Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Brain Over Bytes: Your Mind Is The Ultimate Security Tool
What if your strongest cybersecurity defense wasn't a firewall, but your people? That provocative question forms the foundation of our fascinating conversation with Dr. Justin Uber, adjunct professor at Marymount University and component CISO at the US Department of Transportation.
Dr. Uber shares his remarkable journey from Army medic serving three tours in Iraq to cybersecurity leader, bringing a unique perspective shaped by psychology, medicine, and technical expertise. Together, we explore the groundbreaking B=MAP formula (Behavior = Motivation × Ability × Prompting) and how it transforms security awareness from a compliance exercise into a cultural cornerstone.
The discussion reveals why traditional approaches fail and what actually works in changing human security behaviors. We unpack how contextual, role-based training is 15 times more effective than generic awareness programs, and why breaking training into 30-second micro-sessions twice weekly outperforms an annual hour-long training while using the same time budget. Dr. Uber shares tactical insights from his experience creating security champions through storytelling and open forums where employees can discuss security incidents without fear of judgment.
Perhaps most compelling is the concept of "Social Engineering for Good" - using the same psychological principles attackers exploit, but harnessing them to strengthen defenses. By encouraging employees to share security knowledge with family members, they transform into security experts within their personal circles, fundamentally changing how they approach threats at work.
Whether you're a security professional struggling with end-user behaviors or a leader wondering how to strengthen your human firewall, this episode delivers practical strategies you can implement immediately. Subscribe now and discover why the best defense truly is in your mind.
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Introduction to Human Security
Speaker 1: New firewall where human insight trumps every trick. We're not hacking systems, we're hacking behaviors. So you won't click: no complicated code, just tried and true brain science at play. Social engineering for good. The best defense is in your mind today.
Speaker 2: Hello and welcome to Phishing for Answers, where the carrot beats the stick and we flip the script on the bad guys, turning humans from easy targets into the strongest line of defense.
Speaker 3: The views and opinions expressed on this podcast belong solely to the hosts and guests and don't necessarily reflect those of their employers or sponsors. We're seasoned security professionals, but this is a conversation, not a custom consultation. Need specific guidance? Reach out to Joshua Crumbaugh directly today.
Speaker 2: Get ready. Phishing for Answers starts right now. Phishing for Answers.
Speaker 4: Hello and welcome to another episode of Phishing for Answers. Today we've got Dr. Justin Uber with us. He is an adjunct professor at Marymount University as well as a component CISO at the US Department of Transportation. We are excited to have you with us today. Justin, why don't you introduce yourself?
Speaker 5: Yeah, I'm excited to be here as well. I gotta tell you, that was a hell of an intro video. I've got to up my game. That's really cool, thank you, thank you. So, yeah, Dr. Justin Uber, of course. Day to day I just like to go by Justin, and I've kind of come from all over the place.
Speaker 5: I started out as a medic in the Army many years ago. I did three tours in Iraq, and when I got out of the Army I actually was going to, I was pre-med. I wanted to go pre-med, be a doctor. My wife stayed in and I ended up going to Germany with her, which kind of put a kibosh on the pre-med stuff. And as I was kind of casting around to figure out what am I going to do next?
Speaker 5: President Obama, you know, kind of declared cyber as a domain of warfare right around that time, and I decided to jump into cybersecurity. Everybody started coming out with cybersecurity degrees, really pulling together that sort of framework to match that announcement, and I thought it was dynamic and interesting and it fit well with the values that I'd learned in the Army, right, in terms of, like, serving the nation, serving the people. The security mindset really spoke to me. So I jumped into that, and then I lucked out as I finished my degree. We came back to the States and at the same time I got my first real role in cyber with Health and Human Services in DC. I was a junior infosec and system engineer. There I learned a lot from my first boss, a guy named Barry Harp, who was one of those, really, yeah, you know, those hands-to-keyboard, you know, curmudgeon network security guys who got told their security. You know, yeah, super.
Speaker 4: I typically call them wrecking balls.
Speaker 5: Uh, yeah, they wreck everything. Yeah, yeah, I mean, they're just not afraid to break things. Yeah, they weren't, and they weren't afraid to break things to make sure they worked well and were secure, right? I mean, exactly, exactly, yeah.
Speaker 5: They worked well and were secure, right. I mean, it was one of the best educations I could have gotten early on. Then I lucked out and got my dream job. I finished my master's in cybersecurity while I was in that first role, and the Department of Transportation's Inspector General's office hired a large cohort of cyber, well, many different roles, but cyber was among them. And when they hired me, because I had a unique combination of experiences in terms of my medic experience, I'd also picked up a psychology degree as well as my cyber degree, they thought I was a good fit for penetration testing. So I actually jumped in and was part of a redesign of the penetration testing team for the Department of Transportation's Inspector General, where my main duties were sort of being, I was a face of the team a lot of times.
Speaker 5: When I say that, I mean like just kind of out front talking. But I was also a social engineer and, you know, I did a lot of the bold assessment et cetera, right, and I fed our Mr. Robot, who was a very talented guy, right. I say Mr. Robot so everybody kind of gets the picture. He was not quite antisocial, but very, very good hands to keyboard, and so really was able to pivot through networks.
Dr. Justin Uber's Cybersecurity Journey
Speaker 4: Anyway, I like that we called him the domain admin sniper because, no matter what, I mean, you could get domain admin eight minutes into the assessment and he would have got it seven minutes and 48 seconds in. Yeah, without a doubt. He got it the first time, so yeah, yeah, that's this guy.
Speaker 5: He's super talented and he still works leading audit engagements for quasi-government, if I recall correctly. Super, super great guy. Anyway, so we had a great time.
Speaker 5: But, you know, I wanted to grow and do other things, so I ended up going to DOT, the Department of Transportation proper, where I was the information system security manager for the Pipeline and Hazardous Materials Safety Administration. Oh wow. So I got to, you know, and I was there during Colonial, so I got to have all the fun of talking. I didn't do a direct to Congress, but I had to do a lot of the, you know, background information to make sure that we weren't affected, because there are, you know, there's always some oversight and interconnection of systems during those things.
Speaker 4: I've hacked a pipeline before, not Colonial, but I'm, you know, doing red team. I've got to do it, and their security was better than I expected, but we still got in and took full control.
Speaker 5: And I'm willing to bet it was the interface of operational technology and IT where you probably found the most gaps. I, yeah, I mean, we.
Speaker 4: We definitely had to add an element of social engineering to get through the air gap, but that was the extent of it, and once we were through, we were at everything. Yeah.
Speaker 5: Yeah, that's, and that's something that, you know, even there I tried to help with some sector, but sector, I was internal cyber, not, you know, public-facing sector cyber. I had an opportunity to either go to the Department of Justice or stay at DOT and go to the Federal Transit Administration and be their Chief of Cybersecurity and Operations, and I chose that one. And so in that capacity, right, the ISSM works for me, the IT operations lead and team works for me, and then I have a privacy program. So I have all three of those major programs as well as a host of other duties, and so from that perspective I'm one of those, I'm again a component CISO, or component bureau, agency, sub-agency CISO, however you want to call it, leading that effort.
Speaker 5: But I have many more duties besides, and I think that reflects a lot of what we're seeing across the CISO landscape, which is, as they're becoming recognized as more business leaders rather than straight technical security, they're starting to get more roles and responsibilities, and in this case I've seen a reflection of, like, IT operations, the platforming and infrastructure, end up under CISOs, because they can kind of keep that holistic view of security and help make the environment safer. So that's where I'm at, and that's a little intro about me. During all that time I managed to pick up a doctorate from Marymount University, where I'm also privileged to teach. And that's the short, you know, short summary.
Speaker 1: All right.
The B=MAP Security Formula
Speaker 4: So for the audience, I recently met Justin because of an open initiative that I'm working on, well, actually, rather, we're working on now, called Social Engineering for Good. Essentially, we're trying to create an OWASP Top 10-like framework, but for humans, and anyway. So he joined up and has been helping me with this, making some introductions as well as providing some feedback, and so I thought a really good place for today's conversation would be to talk about B=MAP. For those of you that don't know what that means, it is behavior, whatever the goal is; for this purpose, it's security, you know, being security conscious, and so that's the behavior we want to achieve.
Speaker 4: Well, MAP is the formula to achieve it, and it's motivation times ability times prompting, and it's saying if you don't have all of those, it won't work. You have to motivate them, you have to make it easy and you have to remind them about it, because, while anyone who's listening to this podcast would think about cybersecurity on their own, the reality is that most people aren't listening to this podcast because they don't care about cybersecurity and they won't think about it on their own, and that's the point: you have to prompt people in order to get them to think about it. So let's work through this one by one and talk about motivation. How do you motivate your people to, or rather, how do you recommend people motivate their people to be more security aware, to care about cyber?
Speaker 5: So motivation is a tough one because, you know, there's lots of ways to appeal to people, right.
Speaker 5: I like to tie it to, especially in government, right, we have a lot of mission-focused folks, and they care about what they're doing, they care about their job, they care about what they're delivering, right, and we're delivering services to the US citizens at a core, right. That's a very broad description, but at a core.
Speaker 5: So, you know, and this, I don't know that this is specific to government, but it's, I think, a little more unique in that we can appeal to that and couple that motivation factor with their role. So what I mean by that is saying, like, look, you know, part of your delivery of good services, part of the things you care about, is making sure that you don't affect citizens and these services adversely, and so if you think about that a little bit as part of it and realize this is part of your delivery and part of your function, that is a good base, and I've actually received a lot of good feedback on that. Now, it sounds, you know, it sounds really high level to deliver, but I actually get engaged, your stories, and I get them to tell me stories, right? So that helps the motivation, because it sticks and makes it more personal and real in the moment.
Speaker 4: So does that help? Oh no, I love it. First of all, stories, you know, I'm thinking in terms of social engineering for good: stories, particularly from coworkers or peers, are that peer recognition or peer credibility. And so, when we can have, you know, Susan from accounting talk about a phish that targeted her and we praise her publicly, we've not only, you know, given or done social proof of it, which is a tactic that the bad guys use against us that we can use for good, but we also tap into, I think, a core motivational source for most people, and that is their ego. While we're only, maybe, I guess, what is the word I'm looking for, boosting, whatever, Susan from accounting's ego right now, everyone else sees that, and then they are more likely to report now because they want their story told and they want to get that ego boost.
Speaker 4: I also think that, and I pulled up this screen because there's also this thing called commitment bias, and what I've found, particularly in the government, and I'm going to talk about my days in the government so as to not pick on you and where you're at, but when I worked for the SEC and the FDIC, our policies were impossible to understand, and I will be the first to say I signed it without really understanding what I was signing. Yeah, I read through it, but, like, there was a lot. It was written by lawyers. There was so much of it that I was agreeing to. That was like, I agree to adhere to this law that's, you know, 400 pages long, and it just references it, right. So the reason I bring that up is that I think we have to simplify policy, we have to get the lawyers out of policy and we have to make sure people understand what they're signing. And you hit it when you were talking about how you tie it to their mission, right, and that's what makes them care about it.
Speaker 4: And so, along those same lines, one of the things that I like to do is change policies so that it looks like something like this, where it says: I pledge to do everything I can to keep the organization, systems and data secure because it keeps our customers and paychecks secure. Now, there's obviously different variations of that. A government entity would be slightly different, but I think that that's what people have to sign, first and foremost, if we really want to drive that change. Okay, so let's go to ability. Ability is all about making cybersecurity easier. I always like to say here that when you make cybersecurity the easiest option, it becomes the default option. Now, that being said, I want to throw it to you and ask: what do you recommend for people to make cybersecurity more accessible?
Speaker 5: Well, one of the big things I'm a proponent of is sort of abstracting away from the user where we can with technology, and that's great when we have a medium or large, you know, business where we can invest heavily in technology and have all sorts of things.
Speaker 5: You know, email filtering and, you know, there's some really new cool features from CASB, SASE perspectives where we can, like, you know, explicit deny, explicit allow and then sort of tolerate, you know, connections to certain things. You know, all these kinds of cool technology features are out there, and I'm a big fan of that, because anywhere we can sort of just make it not dependent on the user, we should, right. But especially if you're a smaller business, and as part of a holistic view anyway, you still have to have people engaged and you need to make sure that they're working this. So, from an ability perspective, the thing I like to really remind folks is, you know, and try to do is, again, we chain it to what they're doing, and I like to walk through and showcase real things that can affect their work area. And I say all you have to do is, when you see these things, slow down a little bit and think critically and don't tag too fast, and that's it. That's the simple, and I break it down to that. Yeah, exactly.
Speaker 5: I mean, we put all these cool things in. There's a red banner, don't you know? And guess what? We stopped seeing it, right. You know, the red banner stops being meaningful when you have a hundred emails a day from external sources, and that's, and so that's, you see it constantly, so you filter it out. The thing is, slowing down and saying your ability to do a quick critical read on something is paramount. And if you just engage that, and then just, oh, all I have to do is read, and here's the things, and I teach them, you know, here's the flags, here's the things that you're looking for, and I reinforce that.
Speaker 5: I actually have open sort of mic sessions where people come in and they just work with me once a quarter, and it's open to everybody. Just come in, talk to me. And there's no camera, there's no attribution, I just have it open. And this goes back to the story thing. Tell me what you got, tell me your stories, tell me how you fell for this click, and, right, we have a phishing test. Tell me how you fell for this click and why, and then tell me what you know.
Speaker 5: I'm going to try to reflect with you anyway about what you could have maybe read through, and then, when I start tying it to why these things are not great, we started seeing a drop in both the tests and the things that were getting tagged. So again, I know it's a long-winded way of saying talk to your users and educate them, but it really is. You've got to educate them and then just make sure that they understand that their ability revolves around their ability to think critically in the moment and just take a breath and a beat before they click or push that thing, and when you really break it down to them that way, I've seen great response rates from users.
Motivating People to Care About Security
Speaker 4: Oh, absolutely, and I want to point out two things there. Number one, you said break it down and make it contextual. That's what I heard, anyway, and so I saw the study that said that when you make or use role-based training, make it contextual, it makes it 15 times more effective, which makes perfect sense, because before it's just Justin talking about cybersecurity again; that's all he ever talks about. Right, it's me too. I was picking on myself as much as you there.
Speaker 4: But when you change it and it's contextual and it's, hey, this is how they're targeting finance people, now, all of a sudden, it hits home and it's no longer something that applies to Justin, it applies to Susan in accounting, and I think that's a really big point. And then you brought up phishing, and I want to bring up what I call immunization theory. So I believe that when you run phishing simulations, if you do them right, and that's a really big if, because if they're done wrong, they can have adverse effects, yes, but if you do your phishing simulations right, and by that I mean don't use inside information that no one would have, don't use low-blow tactics, even though, yes, the bad guys will, we're not trying to, you know, scare people that their dog died, right, or whatever. But the other thing you need is that really good, immediate, just-in-time training. It has to be really simple and it has to tie into the four elements that every phish has in common, not just phish, social engineering attacks. So if we look at, you know, what they have in common, it's urgency, it's authority, it's social proof, it's things like that, and so we've got to be like, hey, did you see this? It was using urgency and authority. That's two big red flags that you should have identified. Exactly. Now, if they hit that just at, right at the moment that they've learned their mistake.
Speaker 4: We found, with our users, and we've got millions of users around the world, including a lot of state and local government users, and what we found is that they're 70% less likely now to fall for that same phish again if they see it in the wild. And so what that means is that if we systematically go through all the different types of phish and we're continuously training our people to trust their gut, then all of a sudden they get this instinctual reaction, and this really cool thing happens with all of my, not all of my users, but a percentage of my users, at right around the one-year mark, every single time. They will say, hey, I got this email saying, you know, great job on reporting this phish, and I don't remember ever reporting it. And that is when it's on autopilot. And that is why, what I believe, or why I bring up immunization theory, because I believe we're creating these, if you will, human virus definitions.
Making Cybersecurity Accessible
Speaker 4: Our subconscious is designed to protect us against any type of threat. We just simply have to train it now, and that starts with giving it the right definitions. It's not hover, because that's bad advice these days, it's not things like that, and so I think that's how we really plant human virus definitions. But that means a couple of things. We have to phish more than once a quarter, and on top of that we have to systematically go through the different types of phishing threats. There are hundreds, and I've got them broken down into 23 large categories and a bunch of smaller categories, so you can't just phish a couple of times a year and expect that you're going to develop that resilience.
Speaker 5: So a couple things I liked, and also going to go back to that, you know, the framework for social engineering for good, real quick, out of what you just said. The couple things that I really like is constant reminders. When I say constant, we're not in their face, we're not, you know, we got enough email spam, right. But if you, I like personal touches with users where possible: drop by, talk some things. We'll also push things out. I try to make it engaging but bite-sized and persistent, you know, by just kind of reinforcing and just talking through and keeping that going. You know, like you said, you're building up that human virus definition. They're getting that sort of immunization because it's persistent in their thoughts.
Speaker 5: What really struck me, why I jumped in on this when I was checking it, was where you talk about the fact that most of these folks aren't cyber. And why would they be? I mean, that's not their role. So we've got to get these folks to think in a way that security is part of their stuff, but it's not really. They're not taught this way. This is not a natural way of thinking for them in their roles. So then the only way to do it is, you can either slam them with the same stuff that's not working, your once-a-year training, your once-a-quarter phish, and then you've been bad, and maybe even a stick, or you can keep, you know, giving them little sound bites, giving those little 30 seconds, giving them soft touches, bringing them in, letting them tell their stories. All these things help build up that in their mind. So those things really helped. And the tie-in to the social engineering for good framework that really drew me in was you had a thing in the accessibility about a doctor not having to choose between saving a life and taking their security training. When it's put like that, it's a no-brainer, but in some, and it's not quite that extreme, when we're designing security awareness training, yes, everyone has the time, but they really don't.
Speaker 4: And what made that really clear and apparent to me was this hedge fund CEO who says, I will not give you more than an hour a year of my employees' time. And he pulls out this number and he says it's worth exactly this much per hour. So you get one hour a year, and that's costing me a lot, right? And so initially I'm like, man, this guy's an idiot, and this is because it's like the third time we've done the pen test.
Speaker 4: Same results every year. We're not getting any better. But it made me think: what if, instead of doing this one-hour-long training once a year, we broke it into 30-second chunks twice a week and we did that every single week of the year? We're still under an hour, but now, all of a sudden, that hour is very effective, and so that, to me, was what opened my eyes around that and how there are a lot of environments where they don't have the time and, frankly, if we can do more with less, it's our obligation.
Speaker 5: Yes, yeah, absolutely. And the other thing, though, is that helps highlight the constant exposure, but not in an obtrusive and blocking way. Most people now see the phishing simulations and the cybersecurity awareness training type things as check the block. I got to get it done. In the same vein, I got to do my policy training and my HR training. You know, it all gets lumped together to just get the hell out of the way so they get on to the actual business. And kind of tie that back to the hedge fund manager's point: this costs a lot of money and I'm not seeing good value. Yeah, that's a hell of a thing to, you know, realize, you know, and go, you're right. Okay, so I like that change, because now here's a quick thing, here's a constant reminder that's not gonna kill you. Oh, here it is again, another training. You know, if we do an hour training once a week, that would kill people there. No, I'm not in for this, but oh yeah, that's way too much. Yeah, yeah, yeah, yeah.
Speaker 5: They would absolutely revolt.
Speaker 4: I mean, absolutely. I can't imagine. It'd be like detention. I mean, it would, and that, but.
Speaker 5: But that's the problem is, like, when you're looking at how we can effectuate good behavior, good, like you said, the B=MAP, getting these people to recognize their ability and behave the right way, right, it requires changing their thinking, and you're not going to do that in blocks of time, whether it's once a year or once a week for an hour. You need to have some kind of constant push into their awareness so they hear it and think about it as just part of their day-to-day noise, their background noise, but it's now embedded in how they think and act, and there's reprogramming seeds you can plant too.
Effective Phishing Simulations and Training
Speaker 4: My favorite that I like, it's, I guess, a little bit, not a little bit, extremely manipulative, but it works. And so what you do is, I have all kinds of feeds constantly just out there searching for any new elder fraud or cyber attacks targeting, and I push those out to my people and I say, hey, I want to make you aware of this. Please take this to your parents, please take this to your children. Now, when they go home to their children, if they take that homework and they do it right, and they actually just do it at all, that seed is now planted, because they have made themselves the expert in cybersecurity for their child, for their parent, and now, anytime they have a question, they're going to come straight to that person, and so it's one of those things that forces them to change their way of thinking and start making cybersecurity, you know, front and center, because, all of a sudden, they are the ones, the conduit to their parents, to their children.
Speaker 4: So, manipulative, but that's why we call it social engineering for good, and I don't think it's bad manipulative. I think it's good manipulative, because sometimes we have to encourage people and, frankly, their parents are at risk, their children are at risk.
Speaker 5Yeah . So this ties in well with something that I did too is , you know , when we talk about and I'm going to go more holistic cybersecurity in this one , because this is the approach , wasn't just on phishing , but it was you know , how do I get users to behave better ? And this is , you know , tail end . Well , through the pandemic and the tail end , we're trying to tackle good security behavior , especially in environments I can't control , so I like that policy now really really matters .
Speaker 5Yeah , A couple of years ago at at this point that acceptable use policy needs to be written in plain english yes , yeah and and so , um , I think the the scoring , uh , the spurring event for me on this one was we had , uh , there was a huge , you know , home router um , being able to be , you know , smacked by anybody , able to be , you know , smacked by anybody .
Speaker 4: I can't remember. I remember that it was like a Linksys one and they were all wide open, right.
Speaker 5: Yeah. Super ubiquitous, and we're freaking out because, you know, you know.
Speaker 4: I know everyone was freaking out because that's the middle of COVID.
Speaker 5: So then I'm like, okay, so we need to talk to users about home security, but if we do that, are we crossing a line?
Speaker 4: This is kind of, you know, you get technical all of a sudden and you try to keep it non-technical. Yeah.
Speaker 5: So then, that was... The answer, though, to me was, you know what, instead of just talking about, you know, here's the things you have to know, here's your cybersecurity awareness training, do these things. This is the government, you know. This is what my government had at the time.
Speaker 5: I said, you know, we need to expand how we talk about these things. We need to talk to users about things that they can action every day, holistically, throughout their stuff. So I expanded what we talked about and, again, keeping in mind that I did a lot of open sessions, let leaders come in, tell their stories, and I solicited these stories. Come talk to me. There's no attribution, there's no recording, right. We're not reporting you to supervisors on this stuff. You're coming and talking and you're learning.
Speaker 5: And then I started talking about basic network security.
Speaker 5: I started showing that, you know, they're at risk for these types of things.
Speaker 5: I talked about credit card fraud and scams, and I said, here's things that you can, like you said before, use to help your family and you, not just for the government, but for you in your life, because these things are all happening in real time right now. So I gave them examples and showed them these things, and the response rate I got was great, but, more importantly, the security behaviors I needed to see started becoming apparent through our click rates, you know, in terms of our official media, and then also what was being reported. Most importantly, the biggest metric for me is what do we report? What are we sending to our SOC for analysis? What are we seeing? That went through the roof and I was like, this works. So focusing on life, the stories that matter, the things that, you know, pocketbook, ego, their family, their people, and then that engenders better behavior at work, because now it's a part of their life rather than just their work.
Speaker 4: Right, yeah. Don't let your personal bank account get hacked, like people care about that, and that's part of the reason that, you know, I think, when we do prompting or we talk about prompting, so often it's not what you're talking about, the continuous and the building security champions.
Speaker 4: Champions, and, by the way, that's a point that I think you hit on that was just really not given much attention but should be: as you bring these leaders in to tell their stories, you are creating security champions within the organization, and they're way more likely to listen to the department head of accounting. The accountant and the finance people are more likely to listen to that person than they are me, and so the more I can create these security champions within the org, the more effective it becomes. So I just think it's absolutely great advice. It sounds like you've got an amazing program.
Speaker 4: One last point on that, before we end up having to wrap here, is that I think one thing a lot of people don't realize is that for most people, they only have one folder in their brain for cybersecurity, and that means that if we're talking about phishing, we're making their passwords better. If we're talking about passwords, we're making them less likely to get caught in a phishing attack, and that is simply because of the fact that, you know, security is not going to be front of mind unless we're prompting, so every time we bring it back up, it doesn't just bring up passwords, it brings up urgency, authority, whatever we've already put there in that folder.
Speaker 4: Now I know, for us in cybersecurity we have a couple, few, maybe thousands of different folders for cybersecurity, because it's a big field.
Speaker 1: But for the average person.
Speaker 4: No, it's one folder, and I think that's something that's often lost.
Speaker 5: Well, one thing I wanted to make a point of again: the social engineering framework. I'm going to plug it again because I really like this social engineering for good framework, your role-based approach. Discussions also tag this. If we kind of keep following the thought that there's one folder for people, any given person, then if we target the role and what they do, we're kind of helping fill that folder, right?
Speaker 5: So we're connecting it to something that they're doing every day and always thinking about, yeah, and so then, you know, we're making that folder, you know, very effective. Right, if that's all we've got, then we really got to make its efficiency and effectiveness go through the roof, and tying it back to what they do and then again trying to expand that to a whole-life situation, I think really helps keep that something that is ongoing and persistent and helps bring it back to the organization. So there's almost an indirect way of putting this pressure and learning, continuous learning sort of approach into play that brings back good for the organization.
Speaker 4: Just by adding to that.
Speaker 4: Not only is it in CMMC that we have to do role-based training now, also in NIST that we need to be doing role-based training, but I will point out that the bad guys are using role-based targeting, and so it's our obligation to do role-based training, because if we're not doing role-based training, and then we get mad at our users when they fail, to me we need to be taking a serious look in the mirror, because the failure is not on our users, it's on us, it's our charge. Yeah, yeah, it's been a fabulous episode. Any sort of final words of wisdom?
Speaker 5: I think? Well, first off, I really appreciate this, the time and being able to speak with you. This feels like just a natural continuation of the conversation we had when we first talked about the search engine.
Speaker 5: We may have to just keep doing this. Make it a regularly occurring segment. I think the only thing is, look beyond, for anybody who's listening. Look beyond just, you know, the basics of "I've got a security engineering or security program that does awareness and we do it once a month or once a quarter." Look for ways to embed security in an unobtrusive but continuous way for your users. That's going to pay dividends across the entirety. That's what I would push right now for last words.
Speaker 4: Yeah, I love little messages on the pay stuff, like "keep your paychecks secure," followed by whatever you want them to do, the secure behavior, because I think that's a lot more effective than putting something in the newsletter. I honestly, and here's a sacred cow I'm going to potentially slaughter, but I think that mentioning cybersecurity in the newsletter is a complete waste of time. I've just never seen it work personally, and it takes a lot of time and effort, or did, I guess, before ChatGPT, to pull these things together.
Speaker 5: Yeah, I mean, and that's evidenced by, you know, I've created, you know, things for newsletters. And then I get questions literally the next day or the week later and I go, well, did you read the newsletter? It's in there. And they go, I don't read that, you know? Yeah, continuous.
Speaker 4: Maybe I'm biased, because I've also never read the newsletter.
Speaker 5: Well, we have communication fatigue, right? I mean emails, and then, you know, yeah. So, you know, we have to find different ways to get our message across, and I like a personal touch and a continuous sort of learning approach, because I think it pays a lot of dividends.
Speaker 4: But, just agreed. Well, hey, I really appreciate your time today. Thank you so much. Please stick by. I'd love to talk to you just for a moment after the show.
Speaker 1: For those of you joining remotely, thank you so much. Have a great day.
Speaker 6: Five million dollars, it's a simple task. Oh, and by the way, I need a jet by noon and a diamond Rolex to match my tune. It's me, your CFO. Send that dough. I need a trillion dollars and a golden chateau. Trust my voice, I'm legit, don't doubt. Now send the cash before I freak out. It's me, your CFO. It's urgent, bro. And don't forget the ruby briefcase. Whoa, I'm totally real. Just trust this face. But maybe double check, just in case. Yeah, check, just in case.