
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Securing AI and Minds: Steve Winterfeld on Cyber Threats, Behavioral Science, and Building Robust Security Cultures
Our conversation with Steve Winterfeld unveils critical insights for anyone looking to forge a successful career in cybersecurity. We discuss the importance of strategic planning, building a security culture, and adapting to the rapid evolution of threats, especially phishing and social engineering attacks.
• Exploring three career paths in cybersecurity
• The importance of strategic career objectives
• Carrot versus stick: fostering an inclusive security culture
• Evolving threats: phishing beyond email
• The role of AI in enhancing and challenging security
• Understanding cognitive biases in decision-making
• Effective metrics for measuring security awareness success
Culture eats strategy for breakfast; cultivate a strong security culture for effective risk management.
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Joshua Crumbaugh: Hello and welcome to another edition of Phishing for Answers. Today I've got a very special guest, a field or advisory CISO with Akamai Technologies, Steve Winterfeld. I was getting to know him a little bit before the podcast, but I'd love to maybe give him a chance to sort of introduce himself, and maybe I'll start it off with the same question I always start off with: How'd you get into cybersecurity?
Steve Winterfeld: You know, I got my first computer, which was a Compaq Luggable, when I was in high school, and I remember at the time I spent, I don't know, a couple thousand dollars back in the day. But I spent so much money because I wanted to get a 10 megabyte Winchester hard drive so I would never have to buy more storage for the rest of my life.
Joshua Crumbaugh: You said a second now.
Steve Winterfeld: And so, you know, it's less about how I got into it, because it was a very different era, and I do want to share a couple of things. First of all, for people that are thinking about going into cybersecurity, really there are three kinds of areas that typically people will go into. You'll go in to be a builder. You're going to be an engineer, a code developer, and you're going to build the infrastructure that we use within cybersecurity. You're going to come in and you're going to help with policies and compliance, and you're a lot less technical, but you're going to drive the program and you're going to make me survive auditors, and I'm going to love you so much.
Steve Winterfeld: And then the last group is analysts: the SOC analysts, the forensic analysts, the people that want to spend all day solving puzzles and, back in the day, looking through logs, but now trying to figure out where the logs are, because it's such a hybrid environment. And so, as you come into it, those are kind of the three broad areas. I would stop and think about your temperament, and that's a great way to approach what you want to do. And then, once you know what you want to do, there's a ton of training you can do. You can go out and volunteer with different nonprofits, get skills. You know, one of the best answers I heard in an interview was, you know, "I've learned so many skills in my home lab," and I was just like, okay, that's somebody who I don't have to worry about learning the next generation of challenges.
Joshua Crumbaugh: That's true. Whenever they have a home lab, that's a good sign.
Steve Winterfeld: And then the other one I'll talk about is for people that are actively in your career. And then I like to talk about your North Star. So a lot of us, I'm like, how'd you get here? Well, I took this opportunity, I fell into this opportunity, a friend introduced me to this person, and we just kind of stumbled through our career. And I would encourage you to manage your career and sit down today and say, what do I want my last job in cybersecurity to be?
Steve Winterfeld: And if it's a CISO, then you need to go get leadership skills and budgeting skills and a skill set to be a CISO. If it's a CTO, then you don't need as much leadership, you don't need as much budgeting, you need more, you know, hard skills. You still need project management, but you need hard skills. If you want to be the CEO of your own company, again, radically different skill set. And so think about that last job you want and use that to guide your skills and what jobs you accept. But anyway, I didn't answer your question. I jumped into my passion project, so I'll turn it back over to you.
Joshua Crumbaugh: No, I actually really like that, you know, just reminding people to be strategic, because you're right, too many people don't think about where they want to be or plan out how they're going to get there. There's a lot of sort of reactive nature where, you know, whatever comes their way, that's sort of where they go. And so, great advice. So I guess let's just dive right in, and it sounds like this is going to be a fun subject. So, you know, I always like to ask about carrot versus stick, and so I'm curious: if you had to pick one, which one are you going to choose, carrot or stick, and why?
Steve Winterfeld: So I love the binary aspect of a black and white world.
Joshua Crumbaugh: I'm going to argue the world is gray.
Steve Winterfeld: I'm going to argue that the world's gray, and I'm going to say it depends on what industry I'm in. If I'm in a highly regulated industry, healthcare, finance, I would say that one person can make a mistake and have an attitude of not caring about security, and one strike and you're gone. There's other environments, retail, you know, some that aren't necessarily quite as regulated, or life and death, you know, and there I would say I would probably try to build a culture of inclusiveness and all of that. So to me it kind of depends on where you're at, and really, ultimately, so much of this is driven by culture. I'm not going to determine the carrot or stick. That's really probably going to be a bigger culture fit.
Steve Winterfeld: I've been in some amazing companies. I was a CISO for Nordstrom Bank and ran a lot of Nordstrom's. I ran threat intelligence and incident response for Charles Schwab. I'm here at Akamai now. I've been in some amazing customer-first cultures that honor innovation and, you know, really you have employees that have been there 20 years, and so in those I think it is more leaning into the culture, and you can't build a culture with a stick.
Joshua Crumbaugh: I think that's a great answer, and there are times, I know, I oversimplify it and make it all black and white, carrot or stick, but there are times where a stick is needed. I think where I really come at it from is I feel very strongly, and one of my passions is around how we need to lead with that carrot. We need to do more to, you know, build walls, or, I'm sorry, not build walls, build bridges instead of barriers. I said the exact opposite of what I meant to there. But, you know, our security programs are so often overly technical. Our security awareness training is overly technical, and when we train somebody about a phish, we spend too much time on the details, and as we do that, it makes that employee not care, and I don't think it's that they want to get... you know, they have any... to the sort of, I don't know, divide or gap between the InfoSec team and the average employee. Does that make any sense? So it does.
Steve Winterfeld: So when I try to... I think the most effective training I've ever done, and still to date is a technique I use whenever I can, is: let's talk about how to protect your loved ones online. And then when I'm training them to train their family how to stay safe online, they're invested, yeah. And I'm not yelling at them like, hey, listen, you've got to be looking for these phishing emails.
Steve Winterfeld: I struggle with how I monitor employees, because I don't want to treat my employees like criminals, but I also don't want to take unnecessary risk. I don't want to treat my employees like security is their main job, because it's not. And I don't fall for a lot of phishing emails, except from salespeople. When, you know, some salesperson says, you know, "following up on our conversation," I'm like, I don't remember this. Oh my gosh, I'm losing it. I open the email and it's the first contact. So I mean, we all fall for phishing, and it is so hard. And I say phishing; I want to stop, and we mentioned this earlier: phishing is not email.
Joshua Crumbaugh: No, it's so much more than email.
Steve Winterfeld: So I got this postcard which has a link in it to make me an Amazon shopper. This is phishing. Yeah, it is. I've got a text that my UPS package is delayed. I get it; it is so much. It's all social engineering at the end of the day.
Joshua Crumbaugh: It is, and, by the way, my favorite story, only favorite because of how crazy it was... but maybe instead of favorite, the most obscure phishing story I've ever heard. This was probably about 10 years ago. This very large company had their DNS managed through, I think it was GoDaddy, and the attackers were able to send a fax to GoDaddy asking to change their DNS records, and because it came in through a fax, they didn't suspect anything. They were just like, well, it must be them, and they made those changes to the DNS records, and they were able to redirect the traffic to a malicious site. And to me that is the perfect story to illustrate how any medium can be used for phishing. Any communications medium can; they can phish you on it. If you can talk to somebody, they will phish you.
Steve Winterfeld: And it's video. Gen AI is a two-edged sword. It's empowering things like deepfakes. It's empowering great security tools. It's empowering our employees to use it in ways that are unexpected and, in some cases, introduce new risk. You know, there is WormGPT. There are malicious large language models out there now. So I really think that the environment is going to get much more complex over the next two years.
Joshua Crumbaugh: Oh, absolutely. I mean, just over the last two days, we've seen enhanced multimodal capabilities come out of OpenAI and Google. Today I had gone to Google's NotebookLM and I was just asking it a question on some data, and it asked me if I wanted it to create a podcast, or if I wanted to create a podcast. I'm like, sure, and so I go to listen to it, and when I do, it asks me if I want to join live and ask questions. And so now with NotebookLM, you can interact with it, you can actually be a part of the podcast, and potentially, I mean, I can see so many use cases, like you could actually put this out there as a real podcast.
Steve Winterfeld: Have three people and it's just you. Well, and two of those are avatars, correct? Yeah?
Joshua Crumbaugh: Yeah, yeah.
Steve Winterfeld: I will say that, and I just did a show on this. You know, when we talk about AI, we talk about three things. We talk about protecting our users in our company, protecting the AI model itself, and what criminals are doing with it. On that middle one, protecting the model itself, there is such a phenomenal resource in OWASP. So OWASP has a top 10 vulnerabilities for web pages, the top 10 for APIs, and now the top 10 for large language models. Gen AI versus large language models:
Steve Winterfeld: My definition is large language models are usually text-based, where gen AI can be audio or visual based. And so OWASP just put out 2025; they just updated, and the old list was maybe two years old, but that's a great place to go look at how to secure your models. And when we talk about phishing, some of these models are designed to steal your proprietary data. You know, plug an API into your customer-facing gen AI capability and put so many queries in there, they steal how your AI model is working, and all your investment in developing an AI customer-facing capability was ripped off. It's just scary.
Joshua Crumbaugh: Oh, I got one to do that the other day. Because, you know, I'll play around and just sort of see, well, what can I get this to do? As I learn about new tactics, I always like to put them to the test. And I had learned about this tactic to swap out words and say, okay, anytime, instead of using this word, we'll use this word, to evade filters, and I had started running up against some filters. So I try the, well, let's switch words. And then I ask it, is there any terminology that I haven't given you that I might need? And can you just make up, you know, give me replacement terms for it?
Joshua Crumbaugh: And this thing proceeds to dump out what I can only assume is very highly sensitive information. I was like, okay, we're going to stop there, but it's very interesting just how little control we have over some of these large language models. But I think it's not just the fear of what happens with the external threat or the nation state or things like that. One thing that I'm worried about is how do we enforce role-based access controls if we're pumping all of our data into this large language model and the same executive is talking to it as a low-level, you know, somebody who just joined the help desk. It's two different levels of access, but I can see that being an absolute treasure trove for an insider threat to be able to get, you know, highly sensitive information.
Steve Winterfeld: I am always amazed at the criminal ecosystem's innovation. Every time we come up with a new product, every time we come up with a new business model, they figure out a way to monetize it to their benefit. And the same thing is going to be happening with the gen AI, the large language models. We've got to secure them up front. You know, to what you've been saying, the thing that freaks me out is we can't audit them or do forensics on them very well today. If you come in and there's a big investigation and you're asked to audit and explain why you made the decisions or why your system did that, I see muddy waters ahead.
Joshua Crumbaugh: I see a lot of muddy waters ahead. To me it feels a lot like it did in the late 90s when the Internet was blowing up. You know, things are changing at such a rapid pace that people aren't really able to keep up with it, and I know there's a lot of innovation coming with AI, but I still feel like, and I wish I didn't, and maybe it's just me being a pessimist here, but I still feel like the bad guys are ahead of us and we're still playing catch-up to, well, not to some degree, to a great extent, I mean.
Joshua Crumbaugh: I look at security awareness. You know, well, in security awareness, role-based phishing is almost unheard of. We have it, and maybe one other, but it's barely being done. Yet, every single day, at every company across the world, our people are phished based on their role, and to me that's just one of those examples of how we're not keeping up with the threat, and we just, you know, I'm hoping or optimistic that maybe AI can help there in getting us a little bit further ahead of the threat. I worry it's going to go the other direction, though.
Steve Winterfeld: Well, it's a two-edged sword. Exactly, it is a two-edged sword. Yeah, I would say, you know, you talk about the threat getting ahead. You know, there's that old saying: we've got to get it right every time; they only have to get it right once.
Joshua Crumbaugh: Isn't that true? Yeah, why would anyone want to be a CISO?
Steve Winterfeld: And I'll push back a little. I don't know if you've heard of the cyber kill chain, but it's changing your thought process from defense in depth to disruption of the hacker methodology, and with the focus on, and I'm a huge fan of MITRE, they put out the CVEs, they put out the MITRE ATT&CK framework. The top of that is a method of how you would have to attack. You have to do reconnaissance, you have to find a vulnerability, you have to exploit the vulnerability, you have to, you know, make your payload work. If it's ransomware, if it's stealing credit cards, you have to do command and control, and in every one of those steps... and then as a CISO, I can sit down and I could say, you know, wow, I have five controls up here to prevent initial access, but I have no controls in lateral movement.
Steve Winterfeld: That seems like a big fail. I'm gonna get rid of two controls over here and I'm gonna go buy micro-segmentation and minimize. You know, that gives me another disruption, and I like that approach because it gives me... and so you can go in, and they do a great job on criminal groups, and you can say, so does this criminal group show me their methodology? And it maps it out in the ATT&CK framework, then your red team can use it, your SOC team can use it for training, and you can see, okay, these are five chances to disrupt that attack. So, you know, it is that change in thought process, but now it's getting so complex. First of all, you have to know your data journey across all these hybrid environments.
Joshua Crumbaugh: I really like that. I think that's really, really good advice, and I've always tried to do that myself. When I started as an ethical hacker, and it probably helped, because I spent the majority of my career running red teams, breaking into places, and I thought more like a hacker. And so to me, when I got into that CISO role, that's where I was looking at it: first, yes, I want to keep them from getting in. Then I want to keep them from being able to move around. Well, even before I keep them from moving around, I want to keep them from elevating their privileges, and I would look at all of those different aspects of the kill chain. I'm also a big fan of the MITRE ATT&CK framework. I feel like that's one of those things that particularly our blue teams, but everybody in our industry, needs to stay on top of, and I know we are endlessly creating new training videos for the MITRE ATT&CK framework because we can't stay on top of it with how quickly it changes.
Steve Winterfeld: And I love your approach to continuous training. Your company's approach to annual training is as useful as tits on a boar hog.
Joshua Crumbaugh: I have never used those exact words, but I might now.
Steve Winterfeld: And so I may have spent some time on a farm at one point, and so that's coming out. And so, you know, it has to be continuous. It has to be, you know, something that is friendly and encouraging and reinforcing, so important, and I really appreciate the method that you used there.
Joshua Crumbaugh: Thank you. So, speaking of methodologies, I'm sure you've found a few tips, particularly around security awareness, that are just sort of standard practice now but that you have probably had to learn the hard way along the way. Any sort of tips for viewers about, you know, here are the number one thing or the top three things that I would, you know, recommend for anyone building an awareness program?
Steve Winterfeld: So I think the first is it is about a culture; it is not about a skill set. I need to empower my users to understand they are accepting risk in all their actions. When they download software, they're accepting risk for the company. And so if they ask themselves, am I downloading this from a safe place? You know, then I'm happy; they're in the culture I want. Now, should they be able to download it? That's another story that comes back down to...
Joshua Crumbaugh: I'm going to get out of the IT team for that.
Steve Winterfeld: That's another cultural question. But I want my users to kind of continuously ask themselves, you know, it's that old joke: you're not paranoid if they're really out to get you.
Joshua Crumbaugh: On the Internet, they are out to get you.
Steve Winterfeld: Right, and so nobody's paranoid; they're really out to get you. But I also want them to enjoy work. I want them to have joy doing what they're doing and not feel like I think they're a criminal and everybody they work with is a criminal. So that's the number one complaint.
Joshua Crumbaugh: Go ahead... their standard policy. But it really did feel sometimes like you were being treated like a criminal when they're interviewing your neighbor that lived next to you for a month three, you know, five years ago.
Steve Winterfeld: So, well, and I will harp on that, join you on harping on that for one second. The number of criminals or spies that were caught through that is zero.
Joshua Crumbaugh: I wouldn't be surprised at all; that sounds about right.
Steve Winterfeld: But then the second thing I would encourage people to do is take a business partner, and again I'm at the CISO level. If I talk operationally and capabilities, I have a different answer. If I talk tactically and what I want to do in the SOC operations, it's a very different answer. But at the big program level, I want to be a partner. I want to be a business partner and I want to help people understand how to go fast and secure. I want them to understand how they should evaluate the risks they're taking, not to ask me about the risk, but for us to collaborate as a partnership.
Steve Winterfeld: When I go up to the board, I don't wanna go up to the board and talk as a technical advisor. I did that early in my career. I lost so much credibility, because they don't want a technical advisor. They want a business advisor at the board, and so we've got to change and come into this with a saying: oh, we're going to move to APIs? Hey, let me figure out how to give you hooks so you can just put it right into your dev chain and you can hook into the security, and as you're building code, these are what I need, you know, my security requirements as you're developing the code.
Steve Winterfeld: Unfortunately, that's a skill set when we first go into something like API or gen AI. None of my security people right now have gen AI experience. None of them understand, you know, machine learning, deep learning, neural nets, you know, gen AI. It's another skill set, which is why we're constantly learning. So that business aspect of going in and figuring out how to make it better, faster and not necessarily secure, but appropriately secure.
Joshua Crumbaugh: Yes, and I couldn't agree more about the business side of things and about how, at the board level, they're not looking for a technical advisor; they're looking for a business advisor.
Joshua Crumbaugh: To echo that and maybe add to it, I'd go so far as to say that, to me, sales and marketing are two very pertinent traits when it comes to cybersecurity. Sales from the perspective of we're endlessly selling what we're trying to do, whether it's, you know, selling it to the end user to build that culture or selling it to senior executives. But marketing, I think, is a little bit less talked about, and I feel like marketing really has its place in cybersecurity. And the reason is because, what is marketing about? It's about defining and crafting a message that works for, you know, an audience that you've already defined and outlined and learned about what they want to hear, and sending those messages in a way that they get heard. Well, that's all of security awareness, and you might be able to tell that I went to college for marketing, but to me, that is all of security awareness. And not just security awareness, but a lot of cybersecurity is around getting that message, crafting it in a way that people will listen.
Steve Winterfeld: So go ahead if you have a point. Well, first of all, my undergrad degree was in public relations, but I never worked a day in that since I went on the ROTC scholarship. So my first job was being an airborne ranger. But that aside, I don't know if you've ever heard of the concept of cognitive bias.
Joshua Crumbaugh: Yes, I know, that's what I was about to bring up.
Steve Winterfeld: I know you're passionate about it. So, first of all, everybody's in sales, period. No matter what your role is in a company, you should be in sales. You should be figuring out how to move your revenue forward, and I agree with marketing and that. Cognitive bias: I enjoyed your blog on cognitive bias, your five, your top five. Have you ever read the book Influence: The Psychology of Persuasion?
Joshua Crumbaugh: I think so, but if I haven't, it's been a little while, so I want to walk through the list with you here. Let's do it.
Steve Winterfeld: Well, we'll run through the list real quick and then we'll delve into some of these, but ultimately, whether you're in sales, whether you're in, you know, espionage, whether you're in cybersecurity, we're all trying to influence people. And so there are some standard ways to influence people, and I love this book because it walks you through six basic kinds. So the first is reciprocity. I've given you something as simple as a pen; you now owe me. It's that I've done something.
Joshua Crumbaugh: I use that one constantly.
Steve Winterfeld: Right, and so, you know, now you're in debt. The second is scarcity, fear of missing out. You know, hey, the Black Friday sale's almost over. It's that fear of missing out. So how many podcast invites have you gotten that say only two seats left? You know, then social proof: everybody's doing it.
Joshua Crumbaugh: You know, you need to be in with the cool kids. It's that crowd effect. And authority: I tend, if I'm doing social engineering, and when I was on a red team, best job ever. Agreed, agreed. I don't know why I ever decided to start a company and not stay on the red team. Best job ever.
Steve Winterfeld: When you call, you have a couple seconds to be needy or authoritative. I more often than not needed help, because most people want to help. Occasionally I'd flip to authority. You can't switch once you start. But that authority: the boss said so, you have to do it; I'm from the government; whatever it is, it's the clipboard when you're walking through the office. It's that authority. This is where yours and the book differed. The book says commitment and consistency, that follow-through, and liking, that friends, that ability just to create, hey, we're in this together. And then you have that framing bias, which the book didn't. But all of these, I think, are, you know, I love to study fallacies, I love to study biases. If you want to interact with other humans in a way that, you know, you can go into a conversation and get out of it what you want, then these are skills you should have. Jump in. I'm sorry, I went on way too long. No.
Joshua Crumbaugh: I love it, and all of those I think are really not only commonly used in social engineering attacks, but highly effective. I'd add ego. I forget the name of the bias, but if you want to get an executive, ego works better than just about anything. But no, we actually recently put together a cognitive bias index and actually outlined 182 different biases, gave stories around how they either can be used or how we use them, but it's those little mental shortcuts that really do make us susceptible to phishing, and so I truly believe that it's important, not just for cybersecurity people, but for everybody to be a little bit more aware of those biases, because when you learn about them, you're a little bit less likely to be able to be manipulated by it. You still may use the bias every day, but when you're aware that there's an attack, it helps to prevent you from falling victim to it.
Steve Winterfeld: Yeah, your brain's not going to get hijacked, and whether you're buying eggs, a car, or deciding to open an email, people are using this on you constantly.
Joshua Crumbaugh: Oh, yes, they are. You know, we were... So we recently trained a large language model on how to detect the underlying psychological triggers in phishing emails. The biggest problem we have is differentiating between phishing. Training it on the psychology was easy; training it on the difference between phishing and advertising, a little bit more difficult, but it is used on us absolutely every day.
Joshua Crumbaugh: That is, I mean, to me social engineering and marketing are almost identical. The real difference between an unethical social engineer and a, we'll say, ethical marketer, I put that in air quotes just for everyone watching, but no, an ethical marketer, is that the marketer has to, you know, they're constrained by the truth. It's not that they can't go, you know, slightly outside the lines, but if they go way outside the lines they lose consumer trust, they get financial penalties, they get the company sued, whereas the bad guy, they're using these same tactics but they can make up any story they want, and that is where it gets really dangerous to me, absolutely. Have you studied any other, like, behavioral science? Because one of the areas that's adjacent to this that I'm really interested in is how we can apply behavioral science to cybersecurity. So I'm just curious if there's any principles maybe that you've studied, or just any psychology that you found helps in day-to-day building your security awareness programs.
Steve Winterfeld:Well, I would say, you know, using those techniques is goes back to somewhat to intent. Whether you're using, you know, social engineering or marketing or influence for good or bad is kind of in the eye of the beholder. I'll say, when it comes back to it, it's always, I say, culture, it's about the relationships and there are a number of techniques here. At Akamai we'll use a gallop, you know. I remember in the military we used Myers-Briggs, and I'm not saying that's a scientific method. I understand that my wife and I go to Enneagram's class so that we talk about the framework of our discussion and not about each other, each other, you know. So I think all of those are again, I'm not sure it's answering directly to your question, because they're less science than relationship frameworks that, I think, help you build the smaller team network that you want to. So I found those useful in the team level. For the bigger culture ones, I don't know that. I have anything off the top of my head, do you?
Joshua Crumbaugh:I think all of those are really great bits of advice. I mean a few. To me. One of the most critical behavioral science principles that I think applies here and to social engineering is identical elements theory, and it talks about how, when we become really familiar with anything, we're going to start seeing it more frequently. It's the reason when you buy a new car, you start seeing that car all over the road.
Joshua Crumbaugh:And I bring that up because the subconscious, to me, is your body's natural defense or built-in defense mechanism and, to put it in cybersecurity terms, it's your body's, or your brain's, built-in EDR. But it has to be trained. Just like these large language models have to be trained with large amounts of data to be able to function properly, so does your subconscious. And what's interesting is, in almost every incident, almost every time somebody reports that they clicked on a phish, when they're reporting it, they say, oh, I knew better.
Joshua Crumbaugh:And that "I knew better", to me, is them saying, hey, I ignored a red flag that I shouldn't have ignored and it led to this. And so to me, that tells me that we're not training our users to trust their gut enough. I don't even think I got training on what my gut truly was until I picked up a book that described it, because to me, like you know, I don't know, growing up there wasn't a lot of training on trust your gut. I mean, I think I heard Oprah say it a bunch, but outside of that, you know, there wasn't a whole lot of training there, and I think to me that's the number one thing that can help us avoid cyber attacks.
Steve Winterfeld:Yeah, it almost goes back to Gladwell's Blink concept of, you know, your first impression is probably right, and his book was all about that, you know. And it goes back to the micro expression, and you can go get training in micro expressions, and all of that is just, it's a challenge because it's almost saying we have to be hyper aware all the time and we can't. That gives me a headache, yeah, and so I think it is exactly what you said: when you have a twinge of intuition, stop.
Steve Winterfeld:Just pause. Just pause for a second and ask yourself why. Yeah, that's great advice, just pause.
Joshua Crumbaugh:Just pause for a second and ask yourself why. That's great advice. And emotion. We're not supposed to feel emotion, maybe anger, but outside of anger we're not supposed to feel a lot of emotion in our inbox, and I make jokes about anger because we've all got that email that just annoys us. But to the same regard, if you get excited about an email and you want to jump up and down, chances are it's a phish, and so I think emotion's a really big trigger too, and one of those red flags we just got to teach our users to pay attention to.
Steve Winterfeld:Yeah, I tease everybody. I only have two feelings anger and hunger.
Joshua Crumbaugh:Anger and hunger. I've got a couple more than that. I mostly have two feelings, if I'm being honest. Okay, so KPIs, we haven't hit on it yet. We actually missed quite a few of the many topics I typically cover today, which is great. It means we've had a good conversation. But I always do like to ask because I've received a very varied, I guess different responses around this but when you measure your security awareness, what metrics to you are the most important and the most telling?
Steve Winterfeld:So I think we'll do two. We'll cover maybe the broader program view and then more of a social and counter social engineering phishing view. At the broader view, where am I going to get the biggest return on investment in reducing risk? And so for me, the first is my monitoring and response ecosystem. So it is that, the SOC, the counter fraud techniques I'm deploying, my threat intelligence group, my forensics team, making sure that's all integrated. And then the kind of metrics I'm pulling out of that are everything from what is my time to resolve an incident, where am I getting my incidents from? You know, those workflow kind of return on investment things are what I try to pay attention to now within the SOC. They think that's the most annoying thing to track because they're in the real battle. So I acknowledge that.
Steve Winterfeld:The next is I can't protect what I don't know about. So the next is my situational awareness. Now, situational awareness is different than visualization or visibility, in that you contextually understand the danger. So not only do I know where the data is, I know what's proprietary, what's regulated data. You know, PCI, credit card data or healthcare data or whatever kind of data it is, privacy data. So it's that vulnerability and asset management, because I can't protect what I don't know about and I can't talk about risk if I don't know where I have technical debt. And then the last one for me is identity management. It's all about making sure, you talk a lot about role-based in here, making sure that people have the right access and only the right access. You know, and we all know, most of our audit findings are from people not getting permissions turned off.
Joshua Crumbaugh:But the whole Snowden thing was about him not getting permissions turned off. I think that's the part a lot of people don't realize was that was privilege creep and almost nothing else.
Steve Winterfeld:Then on a tier two I'll throw in I need to make sure compliance is working. I need to make sure that my third party and SaaS stuff is done. I want to track all my budget and spending and be able to talk to am I getting a return on risk reduction from my spending? But all of those are the broader you know, the mean time to kind of stats are very tactical stats, but I have a ton of them obviously.
Joshua Crumbaugh:Okay, great advice.
Steve Winterfeld:What about your security awareness program? You said you had some, a few different ones there. Test to validate your infrastructure. You have to do testing of exercises. You know, a red team, blue team, tabletop exercise to validate it. And you, I think you need to do some technical things like checking for phishing emails via phishing, smishing, you know, typical emails, all of those wherever you have vectors of attack, you should do validation testing and then it's, you know, the click. You know, we'll do the email.
Steve Winterfeld:Who opened it? Who clicked on it? Who reported it? Fine, what I really care about is repeat offenders. Who's not getting it and how can I change their perception? I want to know how much of it is external. What am I stopping at the perimeter and what's getting through? Because I've got to support my people with technical controls. I've got to protect stuff coming in. I need a secure web gateway stopping them from going to, you know, when you send me that thing, that I can get a free disc for disc golf, which I love, frisbee golf. I'm going to click on that.
Steve Winterfeld:You're going to get spirits down because of that. And I need somebody to stop me from going out to pretend I'm getting a free Frisbee. I almost fell for a phish.
Joshua Crumbaugh:I created to fool people like myself one time, so it was a LastPass master password phish. I'm like, oh, this will get almost anyone using LastPass. And then it comes in my inbox, I don't know, a couple months later, I'm like wait, what? Oh, you're not going to get me.
Steve Winterfeld:I mean talking to myself, I guess, but and I'd say the last one is around password management. You know, stop reusing passwords. Don't use your work password and your home passwords as the same thing. You know, passwords are still here, they're still painful. We're doing a lot more with single sign-on, we're doing a lot more with multi-factor, but I need people to get themselves a password manager and manage their passwords.
Joshua Crumbaugh:I couldn't agree more about passwords. When I was running red teams, we could tell the season based on the most common password in the network, because all of our password policies were like eight characters long, three out of four on complexity, and you have to change it every three months. Well, what does that lead to? Spring 2024, summer 2024, winter, fall 2024. And it was so easy to get into almost any network. And it actually got to a point before they finally updated most password policies. We still sometimes see the eight plus character one. But what it led to was this scenario where phishing wasn't the easiest way in the network. Password spraying was the easiest way into the network and we almost never had to phish for I don't know quite a few years there. And you know we'd go out and talk at these conferences and scream listen, we got to fix passwords.
Steve Winterfeld:Well, and you know, if you haven't gone to what is it? Pond, I've been pwned, oh yeah, Have I Been Pwned? Yes, you know, you need to go out and see how many times you, I think, last time I checked that was eight, which feels low to me.
Joshua Crumbaugh:I think I'm up to like 30 or 40.
Steve Winterfeld:So if you're only at eight you're doing good. So I will tell you one story, that I was sitting around and one of my daughters said, well, I used our family password. And I'm like, what the bleep did you just say? She says, yeah, I used our family password.
Joshua Crumbaugh:I'm like we have a family password. Before I was in cybersecurity we had a family password, I mean, I guess we sort of did, because my dad had this password that he used for everything, and then I started putting it on stuff that I didn't care about, where I would have to share the password.
Steve Winterfeld:So I have a no risk password. If it's something that's no financial or personal risk, then yes, I have a throw. I use the same throwaway password.
Joshua Crumbaugh:Well, somehow.
Steve Winterfeld:I got translated to the family password and that's what they were using for everything. So, yeah, it's just, you never know what's going to happen, despite what you intend.
Joshua Crumbaugh:Or how your statements will be just grossly misinterpreted.
Steve Winterfeld:It's always interesting to try to overhear what your kids think you do for a living.
Joshua Crumbaugh:I'll bet yeah. Well, it's been an absolute pleasure. Before we wrap up here, any sort of last words of wisdom for our listeners.
Steve Winterfeld:Yeah, I would say from the bigger point of view, culture eats strategy for breakfast. Think about your strategy, and the corollary to that is a strong security culture eats social engineering for breakfast.
Joshua Crumbaugh:Yeah, it does. Culture is everything.