Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Phishing For Answers
Phishing 4 Answers: Jay McKickle on Extreme Cyber Defense
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
When your office ranges from the bottom of the ocean to the vacuum of space, cybersecurity is about protecting life and critical infrastructure.
In this episode of Phishing 4 Answers, Joshua Crumbaugh sits down with Jay McKickle, Chief Information Security Officer of Oceaneering. Jay is responsible for the digital resilience of a global leader in subsea robotics, maritime technology, and aerospace engineering.
We dive into the complexities of securing operational technology (OT), managing global supply chain risks, and the unique challenges of remote-piloted offshore operations. Join us as we explore what it takes to defend a technology stack that operates where others can't follow.
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Psychology First Security Mindset
SPEAKER_00Psychology is the new firewall where human insight trumps every trick. We're not hacking systems, we're hacking behaviors, so you won't click. No complicated code, just try it in true brain science at play. Social engineering for good. The best defense is in your mind today.
SPEAKER_02And the first test on the bad guys that are determined to end from the 50 target to the 50s.
SPEAKER_01The views and opinions expressed on this podcast belong solely to the hosts and guests, and don't necessarily reflect those of their employers or sponsors. But this is a conversation, not a custom consultation.
SPEAKER_02Get ready.
SPEAKER_04Hello and welcome to another episode of Fishing for Answers. Today we have Jay McMickle. He is the CISO over at Oceaneering. But I'm sure I can't do you justice. Why don't you tell us a little bit about yourself here?
SPEAKER_03Sure. Jay McMickle, uh recently at Oceaneering, been here about six months, uh starting kind of reshaping the program here. Um been rolling gas for about 15 years, um, couple different industries, different uh lines of product, um, different threat landscapes. So uh really happy to be here. Thank you.
SPEAKER_04Awesome. Well, okay, so you mentioned that you've only been there for six months.
New CISO Surprises And Governance
SPEAKER_04I know uh when you start as a new CISO, uh there's often some things that surprise you. Well, what was your biggest surprise there, if you don't mind me asking?
SPEAKER_03Um I would say uh maybe a lack of governance. Um the fact that you know policies were there, they were in place, they weren't really read quickly and easily accessible, regimen wasn't put in place, people weren't really relied upon to enforce them. Um we have uh you know lots of we have a government side of our business, which is tightly regulated. We have our commercial side of our business, which is thought to be regulated as well, but we kind of saw some some gaps there. So that was one of the things I was easily able to step into and say, hey, you know, we we need to really start focusing on some of these things. We have policies, maybe it's time to update those policies, modern that modernize those as we modernize the technology that we use to enforce them.
SPEAKER_04Awesome. So this podcast, uh, the the whole goal around it is identifying and building a bigger, better framework, if you will, around the human
Making Leaders Care About Cyber
SPEAKER_04element. Uh, it's part of my social engineering for good uh, I guess, initiative. So, one of the the new questions that uh I'm starting uh to ask every episode is what is the best sort of mental hack that you found throughout your years to really get people that don't care about cybersecurity to engage and care a little bit more?
SPEAKER_03Great question. Um there's no there's no silver bullet, unfortunately. There's not a prescription that someone can write that says this is the way to do it. Um, I have tried with uh meeting with the business, um, aligning to become a business security partner with the business so that they understand what we're trying to do, what speed we're trying to do it at. Um, I've tried showing different businesses, the statistics of what the threat actors try to do, what we do, when people do try to make it in, how we're using controls to keep them out. Um, training and awareness, phishing training, stronger controls, um, you know, MFA. There's I would say six to ten top ways that we try to integrate with the business and kind of get them to understand our direction and what we're trying to do. And it's not even a one-time visit. It's a I would so I meet with SVPs once a quarter, and I kind of let them know hey, here's some of the statistics of what we're seeing, here's how many threats were stopped, here's how many logs we're getting, here's how many people it takes to do this. By the way, some of these each of the in individual businesses, maybe one business may be more of a concern to us from a cybersecurity perspective than another business. And when we had kind of have those in the same room, like, hey, business A, you know, this this week you had, or this this quarter, this month, you had this type of threats brought to us from your particular business unit. And they're like, Well, wait a minute, how do we do better? So I have found that having the SVPs align and having awareness around where they compare against the other portions of business seems to help us the most.
SPEAKER_04That makes makes perfect sense. And uh one of the things that I like that you you said there was you know, showing them how many attacks that have been blocked and just how big the threat actually is um against your specific organization. Um so the foundation for this whole thing is uh, oh, I guess the foundation for the framework is a behavioral science uh principle and formula that was developed out of Stanford University's behavioral science lab, excuse me, uh, by a guy named BJ Fogg. And uh and what he said was that if we want to change behavior, we have to have motivation plus ability plus prompting. And if we lack any one of those, we're not going to be successful. And uh and so I I bring that up to ask if that sort of, I don't know, triggered any thoughts uh as I mentioned those three different ingredients.
SPEAKER_03Uh it does. Um, a lot of the training and awareness that we do for fishing, um we have uh some guidelines that when we do our fishing and training awareness programs, if they click on the link, um then they've got to go back through the training and awareness program, which is not always well received. Like I was busy. Well, that's you know, that's how they get in, right? Um, so the training awareness program works really well for us. We've had people that have pushed back on us. Well, I'm not doing the training, or I didn't mean to click it, or I didn't click it. So, you know, us having to prove that they actually did um click it was actually surprisingly a big task that we did finally accomplish. Um and then on top of that, um, if they do it more than three times, then it goes to HR. Um, so having HR and legal backing on uh backing that on us, and some of the um reprimand that come out of that is uh you know, it can be a write-up in your in your in your actual formal uh documentation with that company. Um it could be loss of internet access, it could be limitation to your job, and it and or it can't could lead to termination. So I would say legal and HR really backing us has really helped us a lot because before they were like, hey, I'm just a hammer chair doing my job. You can't tell me what I can and can't do. So strengthening those policies, modernizing them, defining what one of our assets is, what the asset is intended for. Here's the repercussions for going outside of that, putting in guardrails on helping the users to enforce what they do on our particular assets and having legal NHR back us for when there is one of those guardrails that are tripped. It's kind of in a kind of a full circle 360 uh ecosystem that's helped us.
SPEAKER_04So I I guess with that, I've got to ask the question because those sounded a little bit heavy on the stick. Uh carrot versus stick. If you could only pick one, which are you choosing? I'm gonna go with carrot. I'm definitely a carrot person.
SPEAKER_03Okay. But you know, sometimes sometimes it doesn't always work. Sometimes people, you know, their actions versus um intent sometimes differ. Could be um busy, could be that you're not gonna tell me what I can and can't do. Um, you know, you I'm sure you're aware of kind of what we do, and we have, you know, we've got employees in you know dozens of countries, um, different languages, different ethnicities, different backgrounds. So we we have to combat those, and we have little localized HR that help us with that. And we start with the carrot. Um, I don't think we really ever follow women with the stick, so to speak, but the carrot definitely helps and try to get that business partnership and help them understand why we're doing what we're doing. It's not just something for us to do, right? There is a legitimate reason, and sometimes when we show them some of the statistics for people trying to get in and what they've done in other industries and other businesses, and businesses that have crumbled, you know, you don't want to be the guy that's holding the carrot in your hand and also the stick, and you haven't done anything.
SPEAKER_04Uh yeah, that that's that's fair. Um, okay, so uh I'm gonna tell you a quick story. So I've got uh close to or a little over two million users, and uh and one of the things that I've seen, and it's happened multiple years in a row, um, it seems to be the the same number every year, um, but it's a different user. And what happens is that I've got these users that are my biggest chronic clickers when they first come out of the system. And basically, the more they click, the more frequently they're gonna be fished until their susceptibility drops, right? And so we can rack up some really high fish clicks over the course of a year, and uh and the record has been uh tied at 11 clicks for the past four years in a row. And what I found interesting is that when I follow up on these users who, you know, scored the record for the year out of all of my users across all of my different companies, they are the ones that clicked the most. Uh, that year two, year three, year four follow-up, uh, well, I guess the year three follow-up. We aren't haven't done the year four follow-up yet. Uh, it's always they are one of my not most secure users, but they're not a problem anymore. They're not a chronic clicker. Uh, if they get any clicks that next year, it's one. It's not 11. It's not even three. Um, and one thing that stood out to me about that was that it seems like people almost have to build that muscle memory, uh, or what I like to call human virus definitions. And some people are just terribly susceptible, and they have to click on each and every different type of fish to learn. One mistake doesn't really help them because, well, that was a Facebook fish, and this one's completely different. It's Microsoft. Um, have you seen any of that?
SPEAKER_03No, I would say we've got some pretty good fish training in place. Um, the fact that there is a repercussion, um, the fact that we do have, you know, messages and links that are within our emails that let them know, hey, by the way, this is an external email. Those type of those types of awareness and banners do help. Um, but I think that the muscle memory, like, man, I really do not want to go through that training again. They have started to look, they've started to take the techniques that we give them in those videos, but they're still, you know, oh, that looked legitimate because they're getting better, right? AI is getting better. They're not, you know, people from certain countries writing these anymore. They've got AI, they've gotten really, really good. So we've got to have, you know, on top of that, we've got to have even better training. So um, I would say it's got that muscle memory is there, um, but it's always a new user, it's somebody that's extremely busy. Um, you know, it's the typical characteristics of a person that clicks on a fish, is still what we're up against.
SPEAKER_04Yeah. So going back to that formula, I feel like we all do pretty good on motivation. We we understand what motivates people. We do try to tie things back to their family, their income, their ego, um, the different things that that help them. Um, I I finally see our industry spending more time and ability, but we'll circle back there in a minute.
Prompts That Build Daily Habits
SPEAKER_04Um and I I like that. Uh, but prompting, I I feel is most often the weakest link. And uh and basically what it says, the formula says, is that even if we make it real easy for them and we've got them really motivated, if we don't remind them constantly, they're not going to remember it. It's not going to stay front of mind. Um, what are you doing for that continuous prompting, if you will?
SPEAKER_03Uh so we approach it in a couple different ways. During town halls, we mentioned it, global town halls, IT town halls. Um when we so our screensavers pop up, they have you know cybersecurity messages around clicking links and you know, telgading and nature. Integrate everywhere. I love it. Uh SharePoint, you know, so our internal web page or SharePoint page, our messages that go out. It's uh you're right, it is a constant, you know, remind, remind, remind.
SPEAKER_04Oh, you you have to. I mean, people like you and I, we think about cybersecurity on our own, but that's our job. That's literally our career, that's where we make our money. For that guy that works on the deck of an oil rig, he does not think about cybersecurity on his own. He's gonna have to be reminded, he's gonna have to be prompted.
SPEAKER_03Yes. Um, and those guys, you're right, they are what I would call removed from the corporate office. Um, they're not constantly reminded, right? And they don't always check email, they're not always getting a screensaver prompt because they may be on a an oil rig or a vessel or somewhat where they've got a shared PC, so it's not constantly in their in their face. Um, where we do publish our message of the day, if you will, on vessels, you know, in the in the in the kitchen. You know, we do put up posters, we try to make it fun, try to make it entertaining. Um, we've done things where they have like, let's say uh at a at a holiday party, right? There's a white elephant gift. One of them is actually a fit uh fishing link. So when you open the gift, you're like, ah, you just got fished. Dang it, right? So just trying to make it fun and not making cybersecurity such that carrot stick, right? More than not, you know, less of the less of the stick, more of the carrot. Um, making it fun, making it like, oh my god, man, this is all right, okay, okay. But I think the competitive edge also, and where one SVP may compare themselves to another SVP with maybe a click rate, or you know, cyber cyber statistics of events and logs and of things that may have progressed within their environment has really helped us that we also have the SVPs when they have their individual meetings. Hey, we're doing good, we're doing better than um you know, this other particular um part of our business where we're we're here, here, and here. Cybersecurity says thank you, right? Yeah. How often do you and I've never been in any other place that you've gotten that type of type of message. It's more like less of the carrot, more of the stick, like, hey, you're doing this, versus we're saying, hey, you're only doing this. Yeah good job. And by the way, you're number two in the company of your for your particular business in this particular area, to where people are like, I want to keep doing good. I want to stay on the I want to stay on the dean's list, right? So that is helpful.
SPEAKER_04Absolutely. And you know, I don't believe in leaderboards uh directly for the individuals. I mean, leaderboards, sure, but you know, wall of shame and whatever telling them what the bottom uh you know rankers are uh when it comes to individuals. But when it comes to departments, when it comes to divisions, I am all about it because that svp is not just the one individual. It's not them that's showing up there, it's their whole division that's showing up there. And I think a little bit of that internal camaraderie is is can be very healthy. Um, I have seen it get very unhealthy very quickly, where the, you know, some SVP that doesn't really understand um psychology, behavioral science as well, just goes very punitive, like, guys, you're not gonna make us look bad. And uh, and all of a sudden it backfires a little bit too. So I think you have to be careful. Uh, but that's just a matter of coaching when you're you're building those internal champions, you coach them on how to work with their team.
SPEAKER_03Well, a lot of our SVPs, they're positive influencers, they're not negative influencers, which is what you're talking about.
SPEAKER_04Yeah.
SPEAKER_03Um, and they're like, hey guys, we're doing great. We may have had this mess up, we may have this happen, you know. Um, but hey, we're doing great, let's keep it up, let's keep moving forward, we're keeping the company safe, we're keeping the company profitable. Um, you know, let's just keep doing it and they just move on, right? And people hear those, but you don't have to stay on it and harp on it and drill it down. You kind of just briefly mention it, and it shows alignment, and then they hear it over here, and then they come to a town hall, then they see it on an email. Like, man, when you have the CEO that stands up at an IT town hall and says, Thank you, cybersecurity, y'all are doing a great job. We really appreciate y'all aligning with us and helping us and being a business security partner. That really resonates. And then it comes to the SVPs, then it comes to, you know, it just kind of flows down to where we all we're all on the same team, right? Oh, yeah. Yeah, want you to be safe. I want cybersecurity to help with that safety. I want to continue doing business, I want to help doing our partnerships with our businesses and our our users. So, like I said, that whole ecosystem really works well when it comes from the CEO.
SPEAKER_04Oh, yeah, it goes back to being business enablers. When we're business enablers, we don't get the all the kickback from the rest of the organization, like, well, uh, so many uh of us did, I don't know, a couple
Making Secure Behavior The Easy Default
SPEAKER_04decades ago. So okay, so let's move over to ability um just for a second here, because I think that's another really critical element. And and basically it says that no matter how much we remind people, and no matter how motivated they are, if it's too hard for them to do it, they're not gonna do it. And so one of the things that uh we've done for Ability is started delivering all of our awareness videos directly to the user's email uh so they don't have to go anywhere and log in. We keep them very short, uh 30 seconds or less. And the idea was that we didn't want a doctor to have to choose between doing their training and saving a life. We wanted them to be able to do it on their cell phone, walking between patient rooms. Uh, but I think the doctor is the extreme case here, and it goes way beyond that. Um, now I I bring that whole thing up to ask, what have you what are you doing to make it easier? Because I think that's one thing our industry is finally figuring out is that when we make security the easiest option, it becomes the default option.
SPEAKER_03Yes. Uh so we used to do it, it was like a 45-minute training, 45-minute training. We had to do it once a year. Um, now again, we have two separate businesses, right? Whether the government side or commercial side. Um government side is a little more tightly regulated, their training has a little bit more frequent, um, and that the two environments are air gapped. Um, but from a high level, and just in just uh talking in average median here, um, we would take those trainings and break them up, right? So now they're more like, you know, maybe they're nine to five-minute videos, and it may ask one particular question. I don't give the keys to the kingdom over here, but it may ask one particular question like, you know, what color shirt was Bobby wearing, right? So it's not just the material that they are listening to and that they're repeating and reciting. Okay, do this for an email, look at this, and look at here over here. It's more about, you know, broader picture. Bobby was wearing a blue shirt, and they even made a joke about Bobby and his blue shirt and how the email was blue, you know, just resonating and pulling something together. And then rotating it, right? So Bobby shirt's not always blue. Maybe it's green, maybe it's yellow. So the users don't really learn how to game the system. They don't really oh, if I want to ask you, it's it's it's the shirt's blue, right? That was particularly helpful as well. But breaking the training up and making it smaller, um, and giving them, you know, let's say three months to complete, you know, nine five-minute videos. If you want, you can just knock them all out consecutively, one after another after another, and just knock them all out. But you've got a longer period of time, and each of those videos that they do break it out over a longer period of time, have carryover and overlap. So it's kind of a reminder of the first one they watched, is in the second one. The third has pieces of number one and number two in it. So they're really just getting the same video from a higher level, almost over you know, a period of nine video courses, they're getting a lot of the similarities amongst it. So if they do break it up, which they always choose to break it up, they're just getting reminded, you know, every two or three weeks of the same training. Okay.
AI Guardrails Sandboxes And Shadow IT
SPEAKER_04Um so I I guess uh the one thing we really haven't talked about yet, which I I think is really critical now, is AI and how that's impacting everything from a user and awareness perspective, from a policy perspective. Um just talk to me a little bit about what you're doing there because AI is here to stay, and the users are going to use it. Um, so uh what what do you do to help mitigate that risk? What are you doing around policy? Uh just the the gauntlet there.
SPEAKER_03Sure. So we've got a we have a uh a CDO that runs our AI program, and he and my GRC team have worked together to create some AI guard AI guardrails. And so we have AR governance, we have some guardrails, some policies. Then we built my my uh my architecture team has built some security reference architecture, kind of a blueprint for if you want to build an agent, you want to build an LLM, you want to implement MCPs. So the different types, here's a blueprint. So it's kind of like you pulling up saying, Hey, I want a four-bedroom, two bathhouse, two-car garage. We have that, right? Here's your format, here's your controls that you need, here's your format, your sorry, your uh your foundation for what you need to build. So kind of giving them that, you know, number one, number two, number three, number four, give them some options that are the options that work for you, work for your environment, make risk assessments extremely fast. They know exactly what they need to go get. So when they're talking to you know partner A and hey, we want to do this, and they say, Well, here's your recommendation, they can say, Well, here's my blueprint that I need to follow. Do you guys have these controls embedded within your within your platform? So when Mythos pops up, hey, we want to, you know, we want to use this, we want to leverage that. Well, does it does it meet the the guidelines? Does it meet the framework? Does it meet the does the governance gonna align with this? Yeah, and just building that muscle memory and giving them the the boundaries to stay within has ex has helped us so much. Now there's the other 50% that don't follow that or want to be early adopters or want to get into the yeah, I was gonna say that's great for the developers.
SPEAKER_04What about the project managers that just found out that they could write code?
SPEAKER_03That's a whole nother area that we have or we're still working on. Uh unfortunately, I can say we haven't completely solved for it. Um, but giving them a sandbox to go play in, putting controllers on the sandbox, giving them you know not real data, taking scrubbed or masked data, um, sticking it in a in a in a repository and let letting them run at it or learn at it, you know, so they take those findings from a POC before they move it into production. That's kind of our direction that we're trying to move with it. So, hey, you want to play, go play. But you know, let's put you in this room, let's give you a certain feud number of toys, see how it works, see what it does for you. And then as you graduate from the POC and you want to go to production or dev test prod, let's see how that though those governance and all the regulations and rules and everything that we need you to do. Otherwise, we need to evaluate what you're what you're doing, how you're gonna be doing it, and then it goes down into a whole nother level of um, you know, is it PII data, is it SOX data? Um, what you know, is it restricted confidential data? Like, so we got to get our data, our data sovereignty team kind of built into that and like get them included and involved and see what's going on there. Then we gotta look at countries. So it really does start to spiral, but it does have it does have a lot of um questions, which brings me to our risk assessment that we are redoing our we've revamped our risk assessment program um to start including data types, data locations, countries, PII data, um, and we have POCs that allow, you know, that kind of trigger some of those typical elements that they want to do. And it's really starting to work.
SPEAKER_04Okay. Well, that that's awesome. I know that that's something that everybody's dealing with a lot. And I pick on project managers because you know, every company has uh quite a few typically project managers that have been asking for a tool for a very specific problem. They've never gotten approval for the tool, and now they can write it. Um, and I gotta say, I've seen some very, very impressive stuff uh that that have come out of project managers. Um, so I think there's some value there, but then you've got all the concerns about architecture, um, you know, because it they're not technical, they don't necessarily know how to build these things securely from the ground up. And unlike the development team, they don't have access to the CI CD pipeline.
SPEAKER_03That's correct. And so that's funny that you do mention that. So some of that CI CD pipeline, some of our SDLC and our app dev and our app sec and how they want to do things, and they have you know developer laptops, they're isolated, they're sitting, you know, in an enclave. So we have some some garbels around that. And people not understanding that those are developers, and I'll use your example. I'm a project manager, but that developer over there has the ability to do this. Why don't I? He's a developer, right? So trying to find that middle ground of like, hey, you want to play? You know, here's our playground, go playing it. Yes, and quickly they want to get out of that playground because it has too many restrictions, it's not real data. Um it can be a challenge, but risk assessing, understanding what they're trying to do, flagging risk, and you know, raising the exceptions as needed, um, has really brought awareness. Now, does that stop Shadow IT? No, not really. Does that mean they're not gonna do something at home and try to bring it back into the office once it's built? Not really, right? But different controls on our endpoints do help with that. Um but you know, where there's a will, there's a way, right? They're they're always gonna keep trying. So back to the advertising, not just phishing emails, but cybersecurity and you know, locking your screen. And um we we have a program in which we try to encourage people. Hey, you want to do something? You want to be a developer one day? You want to be uh you want to code an AI, you want to learn AI? We can help you with that, but come work in our environment where that's is expected and we want you to come play so that we are working together as business security partners before you go off and create something and is taking our real financial data and uploading it to the internet, and you know, then we have an issue, right? So you don't want to be the guy that stood there that let the guy through the door, but you know, be proactive and be with us so we can part we can partner.
SPEAKER_04Yeah, you know, I like that you said advertising because to me that's what I see all of uh security awareness, and I say that really with almost fair quotes around it because I I think there's a lot of evangelizing that is far beyond just security awareness uh that that you end up having to do. But uh regardless, uh I like that you said advertising because I've always seen it as advertising to our users, and that's actually where our inspiration came from. Well, let's make every video under 30 seconds, let's hit them at least twice a week. Um and we started doing some things like that, and it's amazing you can uh email users or have them watch a 30-second video every uh single week of the year, and you're not even taking up 30 minutes of their time uh on average. So it's it's a really, really you know, great way to get keep people uh engaged. And I I truly do see it as advertising because it's the exact same goal. What do advertisers want to do? They want to influence your decision making uh so that at the time you're ready to buy, you choose them. I mean, well, we're trying to influence users' decision making. So at the time they're ready to click, or whatever it happens to be, they stop and and they think about you know the the cybersecurity team and their role and the responsibility in it.
SPEAKER_03Yeah, and we do things uh uh just just not just training, but so we do um you know physical uh and socialization type threat hunting, if you will. Um, you know, so we do tailgating exercises. Okay, yeah. We do uh socialization uh where we try to, you know, social engineer, um, not I mean not just a user, but our help desk. Um we have them checking to make sure that they're going through the right protocols and somebody said, Oh, well, I don't have this, I don't have that. Well, no problem, right? Or we have we have our users now like, hey, can I get your phone number? Let me call you back, you know. So just because you can, you know, you can uh you can obfuscate, you can mask your phone number to look like it's coming from something else. So people really don't know, right? So we're like, hey, if you're in doubt, hang up and call the main number and ask to get to that back to that person extension. We won't be upset. Um, they slow you down 60 seconds, but you don't want to be the person that let the guy
Deepfakes Trust Your Gut AI Defense
SPEAKER_03in the door.
SPEAKER_04Well, and and I mean, in today's day and age, with deep fakes being the regular, almost every CISO I talk to has seen deep fakes already, um, which we've got very little time. But when I get done, I want you to tell us if you've seen any and and maybe a little bit about it if you can. Uh, but I mean, I I I think that it's policy and procedure, more most specifically procedure, that will save us in the day and age of deep fakes, because that's the one thing they can't get around.
SPEAKER_03Yeah. And it all it takes is second validation. It's like coming into a website, you got MFA, right? So if you got somebody, you're getting a feeling or something just seems off, it's okay to hang up and call back.
SPEAKER_04Yeah, that's why the number one thing that we teach our users is trust your gut. Uh, because I've never been in an incident where the person doesn't say, Well, something fell off. I should have known better. They always, always say that, which tells me that if they had just trusted their gut, we could avoid most cybersecurity incidents.
SPEAKER_03Yep. I have the same thing. I reach out to a user, hey, I'm following up on this request, they're like, Why is this C so contacting me about a ticket for my developer laptop? Do you mind if I'll call you back? Absolutely not. And they'll call back, okay. I just want to make sure this is good. I'm like, you know what? You just pass my test, right? I mean, that's that's great. You need like swag to give them for that, you know. You say that I actually do that in my in my team meetings. My my my all hands I do once a month. I hand out uh a hand out swag.
SPEAKER_04Nice. Well, I mean, it's very effective what a ball cap or a t-shirt can uh do for you know just people's mental uh state and and drive.
SPEAKER_03Yep. And one last thing, uh you asked what we do for AI, and uh we talked about AI governance and um you know guardrails. And AI is here, it's not leaving. So uh we battle AI with AI. Um, that has been our kind of our new push here lately. Is when you have to. Yeah. So I mean they're moving fast, we've got to move fast, right? And uh we have seen some dramatic in improvements in the past six weeks with some of the AI initiatives that we're doing and some of the AI security tools that we're using. Um I am impressed. Yeah.
SPEAKER_04I I I agree. I think that it's the first time that we have an opportunity to level the playing field, but it only levels out if we fight AI with AI or fire with fire or whatever you want to call it.
SPEAKER_03Yes, I love it. It's it's been it's been amazing. The the stuff that how fast it can correlate, you know, something it takes four hours for a SOC engineer to correlate and it's done sub 60 seconds.
SPEAKER_04Oh, yeah. I mean, I I asked an agent to start a task this morning uh that would take a normal human probably six to eight weeks to get done. Uh, and when I started the call, it was already about 50% of the way there. So it's just ridiculous. And and I mean, and it's ridiculous the fact that we can be on calls talking to each other on a podcast and have these AIs out there working for us and just getting so much work done, it's insane.
SPEAKER_03Yes.
SPEAKER_04Gotta love it. Well, hey, thank you so much. It's been a fabulous episode, and uh, I'll have to check in uh with you again next season and just see how things are going over there at Oceaneering.
SPEAKER_03Please do.
SPEAKER_04All right, thank you. Have a great day. You as well. Thanks. Bye. Bye.