C (3:18)

Yeah, you're 13. Yeah, you don't know.

A (3:20)

I was 13 back then we didn't know. It wasn't like today.

C (3:23)

Right.

A (3:24)

And so my dad explained to me, the birds and the bees, enforceable rape in the exact same conversation. Yeah.

C (3:30)

Wow.

A (3:30)

So from that point on. Yeah, exactly. So from that point on, I had a very different perspective than other kids my age in regards to personal protection. So what happened to me, the multiple attack situation, the girl that I was fond of and what happened to her? And from that point on, I started to take self defense and teach self defense. And my thing in my teens and early 20s was teaching women's self defense. So I come from the world of personal protection.

C (3:56)

Okay.

A (3:57)

And then in 1995, having this small business, I had a small mail order business that I, I created a website and I had products that I sold online videos and products for personal protection. I had a dial up connection to the Internet with AOL. My first computer was an IBM PS1 consultant that was the make model with a Windows 3.0 and 150 megabyte hard drive. Shortly after connecting to the Internet and having dial up and getting merchant status to accept credit cards, I got hacked in 95.

C (4:35)

Wow. Wow.

A (4:36)

Yeah.

C (4:37)

It wasn't me, by the way. It wasn't me. I'll just tell you that right now. Even though I did get, when I was in my youth, I did get in a little bit of trouble, but that wasn't me.

A (4:47)

That, that one wasn't me too, by the way. So I, you know, lost thousands of dollars in credit card fraud. And while I was like devastated because that was a lot of money for me, I was astonished and amazed at what, what they did and how they did it. And I was like, as awful as it was, it was awesome to me and I wanted to understand it. And so from that point on, I started to focus on what that meant in digital security. Hacking wasn't such a thing back then at all. Like, data breaches didn't even make the news. But in the mid to late 90s, identity theft became a problem. Social Security numbers being exposed with the Internet, government agencies having their databases wide open, and the identity theft Prevention and Deterrence act of 1998 came into play. I met victims of identity theft and that became my focus. So now my focus is personal protection in the physical world. But it's evolved to information security because I got hacked and because friends of mine, their identity was stolen. And so now I'm talking about this, speaking about this. And in the early 2000s, I started to see all around me, you know, university In California has 600,000 records compromised. University over here has 400,000 records compromised. And it makes national news. And so I started to see like, yeah, this is actually starting to come true. And then you may remember Choice Point was this information broker that like was around in the early 2000s. And Choice Point, yeah, they had a data breach, so to speak. What that meant was Nigerians, I think at the time, went in through the front door, signed up for their service and got thousands of Social Security numbers on Americans and stole identities. And so when that was discovered, Choice Point notified the residents of California because that's all they had to do. They only notified Californians because California was the only state in the union that had a data breach notification law back in the early 2000s. And so choice Point became the poster child for what not to do.

C (6:58)

Right, right. I remember that.

A (7:00)

So I'd already been like speaking and training and educating on personal protection. Right after 911 I had gone full time with what I was doing because 911 was the impetus for many of us. And, and now like I'm doing a lot of TV revolving around data breaches, you know, and so for the next like 15 years, I'm talking data breaches and identity theft and credit card fraud and you know, just all that stuff. And I've been doing that for 30 plus years now. That is origin.

C (7:40)

That's, that's incredible, right, because you've, you've been that personal security thing, you've, you've noticed that it's full shifted over into the virtual world where I think the damage could be pretty, pretty devastating. Yeah, right.

A (8:01)

Because of where I come from, my philosophy is and has always been and will always be, and I have a unique understanding of this, and we can talk about it today, is that all security fundamentally is personal security. And what that boils down to is that security as it is begins with the self. It begins with your person. And that means like security in the physical world, like avoiding and preventing violence. Right. And then from there it goes to your identity. Like it, you don't get more personal than your identity. Right. Your Social Security, your name. Right. And then your data and your dollars. And so when you treat security as if all security is personal and you begin with the individual, right? So as a company who's providing, say, phishing simulation training, and they're like, okay, do this or, or else, you know, take this training. Because if you don't, you, you know, it's gonna. We're gonna, you know, demote you. And the employee doesn't get that. Like, they're not focused on that. You know, like, personal security has been around since the beginning of time. Security has been around for thousands of years. Cybersecurity is brand new. It's been around for what, 20, 25 years?

C (9:14)

Yeah, maybe. Maybe 25.

A (9:16)

Yeah, if that, you know. And so cybersecurity, yeah, is necessary and important. We've got to engage. But if you begin teaching cybersecurity as if it is all personal to begin with, then the learner begins to understand. I'm kind of getting ahead of myself, but that's where I come from.

C (9:36)

So, so this is really interesting because a lot of efforts in large corporations and a lot of money is spent on prevention and things like that. And we do, I do get the IT phishing email, and if I click on it, I get in trouble and I have to take the course. Those happen. But I like what you're saying here that it's an individual thing, because we all know the biggest data breaches that we've seen, the biggest ransomware attacks are personal attacks. That's how they start, right? And, and I've, I've had a guest on here before that said the, the, the most popular day to it to do a cyber ransomware attack is Christmas Eve and Christmas Day. And I thought, well, why? And he goes, because that's when the emotions are the highest. Family's in town. You know, people are taking time off. That's when you attack, when people's guards are down. I thought, wow, this is fascinating. Are you seeing the same sort of thing? This personal. That's where most of the attacking is happening at the personal level. The social. The social attacks that we're seeing, hands.

A (10:50)

Down, you know, so I've created what I call the strategic human firewall. And obviously, you know, we've all have all this technology in place that's designed to manage and reduce risk. It's supposed to, you know, shore up and update and download and, you know, fix backdoor vulnerabilities and so forth, and that's all good and well. Okay. And we have all this training, phishing simulation, training, compliance check the box, get her done. Which is all necessary.

C (11:20)

Right.

A (11:22)

But you mentioned, you know, the emotions that revolve around all of this stuff. And I don't know, and I've never seen anyone in my field address that at least the way that I do. Because when it comes to security, being thousands of years old and. But cyber only being, you know, 20, 25 years old, and now, like, the most security training that most humans engage in right now is phishing simulation training. That's the most.

C (11:53)

That's it, right? Yeah.

A (11:54)

Okay. We didn't have security training growing up. We never really had thoughtful, in depth, potentially uncomfortable conversations with loved ones in regards to security, if that, you know, I mean, I know that I did, and I do with my daughters, and I think that everybody should, but it's just not something that's part of our, you know, we just don't do it. And there's reasons behind that. And so that's kind of what I do with my audiences, is as I. We could do it too, is like, I. I break down what security is and fundamentally what security isn't. And I also talk about, like, why we as humans resist security. Because we resist security to such a degree that we don't want to or think or ever believe that these bad things can ever happen to us. Like, that's how we're wired. Right. And part of it is, you know, we trust by default. Like, I can explain all that stuff to you, and what I do is, is like, I. I have these conversations with my audience up front so that once we start getting into the actual security awareness stuff, being aware of all these various risks, once you get to that point now they're like, okay, yeah, that makes all kinds of sense. Like, I understand why I resist security, but now what do I got to do? Like, this makes sense to me. I want more of this. That's not being done. I hear you.

C (13:08)

So. So my thing that popped into my head on this is, is there a fundamental difference in. Or what are the big differences between physical security and cybersecurity? Because I understand the resistance.

A (13:22)

I don't.

C (13:23)

I don't want to walk around paranoid all the time. I don't. Right.

A (13:29)

I love that you said that, because.

C (13:31)

A lot of people feel that way. But I also have my head on a swivel, especially when I'm in areas that I'm not familiar with, or I see thing, or I see things in my neighborhood, for example, that are out of place, don't belong. I put my head on a swivel that's a natural thing that. That I have, but I don't live in fear. Yeah.

A (13:53)

So you've said all the right things. You've said.

C (13:56)

I finally said something right When I.

A (13:59)

Tell you you are everybody or your most people. Okay?

C (14:03)

Okay.

A (14:03)

Probably, honestly, probably a little more savvy than most in regards to, you know, digital literacy and such, but you're just as human as everybody else. You mentioned the words fear and worry and paranoia, and that is everybody. Let me explain, okay? Let me.

C (14:18)

Let me.

A (14:18)

Let me get to the beginning of that, okay?

C (14:20)

Yeah.

A (14:21)

So in order to get people to drink the Kool Aid of security, in order to get. In order to get them to believe in security, you got to explain to them why they react to security the way they do, why they react to risk the way they do. And most people, including your cisos, don't really truly understand this, okay? Because they haven't just spent the time or it hasn't been explained to them. Maybe they. Maybe they have, maybe they haven't. All right? So we are what is called an interdependent species. Obviously, we depend on each other for our survival, and that means that without each other, we would cease to exist. We require each other for code, for procreation. Simple enough. And the basis of that. The basis of that is trust. We need to. And require that we trust each other. That is our baseline, which means that when you come out of your mama, you trust. And throughout your entire life. Yeah, and throughout your entire life, you want to. And you need to trust when you meet people face to face, when the phone rings, when an email comes in, when you get a text message. Your baseline is, I want to trust that this person has my best interests in mind. That. That. That baseline is that you are giving the benefit of the doubt all day, every day, for your entire life. You do? We do. And so people say, well, I don't trust anybody. And I say, yeah, you do. You do. You know, otherwise you'd be living in a cave in Montana. You know, like, that's. You'd be.

C (15:49)

There are. Wait, there are some people out there that do that. Right. I mean, But you're right. You're right. You're absolutely right. I trust when I go the grocery store and I buy something that whoever packaged that food did a. A good enough job that I can eat. Eat it, for example.

A (16:15)

And the people that are in the grocery store aren't going to shoot it up.

C (16:18)

Yes, yes.

A (16:20)

Trust that your fellow man is good and kind. Okay, so we've got that. That kind of works against us. I call it the human blind spot. The human blind spot is like this cognitive need to trust others, but it basically blurs. It blinds us from the reality that not everybody is worthy of our trust. And what that means is that 97% of all the people that you ever have or ever will meet in your life are worthy of your trust. 97%.

C (16:50)

That's a lot.

A (16:52)

Which also means that 2 to 3% are not. Okay? And throughout 30 years of investigating this, I can back that up with stats that said 2 to 3% of the world's population are what the medical community calls antisocial personality disorders. Okay? Sociopaths, psychopaths, basically, hardcore narcissists that don't experience empathy, sympathy, guilt, or remorse. They look at us as their prey. They are the lion and the wolf. We are the gazelle or the rabbit, okay? And they look at us as we owe them. They are. We are their natural prey. Okay? Most people.

C (17:30)

That's a lot of people. That's a lot of people.

A (17:32)

Yeah, yeah, it. It, it is. If you look at prison populations, if you look at. I mean, the medical community says one to one and a half percent are, in fact, antisocial personality disorder. And then I can get into some other details, but we'll do that another time. All that said, like, on top of it, all right, we resist security because. And you use the particular word like. Let's just say you don't know what I do for a living. You don't know me at all. And you hear like, okay, this guy's got 22 security cameras. Which is actually true, maybe a bit excessive, but, you know, I'll get a lot of them for free for reviews and such. But the guy's got 22 security cameras. What words come to mind with a guy that's got 22 security cameras?

C (18:16)

Paranoid.

A (18:17)

Exactly.

C (18:18)

Paranoid. Yeah, you're one of those. Okay, paranoid. Yeah.

A (18:22)

Whatever the case is, here's the problem with that. So if you've spent any time on this earth, you would know that paranoia is a mental health disease, is a disease of the mind. And the people who suffer from paranoia, they are, in fact, at odds with their universe. They do truly believe, many of them, that others are out to get them. Like, they do think that their phones are chopped and bugged. And like they. Their. Their existence is. Is completely overwhelming at all times. And I know this for a fact because I have close family that. I think she might be living in her car right now. Like, she just.

C (18:58)

Oh, it's so sad.

A (19:00)

It's awful. But that is truly what paranoia is. And so when we as a culture and we as a society to any degree look at security as, yeah, that guy's always looking over his shoulders. He worries like, he's just paranoid. We discount the value that security has in our life. We look at it as a bad thing. We look at it as worry and fear. We look at it as something that we don't want. Who wants to be paranoid? And so as a result of that, because the way that we're wired, here's what we do. Let me ask you a question. So you're watching the six o' clock news and something tragic happens in a neighborhood somewhere. Something bad happens. And the news channel goes in with the journalist, you know, a reporter and the camera guy, and they start knocking on doors. The next door neighbor, she opens up her door and the reporter sticks the microphone in her face and she asks her a bunch of questions. So what do you think? What do you think? What does the neighbor always say?

C (20:01)

I always thought that person was a nice person. I've seen that time and time again, right at first, right? How could that happen here?

A (20:10)

Bingo. How could that happen here? Never happens here. Nobody ever wants to think. They always said the same thing. Nobody ever wants to think or believe it can happen here. They never want to think that. Nobody ever wants to think that. When I ask people my audiences, like, this is what I do, like, I ask them a bunch of qualifying questions to kind of like break down their resistance to security. And I ask them, I tell them, like, did you know that, like, every year in the United States, 1.5 to 2 million homes burglarized every year? Which means, like, in 10 years, that's like 15 to 20 million homes that are burglarized. And I asked them, how many of you have a home security system? If I get 20% of the room to raise their hand, that's a lot. It's usually like less than 10, right? Which means 80% of the population doesn't have a home security system. And then I said, well, you know, okay, I get it, like, but why don't you have a home security system? Why don't you, like, why don't you do that? And you know what they often say to me? I don't have a home security system because I don't want to live like that. I don't want to have to worry. I just want to be free. As if acknowledging risk. Installing a home security system to reduce that risk is going to make you worry all Day long, it's going to make you paranoid that bad things are going to happen to you. Like, that's how we're wired. We would truly rather function in a state of denial than recognize risk in the physical world. And so we do nothing about it. And ultimately, like, security is not my job, it's not my responsibility. It's about paranoia, it's about worry, it's about fear. I don't want to live like that. I just want to be free. And how do you expect an employee to effectively engage in phishing simulation compliance training if that's their mindset?

C (22:01)

Yeah, we got to change. We got to change that quite a bit, but. Yeah, quite a bit. But fear is motivator. That's one of the motivators because we had someone come and steal something from our porch following the Amazon truck around, right? Stole stuff from our porch. Very next day, I put up more security cameras because I had some blind spots, right? Which. Why didn't I do that before I knew I had the blind spots? So a lot of time that fear, it is, is a motivator, but that's not the best motivator out there. Right? So.

A (22:36)

But that's, that's. Fear is good to react to, but.

C (22:42)

You can be proactive with fear.

A (22:45)

So fear is. Is what we use reactively to engage in risk management, right?

C (22:51)

Yeah, exactly.

A (22:53)

But, like, why wait until you have cancer to eat good, good. Why wait until your arteries are plugged up till you get a heart attack? What, and change your weight? Like, why. Why not be proactive with your health and your diet and your mental health and your physical security and your finances? And I don't know if you could.

C (23:21)

Solve that problem, Robert. You could. You could just save a lot of people a lot of money. Right?

A (23:28)

But that's what security. Security is fundamental to living. It's like security on the hierarchy, on the hierarchy of human needs. At the base of the triangle is like, you know, our physiological needs. Eating, sleeping, drinking. And right above that is safety, security, stability, structure, protection. So we just haven't thought this through. We haven't. As a culture, as a species, mainly as a culture. And often as a species, I see it all over the world. Certain parts of the world, they think about security all the time. In certain parts, they don't, you know, like in, in. In. In Israel, like, since the early 90s, they.

C (24:05)

Yeah, they'd been on top of security there.

A (24:08)

They are required by law, their building codes to install safe rooms in every house by law, since the 90s, you know, wow. For obvious reasons. That said, like, their mindset is wired for security, and some of the best cyber security companies on the planet come out of, you know, Israel. That said, like, we in this culture are just comfortable, you know, and, and I hear it all the time, like, well, where's law enforcement when, when, when you need them? You know, like, like, law enforcement is supposed to serve you and protect you. It's like, yeah, but, you know, in the end, we're kind of on our own. Like, we kind of are on our own. Like, we've got to take a certain amount of personal responsibility for this thing. And that includes, like, in our physical world, in our virtual world, too.

C (24:54)

Thanks, Robert.

B (24:55)

Make sure you catch our next episode where we continue our interview with Robert, where we talk about personal digital security and its effect on corporate cybersecurity. Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show.

C (25:16)

If you want to go deeper, join.

B (25:17)

Our exclusive community@patreon.com embracingdigital where we share bonus content. And you can always connect with other change makers like yourself. You can always find more resources@embracingdigital.org until next time.

C (25:32)

Time.

B (25:33)

Keep embracing the digital Transformation.