
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
License to Secure: Joshua Kuntz on Protecting Texas from Cyber Threats
Josh Kuntz shares his extensive journey through cybersecurity, emphasizing the balance of compliance, risk management, and the mentorship of the next generation. The episode discusses the evolution of security roles, the impact of AI, and the importance of understanding organizational objectives in strengthening cybersecurity culture.
• Biography of Josh Kuntz and his career path
• Transitioning from military to civilian cybersecurity roles
• Importance of compliance and developing security programs
• Adapting to remote work during COVID-19 challenges
• Concept of risk acceptance in cybersecurity practices
• Significance of training and mentorship in building talent
• Role of AI in enhancing cybersecurity communication and education
• Emphasis on integrating security into organizational culture
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
Joshua Crumbaugh:Hello and welcome to another episode of Phishing for Answers. Today we have a very special guest with us, Josh Kuntz from the State of Texas Department of Licensing and Regulation. He is their CISO over there and very active in the state and helping to build new leadership. Joshua, maybe you could tell us a little bit about yourself and how you got into cybersecurity to begin with.
Joshua Kuntz:Sure. So I started out in the Marine Corps, went to college, figured out that majoring in beer and women was not conducive to a degree plan. Enlisted in the Marine Corps.
Joshua Kuntz:I know a bunch of people that would disagree with that, but hey, so I enlisted in the Marine Corps, spent six years there doing electronics maintenance and then when I got out I started with the state at the Texas Department of Public Safety. I ended up running their satellite system for the Texas law enforcement telecommunications network for approximately almost eight years and that was kind of my introduction. That was my bridge from the physical security things that I'd learned in the Marine Corps to the electronic security around securing those networks and securing that data, because it was highly regulated data and it was life and death. It was supporting all the police departments and sheriff's offices throughout the state. So they don't, when that system's not up, they don't run traffic stops because they don't know who they're stopping and they, you know they could walk up on a fleeing felon and end up dead. So that really solidified the importance of the electronic security for me.
Joshua Crumbaugh:Yeah and that's, I guess, why A is a key part of the triad right.
Joshua Kuntz:Oh yeah, and so making that transition, I then went to the Texas Youth Commission, and that's youth prisons. That was another highly regulated industry. Not only is it criminal justice information.
Joshua Kuntz:It's youth criminal justice information, so there's twice as many regulations on that data. And I was their first information security officer and built out their program. Before that, security in the state was really this oh yeah, that's a thing that Jody over in IT does and about that time that's when the state was really getting serious about you know, you have to have a program, you have to have somebody dedicated to doing that program, and so I built out their program, um, took them through three audit cycles and then ended up going over to the Texas Department of Motor Vehicles. At that time they were splitting off from TxDOT, um, the functions that were customer facing.
Joshua Kuntz:So it was the motor carrier, so long haul trucking, oversize, overweight permitting that kind of thing. The motor vehicle distributor, manufacturers and dealers. And then vehicle title and registration. So those are big three and those are very, all very different kinds of activities but all centered around transportation. And again I was faced with some life and death stuff the oversized, overweight permitting those trucks. If they did not have the right permitting or they went off route, people died and that was kind of serious. So I built out their program. I was with them for about seven years and then moved over to the Texas Workforce Commission. Uh, and there we had five different missions. That was even more fun. Uh, unemployment insurance where we both paid out and collected, and I was there during COVID, so that became oh wow, yeah, that'd be.
Joshua Crumbaugh:that must've just blown up. And on top of that, I assume you're sending everybody home and and so now you've got this massive remote workforce that you weren't prepared for.
Joshua Kuntz:No, no, both. Both a massive remote workforce that we had not anticipated. We had remote work, but we never anticipated more than maybe 20, 20 to 30 percent of the staff being remote at any one time. So we went from 20 to 30 percent to 90 percent and that was a big shift and our IT department had to scale up. I think I was in solid meetings for the first four or five weeks. That was eight hours of meetings I don't know when you know and it was basically I'd attend meetings and assign things out for my staff for trying to make sure that we didn't go off the rails. For the most part, I just collected information so that once things slowed down, we could go back and take a look at the risks that we'd inherited during that period of time.
Joshua Crumbaugh:I mean, I think that's how everybody did it. Like you know, we've got to keep the business up and running first and foremost. We can lock it down a little bit later. I know we all want to do that in the opposite direction, but you know there's times when you can't and uh, and I think that's the best approach is keep that running list, so that uh you know you have to go back and pick.
Joshua Kuntz:And you know, quite frankly I think that's why I've been so successful in my career as a security professional in the state is because I never viewed security as black and white. Right? Security is a thousand shades of gray. It's the risk you're willing to accept and you have to also understand that. You know the business is not security, I mean, unless you are a security company.
Joshua Crumbaugh:Mine is, but most aren't.
Joshua Kuntz:Unless you're a security company, the end product's not security. The end product is some other good or service and the security is just there to enable you to do it without getting hacked, getting in trouble. You know, stopping business due to I mean, that's something that's come around recently, that's been a real game changer. But yeah, at TWC it was, oh I think I had seven federal audits every three years because of all the regulated data. We did early childhood education, criminal let's see the civil rights. So we did both equal housing and equal employment opportunity.
Joshua Kuntz:And then for the state we had vocational rehabilitation things for people with disabilities to obtain or retain employment through assistive services. So we had HIPAA data because we were the people paying for the medical procedures, so HIPAA actually applied to us. We had IRS data, so I had to do Pub 1075 through all of that. And Social Security Administration, Federal Office of Child Support Enforcement, the Department of Labor, two different audits from the Department of Labor plus the CJIS audit. It was a lot. There's a lot to keep up with. So almost half of my staff was GRC just to keep up with audits and compliance.
Joshua Crumbaugh:Yeah, and I think that's one of the reasons that compliance and GRC becomes such a focal point in most programs and even though you know we wish it was best practices, at the end of the day we don't want to get fines from auditors and so you know there's so much time that's eaten up around compliance, particularly in your sector. You know, rarely do sectors hit or organizations hit multiple different regulated things, but in the SLED space it's very common to have three, four, five, in your case seven different audits.
Joshua Kuntz:That's a lot.
Joshua Crumbaugh:I think that's a lot for any company.
Joshua Kuntz:Yeah, but that was a good experience and during that time so managing through all of that during that time I was actually able to execute a move of the cybersecurity program out from under IT. So that was for me a very large accomplishment. And the people asked me and in fact my executive director asked me during that time well, do you think that no security program belongs in IT? And I said no. So when you're small, a small organization, and you're starting out, everybody's doing every job and you have to overlap and it's all intertwined. But once you get to a level of maturity and size where you have specialization, at that point security goes from being a very tactical thing not that you're not doing the tactical security to being a strategic thing. And that's where the GRC comes in and you become an oversight entity over the IT operations and that's where you switch over and say, well, if I'm going to be doing oversight, I can't really be reporting to the people I'm doing oversight on. You end up in a conflict of interest.
Joshua Kuntz:And, quite frankly, it was very clear and this was some of the evidence, is that I spent almost four years my leadership verbatim, which helped me articulate when there was something that wasn't right, but that was extraordinarily frustrating because I was the guy of no, because they would. They'd want to do something. Well, this statute or this regulation says we can't, so we really need to figure out a way to do it right. And so I was the impediment and the squeaky wheel.
Joshua Crumbaugh:You became Dr. No because of all of the compliance and I know that's one of the things and it sounds like you're very much on the opposite side. You don't want to be Dr. No, but sometimes you have to be. And I think that's a really great point you bring up, because so often we talk about how we don't want to be Dr. No and it comes up all the time on this. Rarely, I don't think it's ever come up before, actually, has this side of it where you're saying, hey, I mean because of all of the regulations, I had to say no constantly. I find that fascinating.
Joshua Kuntz:Well, and it's unfortunate because IT had been allowed, and this happens a lot in the state. IT is this mysterious thing that happens in a black box. Right, and especially in the private sector, CIOs are only there's only three jobs right. It's innovation. Let's make something new, make something more efficient, help the bottom line. Operation. The email has to keep going, the servers have to stay up. And maintenance, and that's keeping track. The only one they're measured on really is innovation. That's the KPI that CIOs are measured on is are you adding value to the organization?
Joshua Kuntz:Operations is neutral at best and negative if it goes down. If something goes down, then you're mud, but as long as everything's working, you're not getting kudos for keeping the email running. The only person who cares about the maintenance is CISO, and so that's where you have that tension, and because of that, I just kept doing whatever they wanted and they kept pushing the maintenance down the road or they'd want to shortcut things and skip steps. It's like, hey guys, we can't skip these steps. You got to do it, and that's where the no came in. I think I was there about two weeks, started out with a bang and killed two projects. Two projects were trying to go live. We go to the go live meeting and I'm looking at the documentation. Where's the security testing? Like we need security testing, he said yes, you are going to be transacting in confidential information on the internet. It's in statute you have to do the security testing.
Joshua Crumbaugh:I will say that was my favorite part of being at the SEC was killing projects.
Joshua Kuntz:I don't enjoy it, but it was something where I had two projects Now they weren't major projects, they were smaller projects, but they were changing significantly, changing the way we were doing business externally with customers. I said you cannot do this without going through the security testing.
Joshua Crumbaugh:And I joke, it wasn't as much about killing them. I mean, they always came back. Well, almost always. There was one time where we quite literally found a different finding for each and every one of the OWASP Top 10 vulnerabilities in it, and that was the one that didn't come back, but most of them they were just delayed. You know, we'd say, okay, you forgot about this, this and this. You've got some huge or, you know, serious, uh, vulnerabilities here. Get them resolved and, uh, and then we can improve this. Uh. But you know it was.
Joshua Crumbaugh:It was different though because I was a penetration tester. I didn't have the full, I guess, view that I have now, where you know I was much more rigid. It has to be my way. And then, as I grew and got into a CISO role, and then even more so when I got into a CEO role, it helped me to learn to really balance things. And I think one really eye-opening, I guess, conversation that I had with my dev team earlier on in PhishFirewall we had this huge vulnerability that somehow made it into production and I'm like, how did this get into production? Why on earth would you do this? And they came back and they said because you said we had to get the feature pushed by Friday.
Joshua Crumbaugh:And I'm like, oh man, I've become that stereotypical CEO. But it helped me really realize that it's not so black and white To your point about it being a thousand shades of gray. It really is, because there's this art form to balancing security and productivity, and I don't think everybody has the ability to easily do that. I do think it's a little bit of a talent. Uh, because there is that very fine line before between oh no, we're ransomed and you know we gotta still be operational and and it's not a big you know, it's sort of like a very tiny little line that you got to stay on there. Um, you had said before we got started, you were telling me a little bit about some of your work and the education space to help sort of train and breed that next generation of CISO. Tell me a little bit more about that.
Joshua Kuntz:Sure. So my first foray into that was actually at the Department of Motor Vehicles. Within the state, we had identified for several years that the largest failing was that we did not have a trained workforce in cybersecurity. We had a very small amount of people who actually had certifications or who had any real formal cybersecurity training. And so I developed a public private partnership with a trainer because we had a large training conference room at that or at that organization and worked out hey, if I provide the space, can you provide the training at a discount? And I said, what would that be? And so you don't have to pay for any rental or anything. Just what does it cost for the materials and you to do it for about 30 people at a time? And they ended up coming in at like $1,500, which was over $1,000 less than you could get it commercially. And so we ended up doing three rounds of that. So I ended up getting about 90 people in the state certified. And then, you know, so that started my desire, to you know, increase the acumen of our cybersecurity professionals in the state.
Joshua Kuntz:Well, in my current role I got cornered at a happy hour by a couple of senior analysts asking me about cybersecurity, budgets and the legislative process. And I was explaining it and they said how do you know this stuff? That's not security. I said, well, I've been doing this for 22 years, and before that my father had been a state administrator for 25 years, and so I learned this stuff at the dinner table. And I said, well, how do you do it if you don't have those things? And I had to start thinking. There's not really a program for that. The state has a program for building a generation of executive directors, you know, agency heads or CEOs. They have a program for building out the next generation of CIOs. They really had nothing for the security side and I'd been through the CIO program and about 40% of it applied to me. It was just the general leadership part. 60% of it was around IT operations. Interesting to know, but I wasn't going to be using that as a CISO and so myself and two other CISOs in the state got together and developed a curriculum and a program where we met.
Joshua Kuntz:We currently meet once a month to our basically a long lunch on a Friday where we bring in a sponsor. So because you know, we're state, we don't have a lot of money we partner with with vendor sponsors, folks that have a product, security product that's available to the state through state contracts, where they get about 10 or 15, you know 15, 20 minutes to demo their product or talk about you know the service that they have. And then we have about. You know we have lunch and then we have about an hour and a half uh discussion on a particular topic. And we start with, you know, when you first walk into a to a program, how do evaluate the program and we move through. How do you evaluate staff, how you evaluate your budget, how do you deal with the legislative session, all those things where you can progress through.
Joshua Kuntz:If I started a new program, how do I figure out how to make that work? Our first cohort had nine mentees and three mentors, so we took on a lot and so you had the session and then you'd meet with your mentees in between sessions to kind of discuss the topics, what they've got going on, how it might apply to their current job or how we see that helping them develop. That program went from last October to this September. In October we started a new cohort. This one was 13 mentees and 10 mentors. So not only did I have an increase in desire for people to participate in the program from a learning standpoint, but also other CISOs who wanted to participate as mentors. So we're only each of us only have to do like one or two mentees per instead of. I think I had four last time, so that was.
Joshua Crumbaugh:Oh wow, that's a lot of work, especially with being a full-time CISO.
Joshua Kuntz:That's only due to this job. So when I came here to this agency from TWC, I went from those seven federal programs to no federal programs. We do professional licensing and consumer safety regulation, so we license everything with 38 programs, everything from barbers and cosmetologists to combative sports. We are the boxing commission. So the Tyson-Jake Paul fight, we ran that. OK, was it rigged?
Joshua Kuntz:No, not for people talking about all the goofy things in the contract. The contracts are very standard. There was no hey, if it ends in the first round, you don't get paid. Now, that's, they were very standard contracts.
Joshua Crumbaugh:Now if they had agreements outside of that that's not.
Joshua Kuntz:That's not something we.
Joshua Crumbaugh:But we had. I was disappointed. I mean, part of me was, well, hey, he's made it, you know, this many rounds. Part of me was like, nah, Jake Paul really should have been down in the first round, like Tyson always does, you know.
Joshua Kuntz:A couple of times it looked like that's what was going to happen and I just I think the hurt knee really put him off, when he couldn't move as good as he had anticipated.
Joshua Crumbaugh:So, but elevators we digress, we've got all these different programs.
Joshua Kuntz:So we collect fees on the licensing and we do inspections and you know we that kind of but we don't give out money Right Unlike the last job where we had unemployment benefits and we had child care subsidies. So billions of dollars going out we don't get. We collect some money and either we collect it physically, like you send us a check and we deposit it with the state, or, if you're going to do it online, you go to the state's credit card processor. It's not even us.
Joshua Kuntz:So I have very low threat profile and a lot of fraud where it's like if you're going to operate without a license, you don't have to hack in and get a license, you just operate without a license to get caught. So that lower threat profile has allowed me that the actual you know breathing room to do a program like this. So that's been very, very good. It's just a good timing. But yes, it is a lot of effort, a lot of time and so. But my father was a huge mentor and so I kind of inherited that and really wanted to continue that legacy of mentorship.
Joshua Crumbaugh:Well, I think it's great to help out the younger generation. I look at so many times when I was in in situations where I had no clue how to handle it. I really had to just learn through trial and error. I couldn't ask an AI like you can now, and and. So I think about that and I'm like, yeah, you know, I, I really do want to help and give back, and and I to me it's starting with people in school, letting them know that cyber security is a career.
Joshua Crumbaugh:Uh, for me, I did not know it was a career, and so I spent a good bit of time in marketing. Uh, ironically enough, even though I was very technical, I taught myself to code back in high school. I spent some time in marketing, because that's what the well really, the marketing dean just found me and said you're going to be in marketing, and I said, okay, because I was young and dumb and it worked out. It actually worked out a lot, because one of the things that I really discovered is how critical some of those marketing teachings are for the cybersecurity space. When we're out trying to change culture, we are marketing to the people inside of our organization.
Joshua Crumbaugh:When people talk about social engineering for good. It's just marketing and there's a lot of study that's really gone into that. But before I switch gears over to that, my favorite question to ask absolutely every guest is if you had to choose one and I know it's not so simple, it's more shades of gray, but we're going to make this black and white If you had to choose one carrot or stick, what would it be and why?
Joshua Kuntz:I would as much as the security Marine in me wants to say stick, it's the carrot. And because it's much more effective to provide a benefit or an understanding of how and we try to do this in all of our cybersecurity education is. This isn't just for you. Take these lessons. Or, if I send out alerts, take these to your family, let them know so that they don't fall victim.
Joshua Kuntz:And tell your parents especially parents, elderly parents, trying to provide benefits to our, all of our staff, instead of just well, you're going to do it because I said you're going to do it Because then they'll find a way around it. You know, if you make it authoritarian, they'll just find a way to get around it, and that's. That's not the goal. The goal is to influence the behavior, and generally that behavior is influenced through, you know, positive reinforcement versus negative reinforcement.
Joshua Crumbaugh:Yeah, you've got to make them want to be more secure. And when you say, great job, you're an, you're a cyber hero and things like that, that makes them want to. When you crack the whip, you're right. And that's not the first time that that's come up with people saying, hey, if you crack the whip too hard or use too much of the stick, people will find a way around it. They may comply, but they're only complying because they have to and they're going to look for ways around what they're doing or what they're told to do. So I couldn't agree more. I'm a really big fan of carrot too. I was curious, since you were ex-Marine, which way you'd go with that. But no, I couldn't agree more, and I think that old adage you catch more flies with honey than with vinegar is so true particularly when it comes to cybersecurity.
Joshua Crumbaugh:Any good stories of a time maybe that you were able to use a stick over a carrot and how it works Well.
Joshua Kuntz:So I'll go back to my last agency. I had to use the stick a lot because the IT, I was put in a position where the stick was the only thing they listened to. So you know, any time I would come in, I'd have the, I'd have a statutory citation and a rule citation and, OK, this, it's not me telling you you have to do this, it's the legislature telling you you have to do it. And you know and this is where we you know, and the consequence of not doing it is having to face the legislature come you know the budget time and explain why you're not being compliant, because they look at the audits and they look at your, you know your incidents and they want to know what are you doing to maintain the integrity, the confidentiality and the availability of the citizens' data, and that's something that we forget a lot of times in public sector.
Joshua Kuntz:We get so focused on the fact that it's you know. Oh well, we're just doing this work, you know. Go through. You know, go through the motions, try to get more money. It's public service and the first part of that service. So we are providing a service to the citizens and they entrust us with a lot of their very confidential data and we have to uphold that. And so that I've had, like I said, I had to use a stick a lot because I they'd lost sight of that a lot of times and they it was. How can I do this most expediently? Um, with the least amount of resistance and, uh, get the product out there. And you know, usually the fastest way is not the most secure.
Joshua Crumbaugh:Um, it's never been in my experience. I wish we had security baked in. I mean, we were moving to all these new, yes, more secure languages for development, but security is still not just baked in, it's still something you have to put in on top of things, and it's how you code, and I just feel like it's 2024. We should have a language that's just secure by default by now. But I digress, okay. So a couple of things that I love to talk about in addition to where we've already gone is. One of the things is role-based training. I find that it's really interesting to see how different people approach role-based training, and so I'm curious, from your perspective, when I say role-based training in an awareness perspective, what do you think of? And the follow-up to that would be what should be prioritized? Um, you can only cover so many roles. So if you're going to go down that path, uh, but what does it mean to you?
Joshua Kuntz:So we start out, um, well, I'll say this. So I attend every new employer orientation. We do two a month, uh, so we first and 15th and I have about 15 minutes where I go through some standard things just to make sure we level set with everybody and that starts the baseline. And then we have a baseline. Everybody takes the state, you know, state approved cybersecurity awareness training. After that we have additional training for privileged users, right? So for our IT administrators that have, you know that, higher level access, they all have to go through extra training.
Joshua Kuntz:Our financial folks go through additional training, both on the finance side and in cybersecurity. Our CFO has worked with us. Uh, we have a, a, uh, commercial off the shelf, uh, subject awareness module, uh, tool and we, in that you have a bunch of pre-loaded, uh, training modules and she went through and selected, uh, 12 of them. She said I want one a month for my staff in addition to any cybersecurity training that you're doing. Hey, great, so that's where you're seeing those wins within the business side they're going. Hey, this is important and my people are at risk because we're handling the money, so I want them to have more training. I didn't even have to enforce that.
Joshua Crumbaugh:If I'm a CFO, I'm more scared of that wire going out to the wrong place than the CISO is.
Joshua Kuntz:I mean both. It should keep both up at night. But as a CFO, that is terrifying, oh God. Yes, and that's quite frankly. They're the highest value target because they're the ones paying out. That's who's paying the invoice. So your account's paying out.
Joshua Crumbaugh:Yeah, large invoices too. It only takes a second for a million dollars to be gone, and I've seen it happen before where the team was tricked into sending a wire. We just saw, actually it's a great, uh, sort of segue into AI, but we just saw the deepfake in Hong Kong that tricked the guy into sending, uh, 25 million after he said, no, I'm not gonna fall for this phish. And then they're like, oh, just jump on the Zoom and he falls for the deepfake instead. But, um, but I mean, I think that's one of those things that everyone's worried about. We are starting to see it more and more. I talked to a CISO of a bank the other day who his CEO had already been faked a number of times and their employees targeted, and so I think it's really blowing up. So I really like what you're doing there.
Joshua Crumbaugh:And just before we jump over to AI, a couple things you said that I find, or I really agree with Anyone who has a great deal of access needs that extra training. It's that with great power comes great responsibility. Training, that's what I've always called it, but no, I couldn't agree more, and I think that often IT teams are overlooked, and being an ethical hacker, I learned that, while it was the mistakes of the user that got us in, it was the mistakes of IT that let us get full control of the system, and it was often the lack of staying on top of the MITRE ATT&CK framework that would allow us to stay in the network without being detected. And so, to me, I look at it and think you know, we've got to train those most critical roles, and I've always been a big fan of training IT, yet so often it's neglected.
Joshua Kuntz:Well, in the state actually, they instituted a program. So not only are they doing the cybersecurity certification training for cybersecurity personnel, but then they also have secure development training and it's free to the agency. So that's an allocation that's given to our centralized IT agency and they provide this training. And so I get these notifications and I send them on to the application development manager, say hey look, if you have anybody who hasn't been through a training and you want to send them, have them log into the portal and do it. There's no cost, you don't have to do a purchase request and I'm the only one who has to approve it and I always say yes. So you know, giving them some additional training and secure coding helps with that. That IT, you know not making it easy for the bad guy to get in and move around.
Joshua Crumbaugh:I agree wholeheartedly, and I think so much of OWASP is about making sure that they know about the threat. I think most often developers, while they are one of the more vulnerable links in most organizations, I don't think that they're malicious or they do it on purpose. They just don't know better, and often it's as simple as, hey, let me tell you about SQL injection, how it happens and how to prevent it, and it takes no more than a minute to explain that, but it has massive impact on the organization.
Joshua Kuntz:Well, that, I hate to say it, but unfortunately I found application developers to be the most shortcut-taking people in the whole organization.
Joshua Crumbaugh:They are. I had one customer who was nothing but devs, so they're like a 250-person company. They've got 230 developers, and so they say, hey, we've got really, really low engagement. And we look and, well, 230 people have never done any of the training. And, uh, and so I was like, something has to be going on, because we're not even seeing opens. Normally we'd get something here. And so I said, let's, let's go take a look. And, uh, and so they bring in one of their developers and they're like, yeah, we found a rule that, uh, that shared or that automatically took all the training out of their inbox and just moved it to the trash. Apparently they've shared this throughout the entire team.
Joshua Crumbaugh:They come to me and they're like, well, what should we do? I'm like, well, actually they asked us to do something about it. I'm like, there's nothing I can do, but you could block their ability to write those rules. And so we gave them some advice. But I just always found it as a fascinating story because you're right, developers. In fact, it shows up in the phishing data. One of the things that trends that we've seen is that any phish that promises to save them time they'll click on. Now it needs to be a little bit like tailored, so like if they're using React and Node or something like that, it needs to be around React or Node, but it is interesting how easy it is to get them to click on the save time stuff. So, yeah, I'll pick on developers through there and agree with you.
Joshua Crumbaugh:I don't think we have any listening, mostly security folks. So AI is, man. I mean, just in the last two weeks, with the 12 days of Christmas and Google going from zero to hero on AI, a lot has changed. In fact, we are borderline human-level intelligence, with the caveat being that this is a PhD-trained human that's an expert in every domain, not just one. So it brings a lot of opportunity. It brings a lot of threat. Even before we go there, is there anything really cool that you've seen in the AI space recently that you want to talk about? Because I found it moves so quickly that everyone in our industry is having a difficult time keeping up, and we're the tech.
Joshua Kuntz:So I will say this: I've used it, and I used it for messaging. So we had an incident where we had some streaming music deals downloaded onto laptops and I was like, okay, it's not an approved software, it eats bandwidth. There's no business justification for it. I want Spotify. I was one of them, and so we identified like 40 people in a 580-person agency that had this on their computer. And I start out with a message that was very stick: you know this is not allowed and you know that it's not allowed. You just signed the, you know, data use agreement. You know, two weeks ago, that's specific, but you don't really read that.
Joshua Kuntz:Well, they signed it, whether or not they read it. They signed it and you agreed not to do this and now it's on your computer. And so I, and you know, I sent it to my staff saying, hey, you know, let's take a look at this. You know, am I missing anything? Do you see anything obvious? And as a lark, they kicked it into ChatGPT and said rewrite this like a California surfer. And it was hilarious. It's like, hey, dude, I know the good tunes are vibing, but we really do. And it was. It was hilarious. Made a couple of edits to that and I told him, I said, oh, I'll use that.
Joshua Kuntz:And they were, they were floored. They're like, you're going to send this? Sure, that's what I did. I sent it to. I basically put all the people who were, who had that on there in the blind CC line, so they got it, but they didn't know who else. I didn't want to shame anybody, and send it out. And I got more people that emailed me back, saying, hey, I'm sorry, but that message was really funny. And so, going back to the carrot, it gave me the ability to soften the message and still, but still, get the point across.
Joshua Crumbaugh:Hey, you can't do this, but do it in a fun way. Yeah, I will. Oh, no, I agree. I've actually used it for, uh, making all kinds of things fun. Um, like, I had this idea for some, uh, songs. Uh, security awareness songs. That would just be funny. Um, actually, you want to hear one real quick? Hey, it's me, your CFO.
Joshua Kuntz:No time to ask, just wire five million dollars. It's a simple task. Oh and, by the way, I need a jet by. Actually, you want to hear one real quick, but I don't know.
Joshua Crumbaugh:To me it's amazing that an AI can first both write those words in seconds and then you plug it into a different AI tool and you got the music, just like that. Yeah, there's some really cool stuff. I saw one tool that you can take a picture and apparently Hollywood's all over this already, because you can take any picture and turn it into a fully editable 3D world and these 3D worlds are better than what we've been making and creating and spending just tedious hours and they're done in under 10 minutes.
Joshua Kuntz:It's really neat. My data management officer is kind of an AI junkie. She's actually a PhD and working on, in her spare time, elusive spare time, working on a human AI model. So, and she, it's funny, she's talking about, yeah, I'm pretty close to getting it complete. I'm like, that's wild.
Joshua Crumbaugh:So human AI, like going after that artificial general intelligence? Okay, awesome, I, I know I've been working on the exact same thing. Maybe that's what all of us work in the background. Uh, it sounds like ChatGPT or OpenAI is going to beat us all because, um, what I found interesting, I mean, they released on Friday as their GPT-03 and, uh, and that actually hit the pre-established benchmark for AGI and they should have won the award, but they actually moved the target based on the GPT-03.
Joshua Crumbaugh:And they made it. They said we have to come up with a harder test, and so that's the only reason that they aren't officially the first AGI right now. Found that interesting. It will be fascinating to see how things change, like we're already seeing it improve the capabilities of robots. So they had the one, the new AI tool that came out the other day that allows you to train robots inside of a virtual world, which means you can do millions of hours of simulations in a matter of minutes, and that, you know, can take this robotics program that was, you know, five years from pushing anything amazing now and get it done in a.
Joshua Kuntz:Yeah, the advances in humanoid robots are a little scary. They are.
Joshua Crumbaugh:My wife keeps saying no and I'm like, but it can clean the bathtub, bathroom. Oh yeah, it's, it's.
Joshua Crumbaugh:I mean, they're not far from robotic assistance and that's mind-blowing to me. Yeah, I, I agree, and I think the idea of having a humanoid robot that can clean your house, cook for you, uh, mow the lawn, you know, whatever it needs to do, I think is great, and if it gets hurt, it's not you getting hurt or a person getting hurt, it's, you know, it's a machine that can be repaired. Okay, so we are. Oh, I was just gonna say we are almost out of time here, and I do want to make sure to save time to just, uh, give you a chance to really just give your sort of final thoughts, if you will, around whatever advice you have, whether it's to somebody that wants to be a CISO, or to somebody even more junior, or even to somebody non-technical at all. Whatever advice you have that you think would be valuable for our guests, I'd love for you to share.
Joshua Kuntz:Okay, well, you know and we you talked about this you know, the pipeline for cybersecurity professionals has changed significantly in the last 10 years. I'm a little, I think I'm a little older than you, so when I came through, there was basically three.
Joshua Crumbaugh:Much, but you got a little more gray than me.
Joshua Kuntz:When I came up through cybersecurity, there's three ways. Right, you're either a network guy, a server guy or a desktop person. Every now and then you'd get an application developer that would cross over, but not very frequently, and that was how you came into security.
Joshua Kuntz:So from those three disciplines, and now they actually have cybersecurity degrees in college. They have a lot of colleges that are offering these. You know, purpose-built cybersecurity degrees where you can have somebody coming right out of college with a base level of cybersecurity knowledge. They may not have the experience but they have the knowledge and, you know, for somebody who's coming out and wanting to do cybersecurity I would say, you know, look for the nontraditional things, look for apprenticeships, look for internships, especially your last, you know, last year in college. I know for the state we do that we do summer internships. There's a number of agencies that do apprenticeships.
Joshua Kuntz:There are Department of Labor programs specifically around apprenticeships in technical areas to try to get people who have no technical experience not have to go into some other area to get related experience in order to qualify to get into an entry level cybersecurity position. Because, let's be honest, entry level cybersecurity positions aren't really entry level. You're at a mid level somewhere else before you get to the entry level of cybersecurity, and so that's where having to try to bridge those gaps has been.
Joshua Crumbaugh:And it's a really well-paid job entry level, so it is very much worth your while to go out and do that internship, because at the end of that internship there will be jobs waiting.
Joshua Kuntz:Oh, 100%, I mean even with the state. My baseline, my lowest, my cybersecurity analyst one starts at $72,000.
Joshua Crumbaugh:Yeah, exactly.
Joshua Kuntz:If you're coming out of college with a degree in cybersecurity, you qualify, so that's.
Joshua Kuntz:For a recent college grad, 72 grand is a great salary and it only goes up from there, and that's in the state, that doesn't, I'm not even looking at, you know, the private sector, where you make all the money. That's in a public service where you can do that, and, you know, a lot of people, you know, don't understand this. There are programs where if you do 10 years of public service, they'll forgive the rest of your student debt. So that's a way to both make a decent living and get out from underneath crushing student debt. So that's a good way to do that. A little plug for the private sector, for the public sector, but it's something that's how I got my student loans forgiven.
Joshua Crumbaugh:So, hey, I'm a big fan personally, so it's all right. Really, yes, somebody. Go ahead, go ahead.
Joshua Kuntz:Oh, no. Go to a career, not just a job, and it's, it's very impactful. And you see this all over the place where, where business starts to slump off, they let go some folks. They don't let go of their cybersecurity people, especially in a publicly traded company. Because that's now. They're now measured. The SEC is now measuring, you know, companies based on their cybersecurity acumen and whether or not they have, you know, compliant programs, and that becomes, you know, real fines and real penalties for publicly traded companies. So that's where you can look at something that's stable, something that you're going to have a career path in.
Joshua Kuntz:It's not just, oh well, I get this job and then I got to figure out where the next job is. You can really establish a career path in cybersecurity and just find, and that's something I tell people, try a couple of different things. Figure out if you like the technical things or you have the aptitude for the compliance, and I will say this: if you have the aptitude for auditing or policy making or risk analysis, there's a lot less of those folks than there are the white hats who, you know, put on the hoodie and sit in the dark room with the computer glow, threat hunting. So it's, you know, you're looking for the highest demand. It's going to be on that GRC side. So if you have the aptitude for it, I recommend that to folks. Just try it and see if you like it, because if you do you'll have no problem finding positions.
Joshua Crumbaugh:And once you get into the industry, it's a lot easier to pivot. If you did want to move into a different side of cybersecurity, you have the experience, at least somewhat, on your resume at this point. It's going to make it a lot easier to make that next jump. Well, thank you for joining us today. We are out of time here, but for those of you who joined in live, thank you so much for joining us. Happy holidays, Merry Christmas, and we will see you in the new year.