Welcome to this new episode of Techzine Talks on Tour. My name is Sander and I'm at the RSA Conference in San Francisco, and I'm here with Stu Sjouwerman, founder and CEO of KnowBe4. That is correct. Yes, welcome to the show. Glad to be here.
So yeah, KnowBe4, you're a bit different from many of the other vendors at RSA, right, because it's usually about technology, the new XDRs, the new MDRs, all that stuff, sure, but for KnowBe4, you're in a different space.
We like to call it the human risk management space, simply because you do have the tools, XDR, SIEM, et cetera, et cetera, but you also need to create a strong security culture, and that's your humans, and so you need to train them.
They need to understand what risky behavior is, and that's why, 13 years ago, I started KnowBe4 to handle that side of the InfoSec risk management.
So how would you rate the awareness of security awareness training in the market?
It has been a little slow in the first few years, but afterward it's gone skyrocketing. We have 70,000 customers globally. We're training 60 million people. Here's a fun little stat: walk on the street in any city in the United States, we train one in ten people.
Okay, that's a nice statistic.
Yeah, that's a fun little stat.
So next time we go out in the US, you will probably see someone that's being trained by KnowBe4.
You will. Now we need to get the other nine.
Yeah. So the current state of affairs when it comes to, sometimes also called HDR, just as sort of a nice play on MDR and XDR, obviously. So the current state of affairs is quite... Is it good? Would you rate it as security awareness training is getting enough attention? I mean, it could always be better, obviously, but what's your assessment by now?
Yes, if you look at the 2024 Verizon Data Breach Investigations Report, it is still a super high percentage of data breaches caused by human error, and so you do need to address that specific problem, and the KnowBe4 platform is specifically built for that. It's easy to use. We're expanding.
The big news at the show is that we are acquiring a British email security company called Egress. Is that because email is still the most important attack vector? People interact with email, obviously.
Yeah, email is still the number one attack vector that bad actors use to get into the account. The email makes it through the secure email gateway. It makes it through the standard spam filter. It winds up in the inbox. It's very sophisticated, so Egress can grab that last bit there that everyone else misses.
Yeah, but it's not too big of a digression for KnowBe4 to go into the, I would almost say, proper security space. But that's not the right word.
But you know what I mean. Right, I know exactly what you mean. No, it is actually the best of both worlds. We're better together. We've been integrating for the last 12 months, and so it's a two-way street for data. And the more data that you have, the more you can see what that end user actually gets in their inbox, the better.
You can train them for it, so it works great.
Yeah, and when you look at the rest of the stack, of the security stack, how does KnowBe4, or maybe more broadly, security awareness training, how does that integrate into that world? Because it sits on top of basically everything, right? Yeah?
Well, apart from security training and phishing testing, we have a product that is called Security Coach. And what happens with Security Coach is we interface with all the existing products in the security stack. They all have a cloud interface, they all have cloud APIs.
So we ingest their alerts, we figure out which ones are user generated and which ones are indicating risky user behavior, and so we can, for instance, we integrate with CrowdStrike, so CrowdStrike throws an alert. We see it. We send a little security tip to that user with, hey, you just went to risky website so and so. And that's how we integrate.
So then you're actually getting closer to the resolution point, right, because if you're only focusing on training, then obviously that's very important, but you also want to be able to act as soon as something happens. Yes, which we now can't. Yeah, yeah. Well, I, that's a, that's an interesting, uh, extra, I mean extra feature.
Extra feature, feature, right.
Yep, but how do you measure whether security awareness training and everything that you do, so the human element, whether you've been successful in actually achieving the goals that you set out? Because that can be quite difficult to measure.
Very good question.
The only way to do that is if you have a baseline with the existing, call it, risk score, and so we have a huge amount of metrics that we know per user, and then, once you have a baseline for that user and you know the click percentage over time, you can then actually see that after 90 days the click rate goes down by half, and in 12 months it goes down over 80%. And so there's just hard numbers.
And does it stay down?
It stays down.
Even if the attacks differ, people get smarter in general.
Well, yes, that is all predicated on one very important thing: you do need to send these people one phishing test a month and you need to give them a two, three minute little training module to keep them on their toes, with security top of mind.
Yeah, if you do that, yes. Okay, and obviously you don't want to annoy them too much. No, because it should be sort of... Can it be fun to do?
It can, and if you do it right, it is, because you make it a game. You make it a contest. We have gamified leaderboards. You can play the game with the people in your department.
You can do some extra training and get a higher score. If you present it as, hey, this is a game we play to keep our organization safe and, oh, by the way, you will also learn how to stay safe at home, then you get people's buy-in and there's no problem whatsoever.
And how do you, I think, especially when you look at the email security, I get that, right. So that's very tangible, and that's something that is very risky. So, when you go for a risk-based approach, which is what a lot of companies do nowadays, sure, when you go for a risk-based approach, how do you determine what's risky?
I mean, obviously, email is one, but then you have a lot of other stuff that you need to take care of and you're not able to actually do everything in terms of training as well, I would imagine, right?
There are many different types of risk, you're right. One example is you find a USB stick in the parking lot with layoff plans this quarter. Yeah, and you know that is obviously left by a bad actor. Plugging that in your machine is tantamount to inviting disaster.
Yeah, so we do train about a whole bunch of different risky behaviors.
Yeah.
But if you can also see it when it happens and the endpoint protection throws an alert, then you can do this in real time, and that truly works.
Does it differ per sector or per vertical what you should prioritize more over other stuff?
Well, sure, different verticals have different rules. The most extreme example that I ran into is that banks, they said if you haven't finished your security awareness training by Friday, end of business, don't bother to show up on Monday because you're fired.
Now, that is a little extreme. That is a little extreme, but there are highly regulated industries where this type of training is mandatory.
It's a compliance issue and you just have to do it. But then also those industries have different prioritization lists in terms of what they deem most risky.
Yes.
Yeah, okay. So because that's obviously, organizations need to determine for themselves what they give in terms of risk scores to different kinds of vulnerabilities, right?
Totally, and that's why we have something called Smart Groups. You can identify groups in your organization as higher risk and lower risk.
You can put those into a Smart Group and then with the Smart Group you can say, okay, for these folks they need individual training on, and you specify topics, okay, and then AI is rolling out exactly the training for that particular person. Yeah, yeah. It's funny you should mention AI.
Obviously we need to talk about that as well, because that's a big thing, not only on the defense side, but also on the attack side. Right? How do you prepare your people for AI-based attacks?
By showing them how AI-based attacks look. You do example deepfakes. You show them example voice, which is cloned and stolen.
You make them aware of the fact that it is more important today than ever that, especially when it gets urgent and they are made or asked to do something, there is an action that they need to slow down and think twice. Yeah. And go into, let's make sure this is not a scam.
Yeah, but, but I would, especially the deepfakes are extremely difficult to recognize sometimes, right?
And more so by the month.
Yeah, and now they used to only be audio. Now video is getting more popular and better as well.
Yeah. Ever better. It's very... It's getting very scary, yeah.
Well, that's not a very hopeful message for the listeners. No, no. Is it even possible to have a human determine, based on training, whether something is a deepfake or not?
Well, the human needs to keep in mind a few ground rules that never change regarding social engineering, whether it is text or email or Slack or Teams or deepfakes, wherever they come from, which is: is somebody trying to manipulate me? Is there some sense of urgency? Are there things that they want me to do that could be risky?
If you keep those ground rules in mind and stay cool, calm, collected, then whatever type of social engineering attack comes your way, you will still be able to say, hold on a minute.
But that's common sense, yes.
And that's what we're training people in, yeah, common sense, whereas it might be, um, they have a recording of your daughter, yeah, um, and a scary person calls you up and says, we have your daughter, I need $20,000. That's the time when people need to be understanding: oh okay, well listen, I'm hanging up.
I'm going to call my daughter on her phone. Maybe also, especially when this gets very widespread, you have to determine some sort of a safe word or something.
Absolutely, that could work. Yes, a safe word that you have with your family is a super good idea. Yeah, okay. Yes, I just thought that up here. So that's a yes, this is okay. Starts to become a very popular thing.
Yeah, well, and I think it makes perfect sense. Yeah, and what about your side of the argument? Do you foresee integrations with deepfake kind of solutions, like you do with email security, for example, or with CrowdStrike, but maybe specifically with deepfake kind of, because that's not a very big area yet.
But the winner of the Innovation Sandbox this week at RSA Conference is a deepfake detection kind of engine. Right. Is that something that you see as a potential interesting integration for you as well?
Yeah, absolutely. Deepfakes are obviously a technology attack. You can use technology to protect against those attacks as well. It is still relatively easy to get around the watermarks, but it's day one of AI, so we will get there.
You don't really know what everything is going to look like in 4 years' time anyway, right?
No.
So what do you prepare yourself for or against?
This is hard, yeah, it's very hard to determine. You have to play it by quarter.
Yeah. That's as far as you can see. The old saying that for American companies the future is in 90 days, but that used to be the saying for financial stuff, but it's, it is.
It is wild to see how fast AI is developing. The new frontier models coming out are the fastest technological development I've ever seen, and I've been in this business for 40 years.
Are you, in general, are you optimistic about the future of cybersecurity in general, with everything that's coming our way?
It is a chess game. Unfortunately, the bad actors have white, so they always have the advantage. But if you're smart enough and you can plan some of that future and you build a really strong security stack on the technical side, combined with a really strong security culture, you have a pretty good chance of keeping the bad guys out.
And there will always be the outlier cases. I mean, I've heard people say, people that actually know very well what it's like to be phished and you know all that stuff, but then after they just called their bank, they actually did get an email from that bank, just so accidentally in terms of timing.
Yes, those things, I mean, you cannot protect yourself against those things. In general, it's very hard to do, at least very hard to do. It's never perfect.
Yeah.
But if you can, you know, take 90% of the risk down, you are already way ahead of the game.
Yeah, okay, I think that's a nice thought to...
That's a wrap.
Yeah, to close it off.
Yes, I think we're almost out of time anyway. Yeah, my PR gal over here said it's time.
People are getting upset and anxious, yes, so thank you very much for your conversation. Absolutely, Sander, nice to do, my pleasure, and, well, I hope to talk to you again sometime. Absolutely.