
Intro  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:21  

Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a Certified Information Privacy Professional, and I provide practical privacy advice to overwhelmed companies.


Justin Daniels  0:37  

Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical, implementable solutions. I am the cyber quarterback helping companies design and implement cyber plans and also quarterbacking when they deal with the data breach.


Jodi Daniels  1:00  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit


Justin Daniels  1:34  

I see you’re very business-y


Jodi Daniels  1:36  

today. Business-y me, you’ve got


Justin Daniels  1:40  

on your business shirt. You’re busy.


Jodi Daniels  1:42  

I’m not in like a T-shirt, I like what I do. I’m not in the casual. Yeah, that’s true. All right, are you going to introduce into your desk shaven or casual? You’re going to introduce our guest today? Sure.


Justin Daniels  1:57  

So Zack Schuler is the CEO and Founder of NINJIO, a cybersecurity awareness training company that empowers individuals and organizations to become defenders against cyber threats. He is a member of the Forbes Technology Council and his thoughts on the future of cybersecurity have appeared in Dark Reading, Innovation & Tech Today, Home Business Journal, Inc. Magazine, Cyber Defense Magazine, CISO Magazine and more.


Zack Schuler  2:21  

With Zack, welcome to the show. Well, thank you so much for having me. And you do look very business-y compared to me as well, because I’ve got the same t-shirt on the Justin does just color. You know,


Jodi Daniels  2:35  

I just thought I’d mix it up a bit.


Justin Daniels  2:39  

You know, as I thought about your intro, Zack, it’s like if you publish things in Dark Reading, you’re helping bring people into the light when it comes to cybersecurity training.


Zack Schuler  2:47  

I hope so. That’s the plan. Okay.


Jodi Daniels  2:52  

Well, we always like to get started by understanding where you began your career in cybersecurity and how you found your way to starting NINJIO.


Zack Schuler  3:04  

I’m not going to give you the whole story because that would be about two and a half hours. And we’ve only got about 20 minutes. So I’ll give you a very truncated version. Back in 1995, I started an IT consulting business when I was 21 years old. And that business grew from me being what was called back then a trunk slammer, where I would go around from company to company and work on their IP issues. I got pretty busy doing that. So I hired people. And over the course of 18 years, I built what’s called a managed services provider that served small and medium-sized businesses for their IT support. Built that company up to about 100 employees and roughly 20 million of annual revenue. And one of the things that I saw pretty consistently, especially toward the latter years of the business, were people being breached. And at that point I didn’t have much of a cyber mission, but I was forced to get one, and, you know, we would have to respond to breaches and help give people, you know, kind of back up and running again. And then we officially started a cybersecurity practice about three years before I sold that business. And so sold that business in 2013. And then 2015, July 15, specifically, I had the idea for NINJIO, because when looking at all the cyber awareness training that was out there, there were these death-by-PowerPoint, 45-minute-long, you know, put-you-to-sleep type lecture-based learnings. And I just had this epiphany that there’s got to be something better, that there’s no way that this format of training is working. And that there just has to be something better than that. And so kind of took out a blank canvas and thought, you know, if I were Joe, your average, everyday end user wanting to learn about cyber, something that I don’t really need to know how to do to get my job done, how would I, you know, how would I want to be educated? And came up with just some core concepts, right, three to four minute long, animated stories. 
So our stuff is story-based instead of lecture-based, and, you know, using a real Hollywood writer to create the stories to make them engaging. And that really, you know, kind of set the foundation for the start of NINJIO.


Jodi Daniels  5:28  

I love that you’re story-based, and thank you for sharing the background. I think it’s always really, really interesting to understand how kind of your history and your experiences shaped the next iteration. Thank you again for sharing. Yeah.


Justin Daniels  5:43  

So what can we learn from neuroscience, which is a big part of what NINJIO does to help people not beat the link?


Zack Schuler  5:51  

Or cybersecurity? Yeah, I think when we talk about neuroscience, we really talk about how it plays together with our solution and how our solution was kind of developed with, you know, some behavioral things in mind as things were getting developed, and so on. When I think about neuroscience in cybersecurity, I think about the way that people learn, right? And there have been study upon study upon study, and this whole new term of kind of microlearning started coming out probably seven, eight years ago. And I think we were the first to jump on the bandwagon with respect to doing our training in microlearning, which is three to four minutes, right? Four minutes is kind of that magic number of where you can still keep people’s attention. And then a lot of the other principles of neuroscience that we applied: number one, storytelling, because people can get emotionally engaged into a story, they cannot get emotionally engaged to a lecture. Another piece that we targeted about, you know, neuroscience being really the study of the nervous system, is emotionally engaging the end user in the first scene of every episode, right? It’s kind of like a good book, you know, open up a good book or a good movie, and you want that first part to just be impactful and really suck you in. And we do everything in our power to do that in every episode that we create. Another concept that we have kind of, you know, really latched on to is how do you get people to retain information, again, another kind of neuroscientific principle. And so rather than just showing somebody a piece of learning one time, you need to show them that piece of learning, you need to knowledge-check them on that, and then you need to reinforce that learning, you know, over and over again, for a period of time, so that it really anchors the learning into the brain. So I would say that’s kind of how neuroscience plays into our solution.


Jodi Daniels  7:59  

So you had just shared about how you need to have people be able to retain that information? Is it that you create different stories for the same concept? Or is the suggestion to have people hear literally the same one, but you need to hear it multiple times? Because the big theme, so many companies do training one time they’ve checked the box, they’re like, well, that’s great. So you could do the four minute increments, what do I check the box by once a year? I’m good. And I think what we’re talking about instead is no, actually you want to do this probably every couple months, or every month introduce some type of concept, not just one day a year because there’s 364 other days of the year.


Zack Schuler  8:38  

Yeah, that’s right. So, um, yes, we do cover the same type of topic. Take it like ransomware, right? Ransomware is what we call one of our core four episodes. And so every season, we will cover ransomware. And so we’re in season six right now, so you can bet that we’ve done six episodes on ransomware. However, when I talk about retention, I’m going to take it a step further. And that yes, we released an episode every 30 days like clockwork, we’ve never, knock on wood, missed a deadline. But our methodology is such that on the first, if you’re following our methodology, on the first Tuesday of the month, your employees, your learners, will watch one of our episodes. As I said, they’re, you know, three to four minutes long. The second week of the month, we release an infographic that is reinforcing the teachable moments of the episode that they saw the week prior. And that can get consumed in about 30 seconds. And it’s really critical that the consumption rate of content be very small, especially after the team for minutes already. And so we have the 30-second infographic that goes out the next week. The week after that we have what we call an anchoring cartoon that can be consumed in about 10 seconds. And it’s just a quick little cartoon, again, reinforcing that teachable moment. And then we provide our clients with a wealth of other assets, things like lock screens, so when you lock your computer, you see the characters that were in our episode for that particular month and the teachable takeaways that are associated with that. We’ve got posters, we’ve got just all sorts of different collateral that really helps reinforce that message, whatever that message might be, throughout that particular month. We’re very fanatic throughout a month. And we really want to pound those teachable takeaways into our learners’ heads. Sounds like if they had the Ted


Justin Daniels  10:38  

Lasso episodes, the cybersecurity they’d have you in a second?


Jodi Daniels  10:44  

Read, there would actually be a talk on that. I don’t know if you watch that show. But they include privacy and security a fair amount. It’s really interesting. They really do. But I guess,


Justin Daniels  10:55  

you know, to build on this topic is it sounds like these characters and the episodes and you’re kind of telling a story? Is that really what stands out about NINJIO training? Because I’ve had training at my job, and it literally can put me to sleep, and it’s by one of the largest players in the space. So talk a little bit more about that.


Zack Schuler  11:16  

Yeah, sure. Thank you. Yes, it is the competitive differentiator. And I’ll go a little deeper into that. But I want to explain, because Justin brought this up. There are companies in the industry, and this industry is growing with companies almost by the day. And there are companies in the industry that take what we call a phishing-first approach. And so simulated phishing, for the audience that might not know, is where the company will actually send out a fake phishing email, see how many of its employees actually take the bait and click on the email. When you click on the email, it doesn’t do the business any harm, it just says up, you took the bait, you clicked on email. And then there’s a bunch of different actions that can happen after that, depending upon kind of the company’s approach. And so a lot of our competitors, or let’s just say the 800-pound gorillas in the industry, they have a phishing-first mentality where they will, and we call that testing, where they’re gonna phish the employees first and train them second. We say, well, when you go to college, when you walk in the door on the first day, you don’t take a test of your, you know, biology course, right? You learn for a couple of weeks, and then you take the test after that. And so we have very much of content-first and education-first approach, where we want to train people on the threats that they’re going to face. And then we will run our simulated phishing campaigns after the training has been done. And so being a content-first company, we get hyper focused on the content, the quality of the content. Our writer is a former writer for CSI New York and Hawaii Five-0. Every episode since season, the end of season five, features a celebrity actor, and so we’ve had Jon Lovitz on a whole number of our episodes, Robert Davi, Stacy Keach, you know, lots of famous celebrity voice actors are within each one of our episodes. 
And, you know, to this day, from a content perspective, we are still kind of known as the kings of content in the industry. And that’s really our differentiator, what we like to lead with.


Jodi Daniels  13:45  

So what do you think are some of the big challenges that companies face in getting people to absorb, retain, and even take or sign up


Zack Schuler  13:56  

for training? Um, there are a multitude of challenges. Number one, as Justin so adequately pointed out, he’s taken training before that puts people to sleep. Nobody wants to take training that’s gonna put you to sleep. And if that’s the case, you’re kind of going to do everything that you can to avoid that training. So from a company perspective, number one, you really need to try to, you know, make training mandatory. The biggest reason why people don’t take it is because it’s not engaging. They feel like it’s a waste of time, they feel like they’re not learning anything from it. And so everything that we have done has been to combat that argument. Right, and we don’t want it to be like this massive chore for you to have to do even once a year, to sit down for 45 minutes and go through this. We certainly don’t want people taking training where the training is running, and it’s on one side of the screen, you’ll get these big screens not so you can read the training on one side, put your Outlook up on the other side. No work, work, work, work, work, training is going on. Oh, all of a sudden they’re asking me a question. Let me take a good guess, click. Right. So we’re trying to avoid all that and keep people engaged. And what I can tell you, unequivocally, beyond a shadow of a doubt: engagement is the number one thing that a company needs to focus on, is getting their employees engaged in the training, and our solution, we do everything in our power to make that as easy as possible for our clients. Make sense?


Justin Daniels  15:35  

Curious on that topic? Yeah. Do you find in the situations where people are really engaged? How does the messaging from the C suite come into play when you’re trying to deploy your training?


Zack Schuler  15:50  

So important. That’s a great question. The C suite. In most organizations, you’ve got, you know, most organizations have, say, 500 people or greater, you’ve got a chief information security officer, CISO, CSO, whatever the acronym is you want to call that person. Most of the time when training is released, it’s coming either from the CISO or from the Office of the CFO. Now, where we have been uber successful is when the CISO has gone to the CEO and said, we’re signing up for this training, or maybe the CEO blesses the training, if they’re small enough, whatever. When you can have messaging coming from the Office of the CEO that says, if we arm our clients with all this information, you know, dear employees, we’re going to be adopting a new style of training, it comes from a company called NINJIO, here that, you know, points to look after, and here’s what it’s all about, etc., etc., if that introduction comes from the C suite. And not only that, but you’ve had the entire C suite, I’m sorry, comes from the CEO, and you’ve had the entire C suite, prior to that messaging, bought into the solution, so that they and their departments can also push out messaging that really stresses, you know, the importance of security awareness training, that’s when you’re going to end up with the best result. People are sick and tired of just getting emails from the cybersecurity department about training, or from the CISO, you know, about training, or whatever it is. It has to be a top-down mandatory exercise that ultimately, if the CEO can be the one that’s pushing it from the top down, the results are going to be dramatically different.


Justin Daniels  17:43  

I’m glad you made that point. Because I deal with a lot of companies at that C suite level. And if they don’t buy into any of this, it’s dead on arrival. So I really appreciate you making the point about why the C suite buy in and be even great if they had a video watching the CEO do the training him or herself, that would even be better.


Zack Schuler  18:03  

But that’s a good idea. We might work that into our onboarding process. Maybe give the CEO the voice of like Stacy Keach or somebody did that too. Yeah.


Jodi Daniels  18:14  

Anyway, people do love watching their leaders do things that they don’t expect them to do. So if they’re able to be in a character, it puts them in a different place almost more equal, so they have the respect of the position, but then it’s a while you’re just a person like me, you can be silly or interesting, or, like, you’re who, what? And then they’ll connect


Justin Daniels  18:37  

Yeah, build the CEO is one of the characters in the story, that would be awesome.


Zack Schuler  18:41  

Anyway, you guys are giving me some ideas as we’re sitting here.


Jodi Daniels  18:45  

Glad to help. The things that I found so fascinating about how you’ve approached training is not only about making sure employees are aware of the security risks and taking training, but also by extending it to the families. Yeah, of an employee. And, you know, when Justin and I do a fair amount of speaking, we often will use stories about for any parents in the audience, we have a big passionate about keeping kids safe online. And we’ll use stories like that to try and help or even just a personal story, because then when the person realizes it in their personal life, they’re a little bit more encouraged and willing to apply it at work. Can you share a little bit more about the philosophy and kind of what you do around that education to the whole family and not just to the employee?


Zack Schuler  19:39  

Yeah. 100%. So back in 2017, I was on a call with our Gartner analyst at the time, a gal by the name of Joanna Huisman, and she in no uncertain terms said that you were the only provider. That person uses content that can equally apply to people at home, as it can at work, right? We get ransomware at home, we get ransomware at work, we get phished at home, we get phished at work, etc. So, not really having a motivation to monetize the consumer, that wasn’t, you know, really part of our plan. And we decided to create this program called friends and family use rates. And so essentially, what happens is the first Thursday of the month, the family members that the employee signs up will get the same NINJIO episode that the employee got a couple days prior to that. And now this is where neuroscience really starts to come into play. Or it might even not be called neuroscience at this point. But we call this going up beyond behavioral change, because what the end goal is, is to get the entire family educated on the same topic. And then to get them sitting around the dinner table and having a conversation about that. And once the employee at the company knows that they’re sharing the education that they learned with their family and protecting their family, they have this epiphany of like, oh, it’s not just a company forcing training down my throat. They now view it as a four-minute break out of their work day, or more importantly, a benefit, an employee benefit that they’re given that crosses over to the family. They naturally now become the subject matter expert of cyber within the family. And this creates this really strong personal connection between the employee and Cybersecurity Awareness. Believe it or not, the end result of that is they go back to the organization, and they’re that much more aware, their radar is that much more up, because now they’ve taken this, they’ve gotten this personal connection to awareness training. 
And so not only have we changed employee behavior, we’ve done what we call, we’ve changed their digital security identity. And if you’ll allow me one more minute to kind of explain that. You know, when you, and I’ll ask a question here. If you take your car and you drive into a busy parking lot in Costco, I’m assuming you have Costcos where you are, right? And you get out of the car, what’s the first thing that you do? lock it in, I


Jodi Daniels  22:29  

take all my things with me.


Zack Schuler  22:30  

There you go, you lock it. And do you have to remember to, like, pull out your key and hit the button to lock the car? I’m assuming you don’t have a Tesla, which we just walk out and it locks by itself. But you really don’t have to remember to lock the car, right? You just, it’s a guessing game. Like you reach out into your pocket, boom, hit the thing. Instinctually. When you leave for work in the morning from home, if you’re, you know, not working from home, like we all are, but let’s just pretend that you leave your home for vacation, you lock the front door. It’s like you don’t really have to think about it. It’s kind of a natural habit. So we’re hoping, and not hoping, but what’s happening is, as a result of employees getting so engaged in Cybersecurity Awareness and bringing their family into it, is we’re reshaping their identity or reshaping a little bit about who they are, and so on. When they get an email that has a phishing link in the email, most people’s natural instinct, because this is how we’ve been ruined over the last 15 years since there’s been links in email, is to click on the email, right? That’s the instinct of most people, is to click on the link in the email. But what we’re doing is we’re taking people from, and that’s being curious, we’re taking people from being curious to what I call cautiously skeptical, right? And so we don’t want everybody running around and ever clicking on links, because a lot of times, most of the time links are good. And they provide information, the back end of it. But we really want people to scrutinize those links, and the identity change that happens throughout our processes is really critical in getting people to, like, not just instinctually want to click on a link, but they want to, you know, be cautiously skeptical of that link.


Jodi Daniels  24:17  

If that makes sense. It does. And by bringing it home, you’re not only furthering that chain that we just talked about, you’re also educating the younger generation I want to be looking for and our poor kids, whether they like it or not get a daily training on privacy and security topics to the tune that our little one wrote a whole story about data breaches the other day as her fun pastime so the kids are listening people they are listening to what you’re saying, and that’s a good


Justin Daniels  24:46  

thing. We could just get the husbands to start listening, you


Jodi Daniels  24:49  

know, yeah, you know what more conversations can be bonus training.


Justin Daniels  24:56  

Well, maybe with the right incentives that


Zack Schuler  24:57  

will work anyway. Changing gears a little bit,


Justin Daniels  25:02  

can you share with us what your best personal cyber tip is from all of your years in cybersecurity and IT as well.


Zack Schuler  25:13  

My best tip, my best tip would be to watch your NINJIO videos as they are released, take them in, and then, you know, take in the reinforcement material. Um, I guess that’s you self promoting, but let me think about my best tip. I think my number one tip in it is, hackers are social engineers, they prey on what they can find out about us on the internet, which in my case is quite a bit. Um, my number one tip would be scrutinize everybody that follows you on Facebook. If you don’t know them, don’t let them follow you. Make sure that all your posts are private, both on Facebook and on Instagram and on, you know, you can make private posts I guess really on TikTok. But really watch what you’re disclosing about yourself online that isn’t kind of general or public knowledge. Because hackers use some of these word hackers is that hackers are both good and bad, bad actors can use that information against you. And they can create an entire persona about you online. And not only will they use that to perhaps phish you or socially engineer you, even equally as bad, they’ll use that information to create an identity out of you and have your identity stolen. So just be very careful about what you’re putting out online and making sure that, you know, you’re as private as possible, if your persona allows for that.


Jodi Daniels  27:20  

Those are some very good tips. Now, when you’re not giving privacy and security tests, we’re running a security training company. What do you like to do for fun?


Zack Schuler  27:30  

Probably my biggest and most fun hobby that I try and do as much as possible is I paddle, and it’s a combination of paddleboarding and surfing. It’s essentially where you’re on a short surfboard kind of deal but you have a big paddle in your hand and you go out into the waves and you paddle in the waves and you surf them just like a surfer would you


Jodi Daniels  27:56  

go there’s your next door you’re gonna try like the nice and Zack thank you so much for sharing all your insight here today if people want to get in touch with you what’s the best way to do so?


Zack Schuler  28:09  

shoot me an email. tz it’s


Jodi Daniels  28:20  

Awesome. Well again, thank you so much for joining us here today. We really appreciate you helping to keep everyone safe.


Zack Schuler  28:28  

Well, thank you very much for having me.


Intro  28:34  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
