WEBVTT

1
00:00:00.120 --> 00:00:02.839
<v Speaker 1>Welcome to the deep dive. We're here to cut through

2
00:00:02.839 --> 00:00:05.559
<v Speaker 1>the noise, dig into your sources, and get you the

3
00:00:05.639 --> 00:00:09.279
<v Speaker 1>key insights fast. You know, when you picture cybersecurity, what

4
00:00:09.400 --> 00:00:11.839
<v Speaker 1>usually comes up. It's that classic image, right, the hacker

5
00:00:12.279 --> 00:00:15.119
<v Speaker 1>hoody up, dark room screens blinking.

6
00:00:15.279 --> 00:00:18.879
<v Speaker 2>Yeah, that intense image of someone furiously typing code. And

7
00:00:18.920 --> 00:00:23.160
<v Speaker 2>that picture suggests security is this really technical, almost hidden

8
00:00:23.199 --> 00:00:25.600
<v Speaker 2>thing that only a few experts get exactly. But that

9
00:00:25.719 --> 00:00:29.039
<v Speaker 2>core idea that it's all about technology, well, that's kind

10
00:00:29.039 --> 00:00:30.839
<v Speaker 2>of led us down a tricky path. We keep trying

11
00:00:30.839 --> 00:00:35.439
<v Speaker 2>to patch software when maybe the real issue is somewhere

12
00:00:35.479 --> 00:00:36.679
<v Speaker 2>else entirely right.

13
00:00:36.719 --> 00:00:39.600
<v Speaker 1>Because the source material we're diving into today argues pretty

14
00:00:39.600 --> 00:00:43.640
<v Speaker 1>strongly that most security problems they're not tech problems at

15
00:00:43.640 --> 00:00:44.399
<v Speaker 1>their heart, they're.

16
00:00:44.320 --> 00:00:46.679
<v Speaker 3>Human problems, ave for you. And yeah, so our.

17
00:00:46.520 --> 00:00:48.880
<v Speaker 1>Mission here is to really get that shift in thinking

18
00:00:49.359 --> 00:00:51.799
<v Speaker 1>security is a behavior, it's not just a skill you learn,

19
00:00:51.960 --> 00:00:54.560
<v Speaker 1>like tying your shoes. And we'll do that by looking

20
00:00:54.560 --> 00:00:57.799
<v Speaker 1>at the first three sort of foundational habits you need.

21
00:00:58.119 --> 00:01:01.000
<v Speaker 2>And to really frame why this human angle is so crucial.

22
00:01:02.159 --> 00:01:05.959
<v Speaker 2>Let's jump back in time, way back like six hundred years. Okay,

23
00:01:06.040 --> 00:01:07.879
<v Speaker 2>think about Johann Gutenberg.

24
00:01:07.439 --> 00:01:11.439
<v Speaker 1>Gutenberg printing press guy right, mid fourteen hundreds.

25
00:01:11.000 --> 00:01:11.599
<v Speaker 4>That's the one.

26
00:01:11.799 --> 00:01:13.959
<v Speaker 2>So he gets his funding, you know, from a venture

27
00:01:13.959 --> 00:01:17.040
<v Speaker 2>capitalist back then he perfects his invention, ready to go.

28
00:01:17.519 --> 00:01:20.680
<v Speaker 2>Then just two years later, boom, he's being sued by

29
00:01:20.680 --> 00:01:21.400
<v Speaker 2>his own backer.

30
00:01:21.599 --> 00:01:23.280
<v Speaker 3>Sued why what happened?

31
00:01:23.319 --> 00:01:26.319
<v Speaker 2>An insider threat, his most trusted employee a getting Peter.

32
00:01:26.760 --> 00:01:30.439
<v Speaker 1>Oh wow, so Peter was what leaking info.

33
00:01:30.439 --> 00:01:34.319
<v Speaker 2>Totally feeding financial details, trade secrets, everything back to the VC.

34
00:01:34.959 --> 00:01:40.920
<v Speaker 2>And then supposedly he even destroyed key partnership documents, sabotage man.

35
00:01:41.040 --> 00:01:45.319
<v Speaker 2>So Gutenberg ended up broke, died penniless, his world changing

36
00:01:45.359 --> 00:01:49.159
<v Speaker 2>invention basically snatched away in a hostile takeover, all because

37
00:01:49.200 --> 00:01:50.040
<v Speaker 2>of betrayed trust.

38
00:01:50.200 --> 00:01:51.799
<v Speaker 3>That's incredible, and.

39
00:01:51.719 --> 00:01:53.959
<v Speaker 2>The lesson there is just so stark, isn't it. The

40
00:01:54.040 --> 00:01:58.120
<v Speaker 2>security problems we wrestle with now, insider threats, stealing secrets,

41
00:01:58.400 --> 00:02:00.840
<v Speaker 2>they're the same human problems from six centuries ago.

42
00:02:01.000 --> 00:02:04.680
<v Speaker 1>Detect changes, the vulnerability stays the same. It's about people.

43
00:02:04.920 --> 00:02:05.280
<v Speaker 3>Okay.

44
00:02:05.359 --> 00:02:08.800
<v Speaker 1>So that brings us nicely into part one, this core

45
00:02:08.879 --> 00:02:13.599
<v Speaker 1>shift in thinking. If security is about people, what about

46
00:02:13.639 --> 00:02:18.479
<v Speaker 1>that classic model, you know, the three pillars? People process technology.

47
00:02:18.639 --> 00:02:20.879
<v Speaker 4>Right, that's what security pros often talk about.

48
00:02:20.960 --> 00:02:24.919
<v Speaker 1>But wait, if people write the processes and people build

49
00:02:24.960 --> 00:02:28.360
<v Speaker 1>and use the technology, then isn't it all people?

50
00:02:28.479 --> 00:02:28.800
<v Speaker 4>Really?

51
00:02:29.319 --> 00:02:31.879
<v Speaker 1>The Source seems to argue they're maybe the only link

52
00:02:31.919 --> 00:02:32.479
<v Speaker 1>that matters.

53
00:02:32.719 --> 00:02:35.280
<v Speaker 2>Well, the stats certainly lean that way. It's something like,

54
00:02:35.599 --> 00:02:39.159
<v Speaker 2>what ninety five percent of all incidents traced back to

55
00:02:39.199 --> 00:02:39.919
<v Speaker 2>a human element.

56
00:02:39.960 --> 00:02:41.400
<v Speaker 1>It's staggering ninety five percent.

57
00:02:41.439 --> 00:02:41.759
<v Speaker 3>Wow.

58
00:02:41.879 --> 00:02:45.360
<v Speaker 2>And yeah, traditional thinking sometimes dismisses people as the weakest link.

59
00:02:45.680 --> 00:02:47.840
<v Speaker 2>But if you look at it through this behavioral lens,

60
00:02:49.120 --> 00:02:51.879
<v Speaker 2>maybe they're the only link we can actually truly.

61
00:02:51.639 --> 00:02:54.719
<v Speaker 1>Improve, which explains why so much awareness training kind of

62
00:02:54.719 --> 00:02:58.439
<v Speaker 1>falls flat. It treats security like a skill, like learning

63
00:02:58.479 --> 00:03:00.280
<v Speaker 1>a Gulf swing. You can read all the tips, keep

64
00:03:00.280 --> 00:03:02.919
<v Speaker 1>your head down, follow through, but just knowing it doesn't

65
00:03:02.919 --> 00:03:04.120
<v Speaker 1>mean you can do it under pressure.

66
00:03:04.280 --> 00:03:06.159
<v Speaker 4>That's a great analogy. The source had one too, about

67
00:03:06.159 --> 00:03:06.520
<v Speaker 4>a manager.

68
00:03:06.520 --> 00:03:08.479
<v Speaker 1>Oh yeah, the filing cabinet one exactly.

69
00:03:09.039 --> 00:03:11.680
<v Speaker 2>You ask them about security, says oh yeah, physical files

70
00:03:11.719 --> 00:03:14.280
<v Speaker 2>always locked, right, But then you look and the key

71
00:03:14.319 --> 00:03:16.439
<v Speaker 2>is just dangling there in the lock.

72
00:03:16.719 --> 00:03:19.360
<v Speaker 1>He knows the skill lock the cabinet, but the actual

73
00:03:19.400 --> 00:03:23.400
<v Speaker 1>behavior taking the key out, making it routine that's missing.

74
00:03:23.520 --> 00:03:26.680
<v Speaker 2>So the answer has to be habit. We need less

75
00:03:26.719 --> 00:03:34.199
<v Speaker 2>code debugging maybe, and more insights from neuroscientists psychologists.

76
00:03:33.479 --> 00:03:36.319
<v Speaker 1>Because security is a behavior. It's not just something you know.

77
00:03:36.400 --> 00:03:39.080
<v Speaker 1>It's something you do consistently.

78
00:03:38.479 --> 00:03:41.360
<v Speaker 2>And you can't just force behavior change overnight. Mark Twain

79
00:03:41.400 --> 00:03:43.240
<v Speaker 2>had that great line, right, Yeah, you can't just toss

80
00:03:43.240 --> 00:03:44.159
<v Speaker 2>habits out the window.

81
00:03:44.280 --> 00:03:46.240
<v Speaker 1>You have to coax them down the stairs, one step

82
00:03:46.240 --> 00:03:47.400
<v Speaker 1>at a time exactly.

83
00:03:47.840 --> 00:03:52.400
<v Speaker 2>So getting better security means using these frameworks for changing behavior,

84
00:03:53.199 --> 00:03:55.879
<v Speaker 2>like these nine cybersecurity habits we're starting to unpack.

85
00:03:55.960 --> 00:04:00.319
<v Speaker 1>Okay, let's get into habit one. Literacy, building that foundation

86
00:04:00.439 --> 00:04:02.240
<v Speaker 1>of knowledge. I remember earlier in my career, we were

87
00:04:02.240 --> 00:04:05.800
<v Speaker 1>always playing whack a mole. You know, ransomware pops up,

88
00:04:05.919 --> 00:04:07.520
<v Speaker 1>Quick train everyone on ransomware.

89
00:04:07.680 --> 00:04:09.080
<v Speaker 4>Right, then fishing gets bad.

90
00:04:09.240 --> 00:04:12.520
<v Speaker 1>So focus on phishing emails. We were just constantly giving

91
00:04:12.599 --> 00:04:14.479
<v Speaker 1>people fish, not teaching them how to fish.

92
00:04:14.520 --> 00:04:17.120
<v Speaker 2>And that's where making it practical comes in. The Girl

93
00:04:17.160 --> 00:04:18.879
<v Speaker 2>Scouts approach is brilliant here.

94
00:04:19.000 --> 00:04:21.399
<v Speaker 3>Oh the merit badges, Yeah, tell us about that.

95
00:04:21.720 --> 00:04:25.519
<v Speaker 2>They use agile methods, basically breaking down really complex stuff

96
00:04:25.639 --> 00:04:30.040
<v Speaker 2>into tiny, doable relevant pieces.

97
00:04:29.959 --> 00:04:32.319
<v Speaker 1>Like teaching kindergartener's binary code.

98
00:04:32.319 --> 00:04:33.360
<v Speaker 3>How do you even do that?

99
00:04:33.560 --> 00:04:36.639
<v Speaker 2>Instead of ones and zeros, which is abstract, they use

100
00:04:36.680 --> 00:04:40.000
<v Speaker 2>blue and yellow beads on a bracelet. Suddenly it's tangible.

101
00:04:40.040 --> 00:04:40.519
<v Speaker 2>They get it.

102
00:04:40.519 --> 00:04:41.000
<v Speaker 3>That's clever.

103
00:04:41.160 --> 00:04:45.800
<v Speaker 2>And for slightly older kids, brownies, they teach networking by

104
00:04:45.800 --> 00:04:47.519
<v Speaker 2>passing a ball of yarn around a circle.

105
00:04:47.720 --> 00:04:48.160
<v Speaker 3>Ah.

106
00:04:48.160 --> 00:04:50.480
<v Speaker 1>So it shows the connections visually exactly.

107
00:04:50.240 --> 00:04:53.480
<v Speaker 2>And it shows how easily something malicious like malware could

108
00:04:53.480 --> 00:04:56.480
<v Speaker 2>travel along those connections. Simple, practical, relevant.

109
00:04:56.720 --> 00:05:00.759
<v Speaker 1>So literacy isn't just facts. It's two things. First, know thyself,

110
00:05:00.800 --> 00:05:03.120
<v Speaker 1>what are your critical assets, your crown jewels?

111
00:05:03.199 --> 00:05:04.839
<v Speaker 4>Right, what do you actually need to protect?

112
00:05:04.879 --> 00:05:08.199
<v Speaker 1>And second, know thy enemy and for that you need

113
00:05:08.199 --> 00:05:10.279
<v Speaker 1>a framework like the cyber kill chain.

114
00:05:10.480 --> 00:05:15.839
<v Speaker 2>Yeah, those seven steps attackers often follow reconnaissance, weaponization, delivery.

115
00:05:15.920 --> 00:05:18.279
<v Speaker 1>You don't need to memorize every single step.

116
00:05:18.040 --> 00:05:20.720
<v Speaker 2>Name, No, not at all. The key is understanding. They

117
00:05:20.720 --> 00:05:22.319
<v Speaker 2>have a process, a map.

118
00:05:22.120 --> 00:05:24.319
<v Speaker 1>They need to follow, and if you know their map.

119
00:05:24.240 --> 00:05:26.040
<v Speaker 2>You just need to break the chain at one point,

120
00:05:26.639 --> 00:05:30.800
<v Speaker 2>block the reconnaissance maybe or stop the delivery. One break

121
00:05:31.079 --> 00:05:31.959
<v Speaker 2>and the attack.

122
00:05:31.720 --> 00:05:34.519
<v Speaker 1>Fails, you win, which brings up a really interesting point

123
00:05:34.600 --> 00:05:35.480
<v Speaker 1>in cybersecurity.

124
00:05:35.560 --> 00:05:36.160
<v Speaker 3>Things change.

125
00:05:36.240 --> 00:05:40.040
<v Speaker 1>So fast attacks of all of daily So how useful

126
00:05:40.079 --> 00:05:41.360
<v Speaker 1>is memorizing facts?

127
00:05:41.519 --> 00:05:41.839
<v Speaker 3>Really?

128
00:05:42.079 --> 00:05:45.000
<v Speaker 2>Not very in the long run, it's about tactical literacy.

129
00:05:45.199 --> 00:05:46.600
<v Speaker 2>Think about a manual Lascar.

130
00:05:46.720 --> 00:05:49.759
<v Speaker 1>The chess champ held the title for what twenty seven years?

131
00:05:49.839 --> 00:05:55.120
<v Speaker 2>Yeah, and he famously spent decades deliberately forgetting information.

132
00:05:54.879 --> 00:05:56.480
<v Speaker 1>Forgetting what he believed.

133
00:05:56.680 --> 00:05:59.319
<v Speaker 2>Having a small amount of well organized knowledge plus the

134
00:05:59.360 --> 00:06:02.279
<v Speaker 2>ability to figure things out was way more powerful than

135
00:06:02.439 --> 00:06:04.360
<v Speaker 2>just memorizing old games or openings.

136
00:06:04.480 --> 00:06:07.519
<v Speaker 1>So it's not about having all the answers memorized.

137
00:06:07.079 --> 00:06:09.240
<v Speaker 2>It's about having the framework to find the answers you

138
00:06:09.279 --> 00:06:13.120
<v Speaker 2>need when you need them, like the Socratic method, always questioning,

139
00:06:13.319 --> 00:06:14.800
<v Speaker 2>always learning what's relevant now.

140
00:06:15.000 --> 00:06:18.000
<v Speaker 1>But there's a barrier here, isn't there this cursive knowledge thing?

141
00:06:18.079 --> 00:06:18.879
<v Speaker 4>Ah? Yes?

142
00:06:19.040 --> 00:06:22.600
<v Speaker 2>The Stanford research experts just they assume everyone knows what

143
00:06:22.639 --> 00:06:22.879
<v Speaker 2>they know.

144
00:06:23.120 --> 00:06:25.240
<v Speaker 3>They overestimate the baseline.

145
00:06:24.759 --> 00:06:30.639
<v Speaker 2>Knowledge massively, and that makes communication incredibly hard. How do

146
00:06:30.680 --> 00:06:33.680
<v Speaker 2>you find common ground when you can't even agree on

147
00:06:33.720 --> 00:06:36.959
<v Speaker 2>the starting point. It's a huge hurdle insecurity awareness.

148
00:06:37.319 --> 00:06:40.199
<v Speaker 1>So if just knowing facts is hard to apply and

149
00:06:40.240 --> 00:06:45.079
<v Speaker 1>even harder to communicate, maybe the answer isn't more knowledge,

150
00:06:45.319 --> 00:06:47.560
<v Speaker 1>but questioning the systems we rely on.

151
00:06:47.959 --> 00:06:51.079
<v Speaker 2>That's perfect lead in to habit too skepticism.

152
00:06:51.240 --> 00:06:54.319
<v Speaker 1>Right, we're talking about trust here, or rather not trusting.

153
00:06:54.600 --> 00:06:56.399
<v Speaker 1>The zero trust idea.

154
00:06:56.240 --> 00:06:59.560
<v Speaker 2>Yeah, pioneered by John Kinderveg. He looked at the old model,

155
00:06:59.759 --> 00:07:02.879
<v Speaker 2>you know, strong walls, but once you're inside, everything's trusted.

156
00:07:03.000 --> 00:07:04.639
<v Speaker 3>Castle and mote approach.

157
00:07:04.439 --> 00:07:08.480
<v Speaker 2>Exactly, and he said that's broken because once the bad

158
00:07:08.519 --> 00:07:09.480
<v Speaker 2>guys get inside, that.

159
00:07:09.439 --> 00:07:10.800
<v Speaker 1>Parameter chicken roam free.

160
00:07:10.879 --> 00:07:11.079
<v Speaker 4>Right.

161
00:07:11.360 --> 00:07:14.079
<v Speaker 2>His big insight was that trust itself is the vulnerability.

162
00:07:14.120 --> 00:07:17.040
<v Speaker 2>We shouldn't inherently trust something just because it's inside.

163
00:07:17.120 --> 00:07:19.279
<v Speaker 1>He had that great line, didn't he People aren't on

164
00:07:19.319 --> 00:07:21.279
<v Speaker 1>the network, packets are yes.

165
00:07:22.120 --> 00:07:23.920
<v Speaker 2>Don't trust based on location.

166
00:07:24.519 --> 00:07:25.120
<v Speaker 4>He argued.

167
00:07:25.160 --> 00:07:29.959
<v Speaker 2>Firewalls should basically ship with everything blocked, all ports labeled

168
00:07:30.360 --> 00:07:31.879
<v Speaker 2>untrust by default.

169
00:07:31.959 --> 00:07:32.959
<v Speaker 3>That's a total flip.

170
00:07:33.000 --> 00:07:35.839
<v Speaker 1>It reminds me of that Reagan quote, the Russian.

171
00:07:35.480 --> 00:07:37.319
<v Speaker 4>Proverb trust but verify.

172
00:07:37.560 --> 00:07:41.120
<v Speaker 1>Yeah, Kindervag said, that's basically admitting you shouldn't have trusted

173
00:07:41.120 --> 00:07:41.800
<v Speaker 1>in the first place.

174
00:07:41.839 --> 00:07:44.000
<v Speaker 2>If you have to verify, it kind of undermines the

175
00:07:44.040 --> 00:07:45.279
<v Speaker 2>trust part, doesn't it.

176
00:07:45.279 --> 00:07:50.160
<v Speaker 1>It does, But okay, here's a tricky part. Psychologically we

177
00:07:50.279 --> 00:07:53.839
<v Speaker 1>hear all the time in security maybe unofficially that people

178
00:07:53.879 --> 00:07:57.079
<v Speaker 1>are the weakest link. That sounds pretty cynical.

179
00:07:56.800 --> 00:07:59.399
<v Speaker 2>It does, and it clashes with things like the Pygmalion

180
00:07:59.439 --> 00:08:01.199
<v Speaker 2>effect from psychology, where.

181
00:08:01.079 --> 00:08:03.639
<v Speaker 1>High expectations actually lead to better performance.

182
00:08:03.720 --> 00:08:06.519
<v Speaker 2>Exactly if you constantly tell people they're the weakest link, mm,

183
00:08:06.720 --> 00:08:09.879
<v Speaker 2>maybe they'll live down to that expectation. To actually improve

184
00:08:09.920 --> 00:08:13.040
<v Speaker 2>security behavior, you have to believe change is possible. You

185
00:08:13.079 --> 00:08:14.800
<v Speaker 2>can't be purely cynical.

186
00:08:14.959 --> 00:08:18.000
<v Speaker 1>So how do you square that? Be super skeptical of

187
00:08:18.079 --> 00:08:20.120
<v Speaker 1>systems but optimistic about people.

188
00:08:20.160 --> 00:08:23.120
<v Speaker 2>That feels like a contradiction, It sounds like one, but

189
00:08:23.199 --> 00:08:26.360
<v Speaker 2>the source calls that sweet spot good judgment. It's holding

190
00:08:26.399 --> 00:08:29.360
<v Speaker 2>both ideas at once. High trust in the potential of

191
00:08:29.399 --> 00:08:33.159
<v Speaker 2>people your colleagues can learn and adopt better habits, but

192
00:08:33.320 --> 00:08:38.879
<v Speaker 2>high skepticism for everything digital, the packets, the emails, the requests,

193
00:08:39.200 --> 00:08:42.879
<v Speaker 2>because trusting those blindly is the vulnerability.

194
00:08:43.000 --> 00:08:48.039
<v Speaker 1>So skepticism in practice means what slowing down?

195
00:08:48.240 --> 00:08:51.720
<v Speaker 2>Slowing down? Yeah, calculating the risk, like a little mental

196
00:08:51.759 --> 00:08:55.159
<v Speaker 2>cost or tax before you click or approve or connect.

197
00:08:55.360 --> 00:08:57.159
<v Speaker 1>And we see the need for this even outside of

198
00:08:57.200 --> 00:09:00.480
<v Speaker 1>pure cybersecurity, right like dealing with salespeace, Oh.

199
00:09:00.320 --> 00:09:04.200
<v Speaker 2>Absolutely, sales tactics often mirror social engineering. They have those

200
00:09:04.240 --> 00:09:06.399
<v Speaker 2>probing reconnaissance questions.

201
00:09:06.039 --> 00:09:08.679
<v Speaker 1>So what kind of firewalls are you running currently exactly?

202
00:09:08.960 --> 00:09:11.480
<v Speaker 2>Or they name drop other clients to build authority, just

203
00:09:11.519 --> 00:09:14.200
<v Speaker 2>like Fisher might pretend to be from Microsoft.

204
00:09:13.679 --> 00:09:16.440
<v Speaker 1>Or your bank, or the calendar invite trick. That one's sneaky.

205
00:09:16.759 --> 00:09:19.399
<v Speaker 1>Explain that vendor sends you a meeting invite, but they

206
00:09:19.480 --> 00:09:23.080
<v Speaker 1>see see like five of your colleagues. So you see it,

207
00:09:23.159 --> 00:09:25.399
<v Speaker 1>you see your team is on it, and you just accept.

208
00:09:25.480 --> 00:09:29.360
<v Speaker 1>You assume someone else okayate it or requested it, exploiting.

209
00:09:28.799 --> 00:09:31.559
<v Speaker 2>That natural tendency to trust when others are involved. It

210
00:09:31.639 --> 00:09:33.080
<v Speaker 2>bypasses your own skepticism.

211
00:09:33.159 --> 00:09:36.320
<v Speaker 1>Check gets their foot in the digital door without really asking.

212
00:09:36.559 --> 00:09:40.000
<v Speaker 2>Yeah, and those kinds of tactics should set off alarm bells.

213
00:09:40.440 --> 00:09:44.879
<v Speaker 2>Slow down, be skeptical, verify whether it's a salesperson or

214
00:09:44.879 --> 00:09:45.799
<v Speaker 2>a potential.

215
00:09:45.480 --> 00:09:48.039
<v Speaker 3>Fisher, which leads us right into habit three.

216
00:09:48.519 --> 00:09:49.960
<v Speaker 2>Vigilance staying alert.

217
00:09:50.200 --> 00:09:54.519
<v Speaker 1>The source frames this like the where's Waldo challenge? Finding

218
00:09:54.519 --> 00:09:57.320
<v Speaker 1>that one specific thing in a sea of distractions.

219
00:09:57.399 --> 00:10:00.639
<v Speaker 2>Right, vigilance is impassive. It takes effort, it's a state

220
00:10:00.679 --> 00:10:02.440
<v Speaker 2>of mind, really, and it.

221
00:10:02.440 --> 00:10:03.360
<v Speaker 4>Involves two steps.

222
00:10:03.480 --> 00:10:04.159
<v Speaker 3>Okay, what are they?

223
00:10:04.320 --> 00:10:07.440
<v Speaker 2>First, you have to filter, cut out the noise, silence,

224
00:10:07.440 --> 00:10:10.720
<v Speaker 2>the constant pings and notifications, at least temporarily.

225
00:10:10.200 --> 00:10:11.320
<v Speaker 1>Get rid of the distractions.

226
00:10:11.360 --> 00:10:11.840
<v Speaker 3>Makes sense.

227
00:10:12.000 --> 00:10:15.879
<v Speaker 2>Second, you have to actively scan. You're not just daring blankly.

228
00:10:15.919 --> 00:10:20.720
<v Speaker 2>You're looking for something specific, red flags, anomalies, waldo.

229
00:10:21.039 --> 00:10:24.440
<v Speaker 1>People have actually studied finding WALDO like mathematically.

230
00:10:24.480 --> 00:10:27.799
<v Speaker 2>Apparently so, a programmer named Randy Olsen found the optimal

231
00:10:27.799 --> 00:10:31.320
<v Speaker 2>search path start bottom left, move up diagonally like an

232
00:10:31.320 --> 00:10:33.120
<v Speaker 2>inverted big dipper roughly.

233
00:10:32.919 --> 00:10:35.639
<v Speaker 1>Ah, The point being, it's not random staring, it's a

234
00:10:35.679 --> 00:10:36.679
<v Speaker 1>structured scan.

235
00:10:36.879 --> 00:10:38.519
<v Speaker 2>It's applying an intentional method.

236
00:10:38.799 --> 00:10:42.080
<v Speaker 1>Okay, so how do we apply that intentionality in our

237
00:10:42.159 --> 00:10:45.919
<v Speaker 1>daily work? We need practical ways to boost vigilance when

238
00:10:45.960 --> 00:10:49.759
<v Speaker 1>we need it. The source mentioned slow down and frown.

239
00:10:50.240 --> 00:10:53.000
<v Speaker 2>Yeah it sounds a bit funny, but there's neuroscience behind it.

240
00:10:53.080 --> 00:10:55.080
<v Speaker 1>Really, how does frowning help?

241
00:10:55.200 --> 00:10:59.639
<v Speaker 2>Well, think about smiling. It releases endorphins, makes you feel relaxed,

242
00:11:00.960 --> 00:11:02.639
<v Speaker 2>which actually lowers vigilance.

243
00:11:02.960 --> 00:11:03.240
<v Speaker 3>Okay.

244
00:11:03.840 --> 00:11:07.120
<v Speaker 2>Frowning conversely, is thought to send a little signal to

245
00:11:07.159 --> 00:11:11.559
<v Speaker 2>your amygdala, the brain's thread detection center. It basically says hmm,

246
00:11:11.799 --> 00:11:15.440
<v Speaker 2>environment might be unsafe and that naturally ramps up your alertness,

247
00:11:15.519 --> 00:11:16.200
<v Speaker 2>your vigilance.

248
00:11:16.320 --> 00:11:19.480
<v Speaker 1>So the advice is literally, if you're reading through emails,

249
00:11:19.799 --> 00:11:21.120
<v Speaker 1>maybe try frowning or at.

250
00:11:21.120 --> 00:11:24.159
<v Speaker 2>Least separate the reading an analysis part from the responding part.

251
00:11:24.519 --> 00:11:28.480
<v Speaker 2>Read with a skeptical, maybe even slightly frowning focus. Then

252
00:11:28.519 --> 00:11:31.399
<v Speaker 2>maybe relax and smile when you craft the reply. That

253
00:11:31.399 --> 00:11:33.440
<v Speaker 2>physical act might shift your mental state.

254
00:11:33.919 --> 00:11:37.159
<v Speaker 1>Interesting, But what about things that just drain our vigilance

255
00:11:37.200 --> 00:11:39.639
<v Speaker 1>in no matter our facial expression, like time of day.

256
00:11:39.840 --> 00:11:40.120
<v Speaker 4>Ah.

257
00:11:40.200 --> 00:11:44.480
<v Speaker 2>Yes, timing is huge. Daniel Pink's research on chronotypes.

258
00:11:43.919 --> 00:11:44.440
<v Speaker 4>Is key here.

259
00:11:44.720 --> 00:11:46.919
<v Speaker 3>Our brains aren't consistent throughout the day.

260
00:11:47.080 --> 00:11:50.399
<v Speaker 2>Not at all for most people. Analytical skills, the kind

261
00:11:50.399 --> 00:11:52.080
<v Speaker 2>you need for vigilance peak in.

262
00:11:52.039 --> 00:11:54.639
<v Speaker 1>The morning, and the source had some stark data on

263
00:11:54.679 --> 00:11:56.360
<v Speaker 1>this from phishing tests.

264
00:11:56.399 --> 00:12:00.480
<v Speaker 2>Extremely stark. Employees were eight times more likely to click

265
00:12:00.480 --> 00:12:03.399
<v Speaker 2>a bad link late in the afternoon compared to the morning.

266
00:12:03.200 --> 00:12:06.200
<v Speaker 1>Eight times when exactly was the danger zone.

267
00:12:06.320 --> 00:12:10.200
<v Speaker 2>The clicks spiked significantly between three wards zero pm and

268
00:12:10.279 --> 00:12:14.039
<v Speaker 2>five points zero pm. That afternoon slump is a real

269
00:12:14.120 --> 00:12:15.200
<v Speaker 2>vulnerability window.

270
00:12:15.360 --> 00:12:19.559
<v Speaker 1>Okay, that's incredibly actionable. Knowing that you can plan your.

271
00:12:19.519 --> 00:12:23.399
<v Speaker 2>Day right, do the task that need high alertness, scrutinizing

272
00:12:23.399 --> 00:12:26.600
<v Speaker 2>weird emails, checking financial reports in the morning when you're.

273
00:12:26.519 --> 00:12:29.679
<v Speaker 1>Sharpest, and save the more routine, less critical stuff for

274
00:12:29.720 --> 00:12:31.200
<v Speaker 1>that afternoon danger zone.

275
00:12:31.240 --> 00:12:32.960
<v Speaker 2>Exactly, manage your energy and attention.

276
00:12:33.440 --> 00:12:35.600
<v Speaker 1>So, wrapping this up, what's the big picture for you,

277
00:12:35.679 --> 00:12:39.200
<v Speaker 1>the listener, We've hit three key habits literacy, having the

278
00:12:39.240 --> 00:12:45.120
<v Speaker 1>right framework, skepticism, questioning trust itself, and vigilance managing your

279
00:12:45.120 --> 00:12:45.919
<v Speaker 1>focus in timing.

280
00:12:46.080 --> 00:12:49.279
<v Speaker 2>And the common thread is it's all about behavior changing

281
00:12:49.320 --> 00:12:52.080
<v Speaker 2>how we act, not just buying another security tool.

282
00:12:52.240 --> 00:12:54.279
<v Speaker 1>Definitely, And the final thought we wanted to leave you

283
00:12:54.360 --> 00:12:58.320
<v Speaker 1>with it connects back to vigilance. How hard is it

284
00:12:58.360 --> 00:13:01.960
<v Speaker 1>to stay vigilant against an enemy you can't see a nameless,

285
00:13:02.000 --> 00:13:02.960
<v Speaker 1>faceless threat.

286
00:13:03.200 --> 00:13:06.960
<v Speaker 2>It's really difficult psychologically, which is why there was value

287
00:13:07.240 --> 00:13:10.360
<v Speaker 2>historically in giving enemies a face a name.

288
00:13:10.320 --> 00:13:13.279
<v Speaker 1>Like in security operations centers when I started naming threats

289
00:13:13.360 --> 00:13:16.000
<v Speaker 1>heart bleed, fancy bear, want to cry Exactly.

290
00:13:16.360 --> 00:13:19.000
<v Speaker 2>It wasn't just for cool names. It gave the team

291
00:13:19.200 --> 00:13:21.000
<v Speaker 2>something concrete to rally against.

292
00:13:21.000 --> 00:13:22.600
<v Speaker 4>It boosted engagement.

293
00:13:22.480 --> 00:13:25.720
<v Speaker 1>And in one case mentioned it actually helped triple the

294
00:13:25.759 --> 00:13:29.759
<v Speaker 1>security budget because leadership finally saw the enemy they were fighting.

295
00:13:30.080 --> 00:13:31.000
<v Speaker 4>It made the threat real.

296
00:13:31.120 --> 00:13:37.159
<v Speaker 1>So getting these habits right, literacy, skepticism, vigilance, it's foundational.

297
00:13:37.639 --> 00:13:40.039
<v Speaker 1>Maslow puts safety and security right near the base of

298
00:13:40.039 --> 00:13:43.679
<v Speaker 1>his hierarchy, didn't he It's essential for reaching your potential.

299
00:13:43.360 --> 00:13:46.399
<v Speaker 2>Absolutely, So the challenge is to start noticing your own habits.

300
00:13:46.440 --> 00:13:49.240
<v Speaker 2>Apply these frameworks, and the sources suggest, you know, maybe

301
00:13:49.240 --> 00:13:50.879
<v Speaker 2>find a coach or a mentor if you need help.

302
00:13:51.200 --> 00:13:54.840
<v Speaker 2>Making security a collective behavioral effort, that's how we really

303
00:13:54.879 --> 00:13:55.519
<v Speaker 2>move the needle.