Behind the Screens – Presented by the ClearIT® Partner Program
Ever wonder what really drives business success behind the scenes? Behind the Screens explores the systems, tools, and leadership decisions that help growing organizations run smarter, not harder.
Hosted by Tyler Smith and Chris Harp of Matson & Isom Technology Consulting, each episode breaks down real-world tech strategies, business operations, and modern tools like AI, with insights leaders can actually use.
No jargon. No hype. Just honest conversations about what works, and what doesn’t.
Learn more at clearit.partners/Podcast
Hope Is Not a Strategy: What Leaders Get Wrong About Cybersecurity
Most leaders assume cybersecurity is being “handled.” But in today’s threat landscape, assumptions create risk.
In this conversation, CEO Tyler Smith and COO Chris Harp dig into the mindset shift every organization needs to make: moving from reactive, tool-focused thinking to a proactive culture where people understand the role they play in keeping the business safe.
They share the pitfalls of relying on “no news is good news,” why small businesses are the most common target, and how simple, consistent training dramatically reduces risk. Tyler explains how to build “cyber clarity” at the business level (without getting lost in technical jargon) and outlines a practical annual, quarterly, and monthly rhythm leadership teams can use to stay accountable without micromanaging.
Framing Cybersecurity As Leadership
SPEAKER_02: You're listening to Behind the Screens, presented by the Clear IT Partner Program from Matson and Isom Technology Consulting. If you've ever wondered how confident, forward-thinking businesses make smart technology decisions while others fall behind, you're in the right place. Every episode we pull back the curtain on the systems, tools, and leadership decisions that keep growing companies running strong so you can apply them in your own business. Now, let's get into it with your hosts, Tyler Smith and Chris Harp.
SPEAKER_00: You know, cybersecurity is less about the tools and more about the leadership mindset. So I guess let's uh you know unpack that a little bit. Take me through what you know what you mean by that.
Assumptions, Tools, And The People Problem
SPEAKER_01: Yeah, I feel like cybersecurity is one of those topics, like you said, that just it's it can be scary. Uh people hear stories, uh, they whether that's on the national news or from friends and family sometimes where something's happened and it was it was it was horrible, right? It was a bad experience. And so there's this feeling that, you know, when it comes to cybersecurity, this is something to just be like, ah, I'm afraid of it, I'm scared of it. I don't, you know, and and like anything, when you're afraid of something, the the urge is to run away, right? So just try to ignore it, try to just not even think about it. And uh you and I talk all the time about, you know, there's this this mindset I think that a lot of small businesses have that the right tool uh will will solve this problem, right? Like I could just I you know what I could I could buy a firewall, I could, I could buy uh an antivirus tool or an EDR or some new fancy thing, and that will solve the problem. And uh there's this temptation as a leader to think of it as here's a problem, I'm gonna uh buy a tool, that tool's gonna solve the problem, move on, don't think about it anymore. And I think one of the reasons why we always try to reframe that as a a leadership mindset is cybersecurity has way more to do with your people and and making sure they understand what the uh what the landscape looks like and what to do and what not to do than anything else. Um when it when it comes down to it, tools are part of the solution uh of keeping a business safe and and working and and efficient. Um but it's it th they're not the solution, right? It's just one part of many. So it's it's about framing that as a leader as a problem uh that requires ongoing discipline and training and knowledge, uh, and not just you know buying a tool, slapping it in and calling it good. It's way easier to just trick a human than it is to hack a firewall.
SPEAKER_00: Yeah, social engineering. Yeah, right. Yeah. Um so when you're talking about um, you know, I've I feel like most leaders assume things are being handled, right? Like let's assume um they're not always sure what handled means, though. So we can clarify that a little bit. When you're talking when you talk specifically to business leaders, what's the most common assumptions that they make about cybersecurity? Um We hear this all the time and I twitch every time.
SPEAKER_01: Uh no news is good news, right? No news is good news. I've I've never been hacked before. My people have never done this thing. Uh so that's good. And uh my my counter to that is always, no, no news is no news, right? It's uh the absence of of this is not a necessarily a good thing. It just means um you you know nothing's happened yet or nobody's tried yet. And uh I feel like the important thing to reframe it around when when we talk about how is it handled, whatever, it really comes down to training, training, training, training, training, getting your people the right uh basic understanding of the typical attacks that that come through. I think everybody at this point has received maybe a phishing email, right? Uh uh something that says, hey, your your password has expired and needs to be immediately reset, or there's suspicious activity on your account. Please click here to to try to uh reset it and confirm that you are indeed okay, uh, creating that sense of urgency, that sense of, hey, you need to do this thing right now. Um, the the most important thing for for small business leaders uh to think through is you know, the whole, is it handled, is it not handled, assumes kind of a binary state, like an on-off state to security. And security is never just on or off. It is multidimensional and the best and wide spectrum, right? I guess if you want to label it. Uh the most thorough thing to do is to is to teach your employees how to recognize these threats and and spot them and not do that, right? Not immediately react.
SPEAKER_00: Yeah, and I know we focus a lot on on education side of things, right? Um I'm a firm believer, we are a firm believer that you can't have too much education in that way. And the emails are getting good. You know, you assume someone else is watching the door, maybe nobody actually is, right? Right. Um what you know take me through the specifics or maybe the pitfalls of what happens when people assume that it's handled, right? That it's I'm gonna I pay, you know, an MSP, I pay my IT partner, I pay my IT department. It's I'm assuming it's handled. Right.
Training First: Recognize Phishing And Urgency
SPEAKER_01: Yeah. I think I think that comes back to that same basic idea of if you believe that cybersecurity is a tools problem and not a people problem, then you assume that it can be solved with with tools, right? So that means um, you know, somebody's got it handled, meaning I'm paying someone else to put tools in place to keep this problem from happening. Not I'm investing in my employees' understanding and knowledge to keep them safe proactively, right? And we constantly talk about this idea of being reactive versus proactive, and I think all leaders in small business have a basic sense that it is better to be proactive than reactive. If you are on your front foot and planning ahead and not making assumptions, but rather having a strategy, having an actual plan about, okay, this is how we're going to reduce the likelihood that one of our employees will be tricked by the bad guys, then you'll shift from that mindset of I assume I've got this covered to this is an ongoing thing that we need to invest in and make sure that we're doing consistently because it also changes every quarter, every year. You know, the strategies the bad guys use to try to get in through your people are always evolving. Uh and like you said, getting better. So rather than assume that it's just handled, it basically we we advocate that shift in mindset to this is something to be on the forefront of leaders' minds. It doesn't have to be scary, it doesn't have to be this like, oh, you know, we're we're having this big long drawn-out conversation about security. It really is just simple training plans and behavior reinforcement and and creating this culture of cybersecurity in your organization that celebrates when somebody raises their hand and says, I think I got a fake email from you. And you go, Yeah, you did. Good job. Nice, nice, uh, nice spotting of that, right?
Like uh making sure that you're celebrating those wins and shifting from that like back burner assumption mindset to instead, you know, proactive strategic plan for actually handling this ahead of time.
SPEAKER_00: You do need a little bit of visibility, right? So so walk me through what exactly that means, you know, because um cyber clarity, right? So that's I think if we if we could label it, I guess it's called cyber clarity. You don't need to know the details, but take me through what that cyber clarity, the definition of that means. What does that mean?
SPEAKER_01: Yeah. So first off, it's understanding what the real problem is. Um so if if you if you look at uh most people's vision or or understanding of cybersecurity, it's a big, dark, scary thing that's coming at you. Um and while I would say that can be true, um, it's being clear about what your business can do to keep your data and your people safe is all about um having a plan, having a training uh schedule for people that just says, here's how we're going to prepare in advance for these attacks that are going to come.
SPEAKER_00: At the business level, not at the technical level. At the business level.
Proactive Strategy Over Reactive Hope
SPEAKER_01: So that people, as a part of their annual uh reviews, you know, there's if you have training of any kind in whatever business you're in, make sure that a part of that is basic behavior training on how to recognize cyber threats that are coming at your employees. Because I guarantee you they're coming at them all day, every day. They're coming through text messages, they're coming through uh more and more through uh deep fake phone calls, they're coming through emails, that's the the far and away right now, the most common way. They're coming through social media, they're even coming through Google searches, people going on the internet, typing in a search and having the top five search results be fake. Um, you know, teaching your team how to recognize what those cyber threats are is the first step in cyber clarity. Uh it's being proactive, it's being on your front foot and not waiting for an incident to occur before you recognize that there you need to take action, but rather knowing that this is just an ongoing thing, this is a discipline, this is part of being a business in the modern age. If people use electronic devices that are connected to the internet, you need this in your strategy. Most people have that assumption that, okay, oh man, I gotta send my people away to training. That's gonna be really disruptive, that's expensive, that means they're not doing their job for you know a day or two and they're traveling to some, you know, uh place to actually do this thing. Maybe I have to stay overnight. Like that's that's kind of the old way, right, where this is it's all in person and it's it's extensive. Most of these uh training platforms now offer very small, focused, two to five minute uh trainings that are very specific. Like here's how to spot a phishing email, here's how to spot a phishing text, here's how to behave when you know you get an inbound phone call that that says it's from somebody and you're a little bit you feel like maybe it isn't.
Um all of those things now are in these platforms that are yeah, two to five minutes. And so you absolutely can just apply this in microdoses uh throughout the day and get your people uh trained up on how to recognize it without sending them away to a you know a half day training or a full day training or something like that that's very disruptive. Don't wait until your employees are, you know, a year on the job before you tell them, hey, if you get a a text message, quote unquote, from the quote unquote CEO, um maybe you should be suspicious of that. Um do that as a part of onboarding, do that as a part of the like uh offer letter acceptance process. You know, like we never ask anybody for these kinds of things. And it feels maybe a little bit uh peculiar, like we're a small business. What that's never gonna happen to us. And I think you said it earlier, you are the most likely target for this kind of thing because the bad guys specifically try to target small businesses because they know the processes are usually not as well built out. In an enterprise company at scale, they have very detailed processes and tools and teams to handle this stuff. So small businesses are more likely the target of this kind of behavior and activity than the large ones.
SPEAKER_00: Yeah, the larger ones are most likely are putting forward a you know full-fledged investment. They have a strategy, a defined business continuity plan. They're putting forth uh a concerted effort in this area. Their attack vector is a lot larger. Um the smaller businesses, to your point, maybe don't have that. I mean, we work with a lot of businesses that do, which is great. Um, but maybe they don't have that. And so they are while they are a smaller attack vector, if you can get five of those, five fifty-person offices is you know better than targeting, you know, one 250-person.
SPEAKER_01: This happens. It happens all the time. Don't be afraid of it. Don't put your head in the ground and try to just um hope that it doesn't happen, but rather plan for it and give your people, including the newest employees, the tools, the simple tools in behavior modification to actually handle that and not think twice. Cyber clarity at the end of the day means you are prepared, you have a plan, and you've trained your people. And uh also you have tools, right? But way more about the the preparation and the planning and the and the the training side of things than than the tool side of things. Absolutely.
SPEAKER_02: This episode of Behind the Screens is brought to you by the Clear IT Partner Program from Matson and Isom Technology Consulting. If you've ever had that sinking feeling that your tech just isn't doing what it's supposed to, you're not alone. Maybe it's the constant tickets, maybe it's the security risks, or maybe you just don't know what you're paying for half the time. That's where Clear IT comes in. We built it for leaders who want to stop firefighting and start planning. With the Clear IT Partner Program, you get a dedicated team, real strategy, and systems that just work. No more waiting, no more guessing. Imagine your IT actually helping your team get more done and your business feeling more in control. That's the whole point. Want to see how it would work for your business? Schedule a free consultation today at mitcs.com slash hello. Now, back to the show.
SPEAKER_00: All right, so a lot of leaders genuinely trust their IT providers or their IT team, right? Their internal IT team. Um, but that trust can sometimes turn into distance, right? Maybe they they have it, you know, we go into the assumption side of it, you know. Um how do they stay engaged without micromanaging? And in another another way of phrasing that is what's the difference between trusting your IT partner and abandoning responsibility?
SPEAKER_02: Yeah.
Cyber Clarity: Plans, Micro-Training, Onboarding
SPEAKER_01: I think this is a a great topic because it's you see it all the time, uh, especially in in areas like IT and technology where there's a lot of complexity. You know, there are a lot of tools, there are a lot of acronyms that get thrown around. And um when it comes down to it, having this kind of basic understanding of accountability around uh cybersecurity is really important. So uh what does that mean, right? And we talked a lot about training already, but um accountability around training, it means having a tool that actually tells you uh or reporting on maybe a monthly basis that says how many of my staff are actually taking this training, how many are completing it? Um if you have testing tools in place where you're literally sending out emails trying to see if your employees are more likely to click on fraudulent links, um, then you're you're reviewing those reports, right? You're you're shifting from, okay, we have a plan, we're on our front foot, we're proactive, so we're we're getting out of assumption land, and now we have a plan. Security only works if you actually hold that plan accountable in some way. And so one thing to ask of your your internal IT or your IT partner is what can we do on a regular basis to to confirm that this plan is actually happening? And uh it like I said, it can be as simple as you know monthly uh reports that just show, okay, yeah, I have you know uh 25 employees, 35 employees, and of those 35 people, uh 80% of them are taking the cybersecurity training and passing it, you know, just just doing the basic, simple, yes, they watched it. Um and maybe those those people who didn't yet take it were following up with them. You know, hey, uh I need to make sure you do this. Maybe that's something that you can delegate to the tool and you only check on it quarterly or something. Um but cybersecurity is all about diligence and making sure that these things are actually happening.
So moving from assumptions to accountability is all about having some basic things to measure. Is the plan working? Um because if you put a plan in place and nobody actually does it and you get uh compromised because the person that fell for that one phishing email was one of the only people in the organization that literally didn't take the training, um then that becomes the Achilles heel, right, of your strategies because if you if you just put the plan in place and you never actually ask, are we doing it, then um then there's too much gray area.
SPEAKER_00: So how do you balance that then? Because you could you could one could make an argument to say, like, okay, how do you avoid micromanaging on that, right? Like that's a hard Yeah. You know, you want to be involved, you want to know the details, you want to understand it, you don't need to dive into the tool set or anything like that, but you gotta find a way to to balance that out without jumping in and trying to micromanage something.
SPEAKER_01: And it's a spectrum. So I think you know, we talked a little bit earlier about the idea that cybersecurity is not a light switch. You know, you don't it's not either on or off. It's a it's a continuum. And if you're going from zero strategy and zero training to a strategy that includes training and making sure that people are doing what they're supposed to be doing, um I tend to want to measure success on how far have we come, right? So not did we reach 100%, which is the light switch model, right? Like it's it's we're 100% protected because every single employee has taken every single training we've asked them to. But if you can go from nobody has taken any training to 75% of the staff have taken training, you've already dramatically reduced your risk profile in in the world of cybersecurity. Now, the other important thing to know is there is no such thing as eliminating your risk profile, short of literally disconnecting from the internet and going back to just like you know, paper and abacus or something, as you'll say. Uh there's always some level of risk, but it's it's important to understand that it's a continuum of risk. And it goes from we've got no plan and we're just hoping that nothing happens. Hope is not a strategy, uh, to we are very diligent and we make sure every single person in our organization does everything all the time. The reality is, as a small business, you're probably not going to get to the 100% mark. It's just it's probably just not going to happen. But it's also not a bad idea at all to get from 0% to 50%, right? If you can get half of your staff effectively trained on this, you're cutting your risk in half. You're not eliminating it, but you're significantly reducing it.
SPEAKER_00: That could be complex, right? I mean, even the just the dynamic in itself can be complex. You know, and I think most executives, I think uh, you know, I think we we really gravitate towards clarity over anything. Try and avoid complexity because if you can clarify something in the weeds, if you clarify something, you can measure it, right? Um complex things are challenging to measure, so until you can clarify it, you can't measure it. So um, you know, what's your idea on you know how leaders can create visibility without, you mentioned getting stuck in the weeds, without getting stuck in the weeds, without the micromanagement, without operating here while you can still maintain your high-level perspective on things, but you still want to create that visibility at multiple levels.
Small Business Risk And Culture Wins
SPEAKER_01: Yeah, I think it comes down to helping people understand what the problem is. And that's what any good leader does to start with, right? You can't or you shouldn't have a strategy unless you have clarity on what the problems are and what the vision is, right? What do you do as an organization? What's keeping you from getting that thing done? And if you establish the problem as there's just a bunch of bad people out there and uh we don't have good enough tech to keep them out. That's a different problem than our employees are being targeted every day to uh to be tricked into giving away data. And if you frame the problem well as a leader, then you can help people buy into the strategy of solving that problem. And so you know the stuck in the weeds part usually is the f the first scenario of, you know, our tools aren't good enough, so we're going to deploy a a new EDR, we're going to have a whole new system and we've got to do this and that and the other thing and there's all these little steps involved and then people's eyes kind of glaze over and they're like, oh great. More stuff, you know, more tech. More money to spend on the tool. Right. That's it. And so you you don't want to get mired in that if at all possible. You want to focus first on the principal problem, which is people getting targeted and and tricked. But then it starts to lead you into like, okay, well what happens if someone does click on the link? What happens if someone does put their username and password or their email and password into that fraudulent website that then steals their credentials? What do we do then? Right. That next stage of planning is really important because that can actually help how you address those things when they happen. And I do say when and not if because even if you have, like we said before, 75% of your people are trained, that 25% just they can never quite get that training done. They're super busy.
They're already working 50-hour weeks, this is one more thing. You know, I'll get to it eventually. And then, surprise, they're the ones that get compromised, right? Having having an actual business continuity plan and then thinking ahead about okay, what if this happens or what if this happens, and when this happens, how do we do that? I think that's a good conversation to have proactively with your provider as well.
SPEAKER_00: Yeah, and I think what if, you know, what if scenarios are are challenging in and of itself because you could what if all day long, you know, but at least you're having the conversation, right? And and you know so we do we do strategic planning meetings, we were, you know, work with a lot of businesses. When we're having these conversations or you're you know maybe at a an event with other business leaders, what surprises people when when these what if scenarios come up? You know what what is the the thing that really is like, I you know I never thought of that or or anything.
Sponsor: Clear IT Partner Program
SPEAKER_01: You know, what is what do those surprises look like? I feel like there's there's two two answers to this question. One is um the like outlandish, super rare, weird, clever scenarios that are like, man, that that'll never happen twice. And those are fun stories to tell, right? They do happen. But I think what surprises people most about these conversations is just how simple most of these attacks are. They're not super sophisticated, like a nation state compromising somebody's phone in their pocket, which then infects the refrigerator, which then bounces over the security camera, which then gets into an email account of a vendor, which then emails, it's like, you know, that doesn't happen very often. Now if you're like the Department of Defense or somebody with, you know, a billion dollars and literally one account somewhere, maybe that'll happen to you. But I think most people are surprised by just how simple most of these attacks are. It's that text message, hey, I've got something for you to do, can you respond and let me know, that evolves into eventually giving away some kind of the social engineering. The simple human-to-human or sometimes bot-to-human um ways of tricking people, it's I think that's most surprising to people because they, you know, people watch movies, right? They oh they see all these clever things, and like George Clooney uh, you know, typing in a a really complex password and immediately bypassing all the systems, it's like, wow, that's really clever. And I think most people are just surprised that the vast majority of these attacks are the opposite of clever. They're super simple and they just rely on good people who trust being tricked through urgency.
Trust Without Abdication: Accountability Rhythm
SPEAKER_00: Yeah, urgency is a huge one because I think that's the that's the prey mentality: this has to happen right here, right now. Well, let me go and ask so and so. No no no, it's got it's got to happen right now, you know, and preying on that urgency, because if there's a sense of urgency from a business leader, from a CEO, from a CFO, some from a COO, it inspires action. It inspires action quickly now. Yeah, I don't want to let them down. Yep. As part of a leadership rhythm, specifically a leadership rhythm, right, um how often should business leaders be having these conversations?
SPEAKER_01: So at minimum annually, right? When when you get to the business continuity, the the high level business planning, um you should be with your leadership team, um, you know, sitting down uh on an on at least an annual basis. Try to maybe align it with your business plan, right? If you're doing an annual budget, if you're kind of laying out what the next year is going to look like, part of that conversation should be around business continuity, cybersecurity, what are we doing to improve this? Because at the end of the day a lot of this is a risk conversation. So the way most small businesses deal with risk is they buy insurance, right? They they go out to a marketplace of third parties that say, here, we if you pay us X amount per month we will insure you up to this amount of risk. And uh so I think most people at this point have a cyber insurance policy through their insurance provider and they believe that checks the box. And what we always advocate is, at least on an annual basis, review that. Do you even know what your cyber insurance plan covers? Do you know what it requires? Have you ever done the due diligence to just review that at a business level, not a technical or a super deep dive, but just do you know what it actually even covers and whether or not it will pay if you haven't done certain things like implement an employee training program. So that's annual. On a quarterly basis I think you need to be reviewing with your internal IT team or your partner to say, you know, what have we done in the last quarter? What's what do we have coming up? What's our training to get towards that 90%, to get to get that accountability plan in place? So you can create the plan on an annual basis but you do need to look at it quarterly to say, are we doing what we thought we would do? Do we have tools that can tell us, if we have 35 employees, how many of them have actually taken the training we told everybody to take in the kickoff meeting for the year? Is it 2%? Is it 10? Is it 20?
Is it all of them? So quarterly there should be that accountability rhythm, you know, how are we doing along that plan? And then on a monthly basis there should be the the real um the little bit more dialed in portion, which is just the touch point, you know, uh are we doing those uh how are we on that quarterly progress? Sure. So annual, quarterly, monthly. If there's no plan and you're going from nothing to something, then it might take a little bit more attention than just once a year. But once you've gotten some some outlines of a plan in place that says, what will we do if our if our internet connection goes down? How will my staff continue to work?
SPEAKER_00: Very much depends on your industry. So you have the business plan, then you have an incident response plan. And I do believe on a lot of cybersecurity insurance forms we do see, do you have a business continuity plan? Yeah. Yes or no? Do you have an incident response plan? Because that's the what if scenario.
SPEAKER_01: When's the last time you tested this plan, right? Like those these are questions that that are asked because they're important questions. And they define I I always tell people, pay very close attention to what that cyber insurance questionnaire is, because every question on that form is there for a reason. And it's because it helps them understand how big of a risk are you to insure? If you answer no to too many questions on that form, one, you probably won't get a policy. Two, if you do get a policy, it'd be a lot more expensive. And three, you really should stop and think, why do I why am I answering no to every one of these questions that an expert third party is asking about my risk profile? That should tell you something, that your risk is higher than it should be and that there should be a plan to address it. Because I mean, look, like at the end of the day the job of a leader in a small business is to define the why, right? To define the vision of the organization and why are we here, why do we do what we do. They can they can partner with a team that defines the how, right? Like that can be your internal IT, that can be a third party partner. But but where businesses are successful in preventing these cyber attacks is when, you know, the leaders establish why are we doing this? Why are we why do we have a business continuity plan? Why are we doing the training? And then a partner says, here's how we're implementing those things and here's what it looks like and here's how accountable we can hold everybody. When those two things stay connected, your risk drops dramatically. You just end up going to, okay, now we have an organization that is much more resilient and ready to withstand the the attacks than the one down the street that hasn't clarified the why or the how.
SPEAKER_00: Sure, we have the we have the proactive measure over here, we have the reactive measure here in the event of something happening.
SPEAKER_01: And if all you have is the how, by the way, that's a problem too, because no one will do it, right? Sure, if you haven't clarified the why and inspired people to take action, the how matters a lot less, right.
SPEAKER_00Absolutely okay so fear can get quick compliance, right, when we're talking about that, but it rarely builds long-term accountability. Why would you say that fear is one of the worst motivators for cybersecurity?
Measuring Progress On A Risk Continuum
SPEAKER_01Yeah, we talk about this all the time, and we hear this from people: this idea that the best way to motivate quick action on cybersecurity is to scare people, right? I think you put it perfectly just now: it's a great short-term strategy. We've seen this over and over again, throughout everything: if you can make people afraid, you can inspire quick action. But people get numb very fast to fear. And the way that most people deal with fear in the long term is they just start ignoring it. They're just like, oh man, yeah, out of sight, out of mind. Didn't you say last week that all of my data could be compromised and my kids' photos could be stolen from me? Man, I've heard this story before; I'm just going to shut off. And so if the way you try to build a culture of cybersecurity in your organization is by trying to scare people, then basically that works exactly once and then never again, because people are like, well, I was scared and then it didn't happen, and so all of that fear and anxiety was wasted.
SPEAKER_00No, I would agree that fear is probably one of the worst motivators for cybersecurity. It's a single point of failure.
SPEAKER_01Like you said, as soon as it doesn't happen... you prepare for it, and as soon as it doesn't happen, it's like, well. And I would say the worst part about it is it's exactly the tactic used by the bad guys, right? They're trying to motivate quick action through fear, and it's causing anxiety. Maybe you're not directly afraid, but you're worried, and that way of motivating action is exactly what the bad guys use in the phishing tactics that are the primary method of attacking people. So whatever you do as an organization, as a leader in a small business, don't lead with fear, because again, that's a one-shot strategy, and you're actually kind of indirectly reinforcing the tactic of the bad guys by saying, be afraid, be very afraid, do this action. Then you're basically training people to do the same thing with incoming emails. So don't use fear. I think people need to understand the stakes, so they need to understand generally the why: hey, the reason we're having these conversations, the reason we're taking this training, the reason we're celebrating it when somebody raises their hand and says, hey, I think I just got a malicious email, maybe I'll forward this to our IT partner to analyze instead of just clicking on it. Celebrating those things as the behavior that you expect in the organization: to have people that are cautious and mindful and careful when it comes to incoming messages that drive that sense of fear.
SPEAKER_00This is a hard line to walk as a business leader, because it's scary.
SPEAKER_01It really is. You see things from Ocean's Eleven to any other movie, right? It's scary, so it is fearful, but you don't want to lead with fear, because, one, it drives numbness over time, and the more something doesn't happen while you're beating that fear drum, people just get numb to it and they stop listening. They're like, you know what, you tried to scare me before, it didn't happen, and here we are again, so I'm just not going to listen anymore. So creating that culture of cybersecurity where you're saying, hey, the stakes are high, we need to do this as an organization so that we can achieve our mission. As a business, as an organization, as a nonprofit, whoever you are, you have a mission, and cybersecurity is one of those things that is a risk that can derail your mission. The worst ones are the ones that can actually completely interrupt or take away your mission by some very public compromise. And so there's absolutely an undercurrent of fear in this, but if people as leaders and organizations can convert that into motivated, ongoing action, then it's much more useful.
Define The Problem, Then The Plan
SPEAKER_00Yeah, I think one of the ways that we've been successful in having these conversations in our organization is we frame it as an investment: we are investing in our security posture, we are investing not so much in the tool set but in the mindset of it. And so I love the idea that security should be part of how people work, not something where it's, oh, I've got to add that into my mind, this is just one more thing I've got to think of. And I think leaders can help instill that without the fear side of it. So I like the idea that it's more part of how people work. From your perspective, how can leaders create that culture? We talked about culture, and how we frame it is very much as an investment. How can leaders create a culture where people speak up, they learn something, then they take ownership of something? It starts with establishing the vision. It starts with, as you said, incorporating it into what people learn and how they do their job, not as a bolt-on, like a side thing, you know, do all of this and also, by the way, take this thing, but rather front and center.
SPEAKER_01This is a part of how we do what we do, and how we stay safe, and how we manage risk, and how we achieve our overall goal, our mission as an organization. So making sure that that is discussed, that it's brought up at company meetings, making sure, like we said before, that you are celebrating when people speak up, right? When somebody gets that targeted text message, or that email that looks really convincing, or they're out on a Google search and they see a website that says, hey, download the Zoom client today, and they look at it and they say, there's just something a little bit off about this, and then they pause, they reflect, and then they involve an expert like an IT resource to help reassure them whether it's valid or invalid. Celebrating those things is part of what helps build culture. And if you always treat cybersecurity as something that's just, oh, we have to do this, take the training, I'm so sorry... if you as a leader are approaching it as, I'm apologizing for this extra work I'm giving you, then you're automatically framing it as something that isn't important, that they just have to do, not a priority. Not a priority. Yeah. If you instead say, hey, I understand this is some additional work, but this is really important, and here's why, sometimes involving some personal stories, or talking about the stakes and understanding that we as an organization with our mission, especially when it's nonprofits, help this number of people every day, if you have those stats or those numbers, so an outage or downtime or a compromise would prevent us from being able to help a dozen people, right? Understanding the stakes in a way that is not just cataclysmic, like, ah, the world is ending, but tying it to actual business outcomes is part of how you build that culture.
And I think the best advice that we give people is just building it in, baking it into your overall organization. This is how we do what we do, and it is important, and it does add a layer of security and reduce our risk, which is how we better achieve our mission.
SPEAKER_00Sure, and so you're talking about baking this in, this is just part of our everyday, right? So how are the cybercriminals baking AI into these types of attacks, and how are they leveraging it?
SPEAKER_01That's a good question, because I would say even just three years ago, maybe even just two years ago, one of the main strategies for teaching people how to spot fraudulent emails, fraudulent communication in general, was to look for simple things like misspellings or grammatical issues or any kind of sign that might tell you that whoever is sending you this might not be a native English speaker. That was one of the top five tactics for spotting phishing and fraudulent communication. With AI and the advent of large language models, meaning you don't have to be a native English speaker to generate absolutely perfect text, that's off the table. Less and less is that a strategy to recognize, you know, my boss doesn't typically speak in fragments with commas with spaces between them and a period kind of in the middle of a sentence that doesn't make sense. They can actually build AI models that make that more and more convincing. So at the end of the day, it's about training more, and understanding that this is somewhat of an arms race with AI, where the bad guys are getting better at creating more and more convincing fraudulent email and text. And your IT teams are hopefully getting better at implementing better tools to recognize and keep those things from even getting to you. But at the end of the day, it's training. It's seeing examples of these things so that people can understand: any email that you get that tries to compel quick action out of you through a sense of urgency should be looked at more than once and should be carefully evaluated for authenticity.
Simple Attacks, Urgency Traps, What-Ifs
SPEAKER_00Yeah, and I think training historically has always felt kind of like a checkbox, you know what I mean? We talked a little bit about culture before and creating a culture where people speak up; you had mentioned you want to celebrate those kinds of items. How do you make training relevant? How do you bake that in? You can't just show up and start announcing, hey, this is our new thing, this is what we're doing. You've got to bake that in, you've got to make that relevant. How do you do that? What's the approach to that?
SPEAKER_01And this is where, you know, we've said tools, tools, tools, we're less about the tools, more about the process, more about the mindset. This is a place where I feel like the right training tool does make a difference, because you want training materials that are relevant and that demonstrate the kinds of things that people need to look for in a way that's accessible. If it's super dry and dull, and watching paint dry is the level of engagement that you're expecting out of the content, then even if people watch the material, they may not actually internalize it, right? So I feel like you do need a training platform, tool, or partner that does create modern, relevant, and compelling content for your employees to consume. And also, we mentioned this earlier, it's short enough to be consumed in one sitting, or a series of sittings where you're just doing five minutes here, five minutes there, micro sessions, rather than sitting down and doing an hour-long training on cybersecurity, or a four-hour-long training. But trying to make it short, practical, and at the end of the day, help empower them to feel like they have tools to recognize this kind of fraud, this kind of attack, where before it might have just been some big abstract concept like, don't let the bad guys in, you know. Right. Okay.
SPEAKER_00All right. Lock the door.
SPEAKER_01Then, yeah, I'll lock the door, exactly. I'll watch the door, make sure nobody comes through. But just having a series of trainings that are focused on getting practical strategies to your employees, to be able to recognize and identify what these threats look like, so that ideally they don't fall for them.
SPEAKER_00Yeah, and I think the term that you used a couple of times is effective, right? It's got to be training that is effective, not overwhelming. We've all been to trainings that are overwhelming.
SPEAKER_01It's like, you know, it's all fear, right? Yep. Ten million dollars was stolen from this company, and this person lost their job, and this company had to close, and you're just sitting there through the training, wide-eyed, like, oh wow, that sounds awful.
SPEAKER_00I'm closing all my bank accounts.
SPEAKER_01I want to just go home and not touch a computer ever again. But that's not effective, I feel like. Maybe that helps set the stakes so you understand why it's important. But if the training program you subscribe to is fear-based, long term that's just not going to work.
SPEAKER_00Yeah. And, you know, as business leaders, I think tone matters.
SPEAKER_01Yeah.
SPEAKER_00You know, I think the overall tone matters. You had mentioned the phrasing of things. I had mentioned the phrasing of an investment, right? We're investing, we're doubling down on what we're doing. Tone matters in how leaders talk about security. I believe that shapes how people react. Yes. Right? How you frame it, how the tone comes across, that shapes how people will react to it, how they will respond to it, how they will engage with it, because engagement is a huge thing with security. You had talked about effective training. You want that training to be effective, but you want them to be engaged in it, really truly learning it. Are we learning it for the moment, or do we truly understand it, the core of it? And I think that tying it back to earlier conversations is clarifying: what's our goal, what's our vision, what's the problem that we're solving, all the way down to people engaging in those trainings. Yes.
SPEAKER_01Yeah. And remember, it's a continuum. So you want to go from, if you have nothing now, from nothing to the beginnings of something, and then measure it and look at it over time to judge progress and set a goal. All good leadership sets goals. We want to have X amount of this training under our belts and people aware by, you know, Q2 of 2026, or sometime in the next six months. Basically set that out and then measure it over time, because it won't be that you implement a new training platform and assign everybody a course and everybody takes the training and, getting back to this light switch metaphor, click, now we're secure, right? No, it's an ongoing process, it's a continuum, and it's about reducing risk as an organization intentionally and over time, rather than trying to buy a magic bullet that solves this problem for you.
SPEAKER_00You know, as business leaders, we have an obligation to our employees to help them through that, right? It's not to set the tone out of fear, it's to drive the clarity: go back to what that problem is that we're trying to solve, what are we trying to get ahead of and plan for, and then what do we do in the event of something happening. Right. And so I think tone sets the stage for really all of it, to your point.
SPEAKER_01Absolutely.
SPEAKER_00So if we leave our listeners with one thing today, it's that cybersecurity, frankly, isn't a department, right? It's not a team, it's not essentially a label, anyway. It's a decision that you make every day as a leader, setting that tone, driving that clarity. What problem are we solving?
Annual, Quarterly, Monthly Security Cadence
SPEAKER_01Yeah. I mean, you do not want to have this as something that's just set off to the side, right? That again is a light switch: oh yeah, we just need to buy a newer, better tool, and this problem will be solved for us. You have to own the plan. You have to think of this in the same way that you think of a business plan. How do you manage risk as an organization overall? Cybersecurity is a part of that strategy. And so it should involve basically everybody in the organization. As you grow and mature and get better at this, it should involve your vendor partners, it should involve the people that you interact with. But ultimately you have to look at this strategically, because hope is not going to protect you, right? Creating clarity and creating a plan that specifically tries to move from wherever you are to further along that trail of being more protected, by making sure your people know what to look for, that's what's going to protect you, that's what's going to lower your risk, that's what's going to help you do whatever it is you do better, and with less risk than just crossing your fingers and hoping that you won't get attacked. Thanks for listening to Behind the Screens. If you're ready to take the guesswork out of technology and lead with greater clarity, we'd love to help you build a plan that works. Visit mitcs.com/hello to take the next step. And we'll see you next time.