
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Phishing Fallout: Angela Chen on Combating Cyber Threats in Higher Education and Building a Secure Digital Culture
In our latest episode, Angela Chen, CIO of the University of Delaware, shares her personal experience with phishing, revealing the profound emotional and psychological impacts of these attacks. We discuss the importance of making cybersecurity a collective responsibility that spans generational divides and the need for tailored education to enhance awareness among vulnerable populations.
• Angela's personal experience highlights the emotional toll of phishing
• The impact of phishing on trust and mental health is profound
• Younger and older generations are particularly vulnerable
• Universities face challenges in effectively educating students on cybersecurity
• The dual role of AI in enhancing and threatening cybersecurity
• Effective communication is crucial for changing security behaviors
• Positive reinforcement ("carrot") approach over punitive measures ("stick")
• Collaboration and learning from one another are key in boosting awareness
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
Joshua Crumbaugh:Hello and welcome to another edition of Phishing for Answers. Today I am here with Angela Chen, the CIO of University of Delaware. Angela, do you want to introduce yourself real quickly?
Angela Chen:Thank you, Josh. So hello everyone. My name is Angela Chen. I'm very honored to be here. So right now I'm the chief information officer for University of Delaware and I spent almost 25 years in the technology industry working for actually, I have a split career now half for financial industry, half for higher ed which gave me a pretty unique perspective and helped me to really see how things work together and how we can leverage technology to support the society.
Joshua Crumbaugh:Oh, that's wonderful. Before we got started, you were telling me a story and I'd love it. Maybe if you could share that with my audience here today.
Angela Chen:Well. So the story I was telling first started from how me myself fell for phishing a couple years ago, which I feel even embarrassed to say so because I supposedly right, should be highly trained and be very aware. But it's pretty obvious the bad guys they know when we are vulnerable and when to like how to gain that access and the trust to basically mislead people into doing things to their favor. And the story I was telling Josh is a couple of years ago, as I experienced, became the victim myself. What hurt me the most is my feeling of the betrayal of trust and also, obviously, a little bit of financial loss. But then, as I took the CIO role for the university a year and a half ago, because of my role, I definitely get a lot more insight into the constant cyber events or attempts that are being made to our community members.
Angela Chen:And so, um, the type of events, the type of attack that's happening every single day, every single or even every single second, is mind-boggling and very like a serious and potentially could be very damaging to not only how I experienced in the past just as an individual, but to both the institution and the individual who get attacked to both financially and also mentally get very negative impacted. So that really made me feel so critical that we have to take all the actions that we can to educate, to protect and to basically try to win this game. I was told that the bad guys, they can try a couple thousand times and only need to win once and if we fail once, the impact is like sometimes unrepairable. So it's a constant battle, but we are in this game every single day, yeah.
Joshua Crumbaugh:And, you know, one of the things that you mentioned there that stood out to me was the loss of trust in people, and I think that is an incredibly key aspect of the consequences of phishing. That's really not taken into account nearly enough and, in particular, with some of these romance scams that we're seeing more and more, just the emotional devastation that happens and financial is just can it can be almost overwhelming for some people, and I have no statistics on this, but I would imagine there's probably been some sort of suicide rate as a result of those scams too.
Angela Chen:Yeah, I will not be surprised because now the scam has become so sophisticated through social engineering, the scammer sometimes they know more about you, sometimes more than maybe you yourself know about yourself, and they will catch you at your surprise and build your trust. So I can tell from personal experience perspective. This is a serious concern, not just only like data privacy or like financial loss, it's also a potential big risk to human psychology, like our safety right. How do we, whether we feel safe or not? That's which is like the most basic right needs for any human. That could get very severely impacted.
Joshua Crumbaugh:You know, that's a perfect segue to one of the things that I like to talk about, and that is the need for people to understand this, not just from a professional point of view, but also from a personal point of view, and how both are so intermingled. What are your thoughts about that? I mean, do you feel like the? You know, training people for that risk that they're going to experience in their home life is just as important.
Angela Chen:Well, so, like this catchphrase everybody would like to say in the cyber industry, is security is everyone's business? Yes, only right, the security professionals alone. It's absolutely not enough. And one more personal story I could share is my dad, who is approaching 80, a couple of days ago just posted something on his social media account which is so odd. Then I called him right away to say hey, what happened? Why do you post a weird message like that? He said oh, people said, if I share that message, that could be a good thing to do, it's just a nice thing to do, it's a nice thing to do. And so I was able to detect it, call him, stop it, tell him, say hey, delete it and never, ever respond to this kind of things.
Angela Chen:I know you have a good intention, but it could be very risky. The whole society, everybody, is vulnerable. Sometimes we think we have trained people enough, but there are lots of pockets of the society they have not received the right message or have the right awareness. Then they become very, very vulnerable to those type of attempt and ever right, they fell into the trap. Sometimes the damage is devastating to those people. Hello, hello.
Joshua Crumbaugh:Oh, I'm sorry I was talking away and I was on mute. I haven't done that before, at least not on the podcast, so that's my mistake. Um, but I that actually brings up, uh, uh, some research that we've seen, or at least anecdotal a little bit. Uh, but across all of the different organizations that I work with at least the ones I got demographics on uh, it's the oldest and the youngest that tend to present the most risk. Uh, the oldest because technology is new. They didn't grow up on it and they've had to learn it after the fact. The youngest because technology has been there their entire life and they've almost grown apathetic to it. Now, focusing on the younger generation, with you being the CIO of a university, this must either stand out and sound 100% accurate to you, or maybe you disagree, and I'm just really curious what are your thoughts? Do you see that younger people tend to be less risk aware?
Angela Chen:Actually I agree with you 100%. So, based on the data we have, our student community actually is the most vulnerable community, for a couple of different reasons. Number one is for any given university, we have a huge number of students, some public university even pushing I don't know 100,000 students at any given time. So compare this to private industry. The organization's ability to have tools and services available to this huge volume, to this population, actually is limited. So, for example, security, phishing, training tools that we could purchase for a younger generation, we are not yet even positioned to have that level of budget to have everybody covered, while the industry vendors, their initial licensing model is typically per user, like an active user, per account. So that is one reason that they are very vulnerable, because we just do not have the means to provide enough coverage. And then, second reason for the younger generation is university.
Angela Chen:I'm just talking about university. University we throw a lot of things at the students. It sometimes get them very overwhelmed. Before I talk about the students, their attitude themselves, I do think universities we will take responsibility also need to take responsibility because we are not very well organized when we deliver messages or services to the students. Very often the students, they feel overwhelmed and then, after they feel overwhelmed, what happens? They ignore. So whatever the message you send to the students, they will be saying another email from the university and then just auto delete.
Joshua Crumbaugh:I don't know that that's just students. I would argue that's the average user too within our companies, because when they feel overwhelmed, my experience is they do the same thing. It could be HR, and if they feel overwhelmed, they're still going to turn off, just like that student.
Angela Chen:Very, very true. But what's also it's a little unique is because the students they live on campus, especially undergrad students, so the amount of communication they got from university is a way more than a typical staff member, because university will reach out to them about everything in their life Dining clubs, athletics, library safety and it's all email right.
Angela Chen:Yeah, we do have a mobile app, right, so that's where we try to improve by giving different channels to engage. But email is still a very heavily used traditional channel. So, as a CIO for the university, I noticed, right because I spent 15 years working for private industry I agree with you 100%. I ignore HR emails myself very often, right, as we all did in the past.
Angela Chen:But students, oh my God, I really feel sometimes, like you know, being accountable, right, because my own kids, my oldest son is going to college next year and knowing that how much work, right, university needs to do to improve, I know right. I know right, they do get overwhelmed right now because it is a hot topic that we have within higher ed industry how can we organize ourselves better and really get the students' attention, while the nature of their engagement will require communication from so many different perspectives, both academic side and administrative side, and basically the entire life. It is overwhelming for students. And then the last piece it is the fact you talk about the newer generation. They grew up with all the technology, so very often they feel they know more right then In their defense.
Joshua Crumbaugh:I definitely had some professors when I was at college, but I went to school for tech too. I did know more than them. But that's a little bit unique, because when I went to school for tech it was very new and most universities were way behind. I think nowadays they've started to catch up and I doubt that's the case very often.
Angela Chen:Yeah, and so that actually is where I am pushing very hard for my team to look into is how can we leverage the students to help the students themselves? Because the students, they understand each other better, they speak the language, they also are more involved in the student community. So, rather than university trying right, the central units are trying to figure out a way to engage. We can learn a lot from the students. But still right, because every actually after I switched to higher ed, I find, oh my God right, life is so interesting. When I work for private industry, it's very much profit-driven, product-driven, but when I work for university, you almost work for an entire city, or sometimes you feel you work for UN, right, if you have lots of like global programs. So there are so many different like challenges that you have to manage and it just makes life very interesting and challenging right now.
Joshua Crumbaugh:Artificial intelligence I know that I mean for just the average organization AI is a loaded subject. There are a million different opinions on it, but for you in particular, given that you're at a university, AI must be 10 times more loaded than even at the average organization. So, just wide open, what are your thoughts on AI?
Angela Chen:Well, so you are right. Right, for a university, actually, AI means many different things. So allow me to make a kind of a high level cover, right, what does it mean to a university? So a university, especially, for example, university like University of Delaware, we are an R1, means the highest level research institute, means we do a lot of related research activities on campus, right, not only the UD researchers, but also people they collaborate with.
Angela Chen:And then research the nature of research requires openness. So it's not like when I work for used for the banks, right. So things are very strictly blocked, right, you cannot, like, use your own personal machine, you cannot download anything to a some drive, you cannot forward email to anywhere, but the nature of research, it requires huge collaboration across the entire globe, not even like when it's in the country. So then that become a very difficult topic. So it's not just say AI threat, it's how do you enable those research which will have AI component in it and just research in general, understanding that there's all kinds of a threat that's becoming even more sophisticated by leveraging the latest AI algorithms or compute powers, then how can you make sure those, especially those research that will have sensitive data objects involved, to be properly protected but yet still kind of open enough to allow collaboration.
Angela Chen:So to any R1 institution that is an everyday challenge. The work is getting just harder and harder. The government also is implementing even more strict rules to require compliance to different kinds of controls. So that's one side of the story. And then on the regular teaching and learning and administrative side, the hackers are probably, I have to say, right. They are most of the time a lot more skilled and have a lot more resources that they can deploy to make their attack very sophisticated, hard to detect and hard to defend.
Joshua Crumbaugh:Agreed. But I will say I really do think that, from the hacker's perspective, at number one, we're funding them every time we have a successful ransomware attack where somebody pays. But beyond that, I don't know that it's necessarily just that they're better than us. But if you look at, you know, take the cybersecurity vendor space or cybersecurity tool space. Having founded a company in this space, I know a thing or two about it and I look at just what we're doing.
Joshua Crumbaugh:We have AI driven phishing. The bad guys have AI driven phishing. But the bad guys are ahead of us, and it's not because we couldn't be right where they are right now. It's because we can't afford a really big error and for them it doesn't matter, and so they can push things into production for lack of a better term without ever testing it, while the rest of us are going to take great caution with pushing stuff to production, or at least most of us do. I won't name any names, like CrowdStrike, but jokes aside, they deserve that joke. Um, but jokes aside, no, I do think that that's part of the problem is that the good guys are never going to be able to move at the speed of the bad guys.
Angela Chen:Yeah Well, so how I see it is, um, coming back to my higher ed story um, because the bad guy is a facing uh, couple hundred thousand bad guys right all together, and so what's still happening now is, most of the time, the good guy is fighting alone. So I'll give you the reason I say that is, for example, I have a team security team that has probably about 12 people to 20, right, because we also responsible for physical security technology support as well. So let's just say right, my digital security, cybersecurity team, it's a team of 12. And they have to be split into security operations, security compliance, reporting and identity and access management, security architecture right, so many different roles to put to develop what's needed. Right, to protect the university while we are facing I don't know what's the number actually right, so many, so many bad guys constantly trying to attack the university. So we are very often outpaced, outsourced, right, because-.
Joshua Crumbaugh:Outnumbered.
Angela Chen:Yeah, outnumbered. Right, Because each individual organization. We just have limited resources, so I am pushing pretty hard to leverage as much as possible. Right, you mentioned that you started a company, because there are absolutely experts right.
Angela Chen:Like subject matter experts in the industry who are good guys and developing solutions or services that we could leverage. So this is where we are trying very hard to figure out how can we partner more and more with industry experts to leverage the products and the services to help us to do the needed job, while the internal team can never be right, kind of be big enough to have all the skills to have all the time right that we need, right to protect ourselves.
Joshua Crumbaugh:And I actually think that security awareness or security training, phishing simulations is a great area, or a great example of that. One of the number one problems that I've seen is that the average security team does not have the skill sets required to run an effective security awareness team, and I don't say that to be negative or mean to anyone in cybersecurity. I say that because most people in cybersecurity come from a very technical background and they do not come from a communications, a psychology or a behavioral science background, and having those skills is incredibly important when we want to change human behavior, when we want to drive culture change. We're never going to be effective if we're putting our most highly technical people that probably have some of the least understanding of psychology in charge of our biggest, most important communications project, and so I do think there's a lot of times where we, as cybersecurity professionals, need to understand where our weaknesses are in our team, and that is to your point where vendors can really really help complement us there.
Angela Chen:Well, yeah, I wholeheartedly agree with you. And I went to a session specifically about cyber communication, right, like how right, at different universities they take different approaches, and so it's a panel discussion and Yale, NYU and the University of Illinois, they had leaders there to share some of their good practice. So what resonated with me as a big aha moment was I actually worked for NYU both NYU and Yale in my career. I worked for NYU for almost seven years before I took the new job last summer. And so they talk about right, their communication approach, their success and also the team.
Angela Chen:So one lady in the audience raised her hand and said well, thank you, but I'm jealous and because as a smaller liberal arts university, we just don't have that kind of luxury to have a team of five communication specialists who will be able to focus on that and develop such a comprehensive program, which we all agree it's it is a must do, and so the reason I share this story is I number one. I want to say agree with everything you just said. Yes, it is so important and at the same time, there is a lack of skills that exist within cybersecurity team or even at IT in general. So, like communicators, change managers roles that are very often like deprioritized right we will hire developers first, right Before we hire a change manager. And the but oh and change management is critical.
Joshua Crumbaugh:I mean, I think for my company, it wasn't as a setup until we really took change management seriously, particularly from a client-facing point of view, that people started seeing our value and our technology started exploding. Before we really did a great job at change management, they didn't see the value. It's not that we had more value, but we were able to articulate it better, and I think that that's not just true for us and for you. I think that's true for almost everybody in those situations, but particularly cybersecurity departments.
Angela Chen:Yeah, so true. So that's why I specifically went to that session, took a bunch of notes and sent it to my team right after, and also because I know the people from those universities. So that's definitely going to be a commitment that my university is going to take, which is to add more capacity and focus change management communication to make sure that our let's just come down right to this one particular area the phishing campaign and the security awareness training to become a lot more user-oriented and like effective right Rather than just like give out a more general purpose training and hoping right People will take it and have enough awareness.
Joshua Crumbaugh:Yeah, so that's a great segue to a topic I like to talk about role-based training. What I see is that every day, our users report more and more phishing attacks that are tailored to their role within the organization that they work for. And if we're getting role-based phishing already from the bad guys, the argument stands that we should be conducting role-based phishing simulations as part of our training, but I think, also just role-based training in general. The finance teams face different threats than the IT teams, than the developers, etc. What are your thoughts about role-based training, and have you had any opportunity to really go down that path much yet? And, if so, what kind of results are you seeing?
Angela Chen:Well, so you basically said everything that I am going to try to do. First of all, I want to start the response from what we have learned from those cyber events or cyber attacks. What we observe is those attacks. It's absolutely role-based. You no longer see those very generic saying right that actually either is being used or works. Where we see the phishing attempts from right. All the data we collect is a full example.
Angela Chen:Summertime we see a spike of phishing attempt being made against our students and the faculty members. For students, typically it's our we have a summer job. Are you interested? Imagine what would be the response. Of course our students would love to get a summer job. For the faculty members going to be right say, hey, your dean has some questions for you to prepare, right for whatever right the grants or research project you are working on, and so respond. So it's not just conceptual, it is for real. All the data we have that we see either like where the community members they do like a fall for the trap, actually the summertime we do have a good number of students. They actually the accounts get compromised because of right what I mentioned, hey, we have a summer job type of official intent. And we also have other incidents that we noticed because of those role-based only role-based. It also have a season, like a like a seasonal effect, building it right, yeah, holiday phishing yes yes, absolutely yeah right.
Angela Chen:So it's role, plus the timing of the events together make those attempt to have higher success rate.
Joshua Crumbaugh:Yeah.
Angela Chen:And so having that data in hand. So you guys, right, obviously we are going to look fairly deep into how can we evolve our approach into those more role-specific type of training going forward. So, at least for my current university, the approach has been relatively generic, right, we have one training every year for everyone, and then the completion rate is relatively low. And so this year we are already taking approach to make the training to be shorter, more frequent, more, like I say, event driven, rather than only like just give out generic message to everybody at the same time. But this is where I really hope the AI, like technology integration into our vendors, can continuously give us more options to leverage, to customize our campaign and also our training material for different audience.
Joshua Crumbaugh:I like where you're going with that. We at PhishFirewall we live and breathe micro training and there's this behavioral science principle called spaced learning theory and it's the foundation of advertising. It's the reason that Coca-Cola is a global brand and what it says basically is that if we break things down into tiny little, bite-sized chunks and we deliver that content to users at a high frequency, we're going to get really, really good retention. Now the opposite of that is that there are some behavioral science principles that say, if we don't do that and we use really long training, that's once a year, that we'll get zero retention. And so I love the direction that you're going and I think that that's going to be the direction of most things not just security awareness training in the future. If we look at social media and just the direction society is going, everything's getting shorter, smaller, more bite size. I mean even work meetings went from, you know, an average of 45 minutes you know years back to you know most companies moving to a scrum 15 minute. You know meeting sort of approach.
Angela Chen:Yes, I agree with you. I definitely think that that's going to be the trend.
Joshua Crumbaugh:Yeah. So carrot or stick? I like to ask this because I think that there's two schools of thought and I've had very, very strong opinions on this subject from both sides of the aisle. But you know, if you could only use one tool for the rest of your life and you had to give up the other one, would you pick carrot or would you pick stick?
Angela Chen:Well, so give you the short answer is I will go with carrot, because I've tried the stick approach.
Joshua Crumbaugh:I was hoping you'd say that.
Angela Chen:I tried the stick approach right for many different reasons. It never really worked. You really have to help people to see what's in it for me rather than say you have to do this, otherwise you will be blah, blah, right. Um, it never really right get to where you want to be. Um and uh, you kind of to me. You have to help people to recognize the value and to be motivated. Then you can really right get the result. Otherwise, like you can force people to take a training, people will just click through not paying any attention, just I'm done, bye, leave me alone.
Joshua Crumbaugh:I mean, I've done that before in the once annual training and I was a cybersecurity professional who was passionate about security awareness at the time. But it was that once a year, boring, you know, hour and a half long LMS module that I would take a test at the end, and and they did not get me entertained. And I think if, if you can't connect with the people who are passionate about cybersecurity, then there's no chance you're ever going to connect with the people that don't care about cybersecurity or don't know they need to care about cybersecurity. I think would be a better way of putting it. And so, yeah, no, I couldn't agree more.
Joshua Crumbaugh:Carrot is just incredibly important and using carrots in my experience is, well, it's like that old adage, you catch more flies with honey than with vinegar. And it's true. And it's true with users and I too have tried the stick, my favorite story of the stick when we first founded this company, we were still working on our methodology and one of my co-founders he says hey, I have this idea. What if we write some software that looks like malware and scares the heck out of the user. But it's fake and it's just designed to teach them a lesson not to click and at the time I go, oh, that's a great idea. It took us only less than a week to realize it was a terrible idea. But I definitely understand and anytime I have tried that stick, it doesn't work. But when I really use the carrot and motivate people and try and understand psychology and the science of how people change their behavior, it works.
Angela Chen:Yeah, so I just want to share a quick story with you. So before I took the CIO job, I spent most of my career as, like, a data girl. So I played many senior data jobs for different organizations and very often data governance is a big, daunting ask that organizations say, oh, we should do data governance, let's do it. How do we do it? The reality is actually you, if you do a survey right of a different organization to say, hey, how is your data governance initiative right? Did you really get what you really need out of it? Um, I I think, right, most of people will give you a little bit of funny face, like it's like, this is so daunting and not probably getting what they need. So what I I really realized and kind of did some trick um, a while ago about this is, it's a little bit similar mindset. So anytime when people hear governance or compliance, right, they say, oh, my god, right, so it's just red tape, it's just going to make me to do things I don't want to do. Yep, so when I uh was thinking, right, so how do we like, really do what's meaningful, what's valuable from the data governance perspective? I used exactly your carrot stick picture and so what I was able to recognize is the reality is everybody wants data, just like cybersecurity, right?
Angela Chen:So the reality is everybody wants to be protected, and just from different perspective, right? For example, the researchers, they want to be protected. So number one is so then they can meet federal compliance requirement before they even get any funding, because that's a prerequisite, right? So that's their incentive number one. Incentive number one, number two incentive is they know there are lots of different research projects that they are collecting very, very sensitive information. Sometimes it's a human object related, some is like a government, like military related, whatever you name it. Right, there are so many different cases. And they actually do want to be protected. They don't want to be bogged down by trying to protect themselves.
Angela Chen:Right to say, oh, I just want to hide my data, I want to use it whatever way I want and just don't talk to me is the reality is everybody needs data, especially from those essentially managed critical system like HR system, student system, finance system, and so if we can't implement the governance process as a part of the data access request which is so popular, it's all the time it is something people want, right? It's not like you say people want to run away from you, so then you make it to be number one. Show the value, just like you said right, be right, because it's contextual to their job now.
Angela Chen:Yeah, right, so be able to help them to understand, okay, this governance process is going to help you to get the data you want, rather than getting a default, no answer from the owner right of the system or the data number one. Number two is the process is going to be designed in a way so easy, so simple, right, so it's not going to become a red tape, rather than it's just simple couple clicks but then we can talk, basically, right, we can communicate and understand each other, what's important for you and what's important for the owner of the system and data. So then, as we start to take that mindset, the data governance process become just part of the workflow, without having to make it to be big and evil that nobody likes, and then it just always just stay on paper, never really being like a delivery, really the real value. So the same mindset that's what I see right from cyber training everything perspective is we do need a governance, right, to be honest, the stick is needed, right?
Joshua Crumbaugh:It is, yes.
Angela Chen:The compliance everything. Without those you don't have enough teeth right in some of the work that has to be done.
Joshua Crumbaugh:No, I completely agree, and the caveat to that question is that it's not as simple as one or the other.
Joshua Crumbaugh:I'm really trying to see more where people lean toward and what I find is that people like yourself tend to lean more toward the carrot if they can, and you stick more as a last resort, and to me I think that's the best approach.
Joshua Crumbaugh:And even before you go to, hey, we're going to fire you, and there's some really soft sticks you can use long before that, like just making them aware of the risk that they're posing to the company, if nothing else. So I think you know, even when we do get to sticks, one of the things that we can do is start with the soft sticks and if those don't work, then we can start keep escalating those sticks versus the places that I see that have more of that opposite culture, where they start with the you know the sticks and just make it keep, you know, escalating from there and it doesn't often take long to get fired. I've seen, you know, more than one Fortune 500 company that still to this day does the three strikes and you're out thing, which you click on three phish and you get fired.
Angela Chen:Oh really, yes, yes, so really.
Joshua Crumbaugh:Yes, yes.
Angela Chen:So yeah, that's a little extreme but I understand right, for financial industry or private, some private sector, it's necessary, and what I hope to accomplish for my current institution is create this culture that everybody understand we are in it together. It's complex, and for good reasons, and so we have to help each other.
Joshua Crumbaugh:Security is a team sport.
Angela Chen:Yeah right, if we work against each other, it will be even harder, that's true.
Joshua Crumbaugh:You know, back to what you were talking about with the example of data governance and tying it to those specific requests, a metric that I actually misquoted, I think, on this podcast the other day. But regardless, there's a metric that shows that when you do role-based training, or when you can tie that training to the individual's role or function within the organization, that there is a 15x improvement. I say that because I said 5x improvement on the other one and I was wrong. It's actually a 15x improvement on retention, meaning that you know, one of the smallest things that we it's not necessarily that small, but one of the easier tasks that we can do that has massive improvement is just cover a few critical roles in our organization and we see a massive difference.
Angela Chen:Well, I agree, I actually can see right that why it is 15 times more. And my question is how? So? Because to be able to do the role-based training, it actually requires a lot more sophistication in terms of how we leverage the internal and external data together right to identify the right training at the right moment to the right people.
Joshua Crumbaugh:Agreed. Not to shamelessly self-promote, but I will say there are startups working on stuff like that. One of them is PhishFirewall. So you know, regardless of us or someone else, I do know there's a number of players that are looking at specific things just like that. But you know, I don't that's not really the point of this podcast, but I think that's one of those areas where it's it's well. Like you said earlier, there's going to be times when you need to rely on vendors and I really think that security awareness is sort of like EDR. You know you're going to have to rely on a vendor to really get something that's really next gen or best of breed.
Angela Chen:Oh yes, 100%. I'd love to learn from the vendor. Um, because I recognize what I don't know and where my team needs help. That in itself right. Give us, like, the ideas right where we need to make investments and what type of help that we will need from the industry.
Joshua Crumbaugh:Yeah, so this has been absolutely wonderful. We are running low on time. Do you have any final words of wisdom that you'd like to leave with the listeners today?
Angela Chen:That security is everybody's business. We are all vulnerable, and so myself, my dad and everyone right. Just, we all have to get the awareness and also looking to technology, how we can leverage it to get ourselves better protected, both by the technology and also ourselves. So I am just very excited to be part of this continuous evolution of potentials and also, obviously, risk also increasing all the time. But I would love to also learn from the audience any suggestions or feedback that you can share with me. I'm always looking for new ideas or partners that we could work with to help us to manage this very complex puzzle and the never ending puzzle.
Joshua Crumbaugh:It is, and that's actually the exact reason I do this podcast, because I, for me, it's the ability to talk to people like you, share opinions, share experiences. Because you know we all see the world through the glasses that are, you know, through the frame of our lives, and so you know what you see. You can look at the exact same thing as me and see some of a very different perspective of it diversity inside of technology and just in general, that we just work to expand those skill sets so that we're not so, you know, one-sided, or you know a one-trick pony, if you will, within the cybersecurity team.
Angela Chen:Yes, 100%. Thank you again for giving me this opportunity to just talk about my personal experience.
Joshua Crumbaugh:Oh, thank you, and it's my pleasure. I really appreciate you joining us today. Please stay with me, but for the audience, I'm going to end the stream. Angela, stick with me just for a.