Episodes

  • 25 - Building a Reward-Driven Security Culture
    Apr 7 2026

    Phishing has been one of the most reliable tools in an attacker's arsenal for decades. Despite endless simulations, mandatory trainings and a growing set of tools, the problem hasn't gone away. AI-driven targeting makes it smarter, faster and more personal. But the issue isn't just the threat itself. It's how we teach people to recognize and respond to it.

    In this episode, we sit down with Craig Taylor, a 30-year cybersecurity veteran and co-founder of CyberHoot, to explore why traditional phishing exercises fail to change behavior and how shame-based or punitive approaches are undermining security culture. Craig explains how a multidisciplinary, psychology-backed approach can transform user engagement, reward good behavior and build real security resilience.

    Whether you're leading a security program, responsible for awareness training, or simply curious about how phishing has evolved in the age of AI, this conversation will change the way you think about user education.

    Highlights:

    • Why traditional phishing simulations often hurt security culture
    • How AI is reshaping phishing attacks at scale
    • The psychology behind behavior change and what most programs get wrong
    • Why positive reinforcement works better than punishment
    • How to build a learning-driven, user-friendly security culture
    • Practical steps organizations can take to modernize phishing education

    Craig Taylor is a seasoned cybersecurity leader with over 30 years of experience across web hosting, finance, manufacturing, and more. He is the co-founder of CyberHoot, a cyber literacy platform for small businesses and MSPs, and has served as a virtual CISO for more than 50 organizations.

    CyberHoot Resources

    • 20% Off CyberHoot for 1 year using code "Cyber Compliance and Beyond"
    • Main Website: https://cyberhoot.com/
    • Individual Registration (Free Personal Training for Life): https://cyberhoot.com/individuals/
    • Businesses and Managed Service Providers: https://nest.cyberhoot.com/autopilot-signup/
    • Newsletter Sign Up: https://cyberhoot.com/newsletters/
    • Blog: https://cyberhoot.com/blog/
    • Cybrary: https://cyberhoot.com/cybrary/
    48 min
  • 24 - CMMC Architecture: Enclave, Enterprise, or Hybrid?
    Mar 31 2026

    Organizations chasing CMMC often jump straight to "what tech should we buy?" but scoping begins with people, policies, processes and how information actually flows across the business. This episode offers clear, candid guidance for any team wrestling with scope and architecture for CMMC and trying to do it right the first time. We walk through the real trade-offs between enclave vs. enterprise approaches, why enclave complexity can hurt day-to-day work, and where a hybrid model can make sense if you have the internal expertise (or the right MSP).

    We discuss practical criteria for selecting MSP/ESP partners, break down the 36-month assessment window and the kinds of environmental/business changes that might trigger reassessment, and explore NIST SP 800-171, Revision 3 readiness.

    Highlights:

    • Start scoping with people, processes, and information flow—not the "shiny tech."
    • Enclave vs. enterprise vs. hybrid: reduce user complexity, weigh operational realities and plan for 36 months.
    • What to ask MSPs/ESPs: Level 2 status, shared responsibility matrix specifics, contract gaps, and insurance.
    • Changes that can trigger reassessment and how proactive change control avoids surprises.
    • Revision 3: prepare now; certification momentum on Revision 2 still pays dividends.
    36 min
  • 23 - Building a Culture of Security in the Age of AI Deception
    Mar 3 2026

    We all say security is important, but does our behavior reflect it? In this episode, we explore what it really takes to build a true culture of security inside organizations.

    Traditional awareness training and phishing simulations often feel surface-level and at times punitive. So how do we move beyond compliance checkboxes to meaningful behavioral change?

    Joining us is Robert Siciliano, cybersecurity leader, speaker, and creator of the Strategic Human Firewall™. Robert shares how AI-driven social engineering, deepfakes, and synthetic identities are bypassing technical controls—and why the workforce is now the most critical line of defense.

    We discuss:

    • Why security culture starts with mindset
    • The "Human Blindspot" and the instinct to trust the familiar
    • Shifting from "I trust what I see" to "I verify everything"
    • Turning security awareness into true security appreciation
    53 min
  • 22 - Preparing for CMMC the Right Way: A Q&A Deep Dive
    Feb 3 2026

    In this Q&A-style episode, we revisit the CMMC landscape following the implementation of the rule and the finalization of the Title 48 procurement rule. We break down what's changed, how CMMC requirements are phased into contracts and most importantly, the types of CMMC services available to help you take your next best step.

    We dive into boundary identification and definition, gap analysis/assessment, documentation support, readiness assessments, and formal Level 2 C3PAO assessments, along with key questions you should ask service providers to avoid confusion and unnecessary costs.

    Whether you're just starting out or preparing for assessment, this episode is designed to help you navigate CMMC with confidence and clarity.

    References

    • Episode 11 – CMMC Rollout Q&A
    • Phased Implementation of CMMC (each one year in length)
      • Phase 1: Level 1 and Level 2 self-assessments; possibility of Level 2 C3PAO
      • Phase 2: Level 2 C3PAO for initial contract award; possibility of Level 3 and Level 2 C3PAO for option year awards
      • Phase 3: Level 2 C3PAO for option year awards; Level 3
      • Phase 4: Level 3 and full implementation across all contracts
    • Key questions to ask CMMC service providers
      • Does the assessment allow me to still leverage you as a C3PAO?
      • Does the assessment mimic a full formal assessment, including all evidence collection? This is important, as some only include interviews and live demonstrations, but do not include formal evidence gathering.
      • Can I use evidence collected in one of these preparatory assessments during my formal assessment? Generally, the answer is yes, but a good rule of thumb is that the evidence shouldn't be more than 90 days old during a formal assessment.
      • Do you offer a scoped preparatory assessment? Alternatively, you may want to only cover the controls for which a POA&M is not allowed. Ask if these are a possibility. They'll save you money, time, and give you the peace of mind you're looking for.
    • Contact the Kratos CMMC team
    • Cape Endeavors
    18 min
  • 21 - Managing Cyber Risk: The Insurance Component Leaders Shouldn't Overlook
    Jan 6 2026

    In this episode, we take a practical look at how cyber insurance fits into the broader world of organizational risk. While we often talk about risk from a security and compliance perspective, insurance brings its own lens, which has become increasingly important as threats evolve and claims grow more complex.

    Today's guest, Mark Westcott, President & CEO of ACNB Insurance, breaks down the types of risks insurers care about most, how cyber policies are shaped, and the key factors that influence underwriting decisions. We also explore how compliance frameworks and certifications play into premium pricing, risk scoring, and eligibility.

    Learn about:

    • The types of risks insurers prioritize—and why
    • How insurers approach cyber insurance
    • The connection between compliance standards, certifications and insurance rates
    • Core benefits of cyber insurance beyond financial protection
    • Whether regulations mandate cyber insurance and what drives adoption
    • Key questions organizations should ask when evaluating cyber coverage
    40 min
  • 20 - Red Teamers and Pen Testers: Technical, Cloud and Soft Skills
    Dec 2 2025

    There's no shortage of cybersecurity tools, but most compromises don't happen because of technology failures; they happen because of a failure in organizational processes. In today's episode, we explore how penetration testing and red teaming expose the people, process and operational weaknesses that technology alone cannot.

    We discuss why security is ultimately a people problem, why organizations struggle to identify their own blind spots and how offensive testing reveals hidden vulnerabilities that technologies alone miss.

    In today's broad ranging episode, we cover the following:

    • Penetration testing vs. red team engagements
    • What a real red team assessment looks like
    • Attack vectors that still work surprisingly well
    • Interesting "ins" from the real world
    • The ongoing role of social engineering
    • Custom tooling vs. off-the-shelf frameworks
    • Staying current with attacker techniques
    • Finding business-logic flaws automated tools miss
    • The hardest parts of offensive security work
    • Common organizational mistakes that create risk
    • Making findings actionable for engineering teams
    • Skills the next generation of operators should build
    • Soft skills that matter in offensive security
    • How AI and cloud are changing modern red teaming
    • Underestimated attack surfaces
    • Whether offense will always outpace defense
    51 min
  • 19 - Zero Trust
    Nov 4 2025

    In this episode, we dive into Zero Trust and how organizations can put it into practice. With the rise of cloud computing, traditional on-prem networking architectures began to fade. Yet the need for strong security never went away – it evolved. That's where Zero Trust comes in. At its core, Zero Trust isn't just about technology. It's about people, access, and trust – starting with the principle that no one is trusted by default.

    Tune in to learn:

    • Why Zero Trust is more of a mindset and not a technology or set of technologies
    • The challenges organizations face when adopting it
    • How Zero Trust technologies differ from traditional networking technologies

    Reference material:

    • NIST SP 800-207
    • CISA Zero Trust Maturity Model
    32 min
  • 18 - The False Claims Act
    Sep 25 2025

    Waste, fraud, and abuse. These three words usually make headlines when government resources are misused on a massive scale. But the truth is, efforts to eliminate waste, fraud, and abuse extend far beyond the headline-grabbing cases.

    In this episode, our experts explore how the government combats waste, fraud, and abuse, and why cybersecurity is now front and center in the conversation. Over the past 40 years, federal agencies have increasingly relied on contractors, which has in turn increased the need for enforcement mechanisms to combat waste, fraud, and abuse.

    This episode goes over:

    • The history and role of the False Claims Act
    • How the Department of Justice's Civil Cyber-Fraud Initiative is using it to tackle cybersecurity-related fraud
    • The unique role of whistleblowers, who gain both protections and incentives to report fraud
    • A real-world use case that illustrates how enforcement plays out
    • Practical strategies organizations can adopt to reduce their False Claims Act risk

    If your organization works with the federal government, this conversation is a must-listen.

    Resources:

    • DOJ's False Claims Act website
    • The False Claim Act (law)
    29 min