over the course of a couple of months and it wasn't caught until the vendor called and said Hey where's our money kicked off a whole investigation and eventually this was discovered uh could have been caught pretty easily by whoever took that call or took that email doing just a little bit of independent work to verify that you are who you say you are right and again the reason I bring this up this is

a really simple example that you could EXP play into your users if you work in that sort of space if they are in an accounting department somewhere they deal with accounts payable at all there's a really simple case of somebody didn't check they didn't do their due diligence it would have taken 30 seconds to make a phone call end result was $10 million lost so that's what I mean by specific examples the actions that the user could have taken and the consequences of them not taking those actions and this works for other um other areas as well like I said there are tons of examples for whatever industry you work in being able to find

a security incident or a violation or a scam or whatever affecting the industry that you worked in being able to relate that to your users the other thing that we can do to to help Foster our security culture is to kind of Leverage that other Circle so I talked a little bit about your power users um existing in your environment already having a bit of an understanding of some of the security stuff and caring about this stuff sort of intrinsically and if you can build a culture where those people feel empowered to discuss security issues with their co-workers that helps Foster your security uh culture in a way that is a lot more natural more of a

Grassroots movement than management coming down and telling people how they have to do things um so if you can find ways to do that encourage and Empower your users to bring up this stuff in a way that is informal just in passing instead of it coming down from management or whatever it is that can be a huge win to help develop your security culture um and in this way especially again if your users are sort of mistrusting of their it Department this is something coming from somebody they work with every day somebody they trust instead of you know Jim in it has decreed that uh so it shall be uh and this can be simple little things right somebody can

can say Hey you know I noticed you have your passwords on a sticky note taped to your monitor it's not a great idea um I get that you know we change them a lot but you could at least hide them under your keyboard or something like that right Baby Steps coming from somebody that your users trust instead of from it coming through and tearing passwords off of screens or whatever um obviously um we don't want to turn this into the sort of security policing you don't want your users going around and pointing fingers and saying hey I saw you plug that USB and I'm going to report you to it uh that is kind of the

opposite uh situation we want to build as well so this is about striking a balance um but being able to empower your users to uh your power users to help build the security culture can be a huge step that you can kind of just let happen in the background as well um and then lastly we want to try and build trust in no before um you want to give your users context to what this tool is and why we use it and the role that it plays in our sort of larger security uh training and security materials um no is not a secret anymore um when I was doing support it was just starting to become a thing there was a

bit of a bit of an attitude that we wanted to kind of surprise users with this right you want to send out a fishing campaign and hope that nobody's paying attention and catch somebody off guard with an email that they were not expecting and that's just not really the case anymore people know what this thing is they know that it departments are using it there are messages sent in slack slack groups or teams about the fact that there are fishing campaigns going on um it's not um it's not a secret weapon that we have in our back pocket anymore uh so why not tell your users about it why not take a bit of time and say hey this is a tool that we

use it's part of our cyber security training it's to ensure that um the training we have been provided is actually being effective uh and doing the role that we need to and there are going to be times where we email you about things like payroll issues or HR issues because that's not a line that an attacker is going to respect so we want to make sure you're paying attention to that sort of thing um and and providing some context about why it is that you're doing these sorts of things instead of it just being out of nowhere an email they clicked on and now they have to do some extra training or whatever right on top of that um you can always

provide examples of real fishing emails if you get push back about things like emailing about payroll things about things like emailing about HR you can provide real examples of fishing emails that that have passed through your industry and so this is the type of thing that we're trying to predict against um these are the type of things actual attackers are using to trying to get get into networks this is the type of thing we want you as users to be able to notice and ignore uh and they tend to be realistic and they don't really respect the boundaries that you're expecting us to respect so there will be times when we kind of push through those

limits a little bit right and it's all about building trust it's all about building uh a sense in your users that they understand why it is that you're doing what you're doing instead of just trying to get them with with a trick or any email or

whatever so uh quick little summary here um cyber security training in general depending on your culture uh tends to be uh have a negative connotation it's a thing your users have to do because they're expected to do it and they want to check the box and not get emails about it anymore um espe if this is a cultural thing where there's some conflict between your users and your it um your users don't really want to trust or listen to an authority that they don't necessarily trust they don't want to do mandatory training um and they don't understand why it is we use tools like no before so we want to bridge that Gap a little bit we want to sort of bridge

the gap between the users we we know know about this stuff and our own perspective uh and the perspective of our users who don't know about this stuff and don't really care and we want to kind of push those two groups together a little bit more um working on this from the bottom up builds a Grassroots movement empowering your users to to engage in that security culture helps propagate itself naturally as this becomes more and more common in your environment instead of it constantly being something that it pushes from on high uh with time you will build you will help build a security culture that sort of propagates itself and of course this cannot be

forced belief in a strong security culture is the type of thing that is just going to come with time through slow consistent messaging um that is fostered in your user base slowly with consistent examples and extra training or or uh those sort of informal discussions around the water cooler whatever it is to help your users believe that this stuff is important and it's the type of thing that affects them that they have to care about uh you can get there by giving your staff context giving them the reasons why you are doing the things that you're doing why you're sending fishing emails with the subject line that you sent them with uh and why it is that the training

that they're doing matters and some examples from their specific industry about um why they should care and what the consequences of not caring are um and tweaking your training modules to be able to do that to can go a huge way to increasing that user Buy in um in the short term at least yeah done a little bit early but I wanted to say thank you to uh you guys for coming out thank you to bsides for having me and thank you to Nate for hosting the conference every year thank you very

much not you back how you doing I had a baby oh congratulations

uh I believe some um do we have any question okay yeah go ahead so you made the mention of like great now I got do another training when I clicked on the random link do you think those retraining sessions are effective why or why not and if not what would you do instead if a person clicked on a link I think that's a great question um and I think it depends on whatever the existing culture is so if um somebody clicks on a link they're asked to do some extra trading um and they are you are already in a situation where they don't really trust the IT department or they don't think that this is valuable then no I don't think that's

doing anything I think you're just propagating the existing Problem by making somebody do something that they don't want to do um that said if somebody clicks on a link they shouldn't you have to have some kind of consequence for that right um and maybe there is a form of uh maybe not here's a training module you have to do but here's a discussion about why this even happened why this link showed up in your email um why it is that uh that it's a bad thing that you clicked on this why did we send an email trying to get you to click on something about payroll or whatever it is to help sort of start fostering that uh that

Improvement towards your security culture if down the line when you've done that work and you think the the relationship between your it department and your users is a lot better then yeah why not provide some extra context if you can support it with reasoning and context and sort of your understanding for why why it is valuable and why um why they should be paying attention I had a great question my name is Troy great presentation love your Insight any thoughts on positive reinforcement experience or uh that's a great question so um positive reinforcement for your users I think that's uh that's a great idea um I I think that that again if you're at the

beginning of this cycle where you've got some conflict between your users and your it um I think that would be really hard to do because in my experience if you try to give somebody who does not like you or does not trust you positive reinforcement they are not going to see a ton of value in that um so maybe not off of the bat but once you get a bit more into into that process of developing that trust then absolutely I think I think there could be some value to having some kind of positive reinforcement um off the top of my head I can't think of any examples of of what that might look like maybe it's a get

out of training free card one time for if you click on an email when you shouldn't have you build up some Goodwill but I definitely think there could be some value in that sort of thing for sure um thanks it was a great presentation I just have a quick um bit of a background so generally most larger Enterprises um there's usually a sort of um gap between SE suet Executives and everyone down uh in fact most times at C Executives they've probably got an EA who's doing all of their day-to-day stuff for them now how do you get C because most times the usually like security MFA all of that is for the rest of the minions not me so

how do you get SE Su to also realize that it's you know how what insights do you have to get SE Su to say okay it's also important that c have to do this kind of awareness training because and they have to Champion those courses actually for it to actually trickle down to the rest of the Enterprise that's a great question um and I can I can sympathize with that experience of getting your your Executives uh to understand whatever it is that you're driving at um I think all of the same ideas apply um I think you need to start um by trying to Foster your this security culture sort of from the ground up try to provide context and

understanding as to why something is or isn't important um in particular for breaking into that se Suite um I think there's a ton of value in in focusing on one one of your Executives if you can get the the CIO or the or the CTO or one person on your side then we end up in that same situation where people like to listen to their co-workers more than they like to listen to somebody in their management chain so if you can break into that se Suite um in on one person maybe somebody who works in a similar Silo to you and then you can leverage them to help spread your security culture a little bit more naturally um I

think I think that and then kind of following some of the similar ideas I think that would be a great way to help Foster it but it's it's a bit of a problem right stuff like this is for the minions and not for the executives but um I've heard stories of of very lucky people who get the CTO on their side and then they get the approval to no everybody does this it doesn't matter what level you're at you have to follow the rules too um and with a little bit of work that uh that buy in can be

huge thank you that was a great uh presentation thank you um at my job now that's one of the things I do I run security awareness and stuff like that so I can totally relate with what you're seeing it's always a challenge getting people to do these trainings no matter how you know you try I've you know I listen to all the points you made very good points there and I'm trying to think okay what can I do better and just to pick it back of what he said um you have a situation where some of the C with folks I'm still trying to get them to complete their training and so that makes a

challenging what are some other recommendations in terms of maybe tools cuz you've said a lot about No before now maybe I I don't know if there are some better tools I've had people talk about some gamification type you know tools things like that what are your thoughts around that um that's a great question um the reason I mentioned no before so much is Just that's the one I have experience with I know there are other utilities out there but this is the one I I knew when I was doing support um I think that actually comes back to to tr question about uh positive reinforcement a little bit too um and I see that with your with students in the

classroom too if you tell somebody they have to do something they'll do it but they're not going to enjoy doing it um but if you can find a way to to provide some some reasoning for them then you get a lot more Buy in the example of this is in some of my assignments I give my students an optional bonus question for extra marks on their next exam or whatever sometimes um so yeah I think I think sort of gamifying in some way um would could be super valuable for breaking into those uh those sections of your business that are a little bit resistant to the training um unfortunately my experien is with students and and the positive

reinforcement is is marks and Grading and stuff like that so uh unfortunately off the top of my head I can't come up with a specific example but that sort of positive reinforcement or that sort of cycle of um understanding I think is a lot more effective than just telling somebody over and over again again that they need to do something because they have to do it right um hopefully that's helpful yeah thank you thank you do we still have any other question okay um thank you once more conis for this wonderful presentation thank you I I gain so much and I believe everyone as well did thank you and on behalf of the team is I want to present

to this thank very much thank you

onward top all right there we go thank you everyone who has survived till the end of day two of bides Edmonton 2024 uh so you will be getting an event survey uh automatically in your email uh same one you got this morning so whatever email address that came to we really do appreciate it we want to hear the good and the bad so that we can keep making each year better last year we got feedback we needed more time in between each one of the talks and we added that so we always do incorporate your feedback you can help make the event better if you don't tell us what you need we can't do it all right so our CTF sponsors this

year were NCL security innovation they actually ran the platforms we had two different ctfs this year that was new one was geared more towards people who have not had the experience before and the other one was geared towards those who had then we had prizes provided by TCM security and hack five so we really appreciate that it kind of makes a little more uh fun to compete for those prizes and the winners of the nctf were and this is just going to be Butchery and I apologize code glitch zero Timothy Doby an effortless admin in first place second place was Rick the Vic and Eric Fred fredson Frederickson and uh third place is four where is four do we know where four

is are you four all right there we go come and get a prize all right for the security innovation CTF first place was zma Amed and Vivic we've got second place with zero trust and Elias we've got third place with triple the check and Benoit to forge and they got their prizes so we appreciate that there's also a prize draw for a Lego R2-D2 Chris Wilson and Mount Royal University you're going to get that in the mail I am envious our gold sponsors this year which we absolutely could not have had this event without were Optive zscaler poo Alto and vhim our silver sponsors were M&P digital CP cips Alberta epic it security Glass House systems convolt net scope

and Long View we had Cisco CGI and recorded future for our bronze sponsors and infos map if you don't know about them they're a great place to find where the next event you want to go to is and also if you got one of the Blinky badges if you got here early enough that was done by hackerare doio and uh if you were a speaker uh we appreciate you making this event possible obviously you all came to see the speakers that is what makes this an awesome event everyone in the community sharing their knowledge with the community and I left some lauram ipsums in please ignore that and we do have an announcement uh we're excited to share that we are now

separate as our own nonprofit entity you should not notice any differences but we really need to thank ISC squared for all of their help founding bides Edmonton and growing us to the point of this record-breaking year we had 600 people registered for this year so if it felt a little crowded that would be the reason why so this is the biggest besides Edmonton we have had next year it's probably going to sell out again so just as a warning maybe get your tickets before September uh or sign up to volunteer before September and uh thank you so much for everyone who has contributed to this growth whether you have volunteered whether you have spoken whether you have

just showed up every single year you make this community event possible because you are a part of our community and for 2025 we will see you September 22nd and 23rd here surprised you won't have to learn a new layout that's kind of convenient and we are going to have a mailing list uh it'll get emailed to you to sign up we have to figure out exactly how that's going to work but we can sign up you'll find out when the CTF or when the call for papers opens when CTF is going to be so you can pre-register when you get here to compete uh and if you want to you know find out anything about donating to us

any of those

things we have another all right and thank you to the volunteers uh so everyone who saw all the blue shirts around they were keeping our speakers on time they were making sure you knew where to go they were cleaning up after everyone they were setting things up they were tearing it down they were making the event run smoothly and again laurum IPS them o I apologize uh I need more coffee next time somebody just bring me more coffee and I believe we have a drawing uh Nate Nate d d all right come on up let's do the drawing okay so you you must be wondering why was here um you know the reason one of the reason we are you know

in collaboration with bside is just to you know promote ourself uh even though data management association chapter is doesn't deal with cyber security but uh it's our way of just collaborating with other associations and chapters so bide is one Kips is another so we just like to promote um each others conferences and activities that go on all the time so one of the things we're doing here today the reason we're here thanks to Har harinder is that we've got a conference coming up uh end of October and the draw was a one free pass to the conference plus a $50 gift certificate and I've got the entry form here our entry forms and I'm going to get harinda

to uh draw or one of our guests or somebody somebody do it going for the middle okay all right thank you hopefully it's legible enough for me to read and it's it's not gonna be it's uh Fabian is does anybody know Fabian um anyway it's from Alberta Government I guess gov and uh so we'll have to uh get in touch with them we got a email address and we'll send that out I was the person was here but it doesn't mean you know seem like the person is here so yeah we're going to keep this and we will send out the uh free gift okay so thank you very much and lastly just a round of applause

for this young lady Nicole she is amazing to work with um all right so yeah shout out for Nicole yeah she's the backbone of bside admon without her uh this event is not like you know kind of possible so she keep us everyone including myself in line like you know you do you're making this mistake like you're know going to fix it so she's the best project manager I call her like you know for the BS side we can ever have so thank you Nicole yeah best vies and with that reminder 22nd and 23rd of September put it on your calendars we will see you then thank you than you so much for

coming home driv thank you very much see them yeah yeah thank you any volunteers didn't get their gift card please uh come here uh I have a gift cards for all the volunteers