Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Phishing 4 Answers: Real-World Risk in the AI Era
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Psychology Driven Security Mindset
SPEAKER_01: Psychology systems. We're human psyches. We're not hacking systems, we're hacking behaviors. So you won't be quick. No complicated code. Just try to try science plays. Social engineering for good is the best defense is in your mind today.
SPEAKER_05: Turning humans from easy targets into the strongest line of defense.
SPEAKER_00: The views and opinions expressed on this podcast belong solely to the hosts and guests and don't necessarily reflect those of their employers or sponsors. We're seasoned security professionals, but this is a conversation, not a custom consultation. If you need specific guidance, reach out to Joshua Crumbaugh directly.
From Capstone To Cybersecurity Career
SPEAKER_04: Tell us a little bit about your journey and about yourself, man.
SPEAKER_03: Absolutely. Thanks, Josh, for having me. And hi everybody. So my yeah, and my journey began, let's say what, 15 years ago. And all this began with a with a capstone project I had in my Bachelor of Science that had to do with the manipulating of computer programs. I thought it was stupid back then. Why would anybody want to do that? Although here I am right now doing exactly that. But I think uh my I was uh I was, you know, I think I was definitely you know deep into computers and uh programming and whatnot, but security wasn't, um, or at least hacking part of security, let me just put it that way, because that's how I got in, uh, was never a thing, at least I didn't think it was a thing. You can't really, you know, manipulate or tamper with programs. Um, and you know, once I was done with my project, I found otherwise. And that, you know, kind of gave me a sneak peek into what hackers and what bad things can happen. Um, you know, with a with a well-regarded programming structure and a computer system. Um, so I figured, hey, you know, this is fun. Let's actually go a little deeper and figure out what else I can do. Um, and then, you know, one thing got to another, and then I figured, okay, maybe I should be on the bright side, not the dark side. Um, and figured, like, you know, there are actually courses and um, you know, degrees that you could actually get in cybersecurity. So I applied for one and you know, and uh I got into cybersecurity uh degree, which uh focused on InfoSec back then and data security. And yeah, here I am after all these years, still kicking in uh with cyber, never miss a day, always keeps me on my toes. Love it every single moment.
SPEAKER_04: Awesome, and it definitely keeps you on your toes.
AI Supercharges Phishing And Malware
SPEAKER_04: Uh, you know, that's actually a great segue. Um AI is just changing things so quickly, uh, from the policy that we have to have in place to the training that we have to have for our people. Uh, and there's so much more than that. It's it's changing how we do our jobs on a day-to-day, it's changing the the tool landscape very quickly. Um what stands out to you about all of that? You know, it it's it's it's a big thing that we have to address or it's gonna run us over, right?
SPEAKER_03: It absolutely will. I think you know we're we're seeing that now. It's just outpacing everything that we've built and outpacing the things. I I would say like maybe the barriers of existence that we put in place, you know, they they don't no longer, you know, help us actually keep the bad things within the perimeter anymore. I mean, you know, if we think about these waves of transformation, it happened before. And I think with AI, it's happening, but at the same time, it's happening at a such a rapid pace. It's transforming economies, not just the and also giving aspects of weaponization to all the bad people out there uh at a pace where you know it's uh we've never seen before. Let me just put it that way.
SPEAKER_04: Oh, yeah, I saw something that said that there was an 800% increase in phishing attacks in 2025. I mean, that's ridiculous.
SPEAKER_03: Um I was just gonna say, speaking of numbers, you know, that's a that's a good point. I've heard from one of the um industry leaders just the other day about the malware creation that's happening right now. It's roughly about 250k malware binaries that are actually coming out on every single day using the AI technology. Wow. And how it could penetrate into the networks, just you know, think of the destruction it can cause.
SPEAKER_04: Yeah. And and yet the good guys are still dealing with AIs that say, I can't do that. I'm uh, you know, that that would be wrong. Um, I do think we've got to figure that one out really quickly because our AIs have got to be willing to let us do the things we need to do uh to keep up with this. Um, that being said, I I do see it right now outpacing the good guys, and it's it's always been that the the bad guys are one step ahead, right? But I think AI is our first chance that we have to get ahead of them.
SPEAKER_03: I don't disagree. I think so. I think uh it's a you know just like any technology is a double-edged sword, like AI is no exception to that. I think there's as much as that there is, there's also bad, like you know, a knife in uh a kid's hand could be different versus a knife in a doctor's hand. The same thing is the case here, also, right? I think I think one thing I've been you know noticing of late is yes, I think the bad guys definitely have an edge right now, uh, just because of the way these things are accessible, or the the platforms, how you can run the AI and accelerate that and also create all bad things. But I think what they lack, this I think this will take this will take some time for the defenders is the context of the environment itself. Uh, what your environment is, and I think what the the backstory matters when you're trying to build defenses in place. And the the the whole cat and mouse game, I don't think will work out anymore. Uh, just given, you know, Mythos is a great example of that not working out anymore. Like the P1s that we used to focus on, like it doesn't matter, even if it's a P4, it's you know, it's as easily exploitable just as it would be a P1, because the exploit code is out there and you have the AI tools, you know, just like we spoke about, the malware's coming out at rapid pace, it's not gonna stop it. But I think on our end, the defender side, I think we do have, we we got to start using it, practically implementing that, without which it'll be very difficult to figure out, you know, how is it that you're gonna work out AI or feed work out, you know, feed AI into the culture that you're building within the company. And more importantly, how does your tech landscape change with AI, you know, coming in?
unknown: Yeah.
SPEAKER_03: I think this would become a place where, you know, without like, you know, you need a diamond to get a diamond, right? The same thing with AI. Like you need AI, you need the the rapid pace, you need the innovation, you know, what AI provides you to defend against AI, you know, based attacks. So yeah, one go or the other, you have to you have to be in that.
AI Triage And Reachability Risk
SPEAKER_04: Well, I I think it's a couple of different areas. AI is making our detection and response better and quicker. But the other thing that I see is that we used to have to make this decision. Uh, you know, do I want more false negatives or false positives? And now the answer is obviously, well, I want more false positives. And the reason is is because I can plug AI into it and let it deal with the noise and help me find those, you know, incidents that I need to look at. Um, so I I think that it also changes things a little bit there too, because it allows us to, you know, have that higher volume of alerts uh without it being something that you know makes it to where we can't find uh the needle in the haystack, if you will.
SPEAKER_03: Yeah, for sure. I think that's you bring up a very good point. Um, I think the triage has been um a pretty laborious process in the past, where you know, how do we identify false positives and true positives so you can work on the ones that you really care about? I think we're also moving away from that and getting into this reach, moving from vulnerability management, at least the way I think about this, into more of a reachability management. You know, it doesn't matter if you have a P1 out there or a P0 or a P4 for that matter. Uh, is it applicable to your environment? Is it something that's reachable directly from the outside world based on the perimeters you've built out? Uh even the the I think the whole thing kind of you know comes down to the attack surface you have open your business, you know, your business assets exposed to the outside world. And what can that do, you know, when you have your tools like AI, uh where you know the damage gets significantly much bigger than how it used to be. And I think getting down, you you're still gonna have to prioritize things. We're still you know dealing with remediation from a human standpoint. We have we aren't there yet from an AI standpoint. Maybe we'll get there soon. But you still have to prioritize what what matters to the business. I think that's where you gotta come down to the priority, you know, stack of things, and which is where does this matter? Is this applicable? Is this reachable? Then yes, then let's move forward. If not, let them keep, you know, let's keep aside. But at the same time, even for that analysis, like you spoke about, you need AI to help with that, you need to bring additional factors, technical and business factors, build the context in, and then now you know try to figure out what the what the final output is, and then start, you know, working on them.
SPEAKER_04: I I agree. I I think that that same you know business context that is so critical in making decisions around cybersecurity and prioritizing different things is uh is one of those things that we've got to give to the AI as much as we've got to give it to our lowest level cybersecurity person. Um, one thing that stood out to me, I guess, later in my career, uh, because early in my career I had done all of these application penetration tests, and we had a lot of informational or low findings around user and client enumeration. And a lot of these were SaaS startups. And I realized later on when I had a SaaS startup that being able to enumerate somebody's client list is actually very sensitive data, and that should have been mid-listed at least as a high in any of those reports, but it was that lack of context that had it in there as a low. Um, so I think that that's another part of the human element is making sure that we're communicating from top to bottom.
Data Classification Becomes AI Fuel
SPEAKER_03: I will point this out. That's uh that's a good point you bring up, Josh. I think you know the the whole aspect of data, the sensitive data, has always been a first-class citizen, no doubt. But I think the DLP aspect of data, the categorization, classification, enforcement, I think that is still not effective in most of the firms out there. Unless you're in an extremely heavily regulated space and you just have to do it. That's stable states, maybe, but for most of the SaaS first companies and cloud first companies, you don't really have that as the fundamental measure. That is becoming such a big problem with AI now because the data, well, lack of data transformation is the underbelly of having an effective, you know, having an effective AI strategy implemented. Without that, it's very difficult for you to kind of see what kind of damage, you know, can that cause. It doesn't just have to be sensitive data exfil. It could be as simple as you know, somebody trying to access some data that they're not supposed to, and now that amplification can happen. You do bad, that amplification happens, you do good, the same amplification happens, but the you know that the core element of amplification is there. So you got to be very careful on how you're treating the data, especially if you're in a place where the data is super important for you and your clients.
Embedding Security Into Daily Work
SPEAKER_03: Absolutely.
SPEAKER_04: So pivoting a little bit, uh, you know, I see a lot of my peers who look at the human element as the weakest link. And I sort of really look at it very differently. I see them as our greatest asset, our, you know, our best endpoint detection, if you will. And so I have this whole social engineering for good project. Um, but uh what I I the reason I bring it up is that I'm curious, and I like to ask every CISO, uh, what's the biggest thing that you found to effectively drive culture change?
SPEAKER_03: That's a good question. So I think culture comes in multiple forms, and I feel when I'm trying to, in my seat as a CISO and a security leader, the way I'm trying to think about this is how can I embed security into the everyday flow of things? And it has to be something that's not on the dark corner. The security is not supposed to be like that. It has to be embedded in the very fabric of the culture itself. And I think there are a few things that I would usually employ. Like, first of all, I think you know, a lot of people jump to conclusions and figure out, okay, security training, awareness, you know, do this, do that, and there are enforcements, or you know, there are some kind of punitive things that you'll have to, you know, push in to get people going. I think you know, it's kind of this hockey stiff stickification. I feel maybe you will get some benefit off the bat, but after that, it's just gonna get worse and worse. Uh, because you're dealing with people, you know, people are no different than you. So, you know, the the mental terrain is the most difficult terrain out of all, right? So you gotta be careful on how you deal with that. I, you know, for something, and I'm not gonna say I'm perfect at this, but I really like to think about this as I've seen in multiple organizations in the past. First of all, diagnose the situation itself. Like see how your users are, are they being rewarded for something? Are they being punished for something? How open are they about talking about security? Are they bringing up the reports proactively, or do you need to push them to get that going? Um, and also once they do that, how is the team responding back? Are you responding in a fact? Are you embarrassing them? Are you taking this in a right? I hope not. Yeah. That that is a sure shot for failure.
So I think once you get that going, you will, I think you'll you'll figure out, you know, what kind of incentives you have built in into the culture already, both personal incentives and also corporate incentives. And then you tie that into the motivations of the person or people itself. Yes. Like what kind of motivations they have, right? Everybody is working towards something. And nobody, you know, in the corporate setting, at least most of them, they're not trying to do bad things. They're trying to do what they they have to.
SPEAKER_01: Right.
SPEAKER_03: Preacher. And your social engineering for good exactly taps into that, I guess. It's you're talking about, hey, there's there's good everywhere we look. We just have to look deep enough. And when you look deep enough, you'll actually find this, you know, their their motivations. You want to keep themselves, you know, they want to keep themselves safe, right? You know, how do you do that? Be cyber smart, you know, think about things and learn about things, and we can help you get there. I think that's number one. And second thing I found is also making security the easiest path. Yes, yes.
SPEAKER_04: It's the default option.
SPEAKER_03: It's the default option. You don't have to, you know, go out and do something else. It's a part of your workflow. It's a part of how you do things. Like, you know, from an engineering perspective, if you're making it easy for them to, you know, validate the 20 input directly from the same library that they're working on, perfect. Like they don't have to go and investigate and you know create some a new library to bring that in. The same thing applies for corporate too. Like, you know, security awareness or trainings have to be part of the work that you're currently doing. If you're a finance person, you have a certain workflow. You got to diagnose that. If you're a HR person, you have a certain workflow. You come up at you, you know, you come to the desk in the morning, you start working on something. What is that something? Let's figure that out. And now let's see how security can tap into that. I think that was one of the biggest things I've found where we could get better adoption in actually getting people both to listen about what security has to say and also tie that back into their motivations and outcomes they're looking to achieve.
Behavior Change Beats Checkbox Training
SPEAKER_04: So it's so interesting. You you touched on so much of the uh there's actually a behavioral science framework uh for behavior change. It was developed out of Stanford University's uh behavioral science laboratory by a guy named BJ Fogg, and it's B equals MAP. So B is behavior, that's whatever behavior you're looking to achieve. And it says, in order to achieve that, you need motivation plus ability plus prompting. And so motivation, you know, you tap in, you they it's what you said, you you make it uh personal for them, you connect it to their job, their their family, their finances, you make it personal. Um, even their ego is uh another great motivator. Um, ability is just making it easy, like you said, uh when it's you know, make it the easiest option. Um, that's why I love passkeys, because finally we have something better than passwords, and it's easier for the users. Um, and once you get over that initial learning curve, um, I don't know about you, but my users love it. So um, but I I digress. And then finally it says, okay, so you've got motivation plus ability, you still need prompting. You have to remind them about it constantly because it's not their top priority, they're gonna forget. And uh and so it you hit on so much of that, and uh, and I just had to bring it up. Have you ever heard of B equals MAP before?
SPEAKER_03: Or I did, I did, I did, I did. I didn't know the the you know the detail around it. Thank you for explaining that, but I did hear about that acronym before.
SPEAKER_04: Awesome. I mean it it's so applicable. Uh, to me, it's one of those things that, well, it's baked into social media, it's why it's addictive. Um it's it's actually a big uh thing that's used heavily in Silicon Valley, but uh, but no, I I guess I part of the reason that uh they bring it up is because I really think that it's one of those things we got to incorporate in cybersecurity. I feel like every bit of the awareness training, maybe not every bit, that's that's an extreme statement. Too much of the training that we do is to check a box for PCI, HIPAA, you know, whatever it happens to be. And it checks a box, but every study out there shows that it does nothing to make us more secure. In fact, there are a lot of uh there's quite a few academic studies. Um, and I'll I can link you to a few. I've got a few friends that have uh done them, but so that they'll do a phishing against a group of phishing assessment against a large group of people, and then they will run the annual security awareness training, you know, that one-hour class where they go through an LMS module, and then they'll phish them again. And in every single instance, either they got no better or they actually got worse.
SPEAKER_03: It's funny you said that. It's uh, you know, we used to have this uh back at one of the places I used to work for. It's not so much a security awareness, but we used to have the secure coding uh training session, which was half a day. And we used to put people through that torture for half a day. And it's it's funny how desensitized they get by the end of the session itself. It's not making them better, it's actually making them like you know, we're we're hearing the same thing over and over and over again, which doesn't have any direct applicability to what they work on. Like if if that connection has lost, then technically it's no different than you know information trove out there without any linkage to how you need to bring that in and you know put that into your respective workflows, it's it's uh it's a clear failure, no doubt.
SPEAKER_02: Yeah.
SPEAKER_04: Well, I think we gotta just fundamentally change how we uh approach it in general. I mean, we've got to approach it to the user and how we drive that change. Um, there's this thing called the forgetting curve, and basically it says that if we get our training out to an hour, that within 48 hours of that training being completed, uh, we will have or our users will have forgotten 98% of what they learned. Um and so I think, yeah, it checks the box, but it it still is the reason that our well, our number one phrase in this industry. Can you guess it? Number one phrase. Let's see, the the weakest link thing. I mean, I would go with you can't patch stupid. That's the one I hear all the time. That's my favorite thing. That's a nice one.
Carrots Deterrents And Simple Narratives
SPEAKER_04: Um, so I gotta ask you, uh, and I think I know what answer you're gonna go with, but uh, if you had to pick one and only one, would you go with carrot or would you go with stick?
SPEAKER_02: Oh, absolutely carrot, no doubt. And also, you know, what I'll I'll point out one thing.
SPEAKER_03: I've only had one guest to go with stick, but you know, just I I was I was gonna kind of, you know, also like stick is I I feel like there are aspects where you get close to stick, especially when you have a time pressure or you know, things that you just have to put this out of the door as soon as possible. You may have to do certain things that are outside of the carrot, but I I've used deterrent instead of stick or enforcement. Deterrents are a better way, and this kind of taps back into everything we just spoke about the motivations. What does corporate motivation look like, right? If you're if we're trying to, rather than labeling something as security awareness, label it as maybe you know, you're building great products, security should be a part of that. So I think that would become kind of this natural deterrent where you're like, you're pushing the message, but not hard. And people, you know, kind of get it.
SPEAKER_04: Yeah. No, I I I completely agree. I I I sort of see it now. I have an advertising and marketing degree. That was what I went to school for. Uh, so maybe it's coming out, but I really see our job is to be advertisers or marketers within the company um for cybersecurity. What do advertisers do? They get you to pay attention to stuff you don't want to pay attention to until you like it and you want it. Um that's really what we need to do with cybersecurity. So I see a lot of overlap there. And uh, and so I think some of those tactics that they use should be applied over here. Um, and I I don't know, just my two cents.
SPEAKER_03: I think I think you're right. You know, everything we do, like even outside of uh user safety, we're also talking about product safety, we're talking about trust, you know, customer trust and compliance and risk management. You name it. Like everything within cybersecurity comes with, you know, where you need to have a sufficient amount of influence built in, but also you got to have the storytelling and the narratives built out. So you're kind of taking this more not as dried metric, but more as you know, free-flowing information that talks, like kind of hits at the fact where you're trying to do what's best for the company and trying to enable them move forward. But how do you bring that into a story? And we're we're also constantly talking with the non-technical people too, right? Like how you got to make sense, the technical terms, you gotta translate them in the right form. So they get it. They get that it's not lack of you know, understanding, it's more about can you pitch yourself up to a place where you're able to talk things in business terms and finally get to that business outcome you're looking for as a company, right? Not just for cyber. Company doesn't exist, cyber doesn't, like you know, the so you gotta figure, you know, I think uh that's that's important to you know, kind of carry that over your head.
SPEAKER_04: Well, and I I think it's also important to think about the message that we want to send and and really just spend time on distilling it down to its core. Um, and I'll give you an example. For the longest time it was think before you click. Uh, but uh that that was what I thought, you know, distilling this whole thing down to its core, that was the best message. Uh, but then I realized, you know, maybe the best message is trust your gut and to teach them about urgency and authority and things like that. Um, and so I I think it's constantly thinking about how do we refine this message down? How do we make it non-technical, and how do we make it as simple as possible? Because to me, users appreciate brevity.
unknown: Right.
SPEAKER_03: Absolutely. Oh my God. Yes. Keep it successful, keep it clear, tie tube, you know, some business alchemetric, it's so easily digestible. Otherwise, you're just complicating affairs.
SPEAKER_04: Uh-uh, agreed. Okay, so we are running out of time here, but I've got to ask you your opinion.
Phishing Policy Trust And Inoculation
SPEAKER_04: Um, one of the policies that I still see constantly, I do a lot of public speaking, and every time I do it, I ask my audience, how many of you have a three strikes and you're out policy at work? Where if you click on three phishing uh simulations, you get fired. I always get hands. Now it's less hands these days than it used to be. In fact, and the last one, there was no one in there, but there was one lady that said, My husband's company does. Uh she wouldn't tell me who he worked for, but she said it was a very large company. Um, I think the point is we still see this all the time. And uh, and you know, even in this carrot versus stick battle, and and I said I've only had one guest that uh that called it out, but that's the guest that wrote most of the books on security awareness. Um I don't know, I do still see a lot of stick in uh in our our industry. What do you think about the three strikes and you're out policy?
SPEAKER_03: I think the phishing simulation is a good topic to kind of build out the whole sticks, uh, the three strikes thing, and you know, why why that could could have been you know something that we're still dealing with, even in this day and age. I think you know it came about from a fact that no matter how much you tried to drill about security awareness, first of all, you were not drilling it the right way. The approach was not right. The you know, the response that you had when people reached out to you about reporting or you know, talking about, hey, this is what's happening, the response was never right. So I think we gotta change that in ourselves first before we you know kind of you know blame the users about this. And we're also like users are this is not their day job. Like you we gotta understand that their dog day job is something else. This is kind of on the ambient, you know, side or more on the periphery. Like, you know, you're you're trying to bring that in, but at the same time, like you've all you gotta be empathetic to what they're working on. Yeah, I think you know, with all that said, I would the simulation has always been the bane of my existence. I never loved it. Uh, you know, we we have these requirements, like you know, talking to regulatory or contractual in some cases, where you know, do you have phishing simulation? If you do, how many how often do you do that? What are the reports looking like? I'm like, that doesn't really give any kind of, you know, we're we're not trying to really fix anything there. It's more check the box and move on kind of thing. By doing that, we were actually, you know, we're we were the trust component of cybersecurity was getting really tarnished. And we do all this, you know, and then without the trust, there's no way we could actually build an effective program, no way we could, you know, build good control set because we're relying on people to actually get that done.
We're the reporters, somebody else is actually doing it for us. So I think you know that has always been a constant battle for me. The way I do it right now and the simulation part, we are not doing dedicated simulations per se, or I've never been a proponent of that. If it meets a bigger purpose, let's say a red teaming exercise for ransomware event or a data exfiltration event, if a simulation has to be a part of that just to make sure, like what kind of kill chain are we trying to define and how what kind of outcomes we're trying to get, maybe it makes sense, but also, you know, in limited doses on how we do it. You know, first of all, I think inundating people with all that, like, you know, we are kind of missing the core message of what's really trying to accomplish itself with the with the phishing.
SPEAKER_04: So I agree with everything you said, uh, but I have a little bit different take on it, and I I want to get your opinion. So um, I I have this theory of human virus definitions, if you will. And my opinion is that we can run phishing simulations to um inoculate people, to help them see how authority is used, how urgency is used. But the problem has always been how phishing has been done. We exploit users, we see if they'll type in their credentials, we use inside information to uh trick them, you know, phishing uh phishing attacks that are so real, anyone would fall for them, including the IT person that made it, if they hadn't made it themselves, right? Um, so those do nothing but uh but you know, get rid of trust. So I took a different approach where I tell the users I'm gonna phish them. I tell them I make it a game. If they click, they instantly know they click, they get instant feedback back to their inbox. We start off really easy and we increase the difficulty over time, making it to where we can actually build those immunities. One of the things that stood out to me was that uh for actually the last three years in a row, my number one chronic clicker, I've got close to or over two million users on uh on the platform, uh, but for the last uh three years in a row, 11 clicks is the record for the year. Um, that's the user who clicked on the most uh phishing simulations. Um now, has not been the same user. Uh and what I found really interesting was that these users that needed 11 clicks to learn how to not stop clicking, they were one of my more secure users and those follow-up years after that happened. Um, so I I believe that we can build immunities, but it has to be done right and it has to be done in a healthy manner. Otherwise, like you said, all we're doing is abusing trust with our users.
SPEAKER_03I don't disagree with that. I think there are multiple ways to approach this. And what you're doing, it's very interesting. One thing I'm also looking for, and this kind of goes back to the operational resilience we're
Resilience With Controls And Hardening
SPEAKER_03trying to build. Like, what does the security team do? What's our job? To build that resiliency into the fabric and build the right control set, right? So that the soft center is being protected. I think relying too much on the users is also not the right thing. You have to figure out the technical controls: even if they fall, in the worst case scenario, are you still resilient enough? That's something we've been focused on a whole lot more, because it's all about prioritization. Do we need to do more user training or user hand-holding, or do we focus on something else? For us, it's clear that we should focus on something else, because that's going to be long-term value. At the same time, we're building this safety net, so to speak. If they fall, they fall, that's fine. But we're still training them; incremental value happens. But are we protected as a company? Are we doing everything we can from our perspective to build the right level of controls? This could be enterprise controls, product controls, you name it. I think that's also important.
SPEAKER_04Oh, I agree. I think that system hardening is one of those things that we don't do enough. I go into so many different environments where I start looking around and the GPO is lacking. We don't have any centralized sort of hardening systems or configuration management. We don't have images, or baselines, that our vulnerability scanners are testing against. To me, all of those things are just as critical or more critical than the human, because if we do our job right, the human can make the occasional mistake and it's not the end of the day.
SPEAKER_03Absolutely. Well said.
SPEAKER_04Well, hey, this has been a phenomenal episode. Thank you so much. Any sort of final tips before we end the show?
SPEAKER_03No, well, first of all, thank you, Josh. This has been amazing, and thank you for all the amazing questions. I think you've also opened up a trove of things that I haven't really thought about in a long time. So thank you for that. Lastly, I learned a lot here. Thank you. Absolutely. I think the last thing is, we spoke about culture. I want to maybe put one thing in there. I don't know where this phrase came from, but somebody said that culture is all about people doing what they're supposed to when nobody's watching them. I think that's such an important and critical statement to think about. If you really want to have good key performance indicators about how people are doing, I think you really have to diagnose the situation a little bit more and figure out what it is that is driving people forward and how security comes into that. And I think once you figure that out, it's very easy for you to see what adoption you're actually getting, and ultimately you're actually making your company a better place to work at. So that's one thing I wanted to call out.
SPEAKER_04Yeah, I couldn't agree more. I think that's great advice. In fact, I'm probably going to have to have you back on the show, because I've got a lot more questions that I want to ask you, but we are out of time. Thank you so much. Have a great day. And well, that's the show. Thank you everyone for joining. Bye. Thank you, guys. Bye.