Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Click Bait: Why Even Tech Experts Fall for Social Engineering
Dive into the fascinating world of social engineering with Joshua Crumbaugh and his guest Arnaud Lucas, CTO at Cambridge Mobile Telematics. This eye-opening conversation reveals why human psychology, not technology, sits at the heart of cybersecurity defenses.
From Arnaud's childhood journey into coding (when his father refused to buy him a gaming console and challenged him to code his own games) to his development of security-first approaches at major companies, the discussion explores how technical leaders can build truly effective security cultures.
You'll discover why role-based security training dramatically outperforms generic awareness programs, with studies showing it's 15 times more effective when contextual to daily work. The conversation tackles the counterintuitive truth that the best security measures don't add friction—they remove it, making secure options simpler than insecure alternatives.
The most chilling segment explores the rapid evolution of AI-enabled threats, particularly deepfakes that can clone voices and create hyper-targeted attacks. While technology has its place in defense, Arnaud and Joshua agree that organizational culture, robust processes, and employee empowerment provide the strongest protection.
Whether you're a security professional, developer, or business leader, you'll walk away with actionable insights on securing your organization through simplicity rather than complexity. Because as Joshua reminds us, "We're not hacking systems, we're hacking behaviors"—and understanding this principle is your best defense.
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Show Introduction
Speaker 1: Firewall where human insight trumps every trick. We're not hacking systems, we're hacking behaviors. So you won't click no complicated code, just tried and true brain science at play. Social engineering for good. The best defense is in your mind today.
Speaker 2: Welcome to Phishing for Answers. The opinions expressed here are solely those of the individuals involved and do not reflect the views of their employers. Get ready, because the next live episode of Phishing for Answers is starting right now with your host, Joshua Crumbaugh, the
Speaker 1: CEO of PhishFirewall.
Guest Introduction: Arnaud Lucas
Speaker 3: All right. Hello and welcome to another episode of Phishing for Answers. Today I've got Arnaud Lucas with us. He is from Cambridge Mobile Telematics. Arnaud, tell us a little bit about yourself.
Speaker 4: Sure, as you can hear from my accent, right, yeah, I'm OG for France, but I've been in the US for more than three, six years now, and so I'm currently based in the Boston area. So on the East Coast I'm a CTO, VP of Engineering. I do different, I've done different things over the years, and I like kind of to inspire, like, high growth technology first organizations. I did that at TripAdvisor, I did that at Wayfair as well.
Speaker 4: I started as an engineer, very much with hands-on expertise in technology and architecture, but I've done plenty of technical innovation projects using AI, data, cloud technologies. I'm very much concerned about security, because that's always a threat that exists in any organization at any level. So that's something that I deeply care about, and you could say that one of my superpowers, that seems like a very product thing to say, is to kind of bridge the gap between strategic ambition and technical execution, so being able to effectively deliver what your companies actually want. And I'm passionate about technology. I'm passionate about building and scaling diverse high-performing teams, and voila, that's me.
Speaker 3: I mean, that's awesome. So how'd you get into technology? What was the draw?
Early Journey into Technology
Speaker 4: It started a long time ago, when I was nine, so don't try if you want to go that far, but ultimately, right. So when I was nine years old, for Christmas I asked my father, hey, I want a game console. And my father said no, and my friends were going to give you a computer instead, and that time it was a MO5, I think it was a French computer, personal computer, and so as I could?
Speaker 4: Your computers can run games. Uh, sounds good to me. But then when I received the computer I was like, where are the games? And my father went, where are the games?
Speaker 3: I remember having that same thought when I first got onto a computer myself, but continue.
Speaker 4: Yeah, so exactly. So I was like, where are the games? And my father was like, well, if you want games you have to code them. So I was like, okay. So I don't know if you remember, by the time, when this typing, listing thing that can be in actual catalogs and stuff, and there was always a mistake in those things for some reason.
Speaker 4: It never worked, and so I started debugging those problems to make them work, and then went from there and started coding, and then I took computer science classes in high school, then I did computer science major and so on. So that's really how I got started. Really from the coding side. Hey, I want to play games.
Speaker 3: I mean, for me it was similar. I mean, it wasn't really as much about wanting to play games, but I wanted to know how things worked, and so just getting out of the computer, initially it was, well, how does this work? And then I ended up helping everybody, and then it was, well, why don't I just write an application to do all of this help for me, so that I'm not constantly providing this tech support? And, uh, and it just sort of went from there. But I know, early on, the thing that just fascinated me was the internet. And, uh, and how do we build these websites and these web applications? And I just thought it was the coolest thing in the world. I still do, I mean, and it still is. And look at all of the things that come from the internet.
Speaker 3: Almost daily we still get new, uh, new uses and, uh, incredible things that we're able to do with it. So, yeah, it was just, it was that desire, and I know wanting to know how things work leads to, well, how do you break them? And that, I guess, is how I ended up being a hacker. So you spent a lot of time in development. Secure coding, well, it's barely something they teach now. It was certainly nothing that they taught back in the day. So talk to me about how you got exposed to cybersecurity.
Entry into Cybersecurity
Speaker 4: So when I moved to the Boston area, I actually worked for a company called Iron Mountain, which is a Boston-based company, and traditionally their business is paper archiving and paper trading, but I worked for their digital division, which was focused on doing the same thing, but for digital assets. At that point, what I loved about Iron Mountain is that they were very concerned about, and part of that because they are very big customers, they are very concerned making sure whatever they create is very reliable, like the quality is there, but also very safe, because obviously, if, because I was working on this next generation digital archives and obviously both things were not safe or both things were not reliable, then that's a big problem for the customers for no reason. So they specifically hired somebody very security focused, and that person said, you know, promoted the same thing that you're promoting, which is, ultimately, everybody in the company should care about security, especially the engineers, especially the software developers, right, because at the end of the day, it actually doesn't take more time necessarily for you to code something insecure versus something secure. It's more like a state of mind. Are you thinking about creating secure code versus not creating secure code?
Speaker 4: So back then that person decided that it would be good to teach people about security, and I was one of the students. I was an architect on the platform, and then, but with the goal of that person becoming effectively evangelist for the team that they are on, to make sure that everybody else then cares about secure coding processes. So it's kind of a domino effect or pyramid scheme, but so that I get to learn about security and security coding practices, I get to hack different systems and to understand what it means, obviously in a safe, self-guardian environment, and then, based on that, I can talk intangibly with my peers about why it's always things that we're doing. It's important to do that a certain way. So that's how I got started. When I went to TripAdvisor, when I joined TripAdvisor, TripAdvisor was not that old, actually, it was still very small, like all the engineers could fit in a conference room, which obviously exploded after that. But two other same thing, like a lot of the content that TripAdvisor was showing were public content. So as a security, you know, people care, but like anybody else, right, that was the thing, because there was not much to protect.
Speaker 4: However, one of my first projects at TripAdvisor was to implement instant personalization with Facebook, meaning that they find that, you know, if you come to the TripAdvisor website, we recognize that you're a Facebook user and we personalize your experience. It's on your friends' content on to browser. At that point, Facebook is like, well, that's great, but then you are getting access to one of our own token for the user. That needs to be properly protected. Therefore, you need to run a penetration test, you need to understand your security posture, of course, yeah, and so, which makes sense.
Speaker 4: I mean, totally agree with that, but that was a change for TripAdvisor that if we had to drive, so in addition, to actually implement instant personalization and drive effectively improving our security posture at TripAdvisor. But from that I recognized effectively, because I got exposed to OWASP and OWASP Top 10, specifically on the web aspect of things, and I realized that there was a need to something educate software engineers on the secure coding practices and the danger of not following these secure coding practices. So I started to run training on a regular basis with a whole engineering team to get them exposed to that.
Speaker 3: Well, that brings up a really good point.
Speaker 3: Role-based training, I think, is an incredibly critical part of any training program, and the reason is that, while cybersecurity is everyone's responsibility, the developers have a very different role in maintaining cybersecurity than your finance team does, and so, you know, you want your developers being trained on OWASP Top 10 and those different types of attacks and how to prevent their code from being vulnerable to it, but that wouldn't do your finance team any good. So what is your thought on that? I mean, I see a lot of companies still doing that sort of one-size-fits-all and not necessarily doing that developer training as part of their awareness program.
Speaker 4: I mean, ultimately, I think that's obviously a mistake, right, but for multiple reasons, right. There is a fact that that's the right thing to do. To your point about getting engineers, I can say that, exposed to how code could be compromised, but also what are the best practices, therefore, to change our code, and specifically here, in the case of TripAdvisor, what that meant for me is, because we did the pen test, I could actually match up: this is the OWASP vulnerability, this is example in our code where we were impacted, and this is the solution, which usually, most of the time, is not a big solution necessarily. Like it doesn't take that much time to fix, and so I could really get the developer to say this is the issue, this is the compromise card, this is how you fix it, and really get that full circle. The other reason why it's important to do this whole best training is for even co-plans. I've been paid in companies where we take payments, so we have to be PCI compliant, for example, and PCI calls out that you're physically, you're a software engineer.
Speaker 1: Yes.
Speaker 4: Or security practices, right.
Speaker 3: Well, and your payment cardholder data handlers, which your finance people. They call out that one as well. Yeah, exactly.
Speaker 4: But, to your point, there are different things that you have to teach each one of them, right? So, you know, and I think that's what they call it, and I like that. But the point that there is also a compliance aspect that companies need to be aware of, yes, um, which may not be the main, well, you want to be compliant, but you start the most appetizing thing to say, oh well, doing things because of compliance, yeah, but ultimately I do believe in this case that's actually the right thing to do. So, yeah.
Speaker 3: I mean, I, I, I wish I could remember it. I saw this really great definition of GRC earlier today, um, uh, on LinkedIn, but, uh, but if I try to repeat what I saw, I'm just going to tear it to like that, just.
Speaker 1: I'm going to butcher it.
Speaker 3: So I won't. Um, but I think that in general, if we just do the best that we can, we're always going to be on the right side of compliance, and that's why, to me, we've got to strive more for best practices than anything else. Back to the role-based training. It's been proven that when we can make training contextual to somebody's role, that it is 15 times more effective, and it's because it goes from, hey, you know, there's this anonymous threat that exists somewhere on the Internet that might get you, to, hey, let me tell you about a threat that you're going to face every day in your job, and it just makes it that much more personal. But the studies have shown 15x improvement.
Speaker 4: Yeah, I'm not. I mean, I haven't seen that. But yeah, I will not be surprised. That sounds right for sure. But because it's more applicable, right, it's not this random thing somewhere that you, most likely employees will say, I don't care about that, so maybe they should, but they don't understand the relationship.
Speaker 3: Yeah, so what are your thoughts on how to go about doing training?
Role-Based Security Training
Speaker 3: Because there's a lot of different approaches that I see, but a lot of what we do isn't effective. And so what have you learned over the years to make those efforts more effective?
Speaker 4: I think it depends on the person, but the way I learn is by doing. For me that means two things. One is that if there is any training, more as an exercise. There are plenty of exercises we have done over the years to get people understanding security practices, but not by studying or books or by going through actual watching videos or watching a conference call, but actually by doing, by exercising not knowledge but understanding, even getting exposed to somebody to try to hike into their system and then trying to respond to that or something like that. So I think it's very interesting.
Speaker 3: I think the more hands-on that you can do anywhere in training, the more effective it becomes. So I'm a really big fan of Duke.
Speaker 4: But it's a bigger time commitment. It's much easier, to be honest, to give a one-hour presentation than to organize an exercise where the team will spend half a day battling each other in some shape or form. So that's one way. The other way that I believe is more in creating your systems so that the easier thing to do is the secure way, if that makes sense. So meaning that you're putting things in place already from the tools, from a platform standpoint, from a process standpoint, you name it, where it's easier for you to do things securely than otherwise. And people say that engineers are lazy. It's not that, they value their time, but also they value simplicity, and that's a very engineering thing.
Speaker 3: You know, that's how you phish a developer, is that you just promise to save them time, no matter. I mean, if you want them to click, that is the trick. Now it has to be a phish specific to their tech stack, but that's not that hard to figure out these days, right? So you promise to save them time and, in my experience, that gets them to click. It's interesting. I have noticed that, uh, that developers and salespeople tend to be about equally prone, but they don't click on the same things at all. Uh, developers click on things that'll save them time. They click on operational, like that traditional spear phish, whereas those salespeople, they click on anything social media, so the traditional Facebook phish. They're going to click on that. So I found that interesting. Just the differences and how different people are susceptible to attacks like that.
Speaker 4: Yeah, and so for engineers, basically, what that means is having the right set of tools and things that are easy to use that already do the right thing for them. For example, at TripAdvisor we used to have a long time ago, or they used to have, a UI framework that was inherently insecure and that would not properly escape things, which, as you know, is bad, because that means that you can trick to be vulnerable to XSS in some shape or form.
Speaker 4: And so, yes, you can keep on trying to find the things and fix the things, but usually it's you're paying catch-up.
Speaker 3: Or start with a framework that's secure from the ground up.
Speaker 4: Exactly. You start with a framework that will escape everything by default, and if you want something not escaped, then you have to put some kind of your special things that make it so that it doesn't escape, and in that case that's something you can actually flag. Yeah, what the city commences. So that's the difference.
Speaker 3: I think that can go beyond just development teams. I mean, I think that keeping things simple and making it where it's easier to have security than to not can go everywhere. And I'll give you an example. We've recently deployed passkeys as a company. Now, initially, everyone was freaking out about it, but it's easier for everybody and everyone likes it better than typing in their password because we have it tied to biometrics. And so now, all of a sudden, I've got much, much better password security, or I guess, you know, access control security, but it's easier for my people to access their accounts than it's ever been before.
Speaker 4: Yeah, exactly. So this is exactly what you're mentioning, which is that you make it easier for them and, ultimately, that makes it more secure. Like it's a win-win.
Speaker 3: But I think that should be the goal everywhere. I mean, for so long, cybersecurity was that thing that just got in the way.
Speaker 1: I mean.
Speaker 3: I hate to say it, but we weren't exactly the friendly department. It was, hey, you've got to do cybersecurity because we said so. And while there's a lot of value to gathering the troops and sitting down and talking through all of your vulnerabilities, I also think that, I don't know, I lost my train of thought there completely.
Speaker 4: I'm sorry, no worries, but I see what you mean. If you focus on creating that foundation, then you're going to have a much better security posture than trying to fix it with processes and other things.
Speaker 3: Yeah, what he said. What he said, I joke, okay.
Making Security Easy
Speaker 3: So one of the things that you mentioned was doing that hour-long class, um, and I think that there's a lot of value in doing things like that, particularly with more complex subjects, um, but what do you think about more short-form content at a higher frequency? Like, instead of having that one hour, what if you just have one minute every single week of the year devoted to cybersecurity?
Speaker 4: I think, to be honest, I've never tried like a one-minute. I do, so I mean it depends how you want it to be ingested, because nowadays what is nice is for training to be on people's own schedule, where they can click into it whenever they can. And obviously, if you want that to happen during business hours, which is usually what your engineers would prefer as well, it means that, especially more busy people with lots of meetings, the content has to be shorter so that they can do that maybe in between two conversations and so on. So I really like that from that principle. It makes it more efficient because people can say, oh, I can just do that quickly in between these.
Speaker 4: The question is more what kind of content will it be and how well can it be digested by the employees? It's not just giving them content for the sake of content. It's actually that they are going to remember it. They are going to do something about it. I think it's great if we can make it shorter. It's great if we can make it available at any time so that people can do it whenever they have a minute, so it doesn't get in the way as much. But I think there is opportunity as well for people to be able to ask questions, to get answers, and usually that requires, or at least has better results, when there is an actual in-person discussion or somebody to talk to.
Speaker 3: I love to use vulnerability reports to enhance those conversations. And, you know, hey, we're seeing a lot of injection vulnerabilities across our code. So for the next eight weeks we're going to talk about injection. You know, this week it's SQL injection, next week it's LDAP injection, the next week it's XML injection, and just sort of going through different things like that. I think that it can help to keep it front of mind, and in my experience, it doesn't matter if we're talking about injection or password security, if we're talking about security, security is still front of mind and all of those topics you've learned about stay fresh. Uh, but if we're not talking about it,
Speaker 3: those topics may fade away and, all of a sudden, you know, whatever new shiny object there is becomes the top priority. And when I say shiny object, I just mean whatever the new priority is. You know, there's always that urgent client demand that you're having to meet as a development team, and if security isn't constantly being talked about and pushed, I think you run the risk of, you know, pushing that code without ever thinking about security, not because they don't care, but because they're, you know, they're focused on other things.
Speaker 4: That sounds good. Yes, I agree with that. To your point, it's a combination of making it easy for people attacks that we assume are enabled through AI or these large language models.
Speaker 3: But what are you seeing targeting developers?
AI-Enabled Threats and Deepfakes
Speaker 4: For me, what I've seen targeted is more like the executives, because I got a few where people say, oh, this is my CEO and I need this from you. Or targeting HR saying, hey, I need you to change my bank account for getting my paycheck.
Speaker 3: I get those all the time for my employees. I mean, not really my employees, don't worry, I don't think it's actually you, but about once a week, if not more, I get a text message and it'll be like, hey, this is whoever, just wanted you to know I just changed my bank account. Can you get it updated for me? Or I'll get an email and, you know, it's just. I think that's a fascinating side of it, though, because everyone gets the phish that comes from the boss pretending to be the CEO, but so few people see the other side of it, where, you know, where it's the email from the employee trying to target the CEO. But there's a lot of that too.
Speaker 4: Yeah, nothing like that, but I would argue I haven't seen this specific thing for engineers, but what I've seen is much more targeted to specific people, makes sense. For me it's like text, but I know some friends, like they got codes from people that seems to have the voice of whoever is calling and you're telling them, hey, you need to do this, and usually, obviously, they make it.
Speaker 3: So there's a dramatic situation so that people don't feel things too hard about it, but people don't say things too hard about it, so, you know, people that have already seen or heard deepfakes.
Speaker 4: Yes, exactly. So I have a friend that got targeted like that and, for me, I want to see the future. The text message will become something much more sophisticated. That will look much more problematic will be, oh, it will look much more, probably gonna get so much worse. Uh-huh, uh, so I'm not looking forward to that, but I also know that
Speaker 4: you know, the technology exists, so that, that's just.
Speaker 4: Uh, you know, it's just, you know, to get done on the list to the point that I've become a target or anybody else in the organization is becoming a target.
Speaker 4: If we could, it's just a question of time. So, and the point with that is that, yeah, I think it goes through, um, I would say training helps, right, to be able to recognize some of these type of attacks or some targeting more effectively, which I think is something that CMT does very well, because that's the reality, but these things will become harder and harder to spot, and to potentially's the problem with that. It's really on the employees to detect them, to figure out, oh yeah, this is clearly not, no, this is not from Arnaud telling me to give him a gift card. So, and the problem with that is that, yeah, I'm not sure what technology can help necessarily with that, and because it's so easy, you know, to fake a phone number or to fake anything, really, at this point, that, you know, I feel like it's going to be on the employee to figure things out, and the only way for employees to figure things out is through proper training, and even there, the training will have to keep on catching up if you go into new methods and ways. Well.
Speaker 3: So I mean, to that, I think it's not just on the employee, it's on the company, the responsibility to provide training that stays current and up-to-date on the modern threats.
Speaker 3: But the other area that I think is on the company is to provide that employee with a really good framework.
Speaker 3: I believe it's process and procedure that protects us from deepfake attacks, more so than any technology ever would, and that's low-tech: checking out of band, calling, texting, emailing, whatever it happens to be, but using out-of-band communication methods to validate it, having multiple people sign off on things, you know, sort of like the two keys to enable the nuclear weapon type thing. So I really do think that we're going to have to get tight around our process, our procedure and our training, because when we don't, that could be a million dollars like that, and we've seen it a bunch of times through business email compromise attacks, where they get massive amounts of money because they get in the middle of a wire. Well, what if they can trick people now? And in Hong Kong it was $10 million. I've heard of a bunch of these similar to what you said, where they haven't been massive dollar amounts, but it's only a matter of time before we see some massive, like really, really big losses as a result.
Speaker 4: And I agree in terms of process. But in the situation where you can, you're able to push the employee towards, like, your sense of urgency. The employee, even if the employee
Defending Against Evolving Threats
Speaker 4is aware of the processes you know , may decide to forego these processes for whatever reason .
Speaker 3I mean , I think that's part of the reason culture is so important when building out a security awareness program , because if that employee is afraid to say no , I need to validate this . This doesn't sound right . I want to make sure it's actually my CFO . Then they're going to have those losses . That employee has to be empowered and I think that starts with culture . That starts with a CEO that says you are welcome to question us on a wire before it goes out , you know , or a CFO that says that . So I do think how we think about these things and approach them , and and and and culturize what we're going to do when these happen . I think that's really critical and we've got to be thinking about how do we want our teams to react .
Speaker 4Yeah , totally agree , like there is a cultural aspect for sure . Well , people should feel confident that they can question and double check . Yeah , so I agree with that .
Speaker 3Well , and we saw the recent social engineering in the open source community I forget what it was , I don't know some core element of a Linux or of the Linux platform . And so this guy is a contributor to this open source project . Guy is a contributor to this open source project , gets elevated to approver or authorizer and pushes malicious code . Spent five years working on that plan . That's scary enough that somebody could do that . But someone infilt that's . That's one of those maybe realistic , uh risks . You know we're going to try to prevent it , but you know we can't prevent everything . But what about when a computer can do , because we're getting close , where a computer could write code , could impersonate , that person could contribute , could participate in a project to get to that level of status ? What do you think about that ? I mean , do you think that's a valid attack path or am I just being paranoid ?
Speaker 4Well , I think it's not the case yet . I think what you're mentioning is the notion of agentic or something like that . Not only you ask something like a genii about something , but your genii is able to take action based on its own thinking . I want to say thinking , but gen , you know , jni doesn't think , it forecasts , but based on its own deductions , it can be able to take its own action without having any human intervention in the middle . That's what we're going to do effectively For now . The way that I've been seeing Gen-AI used effectively is more Gen-AI as a tool for humans to use to improve their own productivity .
Speaker 4: I agree, and I worry about going towards having these agents, right, you know, where, potentially, that AI could just, based on what it sees or based on the data it is being prompted with, make a determination. For example, a customer says, hey, you know, I bought this ticket here, I need to get a refund, this is why, blah, blah, blah, and they are saying, yeah, okay, I'm going to give you a refund, and then trigger an actual refund to that person, even though, potentially, that person is committing fraud.
Speaker 3: So I agree, we're not there yet, but a lot of the experts are saying they think we'll get there in 2025, where agents will enter the workforce, maybe not as senior developers initially, but certainly as junior developers. And so I know it's not there yet, but I do worry about a world where a computer, I guess a rogue AI, if you will, can social engineer us at a level we haven't considered. I'm not worried about the rogue, yeah, oh, let's just say that if there is a rogue AI, when I say rogue AI,
Speaker 3: I don't really mean rogue AI, I mean like an AI developed by a criminal organization.
Speaker 4: Exactly so. It's more than AI. That's what I call a bad human behind the bad AI, that is then able somehow to cause problems, and, yeah, I mean that's very possible. The problem is, right now what we're seeing is more from an external standpoint. Right, you have the generic knocking at everybody's door, effectively, and hoping that one of them opens. But the point there is that, as we evolve the technology, that could also be an internal threat. You know, within the company, through tools, through other aspects, where we introduce something that we don't fully understand, directly or indirectly, that can cause this kind of issue. And, yes, that's very possible as well. Something like, how do you prevent that? I think companies need to be very careful, just like they have always been, about what they install in their own ecosystem. That's always step number one, right, is to be very careful and aware of what systems are being installed on every system in the organization, including your own laptop that you're using for work.
Speaker 3: Oh, come on. I can't just install whatever I want? I learned the hard way that I cannot do that.
Speaker 4: Yeah, I'm not playing too. So that's one way I believe we can try to protect ourselves, in a different way. But there are still opportunities that even if, let's say, CMT does that effectively, which I think it does well, the company that we're trusting to bring the right tools over to CMT may not have this kind of safeguards.
Speaker 3: And they get compromised?
Speaker 4: Yeah, I mean, that happens all the time, where
Speaker 3: it's not us getting compromised, it's our vendors, our partners getting compromised. That is our weakest link, or our Achilles heel.
Speaker 4: Exactly so. That's, and there's something with the bot that is not different from having a bad tool, but potentially we allow it to do much more.
Speaker 3: Absolutely. So we are just about out of time here. Before we wrap up, any additional bits of wisdom here for the audience?
Keeping Security Simple
Speaker 4: What I've seen traditionally is security being like this, I mean, we touch on that, right, being this kind of demanding beast that feels outside of what we should care about, but yet we have to comply in different shapes or forms. And I think we talked about that, right. We talk about best practices, we talk about having the tools that do the right thing in the first place. I think it's really, for me, what I care about, which is how to keep it simple: keeping it simple for engineers, keeping it simple in terms of infrastructure and keeping it simple in terms of software, because, ultimately, a lot of the vulnerabilities and issues that we're having are because of the complexity associated with those things. Right, it's complexity in how we do things, process complexity, complexity in the software itself that we have created, complexity with the tools that we're using that are not fully understood by anybody across the organization. And so there is the notion of keeping it simple, and I think it can go a long way if companies prioritize that.
Speaker 3: I like it. I like it, thank you. Well, this has been another phenomenal episode. Thank you for joining us, and we'll see you again tomorrow.
Speaker 4: Thank you so much.