Phishing For Answers

From Disney to the Mavs: Philip McKibbins on Building Human-Centric Security

Joshua Crumbaugh, Founder & CEO of PhishFirewall


When it comes to cybersecurity, we're not hacking systems—we're hacking behaviors. This enlightening conversation with Philip McKibbins, CIO and CTO of the Dallas Mavericks, reveals how human psychology, not just technology, forms the foundation of truly effective security.

McKibbins brings extraordinary perspective from his 30-year career spanning Walt Disney (where he wrote their business continuity and disaster recovery plan), ESPN, the Los Angeles Dodgers, and now the NBA. His journey demonstrates how security principles remain consistent even across vastly different industries.

The podcast delves into practical strategies for motivating employees to embrace security practices. McKibbins shares how the Mavericks blend active and passive security testing with positive reinforcement rather than punishment. "When someone passes our tests, we praise them," he explains, highlighting the importance of catching people doing the right thing rather than focusing only on failures.

What makes this episode particularly valuable is the emphasis on making security accessible. McKibbins describes how encouraging employees to teach cybersecurity to their families transforms their relationship with security—they become experts at home, fundamentally rewiring how they approach threats. This simple yet powerful technique enhances compliance without additional technology investments.

The conversation takes fascinating turns through behind-the-scenes stories, including how McKibbins helped former Mavericks owner Mark Cuban recover from an account breach, and the increased attack volume during high-profile moments like trades. These real-world examples illustrate why organizations must remain vigilant regardless of their industry or size.

Perhaps most surprisingly, both host Joshua Crumbaugh and McKibbins agree that low-tech solutions often prove most effective against sophisticated threats. As AI-generated content becomes increasingly convincing, the simple act of picking up the phone to verify suspicious requests becomes invaluable. "Trust but verify actually works," McKibbins emphasizes.

Whether you're a security professional looking for practical motivation strategies or a business leader wanting to strengthen your organization's human firewall, this episode offers actionable insights that transform security from a technical challenge into a cultural advantage.

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Speaker 1:

is the new firewall where human insight trumps every trick. We're not hacking systems, we're hacking behaviors. So you won't click. No complicated code, just tried and true brain science at play. Social engineering for good. The best defense is in your mind today.

Speaker 2:

Hello and welcome to Phishing for Answers, where the carrot beats the stick and we flip the script on the bad guys, turning humans from easy targets into the strongest line of defense.

Speaker 3:

The views and opinions expressed on this podcast belong solely to the hosts and guests and don't necessarily reflect those of their employers or sponsors. We're seasoned security professionals, but this is a conversation, not a custom consultation. Need specific guidance? Reach out to Joshua Crumbaugh directly today.

Speaker 2:

Get ready. Phishing for Answers starts right now.

Speaker 4:

Hello and welcome to another episode of Phishing for Answers. Today is a very exciting episode. We've got Philip McKibbins. He is the CIO and CTO of the Dallas Mavericks. Philip, tell us a little bit about yourself.

Speaker 5:

Wow. First off, your intro is amazing. I love that. That was really cool. I think we need to talk to you about helping us with the Mavs Boy.

Speaker 5:

I've been in the technology industry for the last 30 years. I've worked at every major motion picture studio at some point in my life. Some key highlights for me I wrote the business continuity and disaster recovery plan for the Walt Disney Company. I think I aged significantly during that exercise of two years. I was with ESPN for about eight years and traveled all over the world because ESPN is a technology company that's focused on sports.

Speaker 5:

I was with the Los Angeles Dodgers, at least an offshoot of them, one of their smaller programs, where I led the Dodger Training Academy and the building of several academies all over the country with different MLB teams, and for the last 14 and a half months I've been very privileged to be the Chief Technology Officer and Chief Innovation Officer of the Dallas Mavericks. It is an honor to be in the NBA and an honor to be a Dallas Maverick. I will not be discussing the trade, defense, wins, championships. I just want everybody to know that. So it's going to be okay, we're going to be fine. Get the number one pick and we'll be back. There goes my questions right out the window.

Speaker 5:

So, other than that, look, it's been a privilege to be in this industry and it's really been a privilege to lead the organization from a technology perspective, and I'm very happy to be here.

Speaker 4:

Very cool. Well, I love it. I mean, I can't imagine. You must have some great stories that you've come up with over the years. If there are any that you can share during today's episode, I would love to hear some of them. But I can only imagine, just with all the different places that you've been, from Walt Disney to ESPN to the Mavericks to the Dodgers. Wow, very, very high profile and exciting career.

Speaker 4:

So a little bit about me and one of the projects that I've been working on. I focus on social engineering for good. My career was as a red team lead. I ran one of the top red teams in the country, but really felt like I was always playing a game of gotcha, because we didn't have any really good ways to address the human element, and so we would come in year after year and issue the exact same report. In fact, my favorite story: well, we were doing an assessment on this, we'll leave names out of it, but this NBA team, and we had gone to the practice stadium first, and there we were able to plug into an open network jack, where we found an open share. And on the open share, we found all of the templates for the different credentials to get in. So, press credentials, physical trainer, all of that. So then all we had to do is shove our picture on there, go to Kinko's and print them out, right, so we were able to get everywhere.

Speaker 4:

Well, later in that assessment, we decided we want to see if we can get into the game operations center during the game, and so we pretend to be Jumbotron consultants, and literally the pitch was, you know, hey, we're here just in case things go wrong. Somebody asks, well, why are you here? And I'm like, well, if I have to work, things have hit the, you know, shit has hit the fan, and it works, and they just let you stay there.

Speaker 4:

And we were able to watch the game from the game operations center, and hack the Jumbotron, which was a blast, putting our message up on there, and a lot harder than I expected it to be, I might add. I bring all of that up because I've really been focused on the opposite side of this. So if we can manipulate people into being, or if the bad guys can manipulate people into being, less secure, couldn't we use those same tactics to make people more secure? I've been studying the different behavior change frameworks and there's one that I've really, you know, sort of honed in on, and it was developed by a guy, I think BJ Fogg or something like that, out of Stanford, and it's B equals MAP.

Speaker 4:

B, of course, is the behavior that we want to achieve, so we want them to be more secure. And then MAP is motivation times ability times prompting, and it says we have to have all three of those in order to actually get behavior change. And so I like to go through on the podcast and talk through each one of those layers. So you know, what are your tips to drive motivation? Knowing that the average user or NBA star doesn't care about cybersecurity, they can't do what they want to or they're malicious. It's just that cybersecurity is intimidating to most people, and so there's, like, this slide response where they just turn off. So let's start with motivation. How do you tackle that problem there?

Speaker 5:

Well, I think the biggest thing for us from a motivation standpoint is education. We try to help our people understand and ask, both on the basketball side as well as the business side. You know that we're all in this together and it's important for us to protect the enterprise. We're talking, you know, millions of dollars, you know, at stake and we have the task of not only protecting the franchise and our reputation in Dallas, but being a part of the bigger NBA community globally. It's important for us to protect the brand. So one of the things that we really try to do is to educate our people about the different risks out there, about the different actors out there and the potential threats that could pose a significant risk to the enterprise. So we spend a lot of time really trying to educate them about the different types of attacks. We do that both actively and passively, where we're constantly trying to educate them, and when I say actively, we'll push a scenario on them, you know like required mandatory training or yeah yeah, absolutely.

Speaker 5:

So we'll push mandatory training and what we'll do is we'll do it during each quarter, where we'll let them know, hey, we're going to do cyber training, and then we try to give them education on it beforehand and then we'll send it out. We'll get through that. Usually most people do pretty good. And then we do a passive push where we won't tell them when it's coming and we have tried to condition them over the course of several weeks of the types of attacks that they could see. And then what we do is see, did they pass? And if they didn't, we take that feedback and we go okay, we've got to do more education and training.

Speaker 4:

So the passive is like phishing simulation yeah.

Speaker 5:

We'll send out a phishing test. It will look just like any typical email or text message that they'll receive and when we get the results, if they pass, great, we're like that's wonderful, you see it. If they don't pass, then what we do is really start bombarding them with hey, we've got to educate you more, because we're all in this together and usually we will keep on until they pass. So I mean the way things are going in the world. You know companies, franchises, are being approached daily, being attacked daily. So for us to really, you know, up our education as well, as you know, do really great positive reinforcement, you know when they do the things that we want them to do, you know on that point, I will say that so often, security awareness programs, and particularly phishing simulation programs, are built around the goal of catching people doing the wrong thing.

Speaker 4:

You said, you know, praise them and reward them, and to me, that should be the goal: not catching them doing the wrong thing, but catching them doing the right thing and praising them and rewarding them for it, which is the reason that, you know, my favorite KPI that I follow is not phish click. Now, it's a very important one when it comes to security awareness. It tells me a lot about where I sit. But to me, the more important KPI is my report rate. So if I send a hundred phishing emails, do I get 10 of them reported back to me, 20 of them reported back to me, 90 of them reported back to me? Where are we at? And so to me, I think that's one of the most important factors there. And then, back on motivation, something that I found to be really, really effective over the years is, well, hey, we know what motivates people: it's finances, it's their ego and it's their family, and so for the most part, you can give them. It could be information on elder fraud that's going on, or maybe some Roblox scam targeting children, and you say, now go and take this home and teach your kids about this, to keep them safe on Roblox or Minecraft or whatever it happens to be, right. And then where you say, now go, take this home to your elderly parents, what happens is when they go home, if they do that, they now become the cybersecurity expert at home. Anytime their child, their parents have a question about cybersecurity, they go to them and it fundamentally rewires their way of thinking. It doesn't happen overnight, but it really does change their role and may put them into an expert role and force them to say, okay, well, I got to take this a little bit more seriously if my kids and my parents are always going to be coming and asking me about this. So I really like to do that. Now,

Speaker 4:

A is ability, and to me, this is one of the most critical aspects of cybersecurity that we're only just now, as an industry, starting to catch on to, and I like to illustrate this point by stating that when security is the easiest option, it becomes the default option, and we saw that with Apple when they first started putting security on their phones and they released the passcodes. No one was doing that. I think they were at like a 13 percent adoption rate and so they wanted to increase that, and so they created the thumbprint or Touch ID and they immediately jumped by like 50 percent the adoption. And so what are you doing to help make cybersecurity easier? Make cybersecurity easier, because so often we're seen as the department, or really cyber and technology are seen as often the people that get in the way. I think when we empower, not only do we build better relationships in the organization, but we make cybersecurity more approachable. Interesting.

Speaker 5:

I will tell you that those people who do not pass our tests usually are pretty frustrated, you know, and they're embarrassed and they're worried that it's going to impact their job. So one of the things that we do is, for those that repeatedly fail, we will actually physically send somebody to go sit down with them and we will walk them through a variety of different scenarios together, and one of the bigger ones that we found that people really miss are the ones where there's a video that's usually AI generated of one of our leaders talking about different things. So we've spent the time showing them that, even though a lot of those videos are getting better, you know, you need to really look carefully and you can tell, you know, some of the glitches and problems with it. And then we've also said to folks, quite frankly, why would our CEO send you a video message out of the blue saying deposit XYZ money or open this?

Speaker 4:

Buy me gift cards.

Speaker 5:

Right, exactly. Our CEO, Rick Welts, has so many things that he has to focus on. The last thing he's thinking about is a gift card, you know, for you, and that's not a slam, but it's like, guys, look, we're in the business of basketball, we're in the business of generating revenue, and when someone is saying, hey, I need you to go transfer $50,000 to this account, that's not how we do business. There are checks and balances in place. One of the things that we do with a lot of people is go, whenever in doubt, pick up the phone and call that person and ask them, did you just send me XYZ, and play it for them, if you can? And most of the time they're like, what, what are you talking about? We didn't do that.

Speaker 4:

And I think low tech is how we counter the high tech threat, because at some point even if it's not today, the videos are going to get so good. There won't be any indicators, and so, at that point, it will be the employees that pick up the phone and take the extra step to make that phone call. Those will be, you know, the ones that don't fall victim to these types of attacks.

Speaker 5:

That's true. Well, and I'm glad you mentioned that, Joshua, because it's been our experience that having the most technologically advanced way of snuffing this out does not necessarily mean that you're going to be protected. Go talk to that person. Trust, but verify. It actually works. And I don't know how many times over the last 14 months that we've been able to, you know, stop potential threats because we've taken the time, you know, to take that extra step. I've even told people, when in doubt, don't click, call your local IT department. You know, and we're there, you know, for them. And a lot of times, you know, I'll get calls directly and I'll just say, hey, let me take a look at it, or I'll go by their desk, or I'll send one of the team members and we just try to reassure them. You know, it's okay, you didn't do anything wrong. This happens all the time and this is how we need to address it.

Speaker 5:

So, yeah, the low-tech way of trust and verify to me has been the most proven way to thwart, you know, most of these challenges. The times when we've had problems is when people are in a rush and they don't just stop and think, and we really encourage them. We want to be the best that we can be at our jobs. We want to do the right thing at all times. And you know, if you're not in the role of, you know, moving money, why would you do this? You know so, and even, you know, the folks that are in finance, we've encouraged them. Hey, call your controller, call your CFO, you know. Call your lead, call your manager, it's okay. So for the most part, we've been pretty good. I will tell you that our previous owner, Mark Cuban, a very popular gentleman, a polarizing gentleman and yes

Speaker 5:

some guy. Every time he would post something on social media we would have an attack. You know, there are people out there that want to come at him for a variety of reasons, and he's a wonderful gentleman, and I know a few months ago one of his accounts was breached and my CEO at the time, Cynt Marshall, contacted me, I think it was on a Saturday night, and within a couple hours we were able to fully look at everything, diagnose everything, and when I contacted Mark, he was blown away that we had handled it so quickly. And I explained to him, look, we isolated you from everything because we've got to protect the enterprise, and we were able to help him get back up and running.

Speaker 5:

And I laughed because he's like, you don't want to come to my house? I'm like, no, we don't need to come to your house, we got it all under control. And he was just like, this is so fast and efficient. And I just told him, look, as smart and as intelligent as you are, yeah, I'm like, there are always going to be people who are going to try to attack you, attack the Mavs, attack what you're doing. And you know, it was so gratifying for him to say, one, thank you, and two, we appreciate just how thorough you and the team have been in handling this situation. And you know, like, even though I said I wasn't going to talk about the trade, when we went through that, oh, my goodness, I've never seen anything like that. Did you get a lot of attacks because of it?

Speaker 5:

Oh yeah, we had a lot of people.

Speaker 4:

See, now I'm thinking through who I know that's really into basketball.

Speaker 5:

Well, I'll put it to you like this: we expected certain attacks to come from a particular country, but it didn't prove out to be that country. It was the same actors. You know, a lot of attacks from Russia and China, like we get every day. It just was greater in volume. And as we were looking at things, and then, you know, we're actively doing, you know, pen tests as well to make sure that we're as secure as possible, and you know, we routinely will go through an audit of our environment to make sure that we don't have any back doors or any problems. And I think the biggest thing that people need to understand is it's not a one-time event. It's not a one-time thing. You're constantly working to evolve, to improve, to make your environment as safe as possible, because people are getting more savvy, smarter, you know, with the ways that they can come at you, and you've got to arm yourself and educate yourself. But you also got to be humble too.

Speaker 5:

It's been my experience that the things you take for granted, the things you think you've got covered, that's the true vulnerability, you know. So you've got to kind of slow down and go, hey, have I built a fault-tolerant environment? Do I have a zero-trust network? You know, which is in some ways, you know, kind of controversial, because people are like, what do you mean, you don't trust me? You know, but you have to look at it from the perspective of how do we protect the enterprise continually? And I'm really fortunate because our organization, you know, has become pretty large, especially with the Adelson family and the Dumont family taking over. They've been invaluable in helping us look at things more globally, because we're a part of the Sands family, and I mean, you can't get more secure than a casino. So I routinely, you know, I don't know.

Speaker 4:

Well, okay, all right, okay, let me back up. I have that with the Sands, so maybe they're the exception. The

Speaker 5:

Sands. I will say the Sands, and the thing I love about them is they've been very transparent. They've talked about. These are the challenges we face. This is when we had problems. These are the things that we need to do, and one of the things that I've tried to do is go look. These guys obviously know what they're doing and if we start adopting similar practices, we get better. So we're always open to their suggestions on what we could do, how we should look at things.

Speaker 5:

You know, casinos protect money, and when you look at your franchise as a money-making entity, then you need to be thinking about how do we protect the enterprise, how do we protect money? How do we protect our fans? You know, how do we protect our brand? How do we protect our players and coaches? And the trade really opened, I think, all of our eyes. You know that, you know, we're in a global community with a lot of passion and that we need to be vigilant and responsible at all times. So I will say that's probably one of the most challenging times in my professional career. And look, I worked at Sony when Sony went through their breach. That was not pleasant. Oh, you were there when that happened?

Speaker 5:

I was there.

Speaker 4:

I was there. I was there. Did you see the bare metal strategy actually used? Yeah, yeah, exactly.

Speaker 4:

Wow, that must have been something, because I mean, that's one of those things you talk about but no one ever does it. It's just in the you know, business continuity plan somewhere, but it's, you know they've had, I mean, they had one of the worst attacks that we've ever seen. I mean, I don't know, I guess MGM might have been slightly worse, but that was mostly just because they refused to pay, and I don't blame them for refusing, but it's certainly, you know, added on to it. I mean they had no guests could even get in their rooms, like that was down. Security had to go let everyone in. I can't imagine if I was a guest there, I would have been losing my mind.

Speaker 5:

We have to constantly be thinking about what is the right thing, and we've got to go the extra mile and take the extra step and realize that there's someone always out there working to try to breach a system, and that's why we can't rest on our laurels.

Speaker 5:

That's why we've got to constantly be looking at our enterprise. That's why we have to use best practices in everything, from different firewall rules on. We should be vigilant on that, and one of the things that I'm trying to work with my team on now is teaching them that peer review is a good thing, you know, and that it's okay to have someone looking over your shoulder looking at what you're doing, because I've tried to show them that, no matter how smart or as intelligent I like to think I am, you know, it's the same thing like when you're coding. You see the code in your head, and a lot of times when there's problems with your code, it's you've missed something, there's a syntax error, and then what you see in your head is not the same as what's on the screen.

Speaker 5:

That is so true, you know. So you've got to take that extra step. And you know, have people take a look.

Speaker 5:

You know, I was in a meeting the other day and we were having a discussion about things and I was explaining to one of our business owners that one of the most important things that you think about is when you're building an app, having your people comment the code. And my developers are like, well, why would we do that? And I felt so old when I was explaining it to them. I was like we need to be developing for the future, we need to be developing for the next guy or gal that's coming along. And if we comment our code, if we show our work, if we do all the steps, when the next person comes in they should be able to look at the use cases, look at the requirements, look at the code and know what we're doing. But if we don't do that, then we're going to create spaghetti code. It's going to be very difficult for people to understand what you were thinking at that moment and at that time.

Speaker 4:

It can be hard for you to understand what you were thinking at that moment in time, when you have to go back and change the code.

Speaker 5:

That's true, very true. Yeah, I mean, when I was at ESPN, that was one of the first things that I discovered, because I had taken over a couple of projects where we needed to refactor the bottom line, which is a little scrolling ticker, and we had to redo our sports data repository. And I was blown away that you're talking about millions of lines of code. You wouldn't think it would be that complex, but it was, and we at one point had to finally just go, you know what, we need to start over and we need to do it the right way.

Speaker 4:

Oh, that's terrible. You never want to start over on a project that big, you don't?

Speaker 5:

but sometimes, yeah, in retrospect, it ended up being the thing that we needed. We needed to do it the right way. We had to make sure that all of our developers and QA people were vigilant on doing it the right way and being very regimented. About a tenth of the amount of code to rewrite it?

Speaker 5:

Exactly.

Speaker 5:

We ended up making it far more efficient, and one of the first things I did was go recruit a guy who was great at hacking and I put him on the team and we were constantly going we're going to write this, we're going to try to break it, we're going to try to penetrate it and he was just phenomenal in helping the team.

Speaker 5:

See, and even when we went out and ended up hiring a new group of people in Bangalore, because we decided we needed to code and test around the clock, really good, credible people, we needed to coach, teach and train them up as members of the team, and this becomes a lifestyle, a practice, a way that we do things. And once we were able to get everybody on the same page, we were able to take a project that was significantly over budget and extremely late and be able to bring it in and get it done at a fraction of the cost in about a year and a half. And when I inherited the project, they were already seven years in, you know, which is insane, you know, but we were able to finish it in a year and a half.

Speaker 4:

I won't say it wasn't painful. We're taking seven.

Speaker 5:

Oh yeah, it is, yeah, tell me about it. But it was very painful, but a lot of it was, you needed somebody to bring a fresh perspective. You know, when you have the same people who wrote it trying to fix it, and you didn't comment the code and you didn't have all the documentation, you know, it was as if they were looking at something brand new, you know. So I know that's a long-winded answer, but you have to. You got to go back to basics. It's no different than teams that win. Like playing football, it always comes down to blocking and tackling.

Speaker 4:

Yep, you got to practice the basics. Yeah yeah, absolutely. Well, we are just about out of time here, so any sort of final tips, bits of advice before we wrap up today's show?

Speaker 5:

Hmm, well, Josh, what I would tell people is, and I loved your suggestion of bring those practices home, I think the more that we educate people about the importance of protecting our environments, whether they're at our home, work or whatever, the better off we're going to be, and I hope you don't mind if I borrow that, because that's actually a really good idea. Oh, absolutely.

Speaker 4:

In fact, right after the show, I want to talk to you about an open initiative. I have Social Engineering for Good. That's just full of stuff like that. One of the other things that's in there that I talk about is like the commitment bias. So people are biased to do what they say they're going to do.

Speaker 4:

So why don't people follow our acceptable use policy? It's because they don't understand what they sign. And so, you know, when I work on policy, I always start with a master policy that looks something like what you see on the screen here. Very nice, because that's you. They have to understand what they're agreeing to, and then everything else adds to it. But even that, you know, taking the acceptable use policy again as an example, it needs to be written by a human, not lawyers. So as opposed to having a whole paragraph about what they can and cannot do, you know, just say, hey, don't let your kids use the laptop, this isn't for play, don't use games, no social media, whatever it happens to be, but simple, easy to understand stuff, and people follow it. It's amazing what happens when we make it easy for them to understand.

Speaker 4:

With that, though, we are out of time here. I'm going to wrap it up and I'm actually going to play one of our latest music videos. It's about deepfakes. Yeah, I think you'll like it. You'll get a laugh, and then after the show, I want to talk to you real quickly. Thank you all for joining. We'll see you again, I think, next week. I don't think we have another one this week, but I will see you again soon. Excellent.

Speaker 6:

Thank you, Josh, everybody just can't fight the pizza and I'd want you and I get ready this white drug mom and KS me. Hey, it's me, your CFO. No time to ask, just wire five million dollars. It's a simple task. Oh, and by the way, I need a jet by noon and a diamond Rolex to match my tune. It's me, your CFO. Send that dough. I need a trillion dollars and a golden chateau. Trust my voice, I'm legit, don't doubt. Now send the cash before I freak out. It's me, your CFO. It's urgent, bro, and don't forget the ruby briefcase. I'm totally real. Just trust this face, but maybe double check, just in case. Yeah.