The ART of Security Summit: Strategic Risk Management for CISOs | Roger Grimes, KnowBe4

Clips
More from The ART of Security Summit: Strategic Risk Management for CISOs

Roger Grimes

Data-Driven Defense Evangelist

KnowBe4

play_circle_outline Importance of cybersecurity training for avoiding risks and educating employees on phishing attacks.

play_circle_outline Impact of cybersecurity training on reducing successful breaches and improving security awareness.

play_circle_outline Need for ongoing, regular security training and immediate education following failed phishing tests.

Info

Roger Grimes, KnowBe4

Roger Grimes

Data-Driven Defense Evangelist KnowBe4

search

Jackie McGuire

>> Hello, everybody. Welcome back to The ART of Security Summit. I'm Jackie McGuire, practice lead and principal analyst for security at theCUBE and SiliconANGLE. Today we're back to talk about avoiding risk. And I'm really happy. I have Roger Grimes with me today. So he's the data-driven defense analyst from KnowBe4. And we're going to talk about what I would consider probably the most important piece of avoiding risk, which is educating people about where risk comes from, how to spot it, and how to avoid it. Welcome, Roger. Thank you for being here.

Roger Grimes

>> So glad to be here. - Awesome.

Jackie McGuire

>> So let's start with a fun fact. Last week we were going favorite Bay Area rappers because I was talking to somebody from the Bay Area, but who is your favorite band in general, Roger?

Roger Grimes

>> Oh, actually, a Gainesville, Florida band called Sister Hazel. Been big fans of them for going on three decades.

Jackie McGuire

>> All right. I remember Sister Hazel from the 90s. That's pretty awesome. That's a great throwback. Fantastic. All right. The first step in the art process that we're talking about today is avoiding risk. And so sometimes that means doing nothing at all, right? You say, "This project is just too risky, let's just avoid the risk by not doing anything. " But in this case, we're going to avoid it through better training. And I often see employees, and I think you guys say this as well, is they're both the largest attack surface, but they're also your last line of defense. And just depending on which study you read, somewhere between 70 and 90% of compromises happen at the end point, which is generally involving someone either clicking on something silly, not noticing something. So employees really need training on both sides, both as kind of the attack surface as well as lines of defense. So can you talk to me a little bit about how you think about cybersecurity training in the modern enterprise and how KnowBe4 approaches that last line of defense?

Roger Grimes

>> Yeah, sure. I mean, let me say, for sure I think most people know that phishing and social engineering is a big part of how attackers attack companies and people and networks, but I don't think most people realize that it's literally the largest portion by far, like you said 70 to 90%. It's a lot of risk and if you don't address training, it really can be successful in most organizations. I mean, I like to say this, that social engineering and phishing is involved in 70 to 90% of successful data breaches after it's bypassed every defense you've thrown in its way. It's gotten past the firewalls and intrusion detection and antivirus and all that sort of stuff. So I'm like... Every once in a while someone would say, "Well, why should I train them? " Like, "How could you not? " I mean, it's literally, most of these attacks you're getting past everything else technically and policy-wise that you've thrown in its way. You have to train people to help decrease risk because your end users for sure are going to have to make some cybersecurity decisions and you want to try to help them make the right decisions.

Jackie McGuire

>> Yeah. And I always think of it as even as security evolves and we automate things or make them more intelligent, humans are always still going to be the people on the front lines of doing the bad things. So you probably also still need the best trained humans on the line trying to prevent the bad things regardless of how good our tools and detections and automations get. So one of the things I've talked about as well, and I think this is a great, to your point about having when everything else fails, I also like to think about security more as not really a program or a team or an objective as much as a culture. And I've experienced this myself. And I also liken it to compliance. So I come from financial services originally. That's where I spent the first several years of my career. And compliance was the same way, and that it was either something that you kind of eat, sleep and breathe, and it was safe to ask questions and safe to say something looked wrong or it wasn't. And I saw the effect at the financial institutions I was at. And now coming into security, it's actually the same exact thing with security. It's either a culture where security is there to help you, they're there to be your backstop, or it's a culture where security's kind of the department of no and slows things down. So I always feel like one of the best ways to create a security culture is to create a culture where people feel safe to ask questions and learn rather to get in trouble. And you guys are in a great place because you are the people that help people learn. Would you agree with that, and assuming you agree with me, how do you feel like having better cybersecurity helps contribute to that culture, or better training? Sorry.

Roger Grimes

>> Yeah, I mean, for sure all of that. Culture's a big deal. I mean, we have the saying that your users may be aware of something but not care. And the idea about a culture is hoping to impact people's behavior so that they're really making the right security decisions. And I think that a lot of times when I walk into an organization, I can pretty quickly see whether or not the organization takes cybersecurity kind of seriously. I mean, even a little thing like if you see a bunch of laptops on people's desks and they're away, they're at lunch, they're visiting somebody in a meeting, are they locked? Right? And some places I go, you see all these screens open and no one's locked. And in other places, if someone's almost accidentally left their screen unlocked, they'll come back and lock it, right? You've created a culture of people trying to keep themselves and the organization safe. You certainly want to make them feel safe in reporting things. I mean, I've heard of some people, especially in the financial services where they're like, "If you fall for a simulated phishing test, a real phishing attack or something, you're fired first offense. " And that's going to make people try to hide things. What you want to do is create this safe environment because no one's trying to hurt themselves or the organization. You want to make them feel safe in trying to report something that they may suspect like, "Hey, I opened this email and I clicked on this link, and it's possibly that this was malicious. " And I have a great example. Years ago, I was at one of the world's largest companies, Fortune 10, Fortune 50 company, and one of the smartest people there had been on the Super Bowl day had accidentally opened up a spear phishing attack email. It appeared to come from someone that had knowledge of an internal project and said, "Hey, here's this document that kind of relates to our project. " And when he opened the PDF, he's like, "This doesn't have anything to do with our project. " And he closed it. But an hour or two later he's like, "Man, maybe that was a spear phishing attack. Maybe I should report it." And so he did. And when he did it, they found out that indeed his workstation had been compromised by a zero day. They had placed a Trojan, but they had stopped the attack before it was able to move beyond his endpoint. And so I love that example for two reasons. First of all, super smart guy, nobody knew more about the environment than he did, and he still fell for this attack. And number two that he started saying, "Hey, maybe I was attacked," and he felt safe in reporting it, not going to be fired. And that helped better protect the organization. Even maybe another thing, people will say, "Well, can I do simulated phishing attacks where we're claiming they got a bonus or they got a raise or maybe we're taking away a raise or something like that. " I'm like, "If you're making your coworkers angry by the way that you're trying to train them, you're not really training as effectively as you can. You want to train in such a way that people feel empowered, they feel safe, and that they will see and try to put down risk and report risks that maybe they missed at first."

Jackie McGuire

>> Absolutely. I always wonder why companies don't do some type of... When they're doing the phishing attacks, it would always be better to have positive reinforcements. So every time you spot a phishing email successfully, you go into some drawing for some electronic or something like that. Because I agree with you. I think when you make things punitive and you make it just a more a culture of check the box, I did the training compliance, people will always be more hesitant to share information. And it also becomes kind of a... I think when you don't fully integrate security training into a company company wide, there still creates that kind of gap between the security people or the technical people and everybody else. And you really need kind of open lines of communication where technical people are treating everybody else as if they are intelligent enough to understand the things we're dealing with because they are. And I think that in turn enables the whole organization to look at security not as the hoodie people who sit in the security team, but as your partners, people who are just trying to help you more efficiently do your job without putting the company at risk. And I think one of the surprising things for me was the percentage of successful compromises that happen at the VP level or above, how often those compromises come from not your average everyday customer service rep. These are a lot of times it's people with higher- level access because of spear phishing, because they're very busy and on the go all the time. And I think that's also something that we maybe don't acknowledge all the time that we should.

Roger Grimes

>> Yeah. And I do know many organizations that actually don't test those sea levels. And I always say no one gets promoted because they successfully phish their boss. But to exclude them means that the only time they're going to be tested is when a real phishing attack comes. And that's not necessarily the best way to reduce risk either. So you want to, again, create a healthy culture. You're trying to build in, coach in certain behaviors where they make the right decisions and they feel safe that if they fail during a simulated phishing test, that they'll get some education so if the real thing comes along they're making the right decision. And you really don't want to exclude anybody. Anytime you exclude somebody, you're just increasing risk to the organization. And like you said, a lot of these attacks happened to IT, to the C-level. And Barracuda Networks back in 2023, it might've been '24, they had a really great stat that I live by. They said that less than 0.1% of all email attacks are spear phishing attacks. So a phishing attack meant at a particular person or group of people, like C-level employees or IT or something, but they're responsible for 66% of successful data breaches. So I mean, that to me is a big, big deal, meaning that you need to train people and certainly your most high-risk people, that means accounting, that means HR, that means IT, that means C-levels, anybody with access to money and financials and things like that.

Jackie McGuire

>> We're going to talk about identity and access management in a little bit, but I could also see that that being because those are also the people who... Because they don't want to have to put a ticket in to access something over the weekend, those people also tend to have too many privileges and elevated access. So even worse. In the data statistics, I'm a data scientist, so I love statistics, you guys have a really strong presence across the space. So I'm wondering if you could share data that you've learned along the way about the impact of stronger cybersecurity training, so what your customers look like when you get there, and then what the impact of actually implementing a robust training program is.

Roger Grimes

>> Yeah, sure. I tell you, I think KnowBe4, we've been doing this 11, 12 years. We're the leader in the industry. We have more customers than anybody else. So we've actually looked at massive amount of data in real life, over 60,000, 70,000 customers, tens of millions of security awareness training sessions and simulated phishing assessments. And I can tell you this for sure. We have the data to show that the more often you train and simulate phish, an employee, the less likely they are to click on a simulated phishing email or a real phishing email. Matter of fact, our latest data, and we've published this in a white paper, shows that customers who train, our customers, are at least eight times less likely to get breached than our non-customers. The average company throughout the world gets breached each year between 20 to 40%. And at first I was like, "Man, that's way too high. " 20 to 40% of organizations will be breached each year. A lot of times through ransomware. And now 90, 95% of ransomware now exfiltrates data, creating this data breach. Well, our customers are only 2.37. Only 2. 37% of our customers have ever been breached. Most of those, something like 66% of them were before they were our customers. And once they're our customers, they're far less likely to get breached and get breached less times.

Jackie McGuire

>> I think that's compelling in and of itself.

>> Over 10 years to show that training does work.

Roger Grimes

>> And really, why wouldn't it? It's not like we let people drive a car without training them first. Right?

>> Yeah. - Every single area in our lives training helps.

Roger Grimes

>> But every once in a while you get somebody who goes,

Roger Grimes

>> "I don't think it helps in cybersecurity. " I'm like, "How could it not by educating somebody, how could it not help?"

Jackie McGuire

>> Yeah. And you guys have a phishing security test that really kind of helps assess and address that market. And I think you're right. We all go on autopilot so much. We all have so many things to remember to do. And when I open my laptop, there's always 900 things, squirrel, that need to be done. And accidentally clicking on something, accidentally opening something, when you're in autopilot, and that's like a secondary function, you're just trying to clear your inbox out, it happens a lot more frequently than if it's something top of mind because you're frequently being reminded that actually specifically in your email, in your text messages, you need to be a little bit more intentional about how you go through them and what you're looking for. So I guess last question around your phishing security test. So can you explain, just kind of TLDR in a few seconds how that works and then how you work with companies after the test to try to help address some of those things?

Roger Grimes

>> Yeah. We're certainly big believers in training more than once a year. We think that every time someone gets hired, they should be given longer training, whatever that means, 15, 30 minutes, 45 minutes, and each year thereafter get this longer training where you're trying to create all kinds of different behaviors. After that, they should receive monthly training, but shorter, maybe 1, 2, 3 minutes and get at least simulated monthly, simulated phishing tests. And if someone fails a simulated phishing test, that they get immediate education. You don't want them to fail a phishing test, and then they get an education about why they possibly failed that test 30 days later. You want it to be immediate. They have more ability to maintain it, or to retain it, that's the better word. And I would also say what you just pointed out, where you're really busy. We know for sure that even a well-trained person that has been trained in security awareness training and phishing and stuff, like myself, I have been successfully phished, at least through simulated phishing tests. And I would say that I'm among the top 1% of the world about how to fight phishing and social engineering. But yeah, I was busy, I was multitasking and I opened it and click or whatever. So we do try to create this sense of it's more than just training, it's more than just awareness. It's about trying to tell people that if you see an unexpected message that's asking you to do something you've never done before, that you need to slow down and research it outside that message's contact information before performing. And let's say we all, all of us get these unexpected messages from our boss going, "Hey, what about this? What about that?" That's normal. But what we want to communicate to employees is that if you get an unexpected message no matter how it arrives and it's asking you to do something you've never done before, at least for that sender, that's a high-risk message. You need to slow down. You need to be mindful. You need to possibly hover over the link. You possibly need to go to call that person or call that company in a known good phone number or go to a website. And if you can really teach that resilience across your workforce, you are going to significantly decrease cybersecurity risk.

Jackie McGuire

>> Absolutely. I think that's a great place to wrap it up. I couldn't thank you more. So the last thing I want to cover is we have RSA coming up very shortly, so I'm sure you'll be there in full force. Is there any particular events or things that you're doing, that KnowBe4 is doing at RSA that we should come find you for?

Roger Grimes

>> Well, we certainly have a booth there and we'll have a big presence. Everyone always looks forward to the RSA parties, but I guess I really like going to the educational sessions and learning different things. I'll be presenting on the different ways to hack MFA, which I've been doing for years and years and years. But for sure I'm going to have some new ways, new ways that MFA could be bypassed. And so I'm a very big believer in actually going to the sessions. It's not just about networking, it's not just about RSA parties, but it's about actually learning about what's changing in the cybersecurity space, like what's going on with AI, when will agentic AI malware be upon us, and when do we have to start teaching that?

Jackie McGuire

>> Absolutely, yeah. Visit the villages if you get a chance. That's always a really good way to get in close with the really technical people, whether it's lock picking or identity or any of those things. All right, well thank you so much, Roger, for being here today. Again, really emphasizing that avoiding a lot of security risk really comes down to understanding where that risk comes from and trusting your employees with the information to be able to handle it. For The ART of Security Summit, I'm Jackie McGuire. We will be right back with more information about avoiding, reducing, and transferring risk.

Roger Grimes, KnowBe4

search

Jackie McGuire

>> Hello, everybody. Welcome back to The ART of Security Summit. I'm Jackie McGuire, practice lead and principal analyst for security at theCUBE and SiliconANGLE. Today we're back to talk about avoiding risk. And I'm really happy. I have Roger Grimes with me today. So he's the data-driven defense analyst from KnowBe4. And we're going to talk about what I would consider probably the most important piece of avoiding risk, which is educating people about where risk comes from, how to spot it, and how to avoid it. Welcome, Roger. Thank you for being here.

Roger Grimes

>> So glad to be here. - Awesome.

Jackie McGuire

>> So let's start with a fun fact. Last week we were going favorite Bay Area rappers because I was talking to somebody from the Bay Area, but who is your favorite band in general, Roger?

Roger Grimes

>> Oh, actually, a Gainesville, Florida band called Sister Hazel. Been big fans of them for going on three decades.

Jackie McGuire

>> All right. I remember Sister Hazel from the 90s. That's pretty awesome. That's a great throwback. Fantastic. All right. The first step in the art process that we're talking about today is avoiding risk. And so sometimes that means doing nothing at all, right? You say, "This project is just too risky, let's just avoid the risk by not doing anything. " But in this case, we're going to avoid it through better training. And I often see employees, and I think you guys say this as well, is they're both the largest attack surface, but they're also your last line of defense. And just depending on which study you read, somewhere between 70 and 90% of compromises happen at the end point, which is generally involving someone either clicking on something silly, not noticing something. So employees really need training on both sides, both as kind of the attack surface as well as lines of defense. So can you talk to me a little bit about how you think about cybersecurity training in the modern enterprise and how KnowBe4 approaches that last line of defense?

Roger Grimes

>> Yeah, sure. I mean, let me say, for sure I think most people know that phishing and social engineering is a big part of how attackers attack companies and people and networks, but I don't think most people realize that it's literally the largest portion by far, like you said 70 to 90%. It's a lot of risk and if you don't address training, it really can be successful in most organizations. I mean, I like to say this, that social engineering and phishing is involved in 70 to 90% of successful data breaches after it's bypassed every defense you've thrown in its way. It's gotten past the firewalls and intrusion detection and antivirus and all that sort of stuff. So I'm like... Every once in a while someone would say, "Well, why should I train them? " Like, "How could you not? " I mean, it's literally, most of these attacks you're getting past everything else technically and policy-wise that you've thrown in its way. You have to train people to help decrease risk because your end users for sure are going to have to make some cybersecurity decisions and you want to try to help them make the right decisions.

Jackie McGuire

>> Yeah. And I always think of it as even as security evolves and we automate things or make them more intelligent, humans are always still going to be the people on the front lines of doing the bad things. So you probably also still need the best trained humans on the line trying to prevent the bad things regardless of how good our tools and detections and automations get. So one of the things I've talked about as well, and I think this is a great, to your point about having when everything else fails, I also like to think about security more as not really a program or a team or an objective as much as a culture. And I've experienced this myself. And I also liken it to compliance. So I come from financial services originally. That's where I spent the first several years of my career. And compliance was the same way, and that it was either something that you kind of eat, sleep and breathe, and it was safe to ask questions and safe to say something looked wrong or it wasn't. And I saw the effect at the financial institutions I was at. And now coming into security, it's actually the same exact thing with security. It's either a culture where security is there to help you, they're there to be your backstop, or it's a culture where security's kind of the department of no and slows things down. So I always feel like one of the best ways to create a security culture is to create a culture where people feel safe to ask questions and learn rather to get in trouble. And you guys are in a great place because you are the people that help people learn. Would you agree with that, and assuming you agree with me, how do you feel like having better cybersecurity helps contribute to that culture, or better training? Sorry.

Roger Grimes

>> Yeah, I mean, for sure all of that. Culture's a big deal. I mean, we have the saying that your users may be aware of something but not care. And the idea about a culture is hoping to impact people's behavior so that they're really making the right security decisions. And I think that a lot of times when I walk into an organization, I can pretty quickly see whether or not the organization takes cybersecurity kind of seriously. I mean, even a little thing like if you see a bunch of laptops on people's desks and they're away, they're at lunch, they're visiting somebody in a meeting, are they locked? Right? And some places I go, you see all these screens open and no one's locked. And in other places, if someone's almost accidentally left their screen unlocked, they'll come back and lock it, right? You've created a culture of people trying to keep themselves and the organization safe. You certainly want to make them feel safe in reporting things. I mean, I've heard of some people, especially in the financial services where they're like, "If you fall for a simulated phishing test, a real phishing attack or something, you're fired first offense. " And that's going to make people try to hide things. What you want to do is create this safe environment because no one's trying to hurt themselves or the organization. You want to make them feel safe in trying to report something that they may suspect like, "Hey, I opened this email and I clicked on this link, and it's possibly that this was malicious. " And I have a great example. Years ago, I was at one of the world's largest companies, Fortune 10, Fortune 50 company, and one of the smartest people there had been on the Super Bowl day had accidentally opened up a spear phishing attack email. It appeared to come from someone that had knowledge of an internal project and said, "Hey, here's this document that kind of relates to our project. " And when he opened the PDF, he's like, "This doesn't have anything to do with our project. " And he closed it. But an hour or two later he's like, "Man, maybe that was a spear phishing attack. Maybe I should report it." And so he did. And when he did it, they found out that indeed his workstation had been compromised by a zero day. They had placed a Trojan, but they had stopped the attack before it was able to move beyond his endpoint. And so I love that example for two reasons. First of all, super smart guy, nobody knew more about the environment than he did, and he still fell for this attack. And number two that he started saying, "Hey, maybe I was attacked," and he felt safe in reporting it, not going to be fired. And that helped better protect the organization. Even maybe another thing, people will say, "Well, can I do simulated phishing attacks where we're claiming they got a bonus or they got a raise or maybe we're taking away a raise or something like that. " I'm like, "If you're making your coworkers angry by the way that you're trying to train them, you're not really training as effectively as you can. You want to train in such a way that people feel empowered, they feel safe, and that they will see and try to put down risk and report risks that maybe they missed at first."

Jackie McGuire

>> Absolutely. I always wonder why companies don't do some type of... When they're doing the phishing attacks, it would always be better to have positive reinforcements. So every time you spot a phishing email successfully, you go into some drawing for some electronic or something like that. Because I agree with you. I think when you make things punitive and you make it just a more a culture of check the box, I did the training compliance, people will always be more hesitant to share information. And it also becomes kind of a... I think when you don't fully integrate security training into a company company wide, there still creates that kind of gap between the security people or the technical people and everybody else. And you really need kind of open lines of communication where technical people are treating everybody else as if they are intelligent enough to understand the things we're dealing with because they are. And I think that in turn enables the whole organization to look at security not as the hoodie people who sit in the security team, but as your partners, people who are just trying to help you more efficiently do your job without putting the company at risk. And I think one of the surprising things for me was the percentage of successful compromises that happen at the VP level or above, how often those compromises come from not your average everyday customer service rep. These are a lot of times it's people with higher- level access because of spear phishing, because they're very busy and on the go all the time. And I think that's also something that we maybe don't acknowledge all the time that we should.

Roger Grimes

>> Yeah. And I do know many organizations that actually don't test those sea levels. And I always say no one gets promoted because they successfully phish their boss. But to exclude them means that the only time they're going to be tested is when a real phishing attack comes. And that's not necessarily the best way to reduce risk either. So you want to, again, create a healthy culture. You're trying to build in, coach in certain behaviors where they make the right decisions and they feel safe that if they fail during a simulated phishing test, that they'll get some education so if the real thing comes along they're making the right decision. And you really don't want to exclude anybody. Anytime you exclude somebody, you're just increasing risk to the organization. And like you said, a lot of these attacks happened to IT, to the C-level. And Barracuda Networks back in 2023, it might've been '24, they had a really great stat that I live by. They said that less than 0.1% of all email attacks are spear phishing attacks. So a phishing attack meant at a particular person or group of people, like C-level employees or IT or something, but they're responsible for 66% of successful data breaches. So I mean, that to me is a big, big deal, meaning that you need to train people and certainly your most high-risk people, that means accounting, that means HR, that means IT, that means C-levels, anybody with access to money and financials and things like that.

Jackie McGuire

>> We're going to talk about identity and access management in a little bit, but I could also see that that being because those are also the people who... Because they don't want to have to put a ticket in to access something over the weekend, those people also tend to have too many privileges and elevated access. So even worse. In the data statistics, I'm a data scientist, so I love statistics, you guys have a really strong presence across the space. So I'm wondering if you could share data that you've learned along the way about the impact of stronger cybersecurity training, so what your customers look like when you get there, and then what the impact of actually implementing a robust training program is.

Roger Grimes

>> Yeah, sure. I tell you, I think KnowBe4, we've been doing this 11, 12 years. We're the leader in the industry. We have more customers than anybody else. So we've actually looked at massive amount of data in real life, over 60,000, 70,000 customers, tens of millions of security awareness training sessions and simulated phishing assessments. And I can tell you this for sure. We have the data to show that the more often you train and simulate phish, an employee, the less likely they are to click on a simulated phishing email or a real phishing email. Matter of fact, our latest data, and we've published this in a white paper, shows that customers who train, our customers, are at least eight times less likely to get breached than our non-customers. The average company throughout the world gets breached each year between 20 to 40%. And at first I was like, "Man, that's way too high. " 20 to 40% of organizations will be breached each year. A lot of times through ransomware. And now 90, 95% of ransomware now exfiltrates data, creating this data breach. Well, our customers are only 2.37. Only 2. 37% of our customers have ever been breached. Most of those, something like 66% of them were before they were our customers. And once they're our customers, they're far less likely to get breached and get breached less times.

Jackie McGuire

>> I think that's compelling in and of itself.

>> Over 10 years to show that training does work.

Roger Grimes

>> And really, why wouldn't it? It's not like we let people drive a car without training them first. Right?

>> Yeah. - Every single area in our lives training helps.

Roger Grimes

>> But every once in a while you get somebody who goes,

Roger Grimes

>> "I don't think it helps in cybersecurity. " I'm like, "How could it not by educating somebody, how could it not help?"

Jackie McGuire

>> Yeah. And you guys have a phishing security test that really kind of helps assess and address that market. And I think you're right. We all go on autopilot so much. We all have so many things to remember to do. And when I open my laptop, there's always 900 things, squirrel, that need to be done. And accidentally clicking on something, accidentally opening something, when you're in autopilot, and that's like a secondary function, you're just trying to clear your inbox out, it happens a lot more frequently than if it's something top of mind because you're frequently being reminded that actually specifically in your email, in your text messages, you need to be a little bit more intentional about how you go through them and what you're looking for. So I guess last question around your phishing security test. So can you explain, just kind of TLDR in a few seconds how that works and then how you work with companies after the test to try to help address some of those things?

Roger Grimes

>> Yeah. We're certainly big believers in training more than once a year. We think that every time someone gets hired, they should be given longer training, whatever that means, 15, 30 minutes, 45 minutes, and each year thereafter get this longer training where you're trying to create all kinds of different behaviors. After that, they should receive monthly training, but shorter, maybe 1, 2, 3 minutes and get at least simulated monthly, simulated phishing tests. And if someone fails a simulated phishing test, that they get immediate education. You don't want them to fail a phishing test, and then they get an education about why they possibly failed that test 30 days later. You want it to be immediate. They have more ability to maintain it, or to retain it, that's the better word. And I would also say what you just pointed out, where you're really busy. We know for sure that even a well-trained person that has been trained in security awareness training and phishing and stuff, like myself, I have been successfully phished, at least through simulated phishing tests. And I would say that I'm among the top 1% of the world about how to fight phishing and social engineering. But yeah, I was busy, I was multitasking and I opened it and click or whatever. So we do try to create this sense of it's more than just training, it's more than just awareness. It's about trying to tell people that if you see an unexpected message that's asking you to do something you've never done before, that you need to slow down and research it outside that message's contact information before performing. And let's say we all, all of us get these unexpected messages from our boss going, "Hey, what about this? What about that?" That's normal. But what we want to communicate to employees is that if you get an unexpected message no matter how it arrives and it's asking you to do something you've never done before, at least for that sender, that's a high-risk message. You need to slow down. You need to be mindful. You need to possibly hover over the link. You possibly need to go to call that person or call that company in a known good phone number or go to a website. And if you can really teach that resilience across your workforce, you are going to significantly decrease cybersecurity risk.

Jackie McGuire

>> Absolutely. I think that's a great place to wrap it up. I couldn't thank you more. So the last thing I want to cover is we have RSA coming up very shortly, so I'm sure you'll be there in full force. Is there any particular events or things that you're doing, that KnowBe4 is doing at RSA that we should come find you for?

Roger Grimes

>> Well, we certainly have a booth there and we'll have a big presence. Everyone always looks forward to the RSA parties, but I guess I really like going to the educational sessions and learning different things. I'll be presenting on the different ways to hack MFA, which I've been doing for years and years and years. But for sure I'm going to have some new ways, new ways that MFA could be bypassed. And so I'm a very big believer in actually going to the sessions. It's not just about networking, it's not just about RSA parties, but it's about actually learning about what's changing in the cybersecurity space, like what's going on with AI, when will agentic AI malware be upon us, and when do we have to start teaching that?

Jackie McGuire

>> Absolutely, yeah. Visit the villages if you get a chance. That's always a really good way to get in close with the really technical people, whether it's lock picking or identity or any of those things. All right, well thank you so much, Roger, for being here today. Again, really emphasizing that avoiding a lot of security risk really comes down to understanding where that risk comes from and trusting your employees with the information to be able to handle it. For The ART of Security Summit, I'm Jackie McGuire. We will be right back with more information about avoiding, reducing, and transferring risk.