Musings from the Cyber Trench

The Mindset Shift That Makes Cybersecurity Personal | Robert Siciliano | EP 109

Vishal Masih Episode 109


Cybersecurity expert Robert Siciliano joins Vishal Masih on Musings from the Cyber Trench to discuss why cybersecurity is ultimately a human behavior challenge.

Robert explains why traditional compliance training often fails, how cybercriminals exploit human trust, and why organizations must focus on building a human firewall rather than relying solely on technology.

Robert Siciliano is a private investigator, Certified Speaking Professional (CSP), CEO of Protect Now, LLC, and creator of The Strategic Human Firewall™. He is widely recognized as one of the leading experts on cybercrime and identity theft, with more than 500 television appearances, 1,000 radio contributions, and 3,000+ media features.

The conversation explores how companies can build stronger cybersecurity cultures by helping employees understand that protecting company data also protects their own identity and security.

Responsible for ICAM, Zero Trust, or identity security in a federal agency, prime, or large regulated enterprise?

If you’re trying to move from strategy to execution, start with Zephon’s Zero Trust Readiness Assessment: zephon.tech/zt

Questions or guest ideas? Email defend@zephon.tech

SPEAKER_01

Welcome to Musings from the Cyber Trench, a podcast that goes beyond Crusader's website to uncover the real challenges and breakthroughs in public sector cybersecurity. Each episode features fewer screens and digital experts for which basic security strategies in some of the most complex environments. This is a space for honest conversations, fresh perspectives, and practical insights designed to empower and inspire. Get ready to rethink what's possible and join a community committed to making cybersecurity stronger, smarter, and more resilient. Here is your host, Vishal Masih.

SPEAKER_02

Hello everybody. Welcome to another episode of Musings from the Cyber Trench. Our next guest today is a media guru, cybersecurity expert, and the creator of the uh the Strategic Human Firewall. He's a private investigator, certified speaking professional, and CEO of Protect Now. He's one of the nation's most trusted voices on cybercrime and ID theft. He has built an unparalleled media record appearing on over 500 television shows, including over a thousand radio programs, and being featured as an expert in over 3,000 articles. He is a uh he is a dedicated girl dad, and when he's he is not on stage or on air, you can find him riding his 1987 Harley text with that. Everybody please meet my guest, Robert uh Siciliano. Welcome to the Musings from the uh the Cyber Trench.

SPEAKER_00

Thank you so much. Happy to be here.

SPEAKER_02

Absolutely. So let's start with this, Robert. Most uh most uh employees don't wake up trying to break security, they just don't think it applies to them. Why does cybersecurity uh cybersecurity still feel like it's someone else's problem and what's the real cost of their mindset?

SPEAKER_00

I I find that employees don't recognize that they're responsible for the security of their organization at all, that they look at security as somebody else's responsibility. It's the CIO, CTO, CISO, and so forth. Like it's not their job, therefore, they shouldn't have to engage in the various processes in regards to managing or reducing risk, like phishing simulation training. And so if they're looking at security as it's not their job, but then the say CTO applies phishing simulation to them, they're gonna look at that as a waste of their time, as something that again is more of a distraction from their actual work. And they're gonna resist it, and in some cases, even resent it, and that's problematic. And and and I see that across the board. I I don't know that the general generic compliance-based check-the-box security awareness training, often you know, delivered via e-learning, which might be you know, a talking head or a cartoon or animated and so forth. I don't know that that's as effective as it as it could be. I think it's doing the job of compliance, it's providing metrics, it's providing the ability for the organization to say, hey, we did this, and so we're doing our due diligence, but I'm not sure that it's necessarily moving the needle in regards to getting the employee to care about security in such a way that they could or should, in order to really be effective in reducing risk.

SPEAKER_02

So, how do you change that mindset? How do you make them care?

SPEAKER_00

That is actually an evolutionary process. So I um had a conversation on New Year's Eve with a good friend of mine who is in fact a um, you know, CIO of a of a metropolitan city north of Boston. You know, like a guy my age, like around 60, smart, smart guy, been doing what he's doing for like 35 years. And um we kind of had a little bit of an argument in regards to um, you know, what it takes to get the employee uh engaged in the process of security awareness. And the argument that we had revolved around the fact that he requires that there are metrics, that he needs to see the ROI in the information that they're being provided. That like if he can't see click rates and who passed and who failed, then there's no sense in engaging in that type of security awareness training. However, but you know, like is that how we is that how we engage each other? Is that how we raise our kids? I mean, yeah, you know, when you raise your kids, you need to see that, you know, being a parent and everything else, and the way you're teaching them and the way that you're, you know, bringing them through the world that they're doing well in school, and we kind of look at their grades as a marker to determine, you know, whether or not we're doing our job as parents to make sure that they're doing their studies as students and so forth. Like, I get that, right? But is every life lesson that we teach them, do we have to see an ROI? Do we have to see a metric? Like every single conversation we have with them, is it is it all like based on a spreadsheet and results and metrics? I'm not really sure, you know. I I think that when it comes to engaging humans, that you kind of need to you need to engage that human kind of where they're at with with whatever that uh engagement uh is.
So, for example, like if you're talking to a 10-year-old about uh an incident that occurred at school, and that incident, you know, revolved around other kids, and it revolved around, let's just say bullying, and it revolved around you know what your kid did in response. And you know, that that's a conversation that you're sitting down with your child, and you're you're communicating with them, you know, values and in and how um you know each situation uh has a specific result. And you're you're you're kind of like working with that child in regards to their life experience and your life experience, and and and ultimately what the goal of that conversation is for them to in some way, shape, or form increase their learning curve based on the information you're providing them, right? Is there a metric, is there is there an actual metric at the end of that conversation that you can actually prove out maybe down the road, maybe a year from then, maybe six months from then, and so on. Like I think that people need a little more flexibility in that regard. I think that they need to, they, they, they need to grow with that information that you've just sat down and provided them. And that's gonna take a little bit of time. And and I don't know that phishing simulation training fully actually hits the nail on the head when it comes down to security awareness. I think it solved the problem of phishing to a certain degree, but I don't know that it gets them to truly care about security. And I think that that's where the gap is. The gap is that I don't know that we're actually getting the employee to care about security awareness enough that they're actually being fully effective as they could be when it comes to reducing risk in the work environment.

SPEAKER_02

I was going to ask why having care is most important, but you uh but you uh you uh already answered my question. You know, because if we train them and they don't care, they'll be trained on a particular kind of uh a particular a particular kind of attack that they are used to seeing in their in their uh their training. But if they are faced with something that they are not seeing and they don't care, that training may not be that uh that effective. Look, security is a somewhat scary topic depending on who you're talking to, right?

SPEAKER_00

Security goes back to when we were just kids and when we were children and we were in the playground and somebody bit us or hit us, like kids bite and kids hit. I mean, at certain ages, they are, you know, they can be somewhat you know uncivilized when you think about it, right? And so at an early age, when we're affected by, say, some type of like low-level physical violence, right? That kind of gets us thinking like that not everybody is nice and not everybody is kind. And then over time, as we age and as we navigate life, we experience more and more situations where people are not nice and not kind. And in some cases, they might be angry, in some cases they may say awful and mean things, and in some cases they may be, you know, violent, right? And we learn from all these situations. But all those situations, in some way, shape, or form, affect us. They affect us physically, they affect us emotionally, and in some cases, they actually like can traumatize us, depending on the severity of those situations. And so as we age, as we grow older and as we learn that security is a part of our um lifestyle, it's a part of our culture, and then ultimately it's a part of you know, protecting ourselves from harm. And then in the workplace, it's part of our job description to some degree, right? We have all these previous life experiences that we may not necessarily apply effectively to security awareness training due to the fact that there's a lot of childhood emotion there. Now, when you think about it, you know, we we we we don't want to think or believe that bad things can happen to us. It's just not natural to us. We as human beings are what's considered an interdependent species, and what that means is we depend on and rely on each other for our survival. That's just the way it is. You know, we need each other to procreate, you know, without each other, the species would cease to exist. And as an interdependent species, our default, our baseline is trust. 
We need to trust each other. Without trust, we wouldn't, if all we did was fear others mean to do us harm, if we didn't trust anybody, we wouldn't be social creatures, we'd never get with anybody. We require that trust. And the problem with that baseline of trust is that throughout the day, week, month, year, the people you meet, the emails you get, the phone calls you receive, the text messages that come in, your baseline is that you want to and you need to trust the person who's sending that to you. And so as you're consuming this information, as you're meeting these people, you're giving them the benefit of the doubt. And as we're continually giving the benefit of the doubt, bad guys know this. And they know that our baseline is trust, and they use truthful situations to scam us and they twist things at the very end. And so I from my experience, most security awareness training, especially compliance-based security awareness training, isn't bridging that gap where we basically are trusting creatures and we're being told be aware of this, do this, don't do that, or else. And that's what compliance training does. It's not, it's not, it's not coming to the person and saying, Hey, I understand that you are concerned about a number of different things. I understand that you have worries and fears. I understand that, you know, early on in life, like security was like this thing that we didn't quite understand. As we grew older, we realize that like it's something that we have to do, but it's kind of against our core beliefs. We don't really want to do these things, but we kind of have to. So I understand all that. So let's talk about it. Let's have a conversation that kind of gets you through all of that and what your resistance to it is and why, you know, and and what our what our belief systems are revolving around security and why we resist security, you know, because we trust and so forth. 
And then there are all kinds of like cultural norms that we all experience that also build on that resistance. So for example, and this is like an actual question. I'm a guy that's got 22 security cameras in my personal and professional life. Like I got security cameras all over my life. Okay. So when you find out, like, okay, the guy's got 22 security cameras, right? What might be your summation, your observation of my belief systems, of my, of my, of, of, of like my observations, of like how I get through the day. Like, if the guy's got 22 security cameras, he must be what? Like, what might what might I be?

SPEAKER_02

I would be, I would call you uh paranoid.

SPEAKER_00

Paranoid, yeah, exactly, right? Maybe a little excessive, but here's the thing with that, right? We as a culture, we as a species, when it comes to security, all of us, no matter where we are in the world, okay, when we think about security, we think about paranoia. We do. Paranoia is a is a mental health issue. It's a it's a disorder, it's a it's a it's a it's a it's a disease of the mind. That's truly what paranoia is, okay. Paranoia, a person who is affected by paranoia, and I have close family. I have a cousin, she's paranoid, and I think right now she's actually living in her car. And she truly does believe that people are out to get her. She truly does believe that the government is a conspiracy against her, and she truly thinks that her home is bugged and that she's always being watched. She is she is effectively, as far as her mental health is concerned, she is out of control. And that's what paranoia actually is. Security, on the other hand, is about being in control. That's what security is. It's about gathering processes and systems, engaging in certain habits and strategies consistently to reduce risk. And if you engage in all these risk reduction strategies, you put these various systems in place, you're engaging in a form of control to reduce those risks. Now we we know that there's no such thing as 100% security. So security is a process, it's it's it's a journey. It's 24/7/365 that we're consistently engaged in to reduce that risk. Okay. Paranoia, on the other hand, is not that. And so the dichotomy of paranoia and security is that if we think to any degree at all, that engaging in the process of security is going to make me worry, it's going to make me fearful, it's going to make me paranoid. We're not going to do it. We just won't. And we don't. For example, like I ask my audiences when I get in front of a live audience, I ask, you know, every single person in the room, how many of you have a home security system installed?
If I get 10 to 20% of the room to raise their hand, that's a lot. Usually I get, you know, maybe 10% if that. And then I ask, like, why don't you have a home security system? And the majority of the people say, Well, I don't even know where my house keys are. I haven't locked my doors in years. Others say, Well, we have insurance. So if anything's stolen, insurance will protect us. Or they say, Yeah, my husband says, uh, why bother installing a home security system? If they want to break in, they're going to break in. Like all these fatalist views of a home security system. And then fundamentally, what many of them say is the reason why I don't install a home security system is because I don't want to live like that. And I say, well, what does that actually mean? And they say, well, I don't install a home security system because I don't want to have to worry. I don't want to live in fear. I just want to be free. And you know what that truly means? It means that I don't want to really recognize risk. I don't want to recognize that there are, in fact, predators out there that burglarize homes. I don't want to recognize that there are actually home invaders that come into your house and hurt you. I don't want to think about those things. I don't want to have to worry about it. I don't want that constant reminder in my life. I just want to be free and not have to think about it. I'd rather function in denial that it can't happen to me. And that's what we do. And that's the resistance that employees have to phishing simulation training, to check-the-box compliance, because it doesn't truly affect them in their lives, where they're at, with their fears and their worries, their trusting by default, and the fact that they're functioning in a certain level of denial that it can't happen to me. And so, in order to be effective, and in order to get people to engage in security awareness, you need to affect them where they're at.
And the way that I define security awareness versus what I do is actually I call security appreciation training versus security awareness training. Security awareness training is intellectually, I understand and I recognize risk, meaning I understand you should lock your doors and that you probably should have a home security system. I understand it's a good thing to have identity theft protection and antivirus controls and two-factor authentication. I understand I should change up my passcodes and consider a password manager. I understand all these things. And I recognize risk in that regard. The difference between that and security appreciation is not only do I understand all these different things, I've installed the home security system. I lock my doors. I have a password manager. I don't use the same passcode twice. I have identity theft protection. Of course I have antivirus. I pay for it too. It's not just free, right? And I've sent my daughters to take self-defense training because I know that they face, you know, assault. And I've had uncomfortable conversations with certain people in my life to teach them about personal protection and protecting their data and their identity in their bank accounts. Like, why? Because all these things mean something to me and they matter to me. It's important. That's security appreciation. You evolve from recognizing risk, understanding it, to actually doing something about it because it means something and matters to you. And I don't know that that's being done effectively anywhere. I don't see it.

SPEAKER_02

So you have been teaching security uh appreciation, I would say for almost three decades now. So what changed your mindset? Like what brought you to this one to do that uh the way it is done right now is not right.

SPEAKER_00

Until organizations essentially flip the switch. So let me give you a little bit of background, right? So prior prior to prior to COVID, um, you know, for me, business was good, and then COVID hit, and that was it. In person, live, interactive training stopped for obvious reasons, right? And then and at that time, or prior to COVID, uh check the box compliance, e-learning, micro e-learning uh training was already on its way. And then COVID hit and it solidified um, you know, remote e-learning training, right? It solidified it. And so 2020, 2021, 2022, 2023, and there was no physical interaction between a live trainer and you know, an audience for security awareness. It just didn't happen. If anything, for me, I did you know virtual stuff, but not a lot of it. Because the check the box compliance was all they needed. For the past couple of years, and especially in 2025, what I'm hearing is from CIOs, CTOs, CISOs, and so forth is listen, We need interaction. We need our people to simply care about security. We just want them to care. They're seeing such a disconnect between what's actually happening in regards to being trained in regards to security awareness and whether they're checking boxes and so forth to actually like the real world, what's going on. And when when your employees kind of throw their hands up in the air and say, my 14-year-old knows more about technology than I do, I don't, while that might be funny, I don't know that that's any longer acceptable. I don't know that it's any longer okay that we kind of resort to, I just kind of give up. My 14-year-old knows more than I do. What am I going to do? I don't know that that's good, especially not for the employee of a company that's handling sensitive data. 
I think that that same employee would be more, would be more um responsible for the data in which they were entrusted with if you first explain to them what security is, what security isn't, paranoia, trusting by default and how that's used against us, and how we can go about implementing various tips and tricks, strategies, habits to secure our own lives from both physical violence and from virtual security, right? From virtual threats. And once we engage the employee in those processes, then the employee begins to care. 2025 was my best year in business since pre-COVID, due to the fact that companies are realizing now that they're just simply not, their employees just don't care and they need more. They need a dialogue. That it's something that's within their capacity. We lack a significant amount of digital literacy. And that means we can't tell the difference between real or fake online. We don't know whether or not we should be clicking links on the first or second page of Google search. We don't understand what it is that we're doing at with our fingertips in what we're looking and what we're consuming. And most of us are just afraid. That's most of your employees, that's most of your colleagues. They're just afraid. And I get that, you know, and that's problematic. And until that is addressed, until they understand what their options are in regards to personal protection, they're not going to understand how to protect the data in which they're entrusted with.

SPEAKER_02

So you're saying that we should focus more on changing their mindset to that make uh making security more uh more personal. The whole cybersecurity industry is based on zero trust. I would say there's a lot of uh there's a big uh uh element of selling fear instead of selling control.

SPEAKER_00

Yeah, yes, exactly. So the fear based in the compliance training, and and and look it compliant, and and I and I know I kind of hammered down on compliance training. Compliance training is necessary, we need it. Employees need phishing simulation training, they have to do it, it's important, it's necessary, it does solve certain problems. Okay, so don't don't get me wrong, it's necessary, okay, but it's missing something. And in and until we bridge that gap, because right now, what this compliance training does, it's kind of like hitting people with a hammer. Do this, do this, do this, do this, or else, or else. If you don't do this correctly, you're gonna be demoted, you're gonna be fired, you're gonna lose your job. If you if you don't get the score right, it there's gonna be repercussions. I get that. I understand that. That is as a result of companies, government agencies being essentially frustrated that the employees, there's a certain element of employees that aren't getting it, therefore, you will suffer the repercussions if you don't get it. Well, that fear-based hammer, hitting them over the head with this, can only go so far. Fear can be a motivator, certainly. We all know this. But is that what we do to our children? Do we parent by fear? I I I don't know that we do that. I don't I don't know that that's a I mean, I know that I don't do that. I I know that I I speak uh occasionally to issues revolving around the negative repercussions of not being compliant. I certainly do that, you know, but I don't threaten, I don't engage in fear tactics when it comes to nurturing my loved ones. I don't know that fear tactics are a good way to encourage or empower. I think all they do is cause fear, you know, they cause you know a certain negativity. And so I think a certain level of you know nurturing, and I know that that might sound a little bit metaphysical and ridiculous to some people. Yeah, you know, I mean, I I as as a girl dad, right?
As a girl dad, um, I've had multiple uncomfortable conversations with my girls. Multiple. And when I say uncomfortable conversations, that means that I occasionally get graphic in regards to the negative repercussions of not being proactive when it comes to security. Like if you are a young woman in today's culture and today's society, there is as much as a 25% chance that you, as a young woman, at some point in your life, might be sexually assaulted. As much as a 25% chance, one out of four. So I think it's important to have uncomfortable conversations about the repercussions of, say, going out with your girlfriends and consuming a tremendous amount of alcohol that puts you in a position where you are out of control and unable to react or respond, should somebody be paying unwanted attention to you and mean to do you harm at a fraternity party. So I have these conversations with my girls as if, you know, they are engaged in those exact behaviors. And I'll get graphic to the point where this is what it looks like and this is what happens. And so you end up in this room and this is what it looks like. And like, you know, it's a little, it's a little much, but I'm not communicating this information in such a way where I am hammering them with that. I'm being graphic and allowing them to visualize certain scenarios in their mind's eye so they understand what this looks like. So, in the potential event that that might happen, they've what-ifed and they've visualized these various scenarios in such a way where they can effectively react and respond. So those uncomfortable conversations are about dissecting these various situations revolving around security, whether it's in the physical world or the virtual world. So you you kind of re-you kind of reverse engineer the bad actor's motivations and their tactics and their techniques. 
And when you understand all of those tactics and techniques, when you understand how the bad actor operates, then you effectively can see inside of what that wrong number text message looks like. You can see inside of what that phishing email looks like and dissecting it and understanding what is actually happening in front of me. When that phone call comes in posing as IT, requesting a password because they can't get into the network and they need your password or else. When you explain that scenario, when you dissect it, when you have what might be considered an uncomfortable conversation, when you're getting graphic with all these various scenarios, you're actually telling effective, it's it's what that is, is it's effective storytelling. And that effective storytelling is painting a picture in that person's mind's eye, in the way in which they view the world. It's personal to them. And that's how you move the needle because you're you're in you're you're involving them in the process of learning about risk management versus hammering them with information, do this or else.

SPEAKER_02

You're sharing the consequences in a way that they can train their minds themselves instead of forcing uh behavior to fear.

SPEAKER_00

I believe it comes out over time naturally, they they evolve with it. Look at I I I look at being a parent as a constant everyday challenge because it is, and as a parent, I'm finding like at every age or every stage in their development, in their own development, from being babies to being toddlers to being young children to being tweens to being teens to being young adults, each stage in their development poses its own set of challenges, right? And each of those challenges, each of those stages, I need to be a certain person in order to meet those challenges. And I have to be flexible and kind of ebb and flow with the tide of that stage of development and be a certain person and communicate in a certain way. So at each stage, they evolve effectively based on my input towards their development, right? And I don't know that that's even a consideration with security awareness training, especially compliance-based. Compliance-based is a set of facts. Do these different things, these are the basic outcomes you're gonna get, and then there's gonna be these people who don't get it, and these are the repercussions. It's not nuanced to the degree that I think it could or should be. And if it was, I think it would move the needle that much more effectively.

SPEAKER_02

So the thing that we always tell our clients is that is if we want to implement zero trust, it starts with a mindset mindset shift at the top level. It has to come be like top down, and it is a journey. So like I would uh suspect that like the same mindset shift and the the ongoing process of being on a journey would also then apply to uh to cybersecurity appreciation.

SPEAKER_00

The um leadership aspect of this is a big deal. If the leadership does not fund the necessary training, even if it's phishing simulation training for that matter, if leadership does not believe in security and all the necessary tools and applications and investments that need to be made in the organization to be compliant, to reduce risk, if they don't look at security as an absolute fundamental business function versus you know um an expense that they don't necessarily think they need, then from the top down, that CIO, CTO, CISO is essentially screwed. If they don't get buy-in from the top top, from the board of directors, it makes their it makes their job that much more difficult. Certainly that um that tech person needs to be extremely resourceful, which is always a good thing, but that doesn't necessarily turn into compliance or security for that matter. Being resourceful is a great thing. So top down, and it's it's it's getting the top of leadership on board with security awareness to begin with, and then and then getting those that are responsible for pulling the trigger, again, those you know, uh uh tech uh C-suite executives to actually to actually believe in security to the degree where they understand risk and why people are adverse to it, like like we've been talking about, that people are worried and they're afraid and they have fears and they need a certain there's a certain nuance to the dialogue that you have with them in order to get them to essentially understand risk management and to care about it to the degree where they see this is within their capacity, that it's something that they understand, that they recognize as something that they want and they need in their own lives, and it makes them more effective in a professional environment in that regard.

SPEAKER_02

You have defined concept called uh called uh uh uh uh strategic human firewall. Okay.

SPEAKER_00

What is the so the the the the strategic human firewall recognizes that technology is not gonna solve all of your security issues. We know that. You know, human hacking is a thing. Human hacking has been going on for thousands of years. Snake oil salesmen back in the 1800s, the Ponzi scheme back in the 30s, that is still very prevalent today in the form of various cryptocurrency pig butchering scams. I mean, we there are thousands and thousands of variations of scams, and but they all have very similar um, they all have very similar uh strategies to to utilize truthful situations uh with with with lies, right? To to to compromise people's ability or need to want and trust other than others. All fraud has the same baseline. Basically, go after good humans comply need to comply with the truth. That all fraud is based on that. And when we understand that as humans, that we need to be that firewall between the bad guy's motivation and what our belief systems are, then we put up a certain firewall protecting us first because we understand what security awareness is. I understand all the various risks and their solutions. Yes, I understand that. I also understand what those risks and solutions are to me and my identity and my data and my dollars and my bank account and my loved ones and my daughters going off to college and my spouse and my home and my stuff and my personal protection. I understand all that stuff and I appreciate the value that this information and these strategies, these tools, these techniques, these habits, I appreciate the value they have in my life. Therefore, as I'm being, you know, bombarded, like every day, we're getting emails and phone calls and texts every single day. I get phone calls and emails and texts to my phone, to my inbox every single day. As this is all coming in, we see it for what it is. We understand and recognize the risk behind reacting to it.
And so we become the firewall because Google's not preventing those emails from coming into my inbox. Not all of them. Uh uh, the Federal Trade Commission isn't preventing those text messages from entering my phone. AT&T, Verizon, Comcast, whatever your carrier is, isn't they're not preventing it. So technology is not solving all the problems that are coming into my inbox, to my text message. They're not technology isn't fixing the problem. I need to fix the problem. So I need to become the strategic human firewall to defend my life, my data, my dollars, my family. And that only happens by engaging in a dialogue. It doesn't happen by going bang, bang, bang in the head. We're hammering people with security awareness. Whereas the strategic human firewall is not a hammer, it's a scalpel.

SPEAKER_02

In cybersecurity, we have this common saying that the chain is as strong as the weakest link, and humans are the weakest link in the chain. So I I appreciate what you're doing here, and because as you make the weakest link stronger, you're making the chain stronger as a whole.

SPEAKER_00

It's as simple as that. It really is. And and if we look at when I get in front of a live audience, I know that there's going to be a very small percentage of that audience that they already understand what it is that I'm saying to them. They already like get it, they already understand that they're essentially what we call drinking in the Kool-Aid, right? They already appreciate the value security has in their life. That's a very small percentage of people. Now, those people further your message of security appreciation. They're actually the ones that at the water cooler, they have the conversations about, you know, in my own life, I'm doing all these basic things to protect myself and my family. Therefore, at work, it makes a lot of sense to me. Those people come to the presentation and they hear what you have to say, and they're like, they say, Oh, I know I'm doing it right. This is good, perfect. The others, the rest of them, the 90% of them, when they sit down in the room, they're like this. I don't want to be here, I don't need to be here, I'm told to be here. This is required of me. My boss made me be here. After about 20 minutes, as you're challenging the belief systems, as you're asking them a number of different questions that like challenge the way they've looked at security their entire lives, what happens is this. They begin to drop their arms, they begin to get, they begin to sit back, they begin to start like listening to you, and they begin to say, you know, this does make sense. I I I I've been resisting this stuff my entire life. I I thought that it was like all about worry and fear and and paranoia. And and now they begin to go, yeah, like this is this is a good thing. Like I wish my wife was here with me today. I I I my daughters need to hear this. And then they come up to me at the end of the presentation and they literally say the words, I came here because I was told to be here. I didn't want to come here, I didn't think I needed this. 
Do you know how many hundreds and thousands of times I've heard that? And then they say, But I'm so glad I came. Do you speak to high schools? You know, because now they're like, they want everybody to hear this message because this message is important. And and I know that we're we're just one dialogue, but all your listeners can take this and they can incorporate it into their own lives. And as long as we do that, as long as we further the conversation, it's gonna, it's gonna change what we how we look at security. And once we begin to stop looking at security as worry and fear and overwhelm, as paranoia, then as we change the conversation, then you'll see the training begin to change too. And the training will be, it might sound ridiculous to people, but it'll be a bit more nurturing, which I think is a good thing. I don't think that's a bad thing. It's a good thing, you know. When you affect people where they're at, then I believe that we will make effective change, and nobody's doing that. Change for the word, I like that.

SPEAKER_02

Let's shift gears a little. Yeah. So let's get to know you. Tell us where you grew up.

SPEAKER_00

Oh, I'm a Bostonian, Boston, Massachusetts. So that's like where the Kennedys are from. So whenever I get in front of a live audience, one of the first things I say is just so you know, I have never ever parked a car in Harvard Yard ever. Which is true. Actually, I have parked a car in Harvard Yard. I actually have. Actually, it was last year. Yeah, we went to a hockey game at Harvard University. But regardless, you know, I say that all the time and they get a kick out of it. So born and bred in Boston, uh, been here my whole life, you know, I'm 57. And um, I don't know that I'm ever gonna leave. I don't know. Uh, my girls, I have girls, as I think I alluded to. They're they're 17 years old and 20. Uh, I got one daughter that goes to college in the Boston area. Uh, she's getting her business degree, and uh another or MBA. And another one, um, she goes to uh she's still in high school, but her intention is to be a uh uh a dermatologist, a medical doctor. And so my parents are in their late 70s, both of them still alive. And um, I don't know that we're gonna be going anywhere until A, my parents, you know, pass, and then B, we'll probably, I'm thinking, follow our girls wherever they end up. That's probably what we'll do, what we'll do. Because my wife, um, she's like all over these girls, like she is a hundred percent like into their lives, you know. She's you've heard of like helicopter parents. Yeah, I hope the ones like this. She's an Apache, she's a black hawk helicopter parent, you know? Yeah. The way that I often describe my wife and the way she is with our girls, because she'll never leave this side, is like if you've if you've it's it's kind of crude actually, and she doesn't kind of like it, but I think it's funny, and it's true. 
Like if you watch like if you watch like monkeys and gorillas like on film and you see them kind of like saddling up to each other, and there's like one monkey like kind of pulling all the ticks out of the the hair of the other monkey, that's my wife. She's all over these kids. So we'll be here until you know they move, and then we'll probably follow them.

SPEAKER_02

I've been to uh Boston, I was working for uh I think it was uh mass housing in downtown. So I was working on a project for them and I was kind of pleasantly surprised. Like I found in New York City for a long time. Compared to New York and people uh who are listening who are from New York like this. But compared to New York, Boston was a was way uh cleaner. It's very cleaner, the air is more fresh there.

SPEAKER_00

Yeah, yeah. I've been in most of the United States traveling on business, you know, spending time in each state, you know, uh gig to gig, hotel to hotel, learning the culture, eating the food. And um, you know, out of all the big cities, you know, Boston, I think, is one of, if not the cleanest. You know, some some are some are equally, if not more, clean, some, you know, but not as big. And uh excellent, excellent food. Our food is excellent, and uh our culture is you know different. It's different. We have rabid sports fans, rabid sports fans. They could be a bit arrogant. I'll I'll agree with that. Um, but in general, a great big walking city, beautiful from the waterfront. We have a boat and we spend time in the water in Boston Harbor. Beautiful city from the water, yeah, and uh a great place to visit.

SPEAKER_02

Yeah, I think uh if I'm not wrong, Boston is the first place that I acquired uh Korean food.

SPEAKER_00

Uh very diverse, it's a very diverse culture, lots of lots of it, it is a melting pot, and in in and everybody's accepted, you know. It's not that's not like that everywhere in the country, unfortunately, but in Boston, you know, it's actually taken quite some time because we all have our old bad habits, but uh everybody's accepted.

SPEAKER_02

And like you said, the seafood there is the purpose. So uh tell us about your 987 uh uh that year.

SPEAKER_00

Well, it was my first bike, and um my first bike and my only bike. Uh it's uh it's a it's a model that uh I bought when I was in my late 20s, early 30s, I forget exactly. So I've had it, you know, for 30 plus years, and um it's a model that they haven't made really since that time, and it's a high demand bike as far as the classics or the antiques are concerned.

SPEAKER_02

Uh I look it up.

SPEAKER_00

It's a Harley-Davidson 1987 uh FXR SPO. So FXR S P O. Yeah, FXR S P O. And uh F and it's a high demand classic bike, and uh it rides like a brand new, you know, bagger, they call them, like a big bike. And it's a small sport bike that rides like a big bike, and uh, it's comfortable, it's sporty, it's slick looking, it's different. And um one of my life mottos is no matter what's going on in my life, never sell the bike. I'm always gonna have that bike. It's a beautiful purple. And the kid that I bought it from, the kid that I bought it from, uh, he bought it when he was in high school.

unknown

Oh, wow.

SPEAKER_00

And I would never ever recommend buying a motorcycle while you're in high school because I think it's too dangerous. I think at that age, we have what I consider like rabbit blood. And when you have rabbit blood, which makes you just run around and do crazy things and sometimes dumb things, um, I think that that puts you at a significant risk. And a motorcycle is a big deal. And so uh I would recommend never buying a bike until you're at least 30, and which was around when I bought mine. And the kid that I bought it from was an artist, like a true, like a painter, a true artist. And he he did up my bike um with his vision and view as an artist. And so it's it's it's pretty, it's different, it's got like um uh uh a lot of detail, and and it is basically a piece of art, and I would never part with that thing. I would never part with that thing, and and in point of note, my 17-year-old and my 20-year-old, they've never been on my motorcycle, they haven't been on. I've never taken them on it, and I don't know that I ever will. I I honestly don't want them to get to like it because of safety issues or safety issues, yeah. Yeah, safety issues, primarily safety issues. Yeah, I it's dangerous, it's dangerous as hell. It's dangerous, yeah. It's dangerous. Yeah, I pay attention to the news, and every single spring, every single spring, like April, May, I'm always paying attention, and I always see like the first two or three people to go down at the beginning of the season. That's it just happens every year. People go down, they get killed, and uh, it's because people aren't paying attention, they're on their phone, and then they hit the biker, or they pull out and they back up and they hit the biker. It just every year I see two or three go down, and it's it scares the hell out of me. You know, it just does. It should.

SPEAKER_02

Yeah, I've been wanting to buy one, but every time I think about it, I hear the news. Somebody in our town or city just yeah. So it's a lot.

SPEAKER_00

I I don't get on it as much as I used to. Uh, you know, we um, but I still I still ride it. We have a boat and uh small boat, just a small boat, uh, small enough that we trailer it in and around the Boston area. And uh we get on that like 25 times a season. So I'm in the water. That's where I spend my time. Uh, we're in the water from like the middle to end of May till like the middle of October. And uh we spent a good amount of time Charles River in Boston, Boston Harbor, you know, up and down the seacoast, Cape Cod. Uh yeah, yeah. So we get a lot of water time. And uh and and the good thing about the boat versus the bike is the boat is family time. It's me and the wife and the girls and the dog, you know, so it's the whole family. The bike is just me, maybe my wife, but uh the the boat is the whole family.

SPEAKER_02

Do you also go fishing in the boat?

SPEAKER_00

A little bit, yeah. I I'll throw the rod in when they're hitting, is how I roll. Yeah, if they're like all around the boat, bang! I'm I'm fishing, yes. Other than that, I don't have the patience.

SPEAKER_02

I think uh I think I had uh clam chowder when I do K C Core.

SPEAKER_00

Boston area, Cape Cod, clam chowder, best in the world.

SPEAKER_02

Well, this was great. How about tell us how people can uh can reach out to you to learn about uh what you do?

SPEAKER_00

Thank you for that. I'm so easy to find. Just google me. You know, Robert Siciliano, I'm all over the socials. R-O-B-E-R-T. Siciliano is S-I-C-I-L-I-A-N-O. And then, of course, my website is protectnowlc.com. Again, protectnowlc.com. You can't miss me.

SPEAKER_02

Awesome. I would share uh the link of the website in uh YouTube's live too. So protectnowlc.com.

SPEAKER_00

Yeah, protectnowlc.com. Thank you, sir.

SPEAKER_02

Thank you again, Robert. I'm sure our listeners will love our conversation. Boston, boats, and basics of cybersecurity.

SPEAKER_00

Hey, I appreciate you, man. Thank you so much.

SPEAKER_02

Thank you for being on the show, Robert. Thank you.

SPEAKER_01

Musings from the Cyber Trench podcast proportions more than a conversation. We take active windows and collective wisdom. If today's episode resonated with you, we'd love to hear your insight. Join the contest culture and help us take the future together. We'll be back with more stories, strategies, and groups or making a couple of things.