Cyber Storytelling: Cecil Pineda on Revolutionizing Security Communication, AI Threats, and Innovative Training Solutions

Show Notes

Cecil Pineda, the CISO at R1RCM, shares his journey into cybersecurity, emphasizing the importance of communication, emotional intelligence, and effective risk management in CISO roles. He discusses how emotional awareness and tailored training approaches can significantly enhance cybersecurity awareness and compliance across organizations.

• Importance of storytelling and communication in cybersecurity risk management 
• Emotional responses play a critical role in user learning and engagement 
• Value of marketing principles in cybersecurity communication 
• AI's dual impact: enhancing threats and defensive capabilities 
• Need for targeted and micro training in busy professional environments 
• Successful gamification and its cautious implementation in cybersecurity training

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Chapters

• 0:01: Cybersecurity Leadership and Communication
• 10:40: The Impact of AI on Cybersecurity
• 28:41: Effective Security Awareness Training Strategies
• 42:07: Trusting Your Gut

Transcript

Joshua Crumbaugh: 0:01

Hello and welcome to another episode of Fishing for Answers. Today I've got a very special guest. We've got Cecil Panita or Cecil the CISO. But I'll go ahead and maybe let you introduce yourself. Tell us a little bit about yourself.

Cecil Pineda: 0:22

Hey, josh, thank you for inviting me. Thank you for being here. Yeah, I'm Cecil. I'm currently the CISO at a healthcare organization called R1RCM, also co-founder of a local CISO organization here in Dallas called CISOXC.

Joshua Crumbaugh: 0:49

I've been doing cyber for so many years I forget when, but it's been a while.

Cecil Pineda: 0:54

Well have you gotten sick of it yet? Not really. You know, a couple of months ago when I spoke with our board, I kind of described what we're doing is really stressful and tiring. But they were laughing when I said but it's fun. It's fun to solve problems, it's fun to create solutions, it's fun to threat hunt, it's fun to comply with compliance and regulations.

Joshua Crumbaugh: 1:23

That's a little less fun, but the others I'll give you. Well, hey, tell us a little bit about how you got into cybersecurity to begin with.

Cecil Pineda: 1:53

Yeah, in the late 90s I was doing some programming development on very old platform that probably many people don't remember. You know. Faxbase, you know, in Asia started to be popular. I started going to selling and supporting networking devices. One day a large school ordered a bunch of routers and started getting interested about let me configure this. And then I started getting inquiries about firewalls and at that time those firewalls were super expensive, expensive and and they didn't do much and one of my friends said hey, you should start um reselling and supporting a checkpoint and I was the

Cecil Pineda: 2:54

second partner in the Philippines to sell and support the checkpoint in 2000. Oh, wow, wow. And after that I just got addicted with cybersecurity. We didn't call it cyber at that time, but it was really good. We started selling vulnerability assessments. My favorite was a self penetration testing and one of the local banks said hey, if you want to sell to me, show that you can. You know your team can hack into our network and it didn't take a long time it's probably minutes because their router was on a default password. So and we did our first business with that, and then the rest is history.

Joshua Crumbaugh: 3:47

So you've got a background in penetration testing, then, or at least you've had a chance to do some.

Cecil Pineda: 3:52

A little bit but a lot of it.

Joshua Crumbaugh: 3:54

I have much smarter technical team and my expertise is mostly selling it, documenting the results, providing recommendations, those kind of things much of being a cybersecurity leader really revolves around going out and evangelizing or selling the different ideas and just communication in general and how it really does require that you get up out of your chair and you go meet with the different department heads and just learn about what they're doing, because there's so much risk that's uncovered there. It sounds like you've experienced the exact same thing, right.

Cecil Pineda: 4:57

Yeah, I'm in many CISO chat groups and meetings and discussions and it is really part of our. I think many of the successful CISOs I know are very good in selling selling. Uh, risk selling solutions selling you know convincing leadership about. In fact, if you really look at it budget-wise, a lot of the people I know are able to get their budget are very good salespeople.

Joshua Crumbaugh: 5:30

I would think the sales extends down to the end user, selling them on why they want to make or create a good secure password, or selling them on why they don't want to click on that link or different things like that too.

Cecil Pineda: 5:45

Oh, and I would like to add selling to your auditors and to your insurance broker. It's uh one one of my interesting discussion with our uh risk team here. They are responsible for helping me, helping us uh get cyber insurance and you know we're trying to get as much coverage as possible and even though everyone has an increasing premium, we've managed to control our premium because I think part of that is we are able to sell to them. The program we built is, you know, is able to manage our cyber risk. Yeah.

Joshua Crumbaugh: 6:28

Well, and I mean no two programs. Look, you know the exact same and there's just so many variables in cybersecurity where you know, three companies can have the exact same technologies but one can be terribly insecure and the other one could be very, very secure, with the third being in the middle. So I can imagine, as an auditor, it can be very difficult to really read between the lines and tell the difference between the one that is secure sometimes and the one that's not.

Cecil Pineda: 7:02

So, being able to sell that I I can imagine being very, very pertinent and and uh, important there yeah I I was in a conversation with the cis a couple of days ago and we talked about the value you know, selling and the outcome is really I'm gonna I'm probably gonna hate saying this word is feelings, how you make the other party feel about your story.

Cecil Pineda: 7:33

I think it's. You know, telling the story, at the end of the day, is you want to see, you know, you want to convey, you want to make them feel that you have a good grasp of your program. And, yeah, it's a lot of emotions and it's a technical. A lot of the things we do is technical in nature but at the end of the day, we make decisions and we pivot based on how we feel about certain technologies, certain issues that we encounter every day.

Joshua Crumbaugh: 8:11

Absolutely. In fact, I would argue that emotions play a very critical role in cybersecurity. One of the things that I've learned is that at the moment a user realizes their mistake say, they click on a fish and they hit that landing page and they realize they made a know really good just-in-time learning, combined with that emotional response they're already having we get better results. And so I think emotion has an incredibly important part in securing our enterprise. And you know, of course, our industry is filled with largely with people that are, you know, very technical, maybe not as good at the social skills, and so, uh, I think that that's one of those elements that maybe doesn't get as much focus as it as it needs to. Uh, both from you know, the need for more sales in cyber security, and one of the things my big ones is marketing, how we've got to bring marketing into cybersecurity. And it's not just what you think or maybe it is, I don't know. I don't presume to know what you're thinking, but it's.

Joshua Crumbaugh: 9:36

You know, when I say bring marketing into cybersecurity, one of the examples I think of is when you look at advertising. Examples I think of is when you look at advertising, all of the ads that hit us back in the late 90s were more like 60, 45 seconds, you know, 30 seconds at the shortest, whereas nowadays, ads that hit us are five seconds, 10 seconds, 15 seconds long, with the longest ad being 30 seconds Right and, and I look at that and I say, well, you know the reason they're doing that is because of this behavioral science principle that talks about how that's one of the areas that we can be much more effective in with cybersecurity If we start trying to break our messaging down into its core components, make it as simple as possible and take up as little of the user's time as possible too.

Cecil Pineda: 10:40

Yeah, no, I was guilty of putting too much information in the past.

Joshua Crumbaugh: 10:45

I've been guilty of that too. We all have.

Cecil Pineda: 10:49

After many meetings with executive leaders, board of directors, and you're right, you can't send all the messages you got to focus on key items and then some key takeaways and break them down into several instances you don't just deliver everything because leaders have too many things in their mind. It's not just cyber, it's other things revenue, profitability but especially with speaking with business leaders you know profitability, but you know, especially with speaking with business leaders.

Joshua Crumbaugh: 11:28

I you know I used to have 12, 14 slides for my board presentations. Now probably four slides, yeah. And to echo that, I like to make a joke that when I was a pen tester, I was rigid and it was my network and you had to do things my way. Then, when I became a CISO, I learned to balance the use case and then when I became a CEO, I realized I don't care about cybersecurity, I only care about sales. Now I make jokes, but at the end of the day, there's a lot of truth there that it's the revenue that drives this and for that CEO or that any executive that you're talking to, they have a lot of juggling they have to do, and it means that your priority may not be the number one most critical thing to the executive. It doesn't mean they don't care, it just means that they've got limited time and so often, the more succinct you can be in your messaging to them, the more likely you are to actually get that positive outcome that you want as well.

Joshua Crumbaugh: 12:37

Okay, so we've talked about what got you into cybersecurity. One of my favorite topics is AI. We were talking ahead of time about how it's obligatory. We have to talk about it because it's a tech podcast. There's a law, I think, in Colorado or something. But jokes aside, let's start with the scary side of AI. There's a lot of threats that come with it. So, as a CISO, what are you sort of tracking as your biggest concerns when it pertains to AI?

Joshua Crumbaugh: 13:17

Well, I want to start with the bad guys.

Cecil Pineda: 13:19

first, we are know, even without the aid of AI, they're getting some wins here and there. And just imagine, with the use of AI it's going to exponentially increase their capabilities and they're going to use it in their ph fishing, in developing your exploits. We've seen those deepfakes are really believable. I've seen a couple actual deepfakes that are really I couldn't tell. We've come across a person that. I know that hey my father called me and for the first eight minutes she believed that was her father.

Joshua Crumbaugh: 14:14

Wow yeah, eight minutes, I mean.

Cecil Pineda: 14:17

And that's not just somebody you barely know, it's her own father, it was conversational oh wow, and however when they started talking about more personal, intimate stuff and she suddenly said, okay is not, this is not him. And for someone being on the phone for several minutes with someone that they think it's, they know it's scary because I said hey the, just the the tone, and it's, it's, it's really him and she immediately called me and told me the story that you know.

Cecil Pineda: 14:52

Good thing, um, she didn't send money. They were asking for like sixteen thousand dollars. Wow, he the father, the fake father, and good thing, uh, but of course, um, for her, it's wow. If this is happening to me and this is probably happening to other folks and again, that that's personal, but at the corporate level, many of my leaders have video samples online. Uh, voice samples that I heard they just need a few seconds of samples to create a.

Cecil Pineda: 15:28

You know a version you know a deep, fake version of your voice, so I worry about it a lot. We've done a lot of awareness campaign internally to hey spot them. These are the identifiers. Maybe you need a secret word or something to use within your family, within your corporate teams, to use it if you want to spot a deep take. On the positive side, I'm very I think we're entering this next. You know, when the internet came, it was a game changer. I think this AI revolution is going to be really good for many of us. Again, it's the same thing the good will come with the bad, and you know I see a lot of benefits a lot of improvements.

Cecil Pineda: 16:28

I work in the business of healthcare and I know we're going to increase our efficacy in many of the things we do using AI.

Joshua Crumbaugh: 16:38

Absolutely Like just being able to look at a patient's actual entire record. I mean, I know they've got all these health management systems, but I by no means have any experience being a doctor, but I do have experience being a patient and they are in and out of that room so quickly that I there's no way that unless it's like some really critical issue that they have the time to even have the full understanding of just my record. So I got to imagine that AI has stands to help immensely in areas like that. Diagnostics. I actually read that they expect us to pass the longevity escape velocity sometime in the 2030s, which means if we can live to whenever this happens in the 2030s, we can potentially live forever. Um, I imagine the key you know the caveat there is if we can afford it.

Cecil Pineda: 17:37

Uh yeah if we can afford it yeah, but they.

Joshua Crumbaugh: 17:42

It is really interesting, some of the the really cool stuff that's, uh, that's coming with technology right now. I mean we've got, quite literally, human brains in the cloud that we can rent. We've got photon-based processors coming out of China and now a university in the US. We've got, you know, internet that's a thousand times faster than what we currently have. I mean, it's just, technology is expanding at a rate. Well, I guess it is very much like the beginning or the birth of the internet.

Cecil Pineda: 18:19

All over again, it is all over and I think, in everything we do, I think AI will be there to support, assist, probably, at certain areas, even replace us.

Joshua Crumbaugh: 18:33

Unfortunately, you know it was Stanford University that was saying by all of our tests, they basically said we're running out of ways to test AI's intelligence and by all of the tests that we have, they're borderline or getting close to being as smart as humans. They said, but they're not even close to being on the adaptation to where they should be if it were actually that smart. And so they said but there's this missing element that we really have no way to measure, and that's the difference between being human and being artificial intelligence. And it's interesting, they keep giving them better reasoning capabilities, supposedly Pro is incredibly smart, but I don't know. Did you see the new Gemini 2.0? Did you get a chance to play with that yet?

Joshua Crumbaugh: 19:33

I don't know that yet but I'm a longtime user of.

Cecil Pineda: 19:37

Gemini, you know, Before I just used Google Search, Now I ask my phone and it even explains the answers.

Joshua Crumbaugh: 19:47

Yeah, no, I'm a fan too.

Joshua Crumbaugh: 19:52

And Gemini. The cool thing is is it has massive context windows so it can watch a whole video and give you a summary of it. In fact, I was playing with that notebook LM, and you can drop, like, if there's a really long article or research paper you want to read, you don't have time, you can drop it in and it'll create this podcast about it. Oh yeah, no, it's they, the AI. Even it says um and stutters and all of it just to make it and it's like back and forth two people in fact here.

Joshua Crumbaugh: 20:31

Uh, never mind, I can't do it in the middle of this, otherwise I'd play it for you, uh, but I, I had to do it about, uh, about the podcast, just because I wanted to load up every episode so that I had sort of a repository that I could go back and reference and I'm like, well, let's see what this podcast would be like and it's it's really interesting. I just the back and the forth. It sounds a lot like almost a Howard Stern episode. It's interesting. So you have to check it out at some point. But no, ai is really changing both the threat landscape as well as just about everything and coming up with a lot of new fun things, but certainly increasing the amount of attacks that we're seeing as a result.

Cecil Pineda: 21:17

Increase in the velocity. Just imagine being able if you're an AI hacker being able to create your own script on the fly. And then you see you got blocked. You create another way to get around those filters at a speed that you know you doesn't have to code again and just on the fly create another way of you know targeting a I mean you're making me miss the days of ethical hacking here.

Joshua Crumbaugh: 21:53

But no, I agree. I mean just the speed at which you can create custom tools. They've got this tool called Open Interpreter, where you can put large language models directly into the command line and you can give them access to Kali Linux and be like hey, do this. And if it's you know you're using, like the major models, they're pretty restricted. I say pretty restricted because all of these restrictions are seem to be keyword based, and so if you just like, tell the AI, hey, from now on, replace this word with this word, then it'll bypass any of the security constraints.

Joshua Crumbaugh: 22:34

Or the other one I've found is that it's all about that first prompt. If you ask it to do something outside of its guidelines, it has to be included, as to why, the ethical reason around, why in that very first prompt, and then 10 prompts later you won't even have to tell it why. It'll just do it. But if you ask it to do something like write a fish and it says no, you're never going to be able to convince that thread to do it. You're just better off moving to a new thread and starting off that way. Well, hey, one of my favorite topics that I like to bring up is what do we do with those chronic offenders in our cybersecurity teams? And there's two camps for cybersecurity.

Joshua Crumbaugh: 23:23

You've got the camp of carrot, camp of stick. I am very firmly a carrot, but what are you?

Cecil Pineda: 23:32

How do you?

Joshua Crumbaugh: 23:32

identify carrot or stick.

Cecil Pineda: 23:37

Quickly, I'm a carrot, but it is. You know, sometimes they're just different people. You know they're just repeat offenders and you may have to use a stick once in a while, but uh, I have I had three.

Cecil Pineda: 23:57

You know my three kids. They are grown up now but you know, um, I'm a carrot kind of guy. My wife is the opposite one and I've seen the benefit of doing the carrot. But I've also, you know, my wife's a disciplinarian and they change the behavior. Change is when she starts using the stick. What do you see in hip-hop? You know, you've done this so many. You've interviewed a lot. I'm interested to see what other CISOs are telling.

Joshua Crumbaugh: 24:36

Most CISOs are really big fans of the carrot. They think that the stick should be a sort of last resort. But there is the occasional person that I run into that heavily believes in the stick. I disagree, but I've had at least two firmly stick believers that have been on the show, and I'm not saying that they don't raise some good points, and I definitely think they do points and I definitely think they do.

Joshua Crumbaugh: 25:14

I just feel like we've got to start with the carrot and focus on motivating people. And you know, and unlike that, your kids, we can't exactly spank our employees to get them to, you know, to work better, or put them in timeout or like that. And so you know, for that employee, in my opinion, it's better that they want to change and that we've explained why and that we've used, you know, positivity to drive that desire, because they may comply if I crack the whip, comply if I crack the whip. But they're complying, they're not learning, there's no emotion put into it. They're going through the motions because otherwise they'll get in trouble, and I just don't think that's a real positive culture. Yeah, no.

Cecil Pineda: 26:03

I'm with you, but I want to share something that we've done at many places. I used to work and currently, today I hope no one at my employers listening there will be some. We always joke about this, josh. We've created some layers. We call this initiative called it Should Survive the First Click. This initiative called it should survive the first click, meaning, uh, even if you click it, we should have, you know, layers and layers, not just second, third, if I could afford it, we'll have fourth layer to, yeah, catch that. Because I think, especially with AI, all these phishing attacks are going to be just all these phishing attacks are going to be just more sophisticated, you know, especially if they started to profile their target. You know they know this person is big on certain food or certain basketball team or something. You know people could actually use AI to create something that will click, you know, make the person click it.

Joshua Crumbaugh: 27:17

Yeah, no, I mean, we built an AI that learns what you're most likely to click on and targets you accordingly. So if we, the good guys, have done it, I'm certain the bad guys have already done it. In fact, I've seen quite a few of those phishing attacks that seem like they were created with an AI.

Cecil Pineda: 27:38

Well, now we probably need to talk after this discussion.

Joshua Crumbaugh: 27:43

I'd be happy to, but no, there are a lot of these types of attacks targeting us every day and I see far too many that they almost had to have been put together by AI. It's just, there's no other way. And I know you don't want to be the first person to cry Skynet or whatever, but that's a joke. Net or whatever, but that's a joke, believe it or not. We wrote one article about the talking about AI driven phishing and we called it the real sky net or something like that, and to this day, that drives an insane amount of traffic on Google to our website just every day as people searching skyet and AI. So clearly the average person is a little bit concerned. So okay, so we've talked about carrot versus stick.

Joshua Crumbaugh: 28:41

Another topic that I like to really hit on, and I think it's particularly well for the healthcare industry, is micro training. So, in my experience, particularly doctors and I don't want to pick on doctors themselves, but they're very, very busy and because they're busy, they don't have a lot of time to do security awareness training and that can make it difficult to you know, just for them to find the time to actually do it and sort of move on, and what I've found is that the shorter the training, the more effective it is, particularly with people like that. I'm curious, and if you can't answer this, that's fine, but is that something that you've seen, where doctors just tend to be too busy for the training?

Cecil Pineda: 29:37

Well, unfortunately there's no doctors in our organization, but we do have a lot of executives.

Cecil Pineda: 29:44

Everyone at my company is incredibly busy and I know many of them think that our cyber security training is just something that they just have to do. But I could tell you that I don't think their whole heart and their whole. You know, attention is in the training and that's why I in the training and that's why I I actually, just few days ago I reassigned one of my leaders in my team to uh, to fully engage the organization to uh and I want him to focus 90 of this time on awareness and uh. You know they're their first line of defense, they are the first one to get all.

Cecil Pineda: 30:30

You know we have all these tools that block many of this, but we don't block 100 we block, like maybe 99.9, they're still that are going through the filters to our policies, to our tools and umi really want in 2025, I, I want to develop more targeted training to finance, you know, to HR, and probably break them down to more meaningful pieces instead of having them stay for 30 minutes and you know everyone's so busy.

Cecil Pineda: 31:05

In fact, I noticed that some of the training are being done after work because that's the only time um they have time to go through training and I just feel, bad because you know, I wish I have you know most companies would have the means to, or companies like training awareness tools out there to create those micro, micro training and, over your next slide, role-based thing. Yeah, because I think go ahead, it's important. It's important that people get a, a training that's modeled after what they do in a company.

Joshua Crumbaugh: 31:49

You know, there was a study that found that when the training was contextual to the person's role, that it was 15 times more effective. Oh, 15x more effective. But it makes sense, because no longer is it this random thing that doesn't apply the second you connect it to their job. Whether it's IT, whether it's networking, whether it's cybersecurity development, it hits home a lot more and people are so much more likely to listen.

Cecil Pineda: 32:24

Yeah, they can relate to you quickly they can relate quickly.

Joshua Crumbaugh: 32:28

Yeah, exactly, exactly. So you hit on a couple. I think you said HR, I might have heard finance. What roles are you looking at as sort of those critical roles that maybe you know? When it comes to role-based training, it's hard to just hit everybody out of the gate. So it's one of those things where you tend to prioritize specific roles. And I found a couple of things through this podcast. Number one different people look at roles in completely and wildly different ways. Well, I won't give examples because I want to throw off your answer, but I'm always curious what different leaders are looking at in terms of what roles they would start with from a role-based training perspective.

Cecil Pineda: 33:21

I actually working on reviewing our executive training. I think I want to start at the top.

Joshua Crumbaugh: 33:28

I like that.

Cecil Pineda: 33:29

My executives are not going to be happy when you roll this out, but of course I'm going to make sure that my boss will approve of this, probably that's my first step is the executives. Then you know we work in a healthcare environment and there's risk everywhere. So you know I'm gonna start. You know departments or people where we have the greatest risk. I don't wanna wait if you know if I could roll it out tomorrow, I would do it. I've asked my guy to start developing a more cohesive, more targeted cybersecurity awareness for 2025.

Joshua Crumbaugh: 34:13

And I'm pretty sure he's doing his job right now.

Cecil Pineda: 34:15

Maybe he's listening on this.

Joshua Crumbaugh: 34:18

Hey, if he's listening, we're giving him all kinds of really good advice, right? So well, really really great information, really really great information. You know, one of the things that I've been interested in and hearing about how different people are doing it is gamification, and so I'm curious A if you've done any gamification around awareness and if you you have maybe what it looked like and what were the results.

Cecil Pineda: 34:56

I'm really torn on this subject. Uh, josh, because I think it goes back to the topic we had 10 minutes ago about the busy schedule, and I'm a big fan of gamification. I've used some of them in more targeted, you know similar to like a very attending, the more problems you're solving. We really love the platform. However, it's not cheap. About 40 to 50 of my team members are enrolled in it and the first few months the adoption is very high because they want to be on the leaderboard the adoption is very high because they want to be on the leaderboard but at the same time, especially people in cyber.

Cecil Pineda: 36:00

Essentially every part of the organization I work for is so busy. I would really find if there are tools, if there are awareness solutions out there that can combine this micro-based training, the role-based, that are also gamified, but something that's also not taking a lot of time. I think that will be a really good day. My folks were enjoying it. Now remember the first three you know that's like fish firewall sales pitch.

Cecil Pineda: 36:30

You're like doing it for me the first three, four months this platform I was using. It's not an awareness tool. It's a technical cyber security training platform for soft analysts for incident response forensics. It's really good.

Cecil Pineda: 36:48

um, it has some modules for beginners or anyone who's entry level. It has a lot of modules. It is gamified with scores. The thing is also in a. What I noticed is the first three or four months the adoption is very high. Then it started to wane. You could see the adoption is going down and I wish I'm pretty sure the developer of that tool is thinking about how to sustain the adoption, but I don't know. Hopefully there's something out there that will analyze also the adoption, find a way to make it more interesting, you know, maybe by using more different games in it, you know yeah.

Joshua Crumbaugh: 37:40

By the way, I'm a little conflicted on gamification as well. I think that it can be effective, but you have to be really careful in how you use it, because A being mindful of people's time At the end of the day, everyone's at work to drive business, not to do their training or play games or things like that. And so definitely have seen areas where it was done maybe ineffectively, like where it's hey, play this game, which is great, you can play the game. But often playing a game doesn't necessarily relate or return in that person actually being more secure and most people wouldn't want to play it anyway. And so I've certainly seen that.

Joshua Crumbaugh: 38:32

I know what we do is we try to make it more of a game of cat and mouse around the fishing so that that fishing, if they do click on it, it doesn't feel like a big betrayal, but we're also warning them ahead of time to create that vigilance around it. But so we found a happy balance there where we make the fishing a game but we don't have these. You know, hey, let's play a game and learn about cyber, and you know, it's like star. I don't know whatever. I'm trying to think of games from back in the day, but they're always like these, these games that are based off of like the ones we grew up playing, games that are based off of like the ones we grew up playing.

Joshua Crumbaugh: 39:16

So, um well, very cool. I I appreciate all of the, the really great advice that you've given today. Um, I'd like to end every episode by just asking, you know, if you had three bits or even just one bit of advice. If you had three bits or even just one bit of advice that you would give to either you know, even your team, or other people that are trying to build out an effective security awareness team or training program, what would your top tips sort of be?

Cecil Pineda: 39:52

My goodness, we discussed some of them. Well, you can repeat them it's okay I think top of mind will be uh, probably content wise it has to be. Uh, you know you've seen those. And uh, super bowl commercials. You don't have to produce an expensive one, but I think they should be, you know, will catch your attention, you know, even for a few minutes, you know you remember those? Things that are really impactful, and I think that's one is the messaging should be crisp, clear, short, you know, if possible.

Cecil Pineda: 40:34

Yeah, Simple and you understand yeah and something that you know people forget when they leave that session, when it's impactful, when they see an actual fishing is oh I remember this.

Cecil Pineda: 40:52

You know they kind of connect those dots. I think that's really important. Um, I think, um, creating custom uh training for different types of users is really important. Um, people working in human resource should not should have a separate module. If there is something that are developed and again going back, it should be interesting. It should be something that people are just dreading to go to. Those pages Create something that's impactful and applicable to their day jobs and a lot of the things.

Joshua Crumbaugh: 41:44

They could just rewind it. Still, I like it. And to echo what you said about people remembering those different red flags, and it crossed from one fish to another, there is this behavioral science principle called identical elements theory, and it's the reason that when you buy a new car, you start to see that car at every red light. You know other people driving it. But it talks about how, when you learn about something really well, you'll start to see it everywhere. About how, when you learn about something really well, you'll start to see it everywhere.

Joshua Crumbaugh: 42:19

And I bring that up because I always like to give my number one top bit of advice for avoiding fish. It's not hover, it's not even think before you click, it's trust your gut, because our body does have a built-in defense mechanism that can spot fishing attacks. It just needs to be trained, and the more of those simulations or even actual fish that we go through, the better we get at detecting those things. And so I always just say trust your gut. But they've actually found that people that have gone through a simulation are over 70% less likely to fall for that same fish in the wild. So that that's part of the reason we run them Right, yeah, all right. Well, hey, cecil, stick with me just a little bit longer, but for the audience, thank you for joining us for another episode of fishing for answers. Have a great day.