
Episode 23

Building a Culture of Security in the Age of AI Deception


About This Episode

Podcast Episode 23
March 3, 2026 - 52 mins

We all say security is important, but does our behavior reflect it? In this episode, we explore what it really takes to build a true culture of security inside organizations.

Traditional awareness training and phishing simulations often feel surface-level and at times punitive. So how do we move beyond compliance checkboxes to meaningful behavioral change?

Joining us is Robert Siciliano, cybersecurity leader, speaker, and creator of the Strategic Human Firewall™. Robert shares how AI-driven social engineering, deepfakes, and synthetic identities are bypassing technical controls—and why the workforce is now the most critical line of defense.

We discuss:

  • Why security culture starts with mindset
  • The “Human Blindspot” and the instinct to trust the familiar
  • Shifting from “I trust what I see” to “I verify everything”
  • Turning security awareness into true security appreciation

Episode Transcript

Cole French:

We all know security is important. Critical, in fact. As we’ve discussed on this podcast, security is also hard and it’s driven primarily by the culture we set, and building a security culture starts with how we train and teach those in our organizations who are responsible for security, which is all of us. Join us for today’s episode where we talk about building a culture of security through our training and awareness programs.

Welcome to the Cyber Compliance and Beyond podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.

We all care about security and we want the systems we use to be secure. Like so many other things in life though, we have to question how much do we really care? True care must be accompanied by meaningful action. Without meaningful action, care is just a form of lip service. A challenge facing most organizations is building a culture of security where the care we feel towards security is equaled by the actions we take to ensure security.

How do we build such a culture? We’ve all been part of annual security trainings and phishing simulations. I think most of us would agree these are surface-level attempts to build a culture of security. Their biggest flaw is that they emphasize negative thinking, and in the case of phishing simulations can even feel punitive to users. In other words, they don’t help us understand why security is important, nor do they extol the benefits security provides us and our organizations.

Joining us on today’s episode is Robert Siciliano. Robert is a speaker, author, and cybersecurity leader focused on advancing a new model of security awareness built for the age of AI-driven deception. He developed a strategic human firewall methodology to address what he calls the human blind spot, the natural psychological instinct to trust what feels familiar. As AI-powered social engineering tactics increasingly bypass technical controls, Robert emphasizes that the most critical line of defense is the workforce itself. His approach shifts the employee mindset from, “I trust what I see,” to, “I verify everything,” equipping organizations to defend against deep fakes, synthetic identities, and other human-centric attack vectors where traditional security often fails.

Moving beyond compliance-based training, Robert bridges the gap between security awareness and true security appreciation by demonstrating how strong security habits protect not only organizations, but also employees and their families. He helps cultivate intrinsic motivation, lasting behavioral change, and a resilient security culture.

We hope you enjoy this episode.

Robert, just want to thank you for taking the time to join us today to talk about something that I think is pretty prevalent in a lot of our organizations, which is user behavior, and we’ve talked about it a lot on the Cyber Compliance and Beyond podcast. More, I guess, on protecting your systems from vulnerabilities and unauthorized access, but I think today we’re going to talk more about user behavior and, in particular, you’re going to introduce us to this concept of the human blind spot. So if you want to take it away, explain what that is and why it’s the number one reason security programs fail even when the technical implementation is strong.

Robert Siciliano:

Yeah, so I don’t know that most people fully grasp just how vulnerable we as humans are to a very small percentage of the population that mean to do us harm. And what I mean when I say that is in the course of my life, and you can do your own research and I think you’d come to the same conclusions as me, is that I’ve come to the conclusion that about 97% of all the people that you will ever meet in the course of your life, 97% are worthy of your trust. Which means that they’re basically good, that they have good intentions, that they don’t essentially mean to do harm. And while that 97% occasionally deceive, they occasionally lie, they don’t necessarily have bad intentions. Whereas about 2% to 3%, and I mean of the world’s population, are what the medical communities would call antisocial personality disorders, sociopaths, psychopaths, basically hardcore narcissists that their intention is to do harm. They are the wolves, we are the rabbits. They are the lions, we are the gazelles. And that 2% to 3%, they make a lot of noise. They’re the reasons why we need security.

But the problem with that 2% to 3% is that that 97%, we generally are just not prepared because of our biology. And what that means is we possess, and I’ve been doing what I do for all of my life, at least 30-plus years professionally, but ever since I was a teen, we possess what I consider the human blind spot, as you mentioned. Essentially, it is that psychological instinct to trust what is familiar to us. It is that cognitive gap where biological trust, which we all have this biological trust, overrides today’s digital suspicion, leaving the door wide open for fraud, AI, deception, and so on.

So understanding that human beings are what is considered an interdependent species, which means that we are dependent upon each other. We need each other to procreate. And without each other, of course, we would dissipate if we don’t procreate. Well, the basis of that interdependence means that we need to trust one another. Trust is our default. So that 97% and that 3% we trust by default. So throughout the day, the people that you meet, phone calls, emails, text messages, you want to think and believe and you want to trust that the person on the other end or that you’re engaging with in person does not mean to do you harm, that has your best intentions, and that in the end, whatever they’re saying or doing is essentially in some way to your benefit, not necessarily to harm you.

So going with that, that 3%, they know that that 97%, that your employees, that they’re just responding to emails and text messages and phone calls thinking that the person on the other end is essentially good. And most training today doesn’t really speak to any of that. Most security awareness training doesn’t really speak to any of that. It’s, “These are the risks. This is what it looks like. This is how you need to react and respond. Do this, or else.” And that’s what most security awareness training is. And I don’t know that that is any longer effective.

Cole French:

Why do you think it’s not effective? Do you think it creates paranoia? Is it a negative? Does it come at it from too much of a negative perspective? What are the reasons you think it’s not effective?

Robert Siciliano:

So it’s not effective enough. It is effective in what it’s there to perform, what it’s there to accomplish. It’s effective in engaging in compliance. It’s effective in solving the problems of, say, phishing or what to do when the phone rings or an email comes in and so forth. It’s effective in that regard. It’s effective in solving the problems in which it speaks to. But there are many more problems that we as humans have that most compliance-based or security awareness training doesn’t really touch upon.

So my philosophy is and has always been that all security is personal. And what that means is it begins with me and my physical being. And personal security starts with, when you think about it, violence prevention. So security starts with violence prevention, personal security does. That means preventing a predator from harming my physical being. And then from there, as a family person, as a homeowner, even in an apartment, home security is the next level up. Preventing a bad guy from getting in while you’re home, while you’re sleeping, and, of course, while you’re gone.

Your home is your castle and home security is personal security. But then all security being personal, what’s more personal than your identity? What’s more personal than your Social Security number, your name, your address, your phone number, your passwords? And we don’t necessarily look at security as being personal to us. Phishing simulation training, most security awareness at work is all about protecting the data in which you are entrusted with, but it doesn’t speak to the actual person where they are in their lives and how security affects them.

Look it, we are what is considered a selfish or self-interested creature. And the word selfish generally gets a bad rap. And I think the word selfish is actually important to us. I think we need to be selfish. What that means is you need to be selfish. You need to get a good night’s sleep. You need to nourish your body with good foods and enough fluids. You need to take care of your mental health. There’s a reason why the flight attendant says, “Put the mask on yourself first.” Because you can’t take care of anybody else unless you take care of yourself first. And when it comes to security, what’s missing in most security awareness training is that. It doesn’t actually speak to the person, where they’re at in their lives.

So I believe that where all security is personal means that the core belief that people protect what they love. And by teaching someone to secure their child’s digital footprint to protect their own identity, you create more secure employees at work. And as a result of that, this isn’t really groundbreaking, but it kind of is, you get what’s called the kitchen table effect, which is the multiplier effect where successful training ends with the employee teaching the concepts to their family, cementing those lessons for life. They’re not doing that with phishing simulation training, but if you make it all personal to them, you have one aha moment after the other.

Cole French:

I like what you said about compliance training, phishing simulations, things like that. They are very… And we’ve talked about this before on this podcast, about the importance of compliance, but also maybe sometimes the mindset in the compliance space that I’m checking the box, I’m doing this because I’m required to do it, and some standard has set forth these requirements. And really, I’m building this program to meet those requirements, and I do meet those requirements. But to what you’re alluding to and what we’re going to really dive into here, I do, I think that in a lot of cases, that is effective to achieve the compliance end, but not so much effective at actually building security into our organizations. This is another thing we talk a lot about here, is how do we build security into how we do things and the way we do things.

So getting employees to care more about security, so do you want to dive into that a little bit more? How do you personalize it and get that kitchen table effect?

Robert Siciliano:

So prior to COVID, I’m what is considered a security awareness trainer. I’m a speaker, which means I get on airplanes and go into hotels and function facilities, I speak at conferences when something bad happens and/or at an association meeting to bring everybody up to speed on security. And so prior to COVID, I was on the road quite a bit. Delta 1.5 million miler, Diamond Medallion, the whole thing.

COVID hit flatline, nothing, dead in the water. Barely feed the family. And of course, I went online and did a bunch of virtual learnings and so forth, kept the lights on. And then around 2023 and a half, the phone starts ringing again. People start waking up. CISOs, company officers, they start saying to me, “Listen, we’ve been doing the whole compliance training thing. It’s there. It’s necessary. It works to do what it does. But what we’re finding is we just,” and I heard it and I still hear it over and over again, “we just want our people to care. We just want them to care. We want them to care about security. How do you do that?”

And the reality of it is it’s a lot easier than you might think. So it’s like most security awareness training is what I would consider a monologue. You’re watching an animation. You’re watching a talking head. You’re consuming information. You’re trying to get through an LMS, maybe even trying to beat the LMS to get through it. And in many cases, you might, you do, or it’s phishing simulation training. And with phishing simulation training, not always, but sometimes there’s a little bit of fear involved. There’s a little bit of shame involved if you don’t get it right. That’s not with everything, but you see that here and there. People feel bad when they get things wrong. But most security when there’s training is a monologue. You’re being talked at and told.

Look at, I got girls. I got a 17-year-old and a 20-year-old. I got a 57-year-old honey. I cannot talk at these people. If I even talk at my girls, I get resistance, let me tell you. They are not ones that you could just tell what to do. And so I have to have a dialogue with them. I have to speak to them like they are what they are, emotional, empathetic, sympathetic humans that have their own perspectives and emotions and fears and concerns. And that’s what security awareness training could or, frankly, should be, or at least what it can be.

So what I mean is when I get in front of a live audience, which a CISO, a CTO, a CIO, they can do the exact same thing, is you’re having a dialogue with your coworkers, with your employees, with those in your charge. You’re having a conversation with them. You’re engaging them where they are in their lives. You’re speaking about the issues that concern them first. All security is personal. It begins with where they are in their lives with their own personal, with their physical being, with their own identity, with their own data, their own dollars. And when you begin with that as the concept that it is a dialogue, that it’s us having a conversation, I have a conversation with 100 people at a time, with 500 people at a time. I’m asking them questions, they are responding with answers, and therefore they are asking me questions, I am responding with answers. And there’s a process to this. And part of the process means breaking down what security is and breaking down what security isn’t. And that is a huge part of this.

So we’ve talked about trust, and we also need to talk about things like denial and paranoia because those are two things that play into how all security is personal and why we resist security. So if you wouldn’t mind, I could explain that to you.

Cole French:

Absolutely. Is that part of… So I know we discussed beforehand this shifting beliefs. So is that part of what you’re getting at, is we have to shift the beliefs of our users, or those who we’re seeking to train and provide security awareness to? Is that what you’re talking about, is the denial, things like that?

Robert Siciliano:

100%. You see, most people, all people trust by default. And then from there, people don’t want to think that bad things can happen to them, obviously. Nobody ever wants to recognize that a criminal would choose me, that a bad guy would want to harm me. Nobody wants to think about that stuff. And not only do they not want to think about it, many people just choose not to think about it. They would rather not acknowledge the reality of that because it involves worry, it involves fear, it involves harm. It’s unsettling. So all people do not want to be hurt. We can all agree on that. And so as a result, what happens is, here’s what we do about security in our culture, why and how we resist it.

So when I ask all these qualifying questions to my audience, first up front, I’ll ask, “How many of you use a password manager?” It’s always less than 10%. “How many of you can categorically say you’re using a different passcode across all your critical accounts?” If I get 10% to 15% of the audience to say they’re using a different passcode, that’s a lot, which means 85% or more are using the same passcode across all industries combined in their personal and professional life. “How many of you are using two-factor authentication?” If I get 20% of the room, that’s an awful lot, which means 80% are not using two-factor authentication. That is the general public.

And then from there, I ask, “How many of you have a home security system? Personal security? How many of you lock your doors?” Locking your doors is like 60% to 70%. It’s not 100%. It’s 60% to 70%. Certain parts of the country, it’s more, but most of the time, it’s 60% to 70%. “Well, why don’t you have a home security system?” And that question usually gets 10% to maybe 20% of the room depending on where in the country that you live. So 80% don’t. And in a country where every year one to 1.5 million or more homes are burglarized, that means in the next 10 years, that’s like 10 to 15 million homes burglarized in the next decade.

And I said, “Okay, so why don’t you have the home security system?” They say, “Well, we don’t have a home security system because my husband says we have insurance, so why bother?” “Okay, you have insurance, but what happens if you’re home sleeping? Have you thought that one through?” “Well, my husband also says that if they’re going to break in, they’re going to break in.” Which obviously is a fatalistic attitude, which many people take when it comes to security. That’s a comment, I see it all the time. “Okay. Have you thought through they’re breaking at 3:00 in the morning with a machete? Okay, so if they’re going to break in, they’re going to break in. Just make it easy for them.” But people don’t want to think about that to begin with. But you know what the most common answer is when it comes to why they don’t have a home security system? They say, “I don’t have one because I don’t want to live like that.”

Cole French:

I knew that’s what it was going to be. When you said that initially with the home security system, I’m like, there’s a point of pride people have sometimes. They talk about, you hear, you watch TV shows and things like that, and people are like, “Oh yeah, it’s a safe neighborhood where nobody ever has to lock their doors.” And it’s like, yeah, exactly. I think people want to live that way.

Robert Siciliano:

Okay, which I get. And that’s great that you live in a “safe” neighborhood. Let me ask you a question. When you’re watching the 6:00 news and something tragic happens in a neighborhood somewhere, and the local news channel comes in with a reporter with a microphone and a camera guy and they knock on the neighbor’s door where it happened, and the neighbor opens up their door and she comes outside and the journalist puts the microphone in her face, what does the neighbor always say about what happened?

Cole French:

“I can’t believe this happened in our neighborhood.”

Robert Siciliano:

Yeah. Nobody ever thinks that, but they all say the exact same thing as if it’s never, ever going to happen in your neighborhood.

But look it, I point that out because it’s not that you have to worry that these things are going to happen to you. I point that out because we’re all the same. It’s the same dialogue that we all have. We never want to think it’s going to happen to us. Therefore, when they say, “I don’t want to live like that. I just want to be free. I don’t want to have to worry about those things,” what they’re doing is they’re looking at the world around them and saying, “Yes, there’s risk out there, but I’d rather not have to be reminded of it. I’d rather not walk in my house and have to disable an alarm system because I don’t want a constant reminder that there’s harm in the world. I want to be free and clear of those thoughts in my head. I just want to be free.” Which I get if you’re a five-year-old, but now you’re 50 and you’ve got a family and you’ve got a bank account and you’ve got passwords you got to manage and you’ve got investments.

And I ask similar questions like… So look it, if you don’t understand all of these things, if it’s too much for you, just find yourself a 15-year-old. They’ll take care of it for you. And as you’re laughing right now, they all laugh, and my response to that is, “You know what? There was a time when that was…” And it is kind of funny, but I don’t know that it’s any longer okay. I think that if we continue to deny that we need to recognize risk and that security is about worry and fear and that putting those systems in place means a constant reminder of worry and fear, I think that that’s just really, frankly, immature. Maybe a little bit silly. I don’t usually say that to them, but they figure it out for themselves.

And then part of this process, I’ll ask them, and I’ll ask you. And it’s true, I’m a guy that has 20-plus security cameras. Maybe a little excessive. Inside, outside the home in total. When you hear in general, the general public has, this guy’s got 20 security cameras, what might be their belief of my disposition, my worldview, my outlook? I wake up every day, I got 20 security cameras. I must be what?

Cole French:

Paranoid.

Robert Siciliano:

Exactly. And if you pay any attention to anything, we know that paranoia, as far as the medical community is concerned, is a mental health dis-ease. It is somebody who effectively does truly believe that others are out to get them. They do truly believe that they have to look over their shoulder and watch their back because they do truly believe that they are at risk all the time, that their disposition is such that their mind is essentially out of control, which is a horrible, horrible disease.

I truly, actually, unfortunately have a first cousin that is afflicted with this. And I think that right now, she might actually be living in her car because her meds just aren’t working for her. She struggled with this her entire life. She’s been arrested multiple times. She’s wanted me to inspect her house for bugs. She truly does think the FBI, CIA, Secret Service are all trying to get her. And I’m contacted as a cybersecurity guy. I’ve done a bunch of TV shows on mobile phones and spying on you and stuff. And I get contacted by people all over the country. They really think that they’re being spied on and that their house is bugged. And I know that those are generally mostly mental health issues.

So all that being said, we have this unhealthy relationship with security. We just do. If you look at security as being paranoia, it’s about worry, it’s about fear, why the hell would you ever want to engage in it? Why would you want to be phished at work? Why would you want to even think about it or even be trained on it? Because it’s a scary, ugly thing about fear and worry and paranoia and bad guys and sociopaths, and I don’t want to be hurt. But that’s not what security really is. That’s not what it should be. If you reframe that conversation as we started to do, you start to see that as you make security personal, they begin to look at it as something very good for them.

One of the most satisfying things about what I do is that when I get in front of an audience, 100% of the time I get on the platform, I look out in the room, I’m looking at 100 people, 500 people, two-thirds of them, mostly men, arms crossed, scowl on their face, looking at me. “Okay, security guy, what are you going to tell me?” Every time. And then as I start asking them questions about passwords and two-factor authentication, home security, I start talking about trust, I start talking about denial, and then what happens is their arms start to go down by their side. As you make security more and more personal about them and how to protect their identities and manage their passwords effectively, make their lives easier, now they’re looking at all the benefits of what it is that you have to speak to. And as the arms go down, you know what happens? The hands go up, because now they’re interested in what you have to say because they have questions.

Look it, your people have questions. They’ve had questions all their lives, and they don’t know what to do. They need your help. When I tell you in every single presentation that I do, 100% of the presentations I do, inevitably somebody asks me, and I know that it’s not just one person who has the same question, they ask me, “How do I know what links are okay to click on Google?” Anybody who’s listening to this podcast has a clue and they know what links to click on Google, but when I tell you, that’s everybody. It’s not just your grandmother. It’s your spouse, it’s your kids, it’s your employees, it’s the people that matter the most to help you protect the network in which you are entrusted with. And they are absolutely at that level. It’s not a bad thing. It’s just that nobody, and maybe even including where you’re at in your profession, has actually sat down with them and had this conversation with them.

And here’s the deal. I’m not asking anybody to walk up to your 50-year-old co-worker and give them a hug and hold their hand. I’m asking you to actually address the humanity revolving around security and the fact that people are scared. They just don’t know what to do, and they’ve never had any real direction in regards to this topic.

Cole French:

And to personalize that story that you just shared, or I guess that question that you just asked, and I think actually going back to what you said at the beginning, about 97% of us trust, and then there’s the 3% that are that outlier. Just a week or so ago, got an email from somebody outside of our organization wanting to potentially engage in business, and they provided a link to look at some documentation related to their particular inquiry. And I didn’t click the link or anything like that. I looked at it. I didn’t think anything of it, I forwarded it on to the person who would handle it, and he actually came back and he’s like, “Do you think I should click this link or should I check it?” And I was like, “Man, I didn’t even…” Even as a security person, I didn’t even think about, ooh, that’s potentially dangerous before forwarding it off to somebody else. So to the trust part of it, that’s a great real-world example.

And just to go back to changing the mindset here and the shifting beliefs. So from a practical perspective, you talked about password managers, MFA, things like that, but maybe get more practical with it. If you’re working with an organization, how do you approach really getting this mindset and belief shift to happen?

Robert Siciliano:

A couple things. The story you just provided, I think it’s important just to address that really quick. So I think most of us to a degree in our personal and professional lives are on a form of autopilot, especially in a work environment. 100 years ago, it was just factories where people had this move they made throughout the day where they did this one thing they did all day long on autopilot, where they had this mechanical, physical thing they would do to move the whatever it was from one part of the belt to the other part of the belt. That was their job all day long. So now, you and I are in autopilot with emails and phone calls and how we address all these multitasking things that we do.

And so the idea is to develop intentional security, which is a shift that you first have to get the employee to believe in security first by breaking them down, challenging the belief systems, what security is, what security isn’t, everything that I’ve just run on about. And once you begin or try to sell those who have your budgets intentional security, which is what you want to move to, which is moving from accidental vulnerability, which is autopilot, to a state where digital interaction is a deliberate conscious endeavor. So the links that you click, the emails you receive, you forwarding that email gave that email credibility. You know what I mean? That’s what it does. Because when the person who gets it from you, they’re like, “Oh, Cole has already seen this email. Cole already sent this to me because Cole needs this done. Therefore, Cole is who this email’s coming from.” Not a criminal overseas or somebody trying to scam the person you forwarded it to, it’s coming from Cole. So you gave it credence.

That being said, if we have those discussions, which I don’t know that we’re having the discussions at that granular level, bringing it to everybody’s attention. I’m not asking a single CIO, company officer, and so forth to stop doing what they’re doing. I’m requesting that they update and upgrade the conversation in such a way where you add onto what you’re already doing.

After COVID, 2025, my best year ever since pre-COVID. Why? Because companies don’t realize we’ve got to do more. Because with AI now in the game and deep fakes and voice cloning, we are at a point now where we really need to get our employees to really, truly engage in the practice of security because it’s now to the point where I don’t know that they’re going to be capable of recognizing real from fake ever again. Now, that being said, we need them truly at this moment in time to care about security. And the beauty of that is I don’t know that there’s ever been a better time to actually engage the employee about security awareness because it’s exciting to me, and it should be to all of you as well because AI is awesome, what it’s capable of, both good and bad. It’s like James Bond 007 meets Mission Impossible meets the Minority Report all in one security awareness training, which isn’t being done through phishing simulation training, but it can be done through a live interaction.

Listen, the way I look at our culture and society in regards to the role that your listeners and audience play is that there are teachers and nurses, there are first responders like law enforcement and police officers, we call them our heroes. And my firm belief is that those company officers, those CIOs, CTOs, CISOs, CSOs, they are the unsung heroes. The reason why you and I enjoy the lives that we have today, truly, and I am asked this question all the time, every presentation I do, “So who’s winning, the good guys or the bad guys?” Well, obviously the good guys are winning, and the good guys are winning because those unsung heroes that sit behind the desk, that are crawling under the desks, that are above the drop ceilings are the ones that are the reason why the critical infrastructures today are functional. We have electricity because of you guys. We have clean running water because of you guys. We have a banking system because of you guys. If it wasn’t for you, it wouldn’t work.

But I don’t know that in the next five to 10 years we’re going to be able to maintain that due to the fact that the attack surface is getting bigger and bigger and bigger. And with AI and so many organized criminal syndicates getting in the game, I think that the grandmother test is no longer even a consideration that y’all are going to have to start tightening things up in such a way where it’s going to be very difficult to even access our current systems to be able to perform the functions that employees need to do on a regular basis to get their jobs done, that you’re going to have to start to tighten things up in such a way where the level of interaction between you and your employees to reset passcodes or passkeys or whatever it might be just for them to do their jobs, I think that that’s going to have to change because you’re going to have to tighten things up a lot more because the vulnerabilities are going to be a lot more frequent.

Cole French:

I 100% agree with that. You’re starting to talk a little bit about practicalities. And of course, I guess even in some ways, maybe we’re getting to a place where some of this stuff might even become impractical to some degree. But for you, if you’re coming into an organization, you’re working with them, what are you doing from a practical perspective? Because that’s always what we like to get into here. We talk a lot about compliance, but we like to make compliance a little bit more practical. And the practical, I find, gets us to a place where we actually do security better, or at least gives us an opportunity. So what would that look like for an organization to realize that strategic shift?

Robert Siciliano:

Yeah, so I think most organizations have some type of an all-hands-on type event, which they’re having them less and less, but I think those all-hands-on events are really important. And time after time, I would be one of those presenters that would come into those all-hands events and I’d deliver a presentation. And those all-hands events are not just all hands that are actually in that physical space. All hands might be broadcast worldwide in many cases.

And so whether it’s me or your CISO or however you go about it, for example, I’m speaking in an auditorium or a facility that has, say, 100 employees in that room and it’s being broadcast, and I’ve spoken to as many as 4,000 worldwide, those 100 employees and the questions they have and the concerns they have, the interaction, the dialogue that we have, it is the same exact interaction and dialogue that all 4,000 people worldwide wish to have, but they’re getting it through their fellow employees that are actually in the room. So they all have the same questions, they all have the same concerns, the same worries, the same fears, and so when you engage them in person that’s broadcast worldwide, that’s practical. That’s easy. And if you do that once a year, you’re getting a percentage of the people to start to look at security deliberately as if it is something that they want in their lives, that they look at it as something that is good for them.

I think I started to say at one point, in every presentation that I do… And this can be anybody. It doesn’t have to be me, but it’s what happens with me. Like I mentioned, when they start off with their arms folded, eventually their arms go down and their hands go up. At the end of the presentation, inevitably people line up and they say, “You know what? I’m here because I was told to be here. I’m here because my boss made me come here. And I got to tell you, I didn’t want to be here. I really didn’t think I was going to learn anything because I know about these things.”

And then they say, “But you know what? This is not what I thought it was going to be. This is nothing that I thought it was going to be. And really, I’m so glad I came.” And then they say, “And I really wish my spouse was here, because he or she needs this too.” That’s what you want them to say, because now what you’ve done is you’ve connected with them. You’ve made it about them, and now they look at it as this is something that I need in my life versus something that my CISO is making me do.

Cole French:

Yeah, so when you talk about, “My CISO is making me do,” in your approach, it sounds like you find that instead of talking about, oh, this is a security awareness thing and talking about it maybe in technical jargon, I guess, for lack of a better way of saying it, you are personalizing all of these security awareness things. So you’re actually, it’s your goal to give practical examples and to share with people like, “Hey, these are things that you can actually be doing, versus this is something you do while you’re at work and not necessarily something you do at home.” Is that essentially what you’re advocating for, is translating that corporate jargon, if you will, into real-world this is what people actually can understand and articulate?

Robert Siciliano:

Exactly. Yeah, that’s exactly what I do. So I’ve done 500 TV shows. I’ve been on every major media network, Fox, CNN, everything, CNBC, MSNBC, Al Jazeera, China Television, ABC World News Tonight, all the morning shows. Why? Because I break down complex topics so that anybody who’s anyone who’s watching understands how these things work. You can’t speak tech to someone who doesn’t know if it’s okay to click a link on Google. You have to speak practical. You have to speak where they’re at in their lives.

I don’t consider myself all that smart with book smart or anything to that degree. I graduated high school, I got a little bit of college under my belt. My background is literally the streets of Boston. And over the past 30, 40 years, I’ve managed to develop the ability to communicate effectively, which I’ve always believed that the quality of a person’s life is based on the effectiveness of their communication skills. And the better you can communicate, the more you can get your point across, what your needs are, what you might need other people to understand to maybe meet those needs and so forth.

And time after time, when speaking with the CISOs and so forth, what is so fun for me is engaging them. And they come from a very analytical mindset, and they’re all just so smart, way smarter than me, way more capable than me in regards to technology and code, and just the general language and dialogue that we have just makes me smile. But I know that if they were to speak in that manner to their co-workers, it would be hard for them to follow, let’s put it that way, because it’s like you’re talking to somebody who’s really, really, really smart who’s over your head. And I come up with that with certain people in my life, like in finance and other vocations. But when it comes to an engineer trying to communicate basic security awareness to an employee who doesn’t understand what link to click, it becomes difficult.

I speak in front of law enforcement officers all the time too. And law enforcement officers, there’s all kinds of people in law enforcement. And when I’m explaining all of this to them, one of the questions I ask them is, “Why do you think that your town residents engage in these various scams?” And you know what answer I often get when I’m talking to law enforcement? What do you think that the law enforcement officers often say?

Cole French:

People didn’t understand, didn’t take the time to try to understand what exactly it was they were getting into before they just got into it.

Robert Siciliano:

That’s what they should say. Often I hear, and I don’t mean to go down on law enforcement officers, often I hear, “Oh, because they’re stupid.” And it’s like, so these are the people you’re responsible for. These are the people you’re supposed to protect. I get that. I guess it’s frustrating. And while there may be “stupidity” engaged in clicking that link or forking over that money or depositing all that cash into the Bitcoin ATM, that can be stupid, but at the same time, we just want to trust. We just need to trust.

Look it, when the employee at Uber a couple of years back got a text message from who he thought was his boss at Uber, his employer who asked for a text message, and that the Uber employee provided a text message which gave unfettered access to Uber’s systems. Is that employee stupid? Is he dumb? What did he truly want to do? He just wanted to help. He just wanted to do his job. And that is most people.

So I think it’s just a matter of slowing down, back it up a little bit, getting practical again, connecting with people, not being so requiring metrics, metrics, metrics every time somebody clicks a link, that doesn’t click a link. Let’s make some connections to people and let’s reach them where they’re at in their lives. And I guarantee people are going to start to look at you differently because they’re looking for somebody to help them. They’re looking for somebody to help them navigate this scary world that we’re in. Hackers, attackers, and thieves are scary. And who better to do it than you?

Cole French:

I agree. What you said, and as you were saying it, especially the Bitcoin thing, which I’ve heard several stories along those lines, exactly to what you said, the motivation is to help. The motivation is to do the right thing or to avoid something that’s bad. But one thing that’s different about the world we live in, I think, today is the speed at which this type of stuff happens. And I know, I wouldn’t consider myself to be old or anything like that, but I can already start to sense that I don’t process information quite the same and I have more… And some of that is, and maybe it’s not even age from an ability standpoint, but it’s also at a certain point, we’ve consumed so much information throughout a lifetime that I think it just becomes more difficult to sort through and sift, especially as these things change.

So I’m curious, what are the things that you think enterprises should be training for right now or should be teaching their employees about that maybe we aren’t or that they aren’t focused on?

Robert Siciliano:

Right now, I think that most companies are purely engaged in what I call the compliance trap. And no offense to compliance. We need compliance. It’s absolutely necessary. It is fundamental. You have to have it. But there is a bit of a trap to it, which essentially is a bit of a false sense of security felt by meeting regulatory requirements while the actual human behavior remains unchanged and vulnerable. That’s really all that means.

And so if we begin to refocus our efforts on the human behavior aspect by getting to the root of why we behave the way we do, versus looking at, say, phishing simulation training as a hammer beating the employee over the head. “Do this, do this, do this, do this, or else.” And we apply a scalpel to it, which essentially is, “Hey, let’s have a conversation about this. Where are you at? How are you feeling about this? What are your concerns? What do you do at home in regards to your own security? Do you lock your doors? Do you have a home security system?”

And I might be being a little bit repetitive here, but that is where they need to be. This is not a fundamental shift, it’s just going back a little bit in time, looking at all security as being personal, understanding the shame barrier to a degree, like that emotional wall that prevents victims from reporting a breach. We break this by treating mistakes as data, not causes for termination.

I recently met somebody who was fired from their job as a mortgage broker because she just couldn’t get the whole phishing thing down pat. She kept failing, and she was fired. And I don’t necessarily blame her for that. I blame the way that she was trained. I think that there’s another way around it. Here’s a 30-year professional in her trade, one of the best at her business ever, revered by realtors in her community, and lost her job because she couldn’t meet a basic requirement of avoiding a phish. And I think that there’s a way to reach that person, but I don’t know that phishing simulation training is the way to do it. And so you have to keep doing what you’re doing, but there needs to be an addendum, an adjustment, an addition to.

Because we have this cognitive load management. It’s building security habits designed to work when mental bandwidth is at its lowest, exhaustion, stress, multitasking. And frankly, I don’t know a single person in my entire life that isn’t exhausted or stressed or multitasking. That is everybody. It’s everybody. And so we’ve got to meet people where they’re at. And until we do that, the bad guys have a bit of an upper hand in that regard because they know we don’t want to think about security. It’s paranoia. We trust by default. We’re just simple humans that have enough strength to get to bed and to wake up and to get the dog fed and to get the kids off to school and to get to work and to get home, to pick up the daughter at dance, and to get the kid to soccer and make dinner and find enough time to talk to your spouse and maybe watch Dancing with the Stars, and then start all over again.

And in the meantime, you got to deal with sociopaths and psychopaths that could care less about your mother and would like to see her on the streets homeless so they can get all of her money so they can buy a Benz. That’s what we’re up against. But it doesn’t have to be like that, but it is. So there needs to be an update in the conversation.

Cole French:

So is that the biggest thing for you from a practical perspective? Like you said, so we do the things that we’ve always done to some degree. So phishing simulation is a good example. It’s like we do these exercises and they give us information, but it’s what we do with the information. You gave the example of somebody who was fired because they couldn’t, but really it is, it’s an opportunity to say, “Hey, this person is having trouble with this.” It’s not a judgment, or at least it’s not a negative judgment. It’s you meet that person to try to understand, had an issue with these phishing simulations, get into understanding what is going on with that person. Why is it that they’re having trouble with this? Provide resources for them to potentially help them, on and on.

So would you say that’s the most important practical shift to make, is that use it as a means to connect with your people versus measuring metrics and punitive results, things like that?

Robert Siciliano:

100% agreed. Of course, yes. And you start off with, again, rewiring them, trust, denial, the whole thing, all that.

Look it, I’ve been going to therapy, literal therapy for most of my adult life. Why? Because it’s important to talk to somebody who is outside of your spouse and your friends and your family that has a clue that can look at where you are in your life and why it is that you’re having these difficulties with the certain people in your life based on your upbringing and the way you interact with your mom and your dad and all that stuff that makes us human, that also causes problems with your relationships with your spouse and your kids. We have all this baggage.

And I’ve heard over and over and over again when talking to a therapist, when something is happening in your life where there’s conflict, where there’s an issue, where there’s a struggle, every single time, the therapist’s response is generally something to the effect that, “Here is a great opportunity to discuss that.” Because now, it’s out on the table. It’s raw. This is the perfect time to unpack what’s gone on, why that is happening, why we reacted that way, why we processed and understood what appeared in our lives and how we emotionally, physically, intellectually, biologically reacted and interacted with whatever occurred. Whether it’s another person while we were driving who upset us and led to a mini road rage or we gave the finger, or your wife said something that triggered something that upset you, or whatever the case is.

We’re just human and we’re complex. And at the same time, it’s relatively simple to address that complexity with solutions that have been developed over the course of our lifetimes that are meant for that purpose, whether it’s through therapy or it’s through phishing simulation or ultimately through dialogue, discussing the foundation or the fundamentals or whatever issue we’re speaking to, and in this case being security, and what our resistance to it. And then just getting to the bottom of it and shaping people so that they recognize risk much more holistically.

Cole French:

So this has been a great conversation, but as we wrap up, I got a final question that’s really, I guess, two questions or two-part opportunity for you to share with us some parting wisdom. And that is, all right, you got 60 seconds in front of your CEO to explain to him how you’re going to make this change. How do you do it without being alarmist? And then what’s one change an IT leader could make this week that will reduce human risk?

Robert Siciliano:

So I think that if the IT leader starts with talking to those who are responsible for their budget in ways in which they address it as, and there could be risk care, but every CEO has a family. They have a mom, they have a dad, who maybe even that CEO has to maybe talk his mom down from investing in cryptocurrency because of an email she received or a text message she got. Guaranteed, all of us have people in our lives that we are their chief technology officer. And you speak to that and you relate to that and how the people in their immediate life are affected by this stuff and how they’re vulnerable, and explaining in the same breath that is pretty much all of our employees too. They’re all the same. They’re just as vulnerable. They’re just as concerned. They’re just as scared. They don’t know what to do. They don’t know if they should click a link on Google or not, and so on.

So you begin with that, because we all have families and we all have vulnerabilities. And then from there, those changes, I would say that engage in a dialogue, even if it’s micro e-learning that you’re implementing on your own with a daily, weekly email that just talks about the absolute fundamentals. It talks about the absolute basics. It talks about why humans look at security as being paranoia. Heck, if you go on Google’s Gemini, ChatGPT, you start asking these questions, and they’re probably taking it right from my own website for that matter because I’ve been writing about this and speaking about this for quite some time. That philosophy is out there. It’s understood. The LLMs know this, and all you have to do is just essentially just translate it for your people and you will start to see things different in their reactions to this dialogue.

Cole French:

So one thing we say a lot on this podcast is security is a people problem, so I think the lesson of our conversation today is that’s true, and then we need to humanize it. So I really appreciate you taking the time this afternoon. Really appreciate you sharing your valuable insight, wisdom, experience with this important topic. Thank you for your time.

Robert Siciliano:

Hey, and thank you. And you guys are protecting our critical infrastructures as well. Your company’s amazing, and thank you so much for that. Well, I appreciate that.

Cole French:

Yeah, absolutely. Thank you for your kind words. I appreciate that, and I really enjoyed this conversation. I think we could have gone on for a lot longer just on a personal level. Interesting topic to me. So I appreciate it. It was good to meet you.

Robert Siciliano:

Thank you, Cole. Have a great day.

Cole French:

Yep. Thank you, Robert. You as well.

Thank you for joining us on the Cyber Compliance and Beyond podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss, or you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. And until then, keep building security into the fabric of what you do.
