
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
From Technician to CISO: Rob LaMagna-Reiter on Cybersecurity Leadership, AI Threats, and Effective Communication Strategies
This episode delves into the human side of cybersecurity, featuring insights from Rob LaMagna-Reiter on the importance of communication, mentorship, and understanding AI-related threats. By focusing on personalized training and fostering a culture of open dialogue, organizations can empower their workforce to effectively navigate evolving risks in cyber defense.
• Highlighting the role of mentorship in personal development
• Importance of clear communication across all organizational levels
• Relationship between cybersecurity and business operations
• Strategies for effective phishing and awareness training
• Addressing AI-driven threats and their implications for cybersecurity
• Understanding visibility and decision-making in security initiatives
• Encouraging a culture of trust and accountability within teams
• Emphasizing the need for continuous learning and adaptation in strategies
• Creating non-intrusive yet effective security training methods
• Exploration of the evolving digital threat landscape
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Joshua Crumbaugh: Hello and welcome to another episode of Phishing for Answers. Today I am here with Rob LaMagna-Reiter. I believe I said that right. Absolutely. All right, Rob, maybe you could tell us a little bit about yourself. How did you get into cybersecurity to begin with?
Robert LaMagna-Reiter: Yeah, so cyber has been the focal point of the entirety of my career, which, gosh, if I'm looking at the calendar, we'll be going into 2025 and I'm hitting up close to that. 19 pilot in the Air Force and his side hobby was tinkering with machines. So I grew up tinkering with the old 286s and 386s, which I'm sure some of our viewership is like, that's not that old. I was tinkering with things before then, right, but I'm sure some of your audience is probably going, a 286, man, there's no way.
Joshua Crumbaugh: There's no way.
Robert LaMagna-Reiter: That's what I learned on, by the way, was a 286. It's also the first computer I bricked. So yeah. And so, as I was growing up, I dabbled into, for those of you who might remember, phone phreaking, and I joined the 2600 Hacker Quarterly and had the magazine show up at my doorstep. My parents are going, what are you doing? You know, what is that? Should we be concerned?
Joshua Crumbaugh: And it just evolved. Back in that day, they probably should have been concerned. At least my parents should have been.
Robert LaMagna-Reiter: So it just evolved into my appreciation for technology doing something it shouldn't do and learning how to help organizations prevent it or minimize the chances that something doesn't produce the intended output. And I've had the luck of being in several verticals and several industries. So I've got to see your highly regulated government organizations. I've got to be in startup land, and the career journey is not linear by any means, right? So it's taken me all over the place throughout the country, different roles and levels, and I've just been lucky to work with some very impeccably nice, very talented individuals. That's probably the most important thing about the information security realm: by far, we have a tremendous number of folks that are willing to invent, you know, mentor, advise and guide, and that's helped propel my curiosity, which I think has helped me succeed.
Joshua Crumbaugh: So, oh, I agree, and likewise, when I was early in this, there were just so many people ahead of where I was at in my knowledge and my career that were just more than willing to help out, and I hope our industry still is that way for newcomers joining.
Joshua Crumbaugh: But I think it's a really great point that you brought up and something that is a great reminder to anyone new, anyone trying to get in. Feel free to reach out. You may have a very different path yourself than what we had, but sharing ideas and knowledge and how we broke into this in the first place, I think is so critical, so that's really great. Now you're on a few boards and you do some advisory work to sort of give back to the industry. What is some of that work that you do?
Robert LaMagna-Reiter: Oh yeah, thanks for asking. I'm a member of a teammate that calls villagers, where we participate with cybersecurity startups, ideate and advise them on problems that we're experiencing as leaders, what we're experiencing collaborating with others, and helping to funnel their ideas and energy into solving our problems, versus a lot of times when security practitioners get pitched, we're getting pitched with great ideas, but they're not designed at solving legitimate problems that somebody's willing to pay for.
Robert LaMagna-Reiter: There's a company out of Kansas City, Soft Warfare, where I'm president of their advisory board. They're doing some very phenomenal things with zero trust identity. You know, they claim and make some very good technology for the guy, I can't go into details on it, right, they do some very highly sensitive information with our wonderful armed forces, so they're helping to enrich the resiliency there. And then I participate with the Cloud Security Alliance as a member of their Zero Trust Expert Committee. So I've had the pleasure of leading several security programs through either overhauls or implementation aligned to those principles and was graciously asked if I could help join and continue the evangelism and teaching others. That's been the most exciting part of that role.
Joshua Crumbaugh: That's awesome. I imagine you didn't start out as a CISO and you started out a little bit more junior. Now that you're in a CISO role, what are some of the things that really stand out as just really big, eye-opening lessons that you learned, that maybe you weren't aware of when you were more junior, but becoming a CISO forced you to learn? Are there any sort of big revelations that you had during that transition?
Robert LaMagna-Reiter: More often than not, the ability to communicate, but not just communicate, but to be personable with others, is incredibly important.
Robert LaMagna-Reiter: Conveying ideas and finding likeness and not using technical terminology, again, more often, is going to make you immensely successful.
Robert LaMagna-Reiter: While being able to understand and piece things together, you learn that the vast majority of what you deal with as a security individual contributor or an engineer, an analyst, architect, pick your title, the vast majority of the folks that we interact with just want their jobs to be as easy as possible and do not have a need or desire to go as deep down the rabbit hole in security as what we're taught through, you know, either online courses, your formal education system, certifications. And so understanding that and leveraging that to your fullest advantage to extract the resources, get the capacity, get the funding for your folks on your team and others. Those are the skills, right, you don't learn, aren't necessarily taught or given. They come through cutting your teeth, being mentored, talking in peer groups, and those have been the biggest skills that I've had to learn, double down on and hone over the course of my career, transitioning from an intern all the way up through, which is now. This is my third CISO role.
Joshua Crumbaugh: So one thing that stood out to me about what you just said, and that seems to be a recurring topic on this show as well as at the different conferences that I'm at, what the speakers are talking about, is how most of our industry, or our industry as a whole, tends to be heavily introverted, but how there is absolutely the need for that extroverted mentality, and how you're never going to understand all of your risk if you're not out there talking to the different department heads and not just evangelizing cybersecurity but also just learning about their workflows, their processes, their procedures and identifying areas where there may be weaknesses that can be addressed by cybersecurity. So I like that you mentioned that so much of it is around communication and being able to articulate that risk, or being able to articulate, you know, what needs to be done. I couldn't agree with you more on some of those points there. Anything else that sort of stood out as you progressed in your career?
Robert LaMagna-Reiter: The power of being silent and listening very intentionally is going to be a superpower for a lot of those in the industry. You tend to pick up on word inflection, the non-verbals, trying to understand where folks are anchored or where they may have bias in one way or another, and it's the picking up on those. You're never going to get it the first time, but over time you tend to learn when and how to interact, and that is almost more effective than always having the right answer. Today, I don't pride myself on always having the right answer. I pride myself on knowing when and where and who to ask questions to and tying that back to, you know, for example, in my organization, how is that going to help us control unit costs, right? How is that going to help make us more competitive while maintaining the existing risk appetite and so on, right? How are we controlling the controllables?
Robert LaMagna-Reiter: And even though I'm not using the terminology externally that we might talk about in the cybersecurity world, I don't have to. I'm getting what I need to be able to translate that into initiatives for my team and let the experts do their thing, right. They want clarity and guidance on where we should be focusing our engineering and architecture and operations teams, and it's my job to ask the right questions, to solicit the right responses. And those are some of the things that, again, take some trial and error, but that's going to, if you have an interest in becoming a cybersecurity leader that has broad, you know, business buy-in and has well-refined relationships with those peers, and continuing to want to become an effective non-security leader as well as a security leader, those are the areas you need to focus in on or dive into.
Joshua Crumbaugh: All right, I like it. Real quickly, do you see me? Because all of a sudden my picture has disappeared here. I can see you, yes, and I'm going to assume so can the audience, and it's just my computer having some issues. So I couldn't agree more.
Joshua Crumbaugh: Just about all of those business needs, balancing it, and I like how you brought it down to unit cost, because to me that is how we are more successful as cybersecurity departments: being enablers of business instead of being Doctor No, if you will.
Joshua Crumbaugh: And so when we enable business, we understand that our KPIs are very different than the CEO's KPIs, and the CEO is not necessarily going to care about all the why. They care about the risk and managing that risk, or accepting the risk sometimes. But it's a little bit of a different conversation when you realize that, you know, that CEO, they care about cybersecurity. They just have 10 other things on their plate that are far more critical than cybersecurity, and so it may come off as though they don't care, but they truly do, and I think it's almost this misconception that, you know, they don't care about cybersecurity. No, they just have other things that are a little bit more critical at the moment, and the problem with that, though, becomes that when cybersecurity becomes critical at those companies, often it's as the result of a breach, and so, you know, those memes start becoming very true.
Robert LaMagna-Reiter: You know, budget before a breach versus budget after a breach. So, well, a lot of the misnomer goes back to a couple of forces working against each other, right. You think back to the majority of either the high profile, low profile, any of the cyber incidents that you might have heard of over the last 10, 15, 20 years. The majority of those organizations are still operating. They're still around. You still shop at Target, I would assume. Right, remember that, when that was the largest breach? I do. And so it's not the fact that security professionals are hammering on the wrong ideas. We're very well intentioned, but how we're going about discussing them, right, can sometimes lead to those unintended consequences. In information security, I go back to, like, the fundamental hard problem of what we're all tasked with, right, and that's the threat. And you can define threat in a variety of ways, but the threat truly can't be quantified, right. No matter how you try to quantify and qualify that risk, there's going to be some ambiguity and some open discussion and respectful disagreement in that. And because that threat can't be quantified, a system also cannot be threat proof, right, so that threat is unconstrained. You're just trying to enable resiliency up to a certain point, and in security, nothing is truly secure. I think that's an idea, a concept a lot of us have already agreed on, because to secure it, the whole thing has to be secure, has to be free from vulnerability, and there's no such system, device, et cetera, that's out there. And so when we start communicating that we need X, Y and Z to secure an organization, secure a process, just even changing your terminology to: how much downtime do you want to incur as a result of a potential information security event or incident? Or how complicated do you want the access request system to be? Or how easy do you want it for our customers or our internal employees to be able to interact with said data? Obviously, those of us like myself that are in a regulated industry, there's some minimum bars there that, you know, regulators and laws will articulate, that we get to interpret and then pair up with our internal teams on how we are gonna apply controls.
Robert LaMagna-Reiter: But just recognizing that our job is not to secure systems and processes and applications, our job is to do our best to assure that, as data is being accessed, that business process that facilitates all of the actions is operating with a minimum level of trust that we can agree upon, and kind of just shifting that mindset that you can trust the inputs and outputs, and it rethinks where you're going to put your controls. It forces you to understand the business process, as you and I first started talking about today, and it's all those non-exciting things that information security professionals sometimes gloss over because we want to go secure the configuration, we want to lock things down, when, in actuality, understanding how your core operations team, or understanding how your sales or marketing teams are interacting with your CRMs, interacting with the reporting, and then how customers are calling in, and the whole ecosystem of a business, depending on your vertical, it changes your terminology and verbiage, right? So bringing that all back to other professionals and your priorities, yeah, most definitely.
Joshua Crumbaugh: You know, a great example of that, I guess, that stood out to me in my career: I started out as an ethical hacker, spent a while as a CISO, then decided to found my own company, and it wasn't until I founded my own company that I saw this finding that had been in a million of my application security reports as an informational, well, no, I'm sorry, not an informational, but a low severity finding. And then, once I'm the CEO, I realized just how much this was a critical finding. But we had always mislabeled it because we didn't understand the data. And the example I'll give you is SSO implementations often lead to full user enumeration and sometimes, particularly in SaaS companies that have a bunch of different customers, those same SSO implementations can lead to the ability to enumerate all of the companies that might be using your platform.
Joshua Crumbaugh: Well, owning a tech startup in the SaaS space, I can tell you one of our most protected bits of information is that customer list. But when I found those same findings as an ethical hacker and I wasn't aware of it, we reported them as lows. They often showed up year after year after year because they never made their way up to the C-suite, because no one realized just how critical that data that was being leaked was, and so I like that as an example, because it's where there's often this disconnect between the top executives in the company and the cybersecurity people that are in the trenches, and even the people in between, that maybe we don't necessarily know what is our most protected data, and I think it always starts there, and that has to be communicated all the way down to even your contractors that you might be hiring to do an assessment, because I worked for companies when I was in consulting that had defined what their sensitive data was, but it didn't make its way to me, and so we rarely had somebody fire back and say, no, this is a higher finding. We all the time had them wanting to argue them down, but never wanting them to argue them up. So, yeah, no, I think it's just a great, great point.
Joshua Crumbaugh: Now, switching topics a little bit here, I like to talk a little bit about methodology, particularly as it pertains to both security awareness as well as phishing, trying to leave this very, very open so that you can answer it however you want. Are there any key methodologies that you've learned over the years around awareness or phishing or both, that you would like to share with the audience as, hey, this is something I've learned that helps make this more effective?
Robert LaMagna-Reiter: Yeah, that's here. Hold on, let me pull it out of my hat. There's a silver bullet. We'll start down the path of what I found has worked to a good degree in my last few places, and then we can dive into why and how we started experimenting with that.
Robert LaMagna-Reiter: So, a lot goes back to personalizing and shrinking the time it takes to communicate, so communicating differently and being exciting and getting in front of individuals. So that manifests itself in a variety of ways, depending on our user groups. Sometimes it's Rob walking to them, walking to their department, bringing some cookies or donuts and having an informal ask-me-anything session and walking through ideas for five or 10 minutes and just saying, hey, you know, making sure you have no questions, you know, anything I can do to help, just raising the awareness that somebody cares and that, you know, we're here to help you. Providing prompts and nuggets as folks are navigating the web, you know, sprinkling information to them when we get any indicators that the session is changing or that they might need further education. Right, you still have your traditional educational avenues with your training, your emails.
Robert LaMagna-Reiter: But what we found over time is that as our workforce has continually evolved and changed, the attention span, for us at least, has shrunk dramatically. What folks expect to get out of nuggets has changed, and so we have to change up and personalize and make folks care a little bit, and sometimes just going back to the basics and being in front of them has worked for us a lot, and explaining ourselves. And the reason why we found that it has worked a little bit is because a lot of individuals by default, and I'll tie it back to, you know, how behavioral economics describes it, it's that we value immediate rewards over future benefits. So you tie that back to training, and my immediate reward for passing this training is that I can just bug it off and it goes away and I'm not going to get anything else. You know, some of the incentives or the disciplinary actions that a lot of organizations put in place, I don't necessarily agree with how that's evolved.
Joshua Crumbaugh: I got to give you an amen or something there, but could not agree more. Continue.
Robert LaMagna-Reiter: Yeah, no, and so we try to influence how the choices are presented and personalize, you know, why we're providing said trainings, and so we don't just focus it on security. We look at how training in general and awareness in general is given to individuals, and instead of training on corporate policies and phishing, we make it personalized on how they could stay safe around the holiday season, nuggets for their children and families, and help put it in terms that they understand. So some of our simulations, not necessarily like phishing emails, but like simulations where we're trying to gamify for folks, are: let's imagine you're at a shopping center, you get a call and this is what happens. It's not, hey, you know, are you going to click on this link and get slapped on the wrist, or are we going to try to trick you, and then it's three strikes. You do the nudges and frame the situations in different ways that are going to stick with people so that they can think about it later. So it's just changing content and changing delivery and just being personal.
Joshua Crumbaugh: I love it. There's three key things that I heard there, but just a little bit about my background. I got an opportunity years back to collaborate with college professors from around the globe that were working on writing coursework for how do we create effective security awareness training programs that not only address compliance but actually change behavior? And I ran into these professors and got to collaborate on writing that coursework because I had asked the question, well, how do we use social engineering as a form of good? And it turns out it's not called social engineering, it's called behavioral science. We've been studying it forever and we just really have largely, as a community, ignored behavioral science. And then we've asked why our efforts to change behavior aren't working. So a few key things that you said, and just sort of connecting those behavioral science principles to them.
Joshua Crumbaugh: Number one, you talked about shortening that training and making it as short as possible. In advertising there's, well, I guess it's behavioral science in general, but there's this one theory called spaced learning theory. That is essentially advertising theory, and it talks about how, if I break something up into really tiny, bite-sized chunks and I feed it to you at a regular frequency, we're going to get really high retention. It's the reason that Coca-Cola is a global brand. When you see their ads, they're not 60 seconds long, they're not even 30 seconds long anymore, they're 10 to 15 to 20 seconds in length, and it's the reason that when you think about, you know, a soft drink, that's probably, for most people, the first name they think of. And so I've been saying forever, and I guess I might be biased because I started in marketing, but I've been saying for a long time we need to bring marketing to cybersecurity, and so shortening training and approaching it more like it's advertising, I think, is very critical. The next thing you said is you have to make it personal to the individual, and one of the studies that I was reading found that when we make training contextual to somebody's role, there is a 15x improvement on retention, and it makes sense, because when it's not applicable to their job or their role, it's just this, you know, distant idea that's not relevant to them. But the second it's contextual to their job, it's relevant and they pay more attention, and so I think that that part's very critical too.
Joshua Crumbaugh: And then, lastly, you talked about gamifying the phishing, and there's this theory called psychological safety, and it really just boils down to you catch more flies with honey than with vinegar, and it's so true that we have to be motivating people and not just using the stick but, more importantly, starting with, and at every opportunity that we get, we need to be using the carrot, and that means saying great job when they report a phish, saying, hey, great job, you reported a potential phish. But it's not just there, it's any opportunity that you have, and so it sounds like you've definitely been at this a while. You've certainly learned some things that work, so that's just great advice. As a follow-up question to that, what would you define as the most core KPIs or most critical KPIs as it pertains, well, I guess it's to cybersecurity as a whole, and then the sub-question would be to security awareness?
Robert LaMagna-Reiter: So I have found in every team that I've been a part of or have led, for us, it is gauging the percentage of, you can call it systems, I've started reframing it to the percentage of business processes that I have visibility into and can take action on. I don't care what your mean time to identify, detect, contain is. If it's not on the entirety of what your scope and critical data is, it's meaningless. So we pride ourselves on trying to set benchmarks where you don't go below a certain percentage of your visibility to take action or make decisions on information in an environment. And that actually re-keys and switches a lot of how you think and prioritize and communicate value. Because when you start focusing on visibility and the effectiveness of your security program, that's what allows you to shift perception both at the C-level and down in the organization. Again, so visibility that leads to data-driven decisions, sprinkled with a little bit of humility and practicality. And I apologize if I missed your second question, I can't recall.
Joshua Crumbaugh: No, I mean, I think you answered it really well, and my big takeaway there, or what I heard, and I apologize if this isn't what you said, was don't let vendors set your KPIs. You know what your KPIs are better than anyone else. I mean, I've really taken a lot of creative licensing with that, but I think that each and everybody's KPIs are different, and I like how you connected it to the business and your specific organization that you work for. In my experience, I know I'm a vendor, but I will be the first to criticize vendors, saying that too often vendors want us to look at KPIs that have no impact on our bottom line at the end of the day, and I think that's how we end up with a tech stack of 90 different security tools and maybe five that actually have a real value that they add to the company.
Robert LaMagna-Reiter: Yeah, I personally have never found value in any of the quote unquote executive dashboards that you see offered in a plethora of vendors. Right, I mean, I get the intent behind trying to summarize the information, but, even to a certain level, those executive dashboards are for the security team that's managing them to be able to leverage. Nor would I expect a non-security individual to take verbatim something coming out of those, right? So we're always trying to, again, reframe and retweak how we articulate that information, even when we send out notifications to the organization on upcoming changes or enhancements. Not once do we ever say, you know, we're going to be enforcing stricter security controls, we're going to be tightening X, Y and Z. We always lead it with, you know, in an effort to maintain the expected level of resilience and to support X, Y and Z business initiative. Emphasizing the positivity, right.
Robert LaMagna-Reiter: A lot of where I've had effectiveness also is getting out of the way, whether it's from a DevOps or a delivery team or an operations team. They just want a secure foundation, where I and my team have proactively built the right guardrails that they can operate in, and I'm okay with just taking nuggets of learning along the way, as long as I'm not taking any unnecessary risk. Gosh, you know, let others in the organization be your biggest supporter on how you're partnering with them. And it seems counterintuitive, right, because you're not getting everything you want, but guess what? At the same time, nobody else is either. But you're going on a shared journey and over time, you build up that, I would call it your escrow account of goodwill. Right, you can make a withdrawal from that at various times. If you have to call in a favor, get extra funding, you name it. It's not about, again, chasing that elusive target that you're going to lock everything down and create a bunch of friction.
Joshua Crumbaugh: Yeah, I like it. Okay, because we are running a little bit short on time here, I'm not going to go into what I heard you say there and put words in your mouth. But, jokes aside, AI is reshaping society as a whole right now. It's changing every aspect of our daily lives, and we are only just beginning to scratch the surface of what AI is going to be capable of, how it's going to help humanity, how it's going to impact our day-to-day jobs, everything from running a cybersecurity team over to other industries that are going to be impacted by this, like your creative types that are in marketing or advertising or creative writing.
Joshua Crumbaugh: I mean, there's a lot of industries that are going to be hit very quickly. With AI, there's a lot of opportunity and there's a lot of threat. I think I want to start with: what threats are you seeing actively right now, and are you taking any measures to educate your people about those same threats with AI? And, if so, what are you educating them about? And I ask because I talk to a lot of people in your role, and it seems everybody's looking at this from a little bit of a different perspective and seeing a different side of the problem, and so my goal is, if I ask enough people this question, maybe we'll see the whole picture at some point.
Robert LaMagna-Reiter: You know that, or the answer is just everything, right? It could be.
Robert LaMagna-Reiter: So I appreciate the way you frame this, because it is so personalized to every organization. And what are the, let's call it top three or top four, issues in the world of, like, what AI is causing us to look deeper at, right? In our world, number one is, you know, fraud and impersonation. If you think about the financial services world, we've relied heavily on a lot of information that folks seemingly should know themselves, which unfortunately has been lost to data breaches or has been posted publicly. So in some way or another, that information is out there, right, whether it's their secret questions or information about an individual that they think they should know. Coupled with AI systems that are getting much, much better at cloning voices, cloning images and creating an actual representation of someone that can look, sound and act just like them, and you couple that with the information that's out there, it's ripe for increased fraud.
Robert LaMagna-Reiter: So, going back to what we talked about with trust earlier: how do you raise the level of trust in any kind of conversation and get to the right level of assurance that a transaction is actually going like it should? And so we're exploring a lot of things on those fronts, right? Novel technologies that could potentially detect or alert when it thinks that something is AI generated. Those have garnered a lot of attention, but the other side being changing how we authenticate individuals, or the types of information that we would expect from them to validate a transaction. So much so that you're even requiring, dare I say, wet signatures for certain transactions, right?
Joshua Crumbaugh: I mean, looking at the whole, I like it. I truly do believe that non-technical solutions are the answer to the deepfake threat, so I like it. I think that's a great example. Sorry, go on, continue.
Robert LaMagna-Reiter: Yeah, absolutely. And then for us, like a lot of individuals, you know, the development. So the ingress and egress sanitization and checking, just to make sure that inputs and outputs from your code generation that's using some sort of gen AI are meeting the minimum bar for what you would expect. We are not developing and creating our own models, right. But where we're seeking visibility is for those third parties where you buy your license, access to leveraging their models, trying to figure out how we get the best assurance that they're upholding their end of the bargain, that somebody on the back end is not just querying my information out of whatever service that I'm using. That's still in its infancy as well, right, but it goes back to visibility. It's kind of like back when the cloud operating models first came to light and how the industry sought to get visibility to the access and processes behind the information. We're trying to do the same thing there. Those would probably be the top three.
Robert LaMagna-Reiter: The fourth, rounding it out, is that in the financial services space the regulatory requirements governing artificial intelligence change and look different depending on the jurisdiction, and so it's pairing all of those other areas that we're concerned with with maintaining compliant and regulatory-aligned ways of leveraging and communicating that as well, because when you and I are talking about artificial intelligence, I mean we're not getting down to whether it's deep learning, machine learning, you name it, and the regulations can be even more ambiguous on how they're defining certain terms. We want to make sure we're partnering with our legal counsel to make sure we're understanding what's being asked of us and staying as compliant as we can while trying to take advantage of the innovation offered. Makes sense.
Joshua Crumbaugh: So, along the AI front, I love all of that advice from sort of the defensive and even the risk perspective. One of the only forms of what I'll call Skynet that I've seen is AI-based phishing that is targeting us based on our role, and you hit on that a little bit. But I'm curious: how much of that have you been seeing so far? Is it relatively light? Is it pretty substantial? How much of what seems to be that AI-driven phishing are you actually seeing?
Robert LaMagna-Reiter: It's hard to answer that with a definitive answer, because I think that the adversaries have been using it for quite a while. They're just continuing to get better and better at it, right? So we have not seen an uptick in what I would call social engineering attacks that are leveraging deepfakes to a great extent. But we have seen the proportion of messages get smarter, right? They're very, very personalized. It is almost indistinguishable if you're just looking at the message itself, in a lot of ways, if it's going to a decision maker or someone in the finance group; that's always a popular target, right, across the board. Anybody that's in a position of authority that can go ask or demand an action happen, they're obviously frequently impersonated and targeted, and the messages that come back are always enriched by a plethora of legitimate information out there. And so, getting back to what we talked about earlier, we combat that right now, obviously, with your typical email security solutions. But what we have found to also pair with that is a lot of those nuggets and awareness on how to validate authenticity, and we do rely quite a bit on what I would call offline or traditional ways to go validate if somebody is really sending you that message.
Robert LaMagna-Reiter: We're considering how we can further up our levels of incorporating AI into just automatically removing certain messages and evaluating them before they get delivered. But that's not gonna, it's not gonna solve all the problems, right? It's always about your people and helping make sure that they feel comfortable taking the right decision, but also augmenting your people's decisions with the right balance of technical controls, because training by itself won't do it, but it's training coupled with the right aligned technical controls and the right aligned support and reevaluation of what you're seeing. That whole process of having those different layers in a seamless way is what helps us maintain a certain level of resiliency.
Joshua Crumbaugh: Yeah, I might add one element to that. You said training in and of itself won't do it. There have been a ton of academic studies that have come out that have found that traditional approaches to security awareness training have zero impact on reducing the susceptibility that that organization has to phishing attacks. Now, that's traditional approaches, but they have taken in a lot of the modern content, that's, like, you know, the five-minute-long micro training, and even that's been proven that it doesn't work. And so I really, really do think and believe in harnessing the power of the subconscious. There's this book called Thinking Fast and Thinking Slow, and it talks about basically how you have a fast brain and you have a slow brain. The slow brain is great for deductive reasoning. The fast brain is great for anything where you need that split-second decision, and that fast brain is our body's natural defense mechanism that, if something flies at our face, causes us to block automatically without thinking about it.
Joshua Crumbaugh: Well, I truly believe that the same thing can be done when it comes to malicious attacks, phishing emails, things like that. But when we're successful, it happens at a subconscious level, not a conscious level. So if we're educating people and trying to get them to consciously avoid that, in and of itself it is always going to fail. You may be able to reduce it somewhat, but you're not going to get the level of results that you'll get if you can condition the person to where hovering before they click is the same as looking both ways before they cross the street. And there's this behavioral science principle called identical elements theory, and it talks about how, when I learn a red flag really well, or learn about anything really well, I'm going to start seeing it everywhere. The classic example is you buy a new car and you see them everywhere after you've bought it, right?
Joshua Crumbaugh: But we can do the same with phishing, and so if we run simulations that have the whole point of making sure they realize their mistake and they learn that one red flag really well, they'll start to see it everywhere, not just in phishing emails, but potentially in voice phishing or phishing calls, smishing, you name it. And so I truly believe we've got to do more with helping our users harness their gut instincts, but also training them to rely on it, because I've never been a part of an incident where the person that let them in didn't say, I knew better. I knew something was off, but I did it anyway. And you hear that almost 100% of the time on these incidents; they say, I should have known better. So I really do feel that training users to utilize their gut more is so critical to creating that human firewall, if you will, even though I know that word's beat to death and we probably both have to take a shot now for some drinking game.
Robert LaMagna-Reiter: Exactly. We've been trying to balance how obstructive or intrusive we want to be with just tidbits and reminders. So we've been piloting: somebody gets a message and it makes it through. We still want them to see the score, the issue of prompting: hey, this may be legitimate, but we've seen some emails that have been reported as phishing, please just double check. Like, just little nuggets, where you're not trying to stop the individual from what they're doing, but just offering a word of, hey, you know, this was rated at this, we didn't stop it, you might want to just double check X, Y and Z.
Robert LaMagna-Reiter: The one area that I think is going to be a wild card is if somebody picks up the phone, right, and starts talking to an individual that's not on a company-protected mechanism and is phished there. Right, you're hoping that the information, the trusted environment that you've created for them, that knowledge coming up to the top of their mind, doesn't result in them giving something away, because human beings by nature, right, we love to help each other. Very trusting, way too trusting. And if somebody presents to us in a voice, in a legitimate position of authority or from an institution that we do business with, which, as you and I talked about earlier, it's all out there, right, all the information that somebody would need to trick you. It just has to be put together in a good story.
Joshua Crumbaugh: Just from an advertising perspective, I look at the amount of data I have on these prospects inside of ZoomInfo. It tells me what technologies you're using, when you change technologies. It's impressive and scary, the amount of information they have on everybody. And that's the good guys. The bad guys probably have more.
Robert LaMagna-Reiter: And so I go back to a principle that gives me peace at night, when I don't want to worry about the bad going on. It's just, ignorance is bliss. And so just treat anything that you don't want to deal with: just hang up, delete. Ignorance is bliss. If it's important, somebody will follow up, and it's very simple. I don't mean to over-gloss and tell somebody to delete the email from their boss, but gosh, you have other ways of authenticating that level of trust and authenticity. And if it raises that, I'm going to use my young terminology here, raises that sus bar a little bit, just delete it.
Joshua Crumbaugh: Agreed, and I actually teach the same thing: anytime you feel like something's off, delete it. Delete it, move on, report it, but whatever you do, don't open it. Don't give it enough time for curiosity to get the better of you. One of my favorite and wildest studies came out of, I want to say it was Xavier University in Florida. They found that there's this certain group of people in every organization that, when they get a suspicious email to their personal address, they will forward it to their work address and open it there, because they believe it's so secure they couldn't get hacked. And to me, if that's not proof positive that we as an industry, and I'm talking about cybersecurity practitioners here, have not done a good enough job just communicating the number one rule, anything can be hacked. It really sheds a lot of light on where some of the users are from a thinking perspective and just how much overconfidence they might have in our ability to block everything. So I don't know. Just a really interesting study that I saw one time.
Robert LaMagna-Reiter: Oh yeah, and if you block everything, though, you tend to detract from your mission. So you're back in that rock and a hard place, right? Because, again, I'm a big believer: as a security leader, my job is to not block and protect absolutely everything. My job is to align those resources and block and protect the data that's most critical.
Robert LaMagna-Reiter: And sometimes there are certain systems that are going to be collateral damage. So you know that we take the measured risk that there's a lower level of assurance on some systems that don't have the right scope data, and it's going to create a disruption for that user. And so we do let folks know, right, that, depending on the device, system and role, you could be out of service for a while, and that by itself, they're like, well, I don't want to lose my machine or have it, you know, X, Y and Z. So it sounds like a very easy problem, right? And that's why, when I was looking through your content historically, it's great seeing the plethora of responses, depending on the individuals, depending on the industries, the verticals. We all have so many unique challenges that there's not one solution that every organization can follow, and that's probably a good thing, right? Because there's almost an unlimited number of ways an adversary is going to try to target you, so everything has to again be personalized to how important the data is you're trying to protect.
Joshua Crumbaugh: So, well, and I think that all of our brains work a little bit differently, and it's that argument for needing more and more diversity inside of cybersecurity.
Joshua Crumbaugh: The more minorities that we have represented, the more just different groups that we have represented, the more diverse our thought process becomes, and I think that really stood out to me on asking the question of people like you. And maybe we'll wrap with this question, because it's a great question, but I've asked the question: well, what roles, when you think about role-based training, are the most imperative that you cover? And I've heard that question answered three entirely different ways. You know, one way is focusing on the roles that are the most targeted, so it might be like finance professionals. Another one is focusing on the hierarchy of the person within the organization, and then I've heard yet another one that focuses entirely on the level of access that person has. I don't think it's any one of the three. I think it's probably a combination of all three, but it really just went to show me that we can both answer the exact same question, we can both be 100% right in our answers, and still have two completely different answers.
Robert LaMagna-Reiter: Yeah, every...
Robert LaMagna-Reiter: So, to add another level on to that, every individual we hire, even if they're in the same department in the same role, everybody shows up and responds with their own lived experiences in a different way to the same stimuli, right?
Robert LaMagna-Reiter: And so when we think about training for certain roles, we not only rotate the type of training based on role and maybe who's targeted, but we generate training and engagement in different ways, so it's not static. So, to answer your question, it's a combination of both. We do try to, again, go back to the buzzword, personalize the training, versus go forth and execute training. We take a look at the information, we take a look at the trends that we're seeing, both from our tools and conversations from peers locally and nationally, and we try to adjust. It's not going to be in real time, but we want to respond accordingly to who we give training to and the type of training and partnership and education as the situation evolves. So hopefully that answers your question.
Joshua Crumbaugh: We know, it's great. I agree that no two people are the same. One of the things that stood out to me, and fortunately in my career I've sent now hundreds of millions of phish, and so I've seen some trends across that, like your salespeople are, you know, they're famous for clicking on phish, but when you look at what they click on, it's mostly those social media themed phishing attacks, because they are the face of the company. They're the ones out there in the trenches and most of their leads come in through those different social media channels, so they're more likely to fall for those. But you know, another group that is famous for being susceptible are executives, and they click on very different things.
Joshua Crumbaugh: Executives, it's often those ego things that tend to get them, and honestly, it might get me too, I don't know. But I find it interesting because, even within those, to your point that you just made, just because you're a salesperson and most salespeople click on this doesn't mean that you're not the exception to the rule that's going to click on the Netflix phish, and so I think that understanding that, being able to identify that and make decisions based on that data is so critical, and that's what you were talking about earlier: having the right data to be able to make critical or strategic decisions based on real insight into the company. So, yeah, I couldn't agree more. Any final words you want to leave with our audience today?
Robert LaMagna-Reiter: Just don't overcomplicate how you're thinking about this either. We talked about the ins and outs on how you can perfect and well-round and ingrain a program or enhance the resiliency, but when you get to it, the most effective thing that you can do is to try to simplify how you deliver for the organization and how to really make it easy, and that's going to supercharge your cycles and capacity more than you think, right? So again, it's 90% behavior, even 95% behavior sometimes, you know, and then the remainder being some have knowledge or some experience, but gosh, how you do it, what you do, what you say, how you say it, that's going to enable you to be extremely effective, no matter what you're doing. So that's what I guess I'll end with: it's more important, I think, today than it ever has been.
Robert LaMagna-Reiter: And especially going into a season where it's so easy to find so many quote-unquote authentic pieces of information out there. And how do you gauge the level of trust? So it's always good to keep it simple, don't overcomplicate it, but at the same time be realistic.
Joshua Crumbaugh: Absolutely. Well, thank you, this has been just amazing. You've given the audience some really, really great words of wisdom. It's clear that you've been in this industry for a long time and you definitely know what you're doing, so thank you. It was my honor to have you on the podcast today and you just gave us a great bit of advice. With that, I will see you again, I think, later this week for our next episode of Phishing for Answers. And, Rob, stick with me one second.