Episode 65
Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, and I'm the host for today's episode. I'm really excited. This is something I've been waiting for a long time.
This episode has been in the works for ... I've had the plans for quite some time. I'm really excited to be joined by the most entertaining person in cybersecurity, Ian Murphy. Ian, over to you. Can you give us a bit of introduction about yourself, what you do, and what brings enjoyment to your life?
Ian Murphy:
Thank, Joe. Thanks for the lovely, kind words. As a working class lad from Liverpool, I take praise very difficultly. So if I'm not effervescent in my thanks, that's just my upbringing. Bless you for saying those things. What do I do? What do I find enjoyable?
I essentially do stupid videos on social media and for awareness campaigns that hopefully bring a little bit of fun back into cybersecurity. With the main aim of helping those of us not in cybersecurity increase our cyber savviness. My thinking behind that is if I can get people engaged in a one, two, three, four-minute video, instead of boring the living daylights out of them with presenters who shouldn't be let anywhere near another human being, to be quite honest ... Then, I think I've done my job. I think I've got people engaged.
My whole raison d'être really is to help the people like my dad or my wife or my son or my brother, or my wider family who don't have a clue about cybersecurity, and will never want to have a clue about cybersecurity. I just want to help them pause a little bit. I just want to help them pause. Even if that means picking the phone up to me and saying, "Ian, you're in IT. What about this?" I've done my job, then.
By the way, if people do watch this podcast and then pick the phone up to me, you're getting hung up on straight away. I've been in cyber about 30 years. Kind of fell into it in the early 90s, as most people do, because I wasn't a good enough footballer. My dream was just football then.
Nobody wakes up and goes, "I want to be in cyber." It's like people waking up and saying, "I want to be a bass player." Nobody ever does it. I fell into cyber after a failed football career, where I managed to play semi-professionally, but just not good enough to make that much of a living out of it. The other reason is I once lost a million quid live on TV.
Joseph Carson:
I remember that. Was it Who Wants to Be a Millionaire? No.
Ian Murphy:
It was a Dec show called Red or Black? That was backed by Simon Cowell.
Joseph Carson:
That's what it was. Yes. I remember that video. Watching it.
Ian Murphy:
It's a simple choice. Red or black. Right? You had to do a bunch of stupid games. Got to the end. Live TV. Nine million viewers. Red or black? I'm a Liverpool supporter. I chose red. Of course, I did. It came up black. That's a sobering experience to be the first person to have done that.But as I say, I've been in cyber 30 years. I've done everything from working in government, to working with software vendors, to working in consultancies. To now, running my own business and doing my own consultancy. I've worked for myself for the past 16, 17 years. Because really, nobody else will employ me, and I have a distaste for people in general. I don't like being around people in general, to be quite honest.
Joseph Carson:
You like talking to people though.
Ian Murphy:
I don't mean that in a nasty way. I mean that in the fact that I think I'm an introverted extrovert. Put me in a room full of people I don't know? To network? I'm a wallflower. I'm stood against the wall. I'm clutching my bottle of beer or whatever, thinking, "Is there anybody here who wants to talk to me about football?"
Because I don't do chit-chat. I'm not very good at it. Put me in a room full of people? Of friends? Give me a couple of beers and point me at a karaoke and you can't get me off it. It's strange that I would in later life consider a career as a standup comedian, because it's the worst thing in the world for that type of feeling.
Joseph Carson:
For that type of character. It's always good to challenge yourself. Actually, we have so much similar backgrounds. Even for myself, I'm still trying to kick off my football career today. It doesn't go so well. Even a few weeks ago, I got a good headbutt to the jaw.
Ian Murphy:
Wow.
Joseph Carson:
Actually, I'm so lucky for this podcast that I actually ended up with a cracked tooth.
Ian Murphy:
Oh, gosh.
Joseph Carson:
I just had the dentist. It was on Tuesday this week, so I finally got the tooth repaired. But I just can't stop playing football. I can't stop having that wish that my football career would kick off, but it's not. It's that getting away. Just being physical. Having a challenge that's outside of what we do. Because we started our careers back in the '90s.
Ian Murphy:
Yep.
Joseph Carson:
I don't know about you, but I always thought when I started the career, there was a lot more opportunity to have fun. It was enjoyable. You had a laugh. I remember even doing ... I think it was Windows 95 training. I used to work for the NHS. It was actually the South & East Belfast Trust. I remember going and training all the people who had these big typewriter on their desks how to use Windows 95, and how to basically do word processing.
Oh my goodness. The laughs I had. When I went into some people's desk, and there was a drink can sitting in the CD tray. The mouse was on the floor. They're whacking the mouse with their foot. Just the fun that you had. But for me, I think over the years it's gotten very serious. It's very mainstream news.
And it's gotten to a very scary place. Have you had the same feeling? Have you felt that we've gotten to the point where cybersecurity has become such a serious thing that it's not as fun anymore? Is that something that you've felt over the years?
Ian Murphy:
It's the thing that drove me to do what I'm doing, to be quite honest. I've got a whole 15, 20-minute cyber routine around that type of stuff. I think partly, it's socially in the era that we're in now, where everybody's afraid of offending somebody. Or, "You can't say those." Well, you can say whatever you like. There may be consequences for it, but you can actually say whatever you like.
I think if you intentionally set out to offend people, there's something wrong with you. I think you're just a displeasurable character. Or an unpleasant character, I meant to say. But if actually somebody takes offense at something you've said ... There's not nothing you can do about that, because they've had an emotional reaction to something you've said. They're asking you to do something about their emotions, which is something we can't do. We can't control.
We can barely control our own emotions without worrying about other people's. There's a special kind of character as well who takes offense on other people's behalf. I'm like, "What's that all about?" They say, "You can't say that." Or, "I was offended because you said that about that." You're actually talking to the person who they're getting offense on behalf by.
You're like, "What's your point? Do you just want somebody to talk to?" I'll talk to you if you want, but if you come over and ask me to do something I've got no control over, my response is going to be really short. It's going to be two words and the second one will be, "Off."
Joseph Carson:
Cyber Off. Is that the reason it's Cyber Off?
Ian Murphy:
That's the reason I called my company Cyber Off. Nobody else gets it. That's the reason I called it. It's an insult to people. I know that could limit business. But the idea was, I personally think if you're not telling somebody to, "Fuck off," once a day, at least once in the IT industry, you're not paying enough attention. Instead of doing that and people getting upset ... Because people get upset if you swear at them. Not me. I don't particularly.
I've had people in the shouting obscenities at me. Left, right, and center. It's not a problem for me, but that's why I thought of Cyber Off. Because the weird thing about cyber is everybody uses it now as a kind of mystique term. "I work in cyber." It's a bit, James Bond-y. What people forget about cyber is that back in the early '90s, "To cyber," was a verb.
To cyber meant to have online relations with people. "I cybered with them last night," which is essentially you knocking one out over a webcam. That's the problem. People are using a term that back in the day meant you were a wanker. That's where we are in the industry. We're going around proudly telling everybody we're in cyber, and I'm thinking in the back of my mind, "You've just admitted to being a wanker." That's where cyber comes from. It's like a tongue-in-cheek.
If anybody's talking bollocks about cyber, which people invariably do most of the time. Invariably. Then, I can just shout at them, "Cyber off." And if they say, "What was that?" I'll just say, "I thought you asked me what my company name was." See? Totally ingenious.
Joseph Carson:
It's a good way of saying it. I love it. It actually reminds me. When I went to university in the US ... I'm Belfast born and bred. Our native language is not the most pleasant.
Ian Murphy:
Quite true.
Joseph Carson:
I went to university in the US and people must have thought I was the most vulgar person ever. People were like, "What in the hell? This person's saying everything F this and S this." I was just like, "Okay." At that time in the US when I went to university, I slowly turned into Father Ted. I literally turned into Father Ted.
Everything I had to change. I actually literally changed all the words. It went to, "Feck." And then, it went to, "Shite." And then, it was, "Sugar." Literally, I just changed the words to something that wasn't as bad. That took some time for me to learn to just clean up. Now, when I go back to Belfast, people are like, "Where are you from? You're not from here. We don't talk like this."
Ian Murphy:
I get that when I go back to Liverpool as well, by the way. I've been away over 28 years and I've still got an accent. I know I've still got an accent. But when I go back home, it's not as strong as it used to be. So I still get that. I'm a southern softie when I go back to Liverpool now, which is hilarious for my friends. If nobody else takes anything from this podcast, other than they gen up on Father Ted and the back catalogue on Craggy Island, our work is done here. Our work is done.
Joseph Carson:
Bring Father Ted back. It was so entertaining. For me, it was just kind of ... What was it? Because I was living away from home. At that time, Father Ted was on air. Even Derry Girls as well. Derry Girls is always good.
Ian Murphy:
Bloody good. Bloody good.
Joseph Carson:
Absolutely. For me, I think the message for security definitely needs to go simplified. For me, one of the things I've gotten into passion in the past couple of years is to start bringing that fun back. It's to start bringing that simple message back. I think what you're doing is great. Because for me, I've seen a lot in the past couple of years. A lot of burnout.
Even with my co-host, who is unfortunately not here today, Chloe. She talks about burnout and PTSD. In this industry, it's sometimes ungrateful. You can go for months basically working around the clock. Incident after incident. Cyber threat and attacks. Just continuously. One of the things that I enjoy is, every now and again, when I turn run and look at my feed, and I see a video from you. You know what? I just pause everything else and I just watch it end-to-end.
Because what you do in your message is you really take something that a lot of vendors make overly complex and really get it scary. Well, you bring it back down to reality. You're the translator for security challenges into everyday society to what it really means for the impact. Focusing on the impact. How do we make that much more? How do we get vendors to also go into that direction as well? Also, not to take themselves so seriously as well. Because I think vendors sometimes get into that very serious approach. How do we really bring down those barriers?
Ian Murphy:
Bravery. It comes down to bravery. I'm not saying I'm brave. I'm not saying that at all, but it comes down to the big vendor with a huge following and a social presence and stuff like that. It requires bravery to bring humor into the equation. You see it with ... Specsavers do it from time to time. When a referee makes a bad decision, they come out with a tweet that says, "Should have come to us," or stuff like that.
I think that's a genius type of marketing. Or Paddy Power. Not that I endorse gambling or anything, but their approach to marketing is great. I think the problem with security is for so many years we've sold on fear, uncertainty, and doubt. Nobody's dumb. Let's be honest, when we buy a security product or technology, we're buying an insurance premium really. We don't want the bad things to happen. It's a risk balance and all that type of good stuff.
But in a sense, we're buying asteroid insurance. We're hoping that none of the attacks happens to us. We'll come out with scare stories and figures of, "Within six months of having a breach, all SMEs go out of business," and all that type of nonsense. Or we come up with spurious figures that aren't backed up, "Six trillion is the amount that is lost to ..." All of that. It's just like, "Pick a figure out of the air and go after it."
I think when you have to be real and authentic with people, and you then want to start injecting fun with ... It's difficult to change that tack from where you've been for a very long time. It's easy for me, because that's me. That's my personality and I get that, but let's say it was a big firm. One of the big awareness firms. KnowBe4 or Proofpoint or Cofense or CybSafe. Or any of those big guys. If it was any of those guys, I understand why they don't do it. They don't do it because actually they may have a lot of investment in customers who would think less of them for that type of fun approach. It's actually that.
When I've spoken to customers or potential clients in the past that have gone, "Not safe for work." Despite the fact that my videos have had millions and millions of views on social media. Hundreds of thousands of comments and likes and shares and all that type of stuff. Despite that fact of the engagement, they go, "I don't know if we would get behind that from a coaching point of view." It's not because it's their culture. It's because the people making the decision as a CISO or in HR are fearful of their own reputation, if they're seen to back something that may upset Karen or Dave in accounts.
They're happy to keep the rest of the company risk-free from that type of offense, but open the risk to more scams and more threats coming in, because of a couple of people in the organization. That just seems screwy to me. It seems screwy, that. I get that people may not like swearing. I get that they may not like sexual innuendos. I get all of that. Don't watch it then. Don't watch it. Put it out with a disclaimer that says, "This has adult content."
Ricky Gervais says it and he said it really well on his recent tour. It's almost like somebody puts up an advert of guitar lessons, you take off the tab with the number, and phone them up and go, "I don't want any guitar lessons." You're raging at them for something that you don't want. Don't do it. Don't do that stuff then. I also advocate for vendors or for organizations to have that layered approach.
I don't think I'm the one and only answer. I don't think the other big boys are the one and only answer. We have a layered defense and everything else. Why don't we have a layered approach in getting engagement and content and awareness and fun to people? Some people might like the more adult themes. Some people might like the stuff that Kathryn and her team at Cybermaniacs do, with the puppets, which is great.
There's a whole breadth of that spectrum. Don't tie your colors to one flag. I think that's where vendors as well do get it wrong. Because they're serving themselves. They're serving their shareholders. They want to make money, they want to make profit, and they want to potentially be bought at some point in the future. They're not then going to go into a collaboration with me or with Cybermaniacs.
Joseph Carson:
It might not also work on a global audience as well. For the content you're creating, which I love it ... For me, I think it works great in UK and Ireland and probably parts of Europe. It may not have the same in Asia. It might work well in Australia as well. North America might be a little bit different. It might mean that you might have to tailor different things for different regions.
Ian Murphy:
I agree.
Joseph Carson:
Rather than having it so.
Ian Murphy:
You're right, which is why I brought the animations out. I brought the animations out, which enables localization easier then. Instead of me on the screen with terrible dubbing, it's then just the animation. You could do the dubbing with an actor within that local language. And then, you make the jokes relevant to that local language. That's why I did the animations. I also deliberately made the animations safer for work as well, so people don't have an excuse not to use them.
Joseph Carson:
You actually bring up one of the lessons I learned many ... It's kind of a long time ago. It was late 2000s. Around 2008, 2009, I think it was. I was doing a risk assessment for a large transportation company. We were going down the path. I think I've mentioned this before on the podcast. We were basically doing ... A consultant had went and did a risk assessment. We were going in and we were reviewing that risk assessment, and making recommendations of what they can do to minimize the risk.
What we realized was that they were in silos. They had patch management doing over here. They were doing vulnerability assessments here. They were doing asset inventory here. It was all silos. Nothing was correlated. They had no good visibility about the overall state of security. They had it in individuals. They knew how many machines had been patched, but out of those machines that had been patched, they didn't know which ones may have not had the last vulnerability scan run. Or whether the content that the person was looking at was safe.
At the time, we went made recommendations. Our recommendations were a disaster. We were going down to the hammer, the enforcement of security, and making employees feel uncomfortable. We were preventing them from being able to do their work, because it was taking them longer to do things. They had to think and pause in performance and stuff. It was actually ironically one of the days we were having the room in the company location. The same day, there was a bunch of kids. It was like, "Bring Your Kid to School Day," or something like that.
Ian Murphy:
Yep.
Joseph Carson:
They brought the kids in and we were running ... It was actually six months into the project. There was no success and we needed to find quick alternatives. One of the people on the team said, "We might as well ask the kids." We thought, "It's an interesting idea. We haven't tried that. Let's try it." We actually went and we asked, "Can we get the kids in a room? We want to test our approach, to see if there's anything we can do differently." The point was, one of the questions to the kids was, "We're trying to communicate. We're sending emails to all employees, giving them this awareness training, and policies and things they should and shouldn't do."
The kids were like, "Huh? Why don't you try it in a comic style? Text doesn't mean anything to us. If we see an image, that's more impactful." We thought, "Huh? That was interesting." What we ended up doing was we took those policy-based emails about awareness, about plugging USB sticks and clicking on links, and we turned them into cartoons. We turned them into images. Little basically images. To your point, when we did that, it actually made translation much easier. Because then, you only need to change certain text and different boxes.
It actually meant translation was much more easier globally. You could actually translate it for different reasons, different locations. The best thing was, I always remember one of the funny comments afterwards. It was one of the kids. We were like, "How do you think we should make this available? Do we put it in everyone's desks? How do we send this out? Do we use email to send it out?" One of the kids put their hand up and said, "Why don't you put it on the back of the bathroom doors? Because every day, someone needs to take a crap." We're like, "That's actually a very smart thing."
It was two minutes of uninterrupted time of IT security policy on the back of the bathroom doors. For me, you're absolutely right. I think how you've evolved your message going into that same path definitely shows that we do need to bring a lot more of that. Images. I think what also your message really gets down to is the impact. It's also, "What is the impact to people?" Because I think that same project that I worked on. We were looking, "Who's the best people to be our communicators and go-to people within the business units?"
Ultimately, what it resulted in is that the best people to talk to was the victims. People who knew what it was like. Who had been victims before. They were the best people to portray the message. They became cyber mentors or cyber ambassadors. Whatever different names different companies have for it. But it was a great way. Us seeing that evolution.
What you're doing today really has carried that on to the whole new delivery message, delivery mechanism. I think it's absolutely great. Can you show the audience, what does it take to create those videos? You probably have a lot of fun in the background creating them. I think it's with your green screen and your costumes. Do you have a costume shop that you go to?
Ian Murphy:
No. We've got quite an extensive range of them now. Mostly about the wigs. People comment on the wigs mostly. I'm sure they think this is a wig as well. From a creative point of view, I think the important thing is to surround yourself with smarter and more creative people than you. Because everybody thinks they're funny. Everybody thinks they've got a creative gene. Everybody thinks they can sing on karaoke or whatever.
The reality is somewhat different from that. If I had a pound for everybody who'd said to me since they found out I've done standup comedy, "Here's one for you," I'd have at least 70 in quid at the moment. Everybody thinks ... By the way, most of them would get Bernard Manning canceled off TV. By the way.
I'm like, "I'm not going to tell that and it's not funny." But, "No it is. It's funny." "No. I'm not telling it." From that creative process, it's about getting in a room. Kicking ideas about. Or getting over email and kicking ideas about, "What about this? What about that?" And then, scripts being formulated. "What about ..." "We can't say that." "What about saying this?" Just getting to the fun.
Sometimes I'll come up with the idea and send it to my guys. Sometimes they'll just come up with a completed script and I'll go, "That's it. That's it. That's genius." Or sometimes I'll say, "We can't say that. That's technically incorrect to say that." Those bits and pieces. But I think for them, their goal is to strip any remnants of dignity away that I may have had. That's the guiding principle. I'm sure they want to get me to a point that I just lose it, become a diva, and walk off set.
Joseph Carson:
Permanently. That becomes the permanent character.
Ian Murphy:
I've been close once. I've been close once. It was the Cyber Girls video I did. There was different dresses, right? There was one that was ...
Joseph Carson:
The alternative to the Spice Girls one. I remember that one. It was so scary.
Ian Murphy:
Most people are still having therapy for it now. One of the dresses for Victoria was so tight and so clingy. I just felt really exposed in it. I just felt really exposed. If I was blessed in certain parts of the department more than I am, I might not have had a problem. But I was like, "I can't do this." They talked me around and they did it. It was one of my best videos actually to do.
But I think, for me, and I hope it comes across in the videos ... We just have so much fun doing it. We have loads of bloopers that we generally don't put out. Every now and again, we'll put out, but there's just so much fun in doing it. A lot of it is my background, is my upbringing from Liverpool. My working class upbringing and watching the likes of Tommy Cooper and Morecambe and Wise and Cannon and Ball. All of those guys. And then, Billy Connolly, who's my ...
Joseph Carson:
Billy Connolly is one of my favorite. He's one of my all-time favorites. I was fortunate enough to get to see him live in Belfast many years ago. Just watching him talking about one thing. And then, he segues off and there's so many other jokes. Eventually, he's like, "What was I originally talking about?" He finally winds himself back to the original. Definitely, I enjoy good comedy. I enjoy a good laugh.
I just feel that in the industry, I would love to see more of it coming back. I remember some of my early days of the career. I remember. Every day in work, I couldn't stop laughing. I've been fortunate enough to be in companies over my career where that's continued. Sometimes it might not be the company culture, but it might be your team's culture that you can still have that good laugh and enjoy it.
I remember there was one person on my team that always kept me entertained. I used to be responsible for a large support team. When you're working in support, you get a lot of really intense calls. People's angry. People's upset. This one person always reminded me. He was the most calmest person when those types of calls came in. He would always turn it into something entertaining.
He would always be able to turn it around in the end. The person on the end of the phone would end up laughing. Especially, in those very tense moments. I think we definitely need people that are really good at being able to do that in the industry. I definitely think I've worked in a lot of incident response where I believe that we need to surround ourselves with people that can actually make sure that we can actually recover from those intense moments. To get us out.
Because I think comedy and entertainment is what helps us get back on track again. It's what helps put people back in-path. I've seen a lot of, unfortunately, people leaving the industry because of burnout and other things. I think that entertainment and comedy is a good form of therapy. It's a good form of keeping people just connected and communicating. For me, it's such an important area.
And so, when you're producing them, how long does it roughly take? I've produced a lot of content. When I see some of the stuff you're doing, I'm like, "It must take weeks." To do the editing, the scripts, the content. Ordering the costumes. Trying the costumes on. How long does roughly take to create the content?
Ian Murphy:
I think for a Bespoke animated video for somebody, for instance, it'll be a five-week process. It'll be an initial idea. Coming up with those, pitching those, storyboarding them. Writing the script. Getting the sign-off on the script and the ideas. Doing a first rough draft. Getting them to sign off on that, and then doing the final edit and stuff like that. That's like a five-week process.
On the live video, that's a little bit shorter, because the animation does take longer. It's probably two weeks on the live one, if we can agree the content and the script and things like that. On the videos for what I put out on LinkedIn, which is twofold, really. It's to raise my profile and obviously entertain, educate. But hopefully, that's the reason of the profile. People will come in and say, "I like what you do. I like the animation stuff. Can we get involved in this and this?"
Which would be great, but we've got the video stuff down to a fine art. Now, we kind of know where we are in terms of script. What we've started doing recently, we started filming in different angles. It's going to sound boring, but it adds more depth to what you see for the final. Rather than just a straight-off.
Joseph Carson:
Rather than just a straight. You have the side, and then ... Okay.
Ian Murphy:
You're actually filming the scene three or four different angles, three or four times. It takes a little bit longer. So it's taking a little bit longer now because of that, but the output is much better. One of the best backhanded compliments I ever got was somebody who turned around and said, "I don't think I'm interested in that. They're poorly produced." I'm like, "Do you know how long it takes to make them look poorly produced?"
Joseph Carson:
That's the skill. A lot of the ingredients goes into making it that way.
Ian Murphy:
Almost a bit like Acorn Antiques from Victoria Wood, where the set would shake behind and all that type of ... All of that comes into the mix. I think people who don't get that, don't then get the sense of humor and are probably not in my target market anyway.
They're a wonderful tool to qualify people in or out straight away. Because actually, they'll either go, "Yeah. That's not for me." Or, "Love what you do. How can we get involved?" And it's still in its infancy, really. The company is just over a year old.
Joseph Carson:
It feels like much longer. For some reason, to be honest, it feels like years already. It feels like we're on season five.
Ian Murphy:
I know. Well, I think because initially, going back three or four years, I started to make more of an effort with LinkedIn and to start using my profile. I was VP of a different company then and doing bits and pieces and helping them as a startup. I thought I'd raise the profile, help raise the profile of the company, blah blah blah.
Out of that came Cyber Off. Out of doing that stuff came the idea for Cyber Off. Without that stuff to begin with, it wouldn't have evolved into Cyber Off. Really, as a growing business concern and a formulated limited company and all that type of stuff, it's about 18 months old. Or something like that.
Now, it's about raising the profile. Get more customers in. More and more people are being turned onto the fact that fun is required. Especially, after COVID and stuff like that. Fun is required. People aren't engaged enough. I keep telling people, "If you want to get more people to pay awareness in the awareness side of things, you have to give awareness of personality." Most of the time now, it just does not have the right personality. It has the personality of mandating training on people.
Joseph Carson:
Enforcing, pushing, and not really getting it to the same level of enjoyable.
Ian Murphy:
Exactly that. Almost trying to trick them with phishing tests. I get the people say, "Phishing tests work." I get the value of the thought of phishing tests. I get the idea of, "If we show them what a bad phishing approach is, then they'll learn from that."
I always say to them, "But when you were taught by your parents about not putting your hands on the hot stove or in the fire, did they take the tip of your finger and stick it in the fire? Or stick it on the hot stove?"
Joseph Carson:
They throw your hand in it.
Ian Murphy:
Exactly that. And then, people say, "Well, it's like a fire alarm." No, it isn't. It isn't like a fire alarm. We do fire alarms because health and safety regulations say we have to do it. It's in law. It's legal. We do phishing tests because the vendors have spent a lot of money in marketing that this stuff works.
It gives us a tick in a compliance box. It does not make anybody any better at spotting phishing attacks. Or making them fall foul of phishing attacks. We will all fall foul of phishing attacks. And I think that's the bit we have to realize.
Joseph Carson:
It's the impact. It's what happens after.
Ian Murphy:
Exactly.
Joseph Carson:
The message to tell people not to click on stuff is telling them not to do their job. That's counterproductive. The internet is created to click on. The button on the mouse is to click on things. The browsers are to click on things.
Ultimately, your job is spent, probably most of the day, clicking on things. To tell people not to click, "These are the bad things. Don't click on them. These are good things." What we have to do is become much more, "What's the result of the clicking on it?"
Ian Murphy:
Yes.
Joseph Carson:
How do we minimize that? How do we make sure? There's also a big gap as well. A lot of people don't realize what security is in place. What they're protected against and what they're not protected against as well. Transparency between the security controls and the people also needs to be better communicated as well.
One of the things. I think what we have to do, me, you, and Jake and a few of the others. Dan. We have to get together and we have to do ... The next version of this is the cybersecurity as a reality TV show. I think that's the next one. The next step. I always laughed when the European Bloggers Award, when Jake said ... What was it? The Influencer Award? The LaViola one. I laughed at that so hard. Maybe the next version is a security reality TV show. The next phase of this.
Ian Murphy:
Maybe a version of the Kardashians?
Joseph Carson:
Kardashians. Yeah. Clicking on things and seeing if bad things happen.
Ian Murphy:
I'm working on a Kardashians video, so be warned.
Joseph Carson:
If you're taking requests, I would love to see a Father Ted and a Mrs. Brown.
Ian Murphy:
Father Ted would just be amazing. I could do Father Jack right now. Maybe a version of Kicking Bishop Brennan Up the Arse. Maybe we'll do a version of that episode.
Joseph Carson:
That would be brilliant. Definitely. At some point, when I'm coming over, maybe I can also make a guest appearance as well.
Ian Murphy:
Of course.
Joseph Carson:
But I'm not up for the singing part. I don't know about that.
Ian Murphy:
Neither am I. Do you hear my voice?
Joseph Carson:
But when you've got the music going, you can put a tune. You can make it go. Definitely.
Ian Murphy:
Because I keep saying to them, "Let's do a Frank Sinatra or a Dean Martin one. Because most people are okay at crooning. Let's do that." They're like, "No." They're going to pick The Communards or stuff like that. Something I could just never do in a million years.
Joseph Carson:
It's always brilliant. You won an award recently. Can you share a little bit about the award itself? What does it mean for you? Because I've seen you in dicky bows and dressed up giving awards, which is also great to see and entertaining. But I think it's fantastic to see you receiving an award. Share a little bit about what happened.
Ian Murphy:
It was the European Vlogger of the Year thing. It was for my Cyber Girls video as well, which is amazing. I think I've scarred enough people that they voted for me on the proviso that I'd never do anything like that again. I think what's nice for me for awards is other people find it useful. Other people find it useful enough to vote for, which is kind cool. I think the awards ... I like it.
When I was a player, the awards that I put more stock in was the Supporters Award of the Year or the Players' Player Award of the Year. Because it's voted for by your peers. Or the people who were watching you. Those are the things that meant more to me than, say, the manager's one or the chairman's one or stuff like that. They never really meant too much to me.
To be voted by others is awesome. I think it's something that we can get carried away in, to be quite honest. We haven't split an atom here. It's not a Nobel Peace prize. It's a bit of wood with plastic on it.
Joseph Carson:
Well, to be honest. As I mentioned earlier, what you're doing is important to help with mental health and the stress and burnout in the industry. For me, you have probably helped a lot of people that woke up one day and didn't feel good. You give them a couple of minutes of entertainment and change their outlook for the day.
I strongly believe that, for me, we need a good way to tackle the burnout and mental health in the industry. What you're doing is definitely having an impact. When I look at giving the award to you, that's what it meant for me. How you're helping people in the community.
Ian Murphy:
Well that's very kind and humbling, to be quite honest. I think that's a nice byproduct. I think I could turn around and go, "Well, that's what I set out to do." But I didn't really, I set out to make a bit of cash and buy a place in Barbados, to be quite honest with you. No. I didn't. I set out to bark at the security moon. That's what I set out to do.
I set out to call out the terrible practices that exist in our industry. That make other people not want to invite us to office parties. That gets us the reputation of the company that likes to say, "No." Or the department that likes to say, "No." Where people think we are arrogant, we do operate with hindsight, and we do talk down to people who are quite dissident. Almost like you're going into an episode of The IT Crowd, where you can't enter into mission control for fear of being savaged.
I wanted to change all of that and change that perception. Hopefully, I've done a little bit of that. Also, as well, I kind of want to change some of the FUD that gets out there from vendors, who should know better and are still spunking VC money up against the wall, from a marketing point of view. Not staying in a profit, but are considered industry leaders in their field. What's that all about? What is that all about?
Because that's just a self-fulfilling prophecy that those guys are up with. To say, "We're the market lead in this. Worldly." That's just marketing bullshit. I want to be the voice that other people wish they'd had, but can't do it for whatever reason. Maybe that's where the mental health comes in. To turn around and call bullshit on all of that stuff and on all those people.
Joseph Carson:
I think that's an important message. Even when I do go to events. Walking around, looking at the messages, and trying to see, "What is real value? What is the things that's really changing the society for the good?" Or what definitely makes an impact? That's the message I would like to see the industry start to focus on. The message of, "How are we helping people do their job better? How are we helping society?"
I love Mikko's ... He tweeted out recently, and I mentioned this in the previous episode. It was around, "We're no longer protecting computer systems. We're protecting society." That's what it's extended to. We have to realize that, at the end of the day, it's about people. It's about helping people's lives be better. Their lives basically be much more fulfilling. We are an important part of making that happen. Absolutely.
Ian Murphy:
I agree. I've heard people say, "Cyber is a people problem," but they do it in a negative way. Cyber is a people issue, but I also think the people are our best hope for the future. Almost like Star Wars: A New Hope and stuff like that. But I don't mean from the point of view of trying to build human technology on the back of it. Or use terrible terms like, "Human firewalls," and things like that.
Change, "Firewall," for, "Shield." Because that's where that term comes from. Human shield. Look at what a human shield is. See if that still resonates when you realize the derivation of where that comes from. Again, it's marketing bullshit. I think we need to show more compassion and more empathy. We need to be able to connect with people more. And I think that's what the videos are meant to do. Connect to people more.
When people see me at events or whatever, they'll go, "All right, Murph." I've had that recently and it's a weird thing. It's a weird thing. I'm ultimately humbled. Thank you very much for those people who do that. More people come up and talk to me. By the way, it's no problem. As long as you're buying beer or coffee, we're all good.
But it's almost that. Where you think, actually, you've said something or done something enough to touch somebody that they feel they know you, that they can come up and use your nickname. I'm like, "That's cool. That's brilliant." I'm happy then. Even when I've been out having dinner and somebody's gone, "Are you Ian Murphy?" I always pause and think, "Do I owe you money?"
Joseph Carson:
What are you after? What do you want?
Ian Murphy:
No. That's my brother.
Joseph Carson:
That's a very Belfast thing to do. If anyone talks about Zero Trust, I always say it came out of Belfast. You don't trust anybody. If you wanted to know the origin, it wasn't Forrester. It was Belfast society. Anyone ask you, "What's your name?" "Mickey Mouse," is typically the common response.
For you, what's next? What's your next plans? I would love to see this turn into a Netflix series. That would be my wish. Because I think it's great for social, but I really think that we need to take this to global, to mainstream. It needs to get broad. I'd love it to see go further.
Ian Murphy:
I want to make Cyber Off the Headspace of cyber. What Headspace did for meditation and mindfulness, I want us within Cyber Off to build a community to do a similar thing for cyber. To raise the awareness of it. To help people improve their savvy. I'm redoing the website. I've got an app built and all that type of stuff.I want to build a cyber community around the funny content, but I don't want to do it in a boring, LMS-type point of view. I want to do it in an iTunes approach, where you're creating playlists for friends and families to go and watch that stuff. Other people can create playlists, and then other people can put their own content in and stuff like that. That's in the back of my mind the grandiose plans.
The more immediate stuff is, I'm off to the Fringe next week to see a couple of friends of mine who are performing. I'm going to perform there next year. It's a little bit too late to get involved this year. I'll probably perform there next year for a couple of weeks. Something like that. That's in the works.
Joseph Carson:
The Fringe. That's the comedy show in Edinburgh, isn't it?
Ian Murphy:
Yeah. The Fringe Festival. It runs for the month of August. I may try and do a couple of weeks. My other plans are to do more standup. I've got several corporate gigs in the works for people who want me to present a different view of awareness. I've just come back from doing one for a corporate over there with.
I kind of mix an awareness presentation with standup to almost do a Connolly-esque meandering of around awareness to get back to a point that I didn't know I was going to make in the first place. Because I love Billy's point of not writing stuff down. Trying to do it from experiences, and trying to be like your funny friend down at the pub who can tell those stories.
Joseph Carson:
That's my childhood. My childhood. I was a barman for many years.
Ian Murphy:
People who can capture and hold an audience in their hands. 10 or 15 people around them in the pub house, to tell them a story. I've no loathe to them in my life. They're just funny, funny, funny people. To do a bit more of that, do a bit more corporate gigs. Awareness Month is coming up.
I was just thinking about Awareness Month, what I'll probably do on LinkedIn and other socials. I've got about ... I don't know. 60, 70 videos now. I'll probably flood Awareness Month with maybe three videos a day. Just to give people the view of what's gone on in the past.
Joseph Carson:
You're trying to get my productivity, but my mental health increased.
Ian Murphy:
And then, actually I've just released an early adopter program for Cyber Off. I think to get more organizations involved, you've got to give them a say in what's coming out from a topic point of view. The idea of the early adopter is a monthly subscription service to a new animation that isn't released on socials anywhere. It's just purely for the paying early adopters, where they then get to vote on the topic that we develop the animation about.
Joseph Carson:
Fantastic.
Ian Murphy:
We may give them three ideas of animation, so they may get to vote on that. That might be passwords in an Indiana Jones style-y type of thing. Or vulnerability scanning in a James Bond style-y. Or stuff like that. We do that for the early adopters.
Much to my surprise, because I thought my niche would be SMEs and stuff like that, I've got several large organizations who want to take me up on that. I mean, large organizations as well.
Joseph Carson:
Definitely, there's a place for this in large organizations for sure. It might have to be tailored for depending, as I mentioned, geographical locations. It might have to be tailored for certain elements in the organization.
But definitely, I think we need to stop taking sometimes everything too serious. We need to sometimes make fun of ourselves a little bit and enjoy. Get the balance back where it's all about entertaining.
Ian Murphy:
Yep.
Joseph Carson:
I think that's where the future of cybersecurity should be, is about making it enjoyable. A place that we all feel included and inclusive and entertained.
Ian Murphy:
Indeed. I think anybody who may watch my stuff or see my standup or whatever and think, "Well, he may be offensive at those bits and pieces." Please rest assured that I don't care what your opinion is. Please rest assured that your opinion is your opinion. It makes no odds to me. But I never go out and I never set out to offend people. Never ever do I set out to offend people.
Joseph Carson:
No. Absolutely. I think it's always important. That's a cultural thing. I was brought up the same way. You're there to look at a specific topic, but it's not to offend anyone. At the end of the day, usually the biggest people we offend is our ourselves.
Ian Murphy:
Exactly that. That's why I'm the butt of all my jokes. You'll know. Growing up in Northern Ireland, if you offended somebody, you were likely to get a smack in the face from it.
Joseph Carson:
You knew it. You knew it immediately.
Ian Murphy:
Right?
Joseph Carson:
Absolutely. It was immediate response. There's been several times that I've had Guinness poured over my head. Those would be moments we can chat in the pub over. But Ian, it's been awesome having you on the episode. I think for me it's so important to raise this and to get this message out.
To really start changing awareness to being something that people can consume, that people can relate to, and that people want to hear and enjoy hearing. Definitely, keep up the amazing work. I definitely think you well deserved the award, and I'm pretty sure more awards will come. Especially, around the community side. Your content is definitely making a difference.
Ian Murphy:
Thanks, Joe. I appreciate that. It means a lot.
Joseph Carson:
For everyone, this has been awesome having the Vlogger of the Year on the show today. Definitely. We need to bring the fun back into cybersecurity. We need to entertain ourselves. We need to enjoy every day, because the most valuable thing in this world is time. It's our time. The more we more value we use our time, the more we use it wisely, the more fulfilling your life is going to be.
Let's make our industry a fun place to be. Let's make it the place where other people want to join in and be part of. For everyone out there, again, this is the 401 Access Denied podcast. It comes out every two weeks. If you'll subscribe, go back and listen to previous episodes, definitely you'll get to hear more of awesome guests such as Ian. I definitely look forward to hopefully catching up with you sooner than later. We'll definitely have a good time. Maybe to catch one of your standups.
Ian Murphy:
Awesome. Thanks, Joe.
Joseph Carson:
You're welcome. Thanks everyone and all the best. Take care. Goodbye.