Introduction (00:09) You're listening to KBKast, the cybersecurity podcast for all executives cutting through the jargon in height to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:25) Welcome to the show. Now, I've been following you on LinkedIn for a while. I've seen your stuff, I've seen your videos. I like what you do. I think what you do is different and that's why I wanted to bring you on the show today. So, before we jump into a little bit more about Cybersecurity awareness, getting your thoughts, what are you seeing in the market? We always like to start our podcast off. We're talking about you and your journey. So please walk us through where did you start and how did you get to doing what you're doing now? Ian Murphy (00:55) Well, now there's a story. Hey, KB, thanks for having me on. This is absolutely wonderful and a pleasure. Where did I start? I grew up in the UK, in Liverpool in the 70's and 80's and I first started as a mechanic. That was my trade. Jobs were very hard to come by. Having a trade was all important, but I realised through my apprenticeship that I wasn't cut out to be a mechanic. I enjoyed it, but it just wasn't for me. So I was really interested in electronics. The computer boom is happening. Then there's expected Commodore 64, all of that type of stuff. So I decided to block my way onto a university course because I had no qualifications to speak of. So I got onto what's called the HND, which is probably just below a degree, and talked my way into an electronics course. We kind of fell into security from there. I joined the Ministry of Defence from that point of view, and this was the early ninety s and it was 1991, so I joined the Ministry of Defence. And then ever since that, security just felt like home wasn't even security then. It just kind of felt like just coming back to my Alia street. Ian Murphy (02:16) So my dream was to be a professional footballer. That was my dream growing up in Liverpool and to play for Liverpool. Karissa (02:22) Now, when you say football, soccer, you mean soccer, right? Ian Murphy (02:26) I mean football. The rest of the world gets it wrong. Okay. Karissa (02:31) I was confused about that. You guys call it it's soccer, but yeah, everyone listening on the same page. So soccer for all the Americans and football if you're in the UK. Ian Murphy (02:42) Exactly that actually I used to live out in Australia and Brisbane, so I am used to it being called soccer. That was my dream. Never quite made it as a semi professional footballer and had some decent success at that. But it wasn't enough to earn a living that I joined the Ministry of Defence and then spent about ten years with those guys doing really cool stuff. Really enjoyable stuff, doing stuff that people generally would never get to do in their life with great big machines and things like that. So it was really cool, obviously stuff we can't talk about. And then found my way into the.com bubble in London in 2000, where I seem to stay drunk for about a year. I think it's probably my personal best at staying drunk. Don't drink kids, by the way, for about a year. Before then I joined Semantic for five years and we had a ball for five years and then I went out working for myself. And so for the last with all we know, 2022. So for the last 16, 17 years, I kind of been working for myself in one guy or another, doing consultancy, all the normal stuff, security, architecture, ISO 27,000 on NIST, all of that type of stuff. Ian Murphy (04:13) And now some see so stuff as well. And then recently I found out that being an idiot from Liverpool and dressing up on video can be a career. That's kind of how I've gone from young lad in Liverpool to old grumpy person from Liverpool dressing up in stupid clothing and making an idiot of himself on video. Karissa (04:36) Wow. Okay, so I like that you start off as a mechanic, but then you sort of navigated through doing different roles, various roles, and you touched on the football career for a moment. I'm keen now, so obviously people probably do know who you are and your videos and stuff like that. So I wanted to bring you on to talk about your perspective on the cybersecurity, like the awareness side of things. Now, I guess it depends on who you speak to. You are going to get varying answers, but I'm just keen to hear your take. You see things differently, you want to do things differently, you want to bring a level of modernity to the space. So I think this is really important for people to hear your thoughts and perhaps maybe where people are going wrong. Ian Murphy (05:23) Even so, yeah, I think for the last few years I've kind of been concentrated more on how do we make awareness a little bit more fun and a little bit more engaging. Because, to be quite honest, most people would rather go in for a root canal than to sit through a ball and hour long presentation telling people not to click on links. Right? I've all been there and organisations who do this seem to get the most monotone, uncharismatic person in the world to deliver that type of train. And so no wonder people find it snooze fest, right? And apologies to everybody who's ever delivered that training and who's listening to this, but other people are far too polite to tell you that it's not that interesting. I think part of the issue is that we can't be ourselves in work. If we're ourselves outside of work, inside of work, we'll probably get fired within five minutes. Right? That's why we can't be ourselves in work. And I think that's a shame. I think that's a shame because there's a lot of outside of work, there's a lot of fun and there's a lot of humour and there's a lot of reverence. Ian Murphy (06:32) At least it's permeated my life for all of my life. And I thought to myself, why can't I bring that into work? And actually, even before doing the videos, I was always that person. I was always the person who made the silly quip in a meeting, who'd lighten the mood. Because actually it's a bit too serious, isn't it? Business. Unless you're a brain surgeon or a copper or a fireman and stuff like that. We're not saving lives, are we? Let's face it, or we're not digging roads, it's not proper work. And yet people take themselves so serious and that's what I want to do, I want to remove that seriousness from it. Because when you go home to your wife or your husband or boyfriend or girlfriend or significant other, you don't turn around and say, shall I prepare a meal? That's holistic and synergistic for us all. You turn around and you say, what are we having for dinner tonight? Love what you fancy. And it's that type of and that's what I want to bring to it. Because I think when we do that and we show our human side to people, I think people become more human back and they're willing to trust more because evolutionary, from an evolutionary point of view, that's how we develop societies in our ability to help and trust, because otherwise we wouldn't have banded together to get off the savannahs and ward off all the other Homo erectus type of species and save ourselves from, saber tooth tigers and probably being anachronistic there, by the way. Ian Murphy (08:03) I don't know. But as human beings, that's what we want. It's also our failure as well. Our failure and being helpful and trusting is why we click on links, is why we fall for scams. Another thing that drove me to do it was people being disparaging about their fellow colleagues in terms of using terms like the weakest link or I want to build a human firewall. It used to wind me up because it's almost an arrogance from people to say, Oh, that's common sense, or you're the weakest link because you've clicked on that news flash for everybody, by the way. Anyone can be susceptible to that type of scam. Anyone can be susceptible to clicking that link and if you don't think you can be, you're even more susceptible. There's plenty, plenty of studies on this stuff that show the more intelligent people are, or they think they are, the more they have a blind spot to things like that. As long as you pick the right enticement to get people into it. That's what largely I wanted to do, I wanted to give a human voice to the monotone corporate boringness that was out there at the time and actually, it's still out there now. Karissa (09:20) Monotone corporate boringness. Yeah, you're so right. 100%. I mean, look, I worked in a number of different organisations. I used to fail the trainings because I was in security at the time too, which is, like, really bad, but I think I failed it because I didn't want to pay attention to what I had to watch from memory. It was like a series of videos and it was just awkward. And I was just like, Why? They paid all this money to get these videos actually handmade, let's call it that. And I just found that it wasn't very appealing. So I was worried, me, was that I was failing these videos and I was in that space. So imagine other people that are not in security that are viewing this stuff, that are probably my eyes glazing over, like, this is so boring. So I'm curious to know that do you think people are aware that it is boring, but they just choose to do it anyway because they've got to do something, right? Ian Murphy (10:21) Yeah, I think that perception of boringness pervades. So they may not even have Sat training at that point, but somebody's told them, Oh, God, I got to sit this. It's the annual training, I don't want to do it, but there's a bunch of other stuff I think, that leads up to that, that puts people off being told they have to do it for the kickoff. Right. I think when it's mandated that you have to do this stuff, then you instantly have some values up against it, because let's make no bones about it. Outside of cybersecurity, people do not care about cyber security. And I'll go to battle with anybody who says, Yes, I cared about no, you don't, you don't. You only care about it when it happens to you. If people cared about cyber security outside of cybersecurity, there'd be no breaches. Stuff would be patched, would do the basics, like we tell people to do the basics. So I would challenge anybody to turn out and say, yeah, we care about cyber security. No, you don't. You care about your share price, you cared about your profits. The last thing you're going to care about is cybersecurity until it starts to affect that stuff. Ian Murphy (11:31) For me, it's recognising that and it's recognising that for the people who you're trying to educate. And the other thing as well is if I think back on my school days, I try and think back on the teachers that made an impression on me. Now, there was enough sadist at my school from a teacher point of view, that were willing to batter you, right? So corporal punishment was still in school. They could hit you with a cane, they could slap you around the back of the head, they could throw chalk and board rubbers at you and things like that and that regularly went on. And you could probably expect it from a teacher that's trying to control 30 pre pubescent boys in Liverpool right. You can probably expect that type of stuff. But the one I really remember was the teacher that made me laugh was the teacher that made the lessons interesting. I try and bring that through into the videos. If I can make the video interesting, if I can give a hook within the video that keeps them watching every ten or 15 seconds, 30 seconds, and keeps them interested to watch it through to the end, and they take one little snippet away from that, I don't know, change my password, make it stronger, download the password, whatever it is. Ian Murphy (12:44) If they can take something away from that, my job is done. And I don't think much training offers that. There's some other good training out there, by the way, I'm not saying mine is the only training available, there is still good stuff out there, but it's few and far between. You have to wade through a load of rubbish, and unfortunately, that rubbish. Spend more money on marketing and SEO and stuff like that than the little vendors, so you don't get to the little vendors and you think that rubbish is the only game in town. Karissa (13:13) Yeah, you're so true. Do you think people are offended by your videos, though, perhaps? Ian Murphy (13:18) Oh, I don't care. So there's an easy answer to that. I don't care because I know I'm setting out not to offend people, so I know where my videos are coming from in the context of where my videos are coming from, and it's not to offend anybody. So I'll pick targets, but I'll never pick individuals at targets unless it's a big individual like Elon Musk or stuff like that. And I never really go after I'm not stupid. I may look stupid, but I'm not stupid, but organisational beliefs or things like that as targets rather than rather than individuals, and I think is when you're never attacking the little guy, when you're never attacking the underdog, when you're always kind of punching up to the bigger concepts that we can believe in and challenge you're always on safety grounds, but you will always offend somebody. I cannot please all the people all the time. And I realise I'm marmite or vegemite to people. I understand that for the people that don't like it, then they can scroll on past or not do business with me. For the people that do like it, they love it. It's a breath of fresh air for them. Ian Murphy (14:29) And I say quite often when somebody says I'm offended, I'm like, So what are you offended at? First off to just cheque. I haven't transgressed the line when I realise I haven't, because I'd be morally offended if I have offended somebody myself, because that's not what I've set out to do. But if I have transgressed the line, I'll try and make reparations for that. But all the time people have pointed stuff out in a video, which is not very often, to be quite honest. I've gone back and I've looked in and gone no, you've missed the point of what I'm talking about. That you've come at it from your context. And actually now you're asking me to solve an emotional reaction you've had to something. And there's no way on earth that I can do that. Because it's your emotional reaction, it's not mine. Karissa (15:18) Now, I say that because people on the Internet, they're just offended by anything. I mean, I had one woman years ago, I used an analogy about fishing, an analogy. And then she said, I think she commented something that's really stuck with me. The specificity of what she said, it sort of escapes me now. But she said I don't like the analogy. Use can you use an analogy about planting trees instead? I was like, I talk about an analogy, I didn't say I was out there fishing. Sometimes people can one word could just trigger them or something that you say. So it's interesting. And I asked this because I put myself out there and I understand what it's like for people to sort of lock onto one word and then say oh well, you meant it that way. It's actually no, I'm pretty sure I know what I meant. You've missed the point. Or people will say oh, but you didn't consider this thing. It's not yet, but if I considered every single thing, I would be here for years. So I can empathise with and I can understand your position because I've been in those positions before. Karissa (16:18) But yeah, it's very simple. Just scrolling past, like just move on and don't worry about it. But some people do feel this need to comment negatively or whatever it may be. But I just know that being on the internet in this day and age, people are offended by everything. Like anything. Ian Murphy (16:34) They are. And the weird thing is the people who get offended want to watch more of it, to be even more offended. It is almost like I know we've gone past May the fourth now, but it is almost like being a Jedi Knight and fighting Sith person. Because actually hate leads to anger. Anger leads to the dark side and it's an emotion that feeds off itself and people get more and more angry. They're probably part of the audience that will watch all the videos right to the very end. And even the silly stuff I stick on the end sometimes, the bloopers and things like that. And I get even more offended at that. And I'm like just chill out, go somewhere else, don't bother somebody. Because what I am sure of, right? And this is what the internet gives people. The Internet gives people the anonymity and the distance to be rude that they would never do if they were in your company, right? No matter who you are. And I happen to be a six for four scouser. Scouser somebody from Liverpool. I happen to be a six for four scouser who is not afraid of telling somebody where to go, right? Ian Murphy (17:43) So if somebody was rude in my presence like that, I would tell them where to go quite easily. Now, I know violence is not the answer. It's the answer for some people, but I know violence is not the answer. But actually, that kind of aggression they show you over the internet, that passive aggressive. I didn't find that. And all of that stuff is almost the same. It brings in another interesting concept. It's almost like a bullying concept, right, where if they don't like it, they may get some of their friends to jump in on that conversation to say they don't like it. Twitter is great for this. Twitter does this all the time. Not so much on LinkedIn, but I've had it on Twitter and I'm thinking, well, there's now five of you telling me that you don't agree because you're backing your friends up. How different is that now than what you think I've done to offend you? How different is five of you having to go, me telling me this, that and the other, and calling me names and stuff like that? How different is that from what you've now been offended at? Ian Murphy (18:52) And you have to grow a thick skin on social media, you really do, because there are morons everywhere and I include myself as a moron. We all have the moronic gene, right? We all have the capability to be morons times in our life, but it seems that certain aspects in certain corners of the social media world is where they gather more. Just seems to me. Karissa (19:15) No, you're so true. But the other thing that what still gets me is, why would you waste your time being negative towards someone just so hypothetically? I saw something like that. I don't comment, I just moved past it. That's it. Because I don't want to also exert my energy onto something negative, because then it ruins your day. Oh, that Ian guy, his post annoys me. So then I'll get five of my mates onto it and then start berating you for no real, like, I don't want to foster that type of energy or that type of behaviour. I don't do that. If I don't have nothing else to say to sensitivity at all, that's it. End of story. I don't want to be harsh towards people. I also believe that people that put themselves out there, it's a hard job. And so when people that comment, that have never put themselves out there, that's what really makes it interesting. Ian Murphy (20:05) Oh, yeah, there's a famous I think it's Teddy Roosevelt, the President at the time, who talks about the man in the arena, about people. No matter whether you fail or not, if you're covered in blood and sweat and stuff like that you've had a go. And that's important to me. That's important to me that you have a go. I go to a lot of soccer matches. My team is Liverpool, as I may have mentioned, I'm from Liverpool, so I go to watch those guys regularly and I sit next to guys who are criticising professional footballers on the pitch for not doing the pass that they thought they should have done or not doing certain things. And I'm thinking you guys have no idea what it takes to be that professional footballer. The hard work they put in, the sweat and teeth, the stuff they go without. Yes, they get paid handsomely, but the stuff they go without, you know, the very disciplined athletes and all that type of stuff. And this guy who's criticising the professional football on the pitch gets out of breath standing up out of his seat and I'm thinking there's lots of people who coach from the sidelines, lots of people who coach from the sidelines. Ian Murphy (21:15) There's very few people who pull the boots on, strap in and go out there and do it. Karissa (21:20) Yeah, that's so true. I think I was talking to him about this the other day, I think I was using a basketball analogy. It's really easy to sit at home on your couch and have a go at someone about why they missed the last shot or whatever it is. Now, the terminology I'm probably not great at, but it's like you've never had a foot in their court at all. So how are you in a position to do that? And it's just hard because I think I have this level of empathy now because I've been on both sides. I know what it feels like to be able to criticise you. I get you've got an opinion, everyone's got an opinion. But since you've done it, I don't think you're really in a position to, like you said, coach from the sidelines. And it's something that I do see often. But then do you think that because people are afraid and they are worried that they are going to be coached from the sidelines, maybe that's why they're not pushing the boundaries when it comes to CyberSecurity awareness. Obviously you are, but you're like one person and there are 7 billion people on the planet. Karissa (22:20) So I'm just curious to know the behaviour around why we're not pushing the boundaries. Ian Murphy (22:25) Because people don't want to show their true selves at work. They don't want other people to think both of them, they want to project an image. So they want to project an image that is professional. Whatever that means is corporate toes the party line. They don't want to send anything out of order in case somebody else gets offended or all of those types of things. And I think we are breathing in existence now that's going to be Stead Island in several generations where you'll be afraid to say anything you'll be afraid to express an opinion, and I think that's damaging for all of us. And I think that's why people yes, there's the social media thing. I can tell people that haven't done this for a few years now, that you will get people come on. Not liking certain things, but actually, it's not the end of the world. I get that people don't like me, that's all right. I can live with that. As long as the people who are close to me, around me, like me, that's all right. So I can accept that. But, yeah, I think when it comes to others doing it, putting themselves out there, it takes a lot of bravery to do, and it takes a certain amount of talent as well. Ian Murphy (23:47) Right. It's not for everybody. Not everybody wants to go in front of the camera, or like I've started doing latterly, do stand up. Not everybody wants to do that because it's petrifying to them, right. So we get that for social as well. I think the thing of it is that sometimes emperor's new clothes. So I'll speak to CSOSA and I'll talk to them and I'll talk to them about how I do the videos and what I do and why I do it. And they're like, Yeah, we're good for that. Because I started my own videos. And in my mind, instantly in my mind, I'm thinking David Brent, right, from The Office. I'm thinking Ricky Gervais's character from The Office, where they think they're funnier than anybody else. They think everybody loves them, whereas the problem is the emperor's new clothes, and nobody is willing to turn around and say, boss, that video is shit. That video is shit, and didn't engage anybody because you're just not that funny, right? And the production wasn't great and all of those bits and pieces. Or I'll get people who say, Yeah, this is great. We've got a package from so and so. Ian Murphy (24:52) That's great. What type of engagement are you getting from now? It's brilliant. Yeah, we're getting people and then if you go around the individual people who they think are really engaged in it, they're watching it because they have to. They're not watching it because they want to. They're watching it because it's part of and it's tied into the fishing exercises that they do, which is something that still puzzles me, by the way. I have a lot of puzzlement in the awareness space. One of the puzzling things is why do we fish? Our employees? Now, I know on the high level it sounds great. Phish them, teach them what to look at, and they won't fall for it again. But like I've said earlier on, anyone can fall for a phishing link, so showing them more and more efficient links won't make them better at it. Right. Everybody has the ability to fall for it. And I always talking about analogies that sometimes upset people. Here we go. Here's one so I always talk to people when they say, yeah, we phish our employees. I'm like, but that can break trust really easily. If it falls into the wrong hands, I do get the positive sides of it, but if it falls into the wrong hands and you try and fish them by, say, offering them a bonus, which several firms have done, and get them to click on that link, then actually that's entrapment and it breaks trust with your employees and you push them further away from you, they think secured it even more a bunch of our souls than they already think we are, right? Ian Murphy (26:20) And I know this is some harsh truth for people in security, but it's true. I've been in the game 30 years. Maybe they just think I'm an asshole, that's okay, I don't mind, but it distances them even further. I give them this analogy. I say, look, when I was a kid, we were told about stranger danger, right? We were told about stranger danger, about not getting into a car with strangers. There was adverts on the TV, parents used to tell us, to tell us all the time, don't get into cars with strangers, blah, blah, blah. I said, what you're doing with fishing is akin to my parents employing a stranger to come and pick me up from school in a car and drive me around whilst I'm going out my wits worrying about that I'm in a car with a stranger, only to drop me back off at my mum's house at the end of the day with my mum standing there with a disapproval look on her face, turn around saying, See? Told you not to get into cars with strangers. Will you listen now? So it's that kind of approach that people take with fishing to try and teach them. Ian Murphy (27:20) My point is, it's not that we shouldn't try and raise the awareness of phishing and all the other scams that are out there, but we can do it a little bit better and we can do it a little bit more inclusively and we can do it with getting people on board and we can do it with engaging them. And the answer to that is fun, because it's the emotion that we attach most of our instantly recall memories, too, right? So even if you haven't seen your friends for years, the moment you see them, you'll go, do you remember that time when and it's always a funny story. It's never a terrible story. It's always a funny story. remember that time when we did this, oh, yeah, brilliant. And you start laughing about it again. And that's exactly what I try and do with my video. I try and build into that the ability for people to come back and keep watching them and keep finding different funniest stuff in it as well. Karissa (28:11) You are right. No one's sitting there talking about, Oh, I remember this time and it was like a really macabre situation that happened. So I do hear what you're saying. So one of the things that I want to know now is how do you balance creative, cool content with it not being, like, too cringe right now? I say too cringe because I've seen stuff before, and I was like, this is cringe. Like, I feel awkward watching it now. I can't say company's names. There was a company in particular, and I said, there is no way in hell I am talking about this, because this is awkward. And I felt uncomfortable as an employee thinking that this was, like, some next level revolutionary thing, and I felt incredibly uncomfortable. Ian Murphy (28:58) I mean, some people have said cringe on some my videos, but I think they then missed the point of the video, was that the production values and the way we approach it and the parity effect of it as well, it's kind of meant to allow people to go, Oh, yeah, and have that moment where, Oh, yeah, I may have done that, but the cringe for me, not for them. Right? So I'm the idiot in the sketch. I'm the person of Derision in that video, and it's almost like giving them a proxy to go, I remember when I did it, and it was slightly cringe for me then, but this person showed me that. Now, don't get me wrong, when I'm filming the videos, there's certain things in there that I go, I'm uncomfortable with that. So when I'm working with the team and when we're planning the videos and writing the scripts and going through that stuff, I'm like, Oh, I'm slightly uncomfortable with that. Certain things. But actually, what we've got to then trust in is the process of making something that seems so bad funny and overcomes the cringe worthiness, if that makes sense. Karissa (30:10) So can you give an example of what something that seems so bad? Ian Murphy (30:15) I did a Cyber Girls one with a dressed up as the Spice Girls. Karissa (30:21) Which one? Ian Murphy (30:22) I dressed up as all of them. Okay, so we did it, and the one outfit that I really had a problem with was Victoria's outfit. And because it was skin tight, right? And it was just uncomfortable. It was uncomfortable. I'm a middle aged man with a dad bod, right? And it was uncomfortable. It was uncomfortable to see. Yeah, still did it. Or we did The Rocky Horror Picture Show one, where I dressed up as Frank and fertile as well in stockings and suspenders and stuff like that. And that was slightly cringy. My wife doesn't watch them, by the way. My wife will watch some of them, but won't watch all them. She's like, can't believe you've done that. Can't believe you've done that. So if there's anyone to answer the cringe, you think it's probably my wife. Karissa (31:13) Oh, my gosh. Well, so you take concepts that perhaps people like, roll their eyes out, and then you sort of poke fun of it or you try to find a little bit more empowering by dressing up and doing all these things. Have I got that right? Ian Murphy (31:33) Yeah, and we try and lay it as well. We'll normally stick to one concept in a video or laterally animation, so I've started doing animations and we'll try and stick to one concept, but we'll try and layer it. So we'll try and give people a narrative through it, but then also giving them I think it's important as well, you know, without being teacherish on it, without being so what have we learned today, kids? Without being Sesame Street, right? We've learned two and three. It is a bit full on, so I see it as a way of offering information into the subconscious by making it fun to get into the subconscious. That is almost like my I'm using the video as the syringe to inject the drugs into the body for another terrible analogy, right? But it's about getting that information into the psyche and the amount of people who come back to me and say, I showed my wife that video the other day, she downloaded the password manager. I showed that video to my grand last week and she's actually gone and changed the password. I get that all the time, which is brilliant. Ian Murphy (32:50) That's the bit I love. Yes. I want to sell them and make money and stuff like that, so I can keep making more videos and keep being an idiot, but I also want to get those idiots involved at some point as well, in the future, where people just don't have to watch my face all the time, right? But that's the real reason that I do that stuff, is for the individuals. It's for the likes of my dad or my son or my wife or my family and friends, so they can watch it and go, Oh, I didn't realise that. I didn't realise that you could get a link that would offer you fake AV, you know, stuff. I didn't realise that if I clicked on the link and I entered this, then it could have been that and stuff like that. So it's just about I keep calling it cyber savvy. It's just increasing people's cyber savvy. I don't want to make them security professionals, I just want to increase their cyber savvy that helps them stop and think. Karissa (33:50) And I think that's fair, right? We're not asking people to become like a full on practitioner. You need to know everything from the Nth degree. It's just having a bit more awareness about what you are doing and maybe it's the way in which we deliver and how we frame things, like through your videos or whatever it may be. So people go, Okay, well, that resonated with me, right? Okay, so I'm keen now to then look at the other side of this is where would you say, companies in the past have invested the wrong types of programmes historically, because at the end of the day, a lot of people are just like, I've got to get the security awareness programme in place. Have I done that? Tick. Maybe it's not the right one, maybe it is, but I'm just curious to know, what have you heard? What's the word on the street? What are people saying? And how can other people learn, perhaps, from your experiences? Ian Murphy (34:43) So I've run several I've been in many different types of awareness things and I think the overarching problem, as I mentioned earlier on, is people don't really care that much about cybersecurity. And I think the problem with that is that with programmes, businesses get the equation wrong. Businesses put the business first. So the reason for people attending the training is to protect the business, and that's just wrong, right? The reason people should be trained in cybersecurity awareness is to protect themselves and their wider family and friends. That's a real tangible reason for them to join, right? That's a real tangible reason for them to get behind this stuff. I'm going to learn something that will help protect my kids in an online world. I'm going to learn something that will help protect my nana or my granddad in an online world, or my dad or my mom. If we start thinking that way and we start making it a benefit for people to improve their own knowledge on it, because one of the best ways of improving your knowledge on something is teaching it to somebody else, right? So if they're seeing content that they can then share with their family and friends, that's interesting content, by the way, I've got to say that we live in a world where the tablet or the phone is king. Ian Murphy (36:05) Now, we're attached to people 24 hours a day and they've got fleeting attention spans. If you want to sit them down and put them through a mini series of 1520 minutes episodes of How Not To Do Security, they are not going to do it. Or if they are, you better make it bloody funny, right? So they're not going to do it. That's where I think programmes should be going. The companies I talk to, the Cecils I talk to, that's where they want it to go. They want to empower their people. And the lovely benefit of that is you don't have to tell people not to then do stuff in work or not to do stuff inappropriately that may cause a breach, because they're already in power, they're already savvy and they're already building that savvy. And the sharing stuff amongst their friends and family, the sharing videos, have a look at that. And that's my whole raising debtor, actually. I'm going to be launching the community approach later on this year, which will be a social approach. I'll do that again because my watch just said sorry, could you say that again? I'm going to be launching a community approach later on in the year. Ian Murphy (37:18) Where I want to build a cyber community that's based around fun, but that's based on a social platform as well, and allows people to share this type of content with their family and friends, allows them to build wider networks of family and friends. And I also want to get away from the Boring LMS type thing where you do a lesson or watch a video or do a quiz, get a certificate that's born. Nobody needs that, right? So I'm bringing in more of a kind of itunesy Spotify type feel where you can create playlists for your family and things like that, but it's more of an album type thing where you can say like the Beatles White Album or stuff like that, or Abby Road to be an album cover on a theme on the album and stuff like that. So it gets people more interested in them, it talks to them as individuals and tries to play on their need for interest and stuff to keep them engaged. I think once you can start doing that, and once you can start building up that trust and community for people, you got half a battle then of having a more informed workforce, a more informed family and more informed population of what the Scammers do, how they do it, what their usual approaches are, and those bits and pieces. Ian Murphy (38:41) So I think that's my ultimate goal is to do that and then also then help organisations build that community internally. Because most people talk about the culture word and let's be honest, culture is not something you buy from a software package. Culture takes a long time to grow, and yet I see many awareness vendors now talking about culture, behavioural, culture and all that type of stuff. And I'm like, no, that's not how it works. Build a community first. Build a community that's interactive, that's helping each other, and it'll develop its own culture. That's the lovely thing about culture, it develops on its own. Once you get the right people in the right room, obviously you can go down a bad route, but if you're developing it around fun and around interesting content and around kindness for the community, I've got one rule on the community, don't be a dick. Right? So it's just be kind to other people again. There's another Ricky Javey show called Derek, and Derek is a guy who works in an old people's home and his saying is just be kind, kindness is magic. And it's true. You don't have to be horrible to people, you don't have to be unkind. Ian Murphy (40:05) And I think if you can build something around those tentative fun and kindness and not being a dick, I think you got half a chance of building an inclusive community for everybody that like that type of content and fun approach to learning stuff and hopefully sharing their farm wise with their family and friends. Karissa (40:26) Yeah, you're so true. I think there's definitely yeah, I do agree with what you're saying. And I have seen people selling the culture type of stuff and it's not something you can just buy for shelf and then that's it one and done. It does take a bit of time and there's a few people that need to be involved. Do you think that perhaps people overlook to go back to earlier, point around doing an LMS sitting through, it's a bit boring, click, do the little course thing at the end and oh, you failed, which is what I used to get. And then I think I was on a non compliant list, which is quite unlike me because I am a very compliant person when it comes to the world. So I guess I'm just curious to see that. Do you think that people that are subscribing to cybersecurity awareness platforms with other vendors, for example, they just perhaps a little bit out of touch with what is the attention span of people nowadays? How do people like to learn? Because other people like to read versus listening to a podcast or whatever it may be. So there's different modalities to learning something. Karissa (41:33) So do you think that people are out of touch with the reality of what their staff need to go through in order to gain that level of awareness? Ian Murphy (41:44) Yeah, I think they're massively out of touch and I think you don't care this well. And you'll get companies saying, we care. You don't really do yet, because there's duplicity in life all over the place. What they care about is shareholder value and profits and stuff like that. And that's cool, right? I'm not decrying that. Of course that's a valid thing to care about. But don't say you care in human beings or staff when you've got a CISO who's calling them wet saxamito. That happened the other day, by the way. I was on a conference call when that happened. Or you've got a head of it who wants to sanction employees if they click on links. Again, that happened. You don't care about people if you're doing that stuff. You just don't. So don't try and tell me you do, then, afterwards, caring is about going around, all right, for multinational work. There's thousands and thousands of workers. This isn't possible. But Ken is understanding that Dallas in accounts need time off to take his son to whatever. I'm going, all right, Dallas, don't do it. Or that David in it needs to nip off early at 03:00 because he's a single father. Ian Murphy (42:58) Go on, Dave, go and do it. That's caring. That type of stuff is caring. No, just saying it for platitudes. And I think also as well, when you put compliance before your people, again, that's not caring. You do care, but you care about the wrong thing. You're caring about ticks in boxes and you're not actually caring about people's emotions or feelings and what they want from it. You just want to get the audit and I think that's a whole different podcast, to be quite honest, around people managing security via compliance, because we all know anybody who's been in the industry five minutes knows that compliance doesn't equal security. Karissa (43:40) Yeah, true. So I guess, like, having you on the show today, it just maybe brought that level of awareness around. Maybe people haven't considered we are using an LMS, maybe we should consider how our employees, how our staff actually learn how they engage, maybe just giving them that thought of perspective. So I guess that sort of leads to my next question. Like, you are right? No one perhaps really cares at the end of the day. And, I mean, why should they? Like, if you're sitting in an organisation, you don't really care about what Vanessa or Human Resources is doing, right? Like, you don't really care about your role. I guess there's this fallacy that people should care more about security. Now, I get the reasoning for it, I really do, but it's that's just human nature, right? You just don't want to, you don't have to, whatever. So I'm curious to hear from your perspective now, Ian, is I don't know, even if Steven Spielberg created a film on cyber awareness, like, do you just think that people just don't care at the end of the day? And maybe this is a real reality that, yes, of course we need people to care, but they just don't, right? Karissa (44:48) Like, maybe if we just accept that and we find other mechanisms too, like I said, not like pushing them on the compliance front and everything, is this just the reality that we all need to hear? Ian Murphy (45:00) I think it's constant reminders, right? So people generally don't care until stuff happens to them. And that's a truism of life. I'll give you an example. As a 17 year old child, I was involved in the Hillsborough disaster in the UK, where 97 supporters lost their life at an FA Cup semi final when Liverpool played Nottingham Forest. It was only then, after that, that the authorities started to take fans safety into account of football grands. Up until then, we were headed like cattle, we were treated like cattle. So if you treat people like cattle, they behave like cattle, right? They behave the way you're treating them. And even after that, so fast forward that was 1989. Fast forward to today, which is 33 years later, on in 22, you still have fans. You still have fans at football games when they're offering a minute silence on the anniversary of that disaster, booing them in its silence. Opposition funds. And that's the problem. It's not that I'm saying they're terrible fans because all walks of life have those type of people. The point I'm saying is that people forget that stuff, right? People don't care enough about that stuff because they haven't been involved in it. Ian Murphy (46:26) I can tell you, when you are involved in that stuff, it affects you and it affects you mentally, deep down and for the rest of your life as well. And I think when other people do it from a tribal nature, you know, to say, oh, you're the team, we don't like, you're the team, we don't like it, it's kind of people just have short memories from that point of point of view, which is akin than to, why should people then care about sad security? Well, they don't care because nothing bad has happened to them, right? If they then lost their job or lost their living, or if a sad security disaster had happened that led to people losing their lives, right, for whatever reason, people would start to care more, would probably see more legislation coming in then that actually made it illegal not to care about cybersecurity, right, because that's where health and Safety came about. Health and Safety came about. The legislation around that, around things like the Piper Alpha disaster and things like that. So when those types of disasters happen, legislation come in. Up until that point, people don't care enough about it. Ian Murphy (47:36) And even if they then do come in at a point of time, if you're not learning from those mistakes all the time, people are going to forget it. And we have a human ability that saves us from that fear. We have our cognitive side of our brain that stops us thinking about that too much, because it would send us in a downward spiral. And I think that is the same for cybersecurity, I think, until we see something major inside security, and we've seen people can argue with seen major stuff inside security, with the massive breaches and data loss and stuff like that, but it's always happened kind of to an organisation, and unless you're working for that organisation or a partner, that it hasn't really affected you. I think when you see maybe a cyber attack on the nation state, which we've seen bits, of course, but that cyber attack on the nation state wipes out all the nuclear power or all the electric power and stuff like that, and this, that and the other, and you can't get it back for whatever reason. And I'm painting a bit of an apocalyptic view. I think that's then, when people only start to care more about it, I. Karissa (48:53) Mean, it's like anything, right, you'll be talking to someone and then they'll say, Oh, well, I used to eat like KFC and McDonald's, and then all of a sudden, I don't know, have diabetes, and then that's what gave me the awareness to stop doing that. But they wouldn't have cared up until something catastrophic major had happened in their life, because it didn't impact them. And unfortunately, we have to get to that stage. It's kind of like if you're hanging yourself and you realise that it hurts, then you stop, right? Like it's the same thing if you're eating badly, this, you got breached, that sucked. We're not going to do that again. I guess we better pay closer attention to it, better not make that mistake again. Better be more conscious of it. Unfortunately, I think it's just human nature and we can't care about everything in the world either. Ian Murphy (49:45) Correct, you can't. And there's the other side of it, right? The criminals know we don't care, right? They're not daft. Criminals are not daft. They know we don't care. And they know it's easy pickings as well. They know people aren't putting enough money into the Saudi security defences. They know people aren't putting enough money into educating their people or educating them in the wrong way. They fully understand all of that and they know how to play on that because guess what? Again, human nature, there has always been people that will look for the angle, that will look for the shortcut, that will look for the chance to steal somebody else's nuts and bees rather than go out and collect them themselves. Again, it's part of being a human. You have people who are like that. Ian Murphy (50:30) Unfortunately Karissa (50:32) no, you're so right. Unfortunately, we do have this vision. We do want people to care. I think as it relates to consumers on an individual personal level, we will care. And if we sort of show that in an awareness capacity, I think everyday people will care a bit more. Because I know people that have called me in the middle of the night saying, oh, something's happened to my online banking or someone stole my identity or something. And then they are a little bit more cautious after that incident because it has impacted them in their life and their livelihood, their reputation, whatever it may be. So we don't want it to get to that stage. We don't want people to learn the hard way, but in some cases it's really the only way that you learn. Like it's when you're a kid and your mom's like, don't touch the stove, or you guys call it a hob and you touch it and then it burns, you don't touch it again, she could have told you that to your blue in the face, but until you touch it, you're like, Oh, that hurts. You stop doing it then. Karissa (51:30) Unfortunately, it is just human beings and we cannot code things in a way where we can remove a lot of the potential downfalls in human beings. You can't do that. Ian Murphy (51:42) I agree. And we have to accept that. And that's part of what I talk about to people as well, is that actually, you know, when I get fed up with people saying human errors is 90% of all breaches, I'm like, Bullshit, it should be 100%. Unless there's squiddles or something like that involved. Because actually there's a human involved in all of it and that's okay. We shouldn't use that as a stick to beat our colleagues with. We should just go, people are going to make mistakes. You don't mean to, and it's our job to help them not to make mistakes. But when they make mistakes, obviously, if it's not deliberate, it's a mistake. When they make mistakes, we need to show a bit more compassion and empathy, actually. If they then double down on that mistake and make it more difficult for themselves. I'm thinking of recent breaches where people haven't come out and been genuine in their PR side of things, then actually, you're going to get more people piling on. I think we're now in a world where you don't want to be honest and upfront in terms of saying, we messed that up, we messed that up, we're really sorry, we're trying our best to get it back. Ian Murphy (52:46) You'd still get criticism for that, of course you would. But actually, you're being genuine with people. And most people, the majority of people see that. They see you being genuine. I can spot a disingenuous person a mile off. Most of them are called politicians, by the way, but I can spot them a mile off. And when they're not being human in front of people, when they're not being themselves in front of people, you can see that. And I think that's where we come back to. Why I do what I do, is that I want to give that kind of human approach to it, that genuine approach. I want to turn around to people, go, It's all right if you make a mistake. Life is full of mistakes. I've made loads of mistakes. I continue to make mistakes. That's okay, but let's learn from it and move on. Let's try and not repeat it again. If you repeat it again, fair enough, that's no problem. Let's try and get a little bit better the next time after that. And I know that sounds a bit liberal and a bit compassionate, but actually, what's wrong with that? Ian Murphy (53:47) What's wrong with treating people that way and caring them a bit more about them than saying, I need everybody to do the training, and if they haven't done it by October, I'm going to cut their access off to the network? I'm like, you're a bit of a prick then, aren't you? Karissa (54:02) Yeah, that's a pretty intense so, yeah, I guess it's having that we're dealing with humans at the end of the day, like they have a mind of their own. We can't engineer things in our favour. So, yeah, I definitely agree with what you're saying. Love what you're saying. Love what you do. Really appreciate you coming on the show today, sharing your thoughts. Yeah, can't wait to do it again. Thanks again. Ian Murphy (54:23) Lovely. Thanks, KB. Karissa (54:24) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the voice of Cyber.