Cyber Compliance & Beyond Podcast by Kratos

Cyber Compliance & Beyond

By: Kratos

Welcome to "Cyber Compliance and Beyond," a Kratos podcast that will bring clarity to compliance, helping put you in control of cybersecurity compliance in your organization. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors including defense, space, satellite, financial services, and health care. Through "Cyber Compliance and Beyond," our cyber team of experts will share their insights on the latest compliance issues. We want to hear from you! What unanswered question would you like us to tackle? Is there a topic you'd like us to discuss? Or do you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com.
Episodes
  • 25 - Building a Reward-Driven Security Culture
    Apr 7 2026

    Phishing has been one of the most reliable tools in an attacker's arsenal for decades. Despite endless simulations, mandatory trainings and a growing set of tools, the problem hasn't gone away. AI-driven targeting makes it smarter, faster and more personal. But the issue isn't just the threat itself. It's how we teach people to recognize and respond to it.

    In this episode, we sit down with Craig Taylor, a 30-year cybersecurity veteran and co-founder of CyberHoot, to explore why traditional phishing exercises fail to change behavior and how shame-based or punitive approaches are undermining security culture. Craig explains how a multidisciplinary, psychology-backed approach can transform user engagement, reward good behavior and build real security resilience.

    Whether you're leading a security program, responsible for awareness training, or simply curious about how phishing has evolved in the age of AI, this conversation will change the way you think about user education.

    Highlights:

    • Why traditional phishing simulations often hurt security culture
    • How AI is reshaping phishing attacks at scale
    • The psychology behind behavior change and what most programs get wrong
    • Why positive reinforcement works better than punishment
    • How to build a learning-driven, user-friendly security culture
    • Practical steps organizations can take to modernize phishing education

    Craig Taylor is a seasoned cybersecurity leader with over 30 years of experience across web hosting, finance, manufacturing, and more. He is the co-founder of CyberHoot, a cyber literacy platform for small businesses and MSPs, and has served as a virtual CISO for more than 50 organizations.

    CyberHoot Resources

    • 20% Off CyberHoot for 1 year using code "Cyber Compliance and Beyond"
    • Main Website: https://cyberhoot.com/
    • Individual Registration (Free Personal Training for Life): https://cyberhoot.com/individuals/
    • Businesses and Managed Service Providers: https://nest.cyberhoot.com/autopilot-signup/
    • Newsletter Sign Up: https://cyberhoot.com/newsletters/
    • Blog: https://cyberhoot.com/blog/
    • Cybrary: https://cyberhoot.com/cybrary/
    48 min
  • 24 - CMMC Architecture: Enclave, Enterprise, or Hybrid?
    Mar 31 2026

    Organizations chasing CMMC often jump straight to "what tech should we buy?" but scoping begins with people, policies, processes and how information actually flows across the business. This episode offers clear, candid guidance for any team wrestling with scope and architecture for CMMC and trying to get it right the first time. We walk through the real trade-offs between enclave and enterprise approaches, why enclave complexity can hurt day-to-day work, and where a hybrid model can make sense if you have the internal expertise (or the right MSP).

    We discuss practical criteria for selecting MSP/ESP partners, break down the 36-month assessment window and the kinds of environmental or business changes that might trigger reassessment, and explore NIST SP 800-171 Revision 3 readiness.

    Highlights:

    • Start scoping with people, processes, and information flow—not the "shiny tech."
    • Enclave vs. enterprise vs. hybrid: reduce user complexity, weigh operational realities and plan for 36 months.
    • What to ask MSPs/ESPs: Level 2 status, shared responsibility matrix specifics, contract gaps, and insurance.
    • Changes that can trigger reassessment and how proactive change control avoids surprises.
    • Revision 3: prepare now; certification momentum on Revision 2 still pays dividends.
    36 min
  • 23 - Building a Culture of Security in the Age of AI Deception
    Mar 3 2026

    We all say security is important, but does our behavior reflect it? In this episode, we explore what it really takes to build a true culture of security inside organizations.

    Traditional awareness training and phishing simulations often feel surface-level and at times punitive. So how do we move beyond compliance checkboxes to meaningful behavioral change?

    Joining us is Robert Siciliano, cybersecurity leader, speaker, and creator of the Strategic Human Firewall™. Robert shares how AI-driven social engineering, deepfakes, and synthetic identities are bypassing technical controls—and why the workforce is now the most critical line of defense.

    We discuss:

    • Why security culture starts with mindset
    • The "Human Blindspot" and the instinct to trust the familiar
    • Shifting from "I trust what I see" to "I verify everything"
    • Turning security awareness into true security appreciation
    53 min