Embracing Digital Transformation

#320 From Personal Protection to Cybersecurity: A Journey

26 min
Jan 27, 2026
Summary

Robert Siciliano, a security analyst and author, discusses how personal security principles from the physical world apply directly to cybersecurity. He argues that all security fundamentally begins with the individual and that understanding human psychology—particularly our innate tendency to trust and resist acknowledging risk—is critical to building effective corporate security cultures.

Insights
  • Security resistance stems from cognitive bias (the 'human blind spot') where people trust by default and deny risk can happen to them, making proactive security adoption difficult without addressing underlying psychology
  • The 2-3% of the population with antisocial personality disorders actively exploit the 97% who are trustworthy, creating a fundamental asymmetry that security training must acknowledge
  • Phishing simulation and compliance training fail because they don't address why employees resist security; effective programs must first help people understand their own psychological barriers to security adoption
  • Personal security mindset—maintaining situational awareness without living in fear or paranoia—is the foundation for corporate cybersecurity effectiveness and should be taught proactively, not reactively after breaches
  • Cultural attitudes toward security vary globally; countries with security-first mindsets (like Israel) produce stronger cybersecurity talent and innovation, suggesting organizational culture shapes security outcomes
Trends
  • Shift from technology-first to human-centric cybersecurity approaches that address psychological and emotional factors in risk management
  • Recognition that ransomware and data breach attacks exploit emotional vulnerabilities (timing attacks during holidays when guards are down) rather than purely technical exploits
  • Growing emphasis on the 'strategic human firewall' concept combining technology, training, and behavioral psychology rather than siloed security awareness programs
  • Increased focus on personal responsibility and proactive risk management rather than reactive, fear-based security responses
  • Integration of foundational security principles from the physical world (situational awareness, threat assessment) into digital security training frameworks
  • Emergence of security as a cultural and organizational priority rather than an IT compliance checkbox
  • Recognition that data breaches and identity theft have become normalized in public discourse, requiring new engagement strategies beyond fear messaging
Topics
  • Personal cybersecurity and individual responsibility in corporate security
  • Human psychology and cognitive biases in security decision-making
  • Phishing simulation and security awareness training effectiveness
  • Identity theft prevention and data breach notification
  • Physical security versus cybersecurity parallels
  • Trust as a foundational human need versus security risk
  • Antisocial personality disorders and threat assessment
  • Situational awareness and threat recognition
  • Security culture and organizational mindset
  • Proactive versus reactive risk management
  • Emotional manipulation in social engineering attacks
  • Home security systems and risk denial
  • Credit card fraud and online merchant security
  • Data breach notification laws and regulatory evolution
  • Security training compliance and behavioral change
Companies
ChoicePoint
Early 2000s data breach case where attackers posed as customers to steal thousands of Social Security numbers, becomi...
AOL
Robert's internet service provider in 1995 when he first got hacked, marking his entry into cybersecurity awareness
IBM
Manufacturer of Robert's first computer (IBM PS/1) in 1995 running Windows 3.0 when he experienced his first credit c...
People
Robert Siciliano
Security analyst, author, and speaker sharing 30+ years of experience bridging physical and cybersecurity, from self-...
Dr. Darren
Chief Enterprise Architect, Educator, Author and podcast host of Embracing Digital Transformation conducting intervie...
Quotes
"All security fundamentally is personal security. And what that boils down to is, is that security as it is begins with the self. It begins with your person."
Robert Siciliano
"We would truly rather function in a state of denial than recognize risk in the physical world. And so we do nothing about it."
Robert Siciliano
"The human blind spot is like this cognitive need to trust others. But it basically blurs. It blinds us from the reality that not everybody is worthy of our trust."
Robert Siciliano
"Why wait until you have cancer to eat good? Why wait until your arteries are plugged up until you get a heart attack and change your weight? Like why not be proactive with your health and your security?"
Robert Siciliano
"In the end, we're kind of on our own. Like we've got to take a certain amount of personal responsibility for this thing. And that includes like in our physical world and the virtual world, too."
Robert Siciliano
Full Transcript
And what that boils down to is, is that security, as it is, begins with the self. It begins with your person. And that means, like, security in the physical world, like, avoiding and preventing violence, right? And then from there, it goes to your identity. Like, you don't get more personal than your identity. Welcome to Embracing Digital Transformation, where we explore how people process policy and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, Educator, Author, and most importantly, your host. On this episode, Cyber and Physical Security, with security analyst, author and speaker Robert Siciliano. Robert, welcome to the show. Hey, thank you so much. Happy to be here. Hey, we talked just earlier this week, or was it last? Yeah. Earlier this week? Wow. We're on top of things here at Embracing Digital Transformation. Surprisingly enough, because I'm the one scheduling things right now. It's amazing I can schedule myself anything right now. Walk in Shugum. Yes. Some days it's more difficult than others, for sure. Before we get started, today we're going to talk about cybersecurity and specifically individual cybersecurity, how that has a big role in securing companies. We'll go over all that. I don't want to dive into it yet, because everyone that listens to my show knows that on my show, I only have superheroes. Every superhero has a background story. Robert, what's your origin story? Yeah, so probably a bit different than most to get into the world of cybersecurity. Some good, some bad. At the age of 12, downtown Boston, my dad let my brother and I get in the train, do some shopping for his birthday. We get off the train, and we got mugged by five kids. Five kids approached us and demanded we give them our money. I said, no. They beat me up and took my money. I go home all beaten and bloodied. Dad, and he explained to me that those boys were the lions, and I was the gazelle. 
I didn't have the thought process to run, because I had my little brother with me. I learned firsthand that not everybody is as nice as mommy and daddy. Then about a year later, I was 13, and now we're talking 40-something years ago. I was at summer camp, and there was a girl that she and I connected, and we liked each other and we were sitting on the bus holding hands on the way home. One day we go to her house at summer camp, and we're sitting on her front stairs, and she says to me with a solemn look on her face, she says, I think you should know that my mother's boyfriend raped me. I'm looking at her, and I didn't understand other than looking at her face and hearing it in her voice, I understood that something bad happened. Probably afterwards, I go home, and I said to my dad, dad, what is rape? Because I had no idea what she was talking about. Yeah, you're 13. Yeah, you don't know. I was 13. Back then, we didn't know. It wasn't like today. My dad explained to me the birds and the bees and forcible rape in the exact same conversation. Yeah. Wow, right. So from that point on, yeah, exactly. So from that point on, I had a very different perspective than other kids my age in regards to personal protection. So what happened to me, the multiple attack situation, the girl that I was fond of and what happened to her? And from that point on, I started to take self-defense and teach self-defense. And my thing, in my teens and early 20s, was teaching women self-defense. So I come from the world of personal protection. Okay. And then in 1995, having this small business, I had a small mail order business that I created a website, and I had products that I sold online, videos and products for personal protection. I had a dial-up connection to the internet with AOL. My first computer was an IBM PS/1 Consultant, that was the make and model, with Windows 3.0 and a 150 megabyte hard drive. 
Shortly after connecting to the internet and having dial-up and getting merchant status to accept credit cards, I got hacked in 95. Wow. Wow. Yeah. Me, by the way. It wasn't me. I'll just tell you that right now. Even though I did get, when I was in my youth, I did get in a little bit of trouble, but that wasn't me. That one wasn't. Me too, by the way. So I lost thousands of dollars in credit card fraud. Oh, yeah. And while I was devastated, because that was a lot of money for me, I was astonished and amazed at what they did and how they did it. And I was like, as awful as it was, it was awesome to me. And I wanted to understand it. And so from that point on, I started to focus on what that meant in digital security. And hacking wasn't such a thing back then at all. Data breaches didn't even make the news. But in the mid to late 90s, identity theft became a problem. Social Security numbers being exposed with the internet, government agencies having their databases wide open. And the Identity Theft Prevention and Deterrence Act of 1998 came into play. I met victims of identity theft and that became a focus. So now my focus is personal protection in the physical world, but it's evolved to information security because I got hacked and because friends of mine, their identity was stolen. And so now I'm talking about this, speaking about this. And in the early 2000s, I started to see all around me, you know, a university in California has 600,000 records compromised. A university over here has 400,000 records compromised and it makes national news. And so I started to see like, yeah, this is actually starting to come true. And then you may remember, ChoicePoint was this information broker that like was around in the early 2000s and ChoicePoint. Yeah, they had a data breach, so to speak. 
What that meant was Nigerians, I think at the time, went in through the front door, signed up for their service and got thousands of Social Security numbers on Americans and stole identities. And so when that was discovered, ChoicePoint notified the residents of California because that's all they had to do. They only notified Californians because California was the only state in the union that had a data breach notification law back in the early 2000s. And so ChoicePoint became the poster child for what not to do. Right. Right. I remember that. So I'd already been like speaking and training and educating on personal protection. Right after 9/11, I had gone full time with what I was doing because 9/11 was the impetus for many of us. And now like I'm doing a lot of TV revolving around data breaches, you know. And so for the next like 15 years, I'm talking data breaches and identity theft and credit card fraud and, you know, just all that stuff. And I've been doing that for 30 plus years now. And that is the origin. That's incredible, right? Because you've been that personal security thing. You've noticed that it's fully shifted over into the virtual world where I think the damage could be pretty devastating. Yeah. Right. Because of where I come from, my philosophy is and has always been and will always be, and I have a unique understanding of this and we can talk about it today, is that all security fundamentally is personal security. And what that boils down to is, is that security as it is begins with the self. It begins with your person. And that means like security in the physical world, like avoiding and preventing violence, right? And then from there, it goes to your identity. Like you don't get more personal than your identity, right? Your Social Security. Right. Yeah. Your name, right? And then your data and your dollars. 
And so when you treat security as if all security is personal and you begin with the individual, right? So as a company who's providing, say, phishing simulation training and they're like, OK, do this or else, you know, take this training because if you don't, you know, we're going to demote you, and the employee doesn't get that. Like they're not focused on that, you know, like personal security has been around since the beginning of time. Security has been around for thousands of years. Cybersecurity is brand new. It's been around for what? 20, 25 years. 20 years. Maybe 25. Yeah. If that, you know. And so cybersecurity, yeah, is necessary and important. We've got to engage. But if you begin teaching cybersecurity as if it is all personal to begin with, then the learner begins to understand. And I kind of get ahead of myself. But that's where I come from. So this is really interesting because a lot of efforts in large corporations and a lot of money is spent on prevention and things like that. And I do get the I.T. phishing email and if I click on it, I get in trouble and I have to take the course. Those happen. But I like what you're saying here, that it's an individual thing, because we all know the biggest data breaches that we've seen, the biggest ransomware attacks are personal attacks. That's how they start, right? And I've had a guest on here before that said the most popular day to do a cyber ransomware attack is Christmas Eve and Christmas Day. And I thought, well, why? And he goes, because that's when the emotions are the highest. Families in town, you know, people are taking time off. That's when you attack, when people's guards are down. I thought, wow, this is fascinating. Are you seeing the same sort of thing, this personal? That's where most of the attacking is happening, at the personal level, the social attacks that we're seeing. 
Hands down, you know, so I've created what I call the strategic human firewall. And obviously, you know, we all have all this technology in place that's designed to manage and reduce risk. It's supposed to, you know, shore up and update and download and, you know, fix backdoor vulnerabilities and so forth. And that's all good and well. OK. And we have all this training, phishing simulation training, compliance, check the box, get it done, which is all necessary, right? And what you mentioned, you know, the emotions that revolve around all of this stuff. And I don't know. And I've never seen anyone in my field address that, at least the way that I do. Because when it comes to security being thousands of years old and but cyber only being, you know, 20, 25 years old. And now, like the most security training that most humans engage in right now is phishing simulation training. That's the most. That's it, right? Yeah. OK. We didn't have security training growing up. We never really had thoughtful, in-depth, potentially uncomfortable conversations with loved ones in regards to security. If that, you know, I mean, I know that I did and I do with my daughters and I think that everybody should, but it's just not something that's part of our, you know, we just don't do it. And there's reasons behind that. And so that's kind of what I do with my audiences, as we could do it, too, is like I break down what security is and, fundamentally, what security isn't. And I also talk about like why we as humans resist security, because we resist security to such a degree that we don't want to or think or ever believe that these bad things can ever happen to us. Like that's how we're wired, right? And part of it is, you know, we trust by default. Like I can explain all that stuff to you. 
And what I do is like I have these conversations with my audience up front so that once we start getting into the actual security awareness stuff, being aware of all these various risks, once you get to that point, now they're like, OK, yeah, that makes all kinds of sense. Like I understand why I resist security, but now what do I got to do? Like this makes sense to me. I want more of this. That's not being done. I hear you. So the thing that popped into my head on this is, is there a fundamental difference in, or what are the big differences between physical security and cybersecurity? Because I understand the resistance. I don't want to walk around paranoid all the time. I don't. Right. I love that you said that because a lot of people fail that way. But I also have my head on a swivel, especially when I'm in areas that I'm not familiar with or I see things in my neighborhood, for example, that are out of place, don't belong. I put my head on a swivel. That's a natural thing that I have. But I don't live in fear. Yeah. So you've said all the right things. You've said what I finally said something right. When I tell you you are everybody or your most people, OK, OK, probably a little honestly, probably a little more savvy than most in regards to, you know, digital literacy and such. But you're just as human as everybody else. You mentioned the words fear and worry and paranoia. And that is everybody. Let me explain. OK. Let me get to the beginning of that. OK. Yeah. So in order to get people to drink the Kool-Aid of security and in order to get them to believe in security, you got to explain to them why they react to security the way they do, why they react to risk the way they do. And most people, including your CISOs, don't really truly understand this. OK. Because they haven't just spent the time or it hasn't been explained to them. Maybe they have, maybe they haven't. All right. 
So we are what is called an interdependent species. Obviously, we depend on each other for our survival. And that means that without each other, we would cease to exist. We require each other for procreation. Simple enough. And the basis of that, the basis of that is trust. We need to and require that we trust each other. That is our baseline, which means that when you come out of your mama, you trust and you have to your entire life. Yeah. And throughout your entire life, you want to and you need to trust when you meet people face to face, when the phone rings, when an email comes in, when you get a text message. Your baseline is I want to trust that this person has my best interests in mind. That baseline is that you are giving the benefit of the doubt all day, every day of your entire life. You do. We do. And so people say, well, I don't trust anybody. And I say, yeah, you do. You do. You know, otherwise you'd be living in a cave in Montana. You know, like that's you'd be there. But wait, there are some people out there. That do that, right? I mean. But you're right. You're absolutely right. I trust when I go to the grocery store and I buy something that whoever packaged that food did a good enough job that I can eat it, for example. And the people that are in the grocery store aren't going to shoot it up. Yes. Yes. Trust that your fellow man is good and kind. OK, so we've got that, that kind of works against us. I call it the human blind spot. The human blind spot is like this cognitive need to trust others. But it basically blurs. It blinds us from the reality that not everybody is worthy of our trust. And what that means is that like 97 percent of all the people that you ever have or ever will meet in your life are worthy of your trust. 97 percent. That's a lot. Which also means that two to three percent are not. OK. And throughout 30 years of investigating this, I can back that up with stats. 
That said, two to three percent of the world's population are what the medical community calls antisocial personality disorders. OK. Sociopaths, psychopaths, basically hardcore narcissists that don't experience empathy, sympathy, guilt or remorse. They look at us as their prey. They are the lion and the wolf. We are the gazelle or the rabbit. OK. And they look at us as we owe them. We are their natural prey. OK. Most, that's a lot of people. That's a lot of people. Yeah. Yeah. It is if you look at prison populations, if you look at. I mean, the medical community says one to one and a half percent are, in fact, antisocial personality disorder. And then I can get into some other details, but we'll do that another time. All that said, like on top of it all, right? We resist security because, and you used the particular word. Like, let's just say you don't know what I do for a living. You don't know me at all. And you hear like, OK, this guy's got 22 security cameras, which is actually true, maybe a bit excessive. But, you know, I'll get a lot of them for free for reviews and such. But the guy's got 22 security cameras. What words come to mind with the guy that got 22 security cameras? Paranoid. Exactly. Apparently, yeah, you're one of those. OK, exactly. Paranoid. Yeah. Whatever. In cases. Here's the problem with that. So if you've spent any time on this earth, you would know that paranoia is a mental health disease, is a disease of the mind. And the people who suffer from paranoia. They are, in fact, at odds with their universe. They do truly believe, many of them, that others are out to get them. Like, they do think that their phones are tapped and bugged. And like, their existence is completely overwhelming at all times. And I know this for a fact, because I have close family that I think she might be living in her car right now. Like, she just. Oh, it's so sad. It's awful. But that is truly what paranoia is. 
And so when we as a culture, when we as a society to any degree look at security as, yeah, that guy is always looking over his shoulders. He worries like he's just paranoid. We discount the value that security has in our life. We look at it as a bad thing. We look at it as worry and fear. We look at it as something that we don't want. Who wants to be paranoid? And so as a result of that, because of the way that we're wired. Here's what we do. Let me ask you a question. So you're watching the six o'clock news. And something tragic happens in a neighborhood somewhere. Something bad happens. And the news channel goes in with the journalist, you know, reporter and the camera guy, and they start knocking on doors. The next door neighbor, she opens up her door and these reporters fix the microphone in her face. And she's asked a bunch of questions. So what do you think? What do you think? What does the neighbor always say? I always thought that person was a nice person. I just say that many times again, right? At first, right? How could that happen here? Bingo. How could that happen here? Never happens here. Nobody ever wants to think. They always say the same thing. Nobody ever wants to think or believe it can happen here. They never want to think that. Nobody ever wants to think that. When I ask people, my audience is like, this is what I do. Like I ask them a bunch of qualifying questions to kind of like break down their resistance to security. And I ask them and I tell them, like, did you know that, like, every year in the United States, 1.5 to 2 million homes are burglarized every year. Which means like in 10 years, that's like 15 to 20 million homes that are burglarized. And I ask them, how many of you have a home security system? If I get 20 percent of the room to raise their hand, that's a lot. It's usually like less than 10, right? Which means 80 percent of the population doesn't have a home security system. 
And then I said, well, you know, OK, I get it. Like, but why don't you have a home security system? Why don't you? Like, why don't you do that? And you know what they often say to me? I don't have a home security system because I don't want to live like that. I don't want to have to worry. I just want to be free. As if acknowledging risk, installing a home security system to reduce that risk is going to make you worry all day long. It's going to make you paranoid that bad things are going to happen to you. Like that's how we're wired. We would truly rather function in a state of denial than recognize risk in the physical world. And so we do nothing about it. And ultimately, like security is not my job. It's not my responsibility. It's about paranoia. It's about worry. It's about fear. I don't want to live like that. I just want to be free. And how do you expect an employee to effectively engage in phishing simulation, compliance training, if that's their mindset? Yeah, we got to change that quite a bit. But yeah, quite a bit. But fear is a motivator. That's one of the motivators because we had someone come and steal something from our porch following the Amazon truck around, right? Stole stuff from our porch. Very next day, I put up more security cameras because I had some blind spots, right, which why didn't I do that before? I knew I had the blind spots. So a lot of time that fear. It is a motivator, but that's not the best motivator out there, right? So fear is good to react to. But you can be proactive with fear. So fear is what we use reactively to engage in risk management. Right. Yeah, exactly. But like why wait until you have cancer to eat good? Why wait until your arteries are plugged up until you get a heart attack and change your weight? Like why not be proactive with your health and your diet and your mental health and your physical security and your finances? And I don't know if you could solve that problem, Robert. 
You could save a lot of people a lot of money. Right. But that's what security is. Security is fundamental to living. So security on the hierarchy of human needs, at the base of the triangle is like, you know, our physiological needs. Eating, sleeping, drinking, and right above that is safety, security, stability, structure, protection. So we just haven't thought this through. We haven't as a culture, as a species, mainly as a culture and often as a species. I see it all over the world. In certain parts of the world, they think about security all the time. In certain parts, they don't, you know, like in Israel, like since the early 90s, they have been on top of security there. They are required by law, their building codes, to install safe rooms in every house by law since the 90s, you know, for obvious reasons. That said, like their mindset is wired for security and some of the best cybersecurity companies on the planet come out of, you know, Israel. That said, like we in this culture are just comfortable. You know, and I hear it all the time, like, well, where's law enforcement when you need them? You know, like law enforcement is supposed to serve you and protect you. It's like, yeah. But, you know, in the end, we're kind of on our own. Like we kind of are on our own. Like we've got to take a certain amount of personal responsibility for this thing. And that includes like in our physical world and the virtual world, too. Thanks, Robert. Make sure you catch our next episode where we continue our interview with Robert, where we talk about personal digital security and its effect on corporate cybersecurity. Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. 
If you want to go deeper, join our exclusive community at patreon.com slash Embracing Digital, where we share bonus content and you can always connect with other changemakers like yourself. You can always find more resources at embracingdigital.org. Until next time, keep embracing the digital transformation.