
Simplifying Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
Meet the Security Awareness Apologist
What happens after an employee clicks on a phishing link? Jason Hoenich (hey-nick), the self-proclaimed "Security Awareness Apologist," believes that's where the real education begins. Drawing from his experiences at major entertainment companies like Disney and Sony, Jason shares how live hacking demonstrations where employees witness real-time compromises create powerful, unforgettable learning moments.
The conversation dives deep into why traditional security awareness approaches fall short. While phishing simulations and generic training modules check compliance boxes, they rarely drive meaningful behavior change. The most effective programs go beyond making people aware of threats—they make secure behaviors easy and intuitive while building a security-conscious culture from the ground up.
One of Jason's most compelling insights revolves around relationship-building. Security awareness professionals who form strategic partnerships with HR, Legal, and Corporate Communications unlock unprecedented program potential. These connections transform potential roadblocks into champions who help tailor messaging and navigate brand considerations when creating engaging content.
Security champion programs emerge as another powerful strategy for organizations with global or diverse workforces. By identifying influencers throughout different business units and locations, security teams can extend their reach and ensure messaging resonates across various cultures and job functions. These champions provide invaluable feedback while translating technical concepts into language that connects with their colleagues.
The future of human risk management lies in personalization and actionable insights. Rather than just identifying risky behaviors, advanced tools should offer immediate remediation options—imagine a system that not only alerts an employee to unsecured files but offers a one-click solution to fix the vulnerability instantly.
Ready to transform your security awareness program? Start by assessing your program's maturity and developing a comprehensive strategy that goes beyond basic tools. Remember Jason's advice: "Strategy, strategy, strategy. If you don't have one, work on it." Your journey toward meaningful security awareness begins with this episode.
🔗 Connect with Us & Get in Touch
Official Website: www.revealrisk.com
LinkedIn: https://www.linkedin.com/company/reveal-risk
Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz and I'm Cody Rivers, and today we're happy to be joined by Jason Hoenich, who goes by the title of Security Awareness Apologist, and I think I know where he's going with that, but we're going to need to get into that real quick in this interview. Jason, welcome to the show and maybe tell us about your title.
Speaker 3: Thanks guys. I'm stoked to be here. I think I started using security awareness apologist a couple months ago. I've been on my own little journey here from the practitioner side to being a founder and then kind of being on the product side for a while, and I see a space. Right now this industry is, there's a lot of funding happening, with new startups coming out, and I feel like everyone is kind of maybe kowtowing to the VCs and what they want to see and no one's really still here for the awareness practitioners. And so I'm just here unapologetically just being like, yeah, but this is security awareness, this is how security awareness goes. And if I can maintain people's attention and kind of help people to rethink what awareness programs really are, that's what I want to do. And so I don't know, I just kind of landed on that and it sounded good.
Speaker 1: Love it, I like it, man, I like it. So let's start with, I think, Gartner's latest slogan for awareness, and I do think it broadens the terminology because I think awareness is only one part of behavior change and really shifting a culture. But let's go around the horn here. What is human risk management to you, and what is its relevance in today's world or enterprise? Jason, we'll start with you and then over to Cody.
Speaker 3: Yeah, happy to go first. I think, when was it, Forrester or Janan kind of introduced that HRM term? I looked at it as not the new umbrella, but kind of, if you consider security awareness and training as one layer, which is kind of like the actions you're taking, the content you're sharing, the HRM introduction to me is another layer that sits on top of that as part of an awareness program which is more about data, and like the data around behaviors and those metrics and stuff like that. So to me, HRM is just another, you know, layer two of what I think is probably a three-layer paradigm there of what it is. So I don't think it replaces anything. I see a lot of those conversations of like I'm not using this, or it's still this, and I'm like I think they both exist, I think both things can be true. So that's my point.
Speaker 1: Yeah, good answer. Cody?
Speaker 2: Yeah, that's great. I think maybe three kind of areas I would say, and that's engage, educate and empower. Engaging a workforce, like pulling it out of just IT or cyber professionals, I think, and then educating those on what their role is and how they can help a company. And then I think the empowerment is, how do they do that? So here's what it is, here's what you can do and here's how you do that. I think, as you're doing that, you kind of build, and we know, as a former CTO, you know a lot of the tools you can buy are great, but they need to have integration and visibility. And so this is looking at the non-technical pieces, and how do I build the human risk area and how do I evolve that as a valuable piece and viable piece of my cyber program.
Speaker 1: Yep, no, that's great. Yeah, I think you guys have both covered it. I would say awareness to me, you know, when I was running this on the corporate side, the term kind of fell short, right. Like it was, I'm going to make people aware of a problem or a need or an opportunity, but it didn't necessarily mean anything was going to change or their behaviors were going to change. So when I got to the consulting side, you know, at the time, this is five plus years ago, we were kind of trying to recast it to awareness, behavior and culture change, and it was ABC and then the delta sign. And I think, to me, I hope that human risk management, you know, as a category, is broader than just awareness content and phishing messages, which is largely what it's mostly been for the last decade.
Speaker 1: My hope is that it is more holistic. And then, Jason, to your point, I think data is the catalyst that brings all that together, because if you're not measuring, you don't know what's working, and if you aren't making changes based upon what's working and not working, you're in an echo chamber, you're not really doing the things that matter most. Because most programs don't have unlimited resources, and the shots on goal that you're going to take had better be the best ones, so you're maximally successful.
Speaker 2: Yeah. So I mean kind of getting in, I think, and you've got a good point there. But, Jason, from your perspective, how has the definition and scope of these programs evolved over the past few years? I know you can go back and it was just the training, but from your perspective, talk about the scope and the evolution.
Speaker 3: That's an interesting question. I think I'm going to have some probably unpopular opinions and views on this.
Speaker 1: Love it man, I love it.
Speaker 3: I actually think that what we are calling human risk management right now, I think it's in a dead zone, and I don't know how we get out of it unless we just blast right through and say, okay, this is okay, but we need to move forward.
Speaker 3: And I think we see vendors kind of falling in that trap right now, but it's still in the right direction to me. And so I think the scope has shifted from more of that technical tool, like I can send simulations and I can assign training via an LMS, to having more organic conversations, maybe around human behavior. And I think there's a gap where we've introduced this concept in human risk of behavior change, and I still think most practitioners and vendors, I'll say, don't really have that qualifying education to even frame them the right way, I think. And so, I don't know, to wrap this up, maybe I think it's a necessary shift. I don't think it's the right shift, and I'm interested to see what comes next.
Speaker 1: Right, yep. So maybe the pain point that you're starting to get into. Let's put some big, hairy pain points on the table, let's discuss them a bit, and then we'll move into, kind of, you know, this group of thought leaders ideating for the future. So the first one I'll throw out there, we'll get some reaction, then we'll go through the second one, third one. The first one is SaaS or MSP commoditization of awareness training. And, Jason, you alluded to it: 95% of the focus of most awareness programs out there that aren't, you know, staffed with two to three people or more is basic phishing training, quarterly, sometimes monthly if you're getting a lot of it. Online training, like you mentioned, jammed into the LMS, starting to be more bite-sized, but it's still canned, it's not tailored to the company. And then you know metrics and reporting on top of that. So, pausing there, Cody, your experiences, Jason, your experiences. What's wrong with this picture?
Speaker 2: Yeah, so I'll kind of dive in.
Speaker 2: I think a lot of it is, there's a lot of focus on, to your point, Aaron, the basic, like social engineering and the clicking, the phishing. But then I think what they're missing is going beyond that and looking at insider risk or AI policy and certain things that are going to be bespoke or tailored to an organization, and you're really not getting the depth of education or what you want.
Speaker 2: So what they're outside of, the table stakes, is: here's what this is, don't click a phish. And so I think getting beyond that and saying, okay, if I want to educate my workforce and drive awareness, or drive even just a sense of accountability that it isn't just the responsibility of cyber and IT to protect the organization, I think you kind of got to get to, how do we do that? Is it we report this way? Is it we are aware of the type of data we have, whether it be data classification, or we see someone doing suspicious things? But the first part is educating and kind of understanding what's my other users' accountability in this giant picture of cybersecurity?
Speaker 1: I'll just chime in there. Like approved tools to do good, secure behaviors. I feel like many cyber programs don't do a good job of setting up a great user experience to do the right thing, right? The awareness piece, or the human risk side, is making people aware of the tools that are there to use. But to me, if I'm a CISO, I'm putting dedicated resources on making it super easy, whether it's encrypting data or minimizing accidental email leaks or wrong sender. Like, pick your 90% of human flaws that lead to the breach and wrap the tool structure you spent a lot of money on around that, and really focus on that human and create an ecosystem of: I know exactly what to do, I know the data that I'm using, I know the tool that I need to secure that data and I know why it's important to do that. Jason, other thoughts?
Speaker 3: I think the only thing I would add is, at least what I'm observing with MSPs starting to really deliver awareness services or HRM services, however you want to frame that, MSPs can only be as effective as their platform tooling allows them to be. It almost seems like MSPs are providing a very much needed service for small businesses and smaller entities and stuff like that, right. So, like, I don't blame them in any way. I think they're only limited by the robustness of the tools, and so when you look at a KnowBe4, which is a SaaS company at its core, you know, once they introduced multi-tenancy, then MSPs were like, oh, I can now sell this, right.
Speaker 3: You're still missing that, and this is the thing that I always like to echo and amplify: you're still missing that education of the person administrating the platform, which, when KnowBe4 launched it, was the awareness practitioners. But as soon as they introduced multi-tenancy, MSPs are now the practitioners, and if they don't have that experience and knowledge on how to manage a program, they're kind of starting out where KnowBe4 did 15 years ago, right, which is they're figuring it out on their own. And so I think that there's some damage that can be done by not QAing that platform, by not educating the MSPs, and what I would like to see is more focus by those vendors to educate the MSPs and ensure that they're applying the best practices from production.
Speaker 2: Yeah, Jason, I think also on that too, there's a difference between playing not to lose and playing to win. And I think in that case it's like, hey, I'll do the basics so I don't lose. But to your point, we're not playing to win, we're not really getting better, we're just kind of covering a checkbox. And it's kind of changing that mindset, like let's push the bounds and let's drive a change versus, you know, check a box.
Speaker 3: Yeah, I always like to refer to the snake eating itself. It just kind of feels like that cycle of, just because you can do it, should you, kind of thing. You know, and I always ask vendors and practitioners, just think about it one more step. Like yes, you can do this, and we'll probably get into this, maybe on another topic, of all the startups coming in now that are implementing AI. It's like, yes, you can, but should you be doing that? Like, is that actually beneficial?
Speaker 1: One interesting observation is, you know, we do a broad number of services across cyber and strategy, operational stuff. Awareness is one of our capabilities, but 99% of our clients all have, you know, usually KnowBe4 or Proofpoint or one of the other solutions out there, and we're not trying to displace that. I'm not rushing out to be, you know, the hundredth tool that does that, because I think a lot of what's missing, and, Jason, both you and Cody alluded to this, is beyond what you can get in a box from KnowBe4. I don't want to recreate the basic training things, but, Cody, all those things that you mentioned: what's the strategy of how we're going to roll out InfoClass and data protection and DLP and appropriate use policy? So we're not doing HR investigations of thousands of DLP trip messages that hit because we have broken business processes and people don't know how to do the things we expect them to do but never told them.
Speaker 1: So I think there's a lot of work beyond just the tool, which kind of leads us into the next pain point, which is, I think historically, this is changing a bit, but 10 years ago for sure, most CISOs or senior cyber leaders came out of a very technical background and, a lot of times, infrastructure. I, too, started my career as an IT developer, right, so I'm a technical person by background. But I think if you have a prominent or a heavy portion of your community of leaders that grew up there, they were rewarded for developing and delivering tools. It's hard to get out of that mindset, to not just solve a problem completely with a tool deployment and a solution. So I think we've already kind of alluded to it, there's layers here. But, Jason, Cody, what are the layers beyond a tool that we think either tools need to be starting to solve, or what are the examples of human and process things that a tool will probably never solve? Yeah, go, Jason.
Speaker 3: This might be venting here. So I think what's missing, and continues to be missing, and even there was a big announcement today on a huge funding for a startup that just came out, like $30 million or something, and I went and looked at the site and they're automating things.
Speaker 3: That, from a technical standpoint, is a lot of toil, right, and for an awareness practitioner, you know, I see a lot of these HRM platforms focusing on the workflow automation, and I think that's great. But everyone is stopping short, literally at the most crucial element I think that they can provide, which is a risk reduction action button that an end user can take. If you're going to interrupt them and you're going to auto-assign this fancy workflow automation because they clicked on a phishing simulation or a voice phishing simulation, instead of serving them content to train, see what other data you know about them. And I think the example that I'm referring to is: you have externally shared files, and the solution is, hey, you should go and unshare these. But how powerful would it be if it's just like, do you want me to unshare these? And they just click it and all that risk is reduced, and then you can actually take that away from the store.
Speaker 1: A teachable moment and a workflow that helps them undo the accident they were about to make, versus backend manipulation.
Speaker 3: Yeah, like, do not show. If you're going to interrupt them, give them something to do. Don't give them a homework assignment that they have to go and figure out through policies or some other page. Be like, do you want me to take you there right now and do it? Yes, boom, done. All I have to do is say yes or no. And I think that once we can get to that point, that's when you can start seeing user risk scores being actually valuable and reducing them with one click. Like, hey, your risk score is this. If you just click this button right here, I can take your score from a 55 all the way up to an 84, right, because you're removing this risk. And those are the tickets that get created with, you know, SecOps and IT ops. It's still just removing that last mile of toil, you know, with everybody. So sorry, that was a big, big point. Spot on, I like it.
Speaker 2: I think, to your point about additional things, my thought is the process or the approach to this is also important. Because, like, you know, I think of a client we had which is a 70,000 user oil and gas company. They're in 40 different countries. They have guys on oil rigs in the middle of the ocean. They don't even check their email, and so it's like, how's the tool going to solve that? And this is a process, or there's a one-pager, there's a town hall, a stand-up. But I think, Jason, to your point, a lot of people aren't looking for more things to do. Like, I have plenty of time, what else should I do? So you're taking time from something. You're going to be competing for time on someone's calendar. So, like, be brief, be brilliant... God, I probably messed that up. Be bright, set up, be right, oh, whatever it is.
Speaker 2: Oh, we all know that thing. But I think with that is, let me not send financial wire fraud training to someone who's, you know, pulling a switch on my OT line or my manufacturing line, right? So, like, have an approach, multi-channel: some are videos, some are audio, some are just a line leader with a slide in the all-hands that week or something. Do omnichannel, make it relevant to that person. So it's like, this is relevant to me, how I can help. I'm not getting finance; I don't touch the accounting system, so this is not relevant to me.
Speaker 2: So, to your point, use that time wisely, build their trust and then engage them. So they're like, okay, this makes sense, it's relevant to me, I know what to do. And then I think really the next challenge you kind of face is, you know, measuring effectiveness. But that's another topic here as we get going. But that's kind of my thought. I think where you'd miss out is, you know, you send the emails and the training out and so many of my employees either don't speak the language, I don't have different translations, or the content is just not relevant to them.
Speaker 3: Yeah, when you said something there, Cody, you know, this omnichannel approach now, where we can do Slack and Teams and email and SMS and stuff like that, I think that's my biggest concern right now, because I think that's what AI and the technology right now is unlocking for a lot of vendors: the ability to do that at scale. And my fear is every vendor is going to have their own Slack bot and they're just going to use it to remind people, hey, here's your training, you need to complete it. And you can just do so many more effective, risk-reducing actions than just automating that email outreach. It's just a fancy email reminder at that point, right? And so, yeah, no, I totally agree.
Speaker 2: We see a lot of them, probably later on too, but a lot of our programs we've done, our larger programs, are built like a spokesperson or a character, and it's animated, makes it fun. So I'm getting, like, there's a video, or, you know, they use an internal Yammer system or something. But, to your point, find a way that's engaging. Like, Lord knows, we've got a thousand, you know, Teams alerts, email alerts, especially in security. We've got so many of those. So, how does this stand out? How does this look different than what else I'm getting, to make me be like, oh, I should look at this one.
Speaker 1: Well, we'll get back to characters, because I know Jason spent some time at Disney and Sony, so I want to see what characterization came up there. But before we do, one more pain point. And Jason, this is kind of where you, you've been on my feed for a number of years. We connected many years ago when we were both at different companies, but I think you had a video post, which was your first, if I would call it, a series where you were kind of not so happy, I would say, with the vendor market that you had seen out on the floor at RSA. So unpack that for us. What drove those feelings and how have you since culminated the general industry concern? And then we're going to use that as a jumping-off point into how do we solve both the tech side as well as the stuff that the tech will never really resolve?
Speaker 3: Yeah, so you saw that. Huh, sorry about that. Yeah, I think, going into RSA, you know, I was kind of seeing a lot of chatter on LinkedIn leading up to it about different vendors. Once it was all said and done, I kind of looked back at it and I was like, there was really nothing exciting, at least from the HRM and awareness space.
Speaker 3: I think maybe I was just disappointed, and I think what I'm seeing is, and this is again just what I think and feel, having been on both sides, with VCs and without VCs, is that founders are coming in as software developers, creating a great platform, but then they fall into that VC cycle of, you've got to feed the monkey, right, you've got to raise every 12 to 18 months. And so you get into this relationship of, well, what does the VC want me to do? And if you have a great VC, I think that's really healthy. But I think there's also some VCs, or, you know, just investors, that are like, I don't care that employee's time most valuable and to build trust between the security team, and I just don't. I was just disappointed. I didn't see anything happen, yeah.
Speaker 1: One thing that worked really well for me, it was actually at a different conference. I was at DEF CON in 20, what was it, 2023, and got to see, it was, I believe, one of the security researchers for CyberArk that filled the room. I mean, they call it LineCon for a reason. It's tough to get into some of those rooms, but it was probably a room of 500 people, and he had been given the special assignment to deepfake the CEO of CyberArk in real time on stage in video and audio. And I was so excited to see it, and I knew it would be good, but I didn't know it would be that good. And even since then, that's been almost two years ago, the technology and the compute speed has just gotten so high, so I left there.
Speaker 1: I'm like, shit, this is getting like, the voice stuff, like the CEO BEC now becoming CEO phone call, becoming CEO Zoom meeting fraud. And I was concerned as an awareness practitioner, like this opens up a whole new aperture for what we need to be educating people about. So yeah, I didn't immediately action it, but early that next year, it was actually right before the first big case, the $25, $26 million Hong Kong manufacturer huge wire fraud scam, multiple deepfakes running in a Teams meeting. They definitely did their homework. But we decided to do something very tailored to organizations, and we said, what's the best way that we're going to show people how this works? And it's going to be with their CFO and CEO and showing an actual attack in reality. So obviously this is not something you can SaaS, but we've built, I would say at this point, 15 different large company threat scenarios using real CEOs, CFOs, CISOs, and we usually make the CISO the hero, in which they're the one receiving the Teams call or the Zoom call. It's an attack, exactly what's going on in the wild, using them, and then both leaders together educate the workforce on how they stopped it.
Speaker 1: And we've had some of the feedback from established companies, like, hey, this was some of our best received feedback. And you know why it was different: it wasn't something out of a box, right, it was real people, with people they know that they wouldn't have expected to, you know, be game with some of this stuff. So maybe shifting with that, let's jump into the art of the possible and the solutioning, and I've got a few things to guide our conversation. Forgetting about tech, and Jason, I want to maybe start with you and some of the things that were maybe creative that you did at Disney or Sony, but program-wide and not the basics, not the tool, not the KnowBe4, not the Proofpoint. What are some of the things that you've done in the past or have thought about for the future that work, that are the above and beyond, that really capture the attention of the workforce?
Speaker 3: I mean, the clear standout for me, I did it at both companies, and it was in an effort to create an event for October, you know, for Cybersecurity Awareness Month. The red team at Disney that I was partnered with, they were down for this idea. And I was like, we always talk about don't click the link, don't click the link, but we never talk about what happens after the click, right? I was like, what if we just did a live hacking session? I'll volunteer. You can live hack me in front of everybody and show what happens after I click on it. And the concept was we would do that, we would have both screens, we would have my laptop that I was presenting from, and then there's kind of like Mr. Robot style. And so they did it. They sent a payload after finding, I think I had just gotten married at the time, so I still had my wedding website up, and so they just pulled it from that. They sent me an invoice from a vendor with a payload, and, you know, I knew it was happening, so I had to act it out. And it was for a live audience, and it was recorded, so it was available. But that moment when I clicked on it and all of a sudden my face was up on the red team screen, because they had just taken over my camera, like the gasp in the audience, it took like 10 seconds for that to happen, right? And so that was my, that continues to be my favorite example. When I see people talking about what they want to do for October coming up, and people are planning for it right now, I was like, if you can pull off a live hacking demonstration in a way that's safe, people eat that up, and that's something that they'll go home and talk to their families about.
Speaker 1: Yeah, no, that's key. If you're talking to your wife or your spouse or your friends, you know that it's sunk in, and then they're teaching others, which means they're reinforcing it themselves.
Speaker 3: Yeah, social currency you give them.
Speaker 2: Yeah, one thing I have hit on a little bit, but this is a challenge we see a lot of, and even we're big on metrics for program metrics and vulnerability and risk reduction. But measuring effectiveness in a human risk awareness, human risk management program, how do you think, or what do you recommend, how do organizations measure success or failure of their initiatives? Do metrics matter? I mean, I want to get your thoughts there.
Speaker 3: I mean, I think it's going to come down to, you know, what vendor they're using, what platforms they're using and really what the goals are. If there's a strategy behind what they want to do with their awareness program or their HRM program, then I think metrics can be great. You know, it's just like with any event, any marketing event, anything. You want behavior change in some way, and so if you know what that behavior is and you know how to track it, then I think metrics are great. If you're just doing it because that's what's available on the dashboard and you haven't thought more about it, then throw it out, you know.
Speaker 1: Great point. I think it's the same challenge. Metrics effectiveness is the same challenge that marketers have in commercial marketing, right? Like, so you think about how do marketers measure, you know, events? Well, how many impressions did we have at the booth, how many people came by? Well, that didn't necessarily convert to how many buyers. Same thing with cyber programs, right? Like, how many people opened the email and how many people did the training? It only gets you so far.
Speaker 1: So I think, Jason, you kind of touched on it: what's your goal? And, you know, what are you trying to push? And then, most, you know, the biggest thing is, what are you going to learn from metrics about things you're not going to do? Right, don't keep repeating the same stuff if it's not getting the eyeballs, if it's not getting the behaviors. And I think that's where the volume metrics can come in. Like them or not, they're limiting, but that is something that you can at least say, okay, this topic was really effective, at least from a volume standpoint. Let's do more on that and see if that continues, or take a different slant on it.
Speaker 3:Yeah, and like it reminds me that when I was with Habitu8, you know, selling my product, everything I did was like working with my customers to help them improve their programs, and even just working within like the SANS community, like the human risk community that they have, like everyone talks and has the same issues over and over again. What I noticed was like it always came back to, like, do you have a program plan for what you want to do for the next year, or are you just kind of like reactively doing something because the CISO said, well, we need to do phishing, we need to do content? And I was just finding that, like, you know, it's a nascent space. If you don't have a strategy, work on that first, because everything else falls in line, you know, once you understand, like, where your baseline is and stuff like that.
Speaker 1:So, Jason, you mentioned your October kind of live hack. I've done one of those. I would like to do more because we've had a similar effect. What are some of the other greatest hits, if you will, both Cody and Jason? I'll give a few. Like, what are your favorite things to do?
Speaker 3:Again, beyond the commodity tool things, I think the other thing I always tried to do, and this was because I was either with Disney or Sony, so I had like a very global audience, and like in-person events are great, but like that serves like 5% of the population, probably 10%, I started.
Speaker 3:I really like the idea of, like, an online scavenger hunt that you can have people kind of participate in each week, and I always just tied it back to like something I wanted them to know about or some behavior I wanted them to practice. So like I think, right before October, I had introduced like a one-page AUP document which I had gotten down from like eight pages. So like I just wanted people to go to where it was hosted on the intranet site and read what was on line 85. Right, and that was the answer they had to provide, but I got them to go to the intranet site, you know, and then you just do a series of that throughout the month. You can get creative with what you want them to know and do, and it's a nice way to involve everybody. Everybody can participate in that. You mentioned global.
Speaker 1:We've had a lot of success, and on the corporate side we had a very extensive cyber champions program, and it was really helpful to us and me, one, to not have it kind of be from the voice of corporate but kind of bring that down into the various, you know, it was a multinational company in pharmaceuticals, so you know different cultures, different sub-entities, different divisions. Some were acquisitions and had a completely different way of working. So it's one of the hardest and most time-consuming to grow something, right, because you're essentially getting volunteers or voluntolds in some cases. Sometimes a voluntold is good if it's an appointee of somebody at a senior level that's like, this is your influencer for commercial sales, because they know the whole organization and people listen to them.
Speaker 1:I would take that over a general volunteer any day, but ultimately it's blood, sweat and tears to build up the knowledge of that group. Meet with them frequently and then start to feed your content through them and start to get the tailoring, and Cody, you mentioned translation issues. Champions can be your friend if they've got the time and the ability and the driver to, like, okay, you're going to take this mini poster that we're putting up on digital bulletin boards and you're going to translate it. You're going to make it more meaningful within the culture, because some of the stuff might not come across the way that we talk about it on, you know, the US corporate side. So for me, the champions, again, it's not the easiest one, but usually by year two or three, if you're not into a champions program and really building it into the culture, there's missed opportunities. You can only go so far.
Speaker 2:Yeah, I think your point on like the champions or influencers. I think of like popular brands, like what do they use? They leverage like celebrities or people that have influence in the communities, or they'll have like leadership, right? If it's important to them, it's to be important to me. And I think you're going back to what's engaging is like, yeah, I think even sometimes like humility, you're going to see that like, oh man, my C-suite is also vulnerable and they made a mistake or they showed there. So I think getting that like sponsorship, that engagement using like champions or influencers, it definitely helps when you're looking at representation across the globe, geographically, or even just like business unit diversity. So operations, manufacturing, sales, R&D, clinical, you know, whatever the different business units are there, you get some good feedback, and oftentimes I found if you engage those groups in like a way, it's a two-way street of feedback. They're going to give you feedback to make it more relevant on the ground and they're also going to give the team and take your message and say, hey, here's how we're going to echo that message. So easy way, you know, a lower operating budget. There's a cost to kind of get it up and running and manage that effectively, and what's a good starting point and what's a good trajectory to build it?
Speaker 2:I know one of our global clients. They're about 35,000 employees. Their first year, their program was 13 champions. That was their first goal. Hey, let's get a chart, let's get 13 champions, let's train them. Now they're in year two or three on it, and now we're doing like recruiting and we've got kind of more swag and there's like a little moniker for the email. So there's a little bit of like clout internally. But all these things began with like an idea and like, let's just start somewhere simple and then build it. And to your point, Aaron, they've done things like translations, you know, and like local representation as well as language.
Speaker 1:So, Jason, I got to ask you. Disney, did you get to use Mickey? Did you get to use Kermit, any of the Muppets?
Speaker 3:I got a hard no every single time. I had so many fun ideas, and Disney is a brand protection, like, master class in every way, and it's because they're so successful. I think it's because of this, but their response was, well, Mickey would never be in that position. He would never be in that world, or Kermit would never be in that world. And I'd be like, okay, well, can we do ESPN, like when we used to do the ESPN commercials, where the players would be like in the office trying to make a copy? And they're like, yeah, no. She would have got Terry Tate, man.
Speaker 1:That would have been.
Speaker 3:It was, it's like sky's the limit. Like we had Pixar, we had Lucasfilm and everything. It was just, it was enough. So it had to be creative, you know, and just work around it and stuff like that. We filmed at Disneyland for our training, like our CSO at the time, I should say I think he was a VP, security, Greg Wood. He was part of a video we filmed in like the animation hat that's at the studios. It's like one of the oldest buildings there, and so like we found ways around it, but we could never, we never had the blessing of that. Would you know, it was always that wouldn't be in their world.
Speaker 1:So maybe, and Disney, you're right, brand protection. Brand is everything for Disney. I think I ran into it on the corporate side, and we run into it with the clients, and I think anything above a Fortune 1000 client usually has a PR arm as well as corporate comms, global comms. So let's talk about building partnerships, because I think a lot of times the instant answer is no, you can't do that. But I think building those relationships and getting to a compromise, even though it might not be as creative as we all want, it's a necessary investment in your time. So, Jason, what's been your experience? Maybe, as you've moved on to Sony, did you take any learnings to get further with that, because Sony has obviously lots of brand assets as well.
Speaker 3:Yeah, Sony was a really great experience.
Speaker 3:I know I went in post breach, you know, and that was like the most notorious breach at the time.
Speaker 3:So I was in a very interesting environment and, to your point, I was, or I mean I used to sit with Legal, HR, Corp Comm at Sony, and I was like, here's the idea that I want to do, how can we do this? And like most of the times they loved it. They're like, oh well, this could align with October, this could align with August because of this, and I think it was like the clarity and the transparency that I was bringing that gave them confidence to say, I'm going to co-sign this, because if this screws up it's going to make me look bad. Right, so if you could, like, get them on board. So I'm always a champion of that. Also, I wanted to mention, always a big fan of security champions, security ambassador programs. Highest impact you can get if you put in the time up front. But relationship building, one-on-one, I think every program should have either like an advisory board from HR, Legal, Corp Comm so they at least see what you're trying to do and they can support you when it's in time.
Speaker 2:Man, hold on One more time for the folks in the back. Say that again, Jason. I love that. Say that one more time.
Speaker 3:The advisory board team. Yeah, it's something that I've always, like, encouraged folks. But I think if you have a program and you don't currently have a program plan and you don't have an advisory team, I think your biggest, most efficient wins, time and time again, is to make relationships with, you know, Corp Comms for sure, HR for sure, because it'll affect training periods and stuff like that, and Legal, if they're open to it. Right, they might not want to provide the team, but if you can get them onto a steering committee, an advisory board, and you just say, here's what I want to do with my program for this year. I want to do this, this and this, here's where I need your support. And they see that and they can have the confidence that they're not going to look bad by doing it, and they give you a thumbs up. A superpower, right, with your program. I just don't think.
Speaker 2:I don't think enough programs spend time making those relationships. Yeah man, I couldn't agree more. I think that we've seen the best success unlocked when that happens. So I think that's a huge thing. And, you know, I wish more folks invested in that thing because, to your point, it's like, even if you have the input, you know HR and Legal could also be offices of no, and if they're aware, then it's like you're kind of greasing the skids and you've got to push through.
Speaker 1:I hate to say it, but is it a true statement that post-breach companies typically get to more openness? Because I did see that on the pharma side after an incident, we got a lot of support to do a lot of really cool stuff live video, use of employees, heavy adoption of champions with support of senior leader executives. I try to push that knowledge and experience down to other companies that we help, because no one likes to build a program right after an incident. It's a lot of chaos. Was that your? Would that be your takeaway as well?
Speaker 3:In my, I would say in my direct experience and what I've observed from others, 100%. You go from constantly fighting and justifying what you want to do to just being like, yep, do it. And that's, I mean, it stinks that that's what it takes, but it is certainly an unlock. Kind of want to get like.
Speaker 2:Give me, like, your concluding, your final thoughts, or even like your advice for, like, security leaders that are grappling with either getting one off the ground or rebooting a program. What?
Speaker 3:Are some like Jason's insights. So I love Stu, I love Perry, and I've always called it like the KnowBe4 effect. I see a lot of programs in that spot where, like, they're either with KnowBe4 or like another provider on a three-year contract, and it just kind of gets a little stale, is to take a step back and assess your program. If you can, I put together this tool. I don't know if you might be talking about it or not. It's been a passion project for me, not really understanding the wholeness of awareness programs and what they can be outside of just phishing simulations and content, and I wanted to make a way to better understand, like, even like the latest NIST requirements that came out. It's all technical and there's a slew of, like, or you know, suggestions, recommendations.
Speaker 3:So I I chunked it into this like framework.
Speaker 3:It's called SCAT, S-C-A-T, so it stands for strategy.
Speaker 3:You gotta put strategy up first, right, and then the engage, ascend training, and so it's an easier way to understand all the components of an awareness program, and then you can assess yourself based on those questions and everything aligns to NIST. And what's great, I refer to it as like my Blue Apron concept. So if you're familiar with, like, the meals, the service delivery, it's like you go in and you tell what you want to eat, what you like to eat, it sends you a box of recipes and ingredients and tells you how to cook. You still got to do the cooking. So it's like, at the end of this assessment, if you don't have a maturity baseline for your program, this can help you do it in like 15 minutes, and then you can actually plan your strategy for the rest of the year based on where you didn't perform. So I just always go back: strategy, strategy, strategy. If you don't have one, work on it, you know. Do it for October, do it for the beginning of the year, anything like that.
Speaker 1:Think outside the box, think outside the tool, because, again, I think all of us here, we use the basic tools in all the programs we do, but it's those things beyond the tool that a lot of people miss, and that's really the missed opportunities for more than just click impressions but really workforce culture change and getting executives on board and getting champions to be that grassroots driver upwards within your program.
Speaker 3:Assess yourself before you wreck yourself. Yeah, I mean it is. It's that other 90% of effort that people don't focus on. You know they feel like, well, we got it all down to 90%, but it's like there's the other 90%. You know that you have to do kind of concepts.
Speaker 1:Awesome. Well, Jason, appreciate you coming on the show. Love talking about this topic, enjoyed our conversation. Continue doing what you do, continuing to apologize but also solutionize, because I think there's a lot of help that's needed out there, and appreciate your time.
Speaker 2:Yeah, Jason, this is awesome. Thank you, sir.
Speaker 3:Yeah, thanks for having me on, guys.
Speaker 1:Appreciate it. Bronwyn, if you want to pop back on and let us know if we needed to do anything else.