Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Phishing For Answers
Phishing for Answers: The CISO on the Razor's Edge
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
A conversation with Steve Tout, author of The CISO on the Razor's Edge, about what it really takes to lead cybersecurity in today's complex environment. Steve draws from systems thinking, game theory, and real-world advisory experience across high tech and financial services to reframe cybersecurity as a leadership challenge — not just a tech problem.
We dig into the pressures reshaping the modern CISO, why alignment beats control, how to navigate chaos with clarity, and why too many security leaders burn out under impossible expectations.
If you've ever felt like you're leading from the edge, this episode is for you.
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Psychology Over Tools
SPEAKER_01Psychology systems. We're not hacking systems. We're hacking behaviors. So complicated code just tried it. Science supply. Social engineering for good senses in our mind today.
SPEAKER_02And we flip the script on the bad guys turning humans from an easy target into the strongest line of defense.
SPEAKER_00The views and opinions expressed on this podcast belong solely to the hosts and guests and don't necessarily reflect those of their employers or sponsors. We're seasoned security professionals, but this is a conversation, not a custom consultation. If you need specific guidance, reach out to Joshua Crumbach Directly.
Steve Taute’s Cybersecurity Path
SPEAKER_04Hello and welcome to another episode of Fishing for Answers. Today I've got Steve Taut, the author of CISO on the Razor's Edge with us. Steve, tell us a little bit about yourself, how you got into cybersecurity, you know, all that fun stuff.
SPEAKER_05Sure. Thanks, Joshua, for having me. And first of all, that uh intro video was off the hook. I love it. I'm gonna have to find that so I can uh share it with my team and replay it. All right. This uh, you know, this conversation uh, you know, I think is really timely and really appropriate. I uh, you know, a little bit about my background and and you know what I'm currently doing. Um, you know, I think, you know, I uh got started in cybersecurity by accident. You know, it was uh I was a developer. Yeah. Uh I my career aspirations were that I wanted to be a developer. And uh I worked on a team at one of the big telcos, and uh we suddenly got asked to evaluate uh a single sign-on vendor. And one thing led to another. I was you know supporting that, became one of two LDAP administrators for um, you know, one of the big uh telcos websites, um, then got recruited to to lead identity management implementations for one of the major banks, and then got recruited, you know, and the story goes on. But um, you know, it it was an um you know career track that I couldn't have designed for myself. I just kind of pursued where the opportunities led and uh let that unfold, and here we are.
SPEAKER_04Awesome. No, I I that's uh actually a fairly common story because you know, cybersecurity wasn't this thing, uh this career path that we could just choose. Uh at least not when I was going into school, you know, information technology, yes. Um, to to some degree, even that was still uh a bit of an emerging uh field. So but I guess I'm dating myself. Anyway,
The CISO Diagnosis And Scapegoat Trap
SPEAKER_04we're here to to talk about you. So uh I'd love to start. Um in your book, you say that it's more of a diagnosis uh than uh anything else. Uh tell us about the diagnosis.
SPEAKER_05Yeah, well, I described the first half of the book as diagnostic, and the second half is a bit more prescriptive if cybersecurity leaders are looking for the escape hatch on the uh place that they've landed on uh at in their careers. And I'm, you know, very early on, make it a make the disclaimer that hey, I am I'm not a CISO. Uh I've worked around them and with them and for them for quite a lot of years. And uh I just cleared the air that um, you know, this is you know a book that I wrote from the perspective of, hey, I just finished uh producing season one of the Candid CISO podcast. And I heard 12 cybersecurity leaders in 2024 describe a lot of the challenges that they were facing, like Rinky Sethi, who got ejected from um one of the major social media sites after it was acquired, you know, somewhat disruptively. And if there's one theme that could be summarized, the diagnostic part of the book is that um everything is changing all the time. There's a um a line by um Logan Roy in one of one of this these epic um media shows called Secession. And that line that he delivers that um there is no line, everything is changing all the time, just really struck with me and I stuck, you know, struck me and stuck with me that uh that really is true to life in you know, whether you're secession planning for a major CEO role or in leading cybersecurity programs. So uh, you know, there's one chapter in the book that was inspired by um a conversation I had with Steve Zalouski that also sums it well, well about the comorbid uh um symptoms of cybersecurity leadership. And the diagnosis isn't about the shortcomings of the CISO. Uh, it's about they're they exist in an environment that uh is stacked against them. You know, and the subtitle of the book is it's uh leading cybersecurity when the system is designed to break. It's a bit, you know, tongue-in-cheek and and pro provocative because it makes you stop to think, well, was the system really designed to break? And I I offer that tension point, like there's you know, an emergency uh uh hatch, you know, there's you know, the CISO is viewed as a uh a scapegoat, if you will. And I think those organizational design choices and leadership structural choices are are not by accident, but uh I don't, you know, write, create more conspiracy theories. I write because I'm trying to be clear-eyed and honest about the assessment and then spend a fair amount of time in the book describing solutions rather than just complaining about the problems.
SPEAKER_04Uh yeah, I mean, I I think our our entire sector or industry still has a lot to learn and and a long way to go. So um I I think a a bit of it is uh you know a work in progress, no matter what. I mean, it's sort of like medicine, or we're no matter how advanced it is at this point, they're still learning every single day. Um so I I see cybersecurity very similar and uh and it's only getting more and more complex when you add things like uh you know general purpose transformers into the mix and uh and all these large language models. Uh whereas you know, people really don't understand how they work, and we're talking about the people that developed them who don't fully understand how they work. And uh and I think that even in and of itself is going to lead to a its own class of vulnerabilities, and we're already starting to see some of those, like uh the one we saw with Gemini. Uh, but you know, it it's uh it it really is a fast moving world uh that any CISO's in, and really anyone in cybersecurity in general.
SPEAKER_05Yeah, without a doubt. You know, I I see the the CISO path uh splintering a bit. You know, some of the CISOs are recasting their role as the chief security technology officer, or they're going down a data path and becoming the you know, the the chief data officer or down the AI path, you know, recasting it as the chief AI officer. And I think there's probably a you know a trend that I see to escape the uh liabilities of the role, but still maintaining a bit of the authority and the foresight about securing the organization and the foundations, uh, which I'm fully supportive, right? Because I believe in accountability, but I also believe in you know a shared responsibility model where uh, you know, I think it's unfortunate and a bit unfair that a lot of the blame falls on CISOs when they don't have the power or the resources to make the changes necessary to uh help an organization actually improve their security posture.
SPEAKER_04I mean, yeah, that their job title starts with chief, but rarely are they in the C-suite. And uh and I I definitely see that as an issue, whereas you know, they're often VP, they're answering to somebody in the C-suite, and uh and that is not the same. Um but yeah, no, I I I definitely see how it's a difficult job, and and we see that where people don't last long, uh they stay in it for a few years and and then ultimately they end up becoming a field CISO or or something like that, uh because there's there's not the liability or the stress that comes with the job. Um
Rethinking Phishing Training And Blame
SPEAKER_04okay, so let's let's pivot a little bit before we started. You said you had a little bit of uh I forget the word you used, maybe it was contrarian take on fishing. Non-conformist.
SPEAKER_05I first podcast was called the non-conformist innovation podcast. And uh yeah, yeah, innovation is a is a form of rebellion, you know, as it is. And yeah, so nonconformist was the word.
SPEAKER_04Love it. Okay, so what is your non-conformist take on fishing?
SPEAKER_05Yeah, well, I mean, I was you know, listening to some of the past episodes, and uh, you know, as it relates to the organizational aspects and the environmental aspects that I write about in my book, I think the real key here is that we look at you know, phishing and then do some analysis and like, oh, the user did this and the user did that, and they don't have the awareness or they don't have the skill. And it's like, you know, I think my whole, you know, when I zoom out to like do, you know, scan the environment, I wouldn't place the blame so much on the the user, right? I mean, they're doing what they know here. Let me share this story with you. Like, I was advising on a cybersecurity company, I won't name the name, 225 million or so in ARR. They had been affected by the Solar Runes breach. And I was consulting, and they were running some um, you know, awareness campaigns, and I received an email that was actually quite convincing in terms of being real, that it was, you know, the exact nature of it was um, you know, here's a link. You can go view the um company store and buy, you know, logoed merchandise, like a hat or a pin or a t-shirt or whatever. And I'm like, oh, okay, I you know, I kind of like this company, and let me see what is in their merchandise store. And um, you know, it it on at first glance. I uh obviously I clicked through it, so I didn't see that this was a uh a fishing awareness campaign, and I wanted to see the gear because maybe I'd like to sport the logo. But you know, I fell for happens uh to all of us, by the way.
SPEAKER_04Um the well, we'll go there later. Continue, continue.
SPEAKER_05Yeah, yeah, sure. So I mean, you know, it was a learning because I got to see, you know, just how like realistic these are, and uh, you know, more more on that later, but you know, coming back to we we tend to like try to correct the human behavior, right, through through training, and like your your video in the beginning was about the psychology, which I agree, but if you're tracking the KPI as the success of the number of trainings that you've held, 100% of all the employees took it, right? Isn't really the right metric, I you know, I think to focus on. I agree.
SPEAKER_04I I like reporting the best personally.
SPEAKER_05Yeah. So directly, I mean, I think that you know, the phishing awareness is a uh it shouldn't be a a one-time annual thing, a one and done. It's really a a cultural and a leadership value of what outcome are you trying to achieve, which is uh increasing the uh level of um engagement and concern and and skill of end users to protect themselves and their data. And I think if it's something that you do once a year, you tend to forget it. Or if you if you uh if someone clicks on the link and then you mention that person's name, like hey, you know, on a team meeting or on a company all hands, like, yeah, we had 56% completion this week, but Joe, you know, had an interesting story because you know, you tend to create a culture of uh of fear and shame of like, oh, I fell for it versus um empowerment. And I, you know, that's my non-conformist conformist view, which is that we should you know not be trying to compel behavior change through fear or shame, but cooperation and and dignity uh of dignified response when an event does occur. Uh, and that has to be reflected by the leadership values.
SPEAKER_04I I I agree completely. Uh a couple things I might add there uh around fishing. Number one, I don't think the goal should be to get people to click. I think we should start with easy, obvious stuff so that it's it's easy to get for them to notice it and record it. Because at the end of the day, I want them to record it. And I think we should slowly and gradually make them more and more difficult. And and the reason is is because we want people not to fall for it, we don't want to discipline people, we don't want people to feel bad about it, but we do want them to get that, for lack of a better term, muscle memory that comes with it. And uh and so when somebody falls for a fishing simulation, if there's really good just in time education that comes at the moment that they realize their mistake, all of a sudden we get uh, you know, uh essentially a human virus definition. They they get this instinct that will kick in the next time they see something similar. And so to me, that's the reason that we do it, but we have to do it in a positive, constructive way. And one of the things that I think we need to do there is tell our users we're gonna fish them, make it a game of cat and mouse. Um, it's so much better than this blind testing where sometimes they don't even know they felt or or they clicked on a fishing simulation. And uh and I I think that's probably uh one of the most critical things that we can do is make sure that they know it was a simulation. Um, make sure they realize their mistake and and that we're teaching them, hey, watch out for urgency or authority or whatever at the moment they realize their mistake. Because to me, that's when, well, not just to me, I mean uh psychologically speaking, that is when we're gonna get the highest retention because there's an emotional response happening.
SPEAKER_05Yeah, your video, your intro video is powerful for a couple of different reasons. And you hit on one point, which was about the um, you know, the assault on the psychology or the cognitive layer, right? It's no longer about the perimeter that we're trying to protect, um, or even about a user's account or their credentials. Um, you know, there's social engineering, there's phishing, and that's why I think it's so important, right? To to when we're thinking about the metrics and what success looks like, that it's continuous. Uh, it's not just a report card that the CISO should you know deliver to the CIO or the board once a year. It's how continuous the uh, you know, that in with tools like AI that we have now, right? It's like how how is AI enhancing the uh aware you know awareness continuously? Um, and that should be tracked maybe more as a uh a metric than the human performance, right? And then the resilience of hey, if the if this does occur, uh our um are um is our organization prepared for that? Like how to respond in a way that protects our data uh in spite of something that looks compelling that a user happens to click on.
SPEAKER_04Yeah, I I I completely agree. And uh and I I really think that we we really have to give a lot of thought to what is our goal before we run a phishing simulation. There are you know risk assessments, penetration tests where maybe you need to do some blind testing, uh, but there's also awareness training. And the vast majority of fishing that we do is part of an awareness training program, and that means that you're gonna go about it a little bit differently, and uh and I and it's not just about tricking people anymore. Um, but yeah, I I I personally when I'm looking at the APIs around it, the thing that I care most about is what percentage of those patient simulations that I send out are being reported back to me. Because that is an indicator of culture, whereas anything else doesn't tell me about my culture.
SPEAKER_05You know, there was another concept, I think I shared this with you in um the planning, right? And to take this even further from a um non-conformist perspective, right? If we're if we're phishing, it's like usually it's the you know, CISO or the security team that is raising awareness and conducting these campaigns against the rank and file and against the uh you know the the individual contributors and the organization. And you know, I wrote uh um you know a blog post and you know in a couple of other places about, you know, we we do these kinds of simulations and even red teaming against our own uh infrastructure, but the leadership is not immune to the to this, uh, right? There's uh I think as much an even greater need to run these simulations and tests against the uh the C-suite as there is against the individual contributors. And so I introduced this notion of um, you know, if cybersecurity is a leadership issue, we should maybe be focusing more time on it, right? What about uh penetration testing our leadership? You know, can can you know, not just their inbox, but can they are they resilient as a team or are there constant uh battles and struggles between the CISO and the CIO for power, which is typically uh something that I see. And if the team can't keep their shit together, we have a bigger problem than you know, are we gonna be, you know, is a user going to be susceptible to a link? So I step back and look at this whole uh broader picture of uh you know, fishing not just the inbox, but the the the leadership uh as well and and pressure testing that.
SPEAKER_04Sorry about that, muted myself for half a second because uh I thought I had it. Um anyway, okay. I want to rewind uh to something that you said a little while back.
Behavior Change With Continuous Prompts
SPEAKER_04Um you were talking about how it has to be continuous when talking about awareness. Um there's an actual formula for behavior change, although a number of them. Uh but the one that I like the best uh comes out of Stanford's behavioral science laboratory by Bog. And it says that if I want to achieve any specific behavior, I have to motivate people, I have to make it super easy for them to do whatever I want them to do, and then I have to remind them about it constantly. Um, and it just says behavior equals motivation times ability times prompting. And it's that prompting, that continuous education that I think is the number one thing that is missed in cybersecurity. We we I've heard so many talks about motivating people that I know that we're talking about motivation, but what we're not talking about is that prompting and that continuous reminder. Because most people are not like you and I. You and I might think about cybersecurity. Security completely on our own, but the average person is not going to.
SPEAKER_05Yeah, I agree. And the the way AI works now, I mean, we have most teams have Slack or Teams or Google Chat. Um, we should see the um opportunity. I think smart organizations are building security bots that present contextual just-in-time reminders, you know, that aren't that are continuous in the sense of, you know, hey, every seven days or every three days, but they're also uh looking at the behavioral profile of users engaging in potentially risky activities, and that person needing more uh reinforcements, if you will, right? Like that person may need five reminders in a day versus someone who doesn't normally engage in risky behaviors, maybe five in a week. Um, so continuous and intelligent and empowered by AI tools right where users work inside of their Slack or Teams or Google Chat.
SPEAKER_04I I completely agree. And I think that's one of the beauties of AI is that we have the ability to give the computer the ability to think like a human. And uh and that's where we can say, hey, be careful. This exhibits some, you know, some behaviors that may be risky. And I I really am excited about those contextual cues because I think that that's gonna do more to drive culture change in organizations than really anything we've done up to this point.
SPEAKER_05Yeah, you know, the and just if if you have end users that are you know looking at leaders who don't care or who aren't going through the same training as them and feel the same struggle, um, they're probably gonna just not be inclined or or care as much to um go do anything more than they need to. Right. So on the incentive aspect, um, you know, if you if you look at this as a measure of incentives, like why should I care to spend an extra five minutes to to you know read this uh summary of why this was a phishing attempt and what I can do to protect myself better. Um, you know, there's there's if you think about leaders lead by example uh of how leaders should care instead of being dismissive both towards risk and towards uh employees, um, you know, I think this leadership style, like the player coaches that are going through it, that are in the trenches with their teams, are going to demonstrate the behaviors. And this is a again a leadership and a cultural issue that um tools can't touch, right? Tools can do great work, um, but they're only gonna get you so much if you don't have leaders that believe in um the what you know that model, the um behavior that they want to see.
SPEAKER_04Well, and I think you need your your cybersecurity leaders. And and when I say that, I'm not talking about your CISO, your you know, your head of the SOC. I'm talking about your head of sales who is really charismatic that you can loop in and make an evangelist for the cybersecurity team. Um, but to your earlier point, it all starts with the CEO. Um I when I was doing penetration testing, almost always we would have uh
Why Executives Must Train Too
SPEAKER_04at least one person in the company who was exempted from it because, well, we don't want to offend them. And uh and I I still see it to this day, less so, but um, I I still see where the you know we're we're exempting people in the C-suite, um, often without them asking to be uh exempted, I I will point that out. Uh, but we're exempting people in the C-suite when they need to be the very tip of the sphere. And the example I like here is the the gift card scam. I mean, we should not still have successful gift card scams happening, but they're still successful in 2026. And the reason they're successful is because the first time that employee ever hears from the CEO, it's in that text message or in that email that they got asking for the gift cards. If that CEO had been the tip of the spear and had recorded a video stating, hey, I will never ask you to buy gift cards or whatever, right? And that was just brought into the onboarding process, that would never happen. Uh, to me, it seems like it's the easiest thing in the world to eradicate, but it's still a very simple, what I would consider to be lazy fish, uh, that is still effective uh in today's day and age. And I just think it's a really great example of why we have to have that top-down leadership because uh the C-suite drives the culture. And uh and if they're not driving that culture of security, um ultimately they'll end up regretting it.
SPEAKER_05Yeah, with without a doubt. I mean, I've had a number of consulting clients, and like you know, when it comes to like AI tooling choices, for example, uh, you know, where um, you know, one person in the C-suite is allowed to, you know, use a you know, an unapproved tool, um, you know, maybe from a vendor that hasn't had a SOC2 report or whatever the case may be. And everyone else, you know, is expected to follow a certain pattern. And you know, it's it's a um a situation where there shouldn't be any kind of curiosities or questions around why uh security performance is uh rising, like increasing and improving, or it's declining because it's you know, with with leadership, with architecture, with zero trust, you know, I've heard it said that there's you know, there's a third kind of company that there's a company that's been breached, a company that who hasn't been breached and who doesn't know it. And then a company, the third kind of company is a company that won't get breached. And it's one where um you know it's just is the philosophy uh represented in the architecture choices that are made and the you know way that leaders and end users uh stick to their standards and their policies and model the behavior and uh um you know that makes data breaches optional, you know, to be provocative or or uh you know, as a point of conversation, right? Is I think the the um you know the phishing, the vulnerabilities um are all something that we're aware of, but how much time and effort and resources that a company wants to invest into making them optional is up to them.
SPEAKER_04Yeah,
Bad Design And Systems Thinking
SPEAKER_04I I don't disagree. Um pivoting uh a little bit, um I I thought I saw somebody in your book about bad design. Um and I I want to get into that a little bit because I I also um really think bad design is one of the biggest obstacles to truly secure organizations myself.
SPEAKER_05Yeah, I mean to to create the illustration, I mean there's this idea of the the Ruben vase, right? That uh if you it's this picture of like a figurine uh of horses on a face on two sides. Um, but if you um you know defocus, then you you know you may just see a figurine, but if you um the way you focus, you're gonna see two faces of horse, uh, you know, two horse faces. And it's one where are you you can't focus on the foreground and the background at the same time. Uh that's the exercise of the Ruben vase. Sometimes it's a picture of people, and you know, you get it's in black and white, you know, so it plays a mind trick on your eye where you're either drawn to see um, you know, like a figurine or picture of people. And the design, you know, when it comes to design thinking or systems thinking, is that you have environmental considerations that you, you know, organizational design, uh, organizational structure. Uh uh, and to put it simply, I've stated, I've said in the past that I, you know, I believe that technology is simply a manifestation of the values and beliefs of the leaders. And if there's a data breach, right, that's some reflection of how some cybersecurity leaders, you know, might value returning uh profits to shareholders versus investing in modernizing their uh consumer identity and access management system. So it's about, you know, design thinking to me is about the trade-offs between share, you know, the needs of shareholders, the needs of end users, the needs of um customers. And it becomes apparent, right, where the priorities are, um, but not, you know, you know, I take the you know, position in the book that you shouldn't just pin all of the problems onto the CISO or complain about uh the end users all the time. If you're creating an environment that's toxic or that doesn't empower users uh to um think or function more securely, then they aren't the ones to blame. At some point, you know, it just comes full circle back to this idea that leaders are creating the environment for their employees to either succeed or to fail. And that's an opportunity that they should take more seriously, right? So I create a framework um that maps out strategy, governance, uh economics, and tech eventually technology. And so to me, the design thinking follows that pattern, it uses you know, for um a reference like the the McKinsey 7S model or a balanced scorecard approach. And I just created a um a variation of that for for my own thinking to help me look beyond and even reverse engineer uh um technology, right? Like where did we get here? Um, and if you think backwards, right? Um strategy informs politics uh or or governance. Uh politics and governance informs economics, and then the economics informs technology. So that's the kind of systems thinking, it's multidisciplinary. Uh, it traces back to alignment across um uh team boundaries, across program boundaries, across business units, all the way back to uh the founders or the executive team that set the strategy into motion.
SPEAKER_04I I like it. The the one thing I might I wouldn't say add to it, uh, but just uh mention is I think the most critical part of design is about the end user.
Passkeys And Change Management
SPEAKER_04When if we want users to do anything securely, uh there is one fact that we have learned time and time again in cybersecurity, and that is that if the most secure option is the easiest option, that's what the user is gonna do every single time. It becomes the default. And so um I think we have to think about how easy are we making this for the end user? And that to me is the reason that I love pass keys, because we took something that was annoying and difficult for users, like passwords, and we replaced it with something that's easier, like biometrics. Um, and that is how we drive to me better cybersecurity out of our users.
SPEAKER_05Yeah, I I totally agree with that. However, the the the thing you have to keep in mind is that there is a uh a learning curve, and it won't it doesn't necessarily get easier immediately.
SPEAKER_04Like for me with passkeys, you know pass keys were a bit of a an implementation for us too.
SPEAKER_05Yeah, even on in users, like I needed to like think where do I store these? And you know, I I set up my uh password manager to be the vault for those. And I you know, it's something I needed to pause, like you know, pause and slow down and think about before I'm presented with like two or three prompts a week now. Do I want to save my pass key for future use here? And I'm like, at first it's gonna throw users off, right? And I think that's part of the training that it, you know, easy doesn't always mean the fastest solution. But after you learn a new way of doing something and it becomes uh a routine or or firsthand because you've done it five or 50 times, um, that you know, it's if it takes three or five extra seconds, um, it's still an easy task because you know, it doesn't take 30 seconds and it doesn't take one second, but five or for five or ten seconds for you know, making sure you save your pass keys in the correct location for future use um is a good investment of time, right? That secures you and sets you up for in your organization up for success.
SPEAKER_04Oh, and and you're right, without a good change management uh program around whatever it is you're gonna be pushing, it'll fail every single time. Um, because users have a knack for misunderstanding things. You know, one thing I found interesting when I did penetration testing, uh, if we ever got caught on the fish, it wasn't because some user thought that, you know, they were gonna report it and they they saw it as suspicious. It was always because they had questions and they didn't understand something. So they forwarded it to somebody internally that we didn't want to see it. And uh and I think it just goes to show that you know if there's if you've got a hundred people and there are a hundred different ways that you can interpret that, chances are you're gonna get at least 99 of those out of your 100 people. So that uh, you know, that change management really does help to uh to you know calm those that anxiety around your user population.
SPEAKER_05Um and in smaller organizations, that I mean that is kind of a it could be a scary term, but you know, to put it simply, it it could be a call to just communicate clearly and regularly versus assuming that's a great way to start, right? I mean, there there are more programmatic ways to like with ProSci and uh measurement and you know to implement change management at a program level. But the first step is to just this, you know, take assessment of your the clarity of your communication to your peers and to your teams and uh get a report card on that. Uh, because if you don't communicate clearly, um that could become a uh an obstacle to whatever kind of uh security measures or changes that you're trying to implement.
SPEAKER_04Yeah. And if you've got communications or marketing, let them help you. They're really good at communications. So um, well, hey, we are out of
Where To Find The Book
SPEAKER_04time today. It's been an absolute pleasure having you on the show. Uh, where can they find your book?
SPEAKER_05Well, there's a link and uh even a way to have a conversation with my book at stevettout.com. My digital twin is there. Uh, there's links to the book, there's links to some articles that I write for CIO, and um more information about me is there as well. And on LinkedIn, if you want to just look up Steve Taute there, I'm on LinkedIn as well.
SPEAKER_04Very cool. First time I heard the idea of the ability to talk to a book, but with today's day and age and agents, why not?
unknownI love it.
SPEAKER_04All right. Well, thank you so much. You have an amazing day.
SPEAKER_05Thanks, Joshua. You too. Thanks for having me.
unknownThank you. Bye.