
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
From the Air Force to CISO: Ellison De La Cruz on Cybersecurity Leadership, AI Advancements, and Enhancing Threat Awareness
Ellison De La Cruz, a seasoned cybersecurity leader, shares his journey in tech and invaluable lessons learned in the changing landscape of cybersecurity. The episode emphasizes the importance of soft skills and behavioral science in security, exploring the relevance of role-based training and insights into evolving threats like phishing and AI.
• Transition from technical skills to leadership roles
• Importance of understanding behavioral science in security training
• Role of AI in shaping cybersecurity challenges
• Necessity for role-based training in enhancing effectiveness
• Stories highlighting the impact of human behavior on cybersecurity
• Advice for aspiring CISOs and the significance of continuous learning
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Joshua Crumbaugh:Hello and welcome to another edition of Phishing for Answers. Today I've got a very special guest, a CISO of IBR, and this is Ellison De La Cruz. He is a very experienced CISO. I see you've had that job title quite a few times and have been in tech, well, pretty much your whole career, right? So how did you get into tech, and the sub-question of that, cybersecurity? And yeah, just tell us a little bit about yourself.
Ellison De La Cruz:Sure, sure. Ellison De La Cruz. I started getting into tech when I was younger, but professionally I joined the Air Force and they trained me, just like most of the cybersecurity folks, and during that time cybersecurity wasn't really the name. It was something about computer security, cryptography, information assurance, security. So a long, long time ago, I made a very junior mistake of asking a question that one of my senior NCOs was asking, is: hey, who wants to? We need to do a mission and it needs to be secure. And I said, what does that mean? And then I got blessed as the guy that makes it secure. So during that time I learned a lot. Right, I had to call some very, very senior folks within the Air Force just to get on a complete mission, and that was my trajectory into cybersecurity.
Ellison De La Cruz:Ever since, they've sent me to a few courses, both, you know, commercial courses and classified courses, and eventually I landed a job with Northrop Grumman, which also involved, you know, network engineering, cybersecurity in general, and so on and so forth. We did great things at Northrop Grumman and I got a call to move to Germany with another company, another cybersecurity thing. So we did security operation centers throughout UConn and the Middle East and then, when that job was almost ending, my boss at that time said, hey, if you don't want to leave Europe, I know somebody who could use your skills. So I ended up working for the United States European Command as a cybersecurity professional, and at that time, after COVID, I was getting ready to go back to the States and my new boss, the CEO of Imagine, booty VRLI, thought that I'd be perfect for the job. So here I am.
Joshua Crumbaugh:All right. Do you miss Europe?
Ellison De La Cruz:I do miss Europe. I go there once in a while, so I get to relive the experience over the last 11 years, but I do always miss Europe. It's quite an experience every time I go.
Joshua Crumbaugh:I agree. I've been to quite a few places, but not enough. But I actually just gave a keynote a few weeks ago in Stockholm, and while I was there I was able to go up into the Arctic Circle in Sweden and Lapland. There was no snow, but you know, it was way warmer than it was supposed to be when we first got there. There was grass. Fortunately, there was snow by the time we left, but no, it was just a phenomenal experience. We even stayed in an actual hotel made of ice, so very nice, a little bit chilly, but other than that I'd say a phenomenal experience.
Joshua Crumbaugh:Well, that's a very cool story. So you've been with this company now for quite a while then, or a few years, yeah. In your career, what are some of the biggest lessons you learned? I know myself, as I've sort of gotten more and more senior in my career, things that I, you know, really hard beliefs I had when I was a little more junior sort of become or melt away, and I realized they were often wrong. Anything like that with your career?
Ellyson DeLaCruz :Yeah, yeah, absolutely. I've learned quite a bit. So, just like for most professionals, we start out very technical right. So you're on hands-on keyboard and you're hyper-focused on what you're trying to do on that equipment, whether that be something that you're building or something that you're troubleshooting. And, just like you said, joshua, the biggest thing at that stage in your career is you're building the technical skills to actually deliver something.
Ellyson DeLaCruz :And as you move up, what generally happens is that you'll have folks that you're mentoring, folks that you're training, and you start to build those technical skills along with interrelationship skills and then, while that's still happening, you'll have the direct mentorship one-to-one direct mentorship at that early supervisor manager level.
Ellyson DeLaCruz :But when you move off the director, senior director, in the C-suites, your perspective is a little bit different, because now you're trying to drive a ship that's not necessarily pivoting on the way that you are, and this is really, I think, the lessons learned is that you build interrelationship skills early on so that later on you can navigate the variety of personalities that you're going to run into. Each individual have their own drives, they all have their own motivations, they all have their own way of working and, especially, they like to be praised in different ways. So as you move up in the ladder, you need to understand those kinds of soft skills and ensure that you can actually drive the organization, given that you don't have direct pivoting skills anymore. Right, you have more governance skills, but your pivoting skills are a little bit limited just because of the sheer size of an organization, especially as they get larger.
Joshua Crumbaugh:No, I like it, and that is probably the number one bit of advice that CISOs give on here, or CIOs give, is that you really do have to be very social in this job, and I know that's one of my pet peeves, and one of the things that I often speak about at these conferences is how we've got to understand the behavioral science, the psychology side of all of this, and I think it's not just from a leadership perspective, but to me, that is one of the most critical aspects.
Joshua Crumbaugh:That's missing from most security awareness programs when I look at them, is that there's no understanding of how people learn or different things like that. All the understanding is around the technical, so what is the threat and what do I want to train them on? And while that's good, it really makes it very robotic and less personal, and I think, on top of that, Hollywood is just making things 10 times worse, because every time you see a hacker, they're the genius or whatever, and so they glamorize this thing, and so I feel like the, and this is just a personal opinion, but I feel like the average user is intimidated by that, and when we make our training technical, or too technical, rather, it just turns them off and they immediately shut down. And if we make it simpler, they're more likely to listen.
Ellison De La Cruz:Absolutely. Yeah, you got to meet them where they actually get to absorb that information. Absolutely.
Joshua Crumbaugh:I like it.
Ellison De La Cruz:Commentary, Joshua.
Joshua Crumbaugh:Well, hey, that's a really great bit of advice. While we're still on the personal side of things, do you have any hobbies outside of cybersecurity?
Ellison De La Cruz:I have a few. When I was younger I used to play chess. I don't do that quite as much; you probably wouldn't, you'd probably love me. The family likes to travel. We try to do that as much as we can, and then outside of that, it's like hanging out with my kids. You know, just making sure that I spend time with them, you know, attending whatever activities that they have; that can be a full-time job in and of itself. I live in Orlando, so there's no shortage of theme parks and whatnot to do, right? So you know, if I was younger, I did have a motorcycle, but then, you know, the priorities change after a while. Right, you don't want to be a little bit risky when you have a family.
Joshua Crumbaugh:Yeah, no, I completely agree, and I wonder sometimes if I miss out on a little bit of fun because security almost made it worse, because I have to think about how things can go wrong, and so it becomes like ingrained in you, where everything that you do you're thinking about how things can go wrong and, next thing you know, well, you know, somebody might break a leg, so we're not going to do that. That's really great. Family balance, well, just work-life balance, I think, is really critical too. One of the guests actually I had on earlier today was talking about that, how you have to make time for it if you're going to burn out.
Joshua Crumbaugh:If you are 24-7, all about cybersecurity all the time, while it has to be a passion and something that you really do care about, you have to know when to put it down too. So have you in your career ever been involved in a real incident? We don't need to know with who, what happened, any details that might be confidential. You know, what I find is that almost all incidents have some good stories around them and some good lessons around them that can sort of be anonymized. And I was hoping maybe I could get you to, if you have one, maybe share one of those stories.
Ellison De La Cruz:Definitely a few. Right, I'm going to try to share the story where we actually, maybe part one, not real, but it was more of an exercise. We learned quite a bit. You know, in the military we do a lot of exercises and part of those is a cybersecurity exercise. Earlier in my career there was a cybersecurity exercise where, you know, the tactics were supposed to be, a red team was supposed to just be outside of the wire and can't even get to the base, and their objective was to get into the most classified, you know, systems. Long story short, we learned a lot from those lessons. They were fairly successful, but one of the things that actually came out of that was the personnel that were able to stop the red teams were the ones that were not necessarily technical, like you said, Joshua. They were more of the ones that were very, very focused on exactly the things they were supposed to be watching out for and the mission that they were supposed to be watching, and they actually interrogated some of the red teamers. So what really happened was it went from digital to actually more physical, where the red teamers were successful in getting into closed areas. And if it weren't for our typical employees that are not part of a technical team, they're not part of a cybersecurity team, knowing their training, then they could have probably gotten there.
Ellison De La Cruz:So those are exercises, which kind of opens up the whole door of what could have been happening. From real cybersecurity incidents, I've been part of the cybersecurity incidents where we've actually seen the impact on the dollars. Back in the day, right, so there's these voice systems. We were transferring from the traditional telephones to now telephony to voice over IP. And what really happens there is, if you don't secure those systems, you could get attackers coming from different countries to just use their telephone system for international calls. So a long time ago, it was not cheap to just communicate with anybody on the internet, but nowadays it's ubiquitous, yeah. But because it wasn't cheap, you'll have attackers just using your telephone system, not necessarily to destroy, but just to kind of make those phone calls and make it cheaper.
Joshua Crumbaugh:Yeah.
Ellison De La Cruz:That was a very, very interesting thing. We did the investigation. It kind of turned out to be something that's, you know, as you could probably expect. You know, some of the third world countries, or, you know, not so well developed countries, just because those are things that they could probably capitalize on, just be sure.
Joshua Crumbaugh:No, it makes perfect sense. In fact, it reminds me, you bring up long distance charges. When I was a teenager, probably a freshman in high school, maybe even eighth grade, something like that, I wanted to get on the internet at home and we had no local ISPs, because I'm up in rural Michigan, and so even AOL, there were no local numbers. It was long distance to call them. But I realized at the time that the library, the schools, all of them were on the internet all the time, and particularly the library was dialing up. And so I'm like, okay, they must have a local number. And so I go in, find the configs, find the username, the password. I just go plug it in. Next thing you know, I'm on the citywide network, I can see all of my teachers' computers.
Joshua Crumbaugh:The funny part is, I mean, I just used it to get free internet. And I tell my parents, oh yeah, the internet's free, it's a, you know, US government thing, right. And it's, I don't know, like three years later, and they move, and my dad's like, well, where's that free internet? I'm like, oh, I need to tell you something about that. What's funny is I actually know quite a few other people that did those sort of, like, I don't know, non-malicious hacks, and it was almost always around that exact same thing: how do I get on the internet? For people our age, that was the goal, like get on the internet as quickly as you could. So very cool. So, since we're on real stories, why don't we jump straight to phishing? Phishing attacks, they're only getting more complicated. What are some of the more recent or more scary attacks that you've seen? Just targeting your organization, your friends, your family, whatever.
Ellison De La Cruz:Yeah, absolutely. So this is probably happening to every single organization out there, whether you're small or large or enterprise scale. What really happens is, some of our adversaries, they're scraping, like, social media, and they're looking at LinkedIn, who actually got hired recently, and they already know the typical naming convention of an email. They already know what the start date looks like, they have a fairly decent intelligence on who works there, and you now see not only phishing but you also see even just the typical text, because they'll know the leaders of the organization, and they'll try to influence you by knowing a fairly decent amount of specifics about the organization.
Ellison De La Cruz:So it could be like your high-ranking CISO or CIO or CTO or a senior director within their organization. As a new employee, you'll get a text that says, hey, this is so-and-so, I'm in a rush, I have a plane to catch, or whatever, but I forgot my phone, I forgot my wallet, whatever the case may be. And it's very rampant. You hear it quite a bit, where the gift card scam.
Joshua Crumbaugh:Yeah.
Ellison De La Cruz:But on top of that gift card scam, I've seen where they've elevated that attack vector, the human-side vulnerability, where they're actually using sirens. They have a geolocation now, they understand where you're generally at, and then they understand the mechanics of the work environment, whether that be a remote working environment.
Ellison De La Cruz:Yeah, like the organizational hierarchy and things, yeah, and then they'll even do phone number masking and things of that nature.
Ellison De La Cruz:So what we generally advise our organization is that if you have a sense of a feeling that this is not quite what it normally is, even in our onboarding process we'll have this idea that we actually, on onboarding, train our employees that this is something that you're going to encounter, whether now or in the future, and the key step is to pause, right? If it's super urgent, a few more minutes of actually thinking it through might not necessarily be a bad thing. And validating out of band, meaning that, you know, a special phone number that you already know, that it is something that you've already contacted before, and make sure that you actually have positive contact, meaning it's a voice, a video, out of band, and where it's not the solicited, you know, the same nature as the way you get solicited. And you'd be surprised to what extent these phishing attempts or smishing or whatever you call social engineering, you know, tactics could, what lengths they go through. It's really just fascinating in one way but very, very scary in another.
Joshua Crumbaugh:I wouldn't be surprised. I have close to a million users with report buttons on their desktops. So I see all of those reported phish, and spot on. I mean, they're very targeted. One thing that I've found interesting is that when we hire a new employee, they'll almost always get a phish. But they'll get a phish from a local phone number. It's not just that it's a random phone number, it's that text message from a local phone number saying, hey, it's me. And when it's not local, I've noticed that almost always it goes back into my history, where it's from another region where I used to live, which maybe the employee doesn't catch, but I'm like, okay, they know more about me than I'd like them to know.
Joshua Crumbaugh:One thing you hit on there that I want to dive into a little deeper is around when something feels off. So, one of, so my background was as an ethical hacker. I've spent almost as long in tech as you, not quite, but almost as long, and almost that entire time was running red teams, being on red teams, working for everyone, from major casinos to Fortune 50s to the federal government, and, right at the very beginning of my career, got deep into social engineering because it turned out I was really good at it. And just physical assessment after physical assessment, I'm getting into places and things I shouldn't be able to get into. And that actually led me to my passion of how do we use social engineering as a form, or as a tool, for good. And that's really not social engineering. It's really more about behavioral science and psychology and how do people learn and how do people defend.
Joshua Crumbaugh:And one of the things that I've realized is that almost always, whether it's phishing or a real incident or large incident, you see that employee they say the same thing almost every time. I knew better. I know I should have known better, everything was there, but they make comments about how there were red flags and they ignored them. And to me, that's one of the most critical elements, because our subconscious is our brain's antivirus. It's our you know, it's the defender, it you know something's flying at our face. It's what causes our arm to jump up in front of it and our eyes to close without us even thinking about it.
Joshua Crumbaugh:And the same thing can happen with phishing, where they avoid these things at a subconscious level. Now, while that takes a lot of training, and, you know, training your subconscious to understand how to spot phishing attacks, what doesn't take any training is just trusting your gut. When something feels off, always pay attention to that, and 99 times out of 100, it's actually off, it's malicious, it's not good, and so I tell people, you know, when you get a gut feeling about something, just delete it. If it's important, they'll write you again, but, you know, and you can always tell them why you didn't trust it.
Ellison De La Cruz:Absolutely. Yeah.
Joshua Crumbaugh:Yeah, perfect advice, yeah. Okay. So, moving on to another topic that I think we're required by law to talk about on any technology podcast: AI. When I say AI, what do you think of in terms of what you need to be educating your users, your clients, about? When it, you know, AI brings a lot of opportunity, but it brings threats and, more importantly, it brings training gaps.
Ellison De La Cruz:Yeah, yeah. So the funny thing is, before AI became popular, I actually took a class in AI when I was an undergrad years ago, so my introduction to AI was not the same thing as what most would call AI.
Ellison De La Cruz:Imagine, yeah, agentic AI, these new ways of thinking about AI, was not how I got introduced, right? So it's definitely more machine learning, algorithms and the way most statistical models work for prediction and whatnot. So now that we are in generative AI, agentic AI, the fascination of how things could look almost as real is kind of changing the way we perceive the quality of information. Before, you would normally get cues off of the quality of information just because the technology at that time is not as good as, you know, maybe an artist would draw it or maybe a writer would write it, but with AI it's seemingly even better than human. So now it's almost reversed.
Ellison De La Cruz:What I see is that if it's way too good, it's way too well-written, you might also need to take a pause. But before, if you imagine and remember, it was more of an email with grammatical errors. I think there was also psychology there that was actually embedded to make sure that there were grammatical errors, because I think that attackers were also thinking, if you still clicked on something that had grammatical errors and it's poorly written, you're more than likely to lower your guard and trust it. You know, all the better anyways, but now it's also reversed, right? If something looks fairly well-written, completely reversed, yeah, it's something that, quite, you're not thinking.
Ellison De La Cruz:Okay, this looks a little bit too generative or a little bit more autonomous and a little bit more targeted. Right, because we know, like you mentioned, Joshua, from a behavioral aspect, most humans will not necessarily, most people will not necessarily, remember who they encountered over the last few minutes. Right, we have the recency thing, where the first thing that you hear and the last minute here are probably more recent for you than the things in the middle. But during the course of the conversation you introduce your name, you talk about a little bit of stuff and you walked away and you already forgot the name. But now, because of this...
Joshua Crumbaugh:I do that all the time. I'm terrible at that.
Ellison De La Cruz:Now you know. Can you imagine a world where things were, you know, automated and just agent-based, and now you have super, you know, super memory, right, and now you know exactly who you talked to and what to talk to. Having it a little bit way too real is probably another red flag that you're probably going to be needing to get trained on in the future. So I'm not saying that AI is bad. It's just probably one of those things that we'll just need to be aware of so that the level of trust and level of confidence based on our interaction is a little bit more improved as this technology actually becomes part of our lives.
Joshua Crumbaugh:Yeah, and I mean Google's voice uses uhs and ums and pauses and, like, has all of those human-like characteristics. I was, yeah, no.
Joshua Crumbaugh:I was playing with it and I had loaded up all of my podcasts. I was like, okay, let's check out how good this thing is. So I give it all of the YouTube links and within seconds it has all of the data organized neatly, and it, you know. So I tell it to create an audio clip for me. And not only does it sound a little bit like the Howard Stern show or something like that, but the humanizing aspect of them saying um and pausing and mulling over their words just like we would was crazy.
Joshua Crumbaugh:But to highlight one of the things you said, the advice we used to give about how to spot a phish is the exact opposite nowadays. It's completely flipped on its head, and I think that's part of the reason we got to talk about AI and really dig into what are the threats, what are the opportunities, how do we protect it, how do we train our users about it, how do we write policy about it, how do we govern it? I mean, there's just so many questions as it pertains to that, and if we're not asking them, then we're already behind the eight ball, right? So, you know, it's, I don't know. It's interesting. Now, one of the fun things I like to ask everybody, because there are two very distinct camps in cybersecurity: carrot or stick. Say you can't use both, you have to, you know, choose only one. Which one do you choose?
Ellison De La Cruz:If I was still in the military, I probably still... I am still in the military, but there's a tendency to use stick. But recently, I guess because it's probably part of my recency bias, I've been kind of listening to this book about gratitude, right? So gratitude is attitude, and some interesting things about that were, personnel like to be complimented, and if you want something to reinforce, then you praise in public, correct in private. So I believe that if you are going to reinforce positive attitude, it's definitely good to show carrots, especially in public, and I'll probably stick with that with the majority of the situations that I'm in.
Ellison De La Cruz:But for the most part, right, there's definitely hard sticks that you need to enforce, but those are actually done a little bit more in private than in public, and by nature, as humans, we don't like to be called out, and by nature you make more enemies doing that, and just because you don't see it doesn't mean it's not happening. So positive relationship, reinforcement learning, just like an AI or machine learning, I think is a better way to go. And I go with that idea that people might not necessarily remember what you said, but they definitely remember how you made them feel, and knowing that they encounter positive engagement with you probably makes you a little bit more trustworthy and a little bit more believable, which hopefully turns into positive actions in the future. Right, meaning that they're gonna be more supportive of the campaigns that you're gonna do from any price-wide organizations, more than they're gonna be unsupportive.
Joshua Crumbaugh:So you mentioned something that I think is really critical. They don't necessarily remember what you said, but they remember how you made them feel. So I'm a big fan of phishing simulations. I feel like I need to put that disclaimer out there first. But I've also seen phishing simulations create very negative experiences for employees. Have you ever experienced that and, if so, what sort of measures did you take to help mitigate that?
Ellison De La Cruz:There's definitely negative experience, especially if it was real, right? So those things that they were so close to getting scammed or they were so close to actually losing money, and having the support system is important to have that conversation, not just because it's important to talk about it, but also it's important to get off of the feeling of, I was so helpless and I didn't feel like I could talk to anybody. Unfortunately, it's going to happen, even for our most senior professionals in cybersecurity, in IT, who think that they should know better. There's still a lot of things out there that we're not quite as exposed to, especially for me. You know, I tend to look for the positive in individuals and always want to give them the benefit of the doubt. But there's also that, you know, that feeling that, okay, how far should I take the benefit of the doubt?
Joshua Crumbaugh:Snowden had a bit too much benefit of the doubt.
Ellison De La Cruz:But going back to the idea of the negative feelings, I think it's just a matter of us talking about these kinds of campaigns, because we tend to train each other. And going back to our previous conversation as well, the more we see there's different kinds of new avenues of phishing, new ways of delivering social engineering attacks, the better informed we are, right? Even in NotebookLM, like you mentioned, that voice is fairly familiar now because I've interacted with it. But folks who haven't interacted with that voice might not necessarily know that that voice came from NotebookLM. And then I've even seen an AI being deployed out there where you can record a voice and now you can mangle your own voice and do that as well. Knowing that those technologies exist, it's just part of the awareness campaigns that we might have not incorporated yet into our cybersecurity awareness programs.
Joshua Crumbaugh:In CapCut, because I use it often for editing videos because of this podcast. But in there I can change my voice too. I mean, they've got a catalog of voices, everything from, like, you know, the cartoony type stuff over to just other male voices, and it's crazy because not only does it change the voice, but it keeps all the emotion, it keeps the lips perfectly in sync, and you can't tell that it's an AI versus a real voice. And they've got cloning tools now where you can just impersonate somebody. You get just the smallest bit of their voice. Heck, this podcast alone would be enough to get both of our voices. Not trying to give any of you bad guys ideas here. I don't think they watch the show, but, no, it might be. Okay.
Joshua Crumbaugh:Well, I want to make sure that we've got plenty of time to cover all of the topics, so one of the ones that I like to dig into is role-based training. It's not one of those things where you can just educate everybody, but it is something that's talked about a lot. I know the military, they've done some of this, but I really think that, as said, the commercial sector is way behind. Even the military is a little bit behind there, and there's so many unique threats that each one of us face that we need more customized training. In fact, I saw a study that said that training that is customized to the person's role is 15 times more effective. So to that, what roles should be being prioritized, or what roles would you prioritize?
Ellyson DeLaCruz: For training.
Joshua Crumbaugh: Yeah, for security. You know, custom, like role-based training, security awareness training, but an example might be OWASP Top 10 training for your developers.
Ellyson DeLaCruz: We have a variety of things that we were involved in, but I think I could probably parallel task certain things depending on the context of the situation.
Ellyson DeLaCruz: So definitely for me, having the user base out there informed of all the things that they're going to get exposed to, whether that be within our organization or in their personal lives, is very important, just to kind of have that baseline training.
Ellyson DeLaCruz: So that particular role of just a general user base is an ongoing thing. We always have campaigns every week that kind of reinforce that model. We also already have role-based training that's only for our software developers, and that happens as part of their roles, meaning that not only are they kind of trained on where to get code and how to curate code and how to test code, but also to understand the different nuances about integration testing and unit testing that they may be exposed to. Because we incorporate in some of our projects not only the actual shift-left approach but also the dynamic testing that needs to happen after the code is repackaged, before it goes to deployment, just because as a software development organization we prioritize our tech employees to have that kind of very specific training. But, just like any profession, we still have the responsibility to make awareness out there from the lowest common denominator, and each employee will get the annual or the quarterly. I think it feels like an organization, and weekly testing within the organization to make sure that the reinforcement happens.
Joshua Crumbaugh: You know, we found that developers are one of the more risky groups in terms of phishing susceptibility.
Joshua Crumbaugh: That one actually was a little bit surprising to me, but when you think about their job and what they're doing and then combine that with the types of phishing attacks they're susceptible to, it makes sense.
Joshua Crumbaugh: But you know, what I found interesting is that not everybody clicks on the same things, and so I know one of the things that we've been really focused on as an organization is role-based phishing as well. You know, phishing your developers according to their role, phishing your finance teams according to their role, and that's really the one that inspired it: we were seeing all of these phishing attacks specifically targeting finance teams or IT teams, and, you know, we've seen them targeting dev teams, and so, you know, the idea was, well, if the bad guys have role-based phishing, we've got to develop that role-based phishing as well to ensure that your people are trained for it. It sounded like you've seen at least a little bit of it, because when you were talking about the text messages for people that just start at the organization, you mentioned that they understand a lot about the employee. Have you seen any of that sort of targeted, role-based phishing from the bad guys?
Ellyson DeLaCruz: Yeah, so we hire quite a bit of developers, and it seems like our adversaries have the same database access that we do, right?
Ellyson DeLaCruz: It does seem like it sometimes. Curating the, you know, the open source of recruitment, right, the Indeeds, the LinkedIns, and understanding, navigating around who's in the peripheral area, the geographic area, the geographic regions that they might be interested in. So they use similar technologies that we would use to target our campaigns to hire employees that might be interested in working with the company. But with that we've seen, definitely, that some of these attacks are a little bit more real in the sense that the timing seems a little bit too realistic. So, for example, somebody might see that I'm on travel, so they know that I'm not actually at home. And because my employees know I'm on travel, they might actually get a text from me that's relevant about travel and getting delayed and so on and so forth.
Ellyson DeLaCruz: And they use that, capitalize on that quick snippet of information, to actually make that tactic a little bit more practical for somebody to have a higher probability of getting phished, right? So, getting the quick information. Ideally, what we've normally done now is we've got out-of-band capabilities within the organization to validate information that is not necessarily through text, right, because you probably already heard that text is no longer safe. You now need to have... It's funny, because before everybody was like, oh, just validate through text, and now the new method of texting is no longer safe, so go back to the encrypted apps that we said don't use before.
Joshua Crumbaugh: OK, but what I don't get about this is that we caught China doing this exact same thing in the UK years ago. Why didn't we immediately look at our own systems, because it sounds like they were doing all of the same activities here? And again, I know I heard that it's no longer safe, but I knew it wasn't safe because I heard about what they were doing in the UK, what, four or five years ago?
Ellyson DeLaCruz: And the reality is it was never safe, right? Exactly. It wasn't safe before for the cybersecurity folks who knew all about how unsafe 2G, 4G, 3G were, but we didn't really have a good mechanism to say, well, what else, what else, what else? Because, back in the day, 2G, it cost money, right? Right. So you go to Wi-Fi. Oh crap, Wi-Fi is probably not safe either. So, uh, but now we have alternate methods to kind of, um, to provide some validation, so we train our employees: um, if in doubt, pause, validate outside, have a, you know, a voice, a video. Uh, it only takes one to two minutes, and if you can't get a hold of them, they'll try to get a hold of you for sure, right? So that's probably the better way, right? So?
Joshua Crumbaugh: Yeah, no, I couldn't agree more. We are running a little bit low on time, or getting toward the end of the program. So, with that, one of the questions that I always like to ask, and it's very open-ended, is, you know, what are the top bits of advice that you would give to maybe somebody trying to become a CISO or somebody more junior in their CISO career?
Ellyson DeLaCruz: Yeah, I kind of run into this now more and more that I've been in a role for a few years. I get random requests, you know, whether that be in person, via LinkedIn, or some of my students where I teach who have aspirations to be a CISO, partly because they might not necessarily be aware of what that means to be a CISO, and partly because it is, why would you want that job?
Ellyson DeLaCruz: Probably it is the bracket, the pinnacle of, like, a career, and before that I equated that to when I was going for something in IT. I think the CIO was the top bracket for a technologist, and then became a CTO, and now we have CISO roles. But my advice is essentially, if this is the passion that you have, you're not going to stop learning. And I always get asked, why do you continue to learn?
Ellyson DeLaCruz: You're already, you know, fairly at the top of the ladder, and the reality is technology is like everything else. When you stop learning, it becomes very, very apparent, and you become a little bit out of touch with technology, and the folks are not easily being able to relate to you, and they stop coming to you. The moment folks stop coming to you is the moment you kind of became irrelevant, right, and just getting around you. So if this is a passion for you and you want to be a CISO, right, but the CISO is not the only role, and you probably already found CISOs out there, former CISOs, now going back into the technology side or, you know, maybe steering away from being a technologist, uh, and going into the finance roles or into the other executive roles, like I see, I meet a lot that are in sales roles nowadays.
Joshua Crumbaugh: They get sick of the stress and they move over into sales and they sell to people like you, yeah.
Ellyson DeLaCruz: So you become the vCISO role or the field CISO role? Yeah, start talking at TED Talks and whatnot, yeah, I mean. But the reality is the path. So I actually just did this presentation with IEEE in Orlando. It says the journey is long and winding, right, and you never really know how you land in a job. You might have a trajectory, but the long and winding road is that you build your network, you build your relationships, you build your skills, and the moment that you actually have that opportunity, it's 80% preparation and just 20% luck, right. So don't wait for the luck. Prepare yourself, because when the time actually comes, then you'll be ready for that opportunity, 100%.
Joshua Crumbaugh: That's really, really good advice. Well, hey, thank you for being on Phishing for Answers today. If you could stick with me just a little bit after the show. But for those of you joining in, we are signing off. Thank you for listening to another episode of Phishing for Answers.