The Scary Future of AI-Driven Social Engineering — Are You Ready?

Humility And The Third Why

How's it going, Bobby? It's it's great to get you on the podcast. I'm really excited about today's conversation. You know, this is it's a really relevant timing, I feel, because social engineering AI-based attacks are becoming so relevant now, so much so much more common than they were even 12 months ago.

Absolutely agree, Joe. Thanks for the invitation, fans. So I consider it an honor to be here on the show. So yeah, so thanks for having me.

That's that's always interesting to hear. I mean, like, my audience uh has heard me say it before, that it's like always interesting to hear, but it like always catches me off guard when people say that they're a fan, that they've listened to episodes and anything like that. Because I mean, literally, I just assume no one listens, yeah, you know.

I I I think it speaks to like the humility that you have. Uh and that's rare, especially in this industry, because typically when you meet people that are as smart as you, they know that. And when they're brilliant, they know that. And so oftentimes we felt find that brilliant in conflict with that. And so I mean that sincerely. So it doesn't, it doesn't uh shock me that you're surprised when people tell you that they're fans. And everyone listens.

Yeah. Well, I I definitely appreciate that, you know, and it's uh you know, you you're right though, like there's a lot of smart, really smart people in this field. You know, I I feel like you just have to be to be successful in cybersecurity, you know, like you have to have a unquenchable curiosity with you that is insane.

Yeah.

And, you know, I I actually hear, you know, similar feedback like that sometimes, where, you know, though someone will ask me a question of a fairly broad, you know, topic or domain, right? And rather than just saying like what 98% of people would say is, oh yeah, I know everything in that domain or whatever it might be. Like for IAM, for instance, right? I'll immediately start saying the stuff that I don't know. Well, I don't do IGA very well, right? Like I haven't worked with this kind of technology, I've worked with this kind of niche technology or whatever it might be, just to just to paint the picture properly, right? Not to oversell, not to undersell, but paint the picture properly to get the expectations correct. Because I feel like that's more important long term, you know?

I absolutely agree. That speaks to the confidence that someone has to have. You have to be confident in what you do know in order to be vulnerable with what you don't know. And oftentimes, especially in cyber, oftentimes we find people who are unsure in a certain area. And because they're unsure in multiple areas, they try to dominate a conversation or they try to sort of show their knowledge in a certain area where it's really and I think that all you do when you do that is a disservice to yourself and a disservice to those who are around you because I heard you speak confidently about an area where you know absolutely nothing.

So how can I cannot take your word for the area where you should know something? Right.

No, that that makes a lot of sense. And you know, I I won't I won't mention any names, obviously. I mean, we would both get in trouble. But, you know, I've I've had people on the podcast sometimes, and a lot of the times those episodes don't even go live where, you know, someone's on and they're they're saying that they're an expert, and you know, I don't know, IT careers or whatever might be networking, you know. And I'm not an expert in networking, but when someone's talking to me about networking, I understand it, right? Because I'm in security, you have to know networking, you know, but you don't have to be a network engineer. Like, I don't want to log into a Cisco router ever, anytime, you know, like I don't want to log into my home router, you know?

I've I've logged into enough of both of us.

Yeah, yeah. You know, like it's it's not something I want to do. And and as soon as they start talking, you know, and you start like incidentally poking holes in the knowledge, it's like, man, you don't really know, you don't really know much here, and you don't know what you don't know like at this point, you know?

Yeah, I I call it the third why. And anyone who's ever worked for me, like they they will have heard me say that before. Like, can we get to the third why? And and I became a SISO really early in my career. I've been a SISO before taking on this role that's more on the go-to-market side at Doppel. I was a SISO for the previous 14, 15 years. And so becoming a CISO really early in my career, I remember there were people that would try to test me and they would try to, you know, sort of I wouldn't be as knowledgeable as they pretended to be. I'll say that. And my my test for that is always I get to the third why. But they said that we should do something, I'd say why. And then I would listen to see if the response sounded intelligent. Then I say, okay, well, why should we do that? And then they start getting, you know, flimsy on like the second why. By the time you get to the third why, you will know whether or not they actually know what they're talking.

Yeah, I I interviewed for a place, you know, years ago, and the one of the hiring managers like got to like five whys with me, and I started to get frustrated because I'm like, hey man, I answered this four times perfectly. If you're looking for an acronym or some terminology that I'm not using, like I don't know what to tell you. You know, like we're at five right now, you know. And five might be too many. Right. It's funny, he apologized, right? And then, you know, a couple years later, one of my listeners turned out to being, you know, one of my future bosses. And during the interview process, like, because he he listened to the podcast so much, he knew, like, hey, let's not test Joe like too much because it's just gonna frustrate frustrate him at some point. I've already done it through the podcast, you know, and like that was like the ease. How's it going, everyone? Welcome back for another episode of the Security Unfiltered Podcast. So today, Doppel is sponsoring this episode. I'm interviewing a really great person from Doppel. You know, I I actually ran into the use case for Doppel a year ago, before I knew about Doppel, where, you know, it's a real story. I tell it in the episode where if we would have had this sort of technology, it would have prevented it, you know, right from the very beginning. And so that's why when I was introduced to Doppel, I had to partner with them. I had to spot get them to sponsor the podcast because, you know, I love innovative new technologies that are coming out on the market. So I wanted to bring you guys this episode because I think that the tech is really cool. I think that you would find it really interesting. So go ahead and check it out. All of the links are in the description of the episode. Yeah,

Sponsor Message And Why Doppel

and can continue on with the episode. Thanks, everyone. Right. It's funny, he apologized, right? And then, you know, a couple years later, one of my listeners turned out to being, you know, one of my future bosses. And during the interview process, like, because he he listened to the podcast so much, he knew, like, hey, let's not test Joe like too much because it's just gonna frustr him at frustrate him at some point. I've already done it through the podcast, you know. And like that was like the easiest interview process ever, you know, it was so easy. The technical was a conversation. He was already a fan. Yeah, yeah, very true. Well, Bobby, you know, we kind of just dove right into the conversation without giving your background, but I'm really interested to hear it because it's not often that I hear about anyone becoming a CISO early on in their career. And when I do hear about it, it's usually like a major red flag, but you didn't hit any of those red flags, so to speak. So I would love to hear, you know, how you got into security, what made you go down this path? How did you make the jump into CISO? What just tell me the whole story?

Thanks for the opportunity to tell the story. So the first thing I'll say is like most security professionals, I didn't choose security. Security chose me. And what I mean by that, Joe, is that when I enlisted into the military, I enlisted because I wanted to be a programmer, I wanted to be a software analyst, I wanted to be a coder. But when I enlisted, we had tons of people that were coding and tons of software analysts. But what we didn't have when I got my first duty assignment, we didn't have anyone that was looking at the overall security of the technology that we were leveraging. And so the first sergeant or the company commander and the first sergeant at that time had this idea why don't we take a group of the soldiers and have them focused on things like scanning floppy disk, decommissioning and de-gousing hardware. Now, that that's a term that I know really shows my age when I

From The Military To CISO

say de-gousing hardware. The de-gousing hardware. And then I parlayed that into an assignment at the Pentagon and became one of the charter members for the Pentagon Computer Intelli Response Team. Uh, spent some time in the military, and then when it was time for me to get out of the military, I went to work for the Department of Defense Computer Emergency Response Team. Went from there, stayed in the aerospace and defense industry, and ultimately became a CISO at a mid-sized AD company called Excelis. And that was like my first executive role. That was my first CISO role. And at the time, I don't even know if we had settled on calling it a CISO back then. I think I might have been like a cybersecurity manager or something. But responsible for the overall security of our information systems. And then after uh Excelis was acquired by a company called Harris, I went to work for first Abbott Labs, and I was the first CISO at Abbott Labs. I then went to work at Unilever, was the first CISO at Unilever, and then ultimately got to HPE and was the CISO at HPE for almost four years. Then at the end of 2024, I took a hard pause because I had done the CISO thing and I had known what it was like to be an operator. But I'd never worked on the venture capital side, had never worked in the startup community, had never worked for an actual cybersecurity provider, solution provider. And so thought that that would make like a logical next step for me to either go work on the VC side or to go work on the solution provider side. And so ended up here in the startup world working for what I believe is the most brilliant cybersecurity company that there is right now. And it's because our focus at Doppel is on social engineering defense. And having spent, you know, 10 years as a CISO, I never had a single platform that I could rely on for social engineering. And that's what Doppel does. And so that's why I'm here. Not as much an operator on the security side, but I'm the chief strategy and experience officer. And so what that means is that I lead thought leadership, manage category creation, and then also we're spinning up a threat research team. And so I'm leading that effort.

Hmm. That's really fascinating. You know, you you probably got into IT or like security overall at a really interesting kind of foundational stage of security, right? And I'm saying that because not only did you know the word de-gausing, but you did de-gousing, right? Like I know the word, but I never did it. Right. So there's a difference there. It tells you exactly where I started that, you know?

Exactly. You probably studied it on a test.

Yeah. I had to know it for a for a test, you know, is the term. Like that's literally it.

Yeah, uh-uh. I ran the de-gausing machine. And not only, this is really shows you where we were back then with security. You want to know what you had to do after you would degause the hard drives?

I would assume drill holes into it.

You got it. You got it. So next to the next to the degauser machine was a black and decker drill. Because after they came out. Drill the hello through it. And now it's finally decommissioned. Wow.

I'm kind of surprised that there's like not a machine to do that. I'm sure that there is now, right? Because all it takes is like one person to get like minorly injured, and the military would be like, all right, we need to just automate this.

Right, right, right. It it's I think it's probably the entire process is now automated. I'm sure you're probably incinerated at this point.

Yeah.

Yeah. It's uh, you know, just to like go down that little caveat, right? Like, I I think I heard the FBI make recommendations two years ago where they updated how many times you have to wipe a hard drive before it's actually wiped. And I think they increased it from like seven or nine to fifteen times now you have to wipe it with a certain like wiper software. And it's insane the extents that you know people hiding data or getting rid of data have to actually go to truly get rid of it at this point in time, you know?

Yeah, and and when you think about it, it it really speaks to the advances in technology that we've made to recover data. And so had had we not made these, you know, step changes in our ability to recover

Data Destruction And Forensics Reality

data, then we wouldn't have to on the other side compensate by going through all of these wipes in order to destroy data. So we can recover it up to a certain extent, then that means that we have to destroy it beyond that extent. Yeah.

Yeah, that that's interesting. You know, when I was doing my masters, I took a forensics forensics class, and it was it was pretty crazy because like I would wipe a hard drive like five times and still restore the registry. And from the registry, I'm pulling in like user activity and you know, all these different functions that they were running, all the configuration changes and stuff. And you're able to like piece it together with so such little data. You know, it's kind of it's kind of crazy to think that.

Yeah, you're absolutely right. And that's why maybe it's time to get back to degausing and drilling colds and machines.

Right. Yeah. With uh with social engineering, so I actually started my first like security dedicated role. I was running the you know, fishing simulation tool that we were that we were running. And you know, my logic with it was that I was gonna make these tests as difficult as possible, as realistic as possible, because an attacker is not gonna say, oh, this is unfair, you know, to say, you know, your 4K bonus just hit check it here, right? An attacker is going to do that exact thing. They're gonna spoof the Vanguard domain, they're gonna do all these different things to be able to make it look realistic enough for people to click. And I mean, I was very proud of it. I got like a 98% click rate. I was very, I was very convincing. And my CISO pulled me, pulled me aside

Phishing Simulations Without Gotchas

one time and goes, Hey, can we make it a little bit easier? Because like I just got got by it. And I was like, Well, do you think the attackers are gonna give us a break? Like, ah, we got you with something unfair. You could try it again, you know. Like, that's never gonna happen. And we've been breached before. Like, let's not, let's not, you know, skip on this, right? And I did end up having to make it a little bit easier, you know, but they were still pretty difficult. I mean, I was still failing like 85%. So that was great.

Here's what I say. I I would say, and I'm not trying to play Switzerland here, but I I think you you both are right. Honestly, you I I think you're both right. I think that you're absolutely right in that the adversary is not going to take it easy on our organization. And as a result of that, we have to have realistic training. I'll say that. But I also think that that the SISO is also right in that hey, are are we building and implementing the testing so that we can witness our organization fail? Or are we building and testing the organization to ensure it's resilient? And resilience requires the users to know when it's not a legitimate email, but it also requires my security organization to have built-in control allow someone to click on an email and not take my entire organization out. Right. Um so we we talked to our customers because one of our products is around phishing simulation, and and we talked to our customers about this, and the customers that we sing to customers that we find have the most success leveraging phishing simulations are customers who believe that I'm using this to test my existing controls, not to catch my users. Like it's not a gotcha game with the users. And what I mean by that is if I know that someone has gone outside of a control or gone outside of a policy, then the simulation should allow me to catch that. Because most times what we find with security incidents is it's really it boils down to a policy violation. And so how do I leverage this technology to test whether or not people comply with the policy that says you shouldn't make updates on Swift accounts, you know, until you get the right authorization, regardless of how urgent the phone call makes it sound.

Yeah. That's a really good point that you said, you know, you're kind of validating the controls that you are investing in in the environment. These controls are not cheap. You know, and when you're selling it to a board, you're saying, hey, 100%, this is going to work every single time, you know. And if one gets through, that's not a good look, you know, for you. It's not a good look for the team, not a good look for the technology. I mean, that's a real big, that's a big problem.

Yeah, it's a huge problem. And that's why I don't I don't know if I I talked about it earlier or not, but that's why when I talked about we as a site, so I had no one that was solving social engineering defense. And for me, what social engineering defense is, is it's this combination of human risk management with digital risk protection. And the reason why I think it's so important to have both of those, Joe, is because if if uh the attack lands in the inbox, I think that we've already lost. If the phone call gets through to my help desk, I think that we've already lost. And so I want a technology that looks at the entire social engineering attack chain and has elements that will allow me to either test that chain or disrupt that chain. That's

Defining Social Engineering Defense

why I think you need both digital risk protection. You need a technology that's looking outside of your perimeter. You need a technology that's disrupting infrastructure outside of your perimeter. I won't go into geopolitics right now, but you sometimes have to go outside of your area in order to defend your area. So I think you need a technology that does that. But then you also need a technology that tests inside your perimeter based on the stuff you see outside of it. So again, my hope and my goal is that we prevent the attacks from ever landing in the inbox, that we prevent the attacks from ever getting to your help desk.

Yeah, what you're describing is really kind of two layer two levels of maturity in organizations, right? I would say maybe 85-90% of organizations are focused on their own internal controls. They're not looking externally, they're hoping that the controls that they build or buy are doing that for them. But they're not they're not looking at you know an NPM vulnerability and saying, how did this happen? How would it, you know, impact us? How can we prevent it? They're honestly, they're they're still looking for like that solution, that silver bullet to an extent, to come into the environment and do it all for them. You know, like there's a lot of really powerful technologies out there, and the market leaders, at least in the in the scenario that I just described with a supply chain attack, essentially, it's still difficult to use, right? It's still hard to weed through all the noise and the tool and really find what you're looking for and correlate it across the environment and everything. It's it's definitely challenging. So to come across a technology like Doppel that actively goes out and looks out into the world of what's going on and then really proactively protects your environment and filters it before it ever even gets to the end user. I mean, that is something that is something that is so valuable, it can't even be understated, especially as a security professional, where it's like, hey, this is what we've been looking for for quite a long time.

Yeah, I agree. I guess when when I first came here, my initial thought was, damn, why didn't I think of that? That was like my first thought. Like And then my and then my second thought was how do I make sure that as many people as possible know about it? Because for the longest time, when we thought about what what is social engineering, let's start there. Because I I even though I know that you know your users are brilliant, there might be somebody who is new to cyber. So let's just talk about what social engineering is. Social engineering is basically this concept that says that I can engineer a human, that I can improve a human's behavior towards. Toward a desired outcome. You can socially engineer for good, you can socially engineer for bad. And so we're protecting against the bad social engineering. Because I think it was Kevin Mitnick that said, I don't need to hack your systems, I can just hack your humans. It's easier to compromise a person than it is to compromise a system. When we think about most of the defense technologies in it, most of the defense technologies now that we leverage are protecting systems, they're protecting

Generative AI Makes Fakes Believable

applications, they're protecting servers, they're protecting data. And I believe, like what Robert Mueller said, we have to put a focus on the hands behind the keyboard. And so it's like, all right, how do we how do we protect the people? And protecting the people isn't just putting this onness and accountability on them that tells them, recognize the suspicious email. Listen for a malicious phone call. And the reason why you have to go beyond that is because with the introduction of generative AI, and we're talking about the impact of AI on social engineering, with the introduction of generative AI, you can no longer tell what's real and what's fake with the naked eye or the naked ear. And if I can no longer tell what's real or what's fake with the naked eye or the naked ear, then I need a technology that helps protect my users so that the accountability and the onness isn't completely up on them, but that I've equipped them and I've put the right controls in place that guards them, ideally before it gets to their inbox. Ideally before it gets to their inbox.

Yeah. You know, I think it was last week. Last week I was literally looking at some phishing emails from from someone trying to, you know, masquerade as Zoom and some other some other solutions out there. And I was looking at it, and I mean, a hundred percent I would have been fooled. It had the right domain, it had the right meeting link, it had the it had everything with it that I was expecting that I would ever expect from a Zoom email, right? I mean, it it's almost becoming unfair, you know, to any to any user. It's if it's difficult for a security professional, I mean, almost impossible for a security professional to look at it, do all of our checks, still say yes, and we were wrong, then it is completely impossible for my 60-year-old mother to, you know, encounter a phone call with my voice attached to it and know it's not me, right? I mean, there's no chance of her ever defeating that, which is insane to me. It's almost like it's almost like someone needs to step in and come like, I don't know if commoditize is the right word, but just make these kinds of security features like Doppel built into the infrastructure, you know, of the nation overall, right? Like to kind of stop it before it even happens.

Yeah, I mean, I I again I agree. I sound like a broken record. I keep saying I agree with you, but I agree with you. And and that's why I talk about moving count accountability, moving it from the user to the technology, moving it from the user to the technology. I think that we're past the days of, and I don't want this to be a hot take. So I think that education and awareness is still necessary. I do, I do. But I think that we cannot education and awareness our way out of this problem. And the problem is AI, AI-enabled attacks. We cannot education and awareness our way out of AI-enabled attacks.

Right. Yeah, because there's okay, there's some correlations there, and it totally makes sense of what you were saying. You know, when you think about AI attacks, right, you immediately think about a computer generating the attack that would work most effectively against a human or another computing system, right, to fool it. Previously, when we were really, you know, focused on education and awareness, we were focused more on the attack that was bit being built by a human to fool a human, right? That's a different level of difficulty, complexity, you know, believability that it has to have to actually work. It's just a different thing. So, you know, education awareness, like you said, is extremely important. We shouldn't deprioritize it, right? Because what will happen is the AI attacks will become more defeated consistently, you know, every single time. So attackers and these, you know, hacking organizations aren't going to invest that much money, time, and resources into social engineering in that way. Well, the blue team, the good guys, will stop pushing education and awareness because we got this tech in place, and the org already doesn't like to do the education and awareness and fall back into being vulnerable to the human-made attacks again, just the you know, creatively crafted email or text or whatever it might be, right?

Yeah, I definitely think that it will be cyclical. I definitely think that it will be cyclical. And I think that in this period, right now, in this time, we have to slowly shift, like I said, the balance and slowly shift towards demanding solutions that help protect our users. Something else I'll say. We talk now about AI-enabled attacks against our users, but we're also starting to see AI-enabled attack against our agents. So if you're talking about AI versus AI, because you got AI to defend against AI, but there will also be AI to attack AI. And we talked about humans not being in the I don't know. I don't have a good answer, but what does that scenario, what does that future look like when an AI agent would know how best to, you know, attack another another AI agent and it happens in seconds, you know, if not millis if not milliseconds.

Right. You know, when when I was trying to get into

AI Versus AI And Internet Localization

security or, you know, maybe early on in my security journey, DARPA would put on this competition at DEF CON. I don't know if you remember this, but DARPA would put on this competition at DEF CON where they would just hook up two servers to each other with, you know, very simple instructions, hack the other, patch your own servers and repeat, right? And go until you know one is completely breached and you know you can't defend it, right? And they stopped doing it because they were finding so many zero days that they decided it was not a good idea to expose those zero days to the top 50,000 hackers in the world, including China and Russia and everyone else. And so they stopped doing it. But you know, that that's exactly what that sounds like, right? Where, you know, we have it's interesting. I mean, this is just how I picture it in my head. You know, we have militaries, we have physical militaries, there are tanks, there are soldiers, there are jets and everything, right? Everything under the sun, right? And Russia has the same thing, China has the same thing. Well, on the digital front, I wouldn't be surprised at all if we have like a digital army of AI agents or servers to some extent to provide some sort of function and capability at the global level, I immediately think about China's great great firewall, right? Or the great firewall of China and how they essentially proxied the rest of the internet through China's policies to be able to filter out what they don't want their people to see, which isn't anything new, but when you think about it in terms of a proxy and how a proxy works, it's like they they're they're controlling it like that. Like that's insane. You know, like whoever thought about that is like so so smart. And then to be able to handle that amount of traffic and everything, right? So we already have real-world examples of it. And it seems like we're we're just inevitably going down that path.

Yeah. You talked about the the great firewall of China, and and I think that's a great that's a great use case for going beyond data localization, which we sort of all know about, but but looking at internet localization. And I think that the future, and this isn't what we're talking about, but if we start talking about like these AI versus AI, AI defending against AI, you you brought up having, you know, militaries having AI, AI, like special forces units. I think once if we move to that world, which realistically we could get there really quickly if we wanted to, we could get there really quickly. If we move to that world, then I think that internet localization becomes more relevant and that you don't just see the great firewall of a certain nation, but you see great firewalls in every nation. Because that's the only way to actually guard against and protect, because the way that like the internet's connectivity is is at the backbone of it. Like you want to be connected. But I think that if we move to this sort of, you know, this environment where we're attacking each other at scale using these AI agents, then yeah, we have to make sure that all nations have great firewalls so that they can still operate independent of the connectivity. And in that environment, in that environment, how do we view trust? How do we view security technology then? Like, do we push technologies out further or do we move them closer in? There's always been, we talked about, at least I always thought about security. I think about it from identity to the cloud. And when I break down identity to the cloud, it's, you know, identity, then there's data, data, then there's devices, devices, then there's a network, network, then there's a cloud. And so when we think about where security typically falls, right, I think we've given up on identity. Like that's such a mess.

Yeah. Don't tell that to my uh I am guy.

Such a mess. Most people just like hope and pray that they have some really, really smart people to be in charge of that and they just trust them, right? Even though we call it zero trust. But nevertheless, I hope that I have really, really smart people. I think that we tried to lock down the data, but again, that was like another thing that we sort of kicked the can down the road. Then we looked at, uh, and there are some great organizations that are addressing that. But again, like I think that until those organizations can, you know, become sort of like just proliferate their technologies, I think that that's still something that we'll just continue to monitor. Then we looked at the devices. We tried to lock down the devices a little bit, and we got better there. So we're a little bit more mature there, super, super mature on the network. Because everyone like sort of started, at least when I got my first start as a site, so the first thing I was told was lock down your data center. If you do nothing else, lock down your data center. So you like that. So we got super, super mature on the network, and we had technologies for the networks like IDS and ITSs, and that's the thing about that's where security was born with the firewall team. Like most security organizations were built out of the firewall team. So, really, really mature there. Not as mature on the cloud side, but because of the nature of the cloud and the way that it can scale, the potential for security is there. And because you were letting someone else be responsible for security of the cloud, you could be more secure because then my responsibility was security in the cloud, and I would let the big hyperscalers secure, you know, the overall cloud. So I didn't have to worry about guns, gates, and guards for my data center anymore because, you know, the ISPs did that. I just had to worry about securing the data that I was putting in and out. So it allowed me to be more secure. I say all of that to say that in this future world where you have this, you know, AI cyber getting, that I'm curious to how we think about security and where would the what where will most of the security controls go? I know, I know I said a whole lot there, but but you got like some insight into sort of the ramblings in the mind of Yeah, no, I mean it it's so relevant today, right?

I I have a good friend of mine who's in charge of identity at a pretty big company, right? I actually have a couple friends that are in that same sort of thing and different companies that are huge.

I almost thought you I almost thought you were gonna put a period there. I thought you were gonna say, you know what? I actually have uh a a bunch of friends, period.

Yeah.

Right, right.

Right. But you know, I was talking I was talking to them about like a gentic AI and and you know having it run in their environment, what they're doing with it. Both of said the same thing. Yeah, we dove right in head first. We got the really smart people on our team that are really utilizing it. It's great. And then we looked at the identity side, and that was such a hard problem that we don't know what to do. But now we can't slow down the business because they're operating at a thousand miles an hour and security is kind of just trying to keep up, you know?

Yeah. Security is always playing a catch-up game because it's just unless you're in the business, and I've learned this now, being on the solution provider side. Unless you're being, I mean, sorry, unless you are in the business of providing cyber solutions, then cyber ain't your business. And if cyber ain't your business, then cyber isn't making decisions. Cyber is managing the risk that the business, if you're in FMCG or if you're in life sciences, if you're in aerospace and defense, whatever that business is, that's who's making the decisions. If you're in entertainment, hospitality, that business is making the decisions. Your role as a cyber professional is to ensure that when that business makes a decision, you secure it. You secure it. Which again, bringing it back to why I'm such a huge advocate for Doppel, is because if that's my responsibility, I have to shift how I think. Because I can't operate from saying, no, we can't build that data center in Dubai. No, we can't put our data in that cloud environment. No, we can't leverage that SaaS solution. No, my mentality is how do I secure that data center? How do I secure that cloud environment? How do I secure that SaaS environment? So it shifts. And having a solution that protects my users wherever they are, especially that protects them from social engineering attacks wherever they choose to operate is ideal. And you do that again, remember what I said, operating and controlling and reducing the risk and the infrastructures that are built outside of your environment. So I'm not just protecting you inside, I'm protecting you outside of it as well.

Yeah, that makes a lot of sense. You know, like security professionals for such a long time had a bad rap for saying no all the time. I mean, I was definitely guilty of this. That's how I was taught, you know, say no three times. And if they're still persistent, you know, hear them out, really try to work with them then, you know, but if they make it to four, it's it's probably a real deal, right?

Right.

And I I just remember when I was working for a credit bureau, and the business wanted to do some sort of work in China, right? And security was just saying, absolutely not. We had a we had a pen testing, or it's like an offset offensive security director that came straight from the NSA and his whole team, you know, he just pulled directly from the NSA, and they essentially like had

Security Enables Business Outcomes

a black budget from the security department, which kind of frustrated everyone else to put it lightly. And they were pushing back super hard on it. And when they got overrode by the CEO saying, no, like we're gonna open an office in China, you guys need to figure out how to make this work. They immediately said, Okay, well, can the people just live in China? Do they have to come back? And they're like, No, we need executives to be able to go from here to there and no problems. Like, figure it out, right? And of course, you know, through us working with them, you know, we come up with a burner plan where you have a burner phone, you know, you have a laptop burner, you figure out how to transfer data if you need it, you know, like all that sort of stuff. All these different policies that wouldn't have existed beforehand. It's like, okay, now we took our we took our security skill set, adapted it, and made it work for the business. And I think that that's something that a lot more people are picking up on, but it's still a dicey area with AI because I feel like the security people are trying to just keep up with the technology itself. You know, they're trying to just learn the new the new technology as well.

Security people are trying to keep up with the technology and and ensuring that as the organization continues to use these emerging technologies that we can maintain some level of security. And and you talk about the history of the security organization and the role that the security organization plays. I'm old enough to remember, and again, I got started, you know, super young, but I'm still old enough to remember when we questioned whether or not we would allow people to use the internet their work computers. Wow. I'm also old enough to remember when we would question whether or not people could make personal phone calls from a work phone. I remember when we would question whether or not we would allow people to use their personal email on a work computer and whether or not we would allow people to use social media work. And so when you think about it, security has always sort of played, I'm going back to the the point that you were making, like playing catch up. Security was always seen as like this organization that would determine whether or not you could leverage the emerging technology. But guess what happened every time? Every time, guess what happened?

We gave in every time.

I wouldn't say we gave in. I was adapted. I would say that that we I would say that we enable the business to take risks.

Yeah, right.

You see, that's that's fight.

That's that, that's that, that's that old mentality in me, you know. Like my my CISO, one of my former CISOs would describe me as like pit bull on a chain. He's like, look, I'm gonna hold back Joe as long as I can, but when I can't, he's gonna have his way with you.

And I would say this, and and I say this from experience. And every SISO needs a Joe. Yeah. I have yet to work at an organization where I did not have a Joe. Every security organization needs a Joe. Because you do need people who when the CISO is like, we enabled the business, you didn't need someone in your corner saying, no, we didn't. We gave up. Yeah.

I won't let you forget we gave up.

Yeah.

Yeah. No, it's uh it's an interesting dance. You know, it's like I don't want to call it politics, but it's it's an interesting, you know, concession that you're making, that you're negotiating with the business. You're maybe not even negotiating. You're you are literally forced to be creative, which is something that I never viewed myself as being, you know, I never viewed myself as artistic or I just viewed creativity as like an art, you know, an art discipline, right? Not something with technology. But security really makes you be creative because you have to figure out, you know, oh, okay, we need to allow gambling sites in our environment, but only 15 people need it. Well, how do we make it work for those 15 people wherever they are? And it has to go through our technology because we still have to capture it, still have to monitor it, you know. That's a creative problem. That's a creative solution that you have to come up with, you know. And and yeah, like I I totally agree with you. I feel like CISOs definitely need someone like that, you know, in their corner that isn't just like ready to fight, but like willing to fight, and but also is calculated, right? Where it's like, hey, the CISO tells me, you know, hey, let's be a little bit, you know, relaxed on this area. It's like, okay, you know, I'm not gonna fight you on it. Here's the risk, but I'm not gonna fight you on it, you know.

He

That same CISO also described me as like a a serber merc cyber mercenary, because he was in the military too. And he he said, you know, Joe operates like a mercenary that we work with in the military. You tell him the end goal that you want. Maybe you give him a timeline as to when you want it. And when he delivers, which they do all the time, every single time, you don't ask him how he did it, right? You don't ask him where the bodies are. You don't ask him what he had to do, who he had to pay off, how many drinks he had to buy. Like none of that matters. It's done. It's in front of you. That's all you need to be looking at, you know?