Phishing For Answers

From Buddhism to Cybersecurity: Jess Vachon on Leading with Empathy, Innovative Training, and Balancing Budgets in a Digital World

Joshua Crumbaugh, Founder & CEO of PhishFirewall


Jess Vachon shares insights into her calm approach as a CISO and how empathy in cybersecurity can significantly transform organizational culture. The episode emphasizes the importance of effective communication, role-based training, and the evolving impact of artificial intelligence on how organizations secure their operations. 

• Exploring personal journeys into cybersecurity 
• Importance of mentorship and coaching in the field 
• Balancing cybersecurity budgets and investments 
• Communication as a key to successful cybersecurity strategies 
• Tailored role-based training for improved retention 
• Challenges and opportunities presented by AI in security 
• Building a compassionate and cooperative security culture

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Joshua Crumbaugh:

Hello and thank you for joining us for another episode of Phishing for Answers. Today we are joined by our guest, Jess Vachon, and she is the CISO of PRA Group, so I'm really excited to talk to you. Do you have anything, maybe, not necessarily security related, but anything interesting about yourself you'd like to share with us?

Jess Vachon:

Sure. So I'm quite often asked how I can be so calm as a CISO, and I like to share with people that I actually studied two years to become a Buddhist minister. I bring a lot of that practice into my work life and my personal life. So that's how I maintain that balance. It's not something I generally tell people unless they're asking, you know, how come you're not all stressed out like all the other CISOs we know?

Joshua Crumbaugh:

Honestly, that sounds like a Black Hat or an RSA talk that I'd go to. I mean, whatever, just the less stress and more peace I think most of us could use, because cybersecurity has this habit of making people a little bit crazy, or at least manic, I'd say. Yeah, true. So tell me a little bit about your background. How'd you get into cybersecurity?

Jess Vachon:

Yeah. So it's been an interesting road, kind of a long road. I actually started out in the military learning electronics. Okay, got out of the military, worked for Cisco Systems doing support and then for a division of Chase Bank, went up through the ranks, kind of running IT departments, and then, as I was getting later and later in my career, I was finding I was spending 50, 60, 70% of my time doing security work and less doing the IT work as a manager, and I just decided I'm going to do this full-time, because I really had a passion for it and it kind of hearkened back to my time in the Marine Corps when I was younger. So I decided I'm going to pursue my passion area and worked for a company that allowed me to build a program from scratch.

Joshua Crumbaugh:

Oh, that must have been fun.

Jess Vachon:

It was great. It was my first experience doing it and it was for a company that was doing business with the DOD, so it was a good exposure to governance, risk and compliance at a very deep level, plus learning how to build security teams at the same time. And from there I just moved up into the CISO roles, and that's how I find myself where I am today. I love it, I love all aspects of security and I love building teams and either building programs from scratch or reinventing them.

Joshua Crumbaugh:

Yeah, I know it was the same way for me. When I discovered cybersecurity, I just knew I had found my place in the world, if that makes any sense. You know, I jumped around and did a few different things, really trying to figure out what was my career, and I actually changed careers a couple of times throughout my lifetime before I found cybersecurity. What's interesting is I actually found cybersecurity way back in high school but didn't know that I could make a career out of it until a little bit later in life when I went into it. So I always find it really interesting to just sort of hear how people got into it, and I know that for me that's one of the number one questions that younger people, when I go out and talk at these conferences, will ask: well, how did you get into it? Because it seems there's a lot of people out there that want to get into this field but maybe are having a difficult time breaking in.

Jess Vachon:

Yeah, I think that's true, and it's, you know, a combination of things, I think. Learning cybersecurity today, a lot of the people getting into the industry don't have the exposure that some of us, the older generation, have to actually understanding what the internet was. Before, you had singular programs that gave you access, when you had to go and get a CD or a floppy disk and install the programs on your computer so you could connect to the internet and send email and do all that. So we understand a lot of the underpinnings. I think it's more challenging for those coming into the career field now that don't necessarily have the understanding of the bits and bytes.

Jess Vachon:

Some do, I don't want to say no one does, but I think a vast majority don't have that. So when they're trying to work security and relate that to the business and relate that to what the IT teams as a whole are doing, it's a little more of a difficult transition for them to make that leap. And then I would think what's been lost over time is, when I came into the career field, just in IT in general, there was a lot of mentoring, a lot of coaching, a lot of learning on the job while you're being paid, and I don't see that as much. These days, there's expectations from a lot of people in my position or other IT managers that you come in and you know everything and you have experience. Well, that's not the reality of the situation. We have to go back, I think, in my opinion, to investing in our teams and taking the chances on those people that show aptitude but don't necessarily have the experience.

Joshua Crumbaugh:

I couldn't agree more, and I think part of it is that, you know, budgets tend to be a little bit they ebb and they flow in cybersecurity, and so we'll have these, you know, really massive high profile breaches. It'll remind everybody that they need to care about cybersecurity. They'll care for a few years and then it almost seems like all of a sudden, there's this shift where everybody says nope, we're spending too much on cybersecurity, we're going to pull back. And then all of a sudden, we're, you know, we're in this you know ebb phase and what happens is that everyone cuts back and then we go back to mass breaches and they wonder why. And it would be great if we could just, you know, maybe get a little bit more moderate, where we don't have the massive spikes after a breach and we don't have the massive cutbacks afterwards and we have a little bit more of a stable budget. I don't know, that's been my experience in terms of, you know, if you look at the industry over the course of any 10-year cycle, it definitely goes both ways.

Jess Vachon:

Yeah, absolutely. I think some of that is on those of us in leadership and information security, because I think there's a tendency to say we need all these tools and invest so heavily in the tools, and we're not maximizing the use of those tools, but on the flip side, we're not talking to the business, we're not understanding the demands of the business, we're not following the revenue of the business. So what we are doing, what we are protecting, has to be in step and in moderation with what the business can absorb. We want to make sure that, if we're a public company, those that are investing in the company are getting a return on their investment. So it behooves us to be prudent and diligent in how we're presenting data to back up our case for expenditures, whether that's for tooling or for staffing.

Jess Vachon:

I have this theory that information security is kind of like having a rubber band in your hands.

Jess Vachon:

If you, if you put it around your two hands and you separate your hands too much, you break that rubber band because you put too much demand on the rubber band.

Jess Vachon:

If you go in the opposite direction, it's really loose, the rubber band is not effective, it's not doing anything. So we have to find that tension point where it's just right, where that rubber band is not too tight and not too slack, and we have to do that in terms of budget. We have to do that looking at personnel and looking at our risks, presenting data to the business and then making a good business case overall to leadership. I think when we do that, and we do that with a multi-year plan, we don't have the peaks and valleys. We stay very consistent, we're communicating to the business in terms that they can understand why we're making the investment, and it's better overall in terms of security and the ultimate success of the business, which is why the security folks are there, right, unless we're providing security services as an MSSP. We're there to help secure the business, but not hinder the business.

Joshua Crumbaugh:

So I like that, and that's one of the things that, you know, I guess was a little bit unexpected, but comes up very, very frequently on this program, and that is that we have to understand the business case and we really need to have a little bit of that business mentality to be effective cybersecurity leaders. Everything from communicating risk to executives so that you can get that budget and they understand why they're giving it (because if they don't understand why, you're never going to get the budget to do what you need to do) but also understanding how to balance. You know, there's a lot of, I think, sometimes misconceptions as to what the role of cybersecurity is, particularly with newer people. Because it was true for me, when I first got into cybersecurity, I thought it was my job to mitigate risk and my job to, you know, just really crack that whip to keep the network secure. And I had that, I don't know, the stereotypical God mentality or God complex, I guess, and I was like, this is my network. But it wasn't, right. My job, and I learned this very, very quickly, my job was to communicate risk and let other people decide what they wanted to do with it, and it was also my job to communicate ways to help manage that risk, but ultimately it was the business decision as to whether or not they did anything about it. My job is just to communicate risk.

Joshua Crumbaugh:

And I think one of the things that really stood out to me in my career, because I did a lot of application security testing, was the data that is highly sensitive that gets thrown into these penetration testing reports as an informational, because the testers didn't realize how sensitive the data is.

Joshua Crumbaugh:

And I'll give you an example. On all of these, or a large majority of these SaaS companies that I've looked at over my career, they all have single sign-on. Well, that's great. It seems like it's a good thing until I can enumerate each and every one of your clients. And as a SaaS company, as the founder of a SaaS company, I can tell you one of my most protected bits of information is my client list. But I can also tell you, when I was a penetration tester, I saw a million times where that finding made it to the report, but as an informational. So it's so important that even the junior people in cybersecurity understand the business case and the fact that we're there to enable; we're business enablers. We should not be hindering.

Jess Vachon:

Right. I agree with that and I agree with the statement that we have to take our frontline staff, our most junior staff, and help them understand the business. I've instituted a practice in several organizations I've been with where we have some of those junior associates in some of the meetings with the senior security associates so that they can listen, learn about the business but also learn about better ways to ask questions so they can do their job better and how to communicate things, because so often they go straight into the weeds and no one's going to understand a thing they're saying when they're getting really technical.

Jess Vachon:

Exactly. I work with a lot of mentees, and when we talk about your skill sets, we certainly talk about the technical aspects. We talk about governance, risk and compliance. But I stress to them that to be successful, you have to be a good communicator. You have to be a good teacher, because at least 50% of your time, if not more, is going to be spent educating the business on why we're doing things in security in a way that they can understand, and communicating it over and over and over again.

Jess Vachon:

You know, I think people in information security can get frustrated. I've told you once, I've told you twice, I've told you three times. Well, we have to keep telling people until they understand it, and maybe the way we're telling them they can't take it in. So we have to find different ways to communicate. It's an aspect that teachers will tell you is called differentiated learning. So we could be speaking something, but maybe they need it in writing, maybe they need it in video, maybe they need it in all three forms so that they can take that information in. That's on us. If we're not effectively communicating, we're failing the business.

Joshua Crumbaugh:

So this is what I call social engineering for good. You're bringing up a behavioral science principle and applying it to cybersecurity. A long time ago, when I first got into red teaming, I very quickly realized I was very good at social engineering, and after years of the gotchas, it really made me question if penetration testing was doing any good, because most of my clients were just there for compliance and we issued the same report, I mean identical, year after year after year. Nothing changed, nothing improved. And so, you know, I really wanted us to find a better way of addressing the human element, because time and time again, I'd go, you know, do the readout for senior management and they'd say, well, we're already doing this, this and this. What else do you want us to do? There aren't even any tools in the market that can support what you're saying we need to do, right.

Joshua Crumbaugh:

And so it really led me to: well, if social engineering and human nature can be used to get people to be less secure, doesn't it stand to reason that those same tactics could be used to make people more secure? And it took me down this really fascinating rabbit hole, and there's so many things like that that we can apply to cybersecurity, and one of the things that I'm always trying to teach, because in between, when I learned about cybersecurity back in high school, teaching myself to program and being in the Usenet newsgroups and the Freenode IRC channels for 2600, I didn't necessarily know that I could make a career, right, but in that meantime, when I went to college, the marketing dean, he found me and he recruited me. So I went to school for marketing. Never planned on it, but I went to school for marketing. Why does this matter? It matters because advertising theory really does apply when it comes to security awareness. Coca-Cola doesn't get mad when you don't listen the first hundred times you see their ad.

Joshua Crumbaugh:

They know that if they hit you enough times with the same ad, they're going to get you to drink their product, and it's called spaced learning theory, and it's really advertising theory, but it says that if you break things down into tiny little chunks and feed them to people at a really high frequency, you get really high retention. So to me, if we apply that approach to our cybersecurity initiatives: A, we're not going to be mad when they don't listen the first three times, because we're going to expect them not to listen for the first hundred times. And B, we're going to get better results. And when you look at all of the academic studies coming out, they're all showing that the traditional methods, the methods that we're all using right now, they don't do anything to improve our security. In fact, there's been a few academic research papers that have found that they actually make people worse.

Joshua Crumbaugh:

I don't know if you've read any of those.

Jess Vachon:

I haven't, but I can certainly see that. I mean, what, for 10, 20 years we've been approaching training for staff in the same way. They've shut off. They go through the training, they answer the questions, but they've seen it so many times that they're not taking it in, they're just going through the steps. They might as well be walking out the door to go to work in the morning. I mean, they're not thinking about each step they're taking to the car and unlocking the car and getting in the car. So we have to find better ways of doing it.

Jess Vachon:

And I think you kind of touched upon it. Instead of saying, well, you're the recipient of the training, what I've tried to do is say, well, we want you to be a security champion, we want you to be a participant in the process. So give us some feedback on how you would like to learn about this or what other ways we can present the learning to you so that you can use it effectively. And maybe it's breaking down the training into individual groups. So if you're working with a legal team, there's ways that they want to understand information security. If you're working with a procurement team, there's ways they want to understand it. So we can tailor it in that way and we can communicate in that way and then say hey, you're going to be the champions in your area, the proponents for us of security, and I think that empowers them to make the difference instead of making them just passive consumers of the information.

Joshua Crumbaugh:

Yeah, in fact I saw a study that found that when we do role-based training and it's contextual to the work that that person does every day, there is a 15x multiplier on retention, 15 times better retention, just because we tailored it to that individual. And so when we combine that with a few other things, just imagine how much better we can get. But yeah, we have been doing the same thing for 20 years now. And what's the definition of insanity?

Jess Vachon:

Doing the same thing over and over again and expecting different results.

Joshua Crumbaugh:

Exactly. But you know, I had an opportunity last Friday or Thursday, I don't know, last week, to speak with Wendy Nather, and one of the things that she was saying is, listen, we need to question everything. You know why? Why is it that I've been at this for 20 years yet I still have to work this hard, she's like. So if we're all having to work this hard, we're clearly doing something wrong. And her thing was question everything, including me and what I'm saying. Question everything, because chances are we could have created some of the problems too. I mean, I know, back in the day I was a big advocate of the stick, which I'll get to, carrot or stick, in a minute.

Joshua Crumbaugh:

First, I want to hit on role-based training a little bit more. But I mean, when I first started, I was just like everybody else. What's the first thing you learn? Well, you learn that the user is the problem, and it's not just if you're in cybersecurity. You can be in IT and you're learning about PEBKAC, the ID-10-T error, you know, you can't patch stupid. But all of these, to me, are demeaning to the user. Yes, and number two, it's a cop-out, because if we're not even trying to begin with, how can we blame the user?

Jess Vachon:

Agreed, agreed. And I detest that attitude. That's not something I ever want to hear with the teams that I'm working on. It's just the completely wrong approach, and it's adversarial.

Joshua Crumbaugh:

It is. It is, and I mean, Social Engineering 101 says I got to keep you on the same team as me. So if we want the users to feel like, you know, they are part of the solution, we got to be on the same team, not on opposite sides from them, and I think that's really critical. Before we go to carrot or stick, though, one of the things that I've realized in talking to different people like yourself is that, as we talk more and more about role-based training, it means different things to different people, and we're looking at different, maybe slivers of the picture. And so I'm curious, when I talk about role-based training, what does it mean to you and what would your priorities be?

Jess Vachon:

Yeah, I think I touched upon it a little bit earlier in the conversation that we're tailoring the training to different business roles. I know when I take training, if I have some experience in my area, if I can relate the training to the work that I do, I retain it, and I'm already thinking before I'm done the training, oh, I know exactly how I'm going to use this information to improve the work that I do. So that's how I view it. We're tailoring that training to the individual groups, to the work that they do, in ways that they can incorporate it almost immediately into that work, and it benefits the security of the organization.

Joshua Crumbaugh:

So if I've got limited ability and let's say I can only do three new roles this year and I know it's different for every business, but I'm just curious what roles would you prioritize?

Jess Vachon:

Certainly, applications development would be one area, I agree, and I think procurement has to be, because you're dealing with third-party risk, right? So when we look at staff, we know, based upon data, they're the biggest entry point for threats into the organization, right? Well, after that it's third-party risk, and that's based on the data too. And if we look at the attacks that are going on now, less of those are directed at individuals. More of that is directed at relationships that a company has with other companies. So they're looking for the lowest entry point they can get, the point of least resistance.

Jess Vachon:

So, definitely procurement, definitely development, because they're using a lot of software that's developed by outside agencies and brought in. Those would be the first two areas. And then, I think, our legal counsel. It's important to loop them in as well, because they have a lot of perspectives on how we can incorporate what we're doing into the business, and they can incorporate that into the contractual agreements that we have and hold some of these other companies accountable for some of what we're trying to do. The farther out we can push that security, the more partnerships we can build for security, the easier it makes it for us to do our jobs.

Joshua Crumbaugh:

I like it. I've also heard people answer that question based on seniority and sort of coaching how to drive that culture change within the organization. Of the approach that you would take with limited resources: developers, absolutely. You know, procurement, I really would include all of finance, not even just procurement, just the entire finance team. But you know, I completely agree, and I think that one of the things that's really critical to mention when talking about role-based training is that almost everyone that I'm talking to is already seeing role-based phishing attacks. Is that true for you as well?

Jess Vachon:

I won't say that in the last three or four positions I've been in that I've necessarily seen that evidenced, you know, other than if we were looking at business email compromise. You know, for the executive team, that might be an area where I see it's being targeted based on role.

Joshua Crumbaugh:

But yeah, that's where I see it the most commonly, but it definitely seems like they know what the person does in the company and they're trying to exploit that.

Jess Vachon:

They're definitely smarter about it. They're using the data that's available to them. I think, maybe because we have good partnerships out there with tools, or the tools that we're using, the experts in those companies are adapting to those changes from the attackers, that some of that's been mitigated. That's up until now, right, but then we factor in AI, and I think we're into a whole nother area of threat and how those threats are going to come across and how effective they're going to be, because when you've seen some of the examples that are out there, it is very, very, very hard to detect if that's a real individual or not.

Jess Vachon:

I think at some point we're going to be telling our staff, look, don't trust anything that's coming across unless you know you were expecting that, period. It's okay to delete an email. It's okay not to respond to a Teams message that comes from outside the organization. If it's really important, if it's really critical, someone's going to pick up a phone and call you, you know. So maybe we're looking at multiple layers of authentication, socially based, to trust what we're seeing.

Joshua Crumbaugh:

Oh, I think policy and procedure has got to be part of the protection, because at a certain point, technology is not the solution anymore. Technology is only the problem. And it's funny how, as AI progresses and gets better, and we look at the reality of deepfakes. I talked to the CISO of Synovus Bank and they've already had a deepfake target their CEO. Now I think it's mostly in financial right now and not a lot of people have seen that. But it's not just over in Hong Kong anymore. It's happening here, and as technology gets better and it's easier to create these fake videos of people, I think that's when we're really going to have to go low tech to address it.

Joshua Crumbaugh:

One person said, well, we're going to have to do baseball signals. Another person said, well, we're going to need code words. Another person said, well, we got to do out of band. And I honestly think it's probably a combination of those. You know, where we have a set policy: this is the only way we're doing a wire. You follow the policy or it doesn't go out, and we just leave it there, where all these things have to happen or it's not happening, period.

Jess Vachon:

Right. Yeah, it's definitely a challenge, and I don't think anyone has the answer right now to how to address that in a way that's foolproof. Although I think saying anything is going to be foolproof in information security, you're really putting yourself out there to be wrong.

Joshua Crumbaugh:

Yeah, we don't want to be another version of the Titanic, do we? Because that's what I see or think of. When anyone says we can't be hacked, I think, yeah, the Titanic couldn't sink either. Okay, so carrot or stick. Now I got to premise this. I know it's not so simple, but I know that everyone leans toward one or the other. So if you had to pick one, what would it be?

Jess Vachon:

Carrot.

Joshua Crumbaugh:

Any follow-up, like why, or thoughts on that?

Jess Vachon:

Because I think when you have a culture of punishment, people are less likely to come forward when they make a mistake, because they fear what's going to happen. Look, I have clicked on phishing test emails before and I'm a CISO. It happens.

Joshua Crumbaugh:

Thank you for admitting that, because, I mean, I've clicked on things before too, and I think everyone in our industry tries to pretend that they're perfect, and when we just admit that we make mistakes too, the users see us as human.

Jess Vachon:

Right. I mean, we don't know where a person is going to be at any particular moment in their life. And they could have excellent training, they could be a professional in security, but for some reason, at some instant, when they received a particular message, they weren't fully there, they weren't fully aware, fully in the moment and present, and they made a mistake. All of us make mistakes. So I just don't believe in a culture of you do what we say or you're in trouble. I'd rather say, do what we say, please. Okay, if you make a mistake, we'll reinforce the learning with you. Don't continue to make the mistake. Here's how to avoid the mistake in the future. And you know, certainly if the same person keeps making the same mistake over and over again, there has to be some sort of adjustment made to that behavior.

Jess Vachon:

But you know, I think, even if we look culturally across, at least in the United States, when some of us were younger, we were raised with the stick, or the switch, and the younger generations have been raised much more with the carrot, and I think they probably have a little bit stronger relationships with their parents than some of us that were raised with the switch or the stick.

Joshua Crumbaugh:

You got me laughing now. But no, I think you're right. And just to me, it really goes back to that old adage, you catch more flies with honey than you do with vinegar. And you know, I think about this scenario where you've got the employee that's having financial problems, has been passed over for a raise for the last two years in a row, knows that they deserve at least a cost of living, if nothing else, and all of a sudden they get an email saying, hey, you got a raise. And they click on it and it takes them to a landing or a login form that doesn't work. But they go, and you know, they walk outside and they call their spouse and they say, hey, I got a raise, don't know what it is yet because I can't get into the portal, and then they come back in and their boss has sent them an email saying, hey, I need to talk to you. And they go into their boss's office, and not only did they not get a raise, but they're in trouble.

Joshua Crumbaugh:

And imagine the emotional roller coaster from depressed to excited to seeing, you know, maybe a light at the end of the tunnel, to now you're right back to where you were, only it's even worse because your job's on the line. That is how we create insider threats. That is not how we create employees that want to help. And you know, when people talk about the firing, one of the things I like to point out is that the only employee that deserves to be fired is the one that doesn't care. The one that doesn't care has had problems elsewhere. Security is not the only reason that person needs to be fired, and so it still comes back to communicating risk. Only this time we're communicating it to HR.

Jess Vachon:

Yeah, I think you're talking about a lot of different things there too. You mentioned the insider risk or insider threats. So you should have a program for that. Compensating controls: you should have compensating controls because you know that everybody in the business is going to make a mistake at some point in time. The compensating control is there to catch them, to save them, right?

Jess Vachon:

And then the third part of that is culture. So how do you get to a point at which you have an employee that is that disenfranchised? That's a failure of leadership. So you really need to be developing a culture where you're talking to your staff all the time, you're listening to their concerns, you're trying to address them. Now, you might not be able to get them a raise, but at least you need to go through the process of talking to them, representing that concern in front of HR, asking for a market analysis to be done, and then coming back and saying, look, we couldn't do anything about this. So they know that the best way to address that issue is internal, rather than hoping that some email comes in that's promising them something more than they should be believing in and causing them to click on it. So, you know, you mentioned a good scenario, but there's three other areas in which we should be catching those problems before they ever become an issue for the organization.

Joshua Crumbaugh:

I agree. I know it's a bit of an extreme, but I do a lot of speaking at conferences, and one of the things that will happen is that people will come up and talk to me afterwards, because I'm talking about things like this. One of the really common talk tracks I have is about the three strikes and you're out policy, because I still see it being deployed all over the place. In fact, just last week I had somebody on the show where I got to spend a whole 30 minutes debating carrot or stick, because they were so adamantly for stick over carrot, and we went back and forth. But you know, I do see that there's still a lot of people on Team Stick, and they're in positions of great authority and they're creating cultures very much like what I described, and so I think it's important to, you know, just try and help people understand what can come of that. But I agree that you should have that insider threat program.

Joshua Crumbaugh:

But I think where I was going is we don't want to hurt our employees, we don't want them to feel alienated or, like you know, their employer is the bad guy, because that's when things go bad, and that's when we're shooting ourselves in our own foot, right? Okay. So, so many different places we can go after that, but one of the things that we haven't really talked about yet, let me move this, okay, over here. So one of the things we haven't really talked about yet is artificial intelligence. Now we talked a little bit about deepfakes, but AI is really reshaping a lot of things, everything from DevOps over to just how our people are working on a day-to-day basis, over to what we need to train people on. So, starting out from a security awareness perspective, in your opinion, what should we be training our users about as it pertains to AI?

Jess Vachon:

Yeah, I think probably the main focus right now is that if they're using AI, where is the data that they're accessing? Where is that coming from? And if they're putting company data in, where is that data going? Right? So we need to know the answer to those two questions, because a lot of organizations have retention policies in place. They may be multinational, so they have GDPR requirements or CCPA requirements around privacy. So, depending on what you're putting into these models, you could automatically be violating some of these federal, state and company regulations that you have in place. So when we talk to individuals across different industries about the threat of AI, we speak to them first about where the information is going.

Jess Vachon:

If you don't know where the information is going, don't use the AI model. And there's so many SaaS products that are available now, like, oh, we'll transcribe for you automatically. Okay, but if you read the fine print, they're using all that audio that they're transcribing to train their model, and that data is being kept by them, and they have rights that you sign away for them to use that data in any way they want.

Joshua Crumbaugh:

We switched video meeting or video conferencing providers because of that exact thing. So, yeah, I definitely have seen instances where it's already a concern, and then there's so many where it's almost like a black box. It's impossible to get any answers as to how the data is being used, and I think that's the next area of concern: hey, if you can't get any answers, you really shouldn't be using it.

Jess Vachon:

Yeah, absolutely.

Joshua Crumbaugh:

You know, one of the things that one person said is well, we have to give them some way to use this, because if we don't give them a tool to use, then they're just going to go use it on their own and then they're probably going to use insecure tools. Do you agree, or do you think that maybe that's not giving the user enough credit?

Jess Vachon:

It's not giving the user enough credit. I don't think you have to say no. It's not approaching a request to use a tool with a no. It's saying, okay, well, here are the questions we need to ask. Can we both ask these questions?

Joshua Crumbaugh:

How can we do this securely? I like that, yeah.

Jess Vachon:

Right, and then making sure that whoever's requesting it, that that line of business understands what the risk elements are, and making sure that that line of business owner is willing to accept that risk. Now that's very generalized. There's other things that go into that: your overall organizational threat profile, your risk appetite, what market you participate in, manufacturing, financial, what have you, and claims data, actual data about claims that are being filed on that. So you have to factor all that other stuff in, but at a very basic level, to enable people to use it, it's a conversation, right? We talked about that earlier. It's about teaching and talking, coming to an agreement on the risk that we're going to accept, and making sure that someone in a position of authority is accepting that risk and showing what the business benefit is going to be, because that's part of the equation as well.

Joshua Crumbaugh:

Yeah, I agree, and one of the things that you said that I think is just so key: making sure somebody is accepting that risk. I've seen so many people that accept risk on their own because they're afraid to go talk to the higher-ups. Don't you want them to sign off on that risk? Not you? But I think that's really great advice.

Joshua Crumbaugh:

Rewinding a little bit earlier, you were talking about how we have to be going out and having conversations with people inside of the organization, and one of the things that I've just noticed over the years is just how introverted so many of us in this industry are. But it seems to me that the more we can force ourselves to be a little bit extroverted, the healthier it is for security, because anytime I've been able to just go out and sit down and start having conversations with different department heads, or even just people in the trenches at the companies that I managed security for, I learned about things and ways that they were doing things that maybe weren't super secure. And I think that's part of it, because there's so much we don't know if we don't have those conversations.

Jess Vachon:

Yeah, I agree, that's very important. I use a practice with my teams where we put our actual security professionals out on some of these other teams. So, software development: we will embed, for lack of a better term, some members of our team with software development so that they can be there as active coaches, but also understand the workflow and what they're doing and act as partners in that way. So there's ways to address that. Yeah.

Joshua Crumbaugh:

No, I like that. I think that's a great way to go about it. Not exactly purple team, I don't know what we would call that, but I like it regardless: getting our people out into those different organizations. You know, I've really, I guess, led this conversation. Are there any things that maybe I haven't asked you about that you're passionate about as it pertains to the human element of cybersecurity?

Jess Vachon:

Well, you have to believe in people. Everyone wants to default to good behavior and doing the right thing. No one sets out in the morning to do the wrong thing, even those that end up on the wrong side of the law. Their intent was not initially to do something evil. It was an intent to alleviate some stress or some pain point in their life, right? That's what causes them to react in a way which they think is going to get rid of that. And we have to remember that everyone has different things they're bringing to the table at any moment in time. And when we say that you shouldn't be compassionate, like we shouldn't bring compassion to the table, I completely disagree with that. That is the way we should be treating each other all the time. That is the way information security professionals should approach their work. And I think when you do that, it's received well and you're more successful with your program, because others want to partake in the success of the mission with you.

Joshua Crumbaugh:

I agree, and empathy is so critical in cybersecurity, but in every walk of life, I mean. We're all different. We all bring unique traits, skills and expertise to the table, and you said it right before we got started that one of your pet peeves is not realizing that value that other people bring to the table. And I couldn't agree more, because in cybersecurity there's a lot of egos, and I've been guilty myself. But you know, it's OK to have the ego, but I think it needs to be kept in balance with the fact that, hey, that person in finance is just as brilliant, that person in advertising or marketing is just as brilliant. We're all brilliant in our own way, and just because we're in cybersecurity doesn't mean we're any smarter. It just means that we're in a field that Hollywood really glorifies.

Jess Vachon:

Agreed. I heard it said on a podcast earlier today: there's two different types of pride, right? There's pride in an accomplishment, which is a good pride, and then there's a pride where you just think you're the best and you stop questioning if you need to learn, and that's the bad pride.

Joshua Crumbaugh:

I would call that arrogance.

Jess Vachon:

Yeah, well, and it is, right, it is. So hopefully, you know, it's okay to walk with the right kind of pride, where you're accomplishing things as a group and everyone's taking part in that, rather than just thinking, well, I've been doing this for 20 or 30 years, so I know everything there is to know. I mean, that's a folly waiting to happen right there.

Joshua Crumbaugh:

Yeah, and this crazy thing happens when you create a strong, positive, empathetic culture. The users reward you by being more secure, and all of a sudden you have less to deal with because you've got users that care. And I think that's one of the most critical things, and I've seen it time and time again: when companies are punitive, they always have significantly higher human risk than the non-punitive companies. The numbers speak for themselves. Unfortunately, I get to see them from time to time. But no, I just, yeah, it's a big pet peeve of mine too. We are running a little bit low on time here. So, because it's Security Awareness Month and I know it's winding down, we only have a couple days left. But number one, are you doing anything special for Security Awareness Month? Or rather, did you do anything special for Security Awareness Month? And then the follow-up to that is, do you have any advice for the non-technical user that may be listening in?

Jess Vachon:

Oh, all right. So yes, we run educational campaigns and training throughout the month. We're also developing newsletters to run throughout the rest of the year. So, rather than just treating one month as the time when we focus on education and communication, we're rolling out a bigger plan throughout the rest of the year to keep security fresh and foremost in people's minds. And then the second part of the question was advice for non-technical people. Is that correct?

Joshua Crumbaugh:

Yes, yeah, just the average user. What tips do you have for them to be more secure?

Jess Vachon:

Yeah, so just enable auto updates. Patch any of your devices whenever the patches are available. Don't wait. Do it immediately when those patches come out. If you have accounts that allow for two-factor authentication to be enabled, turn it on, especially for your financial accounts, because that is one of the greatest areas of attack for personal devices, and once the money's gone, it's gone, and it's a lot of work to get it back. So just do the very basic things that are recommended. You can trust most of the technical companies that when they're putting a security feature in place, it's for a good reason.

Joshua Crumbaugh:

You should take it to each other, and that's almost every update: security patches because some hacker found a way to exploit it. So yeah, I couldn't agree more. One thing I might add: trust your gut. It's your body's built-in antivirus, so trust it. It's designed to protect you from getting hurt, doing dumb things, losing all your money to an investment scam, whatever. So trust your gut. With that, that's another episode of Phishing for Answers. Thank you for joining us and have a great day.