Phishing For Answers

CIO Confession: The #1 Mistake Holding Back City Security

Joshua Crumbaugh, Founder & CEO of PhishFirewall


Art Thompson, CIO of the city of Detroit, shares essential cybersecurity insights in this interactive discussion. He emphasizes the importance of open communication and the need for role-based training to safeguard against the growing number of phishing attempts.

• Art’s journey from supply chain to IT and cybersecurity
• Emphasis on zero tolerance for suspicious activities
• Importance of communication regarding cybersecurity at work and home
• Personal anecdote highlighting the need for multi-factor authentication
• Discussion on the increasing threat of phishing attacks and deep fakes
• Need for updated, role-based training programs
• Proposal for new metrics and KPIs to measure cybersecurity culture
• Final advice on the significance of learning from mistakes and fostering a supportive culture

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Joshua Crumbaugh:

Hello and welcome to another edition of Phishing for Answers. Today we have a very special guest, the CIO of the city of Detroit, with us: Art Thompson. Hey, Art, it's a pleasure to have you on the show today.

Art Thompson:

Thank you very much for having me. I appreciate it.

Joshua Crumbaugh:

Yeah, no, it's awesome to have you here. So let's start out where we start out at every single episode. Tell us a little bit about how you got into technology and got into your role.

Art Thompson:

Yeah, it's like probably half of IT people. We just fell into it, right? I actually was going to college and wanted to find a job to put myself through college and found a local company hiring for some IT support and so, you know, started out in college, had every aspiration of getting out and going into supply chain and logistics, and here I am, you know, almost geez, almost 20 years later stuck in IT. But it's been a great journey, so no complaints.

Joshua Crumbaugh:

So no work in your entire career in supply chain or logistics.

Art Thompson:

Zero, zero. It's, you know, typical college grad right, you set out to do one thing and then you never go into it. So I dreamed about it when I was young and I haven't looked back since.

Joshua Crumbaugh:

See, I was a little bit the opposite. I had planned on going to school for technology. I wanted to learn computer programming, but I was, I guess, a little bit ahead of my time. Most of the programs were still teaching COBOL, or Fortran, or, you know, some antiquated languages like that, when they should have been teaching, I guess, back in my day, C sharp or something a little bit more relevant, and so I ended up in marketing. And, you know, I'm still in technology myself, but marketing has had a big influence on my thought process and just that sort of education. So I'm curious: has the logistics and supply chain education influenced any of your decision making or how you handle things in technology?

Art Thompson:

A hundred percent. It's kind of been a blessing. You know, I guess I have a unique lens. I approach everything just from that logistical business practice standpoint. And then, you know, I leveraged my experience doing technology as a practitioner to kind of build that viewpoint. So it's been great. As I look at things, you know, just breaking it down from a business standpoint is usually where I try to focus and it's been good to me. So no complaints, it's definitely a unique thing, especially, you know, in and I think, a lot of IT or a lot of organizations in general. You know everything's about lean process improvement. This has been a great opportunity for me to kind of have some good exposure and use my background.

Joshua Crumbaugh:

Yeah, no, that makes perfect sense and, uh, particularly right now, with so many technology teams trying to do more with less, I imagine that comes in pretty handy.

Art Thompson:

Absolutely, absolutely. You know, in government there's no plethora, uh, so it's all about doing the most you can with limited resources.

Joshua Crumbaugh:

Yeah, in fact, our number one vertical is state and local government, and so I'm very familiar with it. What's interesting is, it seems like every city is its own unique entity, though. While they have some commonalities, they're all their own sort of beast, if you will.

Art Thompson:

They're all their own sort of beast, if you will. Yeah, it's interesting.

Joshua Crumbaugh:

No rinse and repeat. Everyone's unique. It's very, very interesting. Absolutely. Okay. So this podcast is all about the human element in cybersecurity and, before we dive too deep into it, one of the questions I have for you is, you know, you've been at this for a while. Do you have any sort of overarching, I don't know, opinions or methodologies that you sort of run your security awareness by, or anything like that?

Art Thompson:

I think the probably biggest two is zero tolerance, right. So if it looks fishy, it smells fishy, we just react. Right, we want to take action. We don't want to sit around and wait for confirmation or just wait for users to say they didn't click something. Most of the time if people think they're going to get in trouble, they just say they didn't. So just kind of a zero tolerance, right. If it looks fishy, it smells fishy, we act. And I mean it's everything from resetting passwords to just taking zero tolerance. We're not going to wait for something to happen. And then the secondary thing I think is just communication. You know, anytime I can get in front of my peers, the executive team staff, I just want to remind people security is a topic. Security is a big deal. It's something that we have to deal with, not just at work but at home. It's everywhere and everything. So I try to over-communicate it, not to the point where people are sick of me hearing it, but when they see me I want them to think oh, there goes the security guy right.

Art Thompson:

I want it to be fresh on people's minds more often than not.

Joshua Crumbaugh:

So the marketing guy in me has to point out that the more frequently you're in front of people and the more you harass them, if you will, the more likely they are to remember you, and they rarely get mad. I mean, do you get mad when you see a Coke ad, even though you've seen 10 million of them?

Art Thompson:

Right, of course not.

Joshua Crumbaugh:

So I sort of think of security awareness as that, and that was one of the things that to me really stood out when I got into cybersecurity, because I did start in tech before moving into cyber a little bit later on, mostly because cyber wasn't a thing when I got started. It's, the gray hairs are telling my age, but it really stood out to me that some of those principles around advertising could be utilized inside of cybersecurity to make it more effective. Now, something you were talking about before we started, I asked you if you had any stories, and maybe we'll just start there and we can dig into it a little bit after that. But you said you had a phishing story.

Art Thompson:

Yeah, kind of an embarrassing one. You know, my, my wife was blowing my phone up one afternoon. She couldn't get on her Instagram account anymore, and so it was funny. Because I'm telling her you know, try to go here, try to deal with Facebook support, and if you've ever dealt with Facebook support or medicine support, oh it's terrible.

Joshua Crumbaugh:

Oh, it's the worst.

Art Thompson:

You know, it's, you know, send us a picture of yourself, your driver's license, your firstborn's birth certificate and then the blood or something. Yeah, you know, you got to have a human sacrifice at midnight, um, but it's, it's obnoxious and it rarely works. So, uh, you know, she's upset telling me all about this and, um, finally, after, you know, a little bit of talking about it.

Art Thompson:

I look at her and go, well, why don't you have multi-factor authentication on? She's like, what? I'm like, MFA. She's like, I don't know what you're talking about. I'm like, oh my gosh, I'm in charge of cybersecurity for an entire city and I preach at it, right? Like, I failed her as a husband.

Art Thompson:

Yeah, you know I'm out here talking about all the time, Uh. And then I get home and I just wiped away from my brain and I was like, wow, you know, if I would have thought about this, maybe I could have protected your Instagram account a little bit better. But it's funny and that's when I had the realization like cybersecurity is not just a work thing. It needs to be that dinner table conversation, right? If you're not talking about it with your spouse, with your grandparents, with other people, to let them know that these things exist, these scams are very prevalent. We're doing ourselves just this justice. I mean, it's got to continue to be a topic of conversation amongst everyone.

Joshua Crumbaugh:

I agree. In fact, I saw a study that was talking about how, when you connect it to their home life or people's home life, it makes training that much more effective, that much more real to them, and I think it's really that people don't necessarily care about protecting the company, but they do care about their grandparents not getting scammed or their parents not getting scammed, and so it really does have a very, very real impact, and so, no, I think that's a great story. In fact, one of the things that I've been pushing a little bit more, even for us technical people, is normalizing saying, hey, I've fallen for a phish before, and sort of telling those stories. And the reason I've started doing it is because I had a student reach out because of this podcast. But a student reached out and said, hey, listen, me and a bunch of my friends, we all fell for the exact same scam, and what I realized is there's a stigma around it, and so no one would tell anyone that they fell for the scam. And if any of us had communicated, at least some of my friend group could have been prevented from falling for the scam.

Joshua Crumbaugh:

And I'm like, man, that's a really good point, is we got to tell people, because, you know, when we have these incidents happen inside of a little bubble and no one ever knows about it, other than maybe, uh, you know, the help desk or the cybersecurity team, it really doesn't, uh, doesn't necessarily do us justice, and so, uh, yeah, just interesting, uh, to say the least. So what's the scariest phish you've seen?

Art Thompson:

Ooh, um. You know that's a great question, I think, depending on the industry. Luckily it wasn't mine, but actually, if you, if you pick, calling the help desk and pretending to be someone else and getting into their environment and just traversing and being able to take down a huge casino, I mean that's scary. You start thinking about a lot of the out-of-date practices and I think you nailed it. We can't be afraid to talk about this stuff.

Art Thompson:

Now's the perfect time of year. We all get that text of, hey, your parcel can't be delivered, and, you know, everyone's got gifts being shipped out right now. So everyone clicks on it and goes, oh boy. That's not embarrassing, it's just life. You know, everyone gets fast, but it's, you know, training people to acknowledge it, see it, uh, not enter their credentials. Or, if they do, hurry up and go in and restate your credentials. You know, report a disband, make sure that you're able to recover.

Art Thompson:

That's where I think people need to be able to kind of feel more proud of themselves and capture those things, because it's just, everything we do is essentially outdated, right? Bad actors have just the honor of having to be right once, where if you're on the defensive side you've got to be right every single time. So the more that we can communicate, which I think is our biggest tool against this, to your point, you know, the better off we'll be. So, you know, we looked at the MGM thing and we started to review our password reset policies and, you know, it was like, oh well, if they didn't disclose this, we could have fallen ransom.

Art Thompson:

To the same thing, you know, someone could have called the help desk and said hey, I'm Art and jokes on anyone who tries this. I don't have permissions to do anything. They take that away when you become public. But you know they could have probably reset my password and got into some boring emails. But those are the kind of things that if you're not revisiting and at least talking about, people overlook it. They just keep rolling. So I think that's probably one of the scariest things is when you start to have that realization and MGM's breach did that for me it's like holy cow. You know, yesterday is now outdated. We've got to stay on top of this and keep moving forward.

Joshua Crumbaugh:

For me, I think it's the generative video type capabilities that I see coming out. You know I've talked to the CISO of Synovus Bank. They've already seen deep fakes targeting their CEO or impersonating their CEO.

Joshua Crumbaugh:

Rather, we saw that incident in Hong Kong where they had the deep fake of the CEO and CFO that led to a $25 million fraud. That's the part that scares me, and just the vast increase in phishing and sophistication around it. I mean there's estimates of, let me rephrase that, it's estimated that there's around a 750% increase in just the past 12 months on total number of phishing attacks hitting us, and so, yeah, we block most of them, but they're getting smarter, they're pivoting through companies that are legitimate and business email compromises, and I don't know. To me, that's the concern that we need to be worried about with AI, and so much of the talk is around, like, Terminator or whatever, but that's not, I don't see it, you know, building robots and attacking us. I do see it building phish and attacking us all the time.

Art Thompson:

Yeah, I agree, you know. You start talking about AI and just the challenges that it presents. It's crazy. You know, it's easy for people to do deep fakes and start to really look like and sound like, you know, people who they're not. And then you introduce quantum computing. So, you know, tie in, tie in that, you know, it's no longer the Nigerian prince in Africa who needs 20 bucks and there's a ton of spelling and grammatical errors. Now, all of a sudden, it's, you know, a video of someone who you know, and looks like and sounds like them, telling you, hey, you know, send me a $25 gift card, and people are going to fall for that. So, you know, how do we better protect ourselves and how do we band together? And I think, you know, standards again, they just so quickly get outdated. You start to talk about quantum computing. Holy cow, you know, what we know for today that is uncrackable is no longer uncrackable. So definitely it is scary.

Joshua Crumbaugh:

And with what Willow did I mean that could crack, you know, 256 bit encryption in just a matter of minutes, and so that's. That's the scary, scary thing. But I mean, technology is exploding too right now, and that's not on the subject of humans and cybersecurity, but it's really cool. I don't know how much of this you've had a chance to see, but did you hear about the neurons that you can actually rent in the cloud and you can train them like the large language model, but they're smarter than large language models.

Art Thompson:

Wow, I didn't hear about this.

Joshua Crumbaugh:

Yeah, no, it's so, it's, I want to say they're out of Switzerland, but it's 500 euros a month and you get like four neurons and you can access them in the cloud. They live for about 100 days on average, and during that time they're feeding them dopamine and shaking them, uh, like really, uh, severely, and, uh, all to keep them alive. I guess that's how they've been able to extend the life, because at the beginning they'd live for like 30 days. Um, so anyway, it's just really, just crazy. And now we've got a company in the US and a company out of China competing on photon-based processors. Um, so it's, it's only a matter of time. I mean, well, the future is here, I mean literally, finally. I mean, but I expected it in 2000. We were supposed to have flying cars. We never got it, so, uh, yeah, I was.

Art Thompson:

I was one of those kids not allowed to go anywhere on Y2K, so, uh, yeah, I expected the whole world to change that that that year.

Joshua Crumbaugh:

So and nothing happened, nothing at all. So there were some pretty good parties on Y2K, but uh but.

Joshua Crumbaugh:

Hey, so I hear, um, see, I was 18 when Y2K hit, so I was the right age. So, on AI, it brings a lot of opportunity, it brings a lot of risk. But, you know, one of the things that I've been really focused on is how do we update our training? What type of training do we need to give our users about artificial intelligence and how to use it and the different threats that it poses? Because to me, it's completely rewritten the threat landscape. And the example, like you gave earlier, is, you know, we used to look for typos. Nowadays, typos, if anything, they're a sign that it's legitimate. So it's one of those things where it really has changed what we're training, and if we're still doing the same thing we were doing just even five years ago, it's outdated.

Art Thompson:

Yeah, I think it all comes back to just kind of training. We can't let down right. You know, people need to be taught, to be trained, to be tested on these more advanced practices. If we don't, it's going to leave us behind. I mean AI is.

Art Thompson:

I think, going to be probably one of the most revolutionary technologies, at least in my lifetime. Just because it's going to move so fast, everything is going to change. Everything is going to be built upon faster, faster, faster. If you look at cell phones, they were revolutionary when they came out. I remember how exciting it was to have the new iPhone and just how crazy that was. Now fast forward, and I will wear it up and down, since probably 2011 it's in the same device, no major changes, better camera. But if you look at AI, now everything's just so rapidly changing and just getting so much more in-depth. If we don't have the capability or keep pushing people to train, to educate, it's going to become something that leaves people behind. So I think it's definitely going to be a technology boom and a kind of revolution again when it comes to tech.

Joshua Crumbaugh:

Yeah, and I think most people are going to have to relearn some, if not all, of their job and how it works, because I think that the people that will get left behind are the ones that didn't learn how to use AI. Uh, there was this Stanford study that just recently came out, and it found that, you know, for for the most part, all of these standardized tests, uh, the AIs are right up there with PhD students, um, but what they said is they're running out of tests, and there's still this factor that they don't know how to measure. But it's the reason that, while AIs are very smart, they're not being employed like humans are, because they're not effective like humans are. And so they were talking about how we need to develop new testing methodologies in order to, you know, identify whatever that is that is unique to humans, and to be able to measure it. That AI doesn't currently have. So it'll be interesting as well. They race toward artificial general intelligence. So Google finally on the map.

Art Thompson:

Yeah, it took a minute, but yeah, it's exciting. And actually, you know, to your point about the working AI, I mean, Elon's got their robot, I don't remember what it's called, but it looks like it's from iRobot. You know, once you get to that point where it's starting to use and process AI, why can't it do more of what humans do? Which is terrifying and exciting, you know? I'll be honest, it's both, but still, it's just fascinating to think about what it can do and will be able to do in a short period of time.

Joshua Crumbaugh:

No, I'm really excited. I mean, I see a future where, you know, when you go to Netflix, you tell it what you want to watch and it just creates the movie for you on the fly. I mean, we're already almost there. If you look at the new models that have come out just this past week, Google's V, what is it, a bio or something like that? Or Veo, is incredible.

Joshua Crumbaugh:

Um, OpenAI Sora is, uh, is, I mean, just really, really good quality HD video. And so you just got a question, I mean, how long before they can do that two-hour movie? Um, of course, they've got to get all the actors and, you know, the unions on their side and all that, but it's going to take over at some point. So, uh, it'll be interesting to see. I think that the most interesting stat that I saw, though, was about longevity escape velocity and talking about how, some time in the 2030s, they expect that we will be able to potentially live forever. Uh, that technology will advance beyond a point where, you know, we won't need to die from heart attacks or cancer or anything like that, because they'll be able to solve all of it. That's, uh, that's scary.

Art Thompson:

I was just gonna say earlier, to your comment about movies, you know, I don't even know what movie trailers are real anymore, um, but you start to combine that. Isn't it? Yeah, you know, I'm a huge.

Art Thompson:

You know typical nerd right, comic books, whatever. There's so many good movies trailers that are fake out there now that I don't know what's what, um. But you're right, you know you start to think about how that changes into the medical field, how that changes into the lifespan of humans, and you know there's a lot of movies where you offload your conscious. And you know it's now an Android, but it doesn't seem as crazy as it did 10 years ago right Like no it doesn't?

Joshua Crumbaugh:

I mean, isn't Elon working on that? What's not Starlink, neuralink?

Art Thompson:

Neuralink yeah.

Joshua Crumbaugh:

Where you can actually upload your consciousness into the cloud. I still think we'd have to be able to, I mean, if we can't even measure it, I don't think we're, I think we've got a long way to go before we can just upload it. It's one thing to store data or memories. That's another thing to store a person's being, and, uh, I think that's a completely different thing. Well, anyway, uh, enough about AI. We've done our mandatory AI talk, uh, for the day. I think it's just required by law now, uh, it's the buzzword bingo, um. But something I do like to ask everybody I bring on the show is, and I know it's not this simple, uh, but let's oversimplify it. If you had to pick one or the other, would it be carrot or would it be stick to deal with those chronic clickers?

Art Thompson:

Um, boy, with the chronics. That's the keyword. I would say the carrot. I will say, more often than not, I think positive reinforcement leads to better behavior. At least that's what I tell my children. So I'm going to go with the carrot.

Joshua Crumbaugh:

I completely agree.

Joshua Crumbaugh:

In fact, I think that, well, my belief is that we focus way too much on training the conscious and not enough on training the subconscious, and what I mean by that is that our subconscious is our body's built in defense mechanism.

Joshua Crumbaugh:

It's, you know, it's what controls our reflexes that automatically block threats.

Joshua Crumbaugh:

Well, you know, it could be a physical threat, like something coming at your face, or it could be a digital threat, and I believe that's why we run phishing simulations, is so that we can allow our employees, our staff, to learn through hands-on, you know, exploration, experimentation, and in doing so, they're essentially planting human virus definitions, and once they learn about each one of these red flags really well, they're going to start seeing them everywhere. And there's this really cool behavioral science principle called identical elements theory, and it talks about how, when we learn about something, we'll start to see it everywhere. And the classic example of this is you buy a new car and you thought it was unique until you get to the first traffic light and you see three of them. But that's, to me, how we truly empower employees not to fall for these things: when we get it to where it's at a subconscious sort of place, sort of like looking both ways before you cross the street.

Art Thompson:

Yeah, no, I think that makes perfect sense. I love the car analogy because that is all too true. You know, you see one and you're like, oh, it's a sharp car, I've never seen one before, I got to get one. And then you know, you get it and all of a sudden everyone has the same thing. Uh, but, totally agree, you know, I think it's so much more about positive reinforcement and just letting people know it's okay to make mistakes and learn from them.

Joshua Crumbaugh:

Uh, because they then become more easily recognizable out there in the wild. Yeah, and I think the other thing that you hit on there that's really critical is letting people know it's okay to make mistakes. I'd rather empower people to make mistakes and try and capture the mistake myself than have a place or an environment where it's almost so punitive that they're afraid to make mistakes. Because when that happens, you've lost, to me, sight of what the true purpose of cybersecurity or technology is: it's to empower the organization to do whatever the organization's mission is.

Joshua Crumbaugh:

For a city it's take care of the constituents and provide all of those services and keep everything up and running and fill the potholes or whatever else right, whereas, you know, for a business it's to make money and I think that sometimes we don't do a good enough job, particularly in the cybersecurity side of things and just balancing all of that where it's.

Joshua Crumbaugh:

you know we forget that we're not in the business of cybersecurity. Well, I am, but I mean, most people aren't in the business of cybersecurity. They're in the business, you know, whatever it happens to be.

Art Thompson:

Yeah, so I'm sorry, I was going to agree.

Joshua Crumbaugh:

So, just jumping around here, one of the things that I've realized that a lot of people look at from different perspectives is role-based training. And role-based training, well, I guess I'm curious, what does it mean to you? As the first question, and as a follow-up, what, uh, aspects of role-based training would you prioritize? Uh, cause there's only so much that you can actually do. I know we'd love to have everything customized down to the individual, but the reality is there's only so many roles you can actually cover. So, uh, you know, what makes the short list?

Art Thompson:

Um, well, I think, you know, it's actually good if you can have an organization that's mature enough to recognize those roles, and roles don't have to be, you know, spelled out down to the "I'm a financial analyst, um, you know, so these are the five things I do, so I need to learn about cybersecurity for those five things." But you start to look at the critical nature of the function or exposure to data, because that's what it's all about, right? It's how do you classify data and then protect the data by those who have access to it or can have access to it, and I kind of view the roles in that kind of function. It's something where I think you can really help grow an organization and your staff by training them and helping them understand what they have access to, what their capabilities are, because a lot of people just look at, you know, if you're in HR, you might just look at humans, people's.

Art Thompson:

You know, birth dates, social security number, all that is just work data. But what you truly have is everyone's livelihood in your hands, and how critical that information is to protect and keep sensitive, you know. So that means not just emailing it out over non-encrypted forms of traffic and whatnot. And then, you know, you go to the financial side and there's so much to be said about people emailing invoices and POs back and forth. You know, and do any of those have any financial data where a bad actor could, you know, glean information and do something nefarious?

Art Thompson:

So, you know, I view the roles, kind of training to that level of just, you know, what type of data do you have access to, what are you exposed to, and then training people to be responsible with that information and helping them understand what they have access to.

Joshua Crumbaugh:

Yeah, no, I like it.

Joshua Crumbaugh:

And you know, interestingly, along those lines, when we first launched what we call our just sensitive information users group just a generic for anyone that has a high level of access right and the most surprising statistic to me was that in a lot of our organizations that we worked with, we saw that that sensitive information users group accounted for like 25% of their total workforce, but more often than not they were clicking on almost 50% of the, or they accounted for almost 50% of the phish clicks, and I found it interesting that the people with so much access were often almost twice as likely to click on a phish than the rest of the organization.

Joshua Crumbaugh:

Now, I think that's, you know, that may be just those few organizations. Um, but, uh, I don't know. I've seen it repeat itself in quite a few different places, and so I think that's all part of it. And, uh, another study that I saw was saying that when you can make something contextual to that person's job, like finance or IT or whatever, right, it actually makes that training 15 times more effective.

Art Thompson:

Yeah, no, I totally agree, and it's interesting. You start to look at organizations and it's funny to me. One thing I will say I've learned is usually the person who you think would be the most targeted isn't usually that person. So, you know, within my organization it was amazing to see how people went, instead of you know, to the head of the organization, you know the mayors to the CEO, but it ends up being the CFO, which obviously you know you're going after the money, but, or the treasury department underneath the CFO. That is usually the most targeted and hit. So it's very much about knowing the role and knowing where bad actors are looking, and it's too easy to find that information at times.

Joshua Crumbaugh:

Yeah, and I will add that too often, or not too often, almost all of the time, those finance phish are finance themed, and what that screams to me is, well, the bad guys are already phishing our employees based on role, and that's to me a threat. And that's all the more reason that it's important, particularly with finance, to make sure that they do have that training. I say particularly with finance because I think that's the department that keeps everyone up at night. Like, well, just don't make a mistake. Any other department it's fine, but not that one. Yeah, absolutely. Okay. So KPIs, what are, you know, when it comes to human security, what are some of the things that you measure?

Art Thompson:

Well, you know, KPIs, I think, from a security standpoint, are one of the hardest things to measure. As I kind of said earlier.

Joshua Crumbaugh:

You know, the bad guy only has to be wrong, right, one time.

Art Thompson:

That's it. You have to be perfect, right? You know, they hit the grand slam. So it's neat, I think, to track and look at, from an email threat protection standpoint, how many malicious emails do you block, how many are flagged and caught? Those are cool stats and a good tell of a tool and how the tool is performing.

Art Thompson:

But where I'm trying to push my organization and really figure out how to get behind is I want to create KPIs based around the employee.

Art Thompson:

And how often are employees reporting phishing and links that are missed? Because what I think is our best line of defense is that culture, right? And it's something where I'm trying to learn and figure out how to implement, but if I can have a culture where people are excited about it, and not excited as in, yes, I can't wait to go find some phishing emails, but, you know, open to clicking that phishing button, open to reporting things and communicating about it, and then measure that, I think that is just a huge success when you start to talk about the maturity of an organization. And I think those KPIs really can say how are you positioned, you know, how are you going to respond when something does happen. And if, culturally, more people are bought in and, you know, having that exposure and that ability to react, you know, that's how you measure success. I think, again, it's something where I'm trying to find out how I can position my organization and find that maturity level to really just change how we behave.

Joshua Crumbaugh:

Yeah, so it's just my opinion, but I truly do believe that the reporting metrics are the best gauge of culture within an organization.

Joshua Crumbaugh:

I know we have limited metrics when it comes to things like that. It's not like you can just measure culture. I've heard of a few other stats, like the average time to mitigate risk for new employees, so if you can accurately track that, culture should reduce that time, and that's one way to measure it. But to me, one that's far less ambiguous and much more direct is just what percentage of the phishing simulations that we send out are actually being reported back, because to me, if we see that 50% of what we run in simulations are being reported back to us, that tells me that only 50% of the phish that actually make it through are being reported to the top desk as well. Absolutely. So we've talked through most of the most critical issues, so one of the things that I like to end every episode with is just really leaving it up to you and asking a very, very open-ended question that you can answer however you want, and that is: what advice do you have for the listeners?

Art Thompson:

Oh, that's a great one, you know. Actually, I think I'm going to say it's probably been the theme of our conversation, and that's really to talk about it and to acknowledge and know that you can make mistakes. I think the people who hide it and try to, you know, avoid it probably don't learn from that lesson. And if you can't approach people and try to educate and talk about it with them, you know, you're not doing them any justice either. So I would say, don't be afraid to talk about it, don't be afraid to ask. You know, in school we learned there are no stupid questions. As I got older I started to not believe that, as I got into cyber. Yeah, I'm not sure.

Joshua Crumbaugh:

I believe that. Yeah, you know, it's a maturity thing, but, you know, now that I've gotten more into cyber security.

Art Thompson:

I will say there are no dumb questions within cyber, because it's always better to be safe than sorry. So I had to ask somebody about a scam the other day.

Joshua Crumbaugh:

I couldn't figure out how it worked, but I knew it had to be a scam, and so, I mean, yeah, I completely agree, and I'm supposed to know about the scams, but this one even fooled me. It's this new YouTube, well, maybe not new, I guess it's a rework of an old scam, but they will comment on, let's say I take a short clip from today where we're talking about AI. They'll comment on it, and it's normally a cryptocurrency or crypto scam. And then they say, hey, here's my wallet password and I'm trying to move it, could you help me? And then you log in and there's like eight grand in there, and it's just in US dollars, and so, you know, I'm like, okay, there must be some sort of catch here, and I wasn't going to go forward with trying to move that money.

Joshua Crumbaugh:

But what I found out is that that's how they get you. So there's eight grand in there, but you can't actually withdraw any funds until you get up to ten grand. And then the second ten grand hits it, the money's gone and you never see it. So they trick people by making them think they're stealing money, and, I don't know, there's this evil genius side of it that, I don't know if it terrifies me or what, but it's interesting, to say the least.

Joshua Crumbaugh:

Well, the bad guys are getting smarter. They are; at least their tools are getting smarter. Well, hey, Art, this has been an absolutely fabulous discussion today. Thank you so much for joining me. Stick with me, but for those of you listening, thank you, have a great day and I will talk to you soon. Thank you.