Nick Santora is the CEO of Curricula, a cybersecurity awareness training program that strengthens employee security culture using narrative-based learning and phishing simulations. Curricula is endorsed by esteemed organizations across the country, such as AAA, the State of California, Boys & Girls Clubs of America, and many more.
Before his work at Curricula, Nick was the CIP Cybersecurity Specialist at North American Electric Reliability Corporation (NERC), the enforcement agency responsible for regulating the bulk power system across North America. Today, he is an internationally recognized cybersecurity expert who speaks regularly on the topic of security awareness training.
Here’s a glimpse of what you’ll learn:
- Nick Santora talks about his background in IT and cybersecurity
- Why Curricula’s program is much more than just “checking a box” for cybersecurity training
- Nick’s strategies for aligning company privacy and security goals with employee goals
- How Curricula is revolutionizing organizational cybersecurity training: storytelling, rewards, food, and more
- How can you keep privacy and security at the top of your employees’ minds?
- The importance of maintaining a proactive — versus reactive — relationship to cybersecurity
- Nick shares his best personal data privacy tips
In this episode…
Do you want to encourage a proactive approach to cybersecurity and data privacy at your organization? Are you looking for a trusted resource that can help your employees understand and apply basic — but vital — privacy and security strategies on a daily basis?
Creating effective privacy and security training programs for your employees is difficult, but helping your company maintain a consistent security mindset is even harder. That’s where Curricula comes in. As a revolutionary training program, Curricula not only uses story-based educational techniques to inform your employees about privacy and security, but it also makes the training so enjoyable that they can’t help but come back for more. This means that at your company, privacy and security won’t just be buzzwords — they will be core values. So, how can you learn more about Curricula and start creating a safer and more secure company today?
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Nick Santora, the CEO of Curricula, to talk about the benefits of implementing fun and effective privacy and security training at your company. Listen in as Nick discusses the ins and outs of Curricula’s educational program and shares his tried-and-true strategies for making privacy and security a company-wide priority. He also reveals how you can better maintain your personal data privacy today. Stay tuned!
Resources Mentioned in this episode
- Nick Santora on LinkedIn
- Curricula
- North American Electric Reliability Corporation (NERC)
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.
You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.
Host (00:01):
Welcome to the, She said Privacy. He Said, Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. Hi
Host (00:22):
Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I provide practical privacy advice to overwhelmed companies and my sidekick. Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I’m a cyber security subject matter expert and business attorney. And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and established customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit RedClover Advisors.com. Who do we have here with us today besides Jodi and Basil? Yes, besides the sleeping dog right by our feet. So we can’t move our chairs at all. Well, we have Nick Santora. He founded Curricula after a seven year career at North American Electric Reliability Corporation or the enforcement agency responsible for regulating the power grid across North America. Nick is an internationally recognized cybersecurity expert and speaks regularly on the topic of influencing employees within security awareness programs. Welcome Nick.
Nick Santora (01:56):
Thanks for having me Jodi and Daniel. Happy to be here. Yeah.
Host (01:58):
Yeah. It’s exciting. Well, where should we get started? Well, let’s start from the beginning, Nick, how did you get started in your career to get to where you are today?
Nick Santora (02:09):
So that’s a, probably a traditional path and then with an untraditional ending to that past, but you know, my or middle to the past, but I started in IT you know, I always was tinkering with stuff since high school and, you know, was taking certifications at A Plus and Network Plus and Security Plus and got those at a pretty young age while I was a sophomore or junior in high school. So I knew I wanted to go down this road. Didn’t want to go to college, but I wound up finding my way there to a Rider over in, in the Princeton Lawrenceville, New Jersey area, and started learning more about the business side of things. And I kinda found that I can marry the two together, become kind of a translator for technology into the business world. And, you know, along the way towards the tail end of my college career for undergrad, I found this job that was in the area, had no idea of what NERC was, what they did, what they stood for and got the job.
Nick Santora (03:04):
So I went in as an IT specialist and quickly grew into learning more about what the business actually did, which was protecting the power grid and regulating the power grid or all types of different things on the cyber and operational side. That career led me into a bunch of other things which included finishing my MBA in New Jersey, moving down to Atlanta here, which is what got me here. And then eventually finding a big problem to start my own business on. And that was learning about all of these crazy regulations for the power grid and all of the tough nuance, legal language that people had to follow, but no one understood it. So again, they needed a translator and my idea was take all the technical legal jargon and turn it into something that was fun and easy to understand for everyone involved. And sure enough, that turned into a business that worked in 2015 and then we expanded to more generalized security awareness. And then that is now expanding to even more generalize online education. So we’ve had quite a ride over the past few years and having a lot of fun along the way.
Host (04:08):
Nick tell us. Yeah, it sounds like there was this need to translate in, in the privacy space. I see the same thing. There’s these complex laws and people don’t always understand them. What’s interesting is at the same time people are the weakest link in cyber. I actually say that they’re the weakest and strongest link in cyber. How, tell us a little bit more about how you’re using training or what you’re finding when people understand these complex laws, what they’re able to do to help break down the challenges that make them the strongest and weakest link. And why do you think people are struggling so much to incorporate some of the basic items that you’re probably including in your training?
Nick Santora (04:50):
Yeah, a lot, a lot to take in there. So the, you know, at the root of it is we all know that there’s a problem. I think we can all agree that there’s a problem of, are they the weakest or strongest? Why is that? And you know, when we look at that problem and kind of how to solve it is that if we recognize that the problems there, well, we can’t just throw technology and expect that it’s going to be solved. And if we know that, just getting something done, like you know, checking the box for security awareness for a compliance regulation, well, that just gets you compliant, but it’s not effective because we’re not putting in the effort to get the results we want out of it. A good example is that CISOs and IT directors and decision-makers that are responsible for implementing these programs.
Nick Santora (05:31):
Are IT people, they solve problems through technology. In most circumstances, this is not a technology problem. This is a problem to connect with people, to resonate with people and to influence people, to making better daily decisions. And until we agree on solving that problem in the same way as a community, we’re going to continue to see the things that we see in the news every single day. So, you know, in order to solve for that, I think we have to actually just care. And I know sounds silly, but caring is the number one priority that every single CISOs should be doing to solve. And what I mean by caring is like not just growing technology and compliance training modules and remedial training and stuffing phishing simulations down someone’s throat, someone’s throat, that’s just compliance stuff that just get the job done, but it’s not what you do in this scenario. It’s how you do it. So our goal, and I think the community’s goal is like, well, well, how do we do it? Right. You know, and I think that’s what we’re all trying to work towards is resonating with our employees to get them, to actually understand this stuff, by speaking their lingo and not just putting a bunch of legal language and compliance docs in front of them, because we know that doesn’t work
Host (06:38):
Fair point. Thanks for sharing. I guess I’d like to come at it from a perspective of asking you, you know, a lot of companies go through training, I’ve quarterbacked, many post-breach resiliency plan where employee training was right there at the top. You know, Nick, have you come across any thoughts around some of the incentives that you can provide to employees for, you know, catching phishing, or really making concerted efforts or having certain parts of compensation tied to the cyber hygiene from an employee training perspective, any thoughts that you’ve seen in the last four or five years you’ve been doing this?
Nick Santora (07:08):
I think the biggest one is aligning the institutional goal with the employee goal. For some reason, we kind of think they’re the same thing, right? I mean, an employee doesn’t come into work and says, I cannot wait to report a bunch of phishing emails today. Like that’s just, I’m so looking forward to it, I can’t wait. That’s why I woke up this morning. Absolutely not. And for some reason we think that institutional goal is I do not want to get hacked as a company. I do not want to be in the news. I do not want to have to deal with all the repercussions, how we align those is difficult because it, again, it takes effort and it takes someone caring about that alignment. So incentives and aligning to those incentives, we got to find what makes people tick and what gets people excited.
Nick Santora (07:49):
And each organization is different. One of the biggest areas we see a problem or kind of a misconception is financial motivation as the only motivation money always helps. Right? But there is no amount of money in this world where an organization can continue to pay gift cards or incentives to their employees for doing the right thing. It’s just, you you’d run out of money in the first couple of weeks just from following that model. So we got to look towards other ways to get people motivated for other things that drive them inside of the organization. Not a, not an easy answer. So I wouldn’t tell you that this is an easy problem to solve, but there’s been a lot of cool work on kind of different ways to find motivation, similar to how a, you know, like Reddit communities work and how, you know, Wikipedia works.
Nick Santora (08:34):
People don’t get paid. They volunteer to put this information into this community because they feel reward in one way or another. Not all employees feel that way, but there’s a certain characteristic behind how you do that, where you can start to drive kind of a community motivation inside of an organization. But again, it’s not an overnight problem to solve. It’s something that takes years of dedication to actually figure out and work towards until we actually come to an agreeance on following that path, we’re probably gonna see the same results that we see today on poor performance, high click rates and simulations, cyber attacks left and right. And just people doing the wrong thing. Cause they didn’t know better.
Host (09:11):
It sounds like what you’re saying is you’re trying to find a way to culturally align corporate culture with what employee goals are. So it might be a group of people who aren’t interested in security who start to create a community that creates a groundswell within the ranks of the employees. Like one thing I like to do is do security training that relates to a family and how you protect your kids. Cause a lot of people are struggling with how do I handle my kids online? And a lot of the same concepts that you use protect your kids or things that might be helpful to work. Is that kind of what you’re talking about? Things like that.
Nick Santora (09:43):
Yeah. It’s just, it’s just kind of thinking creatively about the problem. I mean, there’s a good example of uses. I love The Office, the TV show, and there’s this one episode where they are, they’re trying to get their sales numbers up for the organization. Something like that. No, one’s really motivated. And then Bernard’s like, Hey, I’ll go get a tattoo on my butt. If if you guys hit these numbers and people went nuts and they started doing it and they, they met that goal. So it’s that same thing of starting to find these kinds of alignments inside the organization of what, getting everyone to work together versus just kind of individually showing up and hitting a button every day.
Host (10:16):
I was going to ask if you had any clients that you’ve worked with that of course protect, protect the privacy of them, but any interesting creative ways that you’ve seen, that people could learn from?
Nick Santora (10:29):
A lot of different things. You know, something that’s special about us is we use characters and storytelling to help influence people and create kind of a common lingo language. So we’ll see that a lot where people will kind of use our characters in different ways where they’ll make like Slack channels dedicated to certain characters. So when you see something and you start writing on there and you get rewarded for the most people, submitting things on those channels, we’ve seen them use inside of kind of these lunch and learn presentations where they’ll use the characters and kind of the food from an episode and apply it to the lunch and learn and serve those sandwiches and stuff that are based off there. So it’s again, just kind of being creative and having some fun and putting a smile on people’s faces because if you can get them to kind of, if you can prime people to have a smile and come into this positively, you’ll get better results than just kind of doing that the stick approach of like you got to do this, it’s compliance. I don’t care if you like it or not. Well, you’re going to get the results, you know, one way or another, but one of them is going to get people thinking about security positively, the other is more of a chore.
Host (11:32):
That makes sense, no one loves training, but the, if you can make it fun and interactive, or it doesn’t feel quite as much as training, then people are more apt to participate. Kind of like getting our kids to do something…
Host (11:48):
So Nick kind of drilling down on this topic from a different perspective, you know, I’m seeing a real uptick in role-based training, meaning the role that you have in the organization, you could be the administrative assistant to the CEO. You could work in the wire department, you could be working in some other critical functions. So can you talk a little bit about what the trends you’re seeing in terms of the type of cadence and type of training that we’re seeing based on someone’s role in the organization?
Nick Santora (12:12):
Yeah, it’s a good question. Like, especially with online, everything becoming just an overnight priority as of last year, companies had to figure out how to adapt and adopt to like, well, how do I teach people about things that just changed? And I don’t get to see them anymore. And from our customer base, I mean, we’re, we’re security awareness focused and we make tons of content on that, but we’ll never be able to figure out what your access control system does, how you operate it and what processes need to take place. So that’s kind of out of our hands. So for a company, they got to make a choice, right? It’s I like this at a high level, the understanding of why this is important, the awareness of the whole thing. And then I have very specific training that only I know about that I have to give out to individuals.
Nick Santora (12:55):
So we’ve listened over the past year and we’re, we’re launching this really cool tool where you can kind of build your own training off the Curricula platform. But you know the thing about that is that that’ll always change, right? Training is always going to change because technologies and tools and processes always change. So conceptually, I look at this as kind of maturity of an organization as they’re building training, not all trainings created equal, you know, you’re, you build awareness at the beginning around a concept, and then you start to build maturity around you know, let’s get a little bit deeper to the point where you’re making specific training on, you know access control systems for CPAs inside of this specific software, like, well, who could have dreamed of how difficult that individual training was only the company or the individual could do that.
Nick Santora (13:41):
So I see that as kind of the future. Now that online training is becoming a priority for every organization to learn how to not only build this type of training, but to not try to drink the ocean here, like people come out of the gate and they say, I need to build hundreds of trainings on every single thing in the world. It’s like, well, I’ll give you a hint. You can build as much as you want. No, one’s going to pay attention to it. If you don’t do it right. And you got to start with the basics and work your way up to that more detailed, complex stuff. And then more importantly, be on top of it when things change, update it, when you modify a process, modify it in the training, because nothing’s worse than having a stale old incident response plan that has to get dusted off. And all of the processes are incorrect in there. It’s like, well, what’s the point? You know, let’s, let’s keep things current and, and take things one step at a time.
Host (14:30):
The idea of keeping things current is a theme that I’m always talking about, like understand your data. You have to maintain it. Businesses change. We’re always talking about incident response plans, dusting them off, or at least having a printed copy. But the idea from training perspective is kind of similar, right? You want to be able to, a lot of times companies will do you had described it earlier. I kind of like check the box activity. I did that training. We did it once a year. We’re good. We all know here that there’s more to it. I’d love. If you could share a little bit about maybe some stories or how, how you release trainings or help guide companies to make sure that they’re educating employees on an ongoing basis throughout the year. Not just when they’re changing a process, which we all agree as the process, the business changes and evolves. Everything should align with that, but also the idea of how do you keep it fresh in front of people. And I believe you have to hear something at least seven times before you’re even going to pay attention. So I have to pay attention. I have to remember, and I have to do so. I’d love if you can share a little bit about what you all are doing successfully or are seeing what customers are doing to keep this top of mind.
Nick Santora (15:34):
Yeah. It’s you know, number one, gotta care. Think at the end of the day, it doesn’t matter what you’re getting into. If you want to become a faster runner or more fit or anything else in our lives, we have to care to make a change in our lives. So if, as an organization, as the linchpin of an organization, which is the buyer, the system and the IT director employees, as much as they care about this stuff, do not get to make the decision on which programs or training they choose almost ever. It’s always in the hands of someone else. So if the hands of someone else who does not care, you will see the results of, of what we see today. So if we start there and we care, and we understand that the first place that we look at is like treated no different than, you know, a fitness plan.
Nick Santora (16:16):
You know, I don’t go into the gym and try to lift every single weight in one day and run for an hour and eat a salad and say, man, I am a healthy person. Like, no, that takes commitment. That takes weekly regimen of constant progress to eventually meet my goal. And when it comes to security, awareness and training and all this other stuff, sometimes we set goals that are so unrealistic, it’s just unachievable. And then therefore nothing happens. Therefore, no one cares. Therefore the results are what they are. So, you know, if you start on that mindset of saying, I got to make a plan, right. My plan is to get people to think and talk and respond more about X. Okay, cool. How am I going to achieve that plan? By what time? I don’t know. I got six months.
Nick Santora (16:59):
Let’s say to get that done. And I want to see these measurable outcomes. Like I want to be able to talk to people about it. I want to hear this. I want to make a Slack channel about it. I want whatever the case may be. Okay. Then what are the steps to get to that goal? Every month, I’m going to talk about something different, a new campaign, kind of like marketing to help buy in, influence on the people and give them knowledge on different areas of this training that I’m trying to teach. Well, that’s kind of how we approach it, right? If we, if we’re giving a an onboarding and we’re talking about a strategy behind it, we’re being realistic. We’re saying in order for you to get a security culture inside of a company you’re not going to turn this on, stuff, 12 episodes down an employees throat and expect them to perform like that’s insane.
Nick Santora (17:40):
We’re going to make a plan and we’re going to do a 30 day activation. We’re going to talk about running a baseline fishing simulation to see where you are there. We’re going to talk about privacy ethics. Like, do you have any ethics inside the company? Does anyone know? I mean, I don’t know, like, are you just mailing Excel sheets out to people left and right. Are you sending sensitive info? I mean, you got to look at what you got to start and then you get to look at where you want to be. And if companies do that, they have a lot of success with us and I’m sure with other organizations it’s the ones that come in that are looking for the quick fix. You’re just not going to get it. I mean, there’s people that might say that and they might try to sell you on it.
Nick Santora (18:16):
And they’re gonna, you know, maybe be super cheap to do that, to get that done. And that’s, that’s cool. That’s compliance stuff. That’s easy to achieve, but if you’re looking for a true culture change, a true online training behavior change, it takes time. It takes care. It takes a process, a plan, and it takes people to kind of come together to realize like, we, we are all in this together, right? We’re all getting fit as a community, not individually because individually you have half your company who is doing really well. And half the company that doesn’t give a crap about what you’re putting in front of them. Well, what do you think the results are going to be after those six months? So again, it’s, I think that’s at the crux of it is taking a systematic approach to planning structuring these on kind of a monthly basis of new activities and campaigns. And then having a conversation with the management team, the linchpins and the employees, the ones that you’re actually doing all of this or, and seeing if they care and if they do you’re off to a good start, if they don’t, you’ve got to come back to the drawing board and replant.
Host (19:15):
So I think we wanted to ask you a question to go back a little bit in time to your days at NERC and Texas is been in the news these days, or frigid temperatures and interruptions to their electric grid. And when we think about cybersecurity training, just the industry in general, we’re such a digital economy that now electricity, that people don’t always think of until the power goes out is now probably the most important part of our critical infrastructure. And just love to get your thoughts around the grid from a cybersecurity perspective and concerns you might have around that, that maybe people who go about their everyday lives, just aren’t thinking about the cybersecurity and privacy or this little thing off to the side, and we’ll deal with it if a breach happens, but why would anyone want to breach ust?
Nick Santora (20:02):
Yep. This is the ever evolving world of regulatory compliance, right? I mean, you see an event, you respond and then you make rules for it. And it’s just very difficult to do for these events. They call them high impact, low frequency. So when they do happen, they are very devastating. The chances of them happening are very low. So do you put all of your eggs into this basket to focus the entire industry’s investment on solving for this event, a cold weather event in a very historic type of time, or do you focus on things that you know are going to happen and are high impact high frequency? So that’s kind of how the regulatory environment, not a should good work, but you know, supply chain stuff we saw that happen as soon as there was a supply chain regulatory event, let’s make rules and regulations for that.
Nick Santora (20:50):
I do not doubt that there’s going to be regulatory stuff coming out of this for protecting against cold weather. Just part of being a regulator, whether that is where the focus should be. That’s not my decision to be, but what I do know is the cyber side of the fence has had almost a decade of hard work put into it on high impact high frequency event. And that has caused a significant reduction in risk on the regulatory side, where utilities that were not doing anything before are at least doing something. And that’s a good start. Like if we did agree on that, man, that is pretty awesome. Maybe the same thing comes out of this where it’s like, Hey, did you do nothing on, on the planning behind an event like this we’ll do something. So that way, at least, you know how to respond to this.
Nick Santora (21:38):
But in the, in the future of kind of where we’re going to see kind of this risk mitigation, I mean, there are some very scary things I have seen in my careers or in my career at NERC of stuff that no one will ever know about where there’s devices and appliances, that there is no replacement for, that have been just running. It’s like, well, how do you prepare for that thing going offline? I mean, that’s the whole point. The, the electrical infrastructure is the largest machine in the world, and it’s built off this end plus one mentality where things can go down and there’s other routes to keep it stable and up. It’s the fact of when many people deal with that problem and there are no recovery path out of it. How do you deal with that type of event? Cyber is a quick way to have that type of event happening, but, you know, that’s why we’re building rules and regulations and listening and learning.
Nick Santora (22:27):
And having people think about this more from a, from an operational security point of view and not just solving for compliance. And if we can get our operators, our infrastructure to focus on that again, then I think we’ll be in a much better position for the future. And I think on top of all of this, this is a poster child of how to do this, right. And, you know, applying the concepts from NERC into another industry that may not have had anything being done on this side. And now they’re trying to do something for the first time and that’s a denial.
Host (22:59):
Well, first off, I think our dog really agreed with everything that you said because he arose from his lumber. And, but at the same time, you know, as you had just mentioned how you can apply some of these same principles outside of the regulatory industry. I think so many people when it comes to privacy and security training, are thinking about the personal data, I have to protect about the personal data, which is extremely important. I think this could also raise the idea and the thought you should also be thinking about your, your critical assets that run your business. Now, certain situations might my shut a business down more than another, but if we think about the cyber, you know, the, the utilities sure. There’s personal data, but you have an event that can take down an infrastructure. So companies should also be thinking about how to protect their intellectual property, to protect their core asset, whether that’s online or physical space or whatever it is that’s happening. I think you’ll, we’ll start to see a shift you know, to expand on how people are protecting the data.
Host (23:59):
I think the other question is, is now if I’m a company down in Texas and I got shut down because of the grid or other things went down, how does my disaster recovery work when you have external events like that? So how do you work around that problem? Cause really what Nick is talking about is the zero day event where you have a cyber intrusion that has no a quick fix and what do you do about it? And I still think we’re so highly dependent upon digital technology that we are really not thinking through the really significant impacts the cyber intrusion can have on our critical infrastructure, because we’re so interested in all this efficiency.
Nick Santora (24:33):
Scoping is big. Scoping is very big. And I think, you know, don’t drink the ocean, right? If you’re kind of what you said, Jodi is like pick out your assets, the ones that are going to be mission critical to your operation. Like if those things go down, it’s over. I mean, that’s, that’s the, you know, from an operational point of view, that’s why you’re in business. You got other systems that are important, but you can still opt out them if you don’t scope correctly. I mean, that’s what the NERC industry does is they, the first part of the standard requirements is scoping the assets that you have to protect because there could cause and a blackout, and then you build a framework off of how to protect those assets. So I think, you know, the way to at least give my 2 cents and advice on this is for any type of business is like, think about the scope for a second and then practice a scenario in your head or on paper or anywhere at least once a year at a minimum, probably more than that.
Nick Santora (25:25):
And just like walk through it and say, Oh, this just went down. What would happen? And just by saying that out loud with a community of people in your company opens a lot of eyes, cause like, Oh, I don’t know. Like we’ve never even talked about that. Could that even go down who hosts that, who has access to that? Who would we call? Oh, that was the contractor from two years ago. It was the one that set that up. So it starts to like unravel this crazy amount of uncertainty that you should be very certain on if something goes down and if you start there, it’ll start to guide you in the right direction.
Host (25:56):
How much knowledge of all the things that could happen, what do you do to protect your personal data? What’s a good tip that we could leave the audience with.
Nick Santora (26:06):
Yeah. mine, I think one that’s been kind of trending. That’s really exciting and good is like password managers. I feel like, I don’t know how anyone did this before password managers. Like we keep telling people like, remember them and do this and difficult and that, and that, and I can not let, like, I don’t know any passwords of mine. I have absolutely no idea what any of them are. I can’t tell you how many times that thing has been useful in every conversation I’ve had, because now they’re doing crazy stuff where they’re like telling you that these have been part of data breaches and this password has been exposed. It’s like, man, that’s good to know. You know, I shouldn’t use that password ever. And I’ve heard all kinds of cool stories about, so I think that’s number one is like, if you haven’t done that, the password manager that’s number one, number two is on the a multi-factor like, if it’s available, when it’s available, you always turn that on.
Nick Santora (26:55):
I just cannot see a circumstance where it’s like, that’s a bad idea. If there is, tell us about it, we’ll write a blog about it. Cause that’d be really cool. It’s always better than just having a loose password sitting out there and not knowing if someone stole it. And then three is a practice, a scenario yourself of what if someone just got into this, what would that affect? Like, I kind of do that every once in a while. Cause I’m weird maybe, but I I’m like cautious about who has access to what? And I always question like where else has that been or had access to and what does that connect to? And I kind of run these baked scenarios in my head. Well, that’s me doing it, maybe it’s overkill, but it also kind of opens your eyes like Man, if someone got into my email right now, that would be a rough, rough patch for me to clean up. If you do that, I think that would be a, another kind of fun. I don’t know if it’s a fun exercise, but it’s an eye-opening exercise for your own personal security and privacy.
Host (27:50):
We’re big fans of the password manager and the multi-factor authentication over here. Yes we are. So last question when you’re not at the office, thinking about cybersecurity scenarios from which you extricate yourself in the escape room, what do you like to do for fun?
Nick Santora (28:04):
Surprising enough. I think my disconnect is like to get away from computers. I’ve been, I think all of us have been cooking a lot, but you could ask my wife, I think I’ve actually been surprisingly good at it, considering that I’ve never really done it before. And I think it’s from subliminal kind of like watching, cooking shows growing up and everything. And then now I’m just like, almost like I’m on iron chef show. Like, Oh, give me a pile of bananas, some garlic and tortilla. Then I can turn that into something crazy yet. You know, I’ve, I’ve had a lot of fun doing that because I think it just disconnects my head completely into kind of creating some fun stuff. And it’s it’s been exciting for me to kind of learn and experiment with stuff. And if it sucked, it sucked. But most of the time it’s been actually coming out pretty good.
Host (28:49):
Nice Nick, thank you so much for joining us today. If people want to connect and learn more, how do they
Nick Santora (28:55):
They can head over to curriculacom, watch an episode, check out stuff. And I’m always on LinkedIn. You can just search Nick Santora Curricula, something like that. I’ll pop up and follow me. Cause I’m always talking about this stuff on there.
Host (29:08):
Awesome. Well thank you again for joining us today. We shared a lot of really helpful tips to help make sure that employees and companies are staying compliant when it comes to privacy and security and how to make sure that
Host (29:20):
it stick with employees. Thanks for listening to the, She said Privacy. He Said Security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.
Privacy doesn’t have to be complicated.
As privacy experts passionate about trust, we help you define your goals and achieve them. We consider every factor of privacy that impacts your business so you can focus on what you do best.