Security Masterminds
The podcast that brings you the very best in all things, cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.
Connect with us on our LinkedIn page! - https://www.linkedin.com/company/security-masterminds-podcast/
Security Masterminds
Security Awareness by Blending Entertainment and Education for Engaging Employees, with Special Guest, Rob McCollum
Check us out on our new LinkedIn Page! - https://www.linkedin.com/company/security-masterminds-podcast/
Are you struggling to raise cybersecurity awareness despite following the same old advice? Discover the power of storytelling and engagement in transforming cybersecurity training and arming your workforce against message fatigue and over-reliance on technology.
In this episode, you will be able to:
- Delve into the connections between storytelling, engagement, and effective cybersecurity training.
- Gain insight into striking the perfect balance between factual content and captivating storytelling.
- Find out how relying too much on technology can jeopardize cybersecurity efforts.
- Master techniques for countering message fatigue in the cybersecurity industry.
- Explore the power of humor and entertainment in raising security awareness levels.
Rob McCollum, a versatile voice actor with a background in sales, marketing, acting, and improv comedy, has lent his talents to over 300 anime roles and a plethora of corporate training videos. Joining forces with Twist & Shout, a KnowBe4 company, Rob ventured into corporate storytelling and cybersecurity training, working on projects for major companies such as Barclays Bank, AT&T, Warner Brothers, and Sony. His unique approach to storytelling and engagement in cybersecurity training has revolutionized the industry, keeping viewers intrigued and eager for more.
About Rob McCollum
- LinkedIn - https://www.linkedin.com/in/robert-mccollum-23b1a86
- Rob McCollum Facebook Anime Fan Page: https://www.facebook.com/RobertMcCollumFanPage
Show Notes:
- The Inside Man Series: https://info.knowbe4.com/inside-man-ga
- Favorite Books:
- After On, Year Zero, by Rob Reid - https://www.amazon.com/stores/author/B000AP8X36/allbooks?ingress=0&visitId=3058ab80-2f93-42c9-9be8-a1d49c3fec86&store_ref=ap_rdr&ref_=ap_rdr
Connect with us:
Website: securitymasterminds.buzzsprout.com
KnowBe4 Resources:
- KnowBe4 Blog: https://blog.knowbe4.com
- Erich Kron - https://www.linkedin.com/in/erichkron
- Jelle Wieringa - https://www.linkedin.com/in/jellewieringa
- James McQuiggan - https://www.linkedin.com/in/jmcquiggan
- Javvad Malik: https://www.linkedin.com/in/javvad
- Music Composed by: Brian Sanyshyn - https://www.briansanyshynmusic.com
- Announcer: Sarah McQuiggan - https://www.sarahmcquiggan.com
This show's sound is edited by ProPodcastSolutions -https://propodcastsolutions.com/
Show Notes created with Capsho - www.capsho.com
I am a big proponent in the power of the voice and they, there is some science on it. It is a burgeoning area of neuroscience, but there is a fair amount of research and I think there will be more about the way that audio straight into the brain mainlines and is remembered in a way that is different from data that is consumed in other formats. Hey, this is Rob McCollum. I am the co-creator and the writer of the Inside Man for KnowBe4, as well as the head writer for Twist and Shout communications, a KnowBe4 company.
VoiceOver:Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity. Taking an in-depth look at the most pressing issues and trends across the industry.
Jelle Wieringa:Drawing employees into corporate education programs requires a mix of marketing, storytelling, and engaging content. By promoting the training as an entertaining and appealing series, corporations can motivate employees to actively participate without feeling pressured by. Mandatory assignment.
Erich Kron:Rob McCollum, a talented voice actor with experience in over 300 anime roles, is well versed in the art of engaging content for corporate education. As the co-creator and writer of the inside Man, Rob's unique approach to storytelling has transformed how organizations approach it, security awareness, and training.
VoiceOver:This is episode 18, evolving Security Awareness by Blending Entertainment and Education for Engaging Employees. With our special guest, Rob McCollum.
Jelle Wieringa:Hello everyone and welcome to yet another glorious episode. Today we're going to talk about something that's not so much cybersecurity in itself. And we've got none other than Rob McCollum as one of our guests today.
Erich Kron:You know, Rob is on kind of the forefront of a new way of training. we've really grown as an industry when it comes to tackling the human problem. And that's where he really stands out a new way to get security principles across to people while keeping them engaged in it. And that's through some amazing storytelling. I would say this is such a revolutionary way to get and keep people's attention that this is a really important thing to consider, especially when we all know that the human side of cyber may need a little bit of work. So we asked Rob, what is your origin story? Like, What got you into cyber?
Rob McCollum:I started out as a sales and marketing guy that then got into acting and improv comedy and voiceover work, which is about as far from internet security and IT securities you can possibly get. But I have voiced like 300 roles in anime, as well as hosting hundreds, if not more than hundreds of really bad corporate training videos, welcoming you to your 401k or your sexual harassment policy video. And in hosting them, I realized they were really bad. Just terrible unwatchable by human beings. And through that started going back 20 years now, writing them for other people. And then I met a crazy British man named Jim Shields, who had a company called Twist and Shout, who did live events and the video content for live events like your corporate sales meeting, Q3 quarter sales meeting, and they had an interview with the V vice president. So we would do those videos and started as an add-on to that, doing kind of corporate storytelling for corporations. We had one client. That was Barclays Bank in the UK hired us and said, Hey, could you help us do like some kind of a training video for our IT security department? First time Jim and I had ever even thought about IT Security and it was a small project, small budget, kind of under the radar just for internal and while we were working on that project, a reporter in the UK found all of the British national employees social security numbers un shredded in a dumpster behind a Barclays bank. Suddenly it became very important to Barclays to talk about how seriously they take security training for their employees. So our little project suddenly became a very important project with C level investment and involvement. And then once it was done, we made a massive, massive project out of it. And they took it on the roadshow because again, from a PR standpoint, they were like, look what we're doing, we're doing comedy and we're doing innovative things, things that have never been done. So we found ourselves at all these industry trade shows and we're the comedy guys for IT security overnight, having done one project and with no information other than the bullet points they gave us. So over the next, I would say seven years, we made something like 250 projects, mostly all on IT security, and had to learn really fast. I mean, luckily we had smart people helping us, but, I think that's the reason we were successful is that we did not come from industry out. We came from storytelling in and then got the information from smart people like you guys that know how to say, like, these are the things we want you to talk about. But we came from, from an idea of like, how do people. Watch stories. What are they like in sitcoms? What are they like in TV shows? What do they like in movies? How do we bring that into this world? But with very unintentional that we became it security experts. But we ended up doing things for probably, like I said, 250 projects, probably over a hundred companies from all the way down to small projects and learned how to talk people about awareness. And that was the other key thing is that we were timed very luckily in the moment when awareness was becoming the conversation where it was no longer just about the technology. And it was, not just about, building the firewalls and getting the software online, but it was about let's start engaging our people. In those early days, we're talking mid two thousands was when finally the awareness conversation started to become a part of the puzzle, and we were just lucky enough to be hitting at that time.
Erich Kron:We have limited people in cybersecurity and a lot of places they look to hire from outside, but thinking outside the box and over and over again, we see people that didn't start in cyber that are making huge splashes in what's going on because somebody took a chance on them from outside of the industry. So I would say look inside your organization, look at different ways to do this kind of thing. That doesn't necessarily always have to be from people that are already cyber.
Jelle Wieringa:Yeah. Most people in cybersecurity have a specific skillset set that's geared towards cybersecurity. And that's, I think where Rob comes in. He's he's learned, about cybersecurity by simply doing it and, and building those videos but in essence, he's a storyteller. And storytelling is at the heart of communication. It's a powerful way to motivate people, to get people on board of cybersecurity and that's where people like Rob come in.
Erich Kron:Yeah, now, this is a story that demonstrates good security without necessarily just telling people, Hey, you should do this. You should follow that policy. And that storytelling was what drags them in. So we asked them when, when they came up with the inside man, which is now on its fifth season. But what was the goal behind that?
Rob McCollum:When KnowBe4 approached Twist and Shout and said, we want to bring you in we said, okay, but we really wanna do something different. We wanna do something you don't already have. We want to add value to that proposition. What do you not have? There's a ton of information on the Mod store and it is all useful information and is well delivered. But in terms of video as opposed to flash animations or web talks or any of the other things, video is not great at information. Video is great at emotion. Video is great at storytelling. So can we do something that thinks about the why and not the what. It's not gonna bog down in the how it's going to say. There's a lot of information on how to do this. We want to talk about why you should care, why should it matter to you? And in terms of explaining the why's, that's storytelling that's gone back, you know, a hundred thousand years of human evolution. Like we did not explain that there were dangers in the woods and that there was a chance that neighboring villages might come over, or we don't know what animals might be out there. And we said, no, there's a witch. She has a housemate of candy, and you can't go into the woods. So suddenly now we're engaging through story instead of bullet points. And yes, we could have sat down with the packet with our children and shown them statistics of household incidents in wooded areas, and they would've glazed over. But we told children stories and that still applies today. So we said, how can we make a story be really engaging? What if there's a hacker and we tell the story from the side of the bad guy? That's where it all started. Like, let's show it from the perspective of the attacker. And then we realized, well, that's not gonna last long because no one's gonna care about this person. So what if the hacker decided he didn't wanna be a hacker anymore? Why would he do that? Where would that come from? Okay, let's figure that out. And so we built a story. At that time, we thought it might be one season, it might just be 12 little short episodes. But we built a story around this idea of, of putting a person who was brought into an organization as a bad actor and then changes his mind and sees the light. For the first time, people were like, Hey, when can I get the next one? Not just clients, not just, you know, CISOs who were applying it or whatever, but actual employees, end user recipients who were going Hey, can I see another one of these? And a lot of the IT professionals were like, this has never happened to me in my life. No one's asked me for training before. No one's asked to see more. And that's kind of when we realized we were onto something with doing a story first, information second, also making sure the information was in there and the learning moments were in there. There are lessons to be learned, but really being brave enough to lead with story first.
Jelle Wieringa:So basically if you haven't seen the inside man yet, it is cool! so the thing I like about it though is that he talks about emotion and how video can convey emotion. We always try to motivate people, motivate people to care about security, but even motivate people to just be there when there's a security training or watch the videos or play together or whatever you do to become more aware. The thing with emotion is emotion is a great intrinsic motivator. And that's what I think is really cool about this inside Man series. You don't have to force people to go and look at a video that teaches them about security. No especially after seeing a couple of episodes, They want to, they ask for it , they want to see more. The plot at the end of the first season, they want to know what's gonna happen the next season. Is my character gonna die? It is a really good way to make security something not top of mind yet, but it's something that people really, really care for.
Erich Kron:They're demonstrating good security actions as opposed to just saying, do this, do that. Actually demonstrating it throughout and I gotta tell you, I mean, I've heard from so many people what he was talking about with saying that these non CSO type people the employees are actually coming in going, Hey, when can I get the next episode? And that's what makes this so much different. What I wanted to know how does he think this storytelling and voice acting can really be used to raise awareness about these cybersecurity issues?
Rob McCollum:Well, I am a big proponent in the power of the voice, not surprising, cuz I started off as a voice actor. But I love audiobooks. I love podcasts and they, there is some science on it. It is a burgeoning area of neuroscience, but there is a fair amount of research and I think there will be more about the way that audio straight into the brain mainlines and is remembered in a way that is different from data that is consumed in other formats. And so I think it's a huge opportunity. And I think that ties in with the power of storytelling. It's not just a historical reference that we can say why stories are important. There's only so many ways you can make a believable elephant come crashing through a wall and to have it look good, but the sound of a wall crashing and an elephant trumpeting puts that image in your mind in higher resolution than any studio could ever create. I did a whole podcast on the Civil War reconstruction, and we had battle scenes and everything you need because it's all sound and your brain fills in those places. There's a lot of research about the way synapses form and memories form, and when something is presented as data and we are asked to like file this way. This is something you'll need to remember. You might be quizzed on it later. It goes in a, "this is important because there's a quiz". One file, one direct synapse, one chain of access. But when something is approached through story, there are memories of when something else happened. Oh, I saw a building that looked like that. Oh, the scent, the smell, the fear. I remember a time that I was scared cuz I was trapped in a room I couldn't get out of, or Oh, the embarrassment of screwing up. And also, oh, I like the look of that shot. That reminds me of a thing I saw on a James Bond movie. It looks like the same skyline, so the same bullet point or factoid now has 35 different pathways, neural pathways to remember it. You put music in on top of that, then you've added 12 different emotionally evocative points that hit different senses of the sectors of the brain and tie back to that. So it's like, instead of saying, here's a roadmap and there's one path to it, we're gonna give you 35 to 50 to a hundred to a thousand different mental neural pathways to get to this idea. And that's what I think storytelling does, but I think that's also what sound and music and imagery beyond words on a page do no offense to a white paper. Hey, I love a good white paper as much as anybody, but in terms of remembering it, it's a different way of approaching data.
Erich Kron:I think that by doing the storytelling, it really does make a difference in how it's processed. I like what he talked about there, where when you see certain things, you may even associate smells or other things that have happened that are related to that. And, and I know I can absolutely relate to that myself.
Jelle Wieringa:Yeah. I think it's like the way Hollywood uses storytelling to, to make you emotional when you see a sad scene or whatever. It's a really powerful tool. It's a learning tool. And I think that as powerful, storytelling, voice acting and audio is as a learning tool itself. You have to cement it. And that's where written tests come in. It's the combination between having somebody give you the story from which you learn, but then take the test as a way to anchor it in your mind the test is just to figure out have you understood the story? So it's the combination between storytelling and testing that makes it so powerful. And that's a step that a lot of organizations skip. They present information to people and they think they're done. No, you have to challenge the people. You have to challenge them whether or not they understood it and are able to apply it.
Erich Kron:So I wanted to know from Rob, when, when he is putting together something like this, how does he strike a balance between providing the accurate information with cybersecurity and maintaining and engaging storytelling. This is how he went about doing that.
Rob McCollum:Well, in the early days it was all bullet point driven like we would get from our client or from, you know, whoever was commissioning this project saying these are the things we want to train on. Here are the six issues, the eight issues. Usually back in those days we would try to do a season of six episodes if we were doing our sitcom like restricted intelligence and we would get feedback pull in 10 people on a call and say what is. What's hot right now? What do people care about? What are people interested in? And then I would educate myself about the nuts and bolts of that world and then we would start to retro engineer it to like, what's funny about that? What's that like? This is a bit like what are metaphors that would apply and still be not so torturous to climb through that you could see how it tied back, and what are the outcomes. That's the other big thing that we really try to stress in all the things that we make is let's talk about the results of poorer actions, not to the company, not to the bottom line Reputational damage does not matter to someone who is answering the phones at the front desk or someone in the accounting department. I mean, it kind of does, but you can say like, oh, three years from now, this will affect my profit sharing. But embarrassment factor of Carol down the hall has to fix this problem and I have to walk past Carol's desk every time I leave the building. So I'm now crawling from trash can to trash cans. So Carol won't make eye contact because I've made her spend an extra 10 hours solving this problem I've made. That's human connection. So trying to take information from largely technical people, largely people that know, consequences from a data point standpoint and say, okay, where's the human side of this? What is the impact of this in terms of affecting the humans around me, my workplace? You know, there's always the threat of somebody's gonna get fired if they make a huge mistake, but eventually you bang that gong too many times and it becomes noise and retro engineer backfit from the bullet point, the learning moment, and then say, what are some human consequences? And we try to show consequences for everything. And usually not the we've been fired. It's usually the, oh, I hate you now because you put my proposal is now on the internet because you let somebody look at it over your shoulder at an airport lounge, and so you're not invited to the cookout. You don't get to come to our squash league anymore and then just make 'em funny. The benefit of having series, and we've always been big believers in series set characters that come back again and again, and again and again, is that you can build on those characters and you develop a shorthand and there's a lot more opportunity for comedy or real connection or growth because we're on a character journey. If inside man were the same production value and the same bullet points and all of the same work, but were individual standalone episodes about an issue, they wouldn't have the same impact because you've grown up with Mark Shepherd and you saw him try to Pinocchio and become a real boy like you are invested. And so we can use that shorthand to propel the story forward. And when you care about the characters and the emotional consequences, you don't mind that there's also some detail coming in. Your brain actually craves it. Cause you're like trying to figure out like, okay, what are they doing here? They're sending this email. Why is this person clicking on it? You're trying to figure it out because you want to follow the story and you don't realize that you're getting the phishing message that is embedded beneath it. But I will say I think they have a responsibility to get it right because it's lazy storytelling and the audience knows we've made sure with our series to really get the details right. Even if we gloss over them and don't explain them, is the thing happening, a thing that can happen? Is this a way that it would actually happen? Will this work? Maybe there's a little creative license, maybe there's a little dramatic flare in how it happens, but everything that happens can happen and has happened somewhere. And when I watched some really big budget shows that clearly have immense writing staffs and no one's done anything, it looks like Wikipedia level research on some of these shows and I don't know that it is failing the responsibility to inform about IT, security issues. I think it's failing to respect your audience, that they want the real information and you need to know it, even if you don't give it all to them. And it's lazy writing and I'm like, I'm amazed that it gets through. I do think anything that, again, it goes back to the awareness idea. Anything that reminds people that their threats are out there is probably good. I do worry that the, oh my God, these operations are so sophisticated. There's no way that lulo me is gonna be able to do anything. If they want my stuff, I'll let 'em have it. I think there's a fear fatigue that is like, I made sandbags for 20 years, but now if the river rises, the river's gonna rise. Nothing I can do. There's a danger there, and when the shows are just hackers, unstoppably winning all the time, because that is convenient for their story. I feel like that's not a great message.
Erich Kron:So I get that it's a challenge you have to keep it a little bit exciting, but I really appreciate Rob's, desire to make sure that what he's putting out there is actually real and accurate. unfortunately, We have to battle that misconception that sometimes comes out of these shows where people think they've learned something that is absolutely untrue.
Jelle Wieringa:So if you wanna teach something to someone, you have to make it personal and you have to make it believable. If either of those two aren't dared, then it's not gonna work. So, um, we tend to forget in cybersecurity who we are doing it for. So we do security awareness training to reduce, reduce the risk on our organization. That's mainly beneficial to the organization. Security awareness training itself, we do for the people. Therefore we need to make it personal. We need to get them to invest. And you're more invested when it is something that is directly personal to you rather than when it's just something for the organization. So that's an in important distinction to, to keep in mind who do we do security awareness training for, it's the people that's your audience, not your CEO. So I think there's value in every show that's about cybersecurity. It helps you. And if it's an entertaining story, hey, good. Maybe you'll pick up something.
Erich Kron:Yeah. I, I think we just have to be very careful with misinformation, as much as anything else. Not just leaving stuff out. Far too often misinformation is out there and, and people trust and believe in that. It's an interesting topic that we could probably go on for days and days. So I was interested, what's some other creative ways Rob has seen or used to communicate cyber concepts and the best practices maybe to a wider audience.
Rob McCollum:I have become a real big believer in a quick hit. It's kind of the polar opposite of the inside man approach, which is eight to 10 minutes of detailed story and involved narrative. I also think a humorous or interesting 60 seconds on one idea and one concept is also really powerful. I'm working to try to get that even shorter. Can we do TV commercials about concepts is basically what I'm saying. 30 seconds. It's a little bit funny and you remember one thing from it, like that's what commercial advertising agency writers have been doing for 50 years. Make it funny. It has one concept, it has a little thing that you remember. Maybe it's a character. I feel like that's the next threshold that we should be moving into. We did one called Security Snapshots, that is all voiceover, so it's easily scalable to any language and it has slow motion in music and one idea, and they're about a minute and a half. But I, I wanna start pushing for the thirty second blipfort. The idea of like yes, we can try to give all of the information and all of the details, or we can give one good idea well, and get out. And so that I, I haven't seen a lot of that, but I think the ninja approach or the scalpel approach is also useful. And that's where I'm trying to work my brain and my creativity towards applying that to the industry. But it's gotta be really funny. That's the other thing. Because there's so much out there to cut through that noise, you have to be good at it. And there's people that do great, you know, the two-sided conversation where people are playing both sides of it, which is big in the reels and in TikTok as well. Super funny for the people that do it well, there's a million people trying to do it that don't do it well, but the ones that do like, yeah, that works. And you could use that format to train anything. Yeah. You have to learn from the environment around you. And it's going shorter and shorter and faster and faster to the point that even something people enjoy, if it's three minutes long, they're like, I love this, but I don't have time and they'll, they'll not finish it. We did a series in all different genres and I think they're really funny, but it's five sketches around an idea. So there'd be five sketches on passwords, five sketches on Phish in an episode. And we realized, even though they're all individually funny, people are like, Ugh, I got it. Yeah, don't write on your password, okay. Don't click on a phishing link. Got it, got it. Move on, move on. So for season two of Clickbait, we're doing single sketch standalones instead of six longer episodes, it's gonna be 18 standalone episodes that again, aren't as short as I'm hoping for, but are quicker, like one, one and a half minute The same way that the, like a sketch show of season one, it moved from Sketch to sketch to sketch. Now we're just gonna have each individual sketch as a standalone and see if that works.
Erich Kron:No, that's a really interesting point. Jelle, you know, we, we have to adapt and adjust to how things are going. His point about taking shorter sections and learning, we, you know, even from the television ad creators, But also talking about the reels and TikTok type stuff, that's super fast, super quick humor is a great way to get, I know me involved in things, but it's also kind of risky sometimes too. So I think you kinda have to be careful with that.
Jelle Wieringa:Well we're, most cyber security professionals are known for their creativity per se when it comes to building security awareness campaigns, and I know I'm, I'm going on a ledge here, but most people I talk to have a hard time figuring out how they can address their audience in a fun, lasting way and that's exactly, that's what Rob is great at. He truly understands how to move somebody how to play with the emotion of the audience, how to get them involved. That's exactly what he's good at. That's where we can learn and if, if you like me, are not the most creative one, go look for people that are.
Erich Kron:Yeah, that's always a good option, looking for people that are, don't tie yourself down to your one little expertise when you have lots of people perhaps around you that have stuff that they can help you with. You know, marketing, PR, those groups like that, definitely their jobs revolve heavily around changing behavior or dealing with human behavior, so, absolutely no doubt. So this is one of my favorite questions that, that we get to ask the guests on here, and that is what was your greatest fail or mistake and error, and how did you learn from it?
Rob McCollum:Okay. I'll give you the glossy answer that you would give in an interview if you were trying to get hired, and then I will give you the real answer. I think we complained a lot about things being bad in the industry, and I think everybody does that rather than trying to fix it or thinking you could, like I made bad corporate training com and communications for years before I started making good, and it just meant telling the client, no, you don't wanna do that. I know you're hiring me to do that. That's not what you wanna do. Jim Shields was the one that was brave enough to do this and fired a client and said, no we make things that are better than that. We don't make that kind of thing anymore. And they went, whoa, whoa, whoa. What? Hold on. What, what is it you wanna make? But only when he fired them as a client and walked away, did we get to have that conversation. So, so I would say the, the business answer is, is to don't suffer through. Go ahead. And if there's something you think strongly about, just push it cuz you're probably not the only one that thinks that. I was the host of a morning show in Texas. Which in and of itself is probably a fail. Just the idea that that was something a person should do, but then I did it. It was not good. I was not particularly good. And then in an effort to try to fix it, I stayed on as a producer for about a year after I left as the host. So it's like staying on as the life coach from the girl you just broke up with. It was not a good environment, and I realized it was not fixable. Like they were not going to let me do any of the things. I kept suggesting things in the host role, like, we could do this and do this, and they're like, no, we can't do that. So I thought once I became producer, I would get to do those things and then was still told no and left. So it was like six months of my life I'll never get back that I could have been doing other things, but, but I was the host of Good Morning, Texas on W F A A in Dallas for almost two years. Good morning, Texas.
Erich Kron:I think that's great. One of my favorite reminders to me because I I'm not good at letting go sometimes is it's okay to fail, but fail quickly and not hang on to things like that. I tend to try to make it all work out.
Jelle Wieringa:I'm not doing a TV show, that's for sure. So failing quickly is cool. That's good, as long as you also learn from it and you next time don't make the same mistake again. That's basically it. I really do like these questions that we ask our, or this question that we ask are, are our guests, because it gives you a look into their mind, it makes it very personal and it's different for everyone. And in, in the case of Rob, the answer suits him so well. First of all, the guy did Good Morning, Texas and. Trust me, I've been looking for pictures on the internet of him presenting that show. They're not there anymore. And if you're a listener to this, uh, podcast, please do send in your pictures if you find one of him online on the show good Morning, Texas.
Erich Kron:Now, another question we'd like to ask the guests, and this is always very eye-opening because it comes from so many different perspectives, especially those that are outside of cyber sometimes because we can get a little bit, uh, tunnel vision sometimes, but I always like to know what is the greatest threat they see in the next 10 years. And this was what Rob thought.
Rob McCollum:I would say it's kind of the same thing that we had already been talking about. The belief that the technology is the answer. That these are things that are too big for me to understand. If this email got through my spam filter or my company's firewall, it's probably fine or it's just too much for me to do. So belief in the technology and, and that just all of the investment to try to stay ahead of things from a technology standpoint are gonna be the solution. The other is message fatigue. You hear about everything and eventually you, you, like I said, if the flood's gonna get me, it's gonna get me, there's nothing I can do. And you throw up your hands and you say, oh, well, if they get my credit cards, I can cancel'em, there's systems in place. It's too much to, to worry about and that I think is a danger both for individuals and personal front, but also for corporations to just, that people decide to do that. And I think the other side of that coin: the overreliance on the software to protect you also means that they're not as cautious as they should be. I just saw a post the other day, someone talking about ChatGPT and said, it's incredible. I loaded all of my company's financials into it and it gave me my taxes better than my accountant did. And I checked it again and they said, no, I really tested it. I looked at what ChatGPT spit out and I looked at what my accountant did and they were almost verbatim exactly the same. And all I'm thinking is, you've loaded all of your financials into ChatGPT, you have no idea what their security is. It could be great, I don't know what their security is, but you definitely don't know what their security is and you've put all of that information there to see what happens. That's the kind of reliance on the fact that like, oh, this is a big thing. It's probably safe. Someone's tested this, someone's checked this. And the next thing that comes along and the next thing that comes along, especially as we move into AI, if people just start opening up their whole hard drives and let AI find something and say, yeah, write my memoir. Here's my laptop. You can probably find enough information on it. A, it would probably be not a bad memoir, which terrifies me as someone who makes a living writing, but also is a huge security risk. And there's a chance that you may even hear some of that story in upcoming seasons, because that interests me. Speaking of AI as writing, we are I may actually let it write a season six, not because I will use that, but because I found out from some video game developers. They asked ChatGPT what their season four of their new video game was going to be, and it spit it out exactly correctly. And they were like, oh, so we need to write something else because we can't have the thing that AI figured out was gonna be the thing. So they're u you use it as a stop gap to make sure you're not making the obvious choices.
Erich Kron:Yeah. It is interesting to see all the stuff that's happening with AI and, and ChatGPT and people just not thinking about how to handle things like that. So that's an interesting point. I mean, people throwing their tax information in there, throwing financials in there. Imagine what some people are doing with organizations trying to use this thing and have no idea what's happening with that. That's a very interesting point.
Jelle Wieringa:It's very closely linked to the belief that people have insecurity, that technology will fix everything. We have an over reliance on technology and we're constantly blindsided by it. I fervently hope that technology will prove its inability to protect us. Truly. I just hope that it doesn't cause calamity or Skynet or World War Three or whatever. That's the thing. I think that technology is there to help us. It cannot meant what we do, but in itself, it's not enough. And it is too easy for us to just go like, ah, I spent money. I booted it. I maintain it. It will save us all. That's not how it works, and I'm pretty sure that it's not intended to work that way. So I do agree that one of the greatest threats in the next years is our overreliance on technology. I also think that our message fatigue that's, we have to really, as cybersecurity professionals, be careful not to overstate the message too often, or, or wrong ways, because that will lose our audience., but that being said is I have great faith in our learning ability to adapt and to figure that one out along the way. So losing our audience won't be that much of a problem, I think.
Erich Kron:Excellent. Now I love it when we get into the personal feelings of the people we interview and, and some of their choices and, and kind of look a little bit into their personalities. So as we ask so many of our other guests, I wanted to ask Rob, what are his favorite books, like personal books or career related books? So this is what Rob had to say.
Rob McCollum:Actually, one of my favorites when I first heard about KnowBe4 and we were being courted and possibly they were gonna make an offer to take, Twist & Shout under their wing. I got Ghost in the Wires, which is the, it's not a cybersecurity book per se, but it is the story of Kevin Mitnick in his early days and I got the audio book version, which is read by Ray Porter, who's one of my favorite audio book readers. I love audio books and will follow a reader, a narrator from title to title. And Ray porter's really great and it's just a super compelling story. And again, it's, it is about the early days of, of hacking and security and a lot about social engineering, but it is all told through a compelling narrative of this guy who's just trying stuff and gets in over his head and then tries to avoid getting caught and so it was a good model for what eventually became the inside man, just in that it was like narrative first details embedded in. I liked that a lot. And then you asked about personally one of my favorite books. It also has a cybersecurity tie-in. It's a book called After On by Rob Reed. It is a really funny take on the birth of AI and where the first sentient AI will come from and how it will come about. Rob Reed's written a couple books. He, he wrote one called, year Zero that is about the earth's music permeating the universe and the galaxy's reaction to earth music cuz it's better than any other music and is actually kind of at its core about copyright law, which shouldn't be fascinating, but it's really hilarious. But no" After On" a lot about Silicon Valley and aqua hires and companies that are being bought and added together and scooped up and their code is being scooped up. And it's just so, it's kind of a fascinating look at that world, but then also has some really fascinating AI thoughts and permutations that I think maybe are not that wrong. both of them are super funny. Shout out to Rob Reid.
Erich Kron:So I think it's interesting. I mean, Kevin Mitnicks book is definitely a good book. I think it's fun reading. It tells a story. There's, there's a lot of, good information in there and as well, and I actually really like the idea that he mentioned about in the other books with the earth music being the best. I mean, that's kind of funny. It, it feels like something you might see in like Guardians of the Galaxy or something like that. You know, where where the earth music is the one that changes everything. I mean, there is that little touch in there with them dancing, but, you know, it, it kind of comes down to that, kind of funny, kind of quirky.
Jelle Wieringa:Well again, comedy is perfect to entice people to get 'em on board. And again, in that book it is about copyright law boring, but it's done in a very good way. This, this was a really fun interview to do. Rob McClellan is a great person. He's not directly from the cybersecurity industry, which actually makes it all the more interesting to me. He's a voice actor, he's an actor, he's a writer. He wrote a cybersecurity series or co-wrote the cybersecurity, , series, The Inside Man, which I personally love for multiple reasons. Yes, it is great fun to watch, but me being somebody that works actively with people that do security awareness training, I am impressed by the power this has to influence people, to persuade people to make people care about security in a way that most of us fail to do if we do regular tools. It's been fun, um, and I actually learned a couple of things and that is really cool. Say goodbye, Eric.
Erich Kron:Goodbye Eric.
VoiceOver:Coming up on our next episode of Security Masterminds,
Bryson Bort:the challenge that a security vendor has is the balance of me protecting you and me not getting in the way I get in the way I'm out immediately. So that's why threat intelligence is stuck in this groundhog Day of doing the very basic static IOC stuff.
VoiceOver:We invite you to join us with our special guest, Bryson Bort. You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit know KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.