Will tracking phishing click scores become an obsolete security metric in the next 12 to 18 months? We spoke to Bobby Ford, who has been a CISO at various organisations and is now Chief Strategy & Experience Officer at Doppel, about why the age of recognizable, generic phishing emails is over and what the future of social engineering defense looks like in a world powered by AI. We explored how generative AI has created a new class of hyper-personalized, multi-channel attacks that happen at a speed and scale never seen before. We discuss why traditional security awareness training, which teaches employees to spot a suspicious email, is failing when you can no longer trust your own eyes and ears. Bobby shares a new blueprint for defense, arguing that it now "takes AI to defeat AI". Learn about the shift from measuring phishing clicks to understanding your organization's overall "social engineering susceptibility" and why the ultimate goal is the preventative takedown of malicious infrastructure before it ever reaches an employee.
Questions asked:
00:00 Introduction
02:31 Who is Bobby Ford? Soldier, Philosopher, CISO
05:00 Social Engineering in 2025: When You Can't Trust Your Senses
06:45 The New AI Attack: Hyper-Personalized & Multi-Channel
08:43 Why Phishing Scores Will Be Obsolete in 18 Months
12:49 Are Executives Still the Target? The Pivot Point Strategy
14:40 Why Traditional Social Engineering Defenses Are Failing
16:20 Scattered Spider: The "Not One Size Fits All" Attack
18:40 The New CISO Metric: Social Engineering Susceptibility
22:45 A New Defense: Preventative Infrastructure Takedowns
27:25 Beyond "Check the Box": Holistic Security Awareness
28:45 Gaining Visibility Across All Channels (Including SMS)
30:50 Final Questions: From Scraping Stickers to Michelin Stars
Ashish Rajan: [00:00:00] What's the 2025 version of social engineering?
Bobby Ford: It's not just humans, you know, influencing and trying to control an outcome for individuals. Now we're talking about generative AI, large language models. What happens when you can no longer recognize a suspicious email or recognize a suspicious voice?
We're seeing that these attacks are hyper-personalized. We're seeing that they're across multiple channels, and then we're also seeing that it's happening at speed and scale. A lot of people sometimes use the word phishing. Is that the right term to use for this then? I don't think so. I think that we've moved way beyond phishing. Within, like, the next 12 to 18 months we won't be tracking clicking scores.
Phishing scores, really? I think so. So how should people plan for defenses for this? It takes AI to defeat AI. The ultimate goal is that even before it gets to your device, before it even gets to your inbox, we've taken out the infrastructure.
Ashish Rajan: I'm sure you've heard of social engineering. At least in the traditional way these days.
AI agents have been prolific in social engineering and in perhaps ways [00:01:00] that you may not have thought of. I had a conversation with Bobby Ford who has been a CISO for a little over 14 plus years across industries, and we spoke about, perhaps some people may consider it one of the oldest problems or the well understood problem and how that's a and why it needs to change, and phishing technically is probably not the right term to use today for describing the way industry has evolved around this.
So Bobby and I spoke about where phishing is today, where social engineering is today, how that has changed and what should people be building towards, especially even if you are in a scale up today, what does true social engineering look like? And it would be incomplete if you just rely on security awareness.
If you know someone who's working on this particular problem, definitely share this episode with them. And as always, if you are watching or listening to the episode of Cloud Security Podcast for a second or third time, I would really appreciate if you drop us a subscribe or follow in the audio version, which is whether on Apple or Spotify or on the video version, which is on YouTube.
On LinkedIn. Thank you so much for taking that one [00:02:00] second to hit the subscribe follow button. It means a lot when you show support to the work we do. Thank you so much for that. I hope you enjoyed this episode with Bobby and his fashion as well. Like me. I'll see you in the next episode. Peace. Hello.
Welcome to another episode of Cloud Security Podcast. Today I've got Bobby. Hey man, thanks for joining me on the show.
Bobby Ford: Hey, man, I've been looking forward to this, so thank you for having me.
Ashish Rajan: Ah, I'm, I'm, I'm looking forward to this.
Bobby Ford: We have no one. I think we've known each other on the internet for a long time.
For a long time we've been internet friends longer than we've been like real life friends.
Ashish Rajan: Yeah. Yeah. Now we are automatic friends. Yeah, we're automatic. Yeah. Yeah, yeah. Uh, tell, tell us a bit about yourself, man. What's your professional journey been so far? Uh, so people get context about your background as well.
Yeah.
Bobby Ford: Yeah, so I, I like to say that I'm a soldier turned CISO with a degree in philosophy. Oh. And so what does that mean? What that means is that I started in the military. Mm-hmm. Uh, and then after I got outta the military, and that's where I got introduced to cybersecurity. Yeah. After I got outta the military, I went to school, but I didn't go to school for cyber.
I didn't even go to school for technology. I went to school for philosophy. Okay. And I did that during the day and I did cyber at night. [00:03:00] Uh, and then sort of worked my way up to, uh, from everything from compliance to incident response to information assurance, ultimately becoming the CISO for some really large organizations.
So I've been a CISO in fast-moving consumer goods, I've been a CISO in life sciences. And then most recently I was a CISO at a tech company. Oh, wow. But now I'm doing something completely different that I'm extraordinarily excited about.
Ashish Rajan: Yeah. I mean, we are gonna talk about social engineering as well.
Yeah. I feel like, and I, I've actually, before I go into it, I should call out that one of the few people who have some fashion in cybersecurity, I definitely count you in there. Oh, I appreciate it. Yeah. Yeah. So it's like every time I see Bobby, I like that dude knows his, knows his style. I, I appreciate it.
Bobby Ford: Yeah. I, I, I think that's when I really started tracking you. 'cause I was like oh. Like I'm super competitive, bro. Oh. Like I'm super competitive and so like, I want to be known as like the sharpest dude in cyber. Yeah. Then I saw you and I was like, dang.
Ashish Rajan: I, I appreciate you saying that. But I think it's to [00:04:00] me, um.
I always find that cybersecurity is a lot about knowing the finer details. Yeah. Just kind of goes into clothing. It's to your point about how you look, how you present, how you tell the story. Exactly. There's so much more to being a CISO than just being a Yeah. For, for lack of a bit of a technical person.
Yeah, and there's nothing wrong with it, it's just that. In the current season of my life, uh, and I'm sure you in yours as well, we just wanna dress a certain way. Yeah. And it's like,
Bobby Ford: how do you show up and then how do you want other people to perceive you? A hundred percent. A hundred percent. Yeah. Yeah.
Yeah. So I'm, I'm, I'm, I'm there with you. Like there's a lot of about cyber that's attention to detail. Yeah. Yeah. There's a lot and there's a lot about fashion That's attention to detail. Yeah.
Ashish Rajan: As. It's very easy to pick up once, you know, yeah. You realize and you start talking about style. Like I say, again, I'm going in a very different tangent, but, but in a way, in a way, fashion is tied to social engineering as well.
'cause to your point about how you show up and how you kind of present yourself is Yeah. Is what builds trust in people as well. So
Bobby Ford: yeah.
Ashish Rajan: Social engineering is one of those topics, which I feel has been, at least since the time I've been cybersecurity. Yeah. Everyone has known about it. [00:05:00] Yeah, yeah, yeah. I wonder what's the 2025 version of social engineering? How you describe it to people today?
Bobby Ford: Yeah. So, so when you think about what social engineering is, it's an expression that I think was first used in the late 19th century. And then it really got popularized in the mid 20th century by a philosopher.
Ashish Rajan: Oh, right.
Bobby Ford: Uh, and it was this philosopher who thought if you treated humans like machines, you could optimize them. Okay. And so why don't we look at how we would engineer a human or a, a collection of humans to, to perform at, like, optimal performance. Uh, so that's what social engineering is.
And then Kevin Mitnick, who we all know as like the original hacker. Yeah. Uh, he really popularized it in the cyber community, mm-hmm, to mean something bad. And so what social engineering is, is how do I get an individual, through my behavior, to change their behavior, to do something that I want them to do, like, so I can achieve an outcome.
So the question that you [00:06:00] ask is like, what does that look like in 2025? Yeah. Well, it's, it's not just humans, uh, you know, influencing and, and, and trying to control, uh, an outcome for individuals. Now we're talking about generative AI, large language models. And so what does that mean? What that means is that I believe that there was a time when you could, with a naked eye or the naked ear, tell that this isn't an individual that I know.
Ashish Rajan: Yeah.
Bobby Ford: What happens when you can no longer recognize a suspicious email or recognize a suspicious voice? That's where we're headed.
Ashish Rajan: Yeah. And to your point, I mean, deep fake and all of that is like a very much it's an individual. There are a lot of scams on.
I wonder what's the landscape now with the AI pieces in the, into the mix? Yeah. To your point about the social land, the social engineering landscape has changed. What are some of the real life examples that you guys have come across?
Bobby Ford: So I can tell you some, some real life examples. Lemme start, lemme take a step back.
So what are we seeing [00:07:00] differently about social engineering attacks? There's a couple things. The first thing is that we're seeing that they're hyper-personalized. They're hyper-personalized. Whereas before they were more generic and so I could recognize it because it was generic. Now they're like email, text, or LinkedIn messages from you to me that says, Hey, remember we talked about fashion? Yeah. Uh, because they were able to pull down sources or pull information that go back to this podcast. Yeah. So it's, they're hyper-personalized first. The, the second thing that we're seeing is that it's happening across multiple channels.
Before we only had to worry about email. Now we have to worry about email, SMS, WhatsApp, Signal, social media, Slack messages, help desk, Slack, Teams, Zoom, like you, you name it. So hyper-personalized, multi-channel. And then the last thing I'll say is that we're seeing them at scale and speed. And so what I like to say, Ashish, is, I, I like to say that AI has turned days and hours into minutes and seconds. So whereas [00:08:00] before, when you think about like the Lockheed Martin kill chain for a cyber attack, it used to take me a while to gather reconnaissance. Yeah, right. It would take me a while to weaponize or to, to scan.
It would take me a while to sort of weaponize the vulnerabilities like a while from recon to attack. Yeah. Yeah. Now, not only can that happen within minutes. It can happen at scale. So before I would have to do recon on you. Yeah. Right Now I can do recon on your entire social network like that. Yeah. So, so that's what we're seeing now.
We're seeing that these attacks are hyper-personalized. We're seeing that they're across multiple channels. And then we're also seeing that it's happening at speed and scale. So
Ashish Rajan: a lot of people sometimes use the word phishing. As a way to describe this as well. Yeah. Is that the right term to use for then ?
Bobby Ford: I don't think so. And, and, and I've posted about this quite a bit. Mm-hmm. That I think that we've moved way, way beyond phishing. We've moved way beyond smishing. Mm-hmm. And phishing to where [00:09:00] now I'm less concerned about that and I'm more concerned about my social engineering susceptibility.
Mm-hmm. Right. Okay. So now I wanna know, not, not just how likely is my organization to fall for a phishing attack, or how likely is my organization to fall for an SMS attack or a social media attack, or a help desk attack. I wanna take it up a level, to say, when I look across my entire organization and I think about social engineering, here's my susceptibility score.
I, I'm willing, I'm willing to sort of predict that within like the next 12, and I think this is kind of controversial, but I'll say it anyway, within like the next 12 to 18 months, we won't be tracking clicking scores. Phishing scores. Really? I think so. Yeah. I think over the next, next 12 or 18 months, we won't be, because when you think about it, it only takes one click.
Yeah. It only takes one click. And so while we do, and I'm not saying we want to get rid of our education and awareness program, right, or that we wanna get rid of our phishing programs. I'm not saying that by any stretch of the imagination, but I'm saying I don't think it's a very useful [00:10:00] metric because we do more than just communicate via email.
Yeah. We do more than just work via email. It's across multiple channels.
Ashish Rajan: Actually, to your point, a conversation may start with a LinkedIn DM, end up in an email and follow the chain from somewhere else. Or I could just upload a PDF in your LinkedIn DM as well. Hey, this is a resume for this latest job that was there.
Yeah. And you social engineered that thing.
Bobby Ford: And when you think about it, here's something I, I was thinking about recently: most of our initial contact happens online. Yeah. Most of our introductions happen online. Yeah. So what happens when I establish a brand new relationship completely online?
I've never actually even seen the individual. Yeah. I've never even, talked to the individual or even heard the individual's voice before. Yeah. And we're focusing on email.
Ashish Rajan: Yeah. Actually it's funny 'cause you know, a lot of ways [00:11:00] how you and I described our interaction, where you and I saw each other online.
Yeah. I saw this guy's fashion sense. I would love to connect. We connected. Yep. Spoke here and there on the DMs. Yep. And technically I could be an AI. You could, and, and, and in the future you will be. Yeah. I'm like, how so? What is the, I feel like. So a lot of the phishing initially was, uh, at least for, for me as CISO, what was more focused was, Hey, who's targeting the executives?
Yeah. Hey, making sure they are doing the security awareness training, all of that. I, I described, I laugh about this today, that it's been a while since I got an email from a Nigerian prince for my sending money. But nowadays it's a lot more specialized and personalized, hyper-personalized.
They know that I did a particular episode on a particular topic. Hey, uh, I made a joke about, Hey, I would love to get that hundred million or whatever from Meta CISO, and I get DMs from people asking, Hey, oh, would you want a job as CISO? And I'm like, how do I vet this thing for being a legit thing versus someone random on the internet?
Especially by the way, for [00:12:00] people who are considering I, I guess. It does happen at scale where you don't respond to people after a while the account disappears. Mm-hmm. And you almost question like the person clearly had a history profile. Yeah. Professional and all that.
Bobby Ford: An entire infrastructure just for you.
Ashish Rajan: Yeah.
Bobby Ford: Yeah. Just for that message.
Ashish Rajan: And you're going, wait, so it felt very legit. 'cause you do your, to your point, security hat on. You've gone through, done the research. The company seems legit. It's just a thing on the website saying, I work for, I don't know, Microsoft. You're not going into Microsoft to check that I'm actually working in Microsoft.
Bobby Ford: No. I could write whatever I want. Yeah. You know how many people have like fake titles, right? Like, like legitimate people with fake titles on LinkedIn. What happens when we sort of get towards agentic AI and, and they're creating fake titles and fake resumes and fake jobs that they've held.
Ashish Rajan: So is the value, because a lot of that used to go down the path of, hey, someone wants to impersonate the executive.
That's where that fear used to come from. So has that changed now?
Bobby Ford: Has it changed? I, I [00:13:00] think there still is, first off, there still is a level of impersonation for executives happening, right? Very much so. Okay. Very much so. And you need an organization like Doppel to address that. Yeah. Right. So, so that, that very much still happens.
I think the motivation behind it has changed a bit. Okay. And, and what I mean by that is I believe that the motivation behind it used to be because I wanted to launch an attack. Impersonating that particular executive. Yeah. Or I wanted to gather information intelligence about that particular executive.
And what we've seen now is that that impersonation just becomes a pivot point. So it's not even about that executive, but it's about a third party or this connected individual. And when you look at this individual over here, you see that they're connected to this executive over here. So that gives them some credibility.
Yeah. Yeah. And so that's what we sort of talk about when we talk about like the connectedness of social engineering [00:14:00] attacks. That it's not a one for one anymore, that they're building entire, or that the adversary is building entire infrastructures. They're setting up entire infrastructure, entire social networks to launch an attack.
Ashish Rajan: So how should people plan for defenses for this? Because I, and where does the current part, current way of doing this fail? Where does security, yeah. Have we, 'cause to your point, phishing has been there for a long time. Yeah. Social engineering has been there for a long time. Why does it fail in the AI world?
Let's start there first. Yeah. Why does it fail? Fail in the AI world?
Bobby Ford: It fails in the AI world. It goes back to something I, I mentioned earlier because for, for forever it feels like forever. Uh, for the longest time we've trained individuals on how to recognize a suspicious email. Hmm. It's, it's always been that like, look for misspelled words.
Yeah. Yeah. Um, look for them not, you know, using your full name. Yeah. Like, or look for misspellings, look for, uh, improper grammar, domain name. Yeah, yeah, yeah. Look for stuff like that. Check out the domain name. Yeah. And so we were [00:15:00] training individuals to recognize it with a naked eye. In the AI world, you, you can't, like, you, you can't, you can't recognize it with a naked eye.
So I, I think that's the first thing. Because multiple channels. Is that why to what you Well, you, you can't because it's so hyper-personalized that there are no mistakes in the email. Oh, right. Okay. To your point, it's almost So we tell people to like, look for mistakes in the email. Yeah. What happens when there are no mistakes in the email?
Yeah. Like what? What happens? What ha we, we've told people, look for malicious domains. We're seeing legitimate domains being established. Right? Legitimate domains being established for social engineering attacks. So what happens when you can't recognize it with a naked eye?
Ashish Rajan: So how do you build defenses for this?
Bobby Ford: Yeah, I, I think that I, I, here's what I love to say. It takes AI to defeat AI. Interesting. Okay. Yeah. It takes AI to defeat AI. And so what that means is that hopefully you're leveraging a solution that's incorporated AI to recognize the, the, the [00:16:00] malicious and the suspicious, right?
Ashish Rajan: For, I think there was a Scattered Spider thing going on.
What was that about as well? If you don't mind me, I, I guess if you wanna add some color to that as well.
Bobby Ford: Yeah. Yeah. So, so when you think of what Scattered Spider is, it, it's a well known adversarial group that specializes in social engineering attacks. And I can't say definitively, but they have been known, and it's publicly available.
There's information about how they've compromised some really large organizations here in, in Las Vegas. Yeah. As well as compromised some really large organizations recently in the retail space in London, you can
Ashish Rajan: Yep.
Bobby Ford: And so. From my perspective or from our perspective, what Scattered Spider has done that's truly, I know you're not supposed to use the word innovative, right?
Uh, to talk about attacks, but what they've done that's truly innovative is it's not a one size fits all. Oh, it's not a one size fits all. It, it's by chance. It's like they're looking across multiple channels. So if we feel like, Hey, an [00:17:00] email works for Ashish, we're gonna leverage an email. If we feel like SMS works for Ashish, we're gonna leverage SMS. If we feel like the help desk works for Ashish, we're gonna leverage the help desk.
Yeah. And so that's what Scattered Spider has done. That to me is sort of different. They, it's not a one size fits all. They haven't selected, Hey, we're going to look for web facing, you know, web facing applications. Like, it doesn't matter. However we can compromise you, like, we will compromise you.
Ashish Rajan: Truly what a malicious attacker does, which is, yeah, I don't really care how, I don't care. I just want the lowest, uh, I guess the lowest or the easiest path to get into the company. Yeah. If it's an SMS, it is an SMS,
Bobby Ford: it's, it's the easiest path to get into the company. And again, it, it's forever we've looked at protecting technology.
Yeah. We've looked at, and this will also be controversial, we've also looked at protecting data, looked at protecting applications, where it, it really doesn't matter. It's like, what's the objective? I'm [00:18:00] not compromising the application for the sake of compromising the application.
Yeah. I'm compromising the application because ultimately I want to exfiltrate some data because ultimately I wanna make money off of that data. It's always monitoring. Yeah. Yeah. And so it doesn't matter how I do it, like I don't have a set playbook for, for, or I, I'm not bound by any sort of regulations or bound by any requirements to do it one certain way.
Yeah. Yeah. It's like, you know, Malcolm X by any means necessary. Yeah, yeah. Like, I'm going to use any means necessary to get to achieve my objective.
Ashish Rajan: Do you feel like people need to change the way they measure success for phishing and security awareness? Because at, at the moment, to your point about click through rate is what people kind of go with.
Mm-hmm. If, I hope, I found that out of the 10,000 employees, we have only 20% that click or whatever.
Bobby Ford: Yeah. 9% and then it's still too many.
Ashish Rajan: Yeah. Because it only takes one click. Yeah, that's right. But what should the new ROI be then, I guess, or how do you discuss these metrics with the executives?
Bobby Ford: Yeah. I, again, like I mentioned earlier, I think it's through [00:19:00] social engineering susceptibility.
Like you'll hear me keep saying that like I will be successful in what I'm trying to do in my new role. Yeah. If a year from now CISOs are reporting to their board on their social engineering susceptibility score. Interesting. Like, I will be successful because I think that's the metric we need to track.
And that looks across multiple channels. It says that if I were to call my help desk, uh, how likely is my help desk to give away, you know, valuable information. Mm. If I were to send my organization SMS messages, how likely is my organization to respond to those SMS messages. And here, here's one of my favorites.
Whenever I hear, oh. I had a conversation recently with a CISO who told me that his organization doesn't do business via SMS. Okay. And I was like, okay. It, I was like, okay. How do you know? Yeah. [00:20:00] Like, how do you know? Like, I think there are so many ways. I mean, that we do business, we do business we trade military secrets.
Yeah. Everything via text, so,
Ashish Rajan: yeah. Yeah. Yeah. I mean, I think, uh, I've heard WhatsApp groups, Signal groups. I've also heard Telegram groups. Yeah. I think in my couple of roles before as CISO, uh, the executive group was a WhatsApp group for making people aware there's a, there's an incident.
Hey, whose, whose department is looking after all that? That's all messages. There's no, there's no Slack going around at that point in time.
Bobby Ford: So the, there, there, there's one organization that I worked for where there was a WhatsApp group with all of the executives on it. Yeah. Yeah. And that's how we conducted business.
That's right. Like board presentations via a WhatsApp group.
Ashish Rajan: Yeah. Yeah. Yeah. I definitely feel, in today's day and age, I think you've summarized it really well, where whatever it takes to do the business, yeah, in the quickest way possible, right, that's what people are looking for. Yeah. Like I was not on WhatsApp before that.
I was primarily a Signal person, but I had to be on WhatsApp. You can't really tell the rest of the executives, Hey, actually I don't think it's [00:21:00] secure. Yeah. You can my tell whatever. Like, yeah.
Bobby Ford: You, you fi, you figure out a way to secure it. Yeah. Yeah. Like, and that, that's what our role as security professionals is, yeah.
It's to figure out a way to secure the environment. Business has to get done. I but if, if you think about it, remember there was a time when we told, our organizations that they couldn't use social media. Yeah. There was, yeah. Like think about it, like, go back even further.
There was a time we told our organizations you can't use the internet. Yeah. Like, like do not like, it was the like, do not use the internet. That's where business happens. Yeah. Then we said, you can't use social media. Yeah. Like, that's where business happens now.
Ashish Rajan: We were saying, don't use ai. Right.
Bobby Ford: Don't use like. That's where business happens.
Ashish Rajan: Yeah. Yeah.
Bobby Ford: So you gotta figure out a way to secure it.
Ashish Rajan: Yeah. And do you find now that the, there is a i, I love that you're going with social engineering. What was the susceptibility? Susceptibility,
Bobby Ford: yeah.
Ashish Rajan: To measure that. How would you say people, because I guess.
In today's day and age when someone is thinking about social engineer, social engineering, or how susceptible they are to social [00:22:00] engineering. Yeah. A lot of CISOs may go down the path of saying, Hey, I've got a security awareness program. Right? Right. We've done phishing campaigns to see how effective they are.
We've tried all these other things, which makes me feel we don't need to really go down the path. 'cause social media monitoring in itself is like a whole ordeal at that point in time that no one wants to be part of. Right. Because it's almost like a, some people may think it's, I, too intrusive.
Yeah, too intrusive. Yeah. Too, like people are almost like, oh, why you, why do you want access to my personal social media?
Bobby Ford: Right, right. And it's like, there is, there's so many, and it's like some people feel like it's a violation of privacy.
Ashish Rajan: A hundred percent.
Bobby Ford: A hundred percent.
Ashish Rajan: So where, where do you kind of, how do you even go down the path of implementing something like this?
Bobby Ford: Yeah. So what we've discovered is that there are two parts to it. There is the visibility into it, and then there is the, uh, remediation. So what I like to say is that it's not just about identifying it. Okay. It's about like fixing it. Like you can't just identify, Hey, look, look at all these problems we found.
Look at all these issues we found. So it's about identifying it, but then [00:23:00] it's also about remediation. So back to your question, like how do you solve for it? Most of what can be done, when you recognize these malicious domains and this malicious infrastructure that has been stood up for the purpose of social engineering attacks, you can take it down at the infrastructure level.
Yeah. And so the ultimate goal is that it doesn't land on a mobile device. It doesn't land in an inbox. The ultimate goal is, Hey, listen, we're monitoring for these malicious domains, whether it's, you know, on, on webpages, whether it's paid ads, whether it's telephone, social media, whatever it is, we're monitoring for that and we're taking it down.
Mm. So that, like I said, the ultimate goal is that even before it gets to your device, yeah. Okay. Before it even gets to your inbox that we've taken down the infrastructure, like that's the ultimate goal. Like I think that's how you remedy it. How do I solve for it? I fix it so that I'm not putting the onus on the user.
Interesting. I'm, I'm addressing it. It's, it's truly preventative. Truly preventative.
Ashish Rajan: [00:24:00] And would you say with the current way organizations, all, they already have a security awareness program. They have a, like I, I almost feel where you are coming from is almost an uplift to an existing model where the current model doesn't look at social and susceptibility.
Yeah. It doesn't look at what the multiple data points. I may be bitching about my boss on Twitter for whatever reason. Right. Without calling them out. Right. I, but people can link, look to my, look up my LinkedIn, know which company I work for. Yeah. Who potentially my bosses are.
Bobby Ford: Yeah.
Ashish Rajan: Now these are the websites connect the dots.
Yeah. Yeah. They can easily connect the dots and take it all the way. Yeah. And you can do it at scale.
Bobby Ford: Yes. Yeah. You can connect the dots at scale. So whereas before you would think of an individual that had to stitch all of that data together. Yeah. And now it's like, you know, give me a report on Ashish and I get it all.
But then once I get it all in, in the hands of the adversary Yeah, like, it's like, it's like, you know, shooting fish in a barrel.
Ashish Rajan: Yeah. So to your point, if people were to approach this today, even [00:25:00] from an uplift perspective, have that visibility and remediation kind of like a two, two phase part, where, how much visibility do you actually have today in terms of your security awareness?
Social susceptibility. How much of the social monitoring is happening? At what level? Yeah. Like should it be every employee, every department, or it,
Bobby Ford: It, it depends, and I, I would say that visibility into it now. Happens via a bunch of stitched solutions. Oh, they try to stitch 'em together. So you have something for dark web monitoring, right?
You have something for threat intelligence. You have something else for social media monitoring. Mm-hmm. You have something for malicious domain monitoring. You have something for phishing. Right. And so you have all of these point solutions. Yeah. I think that and what we believe, uh, at Doppel is that the next generation.
Not even the next generation. This generation requires a solution that creates a platform that looks at that and then can respond and [00:26:00] remediate because you need the
Ashish Rajan: context. Because I think a lot of the incidents I, I think, uh. I remember an example where I was on, I think it was an energy sector company.
Things started on LinkedIn DM, the person was given a link, clicked on the link, and he, and they, the person knew it is a work hour. So they were between the nine to five period,
Bobby Ford: right?
Ashish Rajan: They would be on their work laptop. They had access to LinkedIn on their work laptop. So they opened it up and there was a malware and all of that.
And I think the one thing that we struggled with at that point in time was we could stop the thing on our side. There was no LinkedIn contact. Who do you contact? LinkedIn?
Bobby Ford: Well, well, we do work, uh, I can say for us, at Doppel, we do work with a lot of the social media organizations in order to, to do take downs.
Right. And yeah, so there, there, I mean, LinkedIn does have a department that specializes Oh, there is, there is a department that you can contact. I'm not saying that it's easy.
Ashish Rajan: Yeah,
Bobby Ford: okay. Right. I'm not saying that it's easy, but yeah, they do have like, you know, a arm that you can work with.
Ashish Rajan: Do you feel is just for everyone then?
Because I feel like it's hard for a lot of CISOs to go [00:27:00] beyond. Like nine or 10 times. A lot of conversation that I had with companies in different stages where people in startups, I'm gonna not mention that, but say people who are scale ups. Mm-hmm. Tech first growth companies, they have said, Hey, I need ISO compliance, or I need SOC 2 compliance, so I need to have security awareness.
Bobby Ford: Yeah.
Ashish Rajan: How do you. I guess share the idea of social susceptibility to them, social engineering, social susceptibility to them. Because I find that at an enterprise level, a lot of people are already aware of it. They realize the risk of it. So there's a brand association, there's a brand risk. Is that, is this something which is primarily affecting people at that level, or is that across the board?
Cause I'm curious on the insight.
Bobby Ford: Yeah. I think, and if I, if I understand the question correctly, it's like how do you educate. Some of the smaller organizations on the importance in going beyond traditional education and awareness. Yeah, yeah. 'cause most of them would just stop at security awareness and that'll be it.
And say like, check the box. Yeah, check the box. I, I think it's, how do you [00:28:00] define. What education and awareness is. Hmm. Uh, because truly like social engineering and the way that we combat against it is through education and awareness today. Yeah. So it's elevating it up a level to say that it's not just about point solutions.
It's about like a holistic approach. Yeah. So I think that's how, at least that's how I would do it, just to make sure that when they're looking at education and awareness, that they're looking at it holistically. Mm-hmm. And that it doesn't, it is not just about recognizing a suspicious email.
Ashish Rajan: Oh, I love that approach.
I think for people who are almost thinking this of a maturity, maybe examine their current program today. Yeah. Uh, I feel like visibility is a good place to start. Right? Uh, would you say, I think, and is there like different stages they can use it as a maturity for what are the easy levels to kind of jump up on as they uplift the program?
Bobby Ford: Yeah, as they uplift. I, I think visibility. Like you, you can't fix what you can't see. Yeah. Right. So, so definitely visibility. But, and, and I appreciate that question. It's not just visibility across one [00:29:00] domain. So, so I, I know that it seems like I'm, I'm staying on one topic, but when you talk about visibility right now, we've mainly focused on visibility, email. Yeah. Yeah. The industry. Yeah. Yeah. We focused on visibility.
It's visibility across all the channels and he, here's where it really gets dicey is most of the CISOs that I talk to, they get antsy when you talk about mobile devices, they get antsy, like, and I always ask the question, what are you doing for SMS or for Smishing? Yeah. And most of 'em say nothing.
They have no solution. I'm like are you testing your organization? No. My, I can't push anything out to my user's devices. The adversary doesn't think like that. Yeah, yeah. Like the adversary doesn't think like that. And I can tell you in my previous role as a CISO, I've had individuals who have transferred large amounts of a company's money.
Because of an SMS message. Oh. I've had individuals who've lost some of their own money because of [00:30:00] WhatsApp message. And so whenever I hear CISO say, uh, my users don't want me to push anything out to their devices, I'm like, I wonder what would happen if you open up a program and look for volunteers.
Yeah. And just said, Hey, listen, we wanna push something out, or we want to test you just to see what you would get.
Ashish Rajan: Yeah. Because
Bobby Ford: the adversary doesn't stop and say, Hey, I'm only sending an email. They don't. And so you talk about visibility, it starts there across multiple channels. Yeah. And then you move beyond vis, I mean, you move beyond visibility to get to remediation.
What are we doing to take down these infrastructures that are trying to target us? It's not necessarily hacking back. Mm. It's not necessarily hacking back because I don't think organizations should do that, but it is what are we doing to take down the infrastructures that are targeting our users?
Ashish Rajan: Yeah.
I, I love that. I mean, those are mostly. Technical questions of, of course. I've got three fun questions for you as well.
Bobby Ford: I like fun questions. I enjoy your fun questions. I told you like I'm a huge fan. I appreciate that, man. Like, like, I like, I'm, I'm being like, I'm being so transparent. I know. I'm trying to play Cool.
Hopefully I'm looking cool and sounding cool. You're definitely, I hope. Yeah, I hope so. But bro, like I'm a [00:31:00] huge fan. Like just sitting here in front of you, like I listen to you all the time. I appreciate that talk. And so I think when I, when I, when we saw each other in San Francisco, like I ran to you on the street.
Yeah. And I was like, I gotta go stop it. I appreciate that I'm a huge fan because. Like your content. I'm not just blowing smoke, like your content is so poignant. I appreciate that. And it's so informative and especially for like, once you get to a certain level, you get scared to ask questions. Yeah.
Because you don't wanna look like an idiot to your staff. Yeah. Right. Yeah. You would be surprised how much you've educated me. So there are times when I'm listening and I have a notepad out and I'm taking notes. So again, I, I know the fun questions, so.
Ashish Rajan: Perfect. Thank you. So, so let's do it. So the first one what do you do when you spare time, when you're not working on solving this phishing problem?
Social engineering problem in the world?
Bobby Ford: Yeah. Yeah. I spend way too much time at the gym like
Ashish Rajan: I do. I can see that for people should watch the
Bobby Ford: video some guns. I, I appreciate you saying that, but most of the time I'm at the gym, I'm just talking.
Ashish Rajan: Oh,
Bobby Ford: [00:32:00] like I spend way too much time at the gym talking way too much time in the sauna and the cold plunge like, like the gym is like my me time, so I spend way too much, and when I say way too much, three, three and a half hours and I'm not working out the entire time.
I'm just in there hanging out.
Ashish Rajan: It's like a regular gym where you go for cross. Fit or one of those ones. I mean, they have that. I don't do it. Oh, right, right. I mean, you're just talking to the
Bobby Ford: guys doing the CrossFit.
Ashish Rajan: Yeah, yeah, yeah. I just talked to Yeah, exactly. When they're on their break, I go talk to 'em.
Yeah, fair. Like when you're done with the ma muscle up, I'll talk to you, hang out. Fair. Uh, second question. What is something that you're proud of that is not on your social media?
Bobby Ford: Yeah. And when you, when, when you ask that question, like I've always had a great response. What am I proud of that's not on my social media page is that, um, my first gig in cybersecurity was me scraping stickers off of hard drives.
Ashish Rajan: Really?
Bobby Ford: Yeah. Yeah. And I, and I go back to that and I remember at that time thinking like, [00:33:00] how can I make a living doing this? Yeah. Wait, so what was the purpose behind doing that? So I was in the military. Yeah. And in the military whenever you had classified hard drives, you'd have to put classification stickers on them.
Okay. Right. So you had to put like the red stickers on them that said secret or the yellow that said, SEI. And so when it was time to decommission those hard drives, we'd have to degauss them. But before we degauss them, we have to scrape the stickers off because we didn't want, you know, if any, if it fell into the wrong hands.
Of course. To know that this used to be a classified drive. Yeah. Yeah. And so that was my gig. Oh wow. That was my gig. I was scraping stickers off of hard drives, putting 'em through the degausser, man. That's how I got my start
Ashish Rajan: starting there
Bobby Ford: all the way up to CISO. All the way up to CISO and from CISO to startup.
Ashish Rajan: Wow, man.
Yeah. Uh, final question.
Bobby Ford: We're very fortunate.
Ashish Rajan: Yeah. Yeah, dude. And thanks for sharing that as well. I appreciate that. It's a, it's a humbling start as well. You realize that I think a lot of people are thinking about different ways for. They all want a cool CISO job straight up. Mm-hmm. But they don't talk about like the [00:34:00] journey to get there.
Yeah. Is, is a, is a long one, man.
Bobby Ford: Yeah. It's it's a long one. Yeah. Yeah. And it doesn't always start off. And so that would be like my word of encouragement to anyone that's listening. Like it doesn't always start off in compliance. It doesn't always start off, sometimes it starts off in like in a really crappy gig, but you just stick with it and put yourself in position for opportunities.
Ashish Rajan: Yeah. Yeah. Oh, no. Thank you for sharing that. Yeah. Um, final question. What's your favorite cuisine or restaurant that you can share with us?
Bobby Ford: My favorite cuisine is I am a fan of Michelin starred restaurants. I'm a huge fan. And my favorite restaurant is this, uh, three star Michelin restaurant. Called the Inn at Little Washington.
It's outside of DC. Okay. Uh, and it's in the middle of nowhere, right? Like it's in the middle of nowhere, but they've served presidents and queens and kings. I mean, you should like really look it up because it's like a hidden gem and an entire town has been built around this one particular restaurant. So you asked what's my favorite [00:35:00] cuisine?
It would be Michelin Star restaurant, and the restaurant would be the One Inn at Little Washington.
Ashish Rajan: Interesting. And is that like a farm to table? Is that why, or it's,
Bobby Ford: it, it, it's definitely farm to table. I'm not exaggerating, like the entire town has been built around. So there are farms, there are gardens.
It's all like right there. This like the chef, there's a rock star. Wow. Like, he's like legit, like a rock star. He walks around taking, like selfies with people, signing autographs. Uh, he's giving birth to other Michelin starred restaurants.
Ashish Rajan: Oh, wow. Well, I think you, you and I align out there as well. So my wife and I are on a mission for trying all the Michelin star restaurants.
I know it's like gonna be a list that we'll continue into as we get old as well. Right? Right. So every time we go to a new city, we try and make sure we at least book one Michelin starred restaurant. Very cool. Yeah. At least very cool. It's like it becomes a special meal, but at the same time. It's also an experience that you would've never had otherwise.
Exactly. We were in I think we were in Norway and Finland, and it's like all the Nordics in [00:36:00] Scandinavia, but the way they. Sounds so silly to say that it's like a salmon soup, but that was one of the best salmon soup I've ever had in my life. Okay. Okay. And I'm like, it's just salmon soup. I'm like, how good a salmon soup can be.
But I'm like, it was great. And I'm like, I, I, I go back to that when you mentioned Michelin Star, and every time I talk to someone who. Knows what that is. 'cause I, I think it's almost an acquired taste as well. Yeah. You could totally be happy with McDonald's. Nothing wrong with it. Yeah.
Bobby Ford: Listen, I tell anyone that goes to if you go to a Michelin star red, you don't go there to get full.
Yes. Like, you legit have to be prepared to eat a meal after that. Yeah. You go there for the experience. Yeah. And, and I'm in, I'm in pursuit of a perfect bite. That's what, that's what my ultimate goal is. Like I want one perfect bite. I've come close. Yeah. Okay. I've come close, but I just want one bite that makes me say, oh my God.
The best saying this day. Yeah, yeah, yeah. That, that, that's what it's all about. And so that's why I'm a fan of like the Michelin star. 'cause like they have like these one bites that they bring you.
Ashish Rajan: Yeah. That it's like, oh my. [00:37:00] Awesome man. I thank you for sharing that. I did have another question 'cause obviously you've done the gigs in cybersecurity across different areas.
Mm-hmm. Now you moved over to Doppel. Yeah. Why that changed? Why not go to another CISO gig Yeah. At another place?
Bobby Ford: Yeah. So I've, I've done the CISO thing now for 14 years. Right. I've been a CISO for 14 years and what I found Ashish is that I was joining organizations that were very, very late stage.
So, joining organizations that had been around at a minimum for 80 years. Right. And so I'd built programs, but I'd never really helped build an organization or build a company. Build a brand. I was attaching myself to large brands. I never really helped build a brand. And not only are we building a brand at Doppel, but we're also creating a category.
Mm. And to me that's legacy.
And I'm at a point in my career where I'm really thinking about legacy. Yeah. So that, I think those are like the first two reasons, right? To actually build an organization. It's something about legacy. And then the third reason I think, I don't know if our co-founders have been on the podcast. No, not yet.
No. Okay. I, I think [00:38:00] that if you meet them, bro, like you're going to be so impressed. Right. Okay. Yeah. Like super impressed because I mean, these are like, like they're former Uber engineers, but just like these brilliant minds that came up with like this brilliant concept in the tech work. So you say like, so why Doppel and not another organization?
I would say because of those reasons. Like I, I believe in building something. Yeah. Yeah. I believe in creating a legacy. Yeah. And then like we have brilliant co-founders. That's
Ashish Rajan: awesome, man. And, uh, where can people hear more about Doppel and the amazing work they're doing?
Bobby Ford: Yeah, so, so, so definitely follow us on, on social media, so on LinkedIn, and then you can go to our website as well, doppel.com, uh, and learn more about us and then, you know, check out the content that we create.
Ashish Rajan: Yeah. And we can people
Bobby Ford: find you on the internet? Yeah. Yeah. They can find me on LinkedIn. I'm, I'm really active on LinkedIn and when I'm not like, commenting on your content, uh, they can find me at a gym.
Ashish Rajan: Three hours later, Bobby still there? Exactly. Yeah. Fair. No, now thank you so much for that, for sharing that.
Thank you. And thank you for coming on the show as well, man. Yeah, thank you. I really appreciate that.
Bobby Ford: No, I [00:39:00] appreciate the invite. I appreciate being here. Like I said, it's, it's like I'm, I'm high now. Like this has been phenomenal for me. I appreciate that, man.
Ashish Rajan: Thank you so much for saying that. And uh, thank you everyone from tuning in as well.
See you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there.
Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do in-depth analysis of different topics within cloud security, ranging from identity endpoint.
All the way up to what is the CNAPP or whatever, a new acronym that comes out tomorrow. Thank you so much for supporting, listening and watching. I'll see you next time.