Phishing For Answers

“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.

All Episodes

Phishing For Answers

Safeguarding Investments: Bob Flores on Cybersecurity in Private Equity, AI-Driven Threats, and Empowering Teams

February 03, 2025 • Joshua Crumbaugh, Founder & CEO of PhishFirewall

Send us a text

This podcast episode emphasizes the critical intersection of cybersecurity and private equity, highlighting the importance of conducting thorough cybersecurity assessments before acquisitions. Bob Flores, an experienced CIO and CISO, discusses key issues like the rise of AI in cyber threats, user education, and effective role-based training as vital components for safeguarding investments against sophisticated attacks.

• Significance of cybersecurity inspections in private equity transactions
• Insights into the evolving landscape of cyber threats, especially with AI
• The need for user education on cybersecurity risks
• Importance of role-based training for vulnerable job functions
• The potential benefits of gamification in cybersecurity training
• Strategies for fostering a culture of cybersecurity awareness within organizations

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Joshua Crumbaugh: 0:01

Hello and welcome to another episode of Phishing for Answers. Today I am here with Bob Flores and he's going to actually introduce himself and tell us a little bit more about him. But I see you've got a very storied career as a CIO, ciso and in the PE space at that, so tell us a little bit about yourself.

Bob Flores: 0:24

Yeah, yeah, I've been around little bit about yourself. Yeah, yeah, I've been around the block a couple of times, josh, I am a CIO.

Joshua Crumbaugh: 0:31

I got the gray hair.

Bob Flores: 0:33

Exactly. I've heard every one of them. I've been a CIO and a CISO for a number of years, primarily in private equity-backed companies. I started my career with PE companies back in 2007 when a company that I was working for got purchased by Toma Bravo, and at that time I couldn't tell you what a private equity company was. In fact, I think my first question was who the heck is Toma Bravo and why does he spell his name that way? Fast forward to 2024, and I've worked for, I've been really lucky to work with a lot of the really large private equity companies, including Carlyle, kkr, vista Partners, apac, seattle, london, and you know it's just been a fantastic ride. I love the pace of the work. I love the fact that somebody believes in you enough to hand you a pile of money and say go, go, make something really great out of this.

Joshua Crumbaugh: 1:32

Oh yeah, and at the PE phase that's a big pile of money too.

Bob Flores: 1:36

Yeah, it can be. It can be. I really love that kind of atmosphere. I'm not the kind of guy who sort of sits back and watches the machine run. I've got to be, you know, have my hands in it and try to build something out of it. So that really excites me.

Bob Flores: 1:52

And back in 2016, I found myself the CIO at a cybersecurity company and was reasonably, you know, educated in cybersecurity at that time. Being an IT guy, I kind of, you know, educated in cybersecurity at that time, being an IT guy, I kind of, you know had been through the ISO audits and SOC audits and those sorts of things and I had skimmed the surface. But, boy, I'll tell you, when you're the CIO of a cybersecurity company, you got to up your game and that's when I thought, boy, I got to dig into this. So, just so I can keep pace with everybody else who's in the company, I went out and got a CISSP and a CISM and a CISSP, cssp, all those certifications, just to make sure that I was able to keep pace with everybody that was working with me. And it's been great ever since. You know, I love cybersecurity, I love just IT in general, and I kind of market myself as you get a two for one when you hire Bob you get a CIO and a CISO. So that's kind of my strength, of my marketing position.

Joshua Crumbaugh: 3:00

Well, that's a great story, you said before we got started. You're starting a business, started a business.

Bob Flores: 3:08

Yeah, yeah, I'm actually starting a business right now. Congratulations.

Joshua Crumbaugh: 3:13

Yeah, thanks, regards.

Bob Flores: 3:15

I don't know, maybe it's condolences.

Joshua Crumbaugh: 3:17

I'm kidding.

Bob Flores: 3:19

It's some work, but it's fun. It's really fun, it is work but it's fun.

Bob Flores: 3:23

It's really fun, yeah. So this company that I'm starting is all around cybersecurity and private equity transactions and just making sure that when private equity companies go out and make an acquisition they're making it eyes wide open. They know the cybersecurity risks that they're accepting and purchasing that company and you know they can make deal adjustments, they can make insurance adjustments. I kind of liken it to I'll use the analogy you would never buy a house without first getting a home inspection. Yeah, you know, making sure that that electrical and plumbing is solid. Why would you ever buy a company without getting a cybersecurity inspection first, making sure that that company is solid and you're sitting in a good position and you're not just vulnerable to every hacker that's going to take advantage of somebody with deep pockets coming in and buying a company.

Joshua Crumbaugh: 4:18

Yeah, no, I couldn't agree more. In fact, we do quite a few of those assessments specifically for our investor as they go to buy and acquire new companies. So no, it's, it's absolutely something that I mean. If you're buying any asset, really, you want to understand any risk associated with it ahead of time and from a cybersecurity perspective, I can't imagine buying a breach, but I can't imagine that that hasn't happened before. I mean it must have happened at some point, and so you know that would just be the worst possible timing on things.

Bob Flores: 5:01

Go ahead. No, no, I was just going to say that. You know I started this business because of some of my own personal experiences in this regard. You know, having done a couple of carve outs and divestitures, I realized that those are prime targets for black hat hackers out there and threat actors. You know they're smart guys they're. You know they're looking at PitchBook, they're looking at CrunchBase, they're trying to find the companies that are vulnerable but nice targets for private equity acquisition. They're getting in those companies and you know I'm probably preaching to the choir, but those guys just sit in those companies and they dwell there for, you know, anywhere from six to nine months before they make a move, and they always move on the new owners because you know they have deep pockets. So it's a real problem and I'm hoping to help people kind of avoid those problems as they go through and make these kind of acquisitions.

Joshua Crumbaugh: 6:01

Yeah, and you know, the more we can avoid these problems, the more we can make sure that they don't have deep pockets on the other end. You know, that's always one of my biggest frustrations is that you see just how much money they're making and it's like man, if we could just cut it off, we could stop this or at least make it so much better. But instead we just fund it better than we fund the biggest cybersecurity companies in our industry. So now we were joking about someone on the show I forget who it was, but they were talking about how they're doing the volume of a crowd strike in terms of gross revenue. But they've got these insane margins, the criminal element, and so that gives you an idea of what you're up against and what kind of resources they have, from anything from building malware that's better at getting around your defenses over to coming up with more sophisticated technologies like to deep fake executives on a zoom. Call you know that's never happened before.

Bob Flores: 7:14

Yep, yep, no phishing is getting so sophisticated. It's just scary with AI, you know, being used by by threat actors, boy, it is getting really tough to to tough to spot the criminals out there. You know like you had a seasoned guy like you. You know like, look, I've had to take two or three looks at some emails or some text messages and that doesn't quite look right. I'm not sure why, but they are getting good.

Joshua Crumbaugh: 7:42

And the rules are changing a little bit because of AI too. I mean, it used to be that typos were an indicator that it was malicious, whereas typos are almost an indicator that it's legit these days.

Joshua Crumbaugh: 7:56

And so you know it really has flipped things on its head. I mean quite significantly and to the point that you were saying about bad guys using AI to expand their attacks. I saw some reports last week that said that Amazon had gone from an average of 100 million attacks per day that they were seeing hit their servers or their infrastructure up to 750 million attacks a day, and that's just in the past 12 months. And so, if we're to believe their numbers as a good representation of what's really happening out there, that's a 70, 500% increase, just like that. So we're going to have an 150x increase, just like that. So or?

Joshua Crumbaugh: 8:43

have an 150 X increase. So it's it's really to me very scary, but but also interesting, because you know, ai also helps us cut through a little bit of that noise maybe not 750 million a day worth of noise, but yeah. But I think there's a lot of opportunity or opportunities around AI. Speaking of which, we may as well jump into AI and talk about it for a little bit. Any crazy, sophisticated attacks, cool things you've seen around AI that that you know you want to want to talk about or share with us.

Bob Flores: 9:21

You know, I have been fortunate enough not to have been taking the brunt of any AI attacks yet. But you know, any guy who's in cyber will tell you it's not a matter of if, it's a matter of when. So you got to prepare for it. But you know, I think that the first wave of this stuff is all going to be in terms of these phishing scams. Because you're right, you know, like before you could spot a phishing scam pretty easily. You could spot the typos, you could spot the grammatical errors or just the plain awkward language.

Bob Flores: 9:53

But now these, these multilingual ais are generating content that looks native, it looks great. Personally, I think that the guy who cracks the code of I need a really good email gateway who recognizes AI when it sees it and can flag that as suspicious and make sure that people are paying attention to AI generated content. That may be the next thing that starts to tip off people. Maybe there's a red flag on that email that just says, hey, this content was AI generated. Just telling you for context. Maybe look at it a little more carefully.

Joshua Crumbaugh: 10:31

We're doing something along those lines that we're coming to market with early next year, but we're looking more at the underlying psychology. So, as opposed to saying, hey, this was generated by AI, we're just looking for any of those, I guess, psychological indicators of an attack, and so urgency, using authority, scarcity, sunken cost, fallacy, different things like that All of these are constantly built into these, and what we realized is that the psychology never changes, but the technical indicators do, and so we felt like, you know, they're the one thing that won't be a moving target is that psychology. And so the really cool thing about these multimodal capabilities is that they can very quickly, you know, analyze the email from many, many different perspectives. That are better than just like OCR, which we were relying on in the past, and so it gives us more insight into it. But I definitely see an application as well around.

Bob Flores: 11:45

Hey, I think this is AI generated, too Sure sure, then I think that the next version of this and people are gonna have to start worrying about is how do you secure those LLMs that everybody is using, how do you make sure that those things aren't being poisoned by nefarious actors and making sure that you're not getting bad results out of ai engines, that you don't know who's on the other end of these llms and how do you?

Bob Flores: 12:15

you know, how do you secure that data? Um, you know bad enough that a lot of people are pumping out potentially you know proprietary, if not personal, and pii and all kinds of different information into these things and you just don't know where it's going. Unless you own that LLM. You have no idea what's on the other end of those things. So I think data breaches and data leaks are going to start coming just naturally, because I think I'll upload our latest sales report into AI and see what kind of insights I can get from it. Yeah, I don't know who's on the other end of that and who's going to see it. You know you might be spilling the corporate secrets and not even knowing it.

Joshua Crumbaugh: 12:54

Oh yeah, and there's so many different AIs out there. I mean, just search chat GPT, sure You'll find chat GPT at the top, but then you'll find a thousand different companies that are reselling ChatGPT where you can go in. You can upload all of those documents to it. So that actually brings up one of the topics that I like to ask every guest that comes on the show, and that is, when it comes to AI, what do we need to be educating our users about? I mean, it all happened so quickly that, not that we sit around a table as an industry, but that we never really got a chance to like really strategize about all of this before deploying it, like we normally would.

Joshua Crumbaugh: 13:44

It's just overnight. Ai went from this thing that was a cool idea to something that was very real. And I mean, look at it. What has it been 18 months, or maybe 20 months, since the original chat, gpt, sort of, was first released to the public? And look how far we've come.

Bob Flores: 14:04

Yeah, yeah. Now I think more than anything, when you're, when you're thinking about deploying AI in any kind of enterprise or you got to be really sure that you're educating your users about what they can and can't put into those things. Make sure that they understand that there's data privacy and data security issues with all of these things. Unless you own that AI and that LLM behind it, you just don't know where that data is going. So you can't put the company secrets out on these things. You can't just spill the beans and ask for help because it's easy. You have to really know what's on the other end of these AIs and who could potentially see that data and what you're willing to share. So data security and data privacy, I think to me, are my biggest concerns when it comes to AI. I just don't know who's on the other end of those things, you know.

Bob Flores: 14:55

That being said, obviously you can have your own personal LLM. You can bring those in. That takes longer to train those things and to get them up to speed. It's not quite like a commercial product, but there are things that you can do to mitigate those risks. I've seen some really interesting solutions in that space. That would make me feel better. I'm not sure that it makes me feel 100%.

Joshua Crumbaugh: 15:21

Well, I mean even having your own internal LLM. I've got my concerns. What about insider threats, for example? Oh yeah, absolutely. And enforcing robust role-based access controls.

Joshua Crumbaugh: 15:35

It's something that we try to do everywhere, but it's not something we've figured out yet for AI and these large language models and these large language models and, and so even in that internal large language model, particularly in nation state context, there you. But if you had somebody more nefarious like him, what type of data could they get out of it potentially? And so I think there's even issues around that and just deploying it internally that we really have to stop and think about. There's just so much to AI and I agree privacy and understanding your data is just so key, but I think that's in general, that's really key for all users and something I don't think we know or practice well enough as an industry, considering, I don't know, in my experience as an ethical hacker, I guess I saw things from a little different perspective, but the one thing that always stood out to me was just how little control most organizations had over their data.

Bob Flores: 16:52

Yeah, yeah.

Joshua Crumbaugh: 16:53

They might know that they had data here, but they didn't know where all of their data was. And the worst example is just all the unstructured data. I mean whether it was unstructured data inside of SharePoint or something else. I mean I found domain admin passwords and network admin passwords and GitHub admin passwords all just in SharePoint or in spreadsheets and things like that, and so you know. That actually brings me to One of the other things that I really like to talk about, and that is we all talk about behavioral change or culture change in theory, but rarely do you see a whole lot of practical applications where you know where companies are truly changing that behavior, and so one of the things that I like to ask everyone that comes on the show is what tactics have you found to either be incredibly successful and effective or the opposite, ineffective and backfire totally? But what have you found either work or really not work in terms of security, awareness and training in general?

Bob Flores: 18:13

Look, I think that there's always an opportunity to educate people, whether they're technical resources or not. I think you always have to reinforce you know. Hey, there are phishing scams out there. Here's what they look like. Everybody knows, you know and despises those kind of engines that make you fall for a phishing scam. And if you fall for it, then you got to take the training.

Bob Flores: 18:38

Oh yeah, you go to. You go to phishing school jail. Are they effective? I mean, I think that it makes people look a little bit more carefully at things and maybe a little more cautiously.

Bob Flores: 18:50

But I think there's also kind of an imbalance, right Like there are people of my generation and people who have you know, grown up through IT, when we were very naive and you just trusted that the person on the other end was who they said they were. And you know, and we need that kind of training, we need that sort of reinforcement of the internet is not a safe place. The person on the other end of this is not necessarily who you think they are. You know you have to be skeptical about all of this information, and that needs to be constantly reinforced. My sincere hope, though, is that there are younger generations who are, who are coming up and you know, living with these kind of technologies from very young ages, and they're, you know, they're absorbing this all as they grow up.

Bob Flores: 19:37

So my general hope is that you know the 20-somethings and the 30-somethings that have grown up with these kinds of technologies and social media and all these sort of cyber threats that are out there and are normal for them, because they have. You know, they've experienced these since they were. They got their first smartphone. You know, hopefully they're going to be a much more savvy bunch of users. You know, in this environment they're going to be the ones who who are going to say I can't believe you fell for that. You know what, why, what you didn't know that that was a scam. You know. They've seen these since they were. They were kids. So I'm really hopeful that my generation are the ones that are we really have to focus on and train and and and conditioned to spot these sorts of things, and that the the younger generations have come up with a little bit more savvy in this area.

Joshua Crumbaugh: 20:30

So I've got some bad news for you, Dang you're going to dash my hopes. All of our research and our internal data, but not just ours. What I hear from quite a few other studies is showing that the oldest people that are about to exit the workforce and the youngest people just entering the workforce are the two most fish prone groups.

Bob Flores: 20:59

Oh gosh Well I knew that my generation was, but I was really hoping that the folks who had grown up with this stuff were better at it and maybe that's a really good indicator that our educational system needs to adapt to these sorts of things.

Joshua Crumbaugh: 21:13

Well, we really do, and that's why I like some of these initiatives, like cyberorg, that that is a offshoot of DISA, and and their whole goal is to create training and put it in front of students while they're still in grade school, as early as second grade and all the way up until the eighth grade and we've actually worked with them to help create some content.

Joshua Crumbaugh: 21:41

So I'm a big, big advocate of getting in there and educating people early, and not just about the threats but also about the career opportunities. That's how we solve the skills gap as well. I mean, I look at myself like I spent almost a decade in marketing and I never would have spent any time in marketing had I realized that I could do ethical hacking from day one. So I think getting the word out there about some of these jobs that are more obscure, that may seem common to us, but to that you know that high schooler from the middle of nowhere Midwest, you know whatever yeah, they're probably not. They probably haven't heard of those sorts of jobs about for digital forensics or things like that, and so I think that's another big part of it. It's just educating people that there is a huge amount of opportunity around you know things like AI and cybersecurity too.

Bob Flores: 22:39

And it's such a broad field, you know like it's not just. You don't just have to be a hacker. You know you can. You can be an auditor, you can be. You can be a non-technical person and still be in cybersecurity. You can be a non-technical person and still be in cybersecurity. Heck, you can be in sales and cybersecurity. There's a whole spectrum of work out there that needs to be done to broaden the industry. It's not just for somebody who's banging on keyboards all day. So if people are intimidated by it and they think, oh, I'm not good at computers you don't have to be Like I said.

Bob Flores: 23:10

I worked at a cybersecurity company and some of our best auditors had no technical background whatsoever. They were just really good at auditing. So there's a broad spectrum of opportunities in cybersecurity that people can participate in, and they don't have to be intimidated by the technology. There's a lot of roles to play, so, gosh, I would just just love if more people were more in tune with the opportunities in the industry.

Joshua Crumbaugh: 23:36

Agreed, and there's so many little unique niches too. Like you know, I fell into this group of people studying behavioral science when I started looking at social engineering for good, and not only did I learn a lot, but it was a fascinating rabbit hole and you realize just how many little niche groups there are in cybersecurity and it's just a blast. And I mean, if you're I don't know if you've ever done the whole big, you know DEF, con or Black Hat thing, but you've got all of these miniature communities within the bigger community there and I think it's just a really good example of sort of just how diverse this industry is too, absolutely. So I've got one fun question that I like to ask everybody All right question that.

Joshua Crumbaugh: 24:30

I like to ask everybody I know it's not quite this simple, but saying we live in a world where you only get to use one or the other do you choose carrot or stick, and, regardless of which one you pick, why?

Bob Flores: 24:46

Carrot always, carrot always, because you can't beat the sense into somebody, but you can motivate them to want to learn. And you know like it can be a little bit harder, it can be a little bit trickier, it takes more effort and it takes more work, but I think you get better results. You know, the stick is fishing email jail and I got to go take that class and I'm just going to put it up, put it on play, and I'm going to go get that class and I'm just going to put it up, put it on play and I'm going to go get coffee and I'll come back and hopefully the training will be over by the time I'm done and I'll. I won't have to deal with that until the next time I get caught. But if you offer up a carrot, that's a. That's a little more motivation.

Joshua Crumbaugh: 25:26

Agreed wholeheartedly. And you know, maybe we should change the phrase from you can't patch stupid to you can't punish stupid. I joke, but I'm a really big fan of the carrot too. I believe you've got to motivate people. And beyond that, if you get very punitive and you start employing practices like three strikes and you're out, you're having a negative impact on every aspect of the organization and that's going to hit profits, it's going to hit productivity, and our job as cybersecurity leaders is to help balance security and operations, not to inhibit operations.

Joshua Crumbaugh: 26:13

And so you know there's that healthy balance between hey, it's so secure, you're never going to get anything done, and okay, we still are here to make money at the end of the day.

Bob Flores: 26:24

Right, right, no. I absolutely think that a really good and well architected security plan is virtually transparent to users. You shouldn't even know it's there. It should just protect you and occasionally warn you. Hey, this looks a little fishy, or?

Joshua Crumbaugh: 26:41

just get through that warning anyway.

Bob Flores: 26:46

Yeah, but owner of security programs man, they are really detrimental. They impact, like you said, a lot of aspects of the business and you don't want to be that guy who's like oh you know, I want to go buy some new software but I know Bob's not going to let me have it because you know it violates security protocol or you know he hasn't looked at. You don't want to be the bad guy in the situation. I always try to position these things like I'm here to help you. You don't want to be the bad guy in the situation. I always try to position these things like I'm here to help you. I want to make sure that we're doing as much as we can to make your life easier while making us safer at the same time, and there's not a reason that it can't be both.

Joshua Crumbaugh: 27:22

Oh, I agree wholeheartedly. So that actually brings up another really great topic, because one of the things that, well, there's research about, but also that we've just found anecdotally as well, is that the more we make things relatable to the individual and their role, the better retention we get, and in fact, the studies show that it's close to 15 times improvement, or 15x improvement in retention, just because we acknowledge your job and how it's associated with the threat. So, along the lines of role-based training, from your perspective, what are the roles that people should be focusing on if they're going to go down the path of role-based training?

Bob Flores: 28:12

Look, I think that there are always easy targets, right Like first people on my list are always finance, because they're-.

Joshua Crumbaugh: 28:21

That's what keeps us up at night, right.

Bob Flores: 28:23

Exactly. They're going to get hit more often than anybody else. They're going to get hit with a more variety of scams. Everybody has, everybody has gotten that text message. It says from the boss. It says I'm in a meeting and I need you to go buy some gift cards and then take a picture of it. You know that's an oldie and a goodie, but there are still people who will fall for that, you know my brother-in-law still falls for it regularly.

Joshua Crumbaugh: 28:48

Regularly he falls for these things.

Bob Flores: 28:50

It's like yeah you know, I think that there are. There are some certain target areas. I would look I might be a little controversial here I would say that even your development community is probably a close second to your finance community. Because, you know, developers look, uh, there are a lot of code repositories out there and it's real easy to just cut and paste things, especially now that they're ai enabled. Right, you've got these github repositories that are driven by ai. Again, I don't know where that code came from. I don't know who put it in there. I don't know if the ai engine is solid behind it or somebody may have poisoned that AI.

Bob Flores: 29:32

I think that developers, as sophisticated as they can be, they often are blindsided by really simple security holes in their processes, and those become more severe, those become more endemic, because those can potentially open up back doors into your code base. They can do all kinds of things that are much worse than you know allison accounting, uh, sending a thousand dollars worth of gift cards to a stranger and halfway around the world. Those really worry me, and so I, you know, I'm a really big fan of, of reinforcing and educating the people who think that maybe they're not a target or that they're more sophisticated and would recognize something if they saw it. Because, let's face it, developers are very smart people, but unless they're trained in security, then they may be completely blind to some of the things that somebody could take advantage of.

Joshua Crumbaugh: 30:35

They are. They're actually right up there with sales as in terms of being one of the most susceptible groups in almost every organization that we work with, and it's interesting, though, is they tend to fall for that sort of classic spearfish that's impersonating your IT team or the development head or maybe somebody from the CICD team, whereas salespeople they don't fall for the same types of fish at all. They tend to fall for those social media themed phishing attacks, like the fake LinkedIn message or something like that. So it is interesting to see how different job functions you know are susceptible to different types of attacks. But no, I couldn't agree more.

Joshua Crumbaugh: 31:27

And one thing about developers that it's not just about maybe getting bad code in there. I think it's just as much about helping to ensure that they're writing secure code too. Absolutely Most at least development leadership went to school and got their degree at a time when security was not included at all in the training, and even in today's day and age, development programs and most universities are not as robust around security as they should be. They might have one or two classes, and security is more of an afterthought than it is a core, central part.

Joshua Crumbaugh: 32:08

And so you know, I think it's really healthy to remind them about all the ways that you know, just forgetting to do one little thing in your code can go very, very wrong or very, very bad.

Bob Flores: 32:22

Absolutely. You know how many vulnerabilities are out there right now because of a SQL injection vulnerability or a cross-site scripting vulnerability. You know like those things are so common. It's not, and you don't think about it until you know somebody points it out to you oh crud, I didn't, I didn't realize, I didn't know. Yeah, because they're not trained on it.

Joshua Crumbaugh: 32:46

No, and yeah, I, I see them all of the time and that's actually part of the reason that I have issue with the stat that says I don't know. It's anywhere between 91 to 93 percent of all breaches start with human error. I'm like no, 100 percent of them start with human error, even if it's that, you know, technical exploit. It started with us writing insecure code. It started with us not hardening that system or not changing the credentials or different things like that.

Bob Flores: 33:20

Not patching, not updating.

Joshua Crumbaugh: 33:22

Yeah, yeah, not patching Exactly, that's a good one. Well, hey, let me see what are your thoughts. I think we have enough time, yeah, so what are your thoughts on gamification? So we hear a lot of talk of gamification, but I also hear a lot of criticism of gamification. Where are you at with it? What parts do you think work, or maybe don't work?

Bob Flores: 33:52

What do you think? You know I might be the only tech guy out there that is never into video games, or never into games. I used to be before I started a company yeah right.

Bob Flores: 34:04

You know, like I just don't. You know if your audience works for it, if that's the carrot that your audience is willing to chase, then go for it. You know, I don't think that there's any real solid answer for that. It's know your audience and what they're going to respond to and then give them what they're going to respond to. You know, I kind of approach this from a different perspective. You know, if you're a bad guy and you're designing a phishing campaign to your point earlier sales guys respond to a different kind of phishing campaign than a technical guy would do those phishing scams. The guy who architected that phishing scam knows who his audience is and he is tailoring his phishing scam to his audience.

Bob Flores: 34:49

I think you got to do the same thing with your training. You know, know who your audience is. What are they going to have time for? Are they going to say I don't have time?

Joshua Crumbaugh: 34:55

for this.

Bob Flores: 34:56

I don't have time to play games. I got a quarter to meet man I got. End of the quarter is coming. I don't have time for this, all right.

Bob Flores: 35:03

Well then, let me get you the quick and dirty you know, uh, training, let me get you the bottom line stuff that you can get off your plate and you still get the knowledge and you can move on with your life. Other people who respond to that and like, hey, you know, I'll do this in my spare time, I like that, why not? I'll learn and I'll play a game at the same time and, who knows, I might win that Amazon gift card at the end of the month or whatever it is.

Joshua Crumbaugh: 35:26

Careful. It's a fish you know great. Speak to your audience. I think you just got to be in tune doesn't have quite as much experience as you.

Bob Flores: 36:04

Try everything that you can, keep learning and never give up. You know, that's just, that is the recipe for success. You just got to keep trying new things and and not giving up, and that that will lead you somewhere.

Joshua Crumbaugh: 36:16

Good, I guarantee it yeah, no, I like it, uh. I. I see it all the time where, particularly uh that you know, younger people and I think it's just part of being young are afraid of failure and I'm like you don't understand. The people that are the most successful in the world have failed the most.

Bob Flores: 36:37

Absolutely, absolutely, and it's only a failure if you don't learn from it. That has been my lifelong motto.

Joshua Crumbaugh: 36:45

Well then I have a few failures, because there's a couple of lessons I've had to learn more than once. Well, hey, this has been a really great podcast. It's a pleasure getting to know you. What's the name of your company that you're starting?

Bob Flores: 37:03

It's called Cyber.

Joshua Crumbaugh: 37:04

Sweep, cyber Sweep. Okay, so you're going to sweep the floor, clean up the mess.

Bob Flores: 37:11

Clean up the mess. We're going to sweep the network and make sure the bad guys are up the mess. We're going to sweep the network and make sure the bad guys are out of there.

Joshua Crumbaugh: 37:15

I like it. I like it All right. Well, stick with me for a minute. I'm going to say goodbye and end the stream here. But everyone, thank you for joining us for another episode of Fishing for Answers.