Transcript
Hi, Mike Matchett with Small World Big Data. We are here at RSAC 2025 talking all the latest and greatest cybersecurity vendors. We are here with KnowBe4, which you've probably heard of. Uh, tell us a little bit, Roger, what does KnowBe4 really focus on in cybersecurity? I know it has something to do with social phishing and the rest of it. How would you say it?

Uh, human risk management, trying to decrease cybersecurity risk that's due to humans. So a big part of that is security awareness training, where you're trying to help people recognize and avoid being scammed. That's a piece of it. Uh, coaching them, nudging them to make the right security decisions. Uh, part of our thing even involves, uh, addressing inbound email and outbound email to see if it has signs of phishing. And we tag that email to tell the users, hey, this is external. Seems to have a weird link in it. Seems to have a QR code. These are things that could be, you know, a high risk. So really focusing on US cybersecurity risk around the humans. Let me say that 70 to 90% of data breaches involve some sort of social engineering. So it's the most important part you can do.

Yeah, and I know everyone says we should put everything to the AI, which has been trained on all that human stuff, but I'm not sure automating human intelligence is going to get us all that at the end of the day. It's interesting, though, that the human human, everyone wants a human in the loop, though still. But humans are a lot of the problem with security. Um, what? How do you do training? How do you think about training somebody to be more secure? What's sort of the overall approach to getting people into a security mindset all the time?

And by the way, we don't call it humans. The big problem. We say they can be the best part of your defense. But certainly, I mean, a big part of it is they even if they're aware of something, they may not care.
Uh, you know, really what you're trying to do is influence human behavior and really culture throughout the organization so that everybody's kind of in this, hey, I'm going to have a healthy level of skepticism. A new message comes in asking me to do something that I've never done before that, you know, we're trying to encourage them to see that as a sign of a high risk message. Make sure that you research it. Use an alternative method outside the message before you perform it. We all get messages from our boss going, hey, I need you to do this, do that. But what we're saying is, if the message is unexpected, no matter how it comes, even if it's in person, you do something you've never done before. Slow down. Be mindful. Research a little bit before you perform it. That's a big part. But it's also, again, even putting the tools and the policy things, making policies harder for someone to take be taken advantage of. Like if you have a policy that says, hey, never pay an invoice that doesn't have, you know, an order with it. Uh, you don't want to circumvent the system, you can get in trouble. Or another policy could be make sure you lock your desktop before you whenever you leave it. Uh, never give your password out to someone calling you so you can create policies that help reduce risk. Then you have your technical tools that would be like your email scanners, your endpoint detection and stuff. And then you have the human component. And again it's a it's a huge thing. Think about it. 70 to 90% of successful attacks involve social engineering that have made it around every policy and technical defense you have. So you got to do it.

All right. Look around here at the RSA Conference. There's 25,000 people here. There's some common themes going on. What would you say you've been hearing and how KnowBe4 can help people with that?

Yeah, certainly AI is a big deal.
And what I would tell people, like so many companies, agentic autonomous Agentic AI and certainly we're big believers in that all of our stuff is agentic AI. First, we've been doing AI for seven years, but I would say make sure you're concentrating on features not, you know, if you give me a good feature that's doing something better and reducing cybersecurity risk better for me, I don't care if it's autonomous agentic AI or if it's a basic if-then statement, right? Focus on the feature. But I do think you're going to see AI start to provide value, like we have an AI agent that helps pick the phishing templates, simulated phishing templates. And we know that if you allow our AI to do it versus the human admin, it's 17% more effective at tricking people, which sounds like a bad thing, but you're making them fail a phishing test. But that then allows you to give an additional educational opportunity. So we don't see it. We're like, oh, that allows you to educate people 17% more, and I think you're going to see a lot more of that where the agentic AI is going to start providing real value, real decrease in cybersecurity risk.

But, you know, it's funny, I hear AI, agentic AI, sometimes I want to just run away and scream.

Yeah. Me too. Like I try not to say agentic AI too many times. But I just say so concentrate on the feature set and if someone tells you, oh, we've got agentic AI, go, okay, tell me what that's really giving me over what you had before.

Yeah. So I understand that you are a not understand. I know you're a famous author. You've written lots of books on things. What's your what's your latest thing?

My latest book, I've written 15, working on my 16th and 17th one, but my latest one is called Taming the Hacker Storm: A Framework for Defeating Hackers and Malware. It literally I wanted to title it How You Fix All of Internet Security. It has a solution that, if followed, would significantly diminish the amount of hacking and malware on the internet.
And I've been presenting it to all kinds of colleges and universities. MIT, I sent it to CISA. Most of the people have seen it, have liked it and said, yeah, that would work. But, you know, it's funny. If implemented, it would probably work to significantly decrease hacking and malware. But you can't get people around your dinner table to agree to do anything. It's really tough to do that in a global world where people have and agencies of all sorts of other motivations, but I'm hoping to I've got about ten years. I'm 58, got about ten years before I retire, and I'm hoping that literally my life's goal is to fix internet security. And if I do it, my career will have been worth it. And if not, it will have been an utter failure. I'm not here to fix the little problems. I'm here to fix the big problems.

You know, it does sound like you could put those concepts together and build a Roger Grimes agentic AI to carry on your legacy and carry that carry that agenda forward. So let's just finish up a little bit. If someone wants to know a little bit more about KnowBe4, particularly if they're in this kind of crowd full of CISOs and the rest of it. Where would you have them start looking into stuff?

KnowBe4.com. We have a lot of information on there for CISOs to everyone on down. Or if someone wants to email me I'm Roger g r o g e r g@knowbe4.com. If you have a question you want to get some information. Certainly we can I can get that to you.

All right. Thank you so much, Roger. It was a pleasure to meet you.

Thank you.

Take care, folks.