Truth in IT

SoSafe: Military Lessons for Cybersecurity Culture & Awareness

SoSafe
07/01/2026

Transcript


I will do. I'll be very careful how I sit down. That's maybe a good first leading point, right? I understand that it's a special time of the year, so to say, for you right now. And maybe also the audience noticed that David isn't wearing the typical attire of a cybersecurity conference right now. Maybe for the people who are not aware, you might want to say a few words on that. Okay, first of all, can you all hear me okay? This is very new to me and I'm getting the background info as well. So first of all, hi everybody. Thank you for being here today and thank you for allowing me to speak to you guys today. Yes, as mentioned, I'm wearing my military uniform today or certainly my military medals. I didn't come through the academic route. I came through a military route in November, especially the 11th of November at 11 a.m. is our remembrance. So we wear the poppies to remember all of those men and women who paid the ultimate sacrifice to allow us the freedom to be here today. I also wear the poppy to remember the girls and boys who didn't make it home or the guys that did come home and then had difficulties transitioning. Sadly, a lot of my friends now, they've killed themselves since coming home. So for me, it's really to remember those really strong, powerful ladies and gentlemen who served the country, regardless of what country you're from. It's very important that we remember those guys and girls who paid the ultimate price. Hopefully, we can learn some lessons and hopefully we won't repeat those incidences. But sadly, with everything that's happening geopolitically right now, there's many different wars and I pray for the day where you don't need guys like me. I pray for the day where we stop giving medals out. But until that day comes, then I'll certainly remember all of my friends and family and all my really, really good friends that aren't with us anymore. So for me, it's important to wear. It's important to remember. It's above my heart. 
And I think it's something that is really important. We should always be trying to look for the lessons learned. And when you pay a price like this, you do need to learn those lessons well, I think. Thank you for sharing with all of us. Thank you. And thank you for being here with us today. So maybe let's start very broadly, right? With your experience in cybersecurity, how have you seen the threat landscape evolve lately? Okay, so for me, the threat landscape started in the digital age, in the analog age. So my understanding of the threat landscape started in the end of the 90s. So my first deployment after military training was to the streets of Northern Ireland. It was to fight in the wars in Belfast, in Logan. We had a lot of problems with IRA. We had a lot of problems with UVF. But the devices that they were using as a young 17 year old soldier was all digital and analog. So the threat that we faced then was very much an IED, an improvised explosive device, which could be initiated by using a cellular device, a mobile phone, digital and analog. Nothing really too high tech, but very, very effective. And the IRA and the UVF and the terrorist organizations in the province of Northern Ireland used it very effectively against us. Now, like you said, I don't come from an academic background. I came through the military route. So when I left Northern Ireland, we went straight into the next conflict, which was the Iraq War. And from Northern Ireland to Iraq, the changes and the leaps in modernization of warfare, of global technologies, it was a huge impact on the soldiers in Iraq. We've gone straight from an analog digital world before even the Internet, without letting on my age too much. But the threat landscape, it came from an old fashioned system. And in Iraq, we were already starting to see biometrics. We were already starting to see the use of drones, especially. And the advancements that we had in weapons to defeat the threat was huge. 
Fast forward again, we end up in Afghanistan. Again, we're still looking at the threat, which is improvised explosive devices. But this time technology stepped up to meet the requirement. Now we're not looking at cellular devices or analog devices. We're looking at passive infrared. We're looking at different technologies and systems to initiate devices. Now as an operator, every single mission I've ever conducted over the last 20 years was led by intelligence. It was led by data. You can be the best sniper in the world. You can be the best soldier in the world. Every single military operation over the last 50 years at least has been led with data and intelligence. So the more the threat landscape evolves, the more we need to react to that threat. But the threat landscape, it's a very broad subject for me. Because again, it's from the late 90s into now. Now we have deepfake. Now we have AI. Now we have many different tricks of the trade. And ultimately, the landscape's changed, but the human element actually hasn't. We're still falling for the same traps that we fell in in the 90s. We're still falling for the same trips and traps that we used in Iraq. It's the human element. The threat landscape, it is a very dangerous place. I mean, we need to be very honest. The things that you can find on the dark web, on the deep web, and you don't even need to look that hard. I personally have watched it go from being very almost caveman-esque in a way, very analog, very digital. And now we're into the high-tech stages of the global war on terror. Now it is biometric reading. It's AI data. It's getting surveillance footage from drones. All of these basic security fundaments, I think, provides a good insight into the threat landscape. Yeah. So I think for many people, it might sound like a very tangible thing, like an explosive device or something like that, right? In this kind of sense, it's something you can touch. 
But then we see that now, apart from battlefields, in everyday life of working in a company, deepfake and AI pose fascinating possibilities, but also dangerous possibilities. It depends on the angle or who you ask, right? I believe so. Where would you say, as an expert, are these technologies being utilized? And what are maybe also the steps we can take to prepare ourselves, our employees against those techniques and maybe also their misusage? That's actually a really good question. There's a couple of answers there that I think are quite prevalent. I mean, to finish the very last question, how do we prepare the environment? How do we make people aware? Honestly, from my standpoint, the current level of education and services and e-learning modules and phishing services that SoSafe provides, they are literally mission critical. Because it's the human element that is perhaps not the strongest, but it's also the human element that needs to be reinforced and re-educated. So when we're talking about what could we do to arm ourselves against AI, I think we're already on a very good way. We engage people. We talk to people. We show them the risks of what AI could or could not possess. I personally don't see the risk in AI as much as maybe some other people in the security industry do. Because if you look at what AI has already managed to achieve in the medical industry, for example, we're now advancing breast cancer screening by five years due to the implementation of AI. I mean, the current standards we have in place are good. If we use AI for the good of mankind, for the good of humanity, then I think AI is a fantastic tool. And I think everybody, regardless whether you want to accept it or not, I think within the next two to five years, we're going to be seeing some major changes in our environment with the use of AI. But I personally don't think it's anything to be afraid of. 
I think if used correctly, I think it's going to advance everything we do in all aspects of business and ultimately in all aspects of our relationship and engagement. The deepfake stuff, I think we're already seeing quite a lot. And I would actually quite like to ask the audience. So my current organization, we've already started to see a lot of deepfake videos coming through. They're getting mixed up in the queue for emails and, hey, congratulations, we're going to invite you to this. Congratulations, you've won that. Is anybody else in this room currently seeing deepfakes in their own environment? Okay, one person, two people. Okay, there's a couple more hands going up now. So that's good. So we're already starting to see what the possibilities are with these deepfakes. I personally spoke to my CEO two weeks ago because there is a LinkedIn WhatsApp group with his name, credentials, and face. And he's sending messages to his employees and friends in very much a phishing-style format with a sense of urgency. Hello, such and such, please click on this link to activate so-and-so. Now, I'm really lucky. We've got a very good cybersecurity awareness team. And we educate and we advise. And we try to, I hate the word upscale. I really didn't want to say that, but it's a good word to totally educate the environment. We are going to see more deepfakes. It's just the next trend. It's on its way of being slowly played out. But then the new wave of attacks are going to be even more technical. They're going to be even more tricky to see and to make tangible. Yeah. I want to follow up a little bit on what you said there because now we're talking, obviously, about educating people and new emerging threats. We need to find new answers and new paths of education for them. Do you have experience in establishing cybersecurity awareness strategies and culture in organizations from scratch? So, what were the initial challenges you faced each time trying to do this? 
And how did you bring this consciousness to the forefront of an organization? I've got two answers I could potentially give here. I'm weighing up which one's going to make the least impact in my career. Okay. So, yeah, I love building teams. In the military, in the operator environment, that's what I spent my 20, 30 years doing is building teams. It's building resilience. It's making sure you've got the right people to do the right job at the right time. And it's absolutely essential that we have those things in place. And just so you know, I'm completely… Can you say that question again? So, we were talking about the initial challenges. The initial challenges. When you try to establish something like that in an organization. Okay. Well, I'm actually very lucky. Whichever answer I give. So, in certain organizations I've been before, the challenge was actually to make people aware of what cybersecurity is, let alone what awareness is. I think as awareness managers or awareness individuals, it's very important to have the qualifications, the current competencies, and to know your subject matter. But you need people who can make the awareness journey for everybody to engage. So, I don't or we don't aim for the CEO or for the head of procurement or for the head of legal. We aim for the cleaning staff, the front desk. We're looking for the guys in the procurement teams or the legal teams or the teams where they don't get the same amount of training that IT maybe do. And we need to focus on those individuals. And the challenges there is I like to make it personal. So, when I'm doing a Cybersecurity Awareness Session, I'll ask questions like, okay, who has Ring cameras at home? Who has Alexa in the house? Who has Facebook? Who has Instagram? Who has all of these online portals? Because the amount of information that you can gather from those online portals is immense. And the challenges is getting people to understand. 
Guys, I'm going to be completely honest now, completely off script. In my experience, I've noted that I would suggest 90% of this room has something they don't want somebody to know. Every single face or nearly every single face in this room has some secret. Now, there are people out there like me who want that secret. They want that information. We want to blackmail you. We want to take your money. We want to break your credence. We want to do bad things. We are attackers. It's what we do. So, the more information you put out there, the easier you're making it for us. And when we're talking about the challenges we face, we need to make every individual aware of what they're doing online and the bad security consequences that can follow up. Yeah. In other organizations, I was very lucky where the cybersecurity awareness wave was already in full flow. And they just needed somebody to come in and build the team and show them some good tips and tricks and how to build an environment where people are free to express their ideas. Safe environments are very, very important for the teams. But the challenge is always to get the buy-in from everybody. Not to look at the CEO. Not to look at the heads of or the directors or the C-suite. Every single person in that organization needs to be trained and educated. So, when they do get a phishing mail, and they probably will, they'll be able to recognize what the phishing mail is. And then hopefully, I mean, you guys have got a great tool, the reporting button from SoSafe. We've implemented that now in my company. And we are seeing guys and girls like yourselves who are maybe not the most IT or security-minded. We've actually got the process now of being able to report phishing mails. So, for me personally, that's a huge step. That's one of the challenges that we've faced. Raise the awareness. Show them what the problem is. And then make it personal. Show them how I can hurt them. Yeah. 
And if it's not me, it's going to be somebody else who will go after them. And attackers, we don't make – we're not interested if you're the CEO or you're not. If you're a CEO or somebody in charge of finance or banking or somebody with critical information, well, if we can't get you, we'll go for your family. There's no moral compass here. We will use whatever tool we have to make sure we get your information. Ladies and gents, this isn't a nice subject, but it's the truth. You can wrap this up in fluffy cotton wool and give yourself a warm fuzzy feeling, but there are some horrible people out there. And all they want are the secrets that you guys are hiding. And I've already seen three or four people who, honestly, I would like to check your hard drive. But I digest. I digress. Sorry. All right. So, I think you've already touched upon that subject with various of your comments, right? But what is the decisive factor why cybercriminals focus so much on the human layer? Like, what triggers them? What makes it? Because you guys are easy. Yeah. You guys are easy. And I mean that in the nicest possible way, but I'm not a technical man. I'm not a university degree. I don't have an MBA or a BA or anything like that, but I do know the culture and I do know how people attack. And I do understand the criminal mentality very, very well. My entire journey into this environment was because I was involved in crime as a kid. I got in with the wrong people. I was doing a lot of things that are very negative. So, I understand the criminal mindset and I understand why they do what they do. It's because we as human beings, we make so many mistakes. We make so many mistakes. And the people sat here or maybe the people online, they might think, oh, well, I'm a manager in this role. I'm not important. But you still have access to information that I want, that I need. It really doesn't matter what rank or what skill you are. 
Everybody has something that they don't want brought out into the light and everybody has something they're trying to hide. And if we put that in a business context, we're talking about business information. We're talking about customer information. We're talking about procurement rights. We're talking about legal lines. It's the whole spectrum. And the human, I'm sorry to say, the human is the easiest person to attack. You can have the best technology in the world. You can have all the tooling in the world. You can have the best AI in the world. I or somebody like me will find something that you personally don't want brought out and we will attack that vector. And we will manipulate you. We will torment you. We will block your devices. We will encrypt everything because we don't care about the personal damage that we cause. Attackers, we don't care. We just, we don't care what damage we cause. We don't care the loss and the misery and the damage we do to business or to a person's reputation. The reason we attack humans is because it's easy. Yeah. Sounds scary, right? In a way. I mean, there's so many different ways you could come to the cybersecurity awareness topics. But for me personally, it's always been tell the truth and let the people know that it isn't a nice, safe, warm environment. And you can have many different ways to produce your goal. But it's not my job to sell a warm, fuzzy feeling. It's my job to tell you guys, look, these are the threats that you face. And with you conducting yourself online or sharing pictures. And I've got to be honest, men are particularly quite bad at sharing pictures on communication tools that maybe somebody like me could get a copy of and then blackmail you. And ladies and gents, I think we all know what we're talking about. Men are sometimes a bit more vulnerable to messages. But every time you send pictures or images, we're watching. And we just need one picture and then we've got you. Literally got you. Yeah. 
So I think it's really fair to say there are personal effects or implications of that, but also business implications. This is a business of service. It's a business of service. You go into any of the forums. You go into any of the portals. And you can buy an attack for as little as 50 euros. You can buy a ransom attack. You can buy a phishing campaign. I was watching something the other night. There was a 12-year-old in America who was in the process of doing a massive attack. And when he was caught and found, they just said, well, what made you do that? And he just said he was bored. He wanted to try something. And this is a young kid. And he's already streets ahead of people like me. I'm a dinosaur. I'm from the analog age. These guys are putting codes together. These guys are putting traps and phishing systems in place. If the human doesn't catch it, then where is it going to go? It's going to go on your server. And then when I'm in your server, guys, I'll be taking your money and moving to Tahiti. So you've taken SoSafe globally, right, from South America to China. What role does SoSafe play in your overall strategy in that sense? Shameless plug time. Yes. Okay. To be completely honest. So when I came to my company just short of three years ago, we didn't actually have a cybersecurity awareness culture in place. There was literally nothing there. There was a lot of C-level people shouting and screaming about phishing attacks and emails and blah, blah, blah, internet security, but they didn't really have a plan. I spent a lot of time in the vendor selection, a lot of time. Before I came across SoSafe, I must have taken in about 12 different vendors, all providing the same service. The difference with SoSafe, in my humble opinion, is the human element that supports the tool and the processes. So I know if I ever have a problem, that the SoSafe guys are really, really good at replying to you and making sure that the product's a very finely polished product. 
And more importantly, when we looked at the SoSafe packages all those years ago, we had to throw away a lot of those modules because they weren't fit for purpose. They weren't fit for my audience. They weren't fit for my style. And then SoSafe went away and then created a completely new format for me. Since then, I've been lucky enough to hire my best friend to come and work with me on the subject. And we take those very important key messages. We take them to South America. We take them to China. We take them to India. We take them across the world because this is going to be quite controversial. I don't know many people that really, really enjoy digital learning. I know a few guys that have to do it because it's mandatory. I know quite a few guys that roll their eyes when it's that time of year. What myself and Nixon have identified is when you take the content from SoSafe, or you take your own content, or you do a tabletop exercise, or you do a whatever, you need to be in the same room. You need to speak to the people one-to-one. What use is it? Me sat behind a screen. Are you guys sat behind a screen just clicking a button and going through all your training? You guys aren't taking anything in. I'm not giving you anything of any value. We need to understand. We need to educate and continuously train the users and the people. And I honestly think, shameless plug, I think SoSafe is the best for that. I've had nothing but positive feedback from the SoSafe modules and also from the live sessions that we've done in Singapore and China. Online, there are many different comments about the e-learning modules, and some of them are really, really funny. Some of them are like, please stop sending me this module. I am so sick and tired of doing e-learning. I've got one that said, this is a waste of human life. I've got another comment somewhere, and it's rated one star. I'll never get this hour back. And I love that because we've made a difference. 
I mean, there's no such thing as negative feedback. These guys have done the training. They didn't like it. So we take that digital content. We jump in the car. We jump in a plane. We go and visit those people. And for me, very luckily, I've got a little toolbox, and I'll take that into that session. I'll say, this is my camera. This is my hacking device. This is my RFID device. This is how I'm going to get through your access management system. These are the credentials I'm going to steal in the smoking area when I'm stood next to you with my reader. Then I'm going to take all your credentials. I'm going to go inside, and I'm going to be an absolute menace in your building. And these are all things that you can only do live. That's super interesting. I had to go and visit the CEO last week in The Hague. Now, I shouldn't be able to just walk into the CEO's office. There needs to be about seven different security platforms there. ID card, badging, badge out, access management. I socially engineered that whole situation that within 10 minutes, I bypassed one of the most secure buildings in The Hague, and I was actually sat with a cup of coffee waiting for the CEO to come in the room. I mean, these are the things that humans can do. And these are the things that we need to share to these guys. Look, your technology is great. Your tooling is amazing. Your click rate is fantastic. Your open rate is amazing. But the human element, there's always going to be somebody trying to get in, always. And you need to take that away today. It doesn't matter if they use the front door, the back door. It doesn't matter. The easier you guys make it for people like me, the more havoc we're going to run. It's as simple as that. Thank you so much. One last question from my side before we can open up to the audience. And I think it's interesting because I've already heard some of these, I think, topics within your answers and comments, right? Educating people is one thing. 
The next step is empowerment, right? Like the reporting button or other things to also not only recognize threats, but also be able to treat them, react to them, etc. So what would you say helps people to feel empowered in the face of these threats? By building an effective and safe security environment for people to work in. I don't like yes men. I don't like yes women. I don't like egos. I don't like people saying, oh, but this is the way we always do things. So this is the way we're going to do it. You need to really, this is one of the most important things. You need to establish a safe culture where you express or you give the team the freedom to express different ideas. Some of the best ideas that I've ever heard have come from the person I would least expect that suggestion to come from. And if you're leading and you have a good team of people who are all on the same page, all working to the same goal, it doesn't really get any better than that. It really doesn't. A safe and loving and warm, secure environment for people to work in. I want people to enjoy working. I want them to come into the office. I want them to come to places like these. Everybody here, everybody here has a different opinion. They have a different perspective. They have a different idea of how we do things. And what sort of ego would we have if we said, yeah, but we're this and we're that and we know everything. That's not the case. You know, without the interaction, without the one-on-one to your teams, to your junior team members, your senior team members, they have to feel safe. And I'm saying the word loved. The need to feel warm and safe and loved and that they're in an environment where failure is acceptable. It's okay to fail. If you're going to fail, it's okay. You know, land on your back so at least you look in which direction you're going. You get up, you start again. Not everything that we've done in the last 10 years has worked. 
In fact, if anything, I've had more failures than wins. But we always identified a different area, how to achieve that win. Safety, security, a loving and safe environment where people feel genuinely enabled and genuinely empowered. That's what we should all be aiming for. No more yes men. No more nodding. And you'll notice that in your next teams or your next meetings. Somebody at some point is going to ask a question to the group and people are just going to do that. All right. Thank you so much, David, for those closing remarks. This speaks for itself. That was terrifying. So, we are pretty short on time, but maybe we can squeeze in one last question from the audience. If there are any questions, please raise your hand. We'll have somebody with a mic come around. There's always that one kid in school, isn't there? Yeah, there usually is. I'm really sorry. It's okay. I think I'm through my nerves. Go on. I'll do my best. I'll make it easy for you, probably, but it's a difficult question. When we are sensitive people with cybersecurity and we tell them, don't tell the world anything about you. Be as careful as possible with all your information. There always comes a question, yeah, but it's just my name and my mail address. What can you do with it? And, yeah, it's just my number, my insurance number, anything. And then you are standing there and say, yeah, okay, I'm not criminal creative enough. That's the word we created in turn to tell you exactly what I could do about it. But you can be sure there will be people who are creative and they find a way to hurt you or to do damage with it. Okay, so I took a quick look at the attendance list before I sat on the stage. I identified three people in the audience who are going to be here today, and I learned more about them in five minutes online with just their job title and their name than you could possibly imagine. 
Any information you give online, anything, if it falls in the wrong hands can be traced, and it will be traced. It will be tracked. A like, a comment, a smiley face, a thumbs down. The more you put out there, the more I'm going to get. But with just your name and your title, I can already do some work on OSINT, open source intelligence. I can go on the social media apps. I can go on the professional media apps. I can find out what company you work for. Then I'll find out the address of your company. Then I'll find out what time you go to work because I'll sit outside your building and look for you. I'll find out your routine. And in the security industry, the most important thing for me is pattern of life. If you guys are still setting the same routines, going to work every single day on the same route, in the same car, with the same people, you're setting patterns. When you set a pattern, we're going to find you. By setting patterns, you're telling us what you're going to do next. You're making it even easier. And then we take the cyber threats and we make it a physical threat. You know, we put teams outside your house. We monitor your family. We monitor your parking spaces. We find out where you go to the gym, what time you go to the gym. We find out if you're having an affair. We find out who you're having an affair with. Any information you can give, we will use against you at some point in some way. It really is quite scary. I'll be completely honest. But you're not protected, guys. It's as simple as that. You know, we all like to think that we're protected in our antiviruses and our policies and procedures. Guys, 9 to 5 is great, but we work out of hours. We'll get your information 9 to 5, but we'll still come knocking on your door at 2 in the morning. It is a dangerous world out there, but maybe a final note because I see the big red tan dipping down here. Yes. Just be aware of your surroundings. Don't set patterns. Change your passwords. 
Don't do basic mistakes. Make it as difficult as possible for people like us who do have criminal energy, who do want to steal and hurt and damage and maim. So just be careful with what you're sharing is really my only takeaway today. Yeah. Thank you so much, David, for this delightful conversation today. Big round of applause for David. Thank you so much. Thank you, guys. Thank you very much. Really, thank you for putting up with me for half an hour. Thank you.

TL;DR

  • Cybercriminals target humans because people are easier to exploit than technology—attackers use personal vulnerabilities, secrets, and behavioral patterns to bypass even the strongest technical defenses
  • The threat landscape has evolved from analog IEDs to AI-driven attacks and deepfakes, but the human element remains the constant vulnerability across all technological eras
  • Effective security awareness requires in-person engagement that makes threats personal and tangible, not just digital training modules that employees click through without retention
  • Building resilient security culture demands psychological safety where employees feel empowered to report threats, challenge assumptions, and learn from failures without fear
  • Organizations must educate all employees—not just IT or executives—because every person with access to information represents a potential attack vector that criminals will exploit

From Battlefield to Boardroom: Military Perspective on Cyber Threats

David Mossop draws on two decades of military experience—from Northern Ireland to Iraq and Afghanistan—to frame the evolution of cybersecurity threats. He traces the threat landscape from analog improvised explosive devices initiated by mobile phones in the 1990s to today's sophisticated AI-driven attacks and deepfakes. Mossop emphasizes that while technology has advanced dramatically, the human element remains the constant vulnerability. His military background informs his approach to cybersecurity awareness: every operation was intelligence-led, teams required safe environments to express ideas, and failure was acceptable as long as lessons were learned. This perspective shapes his conviction that cybersecurity awareness must be personal, direct, and honest about the real dangers organizations face.

Why Humans Remain the Primary Attack Vector

Mossop delivers an unvarnished assessment of why cybercriminals target people rather than technology: humans are easy to exploit. He argues that regardless of technical defenses, attackers will find personal vulnerabilities—secrets, compromising information, or behavioral patterns—to manipulate individuals. Drawing parallels to military intelligence gathering, he explains how attackers use open-source intelligence (OSINT) to build detailed profiles from seemingly innocuous information like job titles and social media activity. The session addresses emerging threats including deepfakes targeting executives, with Mossop sharing a recent example of his own CEO being impersonated on WhatsApp. He stresses that attackers operate without moral constraints, targeting not just employees but their families, and that cybercrime has become a service industry where attacks can be purchased for as little as 50 euros.

Building Effective Security Awareness Culture

Mossop advocates for a fundamentally different approach to security awareness training—one that prioritizes in-person engagement over digital modules. He describes taking SoSafe content globally, from South America to China, but insists the real impact comes from face-to-face sessions where he demonstrates physical hacking tools and social engineering techniques. His methodology focuses on making security personal: asking employees about their Ring cameras, Alexa devices, and social media presence to illustrate how much information they expose. He emphasizes targeting all employees, not just IT or C-suite, with particular attention to procurement, legal, and support staff who may receive less security training. The goal is creating a safe environment where employees feel empowered to report threats using tools like SoSafe's reporting button, which his organization has successfully implemented to increase phishing detection and reporting.

Leadership and Cultural Transformation

The conversation concludes with Mossop's philosophy on building resilient security cultures through leadership that values psychological safety over hierarchy. He rejects 'yes men' and rigid thinking, arguing that the best ideas often come from unexpected sources. His approach emphasizes creating environments where failure is acceptable and teams feel genuinely empowered to challenge assumptions. Mossop shares a telling example of socially engineering his way into his CEO's office in The Hague within ten minutes, bypassing multiple security layers, to demonstrate that human factors consistently override technical controls. He stresses that effective awareness programs require continuous education, pattern disruption (avoiding predictable routines), and honest communication about threats rather than 'warm fuzzy feelings.' The ultimate goal is building teams that understand security as a shared responsibility requiring constant vigilance and adaptation.

Chapters

0:00 - Introduction & Military Remembrance
2:55 - Evolution of the Threat Landscape
6:00 - Iraq War & Modernization of Warfare
8:39 - Deepfakes & Emerging AI Threats
10:08 - Building Security Awareness Culture
15:00 - Why Attackers Target Humans
19:12 - SoSafe's Role in Global Strategy
24:17 - Empowerment Through Safe Environments
26:44 - Audience Q&A: OSINT & Pattern Analysis

Key Quotes

5:29 "The threat landscape, it's a very broad subject for me. Because again, it's from the late 90s into now. Now we have deepfake. Now we have AI. Now we have many different tricks of the trade. And ultimately, the landscape's changed, but the human element actually hasn't. We're still falling for the same traps that we fell in in the 90s."
12:33 "In my experience, I've noted that I would suggest 90% of this room has something they don't want somebody to know. Every single face or nearly every single face in this room has some secret. We want to take your money. We want to break your credence. We want to do bad things. We are attackers. It's what we do."
16:35 "The human, I'm sorry to say, the human is the easiest person to attack. You can have the best technology in the world. You can have all the tooling in the world. You can have the best AI in the world. I or somebody like me will find something that you personally don't want brought out and we will attack that vector."
18:32 "You can buy an attack for as little as 50 euros. You can buy a ransom attack. You can buy a phishing campaign. I was watching something the other night. There was a 12-year-old in America who was in the process of doing a massive attack."
23:07 "Your technology is great. Your tooling is amazing. Your click rate is fantastic. Your open rate is amazing. But the human element, there's always going to be somebody trying to get in, always. And you need to take that away today. It doesn't matter if they use the front door, the back door. It doesn't matter. The easier you guys make it for people like me, the more havoc we're going to run."
28:47 "Any information you give online, anything, if it falls in the wrong hands can be traced, and it will be traced. It will be tracked. A like, a comment, a smiley face, a thumbs down. The more you put out there, the more I'm going to get."

FAQ

Why do cybercriminals focus on targeting people instead of just attacking technical systems?

Humans are fundamentally easier to exploit than technology. Attackers can manipulate personal vulnerabilities, secrets, and behavioral patterns to bypass even the most sophisticated technical defenses. As Mossop explains, everyone has something they don't want exposed, and attackers will use that leverage—whether targeting the individual directly or their family members—without moral constraints.

How can organizations make security awareness training more effective than standard e-learning modules?

Mossop advocates for in-person engagement that makes threats tangible and personal. This includes demonstrating physical hacking tools, showing how OSINT can build detailed profiles from public information, and conducting live social engineering exercises. The goal is creating memorable experiences that drive behavioral change rather than compliance checkbox exercises that employees forget immediately after completion.

What role does leadership play in building a strong security culture?

Leadership must create psychologically safe environments where employees feel empowered to report threats, challenge assumptions, and learn from failures. This means rejecting hierarchical 'yes men' culture, valuing diverse perspectives, and ensuring all employees—not just IT or executives—receive security training and feel their contributions matter to organizational resilience.


