Culture Eats Strategy for Breakfast: Adding People Back into the Security Equation

We all know that people are a central part of the security equation, but how often are they really considered when you’re looking for ways to reduce organizational risk?  In this talk we’ll explore what security culture really means and why it’s a critical part of your overall security strategy. We’ll probe attitudes and perspectives that may be crippling your efforts to change behaviors, and review elements of a successful security awareness program. Finally, we’ll take a peek under the hood of your enterprise security policies and review strategies for making them more user friendly – and more enforceable.

Let us help you demystify the human and bring them back to their rightful place at the center of your security strategy–and success.


Glaphre Karolak started out as a help desk technician for a Las Vegas-based airline in 2008, and showing more talent for writing than fixing things, she quickly transitioned to documenting departmental procedures, building IT training, and writing the airline’s first information security policies. Glaphre was recruited by Caesars Entertainment as they launched their PCI compliance effort, to lead development of enterprise security policies and establish a security awareness program. Glaphre joined Kindred Healthcare in 2015 in a combined GRC and awareness role, writing policy for ISO 27001 certification, leading implementation of an enterprise document management system, and building a phishing and awareness program. Glaphre now writes for the Cybersecurity Engineering team, develops awareness content and training, and passionately works to transform security culture one relationship at a time. Glaphre has served as the Secretary for ISSA Portland Board of Directors since 2017, and served in the same position for ISSA Las Vegas from 2014-2016. She holds the GSEC certification and is currently studying for her CISSP.

Brian Ventura is a security leader in the Portland area. Brian works for the City of Portland as an Information Security Architect, focusing on GRC, Education and Awareness. Brian volunteers with the Oregon CyberSecurity Advisory Council, PCC’s CIS Advisory Board and as a Director of Education for ISSA Portland. Brian is also a SANS Instructor, teaching CyberSecurity courses regularly including: Security Essentials, CISSP Certification, CIS Controls and Risk Management. You can find a NIST CSF management tool published on GitHub, as well as his SANS course schedule.

Tickets on sale now:
