A Con Artist Expert Explains Why Smart People Still Get Scammed | Secure Talk with Robert Siciliano
You consider yourself pretty tech-savvy. You know not to click suspicious links. You've heard the warnings. So why are more people losing more money to online scams than ever before?
Robert Siciliano has spent 30 years as a private investigator, appearing on CNN, The Today Show, and Fox News to explain exactly how con artists and cybercriminals think, and why your brain is actually working against you.
In this eye-opening conversation with SecureTalk host Justin Beals, Robert reveals:
- The psychological reason almost everyone falls for scams eventually
- How criminals use loneliness to build fake relationships and drain bank accounts
- Why your parents are the #1 target for the $124 trillion wealth transfer underway
- How a deepfake video call cost one company $25 million, in a single afternoon
- The one habit that would protect 80% of people - and almost nobody does it
This isn't a tech talk. It's a human talk. And it might be the most important conversation you have about your money, your family, and your identity this year.
Justin Beals: Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals. The FBI reported $16.6 billion in cybercrime losses in 2024. Now that's a 33% jump from the prior year. And the primary reason isn't outdated software or weak firewalls. It's something our guest calls the human blind spot, our biological instinct to trust by default, which no compliance training has ever actually fixed.
Now I've spent a lot of time thinking about why security awareness training doesn't move the needle. We hope it will. At StrikeGraph, we host security training with our staff. It helps make it personal and germane to our business. So any organization can run phishing simulations. And of course, we all check the compliance boxes. And every one of us has sat through an annual training video or LMS or lesson plan. But the losses keep climbing.
What our guest today argues and what I find genuinely compelling is that we've been training against the wrong target. We teach people to recognize phishing patterns, but we never address the deeper cognitive reason they keep clicking away. We're social creatures. Trust isn't a vulnerability we can patch. It's how we're wired to function.
Until we start treating security as something personal, something that connects to people's families, their finances, their own lives, rather than just a workplace obligation, we're going to keep seeing these numbers go up.
And that's why at StrikeGraph, we decided to host our own security training with our own team, make it a part of what we do day to day, the people we care about and the outcomes that we want as a business.
Our guest today is Robert Siciliano, and he's a private investigator, a certified speaking professional and the CEO of ProtectNowLLC.com.
As one of the nation's most trusted voices on cyber crime and identity theft, he has built an unparalleled media track record, appearing on over 500 television shows, contributing to over 1,000 radio programs, and being featured as an expert source in over 3,000 articles. He's a fierce advocate for personal and professional security.
Robert is the architect of the CSI protection certification and is a bestselling author who strips away the technical jargon to deliver straight talk solutions.
His expertise is regularly sought by every major network, including CNN, Fox News, MSNBC, and The Today Show, where he empowers millions of viewers to protect their data, privacy, and wealth from modern threats. Please join me in welcoming Robert to Secure Talk.
----
Justin Beals: Robert, thanks for joining us today on SecureTalk.
Robert Siciliano: It is absolutely my pleasure, thank you so much.
Justin Beals: Well, I think the treat will be ours. You're obviously a very deep expert in the work that you do. Let's start off, I think, with a place where we can gain a little bit of your perspective. You know, how do you look at kind of corporate security, the leaders within corporate security, and some of the challenges that you're trying to help them solve or improve?
Robert Siciliano: Well, a few things. Number one, you know, those that are responsible for protecting us, me, you, our critical infrastructures, you know, they are the unsung heroes from my perspective. And whenever I deliver a presentation, you know, I always tout what their role and responsibilities are in making sure that effectively the lights are on. You know, the banking system is functional, right? That we have clean running water. I mean, that's what they are actually doing. And I don't know that they actually get the respect that they deserve, nor the funding for that matter. And they're also in effect herding cats. It's an overwhelming role and responsibility they have. And I always say the good guys are in fact winning because if the good guys weren't winning, the lights would be off, because that's what the bad actors want.
Justin Beals: Yeah, it's an incredibly multifaceted role, right? There's a little bit of engineering. There's a little bit of defense and offense conceptually, there's a little bit of business acumen, and you need a really strong, you know, emotional intelligence to try and, you know, inculcate a culture of security practices at your organization.
Robert Siciliano: Yeah, it's a big deal. The training that they provide is check-the-box compliance, which is necessary and important and required. And I have been engaged in working with company officers for a couple of decades now. What I've seen is the evolution of phishing simulation training, which is there to solve that problem. And that's what it does relatively effectively.
But what I'm also seeing is that the employee, right, those cats, they're not essentially being engaged the way that I find that they can or ultimately should be to solve the various security risk issues that they face, both in their personal and professional lives. And there is an addendum or in addition to that security compliance training that I don't know is being effectively considered.
Justin Beals: Yeah, you know, one thing I love that you said is, of course, all of us now in this security space work in compliance, and especially my background lately has been a lot about compliance. And we see a lot of this check-the-box attitude. And even though we work in that space, as a CTO, I deeply disagreed with it. Right. I liked that I had a kind of a set of things, a set of expectations, kind of a measuring stick to work against.
But I railed against the idea that every company was going to solve that problem the same way, right? Like it was, it was our job as leaders to be like, this is the type of security training we need for our team.
Robert Siciliano: You know, I have good friends that are, you know, CTOs, they run entire municipalities, right? And they say to me over and over again, we need metrics. I need metrics. I need numbers. I need to see the results. And it's like, yeah, I get that. Like that's important. But like when it comes to dealing with humans, right? Emotions, right? Everybody has their own perspective. And when it comes to dealing with security specifically, I don't know that enough thought has been given towards the fact that we, like, worry, we have fears, we have concerns, we have our loved ones that we're concerned about. And we don't know what to do when it comes to clicking links and dealing with passwords and two-factor authentication, or even frankly, having a conversation with your daughter who's going off to college, who's going to be consuming alcohol at a frat party. And, you know, something could happen. Like we don't have these uncomfortable conversations with each other.
Nevermind our employees and there is a huge opportunity there to connect with your employees in such a way where they begin to look at security a little bit differently because they don't know really what to do in all the presentations that I do. You would not believe how many times people ask me, okay, so I'm searching on Google. How do I know what link to click? That's where they're at. And while the phishing simulation training is necessary and it's there, you know, and it's required.
It's just not bridging the necessary gap that there is significantly to connect the employee to what they're engaged in in regards to the role and responsibility they have to protect the data in which they are entrusted with. And there's ways to do that.
Justin Beals: You know, this reminds me of a prior conversation I've had with a safety expert that was like, you know, if you look at a major manufacturing organization or a construction company, they kind of want to weave safety culture into everything that's going on. It's not about the decision in the moment, but an attitude throughout the day, you know, of the work and what we get concerned about and how we analyze what's going on. That's very different than "I tested you against anti-phishing and you made it through my test."
Robert Siciliano: You know, that is brilliant, what you just brought up. It really truly is, because when you weave safety culture into everything that they do all day long, it does actually move the needle, because now you have people thinking regularly about what to do and what not to do. And that also means like they're wearing, you know, they're wearing hard hats. They're wearing safety glasses. They're wearing good gloves, steel toe boots, the signage everywhere. And with compliance-based security awareness training, what is that? You know, once a year, an hour plus.
Sometimes it's micro e-learning, which is great, but still I don't know that that's enough. You know, that safety training is designed to create a mindset, create a way of engaging daily and weekly, so that it's top of mind. You know, when you think about it, cybersecurity as we enjoy it today has been around for what? 20, 25 years, maybe 30. It's brand new as far as, you know, our existence on this planet. And to expect, you know, a soccer mom or NASCAR dad that's got to pick the kids up after school and take them to soccer and drive the daughter to dance and get home in time to cook the meals and get the kids doing homework and find time to watch Dancing with the Stars to engage in an hour plus of security awareness training, and not actually address the human, where they're at in their lives in regards to password management, two-factor authentication, protecting their own identities, securing their home, their bank accounts, what links do you click on Google, not addressing any of that stuff upfront, I think we're doing them and ourselves a disservice because we're not connecting the effective dots.
Justin Beals: Yeah. Well, maybe let's try and find a couple of those dots, especially in some of your background around finance, financial services and the scale of the problem. One thing I found is the FBI reported $16.6 billion in cybercrime losses for 2024. That's a 33% jump from the prior year, with business email compromise alone accounting for $2.7 billion.
Maybe you can talk to us a little bit about these cybercrime or these threats and the two decades of the work we have done and what's not been working.
Robert Siciliano: So appease me a little bit here, right? It's important that we understand why humans do what they do, why they react the way they react and why they continue on being, you know, snared by these various frauds and scams that, you know, the CISO, the CTO looks at and goes, yeah, I know that's fraud. How come you don't see that? Right. And I call it the human blind spot. All right. So the human blind spot effectively is the innate psychological instinct to trust the familiar. Okay. It is that cognitive gap where biological trust overrides digital suspicion, leaving the door wide open for all forms of deception. What that really truly means is we as humans are an interdependent species, which means we depend on each other for our survival, for our procreation. Right. Without each other, we would fail to exist, obviously. And the basis of that means that we need to trust each other. And that trust is that biological way in which we see the world regularly. So when we trust by default, that means that every day as emails come in, phone calls come in, texts come in, people we engage with on a regular basis, getting in the car, driving down the street, we want to, and we need to, trust the interactions we have with others. We give the benefit of the doubt all day, every day.
And so bad guys know this, they use the truth and they twist it. And so if they're constantly reaching out, it's just a matter of time until the bad guys get in, because we want to and need to trust. Not trusting others isn't a natural and normal sense. We learn to not trust others through pain, through deception, through betrayal, through being physically and emotionally hurt by others. And we don't necessarily take those lessons and learn from them the way that we could or should. We just kind of, you know, we worry, we are in fear. And then as a result of that, and just hear me out a little bit, right? If you're watching the six o'clock news and something bad happens in a neighborhood somewhere, right? Something tragic happens to a family, to, you know, something bad happens. And the local TV station comes in and the reporter knocks on the neighbor's door and the neighbor comes outside and they put the microphone in her face, and they say to the neighbor, so what do you think about what happened? What does the neighbor often say?
Justin Beals: That I never would have suspected. I didn't think it could happen to them. Or we're such a quiet neighborhood.
Robert Siciliano: Categorically, across the board. That's what they always say. Why? Because nobody ever wants to think or believe that these things can happen to us. We don't want to think that. Therefore, to a degree, we as humans function in a certain level of denial. That's what we do. Denial is this psychological thing that we've had forever that allows us to deal with the chaos and the insecurity of the world around us. It allows us to function. Without denial, we would just be completely overwhelmed. So it's easier to a certain degree to function at a level of denial and think that these things can't happen to us in order to cope. Otherwise, we wouldn't be able to deal with all the various threats that are out there.
We would just be consistently overwhelmed. And as a result of that, we as a culture have developed this understanding of what we think security is, right? And it's wrong. And let me explain. And thank you for giving me the floor here, right? It helps, right? Trust me. So like, I'm a guy that has, and I say this to my audiences all the time, I'm a guy that has 20 plus security cameras, okay? So when I say I've got 20 plus security cameras, let's just say you don't know what I do for a living or whatever, and you hear, okay, this guy's got 20 security cameras, what might you say, or the public say, about this guy's disposition?
Justin Beals: No, it's great, yeah.
Robert Siciliano: His outlook, like he wakes up every day, he must be what?
Justin Beals: Paranoid. Yeah, yeah.
Robert Siciliano: Yeah, yeah, exactly. Okay. So risk management, putting systems in place, engaging in, you know, layers of protection, putting the security cameras in your house, does that mean that I am mentally ill? Because that's what paranoia is, right? But that's how we look at it. I mean, yeah, maybe it's a little excessive, sure, right. But the reality of it is we look at those who engage in security practices as he or she must be paranoid, they must worry, they must be terrified, they must be always looking over their shoulder thinking that bad guys are out to get them. That's how we look at security as a culture. We justify denial by looking at security as a bad thing. That's what we do.
Justin Beals: Yeah. I have four cameras, so I'm with you, but not as far as you've gone, Robert. But I do have to say that I think when I put them in, I had this emotional reaction like, am I being paranoid? You know, I like my neighbors. I have a great neighborhood. I picked it, you know? And at the same time, I think once I put them in, I worried less. I was like, I can instantly know what's going on a little bit, and I don't have to think about what could be going on.
Robert Siciliano: Yeah. You know, we've been doing this all our lives. It's like a cultural thing. You know, we've been doing this forever, and we're going to keep doing it. It's not going to change. And when the employees receive those phishing simulation emails or whatever it might be, what they're doing is, they're trying to beat the LMS. They're trying to get through it as quickly as possible. They're like, you know, I got work to do. My CISO is paranoid. He or she is making me do this. And that's unfortunate.
But it doesn't have to be like that. So it's just a matter of like engaging the employee in such a way where they begin to see security a little bit differently. And the reason why they keep succumbing to all of these, you know, business email compromise is because they truly don't look at this as their role, their responsibility as something that they need to do. They look at it as if like, you know, this is about being paranoid. I don't want to deal with these things. It's not even my job they're saying.
Justin Beals: Yeah, yeah, I've heard that one many times. You know, one of the things I read about you and your work is this concept of the strategic human firewall, and also the fact that you kind of start some of these training exercises a lot closer to home for people, family, right? Yeah.
Robert Siciliano: So the way I look at it is, look, anybody can do this. Understand that, from my perspective, all security is personal. And it all boils down to me and my physical being, right? Like physical security, like violence prevention. It starts with that. All security is personal. Personal security is violence prevention, right? But it's also, what is more personal than your identity? You know, your name, your social, your identity is very personal to you.
And in these issues, you've got predators, sociopaths, hardcore narcissists preying upon us, right? The likelihood of them choosing us is kind of slim, but there's still a chance. But when you look at all security as being personal first and you address the employee, the learner, from that perspective, they begin to look at security a little bit differently, because look, we are all selfish or self-interested creatures for good reason. Actually, you need to be selfish to a certain degree, right? You have to take care of your body, nourish your body with good foods and fluids and get a good night's sleep in order to take care of others and so forth. There's a reason why on the airplane when the flight attendant is providing the, you know, security safety instructions, she says, put the mask on yourself first, because you can't possibly help or take care of anybody else if you're, you know, choking to death, right? So we have to take care of ourselves first.
And when it comes to protecting the data in the organization, it makes so much sense that they understand how to protect themselves first. So I ask my audiences all these qualifying questions at the beginning of the presentation. And, you know, so we have a dialogue. None of my presentations are a monologue where I'm talking at the employee, like what phishing simulation training does. Pre-recorded e-learning is talking at the employee. While there might be some interaction there, it doesn't necessarily engage the employee like a conversation does, right? And so I ask them questions, you know, how many of you can honestly say you're using a different passcode across all your critical accounts at work and in your personal life, including email? Raise your hand. Every presentation that I do, if I get 15% of the room to raise their hand, that is a lot. Okay. Which means 85% of all your employees are using the same passcode across multiple accounts everywhere. This is what I do. Okay. And then in that same breath, how many of you can honestly say you're using two-factor authentication across all your critical accounts, including email, both at home and at work? If I get 20% of the room to raise their hand, it's usually a little bit more because it's, like, required more often.
If I get 20% of the room to raise their hand, that's a lot, which means in total, 80 to as much as 94% of my audiences, which is everybody, which is your employees, right? Maybe not yours, but in general, right? Are engaged in way poor cyber hygiene practices, because they just don't know, because they don't even know what a password manager is. And then the next question is, oh, well, what if the password manager gets hacked? And then I go to explain to them, listen, there have been 175 billion records compromised in the past 15, 20 years. 175 billion, right? Two to 3,000 data breaches per year. And out of those 175 billion, it's estimated that about 15 billion of them are, you know, passwords, and that like 94% of those passwords are basically the same, you know, like people are reusing them. And when you start to roll all that out and show them how we've just been engaged in silly habits over the past, you know, 15, 20 years, this is all kind of new to us.
You know, and then as I'm explaining all of this, I, you know, point out how some of these things can be a little bit tedious. They can be a little overwhelming at times, but once you engage in these processes, they become normal. And then I say, like, I can make a joke and listen, if you just don't understand all of this stuff, just find a 14-year-old. They'll take care of it for you. Right. And they all laugh just like that. And then I say in response to that, yeah, you know what? That is kind of funny, but you know, I don't know that we should be laughing about that any longer, because I think we're at a critical point now where with AI and deepfakes and voice cloning we can't just think that this is funny or okay or not my responsibility or it's not going to happen to me. I think that things are shifting right now to a degree where, look, I've been saying for 30 years at the end of every presentation, don't worry about anything that I'm talking about here, just do something about it.
Just engage in best practices and you're good. You become a tougher target, which is still relatively true. However, I am now worried, and I'm worried for the same reason that, you know, maybe you are, that AI is, like, deepfakes. Look, I've come face to face with people that have lost six figures, seven figures, right? And it is devastating, and I've never seen more money being stolen in such a concentrated period of time in my entire career than I have in the past year. And it's exponentially getting worse. And the gap is that human blind spot. That's it.
Justin Beals: We found an incident in doing our research for this podcast with you, that in January 2024, an engineering firm named Arup lost $25 million when an employee attended a video call where the CFO and his colleagues were all AI-generated deepfakes, to your point. You know, I think that in my work with computers, most people, even lightweight business users, you know, I'm an old computer programmer from back in the day, have this concept that the computer is fairly implacable, right? Like if we program it to do something, it just does that over and over and over again, and it doesn't get outside its boundaries. But I feel like between the internet, so this massive community that has come on to these computing systems, alongside now AI, that it's not as implacable, it's more probabilistic. It's getting even harder to detect, you know, when we're dealing with something like an AI deepfake. Yeah.
Robert Siciliano: The attack surface is massive at this point. Massive, you know, with everybody getting the wrong-number text messages, your mom and your dad being, you know, the most trusting humans left on the planet, the most moneyed, right? The least technically savvy, cognitively declining. They're a big target because of the $124 trillion in wealth that they currently possess that they'll eventually pass on to us.
Like that's a big deal, and organized crime worldwide. You know, the UN says that right now there's maybe 200,000 to 300,000 victims of human trafficking whose job, whose role, is cybercrime. They basically think they're getting jobs. They show up and then their passports are taken away from them. They're on a compound that's like 80 acres, a hundred acres, and they're beaten and tortured if they don't make their quota.
That's what the CISO is up against. Organized crime that's got this figured out. That's what our parents are up against. That's what we're all up against. None of us are really truly prepared to deal with what's here and now, nevermind what's going to continue to come. They're just going to get better at it. And the idea behind, you mentioned the strategic human firewall is essentially it blocks deception. It's not antivirus, it's not software, it's not e-learning, it's not, you know, click this link, it's dialogue, it blocks deception, it's a proactive governance, it's a mindset that turns employees from a passive target into an active detection layer.
They begin to see the world around them a little bit differently. It's the shift from, trust what I see by default, to I verify everything. That they go from emotionally reacting all the time, to intellectually understanding what's in front of them. And that's a significant shift that I don't know is being effectively remedied with basic compliance training that doesn't really affect the learner the way that it could or should.
Justin Beals: Yeah. You know, I can't think of a time in history personally, and of course, you know, I'm not the expert of everything, but certainly in my understanding, where the offensive and defensive tactics in a space have been changing so rapidly.
I mean, we certainly had innovation during times of warfare where people were learning to use different tools, but we look at the cyber landscape and it's just, we're building tools more quickly than we can figure out defensive postures for them, and they're being used more rapidly for crime. And that's part of the acceleration engine. I think also the criminals have learned how to monetize it a lot better and gotten better organized than maybe they were in the 80s or 90s when I was first getting started.
Robert Siciliano: Every single presentation that I do, every single one, people say to me, you know, if these criminal hackers, if they would just take what they know, and they're smart and they're brilliant, and if they would just take that, they would cure cancer. And I'm like, yeah, no. And here's why. The reason why they're not gonna cure cancer is they don't care about anybody but themselves. So in the 30 plus years that I've been doing what I do, I've come to the conclusion that 97% of all the people that you will ever meet in the course of your life, 97%, are worthy of your trust. They are good people with good intentions. Okay. They may lie occasionally. They may deceive occasionally, but they're good people. Right? About 2 to 3% of the world's population, 2 to 3%, are sociopaths, psychopaths, hardcore narcissists. Google it. Right. The American medical community labels these people as they don't have empathy, sympathy, guilt, remorse.
Essentially, they are the human predators amongst us that look at you and I, they are the lions, they are the wolves, we are the gazelles and the rabbits. And they look at us as their natural prey. And they make more money, some of them in a day than some of us might make in a lifetime. So they're not gonna cure cancer, but they are gonna steal every single dime that your mother has.
They are gonna take everything that your dad ever worked for. They're gonna go after your employee who he or she has access to funding in the organization. And your employee, 25 % of them are lonely.
And that matters because loneliness is much like, call it the pain and ache of loneliness, right? We experience the pain, the ache, of loneliness similarly to how we experience hunger pains. Hunger pains motivate us to forage, to go towards food, to find it, to consume sustenance. If we never felt hunger pains, you wouldn't eat, right?
I mean, we wouldn't eat. That's just how that is. If we didn't experience loneliness, we would never want to or need to be with others to procreate. Like that is just part of our evolution. That's part of our design, so to speak. Right. And 25% of us right now wake up every day experiencing loneliness. And if you pay any attention at all to this stuff, often when you feel that sense of pain, that ache, people will do anything to extinguish it. They will do anything to get over it. And often that means, you know, communicating with somebody because they send you a text message. Hey, Robert, are we meeting for lunch tomorrow? And you're like, I'm sorry, who's this? You're already heading down the rabbit hole, if you don't already know that that's a scam, you know, and too many of us don't, and too many of us have that reaction.
I'm sorry, who's this? And they respond with a beautiful picture of Gloria.
And now Robert is being solicited eight to 10 times a day by Gloria, who's saying, good morning, dear. How did you sleep last night? What do you got going on today? I'm meeting my girlfriends this morning for breakfast, and then I'm having yoga late morning and I'm meeting my team this afternoon. What do you got going on? And then Gloria sends pictures of her grocery cart and what she's buying this week for groceries.
And all of this is designed to build rapport. It's all designed to establish a relationship. It's all designed to take advantage of Robert's trusting nature. And 25% of your employees are doing this.
Justin Beals: Yeah, I also think that COVID must have accelerated some of this sense of loneliness, also our reliance on digital tools for human connection. It is a little bit of a perfect storm. I mean that, and I think that's why we see the increase in financial product. 30% is a big jump for the size of the number that we had the prior year. Yeah.
Robert Siciliano: It's getting worse because the existing training isn't working the way that it could or ultimately should, or there needs to be an addendum, right? That biological impulse that we all have versus the intellectual understanding, the internal conflict between our evolved survival instincts and our modern knowledge or resistance to digital risks. Like it's not being discussed at all.
Unless, you know, frankly, I'm doing it. I mean, it's just not, and that's unfortunate. It doesn't have to be like that. And then the compliance officer says, I need metrics. I need metrics. I'm like, okay, I get that. But I mean, when you sit your children down at 15, 16 years old and you're having conversations with them about life, is it like metrics, metrics, metrics? No, it's a dialogue about your past experiences, your understanding of the world around you. You know, what you want.
You're trying to enhance their learning curve based on, you know, your understanding of what works and what doesn't work and so on. You're trying to like, you know, like take it all apart and your experience in life and just kind of walk them through it and like, you see them begin to understand as they begin to ask questions that mean that they're beginning to get it. And like, that's how you, that's how you change hearts in order to change minds.
Justin Beals: Yeah, and you've worked a lot in, you know, financial institutions, but not banks. I thought this was really interesting about your background, Robert, especially the real estate industry, where you have a lot of different types of transactions going on. It must be a big leap for that group that's so used to assigned paperwork. Yeah.
Robert Siciliano: And what happens is what I call the kitchen table effect, right? You know, like, look at every presentation that I do, it's the funniest thing to me. I get on the platform, I'm in front of a live audience, and you know, this is what I see. This is what I see.
You know, like they're apprehensive, right? They're either doing this or they're doing this. You know, and what I do is like, you know, I say that most security awareness is a monologue. It's I'm talking at or you're presenting to. Whereas what I engage in is the dialogue. I ask them questions. I flesh them out. I kind of, you know, talk about the whole paranoid thing and the, you know, all that stuff. I just kind of lay it all out. And they begin to look, they're beginning to go,
like I didn't think that this was going to be that, right? And what happens is the arms begin to go down by their side and they begin to literally lean in and then the hands start to fly up. Now they have questions because what I'm doing is, I'm breaking down their resistance to what security is and isn't. I'm kind of pointing out how, you know, our denial and trust and all of this stuff makes it difficult and how we're all using the same passcodes, and like, you're just kind of breaking them all down. And now they begin to look at it like, he's not talking about what I've got to do at work. He's talking about me and my family and my worries and my fears and what has me up at night. And so now when you make security personal in that regard, and anybody can do this, they begin to look at it much differently because it is about them.
And what happens is what I call the kitchen table effect. Every single presentation that I do, frankly, somebody comes up to me at the end: I didn't think it was going to be like this. I really didn't want to be here. I'm here because my boss told me I had to come. I didn't think I wanted this or needed this, but I'm so glad I came because it was nothing like I thought it was going to be. And I wish my spouse was here, right? Because you've just made it about them. And that becomes what I call the kitchen table effect, which is basically the multiplier effect where, you know, successful training ends with the employees teaching the concepts to their families, cementing the lessons for life. That's what it should be. Phishing training doesn't do that.
Justin Beals: I'd argue that learning management systems, you know, struggle to deliver the same emotional connection as well. And having, you know, part of my career was in education work, I coded a lot of learning management systems over the years. And when I think about the difference between using a platform to deliver a set bit of training that was genericized for any possible company in the world or role, compared to a CISO standing up at an all-hands and being like, hey, these are the types of things that I'm concerned about. These are the types of things that we deal with. This is the type of impact to our customers, our business and you personally. If we're not sensitive about this culture that we put together, I just, I think there's an impact to that. And to get away from the compliance thing, where we're like, hey, I need a list of everybody that attended security training, having sat 45 minutes for this YouTube video, compared to, hey, we had an all-hands, we discussed it, we distributed it, that just seems more impactful as a security activity.
Robert Siciliano: Yeah. Prior to COVID, I was on the road. It was airports, hotels, rental cars, conferences, speaking, training. COVID hit, flat line, right? Nothing. And, you know, I did my fair share of virtual stuff, which I still do. It's necessary. It's important. And then, like around 2023 and a half, about six months in, the phone starts to ring a lot more frequently. Emails start coming in.
People are kind of like, you know, getting back to work a little bit, you know, Facebook and Google, they hadn't quite like gone in 100% at that point yet. But the calls were like this: hey, listen, we've been doing the phishing simulation training compliance space. We've kind of reached the plateau a little bit here. We just want our employees to care about security. That's all we want. What can you do in that regard? You know, and it's like, that's easy. That's what should be done.
And now 2025 was a great year, you know, because now companies are realizing, okay, we're back to work now, you know, and there is, like, you know, in and out of work, two or three days at home, two or three days at work. Still, the problem itself is not ultimately being addressed. And the problem is the human problem. And yeah, it needs to be interaction. You know, those all-hands matter to people.
They may be busy. They may not necessarily want to be there, but once they're in the room, that engagement, that human on human, that dialogue is entirely necessary. Look, we don't date virtually all day, every day for the rest of our lives. We get together. We meet, we have a cocktail, you know, we break bread. We're humans, we're social creatures. And you can only, I look at, you know, no offense to anybody out there, frankly, truly no offense. I look at phishing simulation training as like hitting them over the head with a hammer. It's bang, bang, bang, do this, do this, do this or else, and these repercussions and this shame involved in that. And I don't know that anybody really truly addresses that, you know, but there is, and it feels imposing to some people. And look, I am not asking a single officer out there to find your 50-year-old coworker and give them a hug and hold their hand. I'm not asking for that.
Justin Beals: Although it's okay. A little human connection wouldn't hurt, but yeah.
Robert Siciliano: Yeah. Look, if we talk to our coworkers, as far as this particular topic, which is this worry and fear and concern, if we talk to them about this particular topic with just a tick more empathy, a tick more understanding, I think we can completely change the game.
Justin Beals: I think in two vectors too. One you've mentioned deeply. This is a safe space. Mistakes have been, you know, things have happened to us because there are people trying to attack us. We can talk about our fears about that. When we did something that, you know, didn't work out, you know, in my group at work, we strive very hard to never, you know, when someone's like, hey, I have a security concern, and they raise it, that is never a negative ever. It is always a positive.
You know, and the other thing that I think of is just this ability to create a sense of responsibility as well for I'm part of a team. I, I decide what I'm concerned with. So phishing is a set of rules, right? Like they will teach you like, look in these URLs, hover over these things. Don't click on attachments. Not like, Hey, let's use some critical thinking here. What looks off about what's happening right now?
How much trust would you lean into a digital communication channel like email? Yeah.
Robert Siciliano: Yeah. The compliance trap is that false sense of security, you know, required regulatory requirements while the actual human behavior remains unchanged and vulnerable, you know.
Justin Beals: I think it's okay to think of compliance as a baseline. We start from here and we construct towards a more refined, effective security practice. You know, Robert, as we wrap up here, I had one other question for you. I think that in some of your presentations and work, you share a lot of personal stories about how you developed a sense of security. And I think we'd love to hear about that. You're obviously very passionate.
Robert Siciliano: 100%, yeah, agreed.
Justin Beals: And love hearing about where that passion stems from.
Robert Siciliano: Man, look it, I don't have the CISSPs, I don't have the credentials like you rock stars do, I just don't. People ask me all the time, are you from law enforcement, government official, FBI, CIA, where do you come from? I'm like, I come from the streets of Boston, man, I just do. Look it, I have never ever parked a car in a Harvard yard ever.
Justin Beals: That's great.
Robert Siciliano: Which, actually, I might've once when I went to a hockey game, anyways. Like, look, real quick. My story is very different than most. I was 12 and my dad let us go into Boston and we got on the train, got off the train. Me and my brother, he was like eight. I was 12 and we got off the train onto Washington Street and five kids attacked me, took my money. They beat me up and took my money.
I was not prepared for that at 12 years old. And I go home, you know, with my brother crying on the curb, and I go home, and my dad explained to me, predators and prey, lions and gazelles, and I was the gazelle that day, right? And so that kind of settled in a little bit. This is like, we're talking 40 plus years ago, I'm 57. And so a year later, I'm at summer camp. Parents worked, I went to summer camp, and I met a girl, I was 13, she was 13. And we kind of liked each other, like my first crush. And we got off the bus one day and go to her house, we're sitting on her front stairs. And she's looking at me all kinds of solemn, and I'm like, what's going on, you all right? She's like, I think you should know, my mother's boyfriend raped me. And I'm looking at her and I'm kind of bewildered, and shortly after, I take her home. And I say to my dad, Dad, what is rape? Because I had no idea what she was talking about. I just knew it wasn't good by the way she expressed herself. And so my dad gave me the conversation about the birds and the bees and sexual assault in the same breath. So at the age of 13 years old, being a victim of a multiple attack situation, meeting my first victim of sexual assault, and since then I have met dozens, if not hundreds, it had a profound effect on the way I viewed the world.
So I gravitated towards security. It's just what I did at that point. And by my mid-20s, I had a small business where I sold security products, you know? And I got my first computer in '94, '95, which was an IBM PS/1 Consultant with a 150 megabyte hard drive and Windows 3.0. And frankly, I think I might have bought it hot.
Justin Beals: I agree.
Robert Siciliano: Probably shouldn't say that, but yeah, and I got hacked.
I had to install a card to connect it to the internet because it didn't come by default. I think I had dial-up for AOL and I got the ability to accept credit cards. Back then, that wasn't an easy thing to do. And so that meant merchant status, which meant using my computer as a point-of-sale terminal. And I got hacked. I lost like $3,000 in product, in credit card fraud.
My business was personal security. And when that happened, personal security was like protecting yourself from physical violence and from thieves and from muggers and burglars, right? So that was my mindset. And when I got hacked like that, it was devastating because it was financially devastating to me, but I was intrigued because I was like, what they did was awful, but it was awesome. It's awesome what they do. What they do today is awesome. It's awful, but it's awesome. It was then, it's even more awesome now. They're making billions. It's phenomenal. It's awful, but it's great. I mean, you know, and so, like I said, if they can do that to me, think about what's possible. And I just started to focus on it and that became my focus and it's still my focus. And I saw it back then as something that, you know, you'd see like a university in California has 600,000 records compromised as national news. Today, it doesn't even make the radar any longer. It's like, yeah, another data breach. And they've just evolved. And as sophisticated as they are, it's just that they were organized, they treat fraud as a business. And I have been doing this since back in the day. You know, look, I owned LedZeppelin.com back in the day. That's how long I've been doing this.
Justin Beals: Well, Robert, I want to really thank you both for your work and also the refinement of your perspective around what matters in the work that we do in security, the training work. I certainly have a deep agreement with you around the compliance checkbox versus, you know, build the best security you can and like that baseline into effective practices.
And we really appreciate you sharing your expertise with our listeners today, Robert. Thanks for joining us on SecureTalk.
Robert Siciliano: Hey, my pleasure, and thank you so much.
About our guest
Robert Siciliano is a private investigator, Certified Speaking Professional (CSP), and the CEO of ProtectNowLLC.com (vs Protect Now, LLC.)
As one of the nation’s most trusted voices on cybercrime and identity theft, he has built an unparalleled media track record, appearing on over 500 television shows, contributing to over 1,000 radio programs, and being featured as an expert source in over 3,000 articles.
A fierce advocate for personal and professional security, Robert is the architect of the CSI Protection certification and a bestselling author who strips away technical jargon to deliver “straight talk” solutions. His expertise is regularly sought by every major network—including CNN, Fox News, MSNBC, and The Today Show—where he empowers millions of viewers to protect their data, privacy, and wealth from modern threats.
Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.
Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.
Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.