Cloud Security Today

Rethinking security awareness

Matthew Chiodi Season 5 Episode 2


In this conversation, Lance Spitzner shares his unique journey from a military tank officer to a pioneer in cybersecurity, detailing the evolution of his career and the inception of the Honeynet Project. He emphasizes the importance of understanding the human element in security, advocating for a shift from mere security awareness to fostering a robust security culture within organizations. Spitzner discusses practical steps for security teams to enhance their approach, including leveraging AI to improve communication and engagement. He concludes by reflecting on the impact of his work and the growing recognition of the human side of cybersecurity.

Takeaways

  • The Honeynet Project was born from a need for cyber threat intelligence.
  • Security culture is broader than security awareness; it encompasses attitudes and beliefs.
  • Changing the environment is key to changing organizational culture.
  • AI can be leveraged to enhance communication and simplify security policies.
  • Positive interactions with security teams build a stronger security culture.

Chapters
00:00 From Military to Cybersecurity Pioneer
03:04 The Birth of the Honeynet Project
05:59 Understanding the Human Element in Security
09:13 Security Culture vs. Security Awareness
11:51 Changing Organizational Culture for Security
14:46 Practical Steps for Security Teams
17:55 Leveraging AI in Security Culture
21:11 Measuring Success in Cybersecurity Training



Matt (00:00.632)
Lance, welcome to the show.

Lance Spitzner (00:02.924)
Hey Matt, thanks so much.

Matt (00:05.03)
This is going to be fun. So I figured let's just, let's just jump right in. You've, you've had a fascinating career, from serving in the Army's Rapid Deployment Force to founding the Honeynet Project to the work you've done at SANS. How did, how did you transition from being a tank platoon leader to becoming what I consider to be a pioneer in cybersecurity?

Lance Spitzner (00:29.528)
Sure, and in many ways, the career or the steps I took replicate so many others. So many people in this field, which I think is a wonderful thing, don't have what you would consider a traditional background, like something like computer science. And mine definitely is not traditional. So I started in college as a history major because I was very interested in and thought I'd be making a career in the military.

So technology was nowhere on my radar. So I served four years as a tank officer in the military's Rapid Deployment Force, something called 24th ID for anybody out there that has a military background. And what was really interesting in the military, they taught us the importance of know your enemy or this idea of military intelligence. So even though I was

Matt (00:57.264)
Hmm.

Lance Spitzner (01:24.512)
a tank officer. I remember we do a lot of training things like in the Mojave Desert, we'd have the whole company battalion out and we'd be briefed by something called the S2. S2 in the military world, they're the intelligence officers. And so they would brief us on, okay, we're going to be going against the Krasnovians, which is code for the Russians. And they would explain, well, this is how they fight. This is how their military is set up. This is what a Russian tank platoon looks like. Russian tank.

company, this is how they can operate. The whole idea was the better you knew your enemy, the more likely you could defend against and defeat them. So four years in the military, loved my service, but said, you know what, this is not the long-term career for me. So got out and I'm like, okay, I'm a history major. I was a tank officer, but not really sure how that's going to translate to the business world. So decided to get my MBA to figure out

Matt (02:10.757)
Hmm.

Lance Spitzner (02:22.946)
what I wanted to do when I grew up. And while I was getting my MBA, I just fell in love with this new thing coming out. And remember, this is the mid 1990s technology, IT, this new thing called the internet. So that's where my passion was. And while I was getting my MBA, I interned at an IT consulting company. Mainly they worked in the Solaris Sun Microsystems world. So I grew up learning Unix.

Matt (02:49.671)
yes.

Lance Spitzner (02:53.036)
while getting my MBA. And what was funny is they were primarily a database company. And there was this new thing coming out that nobody knew anything about called a firewall. And me being the new guy, they said, hey, new kid, you get stuck learning this new technology called the firewall. So in 1997, 98, I was certified trained on this new thing called the firewall. And that really started.

Matt (03:04.879)
you

Lance Spitzner (03:21.74)
my career in cybersecurity. So that's how I started in cybersecurity. Now, if you're interested, I can then give you the transition into how that came into the Honeynet project.

Matt (03:33.615)
That would be awesome. You're probably the third guest now that I've had over the last couple of years who's had, again, this non-traditional pathway

into cybersecurity. And you know, the, the Honeynet Project, which I definitely want to hear more about, that was, that was one of the reasons when I was in college in the late nineties that I really got into cybersecurity. Let's, let's talk about that now. Like, how did you go from being the, you know, the firewall admin of a company to then launching the Honeynet Project? And then maybe just tell us, you know, what is the Honeynet Project? What did that do?

Lance Spitzner (04:07.118)
Sure, sure. So while I was getting my MBA, like I said, I was interned or working for this IT consulting company and I was the firewall guy. But what was interesting was it was not so much I was in charge of the firewall at the company. It's they were a database company and all their customers were starting to ask for this thing called a firewall. So my job was to install these firewalls at all these different companies. Nowadays.

That's not a big deal, but in the 1990s, that was pretty big deal. And what ended up happening is I was like, okay, once again, my job is to defend companies against these bad guys. It's just instead of the bad guys shooting bullets, the bad guys are shooting IP packets. And once again, I wanted to know my enemy. But in the 1990s and even the early 2000s, there was absolutely

No cyber intelligence, if you will, cyber threat intelligence, nothing about who you were defending against. So I said, okay, I'll just figure it out myself. And I kind of learned about this thing called honeypots. But back then in the 1990s, honeypots were very, very crude. They were emulated. So I came up with the idea. Okay. I'm not really good at coding, but I know firewalls and I know operating systems. So what I designed is I took and built a firewall.

Matt (05:28.367)
Hmm.

Lance Spitzner (05:32.736)
And back then I had access to all enterprise stuff. So I've got enterprise Check Point. I've got enterprise Solaris systems. So I said, you know what? I'm going to reverse this. I'm going to set up a firewall and I'm going to let anything in, but nothing out. And behind that firewall, I'm just going to set up a bunch of computers and network and see if anybody hacks into it. And then I'm going to capture everything they do so I can know my enemy and the

Matt (05:54.405)
Hmm.

Lance Spitzner (05:59.822)
This is 1997, 1998 and boom, I was getting hits and learning. I was learning so much and getting so much data. I didn't know how to process it all. So I started reaching out to these people that were also working in this field. And back then they were brand new. Like this guy named Fyodor wrote this new tool called Nmap. This guy named Marty Roesch, who wrote this tool called Snort. And I'm reaching out to all these people asking them for their help to better create these Honeynet environments

and better learn and share this intelligence about cyber attackers. And that really was the genesis of the Honeynet Project. Nowadays, it would just be called an open source cyber threat intelligence project, which it was. It's just that back then, the concept was new and the tools were new. So it was a fun learning experience for just about everyone involved.

Matt (06:52.346)
That's amazing. That's a great way to learn, right? Like hands on, just figuring it out, pioneering your way through it. Now you've mentioned a couple of times, know your enemy. Was that, was that a book that you, did you write a book? Know Your Enemy? Like that really stands out in my head.

Lance Spitzner (07:04.428)
Yes. Yep. Yep. Yep. Yep. So the experience I had with the Honeynet Project, we wrote this book called Know Your Enemy. Nowadays, once again, you'd read the book and you're like, duh, this is common sense. But back again, 20, 25 years ago, it was pretty radical stuff. You know, we're capturing data about cyber criminals, how they're coming after us. And once again, it was a great

learning experience. And really that was what the Honeynet project was all about. Not only learning, but sharing with the public everything we learned. And that's, like you said, that really helped develop me because I don't have a computing background, a computer science, a coding background. So everything I was learning was learning hands on.

Matt (07:53.094)
So you started off being maybe not a programmer, but still deeply technical, being able to understand, build these things out. Was there a specific moment or event in your career that made you realize that the human element of security was the key to reducing risk rather than just technology?

Lance Spitzner (08:00.418)
Yep.

Lance Spitzner (08:13.166)
Well, absolutely. So it was after about, I'd say around 2010, around there, 2005, 2010, wasn't a specific moment, but you could see this progression where I just repeatedly saw it was people that were involved, both people as in the cyber attackers, but also people as in the victims or the target. And in the early 2000s, technology made a radical difference. You know, the concept of

Hey, you know what, maybe we'll have the firewall turned on by default. So that was in 2004. Absolutely radical. You know what, we'll have the computers automatically update on their own. Absolutely radical. And the whole idea is I quickly saw how technology was having a huge impact. But around 2000, especially about 2008, 2009, we hit a point of diminishing returns because we started getting really good at using technology to secure technology.

And through my watching and learning of cyber attackers, I simply saw them shift what we would now call their TTPs, tactics, techniques, and procedures, and really their methods and how the methods shifted from targeting technology to targeting the human. And really what was happening is we were getting so good at using technology to lock technology down that the cyber threat actors were simply shifting and now targeting the weakest or most vulnerable operating system.

Which would be us, the human.

Matt (09:45.933)
Interesting, interesting. So it wasn't one specific thing, but it's

Lance Spitzner (09:49.198)
Oh, back to your question. No, it was not one specific incident. It was just this idea of I started seeing it more and more and more. And the part that was really frustrating me is I was seeing this progression, but the rest of the security community was just locked in 100 % on the technology side. In some ways, we still suffer from that. So I almost felt it was like both my passion and mission.

to try to get the entire community to realize, hey, this is not just a technology issue. It's also a human issue. And I think we're hitting that tipping point where we're, you know, CISOs on down are beginning to realize that.

Matt (10:35.526)
I agree with you. I think we're slowly getting there after 20 plus years. I'm reminded almost on a daily basis, helping to run a business where I'm at now. And I see things all the time, right? And we're a cybersecurity company where I'm like, okay, it is really the human element that is the large portion of it. So I think when most people think about the human element, immediately they go to, they think security awareness.

And I know that you're passionate about that. You've really been posting recently on security culture versus security awareness. I'm curious, like how does security culture, how is that different from security awareness and why should organizations focus on culture instead of just training and behavior?

Lance Spitzner (11:25.336)
Sure, so they're both good things. They're both all about addressing the human side. Security awareness, it's not one or the other. Security awareness is a subset of security culture. Security culture is more broad and strategic. Security awareness is one part that contributes to your security culture. So traditionally, you'll see organizations start with security awareness.

That's where they're training their workforce to exhibit the behaviors we want. And really that's what security awareness is to me. Different people have different definitions. And I'll be honest, security awareness has a bit of a bad reputation and in some ways, rightfully so. Traditionally, 10 years ago, security awareness was very much compliance. Once a year, death by PowerPoint, once a year, annual training.

Hey, we checked the box and that's it. Now, is that gonna secure our workforce? Absolutely not. So in today's world, security awareness means a very structured, a very regular interaction, engagement with your workforce to really help drive behavior change. But like I said, security culture is above and beyond that. Think of it this way, security awareness is about behavior, what people do.

Matt (12:27.087)
Nope.

Lance Spitzner (12:49.174)
Security culture is about attitudes, perceptions, and beliefs, what people think. So if you have a very strong security culture, people are going to prioritize security, believe it's their responsibility. So in a strong security culture, people are far more likely to exhibit the behaviors we want. And security awareness training helps drive and build that security culture.

but so too do many other things. Your security team, your security policies, your executive leadership, these are all additional drivers to building that strong security culture. So think of it this way, security culture is very broad, security awareness is one part or one contributor to that security culture.

Matt (13:41.19)
That's interesting. Cause I think, I think at least in my experience, many organizations still think just in terms of awareness, like, Hey, if I just make people aware of something that will automatically make things better. So maybe let's go one level deeper into how someone goes about changing culture. You mentioned that changing culture requires changing the environment, sometimes the structure. What are, what are maybe some key elements of an organization structure that

Maybe someone needs to look at organizations you have to look at in order to address or rather to foster a strong security culture.

Lance Spitzner (14:18.232)
Sure. So, and there's a fantastic five minute YouTube video by a guy named Armin Trost that explains this and does it so well. So first of all, when it comes to changing culture, there are decades and decades of research on how to approach this. So we don't need to reinvent the wheel within the cybersecurity world. Organizations have wanted safety cultures, wellness cultures, innovative cultures. So we can simply adapt

those decades of research. So research like John Kotter's Eight Steps, the ADKAR model, there's frameworks, there's case studies, amazing books, Daniel Kahneman's Thinking, Fast and Slow, Dan and Chip Heath, Thaler and Sunstein. So you go to all of that research and they say it in different ways but we're all saying the same thing. So to answer your question, really what it comes down to is

when you want to change culture or build a certain culture, remember the definition, the shared attitudes, perceptions, and beliefs. Culture is what people think and feel. So to change culture, you don't change culture. It sounds a little weird, but I can't tell you, hey, trust the security team. Hey, prioritize cybersecurity. To change culture, those attitudes, perceptions, beliefs,

you change the environment. And by changing the environment, that will ultimately drive both behavior and then ultimately the culture change. So for example, I can't tell people, hey, security is important. What I need to do is change the environment, so compensation models, bonus models, promotion models, KPIs include elements of cybersecurity.

So for example, this is precisely what Microsoft is doing right now with their Secure Future Initiative. I can't tell you, hey, trust the security team. They're good guys and gals. Instead, the security team has to interact and engage with the workforce and be perceived, approach it from an approachable, a collaborative, enabler, helpful. What we don't want is the security team to come off as punitive, arrogant, or egotistical.

Lance Spitzner (16:40.78)
So how the security team interacts with your workforce is going to drive that culture. Same thing for policies. Are the policies easy to understand and simple to follow? Or are they complex, overwhelming, and slow you down? Same thing for the security training. Is it engaging? Is it relevant? Or is it boring and overwhelming and really long and inapplicable? So what ends up happening is

And this is what my job and passion is now is to build that strong security culture. We don't walk in to say we're going to change culture. We help organizations structure their environment so it ultimately drives that security culture that we all really want.

Matt (17:27.065)
That's interesting. I don't think I've heard that before, but you know, you mentioned Dr. Trost and you, there were a couple, I was looking at one of your LinkedIn posts from a few weeks back. And again, he was talking about, he gave some insights around building culture through actions rather than directives. Maybe, maybe talk a little bit, get really, get really practical for us. Maybe what are, what are some steps that security teams can take to lead by example?

Lance Spitzner (17:43.363)
Yes.

Lance Spitzner (17:55.662)
Sure, so let me take it just a step back and just provide an example that we all are well aware of. What happened, so for example, I've been working in culture for over 10 years now and I keep finding myself working with human resources. Like I said, organizational culture is not new. And the whole idea of building the culture you want is called organizational change. It's a whole field of study. And when working with HR, they have a...

fantastic term called music versus words. The music is what your workforce truly thinks, feels, and believes. That's your culture. The words are what leadership says. And in a healthy environment, what leadership says, the words, and what people think, the music are aligned. So leadership will say

Hey, we are an employee friendly, family friendly, supportive environment. We take care of our people. We are a family. That's what leadership says. Now, what do people think? Well, that depends on what leadership does. Leadership says we're a family. Now, are they giving people time off? Do they have good health care? Are people working 40 hour weeks or 60 hour weeks? What happens if one of their children becomes sick? So in

when leadership says we're family friendly, do they really enable that through their actions? So in other words, are they giving people time off or are they telling them, you can't go take care of your sick child? Are they making them work 40 hours a week, 60 hours a week? So what leadership says does not drive the culture. What leadership does drives the culture. In other words, what behaviors do leadership reward? What behaviors do

leadership punish, or in some ways, what are the worst behaviors that leadership tolerates? That can quite often drive your culture. So once again, that's this idea of the environment. Our security culture is going to be driven by the environment. So for example, let's walk in, and the first thing I always do is try to get a vibe of what's the organization's overall culture, because how the security team interacts

Lance Spitzner (20:17.452)
with the overall organization is driven in part by the culture. I like to say we're not trying to change people's culture, we're trying to embed security into it. So let me give you a very specific example. Let's say we walk into an organization, their culture is a little bit more outgoing, or maybe they're trying to become a little bit more innovative. So for example, the adoption of AI.

And quite often security teams can be a blocker to innovation. Innovation is scary. We're trying new things and security teams often say no. And especially in an innovative environment, if security teams just say no, they're quickly perceived as a blocker. They quickly start avoiding them, hey, and this is where we start changing attitudes, perceptions, and beliefs. Security is friction. Security is a blocker.

Do not interact with the security team. We need to avoid them. And as a result of these negative attitudes, perceptions, and beliefs, security is no longer built into the processes because the security team is perceived as blockers. I want security to be seen as approachable, helpful, enabler, collaborative. But I can't just tell them, hey developers, the security team is great. You should interact with them. And yet,

Matt (21:40.613)
Hmm.

Lance Spitzner (21:41.204)
every interaction with the security team is painful, drawn out, overwhelming and complex. So I can't tell people to trust and approach the security team. I've got to change the process. So what I would do is, for example, for the security team, I would create a partnership template. And anytime developers, product managers, business units approach the security team, I would say security team, here is a questionnaire.

Start with this questionnaire and what the questionnaire does is it starts the security team to start asking questions. Okay, what does your team do? What's your goal? What's your mission? How do you contribute to the overall business? How do you like to communicate? What are your biggest challenges? So now what we're doing is the security team is trying to better understand the business unit so we can always get to yes.

So a business unit may go, hey, can we do X? And the security team will say, no, you cannot do X because it's too risky. But then goes the extra step, but to help achieve your mission, we're gonna help you do Y. And if we do Y, then you will be able to achieve your mission far more securely. So the security team is no longer just


Lance Spitzner (23:05.624)
technical experts saying yes or no, they're becoming business partners, enabling all these different teams to achieve their goal. Really the biggest mentality, and this is what I love about Amazon, Amazon has one of the strongest security cultures and they call it job zero. Amazon has really built into their security teams to help drive this culture that the security teams, and this is literally Amazon's words, security teams,

are in the customer support business. They're a customer service business. Business units, product units, different departments do not exist to be secure. They exist to achieve their mission, which contributes to the overall organization. We in the security world, we are simply here to support those internal teams to achieve their mission. So our job is customer service. And it can be a radical

change in how security teams approach things, because far too often security teams can come off as very egotistical or very mandating. So if I want to drive culture change, I start with the security team from a very customer service perspective. And to make that actionable, one of the things I'll often start with is, hey, here's a partnership template. Long answer to a really good question.

Matt (24:28.749)
I love it. I mean, it makes complete sense. You know, in the organizations that I've worked in over the last 20 years, you know, I've seen various different cultures in effect. Like you said, both the overall organizational culture, which definitely plays then into the security culture in the organization.

I've been in organizations where the culture has been toxic. And if you have a toxic culture, it doesn't matter what you try to do as a security team. You're not going to overcome that, that greater, greater organizational culture.

Lance Spitzner (24:51.95)
Yep.

Lance Spitzner (24:59.234)
Yep. So two quick things on that. One thing I like to say is every organization has a security culture. The question is, is it the one you want? And I loved your toxic example. Let me give you a more specific example. I see a lot of organizations, a lot of security teams spend a lot of time training their employees, their workforce to identify and report an incident.

or report a suspected attack like a phishing email or maybe a social engineering phone call. So that's great. But let's take your point of a toxic culture. Let's say we have a toxic security team and people are afraid of the security team. Now the security team's done a real good job of training and making people aware of how to identify and report an incident or an attack. We're developing the human sensor. But to your point, the culture is toxic.

So now the question becomes, how safe does an employee feel reporting an incident if they know they caused it? If you have that toxic or punitive culture or very arrogant egotistical security team, people may know, hey, my computer's infected. But if I report it, I'm going to get in trouble. So maybe they're like, maybe if I just pay the $500 ransom, the cyber attackers will go away and nobody will know.

Matt (26:07.191)
off.

Matt (26:20.133)
You

Lance Spitzner (26:27.02)
So absolutely, and that's an example of where you can have the best trained workforce in the world, but if you have a very toxic culture, people are not going to exhibit the behaviors we want.

Matt (26:39.046)
So you mentioned having a partnership template, right? Something that teams can start with when they engage with somebody in a business unit, basically anybody outside of cybersecurity. I love that concept. Is there, you mentioned Amazon kind of as a role model in this space, you know, they want to create the most customer centric organization. I think that's their mission statement, something like that, or it used to be. So that makes sense that that would then bleed out into their, their cybersecurity team.

Lance Spitzner (26:42.2)
Yes.

Lance Spitzner (26:50.53)
Bingo. Yeah.

Matt (27:07.011)
So beyond the partnership template, are there any other practical steps, maybe one or two things that if someone's listening and they're like, this makes total sense. Where do I start? So partnership template, what else might you recommend?

Lance Spitzner (27:20.184)
Well, like I said, first of all, take a step back and look at the biggest levers. The biggest levers that drive your security training are the security team, your security policies, the security team, security training, security policies, and just leadership in general. I often like to start with the security team because that's the one we have the greatest influence over. It's hard for me to go to the CEO and say, hey,

We need to change the compensation structure to include cybersecurity. Quite often we don't have that influence, but I like to start with the security team and or the security policies. So let me give you a couple more examples. First of all, like with security policies, one of the things you can do is review and identify which policies do our workforce hate the most. And that's really easy to find out.

and then you can then try to simplify two or three of those policies. And I've got a whole process on how to simplify policies. In fact, that might make a good blog post. But to your point, well, what are some easier or quick wins on how to really start building that culture? Here's two more quick wins, and I'm gonna go with the security team. One, security teams, especially if they have highly technical people, tend to be horrible communicators.

not only because we lack the training in it, but there is, once again, we're going to the field of human science here, something, a cognitive bias called curse of knowledge, which states the more of an expert you are at something, the worse you are at communicating it because for you and me, cybersecurity is simple. It's our expertise. So we assume it's simple for everyone else. So what happens is traditionally

security professionals, who are already by nature quite often bad communicators, send out emails or communications to the workforce, and we tell people to do X, and they don't do X, and then we get all mad at them, thinking X is so simple, obviously they're not motivated. It's not a motivation issue, it's an ability issue. We're telling people about things like VPNs and MFA and single sign-on

Lance Spitzner (29:38.764)
and they just don't understand us and the behaviors are really difficult and overwhelming. So one step I see a lot of organizations with stronger security cultures, what they'll do is they'll onboard or embed within the security team somebody with a lot of communications expertise, either hire an individual or partner literally with the comms department. And quite often this individual is not a security expert and that's a good thing. I already have enough

security experts. What I need is somebody that has communication expertise. Now they're going to learn the fundamentals of security and the concepts, but in some ways it's almost an advantage if they're not highly technical because they act as a gatekeeper. If the security team wants to roll out a new tool or messaging and that gatekeeper does not understand it, neither will the workforce. So one of the ways you can start making security simpler,

the security team collaborative and more approachable is hiring that communications expert who not only communicates in a way where it's easier to understand, but part of the translation effort is, hey, how you, the individual, are going to benefit from this. So, hey, we're rolling out password managers. What's the benefit? We're going to make your life so much simpler. Hey, we're going to be rolling out MFA. What's the benefit?

We're gonna allow you to fight back against those evil attackers, take total control of your life and lock them out of all of your accounts. So I would A, start with the communication, make the security team and security much easier to understand, much more collaborative, much more engaging. Another easy, simple win, it takes a little time, is...

a great way to make the security team more approachable is create a Slack channel, a Microsoft Teams channel forum where people can come and just ask questions. Too often security teams are very isolated and if I email them, I get an auto responder and then maybe two days later I'll get an email replying to me and I probably won't understand it. So they seem very, very cold, very, and it's not.

Matt (31:39.247)
Hmm.

Lance Spitzner (31:57.858)
That's not the security team's goal, obviously, but very aloof, very cold. It's almost like trying to reach out to legal. That's a scary process. So what ends up happening is what I would do is create a Slack channel. Hey folks, come and ask us any question. And it doesn't even have to be about the company. It can be things like, hey, what's your favorite password manager? What antivirus do you recommend? Things along those lines.

Matt (32:06.115)
Okay.

Lance Spitzner (32:27.118)
And what you're doing is you're making the security team much more approachable, much more collaborative. You're enabling people. And really this is what it comes down to is there's not one single thing we do to build our culture. We're continuously building our security culture every day. And it's really driven by people's daily interactions. Every time they have a positive security interaction,

we're building a stronger security culture. Every time they have a negative security interaction, we're driving a more negative security culture. So what we want to do is increase the number of those positive interactions and lower those negative interactions. And like I said, normally that starts with the training, the security team or the security policies. And I always like to start with the security team. And just one final thing, it's

not that the security teams are causing harm with malicious intent. They just perceive things through technology. And the biggest difference between securing a computer and securing people is computers do not have feelings. People do. And if you can engage people through that lens of empathy, that is where you start really driving that culture.

Matt (33:27.087)
Hmm.

Matt (33:49.85)
You mentioned AI a couple of minutes ago, and AI is obviously becoming more integrated into the workplace. Pretty much any app that I use anymore has some type of co-pilot in it. Even when I open up a document in Adobe Acrobat, it's like, hey, do you want me to summarize this document for you? And how do you see that impacting

Lance Spitzner (33:53.987)
Mm-hmm.

Lance Spitzner (34:02.358)
Yes.

Matt (34:15.243)
security culture? I guess the second part of that would be, are there any steps that you think organizations should take now to prepare for AI-driven changes, specifically around cyber?

Lance Spitzner (34:27.096)
So yeah, AI, ultimately, it's just like any technology. In many ways, we went through this process 10 years ago when we did the cloud. Just like you said, 10 years ago, you could tell what was cloud and what was not cloud. Now everything's so blurred. It's kind of hard to do anything now without touching the cloud. And we're quickly going the same way with AI, because just about every cloud tool we use has AI functionality built into it. If you're using Microsoft Office,

guess what? You're using AI. So once again, it's a very powerful tool. And what it comes down to is, you know, how does that impact security culture? Well, there's two sides to it. There's one where, well, here's all the risks related to AI and we have to manage those risks. More innovative cultures are going to be like, yes, let's adopt AI. So in those environments, security teams

cannot say stop, no AI, it's evil. You can't do that, because then people are going to just go around it, and we're building a very bad security culture. What those security teams have to do is, hey folks, there are some risks with AI, let us show you how to use it securely. Things like only use these certified enterprise versions of AI, or things like don't share any sensitive data with AI.

AI can give you bad results. And so there's all these ways we can manage those risks. We just simply can't say no. There are certain organizations where security teams will say no, but those tend to be very conservative, very risk-averse organizations. But on the flip side, you could also leverage AI to help drive that strong security culture. So for example, I mentioned earlier, your

policies can be one of your biggest drivers of a negative culture, because your policies are confusing, overwhelming, people don't understand them and can't follow them. Why not take all of your security policies, dump them into an AI and say, AI, how can we make these simpler for people to understand and follow? And then for people who are losing their minds about saying you cannot put your policies into AI, organizations...

Lance Spitzner (36:49.708)
have enterprise versions of AI where that data is not analyzed, stored, or processed. It just looks at your data, just for you. So that would be a recommendation: use it with the enterprise versions. But I'm teaching security teams, hey, security teams, let's say you cannot hire a communications expert. Use AI as your comms intern. So security teams, let's say you're rolling out MFA.

And the security team creates an email and instructions on how to use MFA. Load that into AI. Hey, AI, how can we create these communications so it's much easier to understand and focused on how people personally benefit? So AI introduces new risks, which we have to help manage, but it also introduces new opportunities. And the big one there is security teams can often really struggle

with engaging their workforce, because we forget people have feelings. I use AI every day now to help me craft my emails to my workforce, and I say, AI, pretend you're a communications expert, pretend you're a marketing expert. So now I'm sending out emails to people that really engage. AI, help me simplify these policies. AI, help me really develop training that focuses on relevant learning objectives for these different roles or departments.

So AI can help security teams in these areas that they've often struggled with too.

Matt (38:25.029)
I love how you mentioned, you know, from a prompting perspective, and this is one of those hacks I picked up in the past couple of months, giving it that context of "you are X," right? So you are a PR professional, or you are someone on a marketing team who is not technical. And I find a lot of times, if you prompt these different models with who they should act like,

Lance Spitzner (38:34.69)
Yes.

Matt (38:48.646)
you get really different and much more accurate results. So I totally do it all the time too when I'm working with it. And I've just learned in the last couple of months that it really helps focus the model and give it context. Otherwise it's just going to give you a generic response. If you've interacted a lot with the model, it oftentimes will try to give you a response that matches how you prompt it. So if you're very technical and you're constantly doing very technical prompts, a lot of times the response will also be very technical. So

Lance Spitzner (39:04.173)
Yes.

Matt (39:16.909)
telling it who it should be like is really important.

Lance Spitzner (39:19.566)
So I teach a five-day course on security culture, security culture for leaders. And a bigger and bigger part of that course is how to leverage AI to help you build that strong security culture, because a lot of security teams are understaffed, but also don't have those skills or expertise. So one of my favorite prompts to get around that problem you just brought up is, first of all, you're spot on. You have to give context. Hey, I'm on the security team. We're rolling out MFA.

We're really struggling with it. Our workforce doesn't understand it. Can you create me an email or an infographic that explains what it is and makes it easier for people to understand? And to your point, especially ChatGPT, every AI has its own personality, but I have found ChatGPT tends to be both very technical and very analytical. A lot of times when I'm interacting

with ChatGPT, I almost feel like I'm interacting with Spock from the movie Star Trek. So to your point, what I'll do is I'll say, create me an email and infographic, whatever I need to engage my workforce, and it creates it. And then I always reply, do it again, but make it sassier, make it edgier, make it cheekier. And it really puts a much more human, fun spin on it. And now all of a sudden the security team is fun,

collaborative, interactive. So to your point, absolutely, but you can always come back in. Make it more fun, make it more engaging. Make it less technical, but make it more focused on how people personally benefit. That's the key word, benefit. Don't give me the features, give me the benefits. And it really enables security teams to not only better engage, but start driving that security culture.

Matt (41:14.383)
So as we begin to wrap things up here for the podcast, I'm curious, you've influenced a lot of people through your work. How do you measure personal success? Is it through impact, feedback, or something else entirely?

Lance Spitzner (41:31.042)
That's a really great question. So for me, in today's world, I love my job. So I work at the SANS Institute. And really my passion, my focus is training people and helping them be better. And what I love doing is training people on not only how to build better programs, security awareness, security culture, but really helping them in their lives and their career. So I'm always teaching them how to use AI to accelerate their career.

So how do I measure success? Just the impact you have helping people. So for example, we host a two-day summit every August. Hundreds, not thousands, of security awareness and culture professionals come together. And it's always fantastic. People just like you come and say, hey, you helped me here. You had an impact. So for me, the impact is, I'd say, two areas. One, when individuals say, hey, Lance, you really helped. And that's the best impact

of all. But then two, I would say just at a very high qualitative level, I start seeing security awareness and security culture talked about more and more in our field. And it's not about death by PowerPoint, but really about how can we truly secure our workforce? How can we truly secure the organization from the human side? And the more I see that conversation happening, the more I'm smiling.

Matt (42:57.443)
Is there anything else I should have asked you or that you wanted to cover?

Lance Spitzner (43:01.63)
No, I think you've really done a fantastic job. And folks, like I said, there is a huge community out there to help you on this. And if you're interested in the human side of cybersecurity, please reach out to me, my email address, lspitzner at sans.org. I'm a huge believer in the human side and it's my passion. So I'm here to help.

Matt (43:25.615)
I love that. Thank you for coming on the show today. This has been fun.

Lance Spitzner (43:28.886)
No, and thank you for this opportunity. I really appreciate it.