Phishing For Answers

Rethinking Security: Dr. Joshua Scarpino on AI, Ethical Practices, and Gamified Training for a Safer Tomorrow

Joshua Crumbaugh, Founder & CEO of PhishFirewall


What if the key to fortifying your organization's cybersecurity was hidden in the ethical deployment of AI? Join us for an enlightening conversation with Dr. Joshua Scarpino, a dual expert in cybersecurity as CISO VP of Information Security at TrustEngine and CEO of Assess Intelligence. Our episode charts the powerful intersection of AI and cybersecurity, exploring how AI can both shield against and execute cyber threats, and why a comprehensive risk management approach is crucial for any enterprise. Dr. Scarpino's insights highlight the pressing need for responsible AI practices, addressing biases, and maintaining fairness in automated decisions.

Our discussion takes a deep dive into the innovative methods of security training, including the potent mix of continuous education and gamification. We explore the significance of understanding the risk landscape and the necessity of personalized security education, particularly for new hires who may be more susceptible to targeted attacks. From interactive modules to scenario-based learning, discover how these dynamic training methods can enhance engagement and retention, contrasting starkly with the often monotonous governmental training programs. The episode underscores the pivotal role of feedback in refining training programs, fostering a culture that bridges gaps between personal and professional security practices.

We conclude by emphasizing the integral role of building partnerships and fostering cybersecurity engagement within organizations. This includes challenging the misconception that security impedes business progress, and instead, highlighting how it can be a key enabler. The conversation pivots to the role of ethical AI, privacy concerns, and the need for transparency as technology continues to evolve rapidly. Dr. Scarpino advocates for a proactive and supportive cybersecurity culture that integrates AI into foundational risk management processes. Tune in to learn how to create a robust security-aware culture, where employees at all levels actively participate in safeguarding organizational assets.

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Dr. Joshua Scarpino:

All right.

Joshua Crumbaugh:

So once again we're here with another episode of Phishing For Answers. Today I've got Dr. Joshua Scarpino. I didn't ask, do you prefer Josh or Joshua? Josh is fine, okay. I go by Joshua, so I just assumed, but I probably shouldn't have. So, well, hey, tell us a little bit about yourself.

Dr. Joshua Scarpino:

Yeah, so currently I'm the CISO VP of Information Security at TrustEngine. I'm responsible for our security and compliance programs and also our IT operations function at the organization. In addition to that, I'm also CEO of a company that I founded, Assess Intelligence, which is really around deploying responsible technology. So that includes both security and the AI side of things, so I'm heavily involved in the AI landscape as well, because I believe that without responsible technology, where are we going in the future?

Joshua Crumbaugh:

Right, it's important to understand that. Go ahead. I was just going to throw in, I think AI is becoming a core part of cybersecurity; that I plan on talking about later today. Anyway, but continue. Yeah, I was gonna say, aside from that, I mentor.

Dr. Joshua Scarpino:

I'm also a professor at a local community college, where I first started my education journey years ago, and then I try to stay involved in a lot of different research initiatives around responsible AI.

Joshua Crumbaugh:

All right, that's very cool. Responsible AI is such a big thing. In fact, I find AI an intriguing conversation when it comes to cybersecurity in general, so maybe we just jump right over there. Did I not? Yeah, I did. I brought my slide. Okay, let's jump over to... Uh-oh. Delay one hour. Sorry, our patch management solution was just threatening to reboot my computer on me. Fortunately, it's letting me delay at least once. So we almost had a slight technical difficulty here, but no, so AI is really a massive concern, at least in my opinion, when it comes to security awareness.

Joshua Crumbaugh:

There's a lot of different aspects of it. You've got everything from deepfakes. Last week I got an opportunity to talk to a CISO at a bank, and their CEO had been impersonated already, so we've got that. But then we've also got just the data protection side of it, and I think when it comes to responsible AI, there's even a lot more. How do we make sure that biases aren't involved in decision making? How do we make sure that it's fair and it's honest? And I'm sure you're thinking about even more. So let me just turn it over. What are some of the things that you're thinking about when it comes to AI?

Dr. Joshua Scarpino:

Yeah. So I'd say, you know, security and compliance and responsible AI kind of go hand in hand, right, because one of the core components of that is really understanding the risk of your environment and the systems and where you are managing data. And to me, you know, I'm heavily focused on the NIST AI RMF, understanding that and having organizations adopt frameworks like this.

Dr. Joshua Scarpino:

We actually wrote a maturity model that was published in conjunction with IEEE and stuff.

Dr. Joshua Scarpino:

As a result of that, and one of the things that's critical for organizations is to really take inventory of what risks they have.

Dr. Joshua Scarpino:

Right and this applies to whether it's security education or phishing or AI in general deployment of any new technology we really need to foundationally understand the risks of that technology and that way we can appropriately develop and deploy a technology that makes sense for the organization and for the people that it's having an impact on.

Dr. Joshua Scarpino:

So I think to me, really having a robust risk management process that doesn't include just security but includes all enterprise risk is critical. In fact, there was an article that came out a few weeks ago, it was from ISACA, and I was writing the presentation that I'm doing, and in the headline it said all risk is enterprise risk, and I was like, oh, this is going to be great, because they're talking about risk and I'm talking about AI, so they're gonna have something on there on AI, right? Well, I literally went through the whole magazine. There was a callout page about how you need to understand the risk of AI, but it was more of an advertisement. There was no journal article around addressing enterprise risk from the AI perspective. So, you know, I'm using that in one of my presentations: it's like we keep saying that it's important to understand these foundational risks, but we're not making it a foundational part of the programs that we have in place.

Joshua Crumbaugh:

Yeah Well, and I mean I think AI impacts our cybersecurity in so many different ways. It's insane. I mean everywhere, from the approach to how we're going to detect and mitigate threats over to the you know the attacks that are coming in. I've already observed AI-driven attacks. Let me ask you have you seen any sort of AI-driven attacks in the wild?

Dr. Joshua Scarpino:

So we've seen some from a phishing standpoint, which is one of the topics of this. We've seen some, but our organization is actually very mature when it comes to detecting and identifying these things. I'm lucky, I'm blessed, to have an organization that is as responsible as it is and responsive to identifying these threats. I've been in previous organizations where that was not the case. You have to literally pound it into people: this is a phishing email. You don't just blatantly click on things just because it's in your inbox.

Dr. Joshua Scarpino:

Actually I have a polo actually listed where it says stop clicking on shit.

Joshua Crumbaugh:

No, it's okay, this is not a PG podcast, any language is acceptable.

Dr. Joshua Scarpino:

Yes, I got that as a gift, actually, from one of the people at the organization I worked at, because it's something that is consistent, and there's usually going to be at least one person that just will not take the time because they're in such a rush, or too focused on their job. So I think that, yes, there is an onset, because it's removed spelling errors and grammatical errors that were persistent across the threat surface, but it's evolved to where now we have to be very proactive in identifying the threats.

Dr. Joshua Scarpino:

I actually sat on a committee for research where somebody was developing a phishing machine learning model that would develop a phishing module, and then they would in turn use that to retrain it to identify phishing training that was developed by AI. It was like this circular process to help catch when you have this iterative machine learning-based content that's being generated.

Joshua Crumbaugh:

So it was actually a really fascinating research project that was completed. Yeah, no, it sounds like it. Maybe you can link me to that a little bit later. So we've also seen those ones that really appear to be mining social media, and while they're maybe not super advanced, they're smart enough to know who works for what department inside my company and at least have a little bit of hierarchy. Have you seen any of those sorts of phishing attacks, or no, not really yet?

Dr. Joshua Scarpino:

Yes, that and also smishing, right. People are using direct communication, and the problem is, with the onset of breaches and with people publicly putting out their professional profiles in general, right, it's not difficult or a far reach for people to say, I know where this person works and what they do within the organization.

Dr. Joshua Scarpino:

So it shouldn't come as a surprise. The biggest thing for organizations is to really understand, what is our risk landscape, right? Are these people being targeted? And if they are, let's get them the right education to make sure that they understand the risk that they're being targeted with. I routinely get messages from people across the organization saying, I'm getting direct text communications from the CEO or from the CRO, right, and it's like, these things are hard to stop because somewhere your telephone number got leaked and it's associated with your name. And then they look you up on LinkedIn and say, hey, you're affiliated with this organization, and I think that I could probably get one over on you.

Joshua Crumbaugh:

It's especially prevalent for people in new roles, especially in an organization. So I've been advocating for a while that we should have a social media waiver that all new employees sign that basically just says, hey, listen, the second you tie yourself to our organization online, you're going to be targeted. And just a little acknowledgement that says that they understand they're going to be targeted, because making them stop to acknowledge that I think is very valuable, because, like you said, it's every, or pretty much every, employee that links themselves to the company that's going to get targeted.

Dr. Joshua Scarpino:

Yep. Not only that, companies go out of their way to highlight when new people join the organization, right, and there's nothing wrong with that. It's good to announce and say, hey, we have these new people coming on board. But we also have to understand what risk that brings into the organization. We have to be prepared to address it. I think one of the things that is critical that a lot of organizations miss is getting out in front of this with training and a proper education, because when people start,

Dr. Joshua Scarpino:

they're bombarded with all this new stuff, but it's important to make that training set concise to the risks that are going to be relevant to them at the beginning of their career, not over the next year. So we want to make sure that we tailor the program to, I guess, current risks, not just every risk.

Joshua Crumbaugh:

I like it. Hey, you're preaching my language there. It's Security Awareness Month, so are you doing anything extra to sort of celebrate Security Awareness Month? So I've been in organizations across both sides.

Dr. Joshua Scarpino:

I worked at a Fortune 500 and they've actually gone out of their way to have Security Education Week and do hands-on training. But now I'm fortunate, and unfortunate, to work in a remote organization. So from the fortunate side, I love being able to work from home and remote most of the time, except for travel to offsites.

Dr. Joshua Scarpino:

But the unfortunate side is we don't get that personal interaction, so we have to be creative. Our organization has actually taken the approach of doing ongoing, iterative, bite-sized training throughout the year, because I understand the importance of security education and awareness, you know, and highlighting that in October, but it's also important that we ensure that the threats that people are being faced with, that we have relevant training to those, so that we constantly evolve it. So we have a cadence across each quarter where we do bite-sized training. We have some common topics and then we also focus on specific topics that we're seeing increased threats in the organization.

Dr. Joshua Scarpino:

In addition to that, we have ongoing monthly security phishing training, which is focused on addressing their level of expertise in identifying these and raising the complexity of the training to ensure that they're getting threats that are relevant and not something that they can just dismiss, say, oh, I've seen this one, it's not a big deal, right? It's important to have varied training that's relevant.

Joshua Crumbaugh:

I love it and I really do think that that continuous bite size that you mentioned is so critical. You know, there's this behavioral science principle called spaced learning theory that talks about how, if you break things up into little bite-sized chunks and you feed it to people at a high frequency, that you get really good retention. I imagine that since you've moved to this model how long have you been on that model? So my previous two organizations.

Dr. Joshua Scarpino:

I've actually taken this approach. I was at an HR tech company before now being in a FinTech. People are a lot more willing to participate when they're not being consumed for two hours, right. Between 15 and 25 minute trainings each quarter, and then we do an annual one which is a little bit longer, usually about 30 to 45 minutes. It's been that way, I've been doing it for about four years now, and I have really good engagement. We always get good feedback, and we try to pick things that are varied in the trainings, not just somebody sitting down at a PowerPoint, right. We have some that are interactive modules, we have game modules, we leverage some of the video modules where it's a scenario, something that happened, just to kind of get people to think differently.

Dr. Joshua Scarpino:

So we like to vary the training to ensure that people remain engaged and it's not the same thing every year, where you're like, oh, I did this security training last year. I was in the government for 16 years and, you know, every year it's the same exact training, for the most part, for like a five or six year stretch. Then they change it up, and then you get used to it again and just click through it.

Joshua Crumbaugh:

Right, even then, it really doesn't change much, because you're still helping Alice pick a password, or, you know, Bob avoid clicking on a phish, or whatever it happens to be. I also spent my time working for the government and doing that security awareness training, and even myself, I found myself not listening to anything, guessing at the answers that I didn't know, because there'd be some about laws that maybe I needed to pay attention to that training to know what it was. And so, yeah, I know exactly what you're talking about. It just didn't do anything to drive engagement with those of us that should care the most. So how is it going to get those people that care the least about it? Exactly.

Dr. Joshua Scarpino:

You said you did government. Did you do any of the Air Force training? What do they call it, this guy? Actually, here, I have him. It's on my shelf. I've got another item on the shelf, so I don't know if you can see this, but I'm sure anybody that's in the military or government remembers this image. It's the Common Access Card that's relevant. Sweater Vest Jeff is what they call him.

Joshua Crumbaugh:

So I was actually at the SEC as well as the FDIC, so I don't think it's the exact same training. But from what I've talked about with all of my friends that did work for some of these different agencies, pretty much everyone has the same training. It's almost identical across all the different government organizations.

Joshua Crumbaugh:

The difference is what laws they're teaching you is my experience there. Okay, so are you doing anything around gamification? So it sounds like you've got a pretty robust security awareness program. I would imagine you've added some level or some element of gamification.

Dr. Joshua Scarpino:

Yeah. So, it has to be tailored to the organization right. So we have people that love gamification. Then we have senior leaders who think it's a waste of time and childish. So you have to have a little bit of balance. So we do mix it up, some of the rotating modules. We try to mix a game in every now and then.

Dr. Joshua Scarpino:

But we try to create a balance of the different pieces, because it depends on the individual. Like when you get into the engineers, especially the early-career folks, they love that stuff because it's quick and it's semi-engaging, but people that are more tenured and more focused on driving, you know, business results, stuff like that, they don't really understand or connect with it. So you have to really understand the audience and your organization, solicit feedback and ensure that, if you have people that are doing that in your organization, maybe that's the culture of the organization, then you should increase it. I think one of the things that commonly does not happen, though, is soliciting feedback, right. In the government organizations,

Dr. Joshua Scarpino:

I've been in a couple of big organizations, and the feedback happens, like, point in time, but it's not part of every single module. In our LMS, we leverage feedback from every single training so that we can understand which ones people enjoy, what should we do more of, what should we do less of, and I think that's critical to ensure that you have people that are engaged. Another thing that's important is ensuring that you have something that's relevant for people.

Dr. Joshua Scarpino:

A lot of times organizations focus on addressing only the risk present in the organization, what the organization's facing. We also do biweekly newsletters, and, like, this is the perfect time of the year, we've started getting into the holidays, right. There's a lot of fraud that happens, people going away on trips and vacation during the summers or even at Christmas time, and you want to highlight security risks that are relevant to them, to get them in that security mindset to ensure that they're not only practicing it at work but they're practicing it at home.

Joshua Crumbaugh:

Because the more they practice it at home, the more they're going to practice it at work. Well, and that's a really good point that comes up so often on this show, is that we have to connect it to their home life, their personal life, because when we do, it makes them care more and, like you said, when they practice that at home, they bring that into the workplace. You said it way better than I did, but, yeah, I couldn't agree more. I have a feeling that I know which direction you're going to go on this, but I do have to ask: carrot or stick? Now, I know it's not quite so simple, but say you had to pick one and throw the other one away, which one do

Dr. Joshua Scarpino:

you go with? I'd say it's not quite that simple, but the reality is I tend to go with the carrot, just based on the way that I've answered. Obviously that's the best approach. However, there is a point at which the stick is required, right? Because for compliance purposes, we have to ensure that everybody's completing their training in a timely manner and that they are actually completing the required training throughout the year, right.

Joshua Crumbaugh:

So for phishing, this isn't as big of a deal.

Dr. Joshua Scarpino:

You have to do some remediation training sometimes for people that are habitual. But it's more relevant for the required training modules around protecting data and how the company uses data, or policy changes. Sometimes, when people don't make the time to do it, you have to make the time, and that's just the reality of the business.

Dr. Joshua Scarpino:

So if I had to throw one away, I would say it would be the stick, and get better at having carrots or offering carrots, but the reality is I think both are necessary. But I would weigh on the side of using a carrot and always encouraging people to want to do it, rather than forcing, because when you force people,

Joshua Crumbaugh:

they don't grasp the concepts. I agree, and I mean I'm just a big fan of the carrot over the stick in general, but I do think you're right, there's absolutely a place for that stick. But I think when you lead with a carrot approach, your stick is a lot kinder too. Like your stick is, hey, your account's disabled until you do your training, versus, you know, going straight to, hey, you idiot, you're fired, and I've seen a lot of cultures that really do lean toward that.

Joshua Crumbaugh:

In fact, on Friday I did a podcast where we got to this and the person goes, oh, 100% stick. And it ended up being the entire podcast. We spent, I think, like 35 minutes talking about carrot versus stick and really getting deep on that. So I mean, I definitely see the need from time to time, but to me we've got to make people want to care, and I would rather that the cybersecurity department wasn't looked at as that evil department that's always getting in everyone's way, but the friendly department that is just here to keep everyone safe. I think that's just a better relationship that we have with the user, and I feel like it builds more bridges, versus the more stick approach builds barriers, and they may do it because they're forced to, but I don't think their heart's in it. Yeah, you actually highlighted something that's

Dr. Joshua Scarpino:

a core component of how I operate my security programs, and, you know, I've had executives before tell me, hey, I really appreciate the fact that you take this approach. But you made a comment around the care: it allows you to partner with people in the organization.

Dr. Joshua Scarpino:

Right, and I think a lot of people say that security hinders the organization. That's a common misconception across industries. Security is going to put up a roadblock or stop us or stop business from advancing because of whatever reason, and I think it's important to really understand the risks of the business so that you can have a balanced approach to driving the business forward.

Joshua Crumbaugh:

Because, short of being a public organization,

Dr. Joshua Scarpino:

we have to ensure that the company is profitable so that everybody has a job. The other thing is, it's a lot easier to partner with people and have mutual benefit to the organization than it is to say no and force people to do things, and then it benefits no one. I think it's important to build relationships in a security program and drive value through bridging those relationships across the organization and partnering with key leaders across the organization.

Dr. Joshua Scarpino:

And I think it should be a foundational requirement for anybody that's running a security program and a lot of times that's often overlooked. As I'm security and this is what I say and this is the way it's going to go, and I think that does a disservice to the organization and really achieving organizational objectives.

Joshua Crumbaugh:

I think too often, as well, people in cybersecurity maybe don't have those softer skills, and another theme that comes up from a lot of the leaders that I interview here is how important that business mindset is: understanding how important the bottom line is, driving revenue, making sure that we're profitable so that everyone's jobs are secure. And so I do think that understanding how businesses work, and how we should be an enabler, not the one that's always getting in the way, matters. So, couldn't agree more.

Dr. Joshua Scarpino:

Yeah.

Dr. Joshua Scarpino:

I actually took a small stint in my career and went to be an internal auditor at a large insurance company, and it was probably one of the best decisions I ever made, because I did a lot of operational audits, right, and it forced me to realize that there's a much bigger world than security. Yeah, in security, leading security, you get very tunnel vision, and that opportunity forced me to address what are the operational impacts of everything we do, and not just in the security realm, across the whole business. Yeah.

Joshua Crumbaugh:

Well, for me it was, you know, first I was an ethical hacker and I was very rigid. You know the stereotypical red teamer, you know that approach to cybersecurity. And then, as I became a CISO, I learned to balance it a little bit more. But it was really when I, you know, after I founded this company and I became a CEO, that I truly learned to balance that, and I find that invaluable. And I think that, you know, we've got to do more teaching of business.

Joshua Crumbaugh:

Inside of some of these conferences you don't see the business track. Often it's all about AI or risk or cybersecurity, but not often are we talking about the business side, and I, for one, would love to see Black Hat have that business track, or, you know, RSA. So, okay. So another area that I like to hit on is, how can we make it more fun for users? Now, I know cybersecurity is not sexy, it's boring, it's not clicking on a link, and, in fact, when we do everything right, nothing happens, right. So there's no big bang at the end, if you will. Well, there is if we don't do well. But do you have any tips to make it more fun?

Dr. Joshua Scarpino:

So, I'm going to circle back to what I said before, right. I think it's difficult to tailor to everybody in an organization, because one person's going to think something's fun, the other person's going to think it's a waste of their time. I think it's important to get feedback and ensure that you're tailoring your program to your people and the culture of your organization, but I think the most valuable thing, aside from making it fun, is making it real. And this goes back to what I was telling you. We send out biweekly security newsletters. We have stuff that's focused on things that personally impact people, and, regardless of it being fun, if it's relevant to them, like scams at the holidays or whatever it is, or election fraud, right, things that people are actually going to connect with, then they have the opportunity to apply it to their personal life, and it's something that they can take with them, and it's not only a point in time useful for the organization that they work at. And I think that that is what makes it fun.

Joshua Crumbaugh:

I do think you're right, this shouldn't say fun. I think entertaining would be a better word, because when you do connect it to how it helps them in their personal life, it becomes very engaging, very entertaining, very quickly. I will say, the more we can make it fun, like, I've heard of cyber escape rooms. I don't know what I think about those, but during a month like Security Awareness Month, I think absolutely. But I think the more that we can make it engaging or entertaining, the more effective it becomes.

Joshua Crumbaugh:

But I do agree with you about, you know, we don't want to become patronizing. You don't want to focus so much on making it fun that it's just almost childish or whatever. There's a very fine line there, because we don't want to waste the user's time, because their time is very valuable and we have to be respectful of it. Okay, so let me see, we've talked through a couple things. Do you want to play a game here? It's a fun, easy game, and all you have to do is tell me whether or not this image is created by AI or if it's stock photography.

Dr. Joshua Scarpino:

I should get my wife in here. She's an art director and does this stuff for a living. So stock photography or AI. I am going to say, hold on, let me make my screen bigger, because I'm doing myself a disservice by having a small screen. I'm going to say this is stock.

Joshua Crumbaugh:

That is actually AI, and it's really put in here specifically to trick you, because the misconception is that it can't do hands well, which they've gotten better at.

Dr. Joshua Scarpino:

Yeah, I know it's difficult. The thumb looks a little weird on that one.

Joshua Crumbaugh:

Yeah, it's, would you pay attention?

Dr. Joshua Scarpino:

See, this stuff is so difficult anymore.

Joshua Crumbaugh:

I would say that this is stock. It is once again AI. They were both.

Dr. Joshua Scarpino:

AI.

Joshua Crumbaugh:

It was rigged to begin with.

Dr. Joshua Scarpino:

I figured it probably was, but art is not my thing. My wife is an art director and she's always like, oh, that's AI.

Joshua Crumbaugh:

She's like, oh, it's not.

Joshua Crumbaugh:

Last year, I think it was, there was this big art contest, and I don't remember which one it was, but somebody submitted something that an AI had created, and it won, and there was just this big uproar. A lot of people were upset because you weren't supposed to submit AI, but they were trying to make a point about just how far AI had come. Yeah, you know, speaking of AI, going back to the AI topic, they predict that we're going to be able to go to Netflix a couple of years from now and say, hey, I want to watch a movie with Ryan Reynolds and this, and it'll just make that movie on the fly. What do you think about that?

Dr. Joshua Scarpino:

That's a fascinating concept, right. It seems so far-fetched, I mean, from the era we grew up in. It seems so far-fetched, with the onset of technology, how fast it is rapidly growing. I think the challenge is it's really not that far-fetched anymore. I mean, if you look at it, technology doubles every 18 months, and back when I started my research project for my PhD, we were just getting to the point where OpenAI became commonplace, right?

Dr. Joshua Scarpino:

I mean, AI has been around since 1956, when the current term was.

Joshua Crumbaugh:

And it was going to take over the world since then. Exactly, that's exactly my point.

Dr. Joshua Scarpino:

And you look at it over, like, a 50-year span, there really wasn't a huge level of innovation, but in the last five years alone it's just been crazy. And for organizations, and I think for security compliance professionals, you know, the biggest thing is the rapidly expanding risk landscape. We're trying to keep control of, like, how are people using it? Are they using it right? What data is going into it?

Dr. Joshua Scarpino:

Yeah, so I 100% believe that, yeah, people can do movies on demand. They'll probably be short films at first, but at some point in the future it's practical, as long as you're kicking back royalty to the em and the artist says, yeah, that's okay, there's proper controls. I guess that's something feasible, but there's risk with anything, right.

Joshua Crumbaugh:

So yeah, no, I mean, it's an interesting, you know, sort of thought around how things are going to work as AI, you know, moves in. Will we even have, you know, a keyboard and mouse? Do we need it anymore? Do we just talk to the machines from now on? I mean, I don't know. Have you thought about any of this? How does it change our lives on a day-to-day basis? It's not cybersecurity related, but it's interesting.

Dr. Joshua Scarpino:

Yeah, it's interesting, so I have not specifically thought about the nuanced change in an individual's life, right. My focus is primarily around AI for good, AI controls, and understanding how we're using AI, right. So I tend to steer away from technologies, or steer people away from technologies, where they really don't understand how or why it's working. It's just working, right. And that's where I draw concern and raise a pause and say, hey, let's really think about this.

Dr. Joshua Scarpino:

I think that with the appropriate understanding of the context of the system and the inputs and outputs, and how it's being used and the people it's being used against, we can make educated decisions on what we should or shouldn't do. There was a part of my research, one of the things that was interesting, where I had a person I interviewed who had been in AI for over, like, four years at these big tech companies.

Dr. Joshua Scarpino:

And he said that the problem is, whose morality? It's the same thing as whose definition of bias. If you're in Toronto, you're going to have a completely different notion of what morality is than Salt Lake City, Utah, or Angkor Wat.

Dr. Joshua Scarpino:

So he said there's a lot of different shades of morality, and I'm paraphrasing that, but it brought up something that's very fascinating, right. A lot of times we don't understand that, like we live in our own bubble, and we don't understand that when technology is developed, that our view of how things should be is not really necessarily what's appropriate for somebody else in a different culture or different environment.

Dr. Joshua Scarpino:

And we really have to have multi-stakeholder feedback as part of that process to understand, like, if we're developing this technology, it's great, but is it right for everyone, or the people it's being used against? And I think that's one of the pieces that I kind of focus on when we start talking about, well, should we or will we have technology that does X, right? It's like, is it right for the people that it's being used against, whether it's the financial sector or the HR sector, right?

Dr. Joshua Scarpino:

It's not right for everybody, and there has to be gated checkpoints in there that we can validate and make sure that if it's not right, let's rewind and have the appropriate conversations and decision points, so that we can circumvent those processes.

Joshua Crumbaugh:

Yeah, I think privacy is going to be a really key area around AI, and we already see it with, like, the new Windows features that are coming out, where it remembers everything, every website I've been to, every document I've opened, every word I've typed. At what point are we feeding too much data into the cloud? And I mean, it's only continued to escalate and go more and more, and you know, as internet connections become better and faster and all of our devices become better and faster, well, what do the developers want to do? They want to send more information up to the cloud. But I do think that we've got to think about privacy a lot more, particularly those of us in the US. Around the world, I think they're often doing a better job of that than we are here in the States. Now, maybe not as a whole. You've got California and Colorado doing okay, but you know, I do think our country in general needs to take privacy a lot more seriously, particularly with AI changing everything so quickly.

Dr. Joshua Scarpino:

Yeah. I think this also sort of goes back to what we talked about at the beginning, right? So it's really understanding the risk of the systems that we're deploying, right, having those foundational processes and having AI included as part of this process.

Dr. Joshua Scarpino:

A lot of organizations will say that, you know, we have these processes and we're deploying these new technologies, but they don't include it in the routine foundational programs that they have around risk management and understanding the risk. They don't have the right people, like a diverse team of people that are providing inputs to, hey, should we use this system in X way? This is what we're intending to use it for. And then, last, they don't say here's how the system was designed and supposed to be used and deployed. And then they circle back at the end and go, well, we changed some stuff and now it's doing all this other stuff too, right. And it's like, well, did we do the right risk assessments to make sure that didn't evolve the scope of the system and the impact on people?

Joshua Crumbaugh:

Yeah, I mean it all starts with secure design, and you're right. So often we don't even look at it, and it's changed so much from the time we did look at it that it's not even applicable anymore. Yep, okay, so we've talked through quite a bit here. What KPIs are you focused on most when it comes to the human element?

Dr. Joshua Scarpino:

When it comes to security education, the thing I focus on primarily is around completion of the training modules that we assign. I focus on phish-prone percentage across the organization, right, and I like to understand what is causing the increase, if there are increases, and the types of training materials that we'll be sending out as part of the phishing campaigns, so that if there is a specific type of campaign element around, you know, whatever it is, certain vendors or whatever, we can ensure that we provide remedial follow-up, in-person, module-based training to support those outcomes and drive that number back down. Typically, as an organization, this is actually the only organization I've ever been at where I've had consecutive months where we've had zero people clicking, and we've had a significantly high portion of people reporting.

Dr. Joshua Scarpino:

But people get busy, right, and they do things without thinking. So every now and then we'll get, you know, the numbers creep up a tiny bit, but it's usually remediated pretty quickly, and we have training that provides immediate feedback on the type of phishing materials they're getting, which is very beneficial because people go, oh, I see what I missed now, right. So you do that enough, eventually people get used to it. We've been into it about two years now in this new program and it's been phenomenal. And I can't praise my company enough because they're incredible.

Joshua Crumbaugh:

They've done excellent work. Well, that goes to a testament to your methodology that you are at zero. You know, there are so many that couldn't even dream of ever getting to zero, and so I know the few companies that are able to get there, it's because they're building a strong culture. I would imagine, based on some of what you've told me, you probably have really good top-down leadership at your company.

Dr. Joshua Scarpino:

We do. Our leadership team is very focused on understanding security risks in the organization and compliance requirements, and they are really supportive of me and the program, and that's actually probably one of the other comments I'd make: senior leadership drives everything, right.

Dr. Joshua Scarpino:

If it's dismissed at the executive level across the organization, nobody else is going to put the effort into it. But since I've been here, the leadership team has always been extremely supportive of our program and our outcomes and connecting that to driving real value for our business goals. And we do that across with our customers, we do that with how we do business and then how we go to market, and I think it shows foundational commitment to the rest of the organization from the leadership team, and it shows that we're committed to advancing our controls and maintaining a high level of confidence in what we do as a business.

Joshua Crumbaugh:

I like it. So I find that most people who have been in cybersecurity for any period of time have developed a couple pet peeves. Do you have any pet peeves I can get you to talk about today?

Dr. Joshua Scarpino:

I'd say one of the most common ones is when people get in a rush and they circumvent things because it's easier. And a lot of this goes back to access management stuff.

Dr. Joshua Scarpino:

Right, because for us, for any industry really, the first thing that auditors always look at is access, right, and it's the easiest thing to do, right? It really is. But people are like, well, we'll just circumvent this control because I only need this real quick, it'll be easy. But then it goes up on a report of, hey, we didn't have a ticket for this, or we didn't follow proper procedures for this, because somebody with admin access did something, and that's been prevalent in pretty much every organization I've been at. I've argued in previous companies.

Dr. Joshua Scarpino:

I've argued with Linux admins about, well, I want to attach it to my primary user account. You're like, you don't need it attached to your primary user. You should use your admin user.

Dr. Joshua Scarpino:

So access management has always been a pet peeve of mine, and following and ensuring compliance with foundational processes, that's the biggest thing. Everything else, people make mistakes, we're all human, right, and the biggest way to combat those challenges is through education. I think that often security education is an underrated aspect of security programs and it doesn't get the focus it should, and they're not relevant. They just pump them out and it's checkbox compliance, and I think that does a disservice to the organization.

Joshua Crumbaugh:

Are you doing any role-based training currently?

Dr. Joshua Scarpino:

So we do, yes. Yes, we have training specifically for people that handle customer data. And then we also have developer training that's specific to the types of development we do. So we believe that's important, we do, and those are annual because it's added on top of the other training that we have. So we have annual specific training that comes out, actually just came out end of September, for our developer engineer organization.

Dr. Joshua Scarpino:

But yeah, we have modules that we deploy to them, and that's an additional about 30 to 45 minutes of training specifically targeted around code development and security training.

Joshua Crumbaugh:

Okay, very interesting. One of my VPs often quotes a statistic that training becomes 15 times more effective when it's contextual to the person's role in the organization. Because all of a sudden it's not one size fits all. They feel like, you know, it matters. So very cool to see you doing the role-based training. Any general advice that you would give to somebody that's building out their first security awareness program?

Dr. Joshua Scarpino:

Two things. I would say that it's critical to make the training relevant. We've talked about that over and over throughout this whole thing. It's a good thing. If people do not find it relevant, to your point, developer training, right, they have to have context and understand this applies directly to me. So when you have high-risk areas or systems or people, make the content relevant to them and their role. And then I'd say the other thing is the security program in general, and this is across any organization.

Dr. Joshua Scarpino:

I don't care where you are, your job is not to be a hindrance to the organization. Your job is to empower the organization.

Dr. Joshua Scarpino:

And if you empower the organization, you're going to have more support behind your program. So build relationships cross-functionally. My information security oversight committee has executive leaders from across the organization, and I think that's critical, and they're part of understanding the risks within our organization. They make decisions on any risks that exceed critical thresholds, but they also are foundational to understanding what we are doing in the organization and approving all governance. It makes them vested in the process. Don't build security in a silo. It doesn't benefit anybody but your team, and then you're going to say, I can't get anybody. Well, if you don't have anybody else included in the process, they're not going to want to. So it's important to make sure that people across the org and executives, including sales and HR and finance, are on those teams making those decisions. If the leadership's helping make the decisions, they're going to help enforce it and drive it forward.

Joshua Crumbaugh:

And it's going to be successful. You know, another point that I'll make there is that when you build relationships with the different teams, you learn about the threats that they face in their job that you might not know about otherwise. I talk to people all the time that say, yeah, it was when I went out and actually started meeting with people that I really started understanding our risk. I thought I knew about it before, but I learned about so much more, so many things that we were unaware of, when I met with people and started talking and having those conversations.

Dr. Joshua Scarpino:

You said something that made me think, so in my organization.

Dr. Joshua Scarpino:

We have built a tiered risk assessment process. That's something that we've done that's unique, and I got the idea from when I was actually in audit. We did audit risk assessments for evaluating audit goals for the organization and developing the audit plan, and one of the things we did is we tailored the program so that every department has a bi-annual or semi-annual audit risk review with each department head. They solicit feedback from their team and then they fill out their own risk spreadsheets, and then that all goes back and we have an organizational risk review process that occurs biweekly.

Dr. Joshua Scarpino:

So as those get populated, we find risks that are identified across the org, and then we're able to correlate those and say, hey, there's risk over here and risk over here. This is a larger risk, it's impacting multiple areas in the business, and we use that to inform our security compliance program. And then, if the risk exceeds certain thresholds, it goes to the ISOC team, which I mentioned earlier, and we say, hey, we got this really big problem, and all the executives are in there and they're hearing it. So they've got to either accept it or make a decision to remediate, and that's something that has allowed me to prioritize things. Identity access management for our platforms was one of them, one of the huge risks that we identified in the org. Yeah, we started raising the concerns, there were a lot of little concerns voted up, and then we ended up buying a third-party IdP and implementing our solution, and now we have very robust processes around identity management for our platform.

Dr. Joshua Scarpino:

So it's really valuable and it helps. You can't do things in a silo. This is what I mentioned earlier. That risk process alone is just another example. We broke down those walls, those barriers, and involved people across the organization, having multiple stakeholders, and got them in as part of that routine process and understanding risk. And then people start flagging things: hey, I was working with this team and they're doing this wrong. We haven't worked over there, and it's been incredible.

Joshua Crumbaugh:

Well, and it's not until they start understanding what things should be that they start flagging those concerns to you anyway, and I think that just goes to, that's one of those signs that you've built a robust security-aware culture. So, yeah, this has been very great. I appreciate it. It is Security Awareness Month, so one of the things I'm asking everybody is, do you have any advice for the end user? Not for the CISO out there listening, but just for the end user, non-technical.

Dr. Joshua Scarpino:

Yeah, I think that if people are, you know, participating in their program and they say, I hate this, or this training is stupid, tell somebody, because really, at the end of the day, you don't know what you don't know, and it's just like we don't know the risks until we know the risks, right, until they've been realized or something happens to call it out. So if there's problems in your organization and you feel that the training is providing no value, unless you work for the government, then you're out of luck pretty much.

Dr. Joshua Scarpino:

But if you work for any other organization, a private organization, call it out and say, hey, I understand we're doing this training. It's a requirement, but I'm not getting any value from it. And if enough people do that, it will provide context for the organization to maybe change their approach to things and do something that provides value.

Joshua Crumbaugh:

I like it. I like it. All right. Well, thank you for joining us for another episode of Phishing for Answers.