Simplifying Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
The Evolution of Human Risk
You can’t just “train harder” to mitigate human risk. We sit down with Ashley Rose, CEO and co-founder of Living Security, to unpack why classic security awareness training (SAT) often produces neat dashboards with flimsy outcomes, and what it takes to build a security culture that people actually engage with. Ashley shares her non-traditional path into cybersecurity, how marketing principles map nicely to behavior change, and why the security team has to become approachable if we want employees to ask questions, report issues, and stop working around controls.
We trace Living Security’s early days running security escape rooms, then zoom out to the bigger shift: human risk management (HRM) as a true risk management function. That means moving beyond completion rates and phishing simulations to quantify likelihood and impact using real signals across behavior, threat, and identity. We get specific about what that looks like in practice: endpoint compliance, MFA adoption, password hygiene, dark web credential exposure, privilege levels, and blast radius. The payoff is prioritization and focus, including the uncomfortable reality that a small percentage of users can drive a majority of measurable risk.
We also dig into the hard parts that make or break programs: integrating data in messy enterprises, avoiding noisy alert floods, and operationalizing outcomes through automation and adaptive controls. One of the most practical takeaways is simple but sharp: make the secure path the easiest one to follow. When people repeat risky actions, it often signals friction and broken business processes, not “bad users.” We close by looking ahead to a hybrid workforce where humans and AI agents share access, shifting the workforce attack surface again.
If you’re a CISO, security leader, or practitioner trying to prove ROI, reduce phishing and insider risk, and modernize security awareness into measurable human risk management, hit play. Subscribe, share with a teammate, and leave a review, then tell us: what’s the most broken workflow in your organization that security should fix first?
🔗 Connect with Us & Get in Touch
Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.
No gatekeeping and no BS. We’re here to simplify.
Official Website: www.revealrisk.com
LinkedIn: https://www.linkedin.com/company/reveal-risk
🤘 Stay Secure with Us
If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates.
Reveal Risk delivers cybersecurity results, not just reports.
Welcome And Why Human Risk
SPEAKER_02: Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz, and Cody Rivers. And today we're pleased to be here with Ashley Rose, the CEO and co-founder of Living Security. And I'm especially excited for this talk because I've been an advocate as well as a critic of all things security awareness and human risk, back from my corporate days when I walked into a reboot of a cyber program after an FBI arrest of individual insiders and trying to get the business outside of IT to understand and do things very, very differently. So I'm excited for this. Ashley, it's been a long time in the making, looking forward to this conversation.
Ashley’s Unusual Path Into Cyber
SPEAKER_02: Before we dive in, let's hear a little bit of the Ashley story and how did you find your way into cyber?
SPEAKER_00: Yeah, I think like many in cyber, I have a non-traditional background, but you may hear people that just kind of fall into it, whether it's like military or, you know, government work or marketing and comms. I think we see a lot of that, especially in the human risk space. And that's, you know, really what had been my path. I went to school for business marketing, actually fell in love with business through a program called DECA. And it's top of mind because I hosted my daughter's, my senior daughter's, DECA end-of-year party yesterday at the house. So that was very cool. And really what I learned about myself through that program and then through my years in schooling is that I just love to solve problems. And so that's as simple as I can state it. And, you know, first in high school and then sort of post, or I'm sorry, during college and post-college, I actually got my feet wet in entrepreneurship, building an infant and children's swimwear line. So yeah, that's probably surprising to people. But what was really great, and I look back on that experience fondly, is I had to go from customer research, problem identification, design a solution, bring it to market, deliver it to the customer, and then solve the customer problem over and over and over again. And so that in essence is what entrepreneurship is. And so doing that once, I learned a lot and was able to apply it to future states. So, you know, I spent some years in private company marketing. And then I ended up actually, you know, really kind of getting my hands dirty, my feet wet in cyber, kind of more from the audit and compliance angle. So I ended up on a product as a product manager and a product team. This is what product people do, right? They're solving problems. So I was like, this is great. I can go solve problems with tech.
And I was actually building an internal identity and access management solution at my last organization. And that's, you know, that's when I started kind of learning about the technical side of cyber. My husband, his background is more traditional. He came from a military background. He went MI, military intelligence, spent a couple of years over with the Marine Corps doing cyber network and operations. When he came back post-deployment, he was building the cyber program at the company where I was working on the identity solution. And I was actually able to witness firsthand the problem that he was having in the space. And I remember just a very vivid conversation. This was happening. He, you know, he'd be coming home and building games. And at the time he was building an escape room for security training. And I remember asking him, like, you're a cyber guy. You're a tech guy. Why are you building cyber games for people? And he said, Ashley, my number one challenge is getting the people to care, getting them to engage with cybersecurity so that when they have a question, when they have a problem, they'll come to me. Right now, everyone is scared of the cyber team. They think we're gonna tell them no, we're gonna shut off access, we're gonna block them from doing their jobs. I need to start working on the culture. And that was kind of my aha moment as a problem solver, entrepreneur. I said, okay, this really makes sense. And then we asked ourselves, if you're having this problem, how many other security leaders are having the same challenge in their organization? And so just to kind of fast forward to not quite the end of the story, but maybe the beginning, I found myself on the Black Hat floor with a tablet, interviewing CISOs about what was going wrong within their human risk cyber program. And I learned a lot.
And you know, maybe the rest has been history, but I'm sure we'll close the gap on that today.
SPEAKER_02: Well, that's awesome. And it didn't click for me when we did the prep call a couple of weeks ago. But when you think about it, marketing as well as entrepreneurship is really a lot of the problems and the basis for the workforce or the human risk factor. And some of my, on the corporate side, some of my best people that I brought into roles that ultimately went on to become BISOs and lead insider threat programs were from marketing, marketing and a little bit of finance. So I do think the cross-functional, like bringing people in that aren't traditional, really helps us from a diversity of thought standpoint, but as well as, how do we get people's attention? Well, that's marketing. That's comms, that's what we are, right?
SPEAKER_00: Well, I mean, I know we'll get into SAT, but who built the original security awareness and training programs? IT professionals. And so, if we just take that for what it is, it's, you know, people that are working mostly with computers and tech, less on the business and people side, and they're trying to solve a business and people problem. And for all intents and purposes, the stats, you know, make the claim that that has not been successful, in my opinion. And so I think it was actually a competitive advantage for us that I came more from a business, you know, marketing perspective. And to your very point, marketing's job is to drive behavior change. The behavior that they're looking for is how can I get you to follow my path, click my link, you know, go make a purchase and become a brand advocate and ambassador. In a similar way, when we're building a security culture, we're trying to drive positive behavior and get people to become a security advocate or a champion. We're taking a very similar approach. So, yeah, a lot of the methodology, things I learned on the marketing side, we've been able to apply to the human risk side as well.
SPEAKER_02: Love that. And I was in a conversation yesterday on sales automation, and I made the comment like sales automation and automating people to click things in emails. The converse of that is the cyber criminals and the phishers, right? It's all about social engineering. There's the white hat social engineering, which is probably some benevolent thing, like, hey, come look at my product and click the link, and I want to get you into the funnel, you know, that will ultimately lead to the sales. But on the flip side, criminals are selling your entrance into their ransomware. So many parallels. That's not a great parallel. And sorry to my sales friends that I was gonna say, Aaron, did you side to that?
SPEAKER_00: Did you just equate marketers to cyber criminals? Because that's kind of what's the way right now. Salespeople.
SPEAKER_02: Marketers are cool. Yeah, Ashley, you Braunwin, you're in the cool club. Salespeople, I might have just, all those sales people know of you know, yeah. Anyway, let's move along before I dig my hole any deeper.
SPEAKER_01: Yeah, well, and I'll just say real fast too, Ashley, I think I love that your background is not the traditional route, because a lot of times I tell people with our clients, when you're trying to sell to people in IT and cyber, we know they kind of understand or have the foundational understanding of why this is important, but we're trying to get those who don't care about cyber, who don't think about it, you know, like my furthest stakeholder from it. And I would say marketing kind of gets the picture there, but they're, to your point, helping to sell the intention, to sell the dream. So I love that. That's why I love what you're doing over there and excited to chat more here on the podcast.
SPEAKER_02: All right.
Escape Rooms Turn Training Into Engagement
SPEAKER_02: So we've gotten through the entrepreneurial marketing background, the babies and kids swimwear, the pivot to cyber through both your own intrigue and your husband. Now let's fast forward to the early days of Living Security. And I remember you guys coming out with the escape room stuff before anyone was doing it. How did all that come to fruition? And then ultimately let's pivot from SAT, or security awareness and training, to HRM and really get into it for maybe our listeners that aren't as familiar with that. It's not just another tool, but the tools have to look very different from what we've seen over the last decade.
SPEAKER_00: Yeah, absolutely. So I'll actually go back to that Black Hat floor, because the two insights that I heard from every conversation, they're actually, you know, quite similar. One, there's a lack of engagement with cyber. People were not paying attention, it was not presented in an understandable and, you know, approachable way. And therefore they're zoning out, tuning out, and still doing the same things post the training, despite, you know, clicking through and getting all the answers correct. So there was no engagement, no behavior change. The second thing that we learned was that outside of, you know, I would say kind of easily fraudulent metrics, completion, click rate, report rate, right? We can make our click rate go down if we make our phishing scenarios easier. We did not have any way to effectively measure and quantify human risk. Those were the two things that really stood out in my conversations. And so I actually remember sitting at a park, I can tell you the exact location. And Drew and I sat on a hill and we debated hardcore which one we were gonna go after first. Because we couldn't do both, right? When you're a new startup, you are two people and a little bit of funding, you got to choose. And ultimately, to, you know, maybe my dismay, because I probably would have built human risk management in Unify back in 2017 and it would have absolutely failed, fallen flat on its face, and nobody would have bought it. It was ahead of its time. We opted to go the engagement route. And so we said, fine, let's do it. And so, what was the fastest way to get product to market? Drew and I were not technical coders, although now with AI, I actually do a little coding myself. Vibe it, really. I'm a viber, a vibe coder. And yeah, so we said, well, what can we do?
We can, you know, take these escape rooms that were really, really popular. They were just kind of hitting, you know, a big streak with the general public as well. And we were gonna turn those into security training. And so we were literally, you know, going to Goodwill in the beginning, picking up props and then retrofitting them to basically mimic security situations, packing them up in boxes, literally luggage and suitcases, jumping on planes, and then getting on site with early customers and running these escape room experiences for their employees. And I'm talking like turn and turn, every 30 minutes, we're getting eight people in a room. And I'm on site for days at this point, right? Because we're trying to get a mass audience through. So, what was really unique about that opportunity is I got to sit next to these program owners, the CISOs, the leadership team that they wanted to bring through. And I got to hear firsthand for hours at a time, days at a time, weeks at a time, what was going on within their human risk and cyber program. So, Unify, the human risk management concept, was actually birthed on the ground floor in security escape rooms, alongside of the customers. And so that's truly how this concept really developed. We knew we needed to be able to quantify risk, but we didn't really know how or what it would look like. But we actually really got to materialize that while we were on site with the customers doing the escape rooms. And so there was a really natural progression there. I'll say, you know, to kind of quicken that. So the escape rooms were very popular, customers loved them. One of the things that it truly did, that I think you do have a hard time doing with mass scale online training, is the security team was in the room and they got to see the benefit and value of the program that they were providing firsthand.
Because the aha moment would pop up and you'd almost see this person, like the light bulb go off when they learned something unique, or they would ask a question or say, I saw this thing on my phone come through. It was so visible, the ROI. Still hard to quantify, but very visible. And so that really motivated the customers to keep wanting to do that more and more. Actually, if it hadn't been for COVID, I don't know; it would have been really hard to shut it down because it was so beloved. We still have people today come back and say, do you have these escape rooms? But anyway, COVID obviously accelerated the need to be online and to achieve scale. And so it was through 2020 and then some capital raising that we went after problem two, right? Which is how do we get visibility? How do we quantify risk? How do we deploy interventions at scale? And how do we drive an ROI from our programs? And so that was really the accelerant for us: like many businesses, through the COVID pandemic, you have to pivot and go with where the market's going. And it's been a great journey from there.
SPEAKER_02: Love it. So, Ashley, talk about, because I think when HRM was kind of relabeled, Forrester
Measuring Human Risk Beyond Phishing
SPEAKER_02: declared it. I know you mentioned to me in the prep that Gartner just asked if we could do another, if it needs to be renamed again. And I think both of our reactions were very similar. But talk to me about, I think there was a misperception early on that risk quantification was going to be on the human risk signals that were available today, like phishing, like we're doing metrics better. But talk to me about the broader signals that, you know, an evolving HRM program should be pulling in and really how it starts to look very different from what SAT was able to measure and metric over the past.
SPEAKER_00: Yeah, absolutely. So we started very intentionally, and the naming convention was also very intentional. We called it risk management because I believe that is our job. You know, we are human risk managers, we're not human risk eliminators, and risk management is a business security function. They have to work hand in hand, right? And I do believe, I said this on the prep, that risk is not inherently good or bad. I think there is acceptable risk, and sometimes, you know, you have to take risk to drive competitive advantage. So when you have CIOs and CEOs saying, hey, everybody in your organization needs to be using AI tools, and there's not a lot of, you know, security governance and restriction, the question at that point is, how do we manage the risk around this? And ultimately you're weighing out the upside, right, the potential benefit of letting people do that, with the downside risk that could come with a security incident, a breach, right, privacy, all that. And we know where that's landed, I think generally. Most companies that I've talked to, they want their teams interacting with AI and they're gonna go figure it out after the fact. Now we have, you know, maybe more compliance oriented people, or people that have, you know, maybe not quite that risk tolerance, that are blocking, restricting. I would say there's probably a lot of shadow AI in those environments, but we'll talk about that later. But back to your question. So we started out with, okay, this is truly a risk management function. How do we quantify risk today? Likelihood and impact, right? And so how then can we quantify human risk in the form of likelihood and impact? And that was really the basis of where we started. And so we said, well, what are we learning from our metrics today?
Well, what's the propensity of somebody to click on a phishing email, potentially? Because, you know, these are also simulations, they're not real, but it's giving us some signal. And then are they taking their training and are they compliant? And that's really not a lot of depth, right? When we're thinking about risk quantification. And so it had to be more. And so then the next question was, well, where can we get some of these risk signals from? And so we realized that a lot of this signal aggregation was already happening in the security teams, right? We had SIEMs and SOARs gathering and collecting data across your entire infrastructure and security tech stack, but they were feeding it back into a solution that was really optimized to manage your network, your assets, your devices. It wasn't tailored for user risk. And so, in a similar way that the SIEM was collecting the data, we realized we could actually start getting a lot of behavioral data about users, not through simulations, but just how they were interacting with their environment. Was their endpoint compliant? Are they clicking a real phishing email? How are they handling data? What websites are they browsing? Are they using MFA? Are they setting strong passwords? The list goes on, but a lot of behavioral signals. So that was great. That was a great signal start. I would say there's some companies out there that will stop there. We said, well, that's not really true likelihood and impact either. And so how do we move beyond? So we need a threat vector. We want to know, is this person getting targeted? Right? Well, there are signals, contextual signals outside of the behavior that really matter here too. So maybe we can get some of those. Threat intel platforms. Can we see people who have breached credentials, for instance, that were found on the dark web? Absolutely.
And so then the next piece was, all right, now let's think about the impact. Where can we get that signal from? Well, we can tell who has admin privileges, right? Who has privilege escalation if their account's compromised? You know, what's the blast radius for this individual? And so we wanted to go after the sort of inherent risk signals, the identity signals. And we believe that if we could marry these three areas, the behavior, the threat, and the identity, we could give you a really, really solid risk quantification engine or an HRI score and really give you the opportunity to start prioritizing where you spend your time. How do you get to that 10% of individuals that are driving 73% of the risk? And that's a backable claim by a study we did last year. So I think that answered your question, but it really was that simple. It was just, what do we need to accomplish? Where is the data? Can we connect it? Does this make logical sense? And then let's go after it.
SPEAKER_02: Well, and one follow-up on the "can we connect it?"
Connecting Data Without Creating Noise
SPEAKER_02: For those of us that went through UEBA, you know, probably five, 10 years ago, UEBA implementations and lots of connectors. Actually, one of the managing directors on our team, when he was first getting introduced to HRM, he was like, oh man, I went down this with UEBA and all the connectors and trying to get everything, and it always sounds great from the vendor perspective, but then nothing connects right. But that was 10 years ago. APIs are different, the world is more interconnected. What does that look like for you guys, going from the promise of the great things you can do if you connect everything to actually connecting it? What does that take?
SPEAKER_00: Yeah, that's a great question. So certainly we have stumbled quite a bit. I have all the bumps, the bruises, and the scars to prove it, is what I tell people, especially when I'm speaking to the enterprise. I'm like, we've seen it all. We work with the biggest companies in the world. There's a lot of messy identity, you know, out there, a lot of messy identity systems. And so one of the first things that we did was realize we needed to create our own entity resolution and identity graph in this solution, because we're gonna see Ashley on the endpoint and in the web application firewall and in the email security tool, and Ashley's gonna look different in all of these systems. And we needed a way to bring it all together and see who Ashley was, what she was doing, right? All of those things. And so that was the first thing we did. And then we needed a source of truth, right? Typically that's coming through an HR system, a Workday, maybe it's coming from your Okta or your SailPoint, an identity solution, but we could then orient everything else around it. And we're really kind of cleaning up the identity mess in a lot of these organizations. So that was the first piece. The second thing was, when you go out to these APIs and you're bringing in signal, we knew we did not want to be an alerting and noise platform. And actually, something I think is worth noting that you said, right, when you did UEBA, oftentimes the complaint was this was very noisy, there were a lot of alerts, you couldn't really find the needle in the haystack that you were looking for. And it was also very reactive in its approach. It was meant to be more of a detection and response system.
HRM, our focus was on how do we shift left and how do we go to predict and prevent, so that we're finding the signals and the sequencing that could lead to an incident and getting in front of it before the incident and the breach occurs. And so it was a very different mindset and approach. And so the data model had to support that as well. And so we said we don't want all the data, we want the meaningful data. And so we got really specific about what parts, what feeds, what signals and streams we're gonna be pulling in. It had to add context and value to our model. And the output needed to not be noise or junk either. We wanted the output to be actionable. And so when we started building the signal library and all that, it was with the mindset of how do we make this actionable. I'll say, maybe this last third thing to answer your question. There are a lot of systems out there, I would say pre-AI. It was very time consuming and costly to build out a lot of APIs direct to these systems. And we found enterprises would have, I have this homegrown system or something you've never heard of. And so our team spent a lot of time building out custom connectors. And we had, you know, sort of an internal, secure, you know, sales engineering position where we would have to go out, we'd build this custom connector, we'd work directly hand in hand with the customer, and make sure that there was trust in the data that was coming in. That was absolutely critical. That is actually one of the first reasons we started outreaching to partners like Reveal Risk, right, and others, is because we said, hey, there's really a need for services in the upfront implementation of this for these enterprise customers that have complex environments. And so yeah, I'm not gonna say that it was really easy. We learned a lot. I think we've gotten very good at this.
It's one of the things that is standoutish about our company. And then certainly with AI, we're doing some really cool things where, you know, now deploying AI against an API, you can actually do things like best guess matching and then surfacing up, you know, signals that you haven't seen before. The AI can kind of map that to the data models. And so there's some really cool advancements which we can get into. But yeah, complex environments take a lot of work. And we spent the years to figure it out.
SPEAKER_02: Love it. Ashley, do you have a dog in the office?
SPEAKER_00: I do.
SPEAKER_02: Did she, no, no, it was perfectly timed, because when you were talking about signals, all I saw was a little tail wagging right below your name. And I'm like, perfectly timed. It was on cue. Love it.
SPEAKER_00: Yeah, so she was supposed to be with, I have a child home from school in the back of the room who's supposed to be keeping the dogs quiet.
SPEAKER_02: So we applaud when office canine workers make an appearance. So that's welcome on this show.
SPEAKER_00: All right, good, good. Well, she may jump up in my lap if we let her, if, you know, we keep saying what a great opportunity that is for her.
SPEAKER_01: But Ashley, you've done a lot of cool things. And I want to talk about kind of the action out of what we're gathering with the data. And I think it was on the prep call, or on an interview I think I read that you did recently, but you said something that stuck
Make The Secure Path The Easy One
SPEAKER_01: with me. And it was, make the secure path the easiest one to follow. So kind of give us what that looks like in practice.
SPEAKER_00: Absolutely. So, first and foremost, CISOs, security leaders, they need to know where to spend their time actually learning about which pathways are broken. Because I think a lot of times we actually don't know, because we're trying to combat the thing that's on fire in front of us, and we're maybe missing out on some really big opportunities to, you know, enable faster work streams, drive business efficiency, and enable the business to drive operational results in a secure way. And so the first pass of that, the first requirement of that, is can we go figure out if there's an unknown unknown in our environment, an area of risk that we just haven't quite figured out? And we've seen that in a couple of our customer environments where it's like, okay, this group of people continues to do this same thing over and over and over again. And in the past, I think we would have said, oh, those, you know, stupid users, they don't care about security. Why are they doing that? Reality is that, guess what? We're putting a lot of friction in their job. They need to go get something done. They have a goal and an outcome, right? These people were hired, they're smart people, right? They were there in an interview process, they were given a mission, and so they're trying to get their job done most of the time, and something's in their way. So, you know, an example I gave, maybe it was in the prep call, was, you know, we were working with a healthcare system, and they were like, hey, these, you know, nurse practitioners and doctors, they keep sharing their password, and, you know, they're bypassing MFA and all these things. And it took actually going and having a conversation with that business and even maybe getting on the ground floor, going to the hospital system and saying, what is happening? Why are we behaving like this?
To realize these healthcare workers, their number one job is to save patients' lives. So they're on the floor, they're trying to get their job done, and this system's logging out pretty consistently, and they're moving carts around, and it's just taking so long to get, you know, to the patient record and whatever else. And so, you know, that's a risk decision for the business. Do we want to keep this type of, you know, log out time on the system? Maybe we want to extend it. Is there a different type of tool that can make it easier for these, you know, doctors and nurses to log in? You know, there's something here, and it's not what we're doing now, because the behavior that we want is not happening, right? The behavior we don't want is happening, so that's not secure. And on the flip side, we have frustrated clinical staff. And so that's just an example, but it required the data to be surfaced to start, and to ask the question, why is this happening? Go investigate, go spend time with feet on the ground, or go have a conversation with, if you have a BISO, right, your business owner over there, and then really co-author and work together to strategize what's gonna work for our business, what's our risk tolerance, and let the business make the decision, right? Is this acceptable risk or not? Do we want to pay to mitigate it, to transfer it, to reduce it, whatever that is? And so that would be one, you know, kind of on the ground example. There's plenty of others, but sometimes it's a systems issue. It may not be the bad users that keep doing something wrong. I mean, maybe it's a problem, but we're not gonna train that away, right? And if we could have, we would have by now.
SPEAKER_02: Yeah, I'd actually like to double down on the business process issue piece.
Broken Processes And DLP Reality Checks
SPEAKER_02: Because when I was on the corporate side and had the FBI arrest and the insider threat, there was no lack of executive support to fix it, which not a lot of cyber leaders get; you don't want to get that level of support. But when you get it, you can do a lot of things that you maybe couldn't if they're still doubtful that it'll happen to them. On broken business processes: right after this, obviously, we really amped up the data loss prevention capabilities, because data loss, data going out the door, exfiltration, that is insider threat. And when we were first turning it on in the high-risk countries as well as the high-risk business areas, there were all sorts of alerts. Some of it was white noise, but a lot of it, in that case, was insider threat. HR is doing interviews and you're doing investigations, and if it's not a false positive, then potentially someone is doing something bad. But what we realized early on is that there are so many broken business processes, and people have done things a certain way: emailing very, very sensitive files to vendors in clear text, or pick whatever bad behavior it was. And no security awareness training, once a year, quarterly, bite-size, was going to fix it. Somebody needed to go re-engineer that business process. And then the second thing, on Cody's question about making it easier: if you have the signals from a quality tool, HRM, DLP, wherever you're identifying the gap, and you're going to go in and fix the business process to make it secure, while in there, why would a cyber person not want to take some credit for getting rid of unnecessary steps and making it go much quicker? We had a bunch of success when we used Six Sigma black belts to parachute in.
And again, it's hard to ask a business process owner, hey, here's an HRM report and your business process is broken; on top of everything else you're doing, go fix this on your own without direction. That won't work. So I'm a big advocate that our industry and CISOs have understaffed SAT. At a lot of companies we see, it's usually about half of a person. If we want to get HRM right, even with the greatest tools, if you don't have the human capital around them to enact the positive change, there'll be a lot of good signals and we can block stuff, but let's put some effort and resources behind this and do all the things that CISOs wish the human side of cyber could help with. So I get a little passionate about that. But what are your thoughts on how we go fix it?
SPEAKER_00: Yeah, there was so much goodness in the story that you just told.
Giving Awareness Leaders A Real Seat
SPEAKER_00: So a couple of things really stand out to me. First and foremost, it's not just about adding capacity, but also empowering, enabling, and actually elevating that particular individual. I remember one of the first decks that we built around human risk management, in partnership with the customer: there was a table, and SecOps was there, and insider threat and TRC and the network security team, and the list goes on. They're at the table enjoying a conversation, and then there was the kids' table over to the side, and the security awareness person was sitting at the kids' table. This analogy came from our customers. They said, we are invited to the conversations, but we don't have a seat at the table. So how do you expect them to go help solve your number one risk, which is your people? The stats are clear. You put a person on that, which is great, and they are motivated, but they do not have the tooling, they do not have the access, they oftentimes do not have the executive support, and they don't have the budget. That is a really hard position to be in. When we talk to this type of individual, they're always telling me, I want to do more for my company. I want to be able to prove out the work that I'm doing. I know it's doing good, I can feel it, I can see the light bulb moments, but I have no proof of my effort, so it's hard for me to communicate around that, and I can't get budget. So that is still very much, I'd say, the state of the industry, and we need to do more work there.
So yes, we need to give them a seat at the table, and we need the cyber teams and CISOs to recognize that this is a critical attack surface, and you need to manage it well and staff it well. And you need to be breaking down the silos in your security team. Then moving to the tool: how do we do that? We always say that human risk management tools, when implemented and operationalized effectively, break down the silos. First and foremost, we can't do anything without the security data. So we need SecOps at the table, we need the tool owners, we need to be pulling in and ingesting the data, but it should not stop there. When we are able to categorize and derive really important insights and prioritization of risk, there's so much value for these tool owners, and the context that we can provide them can actually enhance the value of the tools they've already invested in and are spending their time on. Let me give an example. The DLP issues that you were talking about: you probably weren't going to go block every type of DLP alert that came through. Actually, many times the DLP and UEBA solutions, when they're first put into practice, are in read-only mode; there's not a lot of write happening. We've seen that, and people have negative connotations about the first pass of this. But the real reason was that it is noisy, and there was a lot of risk if you blocked somebody from getting their job done, especially when it was maybe not a malicious insider. There are a lot of false positives in there. But what if we could start prioritizing those alerts for you? What if we could marry high-risk individuals across numerous systems, across their identity system, across their email system? What are they doing with phishing and all of that?
And on their endpoint, is their endpoint out of compliance? What if we could see very clearly that this person holistically is very high risk, and now we're also seeing a lot of DLP alerts? Maybe we would turn on a block for that individual. And then people that are more vigilant in nature, who are reporting phishing emails, taking their training, setting strong passwords or using MFA: when you start seeing that, maybe you're not going to block it right off the bat. Maybe you're going to send them a training, send them a nudge, and redirect them to the appropriate business process. So you can start providing contextualized and adaptive controls and policies when you have the context of that individual from a risk perspective. I think there's a lot of value for security teams in doing that. Then there are two other points I wanted to make from what you said. Efficiency is key. We have small teams across all of security. We are understaffed, not just on the human risk side of things. So it was really important for the platform to be able to enable a lot of efficiency and workflows. There are a lot of broken security business practices too; you want to clean up your own house first. For instance, I had a customer tell me, okay, when an exception policy is requested, the path is that they need to go and take their training. Once they take their training, we can give them the exception. And then, if they don't have it after so many days, we need to go revoke that access or exception. And this was all happening manually.
Tickets going into ITSM and ServiceNow, and then somebody's getting a list and sending a training, and then they have to go track and see if that person took their training. Maybe they'll check on it later, maybe they didn't take it, so we have to send another ticket back, we're going to revoke their access, and then that user is pissed; they can't get their job done. What if that whole thing could be automated through a platform, like an HRM platform? This is where workflows and automation can be really helpful in achieving scale. If you can clean up some of the operational burden and friction of just managing these programs, you can take those resources, reposition them and pivot their focus to something that is more strategic, and they can get more done. You get more bang for your buck with your security budget, if you will. And then the last thing I think you said was around ROI and measurement. That's critical, because, especially today, you have to be able to provide business justification and some sort of ROI story. It could be as simple as: hey, instead of requiring everybody in my organization to take 30 minutes of training a month, I'm only going to target risk-based training to the people that need it, and that's probably about 10% of my staff. So for the 90%, which equates to 10,000 people, we're saving 30 minutes a month. The average cost per hour of wages for our people is this. This is the potential cost savings for the business by going to more of a risk-based approach versus requiring training for everybody all year long. That was just one example, but it is more concrete, black and white, than trying to say, okay, what is the risk avoidance?
How do we quantify that? Certainly we're working on those things as well. But I think we need to get more creative, and that financially oriented mind that you mentioned earlier, which is sometimes really great to have as part of the security team, can be helpful in those business calculations.
SPEAKER_01: Love it. Yeah.
Hybrid Workforces And The Next Risk Model
SPEAKER_01: And thinking too, we've been years in the game now in security awareness training. I think HRM is now catching some of the fire, and I think we're getting some of the groundswell. Do we get to critical mass? Does the name change again? What are your thoughts there? How do we start to get this in the limelight, or does the narrative shift again on the name of what we're trying to accomplish?
SPEAKER_00: Yeah, great question. If you look at analyst coverage today, they'd probably say that we're still at about 15%, and I would say that's growing, and adoption of true human risk management is accelerating. I do believe that in the last maybe three or four quarters, almost a year, we've actually seen a huge uptick. We track things like the number of RFPs that are coming in, and we can see customers and all that stuff. So that's really good news for all of us, because, as you know, third-party risk and supply chain is a big thing. If we're all safer, if we're all more secure, everybody benefits. So we should all be advocating for this. On naming convention, I feel pretty strongly that this is a risk management function, so I think that's great. Human risk management? Who knows, because the workforce is changing. That's really where we're spending some time: understanding that the workforce is now hybrid, human and AI agent. And so the workforce attack surface is changing before our eyes. We know that humans and agents are interconnected, because we're delegating access and we're creating them. We have agents working on behalf of humans. So we need to get our arms wrapped around the broader workforce challenge and equation right now. Does that turn into something like unified workforce risk management? I think there is probably, over the next decade, some sort of change that's going to occur. But for right now, as we're maturing this category, we talk about this as, hey, we're a human risk management vendor, we operate in this category, and we're not thinking about the hybrid workforce, which is inclusive of our AI agents.
SPEAKER_02: Yeah, that's a great point. What I do know is I don't want it to follow the path of GRC. Similarly, Gartner and Forrester renamed GRC to Integrated Risk Management, or IRM, and now it's back to GRC, or there's confusion: are we back, are we not? And what didn't happen was the technology didn't shift materially. If analysts are calling for a name change because the technology category is not showing value, that's not a naming problem. That's an adoption problem, a people-process-technology, making-it-all-work-together problem, and a technology capability problem. So I've already seen a more substantive change from SAT to HRM than there was with GRC to IRM, which I think was more hype and surface label, or lipstick on a pig, than materially changing what we're focused on from a practitioner standpoint.
SPEAKER_00: That's right, Aaron. I will say there are still, and this always happens, those vendors that say, oh, I need to jump on the hype wagon, I'm going to call myself human risk management. But if you peel back the covers, it's really phishing and training with a stoplight, a numerical system on top of it: red, yellow, green, zero to a hundred, whatever you want to say. And they're saying, oh, we're doing human risk management too, we can give you risk scores, but it's really the same old metrics in a different way. Look, I think that's up to the market, when they're going through RFPs and putting out criteria. It's why we win our POVs 90-plus percent of the time, because truly the value and the proof is in the delivery. But we cannot be remiss. We have to recognize that human risk management is a strategy. You can't deploy a tool and expect results overnight. It requires business conversations, it requires breaking down silos, it requires strategic alignment, it requires an executive sponsor. The companies that are doing the best are the ones where their CISO is on the QBRs. Their CISO is there, trying to figure out what's going on in this human attack surface, what's this platform showing me, and they're helping to drive business change, bringing teams together around that and saying, oh, I can use this data over here as well. So I think executive alignment is absolutely key. And then partners like Reveal Risk as well.
You guys are not paying me to say this, but I'm a true believer that if you can find a really strategic partner to come in that understands the ins and outs of security organizations, friction and all that, that can help you navigate getting all the right stakeholders there, and then implementing, executing, and managing a program, that can be an unlock for a lot of companies, especially if they don't have the resources internally. So I think we've got a match made in heaven in front of us.
SPEAKER_01: Agreed.
Fun Fact And Closing Plans
SPEAKER_01: Thank you, Ashley, again. We always have one question for our guest, and this is because it's a VIP experience. For those who wouldn't know Ashley Rose personally, give our crowd a fun fact, something that maybe no one knows. It could be brand new or it could be something that you've been.
SPEAKER_00: Well, you know, I found it a swimmer line. I think that's a pretty fun fact. So one of my goals in life is to get my pilot's license. I've taken a couple of flights, but I still have a long way to go. I think that's a pretty fun fact about myself, and I will get there. I don't know if my husband will ever let me fly my children around, but I'll be up there in the sky. So yeah, I would say that's an unmet dream that I'm pretty excited about. I'm sure there's more, but hopefully that one's good enough.
SPEAKER_01: No, that's great. I'm sure at some point, when we see you in the future, I could share a story he had when he was doing his pilot's license.
SPEAKER_02: But I don't want to scare Ashley away from the pilot experience that I had in high school as I was prepping. But that's a story for part two of this podcast. Ashley, thanks so much for joining us, and looking forward to seeing you in Boston, where I think we're both going to be at HealthSec and hosting a dinner. So I'd love to meet mutual fans of both companies as well as great cyber practitioners doing great things, if anybody's out in Boston.
SPEAKER_00: Amazing, yep, see you there.
SPEAKER_02: Thanks so much. Have a good day.