
The Evolution of Human Risk

You can’t just “train harder” to mitigate human risk. We sit down with Ashley Rose, CEO and co-founder of Living Security, to unpack why classic security awareness training (SAT) often produces neat dashboards with flimsy outcomes, and what it takes to build a security culture that people actually engage with. Ashley shares her non-traditional path into cybersecurity, how marketing principles map nicely to behavior change, and why the security team has to become approachable if we want employees to ask questions, report issues, and stop working around controls.

We trace Living Security’s early days running security escape rooms, then zoom out to the bigger shift: human risk management (HRM) as a true risk management function. That means moving beyond completion rates and phishing simulations to quantify likelihood and impact using real signals across behavior, threat, and identity. We get specific about what that looks like in practice: endpoint compliance, MFA adoption, password hygiene, dark web credential exposure, privilege levels, and blast radius. The payoff is prioritization and focus, including the uncomfortable reality that a small percentage of users can drive a majority of measurable risk.

We also dig into the hard parts that make or break programs: integrating data in messy enterprises, avoiding noisy alert floods, and operationalizing outcomes through automation and adaptive controls. One of the most practical takeaways is simple but sharp: make the secure path the easiest one to follow. When people repeat risky actions, it often signals friction and broken business processes, not “bad users.” We close by looking ahead to a hybrid workforce where humans and AI agents share access, shifting the workforce attack surface again.

If you’re a CISO, security leader, or practitioner trying to prove ROI, reduce phishing and insider risk, and modernize security awareness into measurable human risk management, hit play. Subscribe, share with a teammate, and leave a review, then tell us: what’s the most broken workflow in your organization that security should fix first?

Listen and watch wherever you podcast:

On Spotify, Apple Podcasts, or Buzzsprout.

Or watch the whole recording here on our YouTube Channel!

 


Full transcript of this episode:

 

Aaron Pritz (01:02.158)
Cool. All right, I'll kick us off. And then Ashley, CEO, co-founder of Living Security. Is that the right title? Okay, awesome. All right. Thanks for tuning in to Simplify in Cyber. I'm Aaron Pritz. And today we're pleased to be here with Ashley Rose, the CEO and co-founder of Living Security. And I'm especially excited for this talk because I've been an advocate as well as a critic for

Cody Rivers (01:17.313)
Cody Rivers.

Aaron Pritz (01:31.19)
all things security awareness and human risk back from my corporate days when I walked into a reboot of a cyber program after a FBI arrest of individual insiders and trying to get the business outside of IT to understand and do things very, very differently. So I'm excited for this. Ashley, it's been a long time in the making, looking forward to this conversation. Before we dive in, let's hear a little bit of the Ashley.

story and how did you find your way into cyber?

Ashley Rose (02:03.566)
Yeah. Um, I think like many in cyber, I have a non-traditional background, but, um, you may hear people that just kind of fall into it, whether it's like military or, you know, government work or marketing and comms, I think we see a lot of, especially in the human risk space. So, um, and that's, you know, really had been my path. Um, I went to school for business marketing, uh, actually fell in love with business through a, uh, uh, um, program called DECA.

and I, it's top of mind because I hosted my daughter's, my senior daughter's DECA end of year party yesterday at the house. So that was very cool. And really like what I learned about myself through that program and then through my eight years in schooling is that I just love to solve problems. And so that like, that's as simple as I can state it. And, during, you know, first in high school and then sort of post, or I'm sorry, during college and post college, I actually got my feet wet in entrepreneurship.

Cody Rivers (02:38.547)
Yes.

Ashley Rose (02:59.756)
but building an infant and children's swimwear line. So yeah, that's probably surprising to people. What was really great, and I look back on that experience fondly, is I had to go from customer research, problem identification, design a solution, bring it to market, deliver it to the customer, and then solve the customer problem over and over and over again. And so that, in essence, is what entrepreneurship is.

Cody Rivers (03:05.816)
That's awesome.

Ashley Rose (03:25.954)
And so doing that once, I learned a lot and was able to apply it to future states. So, you know, I spent some years in private company marketing, and then I ended up actually, you know, really kind of getting my, my, feet dirty, right? My hands dirty, my feet wet in cyber kind of more from the audit and compliance, angle. So I ended up on a pro as a product manager and a product team.

is what product people do, right? They're solving problems. So I was like, this is great. I can go solve problems with tech. And I was actually building an internal identity and access management solution at my last organization. And that's, you know, that's when I started kind of learning about the technical side of cyber. My husband, his background is more traditional. He came from a military background. He went MI, military intelligence, spent a couple of years over in the, with the Marine Corps, doing cyber network and operations when he came back.

Uh, post-deployment, was building the cyber program at the company that I was working on the identity solution. And I was actually able to witness firsthand the problem that he was having in the space. And I remember just like a very vivid conversation. Um, this was happening. He, you know, he'd be coming home and building games. And, uh, at the time he was building an escape room, uh, for security training. And I was asking him like, you're a cyber guy, you're a tech guy. Why are you building?

cyber games for people. And he said, Ashley, like my number one challenge is getting the people to care, getting them to engage with cybersecurity so that when they have a question, when they have a problem that they'll come to me. Right now, everyone is like scared of the cyber team. They think they're, we're going to tell them, no, we're going to shut off access. We're going to block them from doing their jobs. I need to start working on the culture. And then that was kind of my aha moment as a problem solver entrepreneur.

I said, okay, like this, this really makes sense. And then we asked ourselves, if you're having this problem, how many other security leaders are having the same challenge in their organization? And so just to kind of fast forward to not quite the end of the story, but maybe the beginning, I found myself on the Black Hat floor with a tablet interviewing CISOs about what was going wrong within their human risk, cyber program. And I learned a lot and you know, maybe the rest has been history, but I'm sure we'll.

Ashley Rose (05:49.272)
We'll close the gap on that today.

Aaron Pritz (05:50.124)
Yeah. Well, that's awesome. And it didn't click for me when we did the prep call a couple of weeks ago. But when you think about it, marketing as well as entrepreneurship is really a lot of the problems and the basis for the workforce or the human risk factor. Like some of my, on the corporate side, some of my best people that I brought into roles that ultimately went on to become BISOs and lead insider threat programs were from marketing.

marketing and a little bit of finance. So I do think like the cross-functional, like bringing people in that aren't traditional really helps us from a diversity of thoughts standpoint, but as well as like, how do we get people's attention? Well, that's marketing, that's comms, that's PR, right?

Ashley Rose (06:35.65)
Yeah, that's absolutely right. Well, let's, I mean, I know we'll get into SAT, but who built the original security awareness and training programs? IT professionals. And so like, if we just like, we take that for what it is. It's, you know, people that are working mostly with computers and tech, less on the business and people side. They're trying to solve a business and people problem. And for all intents and purposes, the stats, you know, make the claim.

Aaron Pritz (06:46.734)
Yeah.

Ashley Rose (07:04.364)
That has not been successful in my opinion. And so I think like it was actually a competitive advantage for us that I came more from a business, you know, marketing perspective. And, and to your very point, marketing's job is to drive behavior change. The behavior that they're looking for is how can I get you to follow my path, click my link, you know, go make a purchase and become a brand advocate and ambassador.

In a similar way, when we're building a security culture, trying to drive positive behavior and become a security advocate or a champion, we're taking a very similar approach. So yeah, a lot of kind of the methodology, the things I learned on the marketing side, we've been able to apply to the human risk side as well.

Aaron Pritz (07:47.342)
Love that. And I was in a conversation yesterday on sales automation and I made the comment like sales automation and automating people to click things and emails. Like the converse of that is the cyber criminals and the phishers, right? It's all about social engineering. There's the white hat social engineering, which is probably some benevolent thing like, Hey, come look at my product and click the link. And I want to get you into the funnel, you know, that will ultimately lead to the sales. On the flip side, like criminals.

criminals are selling your entrance into their ransomware. So, so many parallels. That's not a great parallel. And sorry to my sales friends that maybe I didn't get the good side of that one.

Ashley Rose (08:22.776)
Well, I was gonna say, Aaron, did you just equate marketers to cyber criminals? Because that's kind of what I took away from that. Salespeople.

Aaron Pritz (08:30.07)
No, salespeople. Marketers are cool. Yeah, Ashley, you're in the cool club. Salespeople, I might have just, you know, yeah, anyway, let's move along before I dig my hole any deeper.

Ashley Rose (08:38.272)
All those salespeople.

Cody Rivers (08:40.792)
Yeah. But I'll, well, yeah. Well, and I also say real fast too, Ash, I think I love that your background is not the traditional route because a lot of times I tell people with like our clients, like when you're trying to sell to people, IT and cyber, we know they kind of understand or have the foundational understanding of why this is important, but we're trying to get those who don't care about cyber, who don't think about it, you know, like my most furthest stakeholder from it. And I would say marketing kind of gets the picture there, but they're, to your point.

Ashley Rose (08:42.894)
You

Cody Rivers (09:09.368)
helping to sell the intention to sell the dream. I love that. That's why I love what you're doing over there and excited to chat more here on the podcast.

Aaron Pritz (09:17.996)
All right. So we've gotten through the entrepreneurial marketing background, the babies and kids swimwear, the pivot to cyber through both your own intrigue and your husband. Now let's fast forward to early days of Living Security. And I remember you guys like coming out with the escape room stuff before anyone was doing it. How did all that come to fruition? And then ultimately let's pivot from SAT or security awareness and training.

Ashley Rose (09:18.99)
Absolutely.

Ashley Rose (09:25.164)
You

Aaron Pritz (09:44.738)
to HRM and really get into maybe our listeners that aren't as familiar with that. It's not just another tool, but the tools have to look very different from what we've seen over the last decade.

Ashley Rose (09:56.727)
Yeah, absolutely. So, I'll actually go back to that Black Hat floor because the two insights that I heard just from every conversation, they're, they're actually, you know, quite similar. One, there's a lack of engagement with cyber, people were not paying attention. It was not presented in an understandable and, you know, in an approachable way. And therefore they're zoning out.

tuning out and still doing the same things post the training, despite, you know, clicking through and getting all the answers correct. So there was no, there's no engagement, no behavior change. The second thing that we learned was that outside of, you know, I would say kind of easily fraudulent metrics, completion, click rate, report rate, right? We can make our click rate go down if we make our phishing scenarios easier.

We did not have any way to effectively measure and quantify human risk. Those were the two things that really stood out in my conversations. And so I actually remember sitting at a park. I can tell you like the exact location and Drew and I sat on a hill and we like debated hardcore. Which one are we going to go after first? Because like we couldn't do both, right? When you're, when you're like a new startup, you are two people and little, like a little bit of funding, you got to choose. And ultimately.

to maybe my dismay, because I probably would have built human risk management in Unify back in 2017 and it would have absolutely failed, fallen flat on its face and nobody would have bought it. We opted to go, it was ahead of its time. We had to go the engagement route. And so we said, fine, let's do it. And so what was the fastest way to get products to market? It was to, and I were not technical coders, although now with AI, I actually do a little coding myself.

Aaron Pritz (11:30.558)
Mm. It's ahead of its time.

Aaron Pritz (11:47.214)
Vibe it, vibe it.

Cody Rivers (11:47.916)
There we go, now we're talking.

Ashley Rose (11:48.399)
I'm a, I'm a viber, a vibe coder. So, and yeah, so we said, well, what can we do? We can, you know, take these escape rooms that were like, were really, really popular. They were just kind of hitting, you know, a big streak, just kind of like with the general public as well. And we were going to turn those into security training. And so we were literally like, you know, going to Goodwill at the beginning, picking up props and then retrofitting them to basically like mimic security situations.

packing them up in boxes, like literally luggage and suitcases, jumping on planes, and then getting on site with early customers and running these escape room experiences for their employees. And I'm talking like turn and turn, like every 30 minutes we're getting like eight people in a room and I'm on site for days at this point, right? Cause we're trying to get like mass audience through. So what I, what, what was really unique about that opportunity is I got to sit next to these program owners.

Aaron Pritz (12:31.182)
you

Ashley Rose (12:46.028)
the CISOs, the leadership team that they wanted to bring through. And I got to hear firsthand for hours at a time, days at a time, weeks at a time, what was going on within their human risk and cyber program. So like Unify, like the human risk management concept was actually like birthed on the ground floor in security escape rooms, alongside of the customers. And so that's truly like how this concept really developed. Like we knew we needed to be able to quantify risk, but we didn't really know how or like what it would look like.

but we actually really got to materialize that while we were on site with the customers during the escape rooms. And so there was a really like natural progression there. I'll say, you know, to kind of quicken that. So the escape rooms were very popular, customers loved them. One of the things that it truly did that I think you do have a hard time doing sort of with like mass scale online training is like the security team.

was in the room and they got to see like the benefit and value of the program that they were providing firsthand because the aha moment would like you'd pop up and you'd almost see this person like the light bulb go off when they learned something like unique or they would ask a question or say, I saw this thing on my phone come through. Like it was so visible. The ROI still hard to quantify, but very visible. And so that really motivated the customers to keep like wanting to do that more and more.

Um, it actually probably wouldn't have been for like, you know, outside of COVID that I don't know that it would have been really hard to shut it down because it was so beloved. Like we still have people today come back and say, do you have these escape rooms? Um, but anyway, COVID obviously accelerated, you know, accelerated the need to be online and achieve scale. And so it was through 2020 and then some capital raising that we went after problem two, right? Which is how do we, how do we get visibility? How do we quantify risks?

how do we deploy interventions at scale and how do we drive an ROI from our programs? And so that was really like the accelerant for us was through, like many businesses, like the COVID pandemic, you have to pivot and go with where the market's going and it's been a great journey from there.

Aaron Pritz (14:55.084)
Love it. So Ashley, talk about, because I think when HRM was kind of relabeled, Forrester declared it, I know you mentioned to me in the prep that Gartner just asked if we could do another, if it needs to be renamed again. And I think both of our reactions were very similar. Talk to me about, I think there was a misperception early on that risk quantification was going to be on

the human risk signals that were available today, like phishing, like we're doing metrics better. But talk to me about like the broader signals that, you know, an evolving HRM program should be pulling in and really how it starts to look very different from what SAT was able to measure and metric over the past.

Ashley Rose (15:43.735)
Yeah, absolutely. So we started very intentionally and the naming convention was also very intentional. We called it risk management because I believe that is our jobs. You know, we are human risk managers. We're not human risk eliminators and risk management is a business security function. They have to work hand in hand, right? So and I do believe I said this on the prep that I think risk is not inherently good or bad. I think there is.

Aaron Pritz (15:59.362)
be nice if we could.

Ashley Rose (16:12.01)
acceptable risk and sometimes you know have to take risk to drive competitive advantage. So when you have CIOs and CEOs saying hey everybody in your organization needs to be using AI tools and there's like not a lot of you know security governance and restriction the question is at that point how do we like how do we manage right the risk around this and ultimately you're weighing out the the up

side, right, the potential benefit of letting people do that with the downside risk that could come with a security incident, a breach, right, privacy, all that. so, and we know where that's landed. think generally many, most companies that I've, you know, have talked to, like they want their teams interacting with AI and they're going to go figure it out after the fact. Now we have, you know, maybe more compliance oriented or people that have, you know, maybe not quite that risk tolerance.

that are blocking or restricting, would beg that, you know, I would say there's probably a lot of like shadow AI in those environments, but we'll, talk about that later. Um, but back to your question. So started out with, okay, this is truly like a risk management function. How do we quantify risks today? Likelihood and impact, right? And so how then can we quantify human risk in the form of likelihood and impact? And so with that, that was really like the basis of where we started. And so we said, well,

What are we learning from our metrics today? Well, how, what's the propensity of somebody to click on a phishing email potentially, because, you know, these are also simulations. They're not real, but like it's giving us some signal. And then are they taking their training and are they compliant? And like, that's really not a lot of depth, right? When we're thinking about risk quantification. And so it had to be more. And so then the next question was like, well, where can we get?

Aaron Pritz (17:54.734)
It was that? Yeah.

Ashley Rose (18:03.15)
some of these risk signals from. And so we realized that like a lot of this signal aggregation was already happening in the security teams, right? We had SIEMs and SOARs like gathering and collecting data across, you know, your entire infrastructure and security tech stack, but they were like feeding it back into, you know, a solution that was really optimized to manage, you know, your network, your assets, your devices, like it wasn't tailored for user risk.

And so in a similar way that the SIEM was collecting the data, we realized we could actually start getting a lot of behavioral data about users, not it for simulations, but just how they were interacting with their environment. Was their endpoint compliant? Are they clicking on a real phishing email? How are they handling data? What websites are they browsing? Are they using MFA? Are they setting strong passwords? Like the list goes on, but a lot of behavioral signals. So that was great. That was a great signal start.

I would say there's some companies out there that will stop there. We said, well, that's not really true likelihood and impact either. And so how do we, how do we move beyond? We need, we need a threat vector. We want to know like, is this person getting targeted? Right? Well, there are signals, contextual signals outside of the behavior that really matter here too. So maybe we can get some of those through threat intel platforms. And we see people who have breached credentials, for instance, that were found on the dark web. Absolutely. And so then the next piece was.

All right, now let's think about the impact. Where can we get that signal from? Well, we can tell who has admin privileges, right? Who has privilege escalation. If their accounts compromise, you know, what's the blast radius for this individual? And so we wanted to go after the sort of inherent risk signals, the identity signals. And we really, we believe that if we could marry these two, these three areas, the behavior, the threat and the identity, we could give you a really, really solid.

risk quantification engine or an HRI score and really give you the opportunity to start prioritizing where you spend your time. How do you get to that 10% of individuals that are driving 73% of the risk? And that's a backable claim by a study we did last year. So I think that answered your question, but like it really was that simple. It was just, what do we need to get? What do we need to accomplish? Where is the data? Can we connect it? Does this make logical sense? And then let's go after it.

Aaron Pritz (20:27.65)
Well, and one follow-up on the, we connect it, for those of us that went through like UEBA, you know, probably five, 10 years ago, UEBA implementations and lots of, actually one of the managing directors on our team, when we, he was first getting introduced to HRM, was like, man, I went down this with UEBA and all the connectors and trying to get everything. And it always sounds great from the vendor perspective, but then nothing connects right. But that was 10 years ago, APIs are different. The world is more.

Cody Rivers (20:45.272)
You

Aaron Pritz (20:56.704)
interconnected, what does that look like for you guys and the kind of promise of the great things you can do if you connect everything to actually connecting it? What does that take?

Ashley Rose (21:03.266)
Mm-hmm.

Yeah, that's a great question. So, certainly we have stumbled quite a bit. I have all the bumps, the bruises and the scars to prove it is what I tell people when I'm, especially when I'm speaking to the enterprise. I'm like, we've seen it all. Like we work with the biggest companies in the world. There's a lot of messy identity, you know, out there, like a lot of messy identity systems. And so one of the first things that we did was realize like we needed to create our own entity resolution and identity graph in this solution.

because we're going to like see Ashley in her, you know, and at on the endpoint and in the web application firewall and like in the email security tool and like, it is going to look different in all of these systems. And we needed a way to bring it all together and see like who actually was what she was doing, right? All of those things. And so, so that was the first thing we did. And so then it didn't like, we like a source of truth, right? Typically that's coming through like an HR system, a Workday, maybe it's coming from your Okta or your SailPoint, like an identity solution.

but we could then orient everything else around it. And we're really kind of like cleaning up the identity mess in a lot of these organizations. So that was the first piece. The second thing was when you go out to these APIs and you're bringing in signal, we knew we did not want to be like an alerting and noise platform. And actually something I think is worth noting that you said, right, when you did UEBA, like,

Oftentimes the complaint was like, this was very noisy. There was a lot of alerts. Like you couldn't really find the needle in the haystack that you were looking for. And it was also like very reactive in its approach. It was meant to be more of a detection response system. HRM, our focus was on how do we shift left and how do we go to predict and prevent so that we're finding the signals and the sequencing that could lead to an incident and getting in front of it before the incident and the breach occurs.

Ashley Rose (22:57.452)
And so it was a very different mindset and approach. And so the data model had to support that as well. And so we said, we don't want all the data. We want that meaningful data. And so we got really specific about what parts, what feeds, what signals and streams we're going to be pulling in. It had to add context and value to our model. And the output needed to not be noise or junk either. We wanted the output to be actionable. And so when we started building the signal library and all of that, it was with the mindset of how do we make this actionable?

I'll say like maybe this last third thing to answer your question. There are a lot of systems out there. I would say pre-AI, it was very like time consuming and costly to build out a lot of APIs direct to these systems and we found like enterprises would have, I have this homegrown system or something you've never heard of, and so our team spent a lot of time like building out custom connectors and we had, you know, sort of an internal like, you know, sales engineering position.

where we would have to go out, we'd build this custom connector, we'd work kind of directly hand in hand with the customer and making sure that there was trust in the data that was coming in. That was absolutely critical. It's actually why one of the first reasons we started outreaching to partners like Reveal Risk and others is because we said, hey, there's really a need for services in the upfront implementation of this for these enterprise customers that have complex environments. so...

So yeah, I'm not going to like say that it was really easy. We learned a lot. I think we've gotten very good at this. It's like one of the things that is standard-ish about our company. And then certainly with AI, we're, we're doing some really cool things where, you know, now deploying like AI against an API, you can actually do things like best guess matching and then surfacing up, you know, signals that you haven't seen before. Like the AI can kind of like map that to the data models. And so there's some really cool advancements which we can get into, but

But yeah, complex environments takes a lot of work and we spent the years to figure it out.

Aaron Pritz (24:54.784)
Love it. Actually, do you have a dog in the office?

Ashley Rose (24:58.242)
I do. Did she? I can't hear.

Aaron Pritz (24:59.702)
No, no, it was perfectly timed because when you were talking about signals, all I saw was a little tail wagging right below your name. I'm like, perfectly timed. It was on cue. Love it.

Ashley Rose (25:12.055)
Yeah, so she was supposed to be with, I have a child home from school in the back room who's supposed to be keeping the dogs quiet. So I'm going to have to shoot her a text.

Aaron Pritz (25:19.702)
Hey, we applaud when office canine workers make an appearance. So that's welcome on this show.

Ashley Rose (25:26.292)
All right. All right. Good. Good. Well, she may jump up in my lap if we let her if you know we keep saying what a great opportunity that is for her. But we'll see.

Cody Rivers (25:27.732)
yeah, yeah.

Aaron Pritz (25:32.935)
Hahaha.

Cody Rivers (25:33.656)
Ashley, you've done a lot of cool things. And I want to talk about kind of like the action out of what you're gathering the data. And I think, was that the prep call or was it on an interview I think I read that you did recently, but you said something that stuck with me. And it was like, make the secure path the easiest one to follow. So kind of give us what that looks like in practice.

Ashley Rose (25:55.937)
Absolutely. first and foremost, CISO security leaders, like they need to know where to spend their time actually learning about which pathways are broken. Cause I think a lot of times we actually don't know. Cause we're trying to like combat the thing that's like on fire in front of us. And we're maybe missing out on some like really big opportunities to, you know, enable faster work streams, drive business efficiency and like enable the business to drive operational results in a secure way.

And so the first pass of that, the first requirement of that is can we go figure out, is there like an unknown unknown in our environment, like an area of risk that's just like, we haven't quite figured out. And we've seen that in a couple of our customer environments where it's like, okay, this group of people continues to do the same thing over and over and over again. And in the past, I think we would have said, those, you know, stupid users, like they don't care about security. Why are they doing that? Reality is that.

guess what, we're putting a lot of friction in their job. They need to go get something done. They have a goal and an outcome, right? These people were hired. They're smart people, right? They're either an interview process, they're given a mission. And so they're trying to get their job done most of the time and something's in their way. So, you know, an example I gave, maybe it was in the prep call, was, you know, we were working with a healthcare system and they were like, Hey, these, you know,

nurse practitioners and doctors, keep like sharing their password and you know, they're not, you know, they're bypassing MFA and all these things. And it took actually like going and having a conversation with that business and even like maybe getting on the ground floor, like going to the hospital system and saying like, what is happening? Why are we behaving like this to realize these healthcare workers, like their number one job is to save patients' lives. So they're on the floor, they're trying to get their job done. And like this system's logging out.

pretty consistently and like they're moving carts around. It's just taking so long to get, you know, to the patient record and in whatever else. And so, you know, that's a risk, a risk decision for the business. Like, do we, do we want to keep this type of, you know, log out time on the, on the system? Maybe we want to, we want to extend it. Is there like a different type of tool that can make it easier for these, you know, doctors and nurses to log in? You know, there's, there's something here.

Ashley Rose (28:14.126)
that it's not what we're doing now, because the behavior that we want is not happening, right? The behavior we don't want is happening. So that's not secure. And on the flip side, we have frustrated finished clinical staff. And so that's just an example, but like it required the data to be surfaced to start and like ask the question, like, why is this happening? Go investigate, go spend time with feet on the ground or go have a conversation with, if you would be so right, your business owner over there.

And then really co-author and work together to strategize what's going to work for our business. What's our risk tolerance and let the business make the decision, right? Is this acceptable risk or not? Do we want to pay to mitigate it, to transfer it, to reduce it, whatever that is. And so that would be like one, you know, kind of on the ground example. There's plenty of others, but like sometimes it's a systems issue.

It may not be the bad users that keep doing something wrong. I mean, maybe it's a problem, but we're not going to train that away. Right. Like, and if we could have, we would have by now.

Aaron Pritz (29:17.514)
Yeah, actually I'd like to double down on like the business process issue piece, because so when I was on the corporate side and had the FBI arrest and the insider threat, you know, no lack of executive support to fix it, which not a lot of cyber leaders get. You don't want to get that level of support, but when you get it, you can do a lot of things that you maybe couldn't if they're still kind of doubtful that it'll happen to them.

Cody Rivers (29:39.798)
you guys on.

Aaron Pritz (29:45.346)
But on broken business processes, right after this, obviously, we really amped up the data loss prevention capabilities, because data loss, data going out the door, exfiltration, that is insider threat. And when we were first turning it on in the high-risk countries as well as the high-risk business areas, all sorts of alerts. And some of it was white noise. But a lot of it was, in that case, insider threat. HR is doing interviews, and you're doing investigations. And if it's

you know, not a false positive, then like, you know, potentially someone is doing something bad. But what we realized early on is there's so many broken business processes and people have done things a certain way, you know, emailing to vendors in clear text, it's very, very sensitive files, or pick whatever bad behavior it was. And it wasn't anything any security awareness training, once a year, quarterly, bite size, was going to fix. Like somebody needed to go

re-engineer that business process. And then the second thing on Cody's question, like making it easier. Hey, if you have the signals from a quality tool, HRM, DLP, wherever you're identifying the gap, and you're going to go in and fix the business process to make it secure, while in there, why would a cyber person not want to take some credit for like getting rid of unnecessary steps and making it go very much quicker? We had a bunch of success when we used Six Sigma Black Belts to kind of

parachute in. And again, it's hard to ask a business process owner to be like, hey, here's an HRM report and your business process is broken, on top of everything else you're doing, go fix this on your own without direction. That won't work. So I'm a big advocate for our industry, and CISOs have understaffed SAT. It's usually, a lot of companies we see, it's like a half of a person. If we want to get HRM right, we can't expect, even with

the greatest tools, if you don't have the human capital around them to enact the positive change, there'll be a lot of good signals and tools, and we can block stuff, but like, let's put some effort and resources behind this and do all the things that CISOs wish the human side of cyber could help with. So I get a little passionate about that, but what are your thoughts on the, how do we go fix it?

Ashley Rose (32:00.824)
Yum.

Ashley Rose (32:06.444)
Yeah, there was like so much goodness there in the story that you just told. So a couple of things really stand out to me. First and foremost, it's not just about adding capacity, but it's also empowering, enabling, and like actually elevating that particular individual, or individuals. So I remember like one of the first decks that we built around human risk management, and again, in partnership with the customer, it was like,

there was like a table and, you know, sec ops was there and like insider threat and TRC and like the network security team and like, you know, the list goes on, and, you know, they're at the table and they're like enjoying a conversation. And then there was like the kid table over to the side, and the security awareness person was like sitting at the kid table. And like this analogy came from our customers. They were like, we aren't invited to the conversations. Like we don't have a seat at the table.

And so how do you expect them to go help solve? Like your number one risk is your people, like the stats are clear. And like you put a person on that, that is great. Like they are motivated, but they did not have the tooling, right? They do not have the access. They oftentimes do not have the executive support and they don't have the budget. And so that is like a really hard position to be in. And so when we talk to

this type of individual, they are like, they're always telling me, they're like, I want to do more for my company. I want to be able to prove out that the work that I'm doing, like I know it's doing good. Like I can feel it, like, right, I can see it. Like I can see the light bulb moments, but like I have no proof of my effort. And so it's hard for me to communicate around that and I can't get budget, right. So that is like still very much, I'd say, the state of the industry, where we need to do more work. So,

Yes, we need to give them a seat at the table and we need the cyber teams and we need CISOs to recognize that this is like a critical attack surface and you need to manage that well and you need to stop it well and you need to be breaking down the silos in your security team. And so then moving to the tool, right? How do we do that? We always say like human risk management tools when implemented and operationalized effectively are breaking down the silos.

Ashley Rose (34:31.32)
So first and foremost, we can't do anything without the security data. So we need sec ops at the table. We need the tool owners. We need to be pulling in and adjusting the data, but that should not stop there. When we are able to categorize and derive really important insights and prioritization of risk, there's so much value for these tool owners and context that we can provide them can actually enhance the value of the tools they've already invested in and that they're spending their time. So let me give an example.

the DLP issues that you were talking about, you probably weren't going to go block every type of DLP alert that came through. Actually, many times the DLP UEBA solutions when they're first put into practice are in read-only. There's not a lot of write happening. We've seen that and people have negative connotations about the first pass of this. But the real reason was because it is noisy.

And like, there was a lot of risk if you blocked somebody from getting their job done. And especially when it was like, maybe not a malicious insider, right? There's a lot of false positives in there, but what if we could start prioritizing those alerts for you? What if we can marry high risk individuals across numerous systems, across their identity system, across their email system, like, you know, what are they doing within phishing and all of that? So on their endpoints, their endpoint out of compliance, what if we could see very clearly that this person holistically is very high risk?

And now we're also seeing a lot of DLP alerts. Maybe we would turn on a block for that individual, right? You know, and then people that are more vigilant in nature, right? They're reporting phishing emails, they're taking their training and they're doing them. They're setting strong passwords or using MFA. You start seeing that, like, maybe you're going to not block it right off the bat. Maybe you're going to send them a training. You're going to send them a nudge and like redirect them to the appropriate business process. So

you can start providing contextualized and adaptive controls and policies when you have the context of that individual from a risk perspective. I think there's a lot of value for security teams in doing that. And then I think there's two other points I wanted to make from what you said. So efficiency is key. We have small teams across all of security. We are understaffed, not just in the human risk side of things.

Ashley Rose (36:54.656)
And so it was really important for the platform to be able to enable a lot of efficiency and workflows. And so there's a lot of business, like broken security business practices. Like if you want to just like clean up your own house first, you know? And so for instance, like I had a customer tell me, okay, well, when there's like an exception policy that's requested, you know, the plan is, the path is, that they need to go and they need to take their training. Once they take their training, we can give them the exception.

Cody Rivers (37:07.256)
You

Ashley Rose (37:23.694)
And then, you know, if they don't have it after so many days, we need to go like revoke that access or exception. And that this was all happening manually. Like it's tickets going into like ITSM and ServiceNow. And then somebody is like getting a list and they're like sending a training and then they have to go track and see if that person took their training. And then maybe like if they go check on it, you know, they're going to go check on it later. Maybe they didn't take it. So we have to go send like another ticket back. We're going to revoke their access. And then that user is like pissed. They're like, I can't get my job done.

Aaron Pritz (37:40.59)
So much waste.

Ashley Rose (37:51.843)
Like what if that whole thing could be automated, right? Through a platform like an HRM platform. And so this is where like workflows and automation can be really helpful in achieving scale. If you can clean up some of like the operational burden and friction of just like the management of these programs, you can actually like take those resources and like reposition them and pivot or focus to something that is more strategic and they can get more, you know, get more done. You get more, you know, bang for your buck with your security budget, if you will.

Aaron Pritz (37:51.928)
Yeah.

Ashley Rose (38:20.75)
Um, and then the last thing I think you said was around ROI and measurement. Um, that's critical because, um, if you can't, you know, especially today, like if you can't provide business justification and some sort of ROI story. It could be as simple as, Hey, instead of requiring everybody in my organization to take 30 minutes of training a month, I'm only going to target risk-based training to the people that need it. And that's probably about 10% of my staff. And so the 90%, that equates to 10,000 people, we're saving 30 minutes a month.

The average cost per hour of wages for our people is this. This is like the potential cost savings for the business by going into more of a risk-based approach versus requiring training for everybody all year long. Like that was just one example, but it's more concrete, right? It's black and white, versus trying to say like, okay, what is like the risk avoidance? Like, do we quantify that? Certainly we're working on those things as well. But I think we need to get more creative and like that financial oriented mind

that you said earlier, that's sometimes really great to be a part of the security team. Like they can be helpful in those, you know, business calculations.

Aaron Pritz (39:25.699)
Love it.

Cody Rivers (39:26.166)
Yeah. And thinking too, like we've been, you know, years in the game now in security awareness training. I think HRM now is kind of catching some of the fire. And I think we're getting some of the groundswell. Do we get to critical mass? Does the name change again? I mean, what are your thoughts, or how do we start to get this in the limelight, or does the narrative shift again on the name of what we're trying to accomplish?

Ashley Rose (39:49.431)
Yeah, great question. So if you look at like analyst coverage today, they'd probably say that we're still at about 15%, and I would say that's growing and it's accelerating adoption of true human risk management. Again, I do believe like the last, I would say the last maybe three, four quarters to almost a year, like we've actually seen a huge uptick, and we track things like number of RFPs that are coming in, or we can see like customers and all that stuff. So that's really good news for all of us because, as you know, like,

Third party risk and supply chain is a big thing. So if we're all safer, if we're all more secure, like everybody benefits, right? So we should all be advocating for this. Look, I think naming convention, I feel pretty strongly like this is a risk management function. So I think that's great. Human risk management, who knows, right? Because the workforce is changing. And that's really where we're spending some time is really understanding that the workforce is now hybrid human and AI agent.

And so then therefore, like the workforce attack surface is changing before our eyes. We know that humans and agents are interconnected because we're delegating access and we're creating them. We have agents working on behalf of humans. And so we need to get our arms wrapped around the broader workforce challenge and equation right now. And so does that turn into something like unified workforce risk management?

Aaron Pritz (41:11.374)
you

Ashley Rose (41:11.726)
I think there is probably, over the next decade, some sort of change that's going to occur. But for right now, as we're maturing this category, you know, we talk about this as like, it's, you know, we're a human-responsive vendor. We operate in this category and we're not thinking about the hybrid workforce, which is inclusive of our AI agents.

Aaron Pritz (41:31.18)
Yeah, no, that's a great point. What I do know is I don't want it to follow the path of GRC, you know, similar, Gartner, Forrester renamed GRC integrated risk management or IRM. And now it's back to GRC, or there's confusion. Are we back? Are we not? And what didn't happen was the tech, the technology didn't shift materially. And if analysts are calling for a name change because the technology category is not showing value, that's not a naming problem. That's an

adoption, people, process, technology, making it all work together, and a technology capability problem. So I've already seen a more substantial change in HRM from SAT than there. I think the GRC to IRM was more hype and surface label, or lipstick on a pig, than it really was materially changing what we're focused on from a practitioner standpoint.

Ashley Rose (42:25.866)
That's right, Aaron. So I will say there's still, you know, and this always happens, but you always have like those vendors that are saying, oh, like I need to jump on the hype wagon. I'm going to call myself human risk management. But if you like peel back the covers, it's really like phishing and training with a stoplight, you know, like numerical system on top of it, red, yellow, green, zero to a hundred, whatever you want to say.

And they're saying, we're doing human risk management too. We can give you risk scores, but like, it's really like the same old metrics, like in a different way. So look, I think that's up to the market, right? When they're going through RFPs and they're putting out criteria. It's why like we win our POVs 90 plus percent of the time, because truly like the value and the proof is in, you know, in the delivery, but we cannot be remiss.

we have to recognize that human resource management is a strategy and you can't like deploy a tool and expect results overnight. It does require business conversations, it requires breaking down silos, it requires strategic alignment, it requires an executive sponsor. The companies that are doing the best are the ones that, their CISOs are on the QBRs.

Aaron Pritz (43:20.941)
Mm-hmm.

Ashley Rose (43:41.945)
Their CISO is at, they're trying to figure out what's going on in this, you know, in this human attack service, like what's this platform showing me? And they're helping to drive business change. And they're, you know, bringing teams together around that and they're saying, I can use this data over here as well. And so I think executive alignment is absolutely key. And then, you know, partners like Reveal Risk as well. They're not, you guys are not paying me to say this, but like, I'm a true believer

that if you can find like a really strategic partner to come in, that understands like the ins and outs of security organizations, like friction and all that, like they can help you navigate, you know, deriving, getting all the right stakeholders there and then like implementing, executing and managing a program. Like that can be an unlock for a lot of companies, especially if they don't have the resources internally. So I think, you know, we got a match made in heaven in front of us.

Aaron Pritz (44:35.97)
Agreed.

Cody Rivers (44:37.588)
Well, thank you, Ashley, again. We always have one question for our guests, and this is because it's a VIP experience. But for those who wouldn't know Ashley Rose, or, you know, know you personally, give us, give our crowd like a fun fact. What's something that maybe no one knows about you? It could be brand new or it could be something you've been keeping back on us.

Ashley Rose (44:51.223)
Hmm

Ashley Rose (44:54.83)
Well, you know, I founded a swimwear line. I think that's a pretty fun fact. So one of my goals in life is to get my pilot's license. And so I've taken a couple of flights, but I still have a ways to go. I think that's a pretty fun fact about myself and I will get there. I don't know if my husband will ever let me fly my children around, but I'll be up there. I'll be up there in the sky. So.

Aaron Pritz (45:05.132)
Nice.

Ashley Rose (45:22.402)
Yeah, I would say that's like an, you know, an unmet dream that I'm pretty excited about. So I'm sure there's more, but hopefully that one's good enough.

Cody Rivers (45:29.208)
That's awesome. That's great. I'm sure at some point we'll see the future. He could share a story he had when he was doing his pilot's license, but it'll be BF.

Aaron Pritz (45:37.306)
I don't want to scare Ashley away from the pilot experience that I had in high school as I was prepping, but that's a story for part two of this podcast. Ashley, thanks so much for joining us and looking forward to seeing you in Boston, where I think we're both going to be at HealthSec and hosting a dinner. So would love to meet mutual fans of both companies as well as great cyber practitioners doing great things if anybody's out in Boston.

Ashley Rose (46:03.65)
Amazing, yep, see you there.

Aaron Pritz (46:05.518)
Thanks so much. Have a good day.

Cody Rivers (46:06.784)
See you.