Mon, 19 July 2021
In this episode, Chris Hadnagy and Ryan MacDougall are joined by Michael Fortune. Michael is the Security Behaviours Team Manager for British Telecom (BT) UK. Michael has been with BT for an amazing 22 years, where he is currently BT’s expert on security behavior, insider threat behavior, and social engineering, and helps guide the business around these risks. With over 160 thousand employees across the globe in his charge, Michael helps run a team of experts who support and drive security programs for the company.
00:00 – Intro
03:37 – Michael Fortune Intro
05:22 – Michael’s Path – how has your background in psychology helped with cyber and information security?
06:10 – Have you been able to use psychological principles in education?
07:27 – How do you keep education engaging for 160,000 people?
10:07 – Top down approach
12:51 – You are essentially performing an SE gig in order to get an SE gig
14:03 – What’s your rule set?
15:59 – Senior Management Buy-In – people are afraid of doing that, so they don’t do it. How do you approach that?
19:08 – Where is the ethical line in using social engineering to get buy-in?
21:21 – Explaining to upper management the repercussions of not doing this training
22:52 – Were your CISO and Director of Protections always on board or did you have to convince them?
25:56 – What have you learned from your hundreds of thousands of SMishing attacks under your belt?
29:18 – Advice about getting buy-in from the top down can work for any sized company
30:30 – When you talk about personalizing the sessions that you do, do you personalize to the department, or
33:05 – Following through with a good program
36:24 – The idea is to get people to do it
36:38 – What colleagues do you respect most in the industry?
39:22 – What are some action steps that corporations should start doing right now?
42:00 – Experience is everything
44:48 – You need patience, because every human being is different and complex
45:13 – Michael Fortune on the internet: Michael.2.Fortune@bt.com
Direct download: Ep._150_-_Security_Awareness_Series_-_Getting_Senior_Management_Buy-In_With_Michael_Fortune.mp3
Category:Security Awareness -- posted at: 2:00am EDT
Wed, 16 June 2021
Ep. 148 - Security Awareness Series - Three Degrees of Separation from Neil Fallon with Rockie Brockway
In this episode, Chris Hadnagy and Ryan MacDougall are joined by Rockie Brockway. Rockie is currently the Practice Lead for the Office of the CSO for TrustedSec. With over 28 years' experience in information security and business risk, Rockie specializes in Business Risk Analysis and the inherent relationships between data, assets, adversaries, and the organization’s brand value. He provides strategic and tactical advisory services to TrustedSec’s clients, assisting them in maturing their organizations’ security programs.
00:00 – Intro
Breaking Security Awareness Virtual Conference by Living Security – Chris will appear June 24
03:35 – Rockie Brockway Intro
07:25 – A little about Rockie’s background and how he got started in the industry
10:35 – Rockie's feelings on the past 29 years, from the first virus he saw vs what we see now
12:35 – Rockie was in a math rock band called Craw, Rockie played shows with CLUTCH!!!
17:15 – What should I have or learn to get a job in a company like yours?
21:52 – How do you take curious and knowledgeable people’s knowledge and bridge that gap between them and the decision makers?
23:43 – How can young people get the qualities you suggest?
25:20 – Never be afraid of failure
27:45 – How important is top-down leadership support, or what are the most important aspects of doing your job?
31:25 – Are there more or less “future thinking” proactive security concerns than there were years ago?
36:02 – What level of organizations are bringing you in for your assistance?
37:28 – Action steps for corporations to start doing now
40:42 – Colleagues you respect most in the industry
42:45 – Book recommendations
44:33 – How to contact Rockie
Direct download: Ep._148_-_Security_Awareness_Series_-_Three_Degrees_of_Separation_from_Neil_Fallon_with_Rockie_Brockway.mp3
Category:Security Awareness -- posted at: 1:19pm EDT
Mon, 17 May 2021
In this episode, Chris Hadnagy and Ryan MacDougall are joined by Jason Frank. Jason has an extensive background in helping both government and Fortune 100 organizations, and has served as a course instructor for the Black Hat security conference. Jason is currently the COO at SpecterOps, where he is accountable for the execution of the company. He oversees the Adversary Simulation and Detection delivery capabilities, where he helps clients to understand, detect, and respond to adversaries.
00:00 – Intro
03:05 – Podcast Guest Jason Frank Intro
03:22 – Jason at BlackHat
03:30 – SpecterOps
04:34 – How Jason got to where he is
08:50 – Curiosity and motivation born from failing at a CTF
09:50 – Adversary Simulation – why is Jason using this phrase?
12:32 – Where are we in the current security culture?
16:11 – How to get attention of stakeholders, what concepts do you put in play?
18:03 – Reactive vs. Proactive
21:56 – How can corporations prepare for and mitigate attacks?
23:39 – What are the business repercussions of not letting machines talk to each other, and only the server?
25:45 – What are the more recent attacks you’ve seen coming up that people should be looking for?
28:14 – Knowledge bombs – terminology that people can look up to recognize “low hanging fruit” they may be missing – Bloodhound
30:00 – Cycles where certain things can be exploited such as ActiveDirectory
30:50 – What other things do companies need to be watching for
32:14 – PowerShell
33:44 – What are some action steps that corporations should start taking right now?
34:51 – Colleagues Jason respects most in the industry
36:50 – Jason's Book Recommendations
38:31 – Wrap-Up
@joemontmania on Twitter (Ryan MacDougall)
@HumanHacker on Twitter (Chris Hadnagy)
@InnocentOrg on Twitter (Innocent Lives Foundation)
Direct download: Ep._146_-_Demand_Transparency_with_a_blue_shirt_with_Jason_Frank.mp3
Category:Security Awareness -- posted at: 8:47am EDT
Mon, 15 March 2021
In this episode of the SECurity Awareness Series of the SEPodcast, Chris Hadnagy and Ryan MacDougall are joined by Brian Phillips, who is responsible for information security at Macy’s. Listen as they discuss how to: build an information security organization, hire the right people, and get buy-in from executives.
00:09 – Intro
01:54 – Introduction to Brian Phillips
02:44 – Security in a retail environment and impacts from the pandemic
07:25 – How to build an information security organization from the ground up
10:14 – Changing an organization's mindset for better security
14:20 – The most desirable quality in a team member, and how to recognize it in an interview
18:21 – How to nurture an outsider into a security professional
22:48 – How to align corporate security initiatives with business goals
26:38 – The importance of buy-in from the C-level down, and how to get it.
38:13 – Key takeaways that corporations should start doing now
40:17 – Brian’s most respected colleagues
42:14 – Brian's book recommendations
Robin Dreke's Books:
Joe Navarro’s Books:
44:03 – Conclusion
Direct download: Ep._142__You_Can_Be_Right_and_Still_Be_Wrong_with_Brian_Phillips.mp3
Category:Security Awareness -- posted at: 2:09am EDT
Mon, 15 February 2021
In this episode, Chris Hadnagy and Ryan MacDougall are joined by industry professional Julie Rinehart. Julie has spent the last 10 years building and enhancing Fortune 500 enterprise Security Awareness programs. Listen as they discuss using empathy to improve security awareness and the flaws in the “stupid user” philosophy.
00:10 – Intro
01:56 – Introduction to Julie Rinehart
02:28 – How Julie got into the industry
06:21 – Dismantling the “stupid user” philosophy
07:53 – How to interview your employer
10:34 – The biggest milestones in Julie’s career
14:31 – How you can encourage users to report the phish they clicked on
19:22 – What we can learn from “people who try to do the right thing and then mess up”
25:25 – The benefits of making security personal
28:34 – Julie's biggest challenges in the industry
30:28 – Increase security awareness using gamification
35:13 – Julie's mentors and most respected colleagues
38:54 – Julie’s podcast recommendations
43:52 – Outro
Direct download: Ep._140__Empathetic_Security_with_Julie_Rinehart.mp3
Category:Security Awareness -- posted at: 1:00am EDT
Mon, 18 January 2021
In this episode, Chris Hadnagy and Ryan MacDougall are joined by industry professional Marcus Sailler to discuss his experience as the red team information security manager at Capital Group. Marcus shares some great tips on creating a successful security team and how you can prevent it from becoming the "No Police". They also go over the recent changes in the industry, including how big hacks have increased security awareness in the general public.
00:09 – Introduction to the new Security Awareness Series
01:28 – Introduction to Ryan MacDougall
02:32 – Introduction to Marcus Sailler
04:20 – How Marcus got into information security
06:08 – Recent changes in the infosec industry – How a big hack increases security awareness
12:09 – How a red team and security awareness team can collaborate to enhance security
14:25 – Introduction to Capital Group
16:17 – Coming up with relevant attacks for a global company
18:08 – How a security team can avoid becoming the “No Police”
21:39 – Why it’s better to build a blue team first
22:24 – The importance of attitude and ego for a red teamer
25:04 – How a red team benefits from partnership
26:53 – Emulate the bad guy, but remember to be good
29:18 – Steps corporations should implement now
30:58 – Some of Marcus’ most respected industry professionals
34:47 – Marcus' book recommendations
39:18 – Marcus' contact info
14:38 – Outro
Direct download: Ep._138__Security_With_Marcus_Sailer_of_Capital_Group.mp3
Category:Security Awareness -- posted at: 1:00am EDT