Modern Cyber with Jeremy Snyder - Episode 24

Javvad Malik of KnowBe4

In this episode of Modern Cyber, Jeremy chats with Javvad Malik, the Lead Security Awareness Advocate at KnowBe4, to discuss the intricacies of security awareness in today's cybersecurity landscape.

Podcast Transcript

Jeremy Snyder (00:03.527)
All right, welcome back to another episode of Modern Cyber. I'm Jeremy, I'm your host as usual, and I'm delighted to be joined today by somebody who brings a unique perspective to cybersecurity around security awareness. I am joined today by Javvad Malik, the lead security awareness advocate at KnowBe4. Javvad is based in London. He is an IT security professional with over 20 years of experience as a security administrator, consultant, industry analyst, and advocate.

He's also a multi-award winner and is currently a Guinness World Record holder for the most views of a cybersecurity lesson on YouTube in 24 hours. We are definitely going to be talking about that on today's episode. Javvad is passionate about helping people understand the value of cybersecurity and how every department and individual can play their part. He often educates his audience through blog posts, videos, podcasts, and at public speaking events. He holds the SACP and CISSP certifications. I hope I got those right. Javvad, thank you so much for taking the time to join us today on Modern Cyber.

Javvad Malik (01:00.812)
Thank you, Jeremy. Thank you for inviting me. It's a pleasure.

Jeremy Snyder (01:05.189)
Awesome, awesome. Well, I wanna get right into the conversation today around security awareness. I think security awareness is a term that we hear a lot, but as somebody who does this day to day, how do you think about security awareness? What does it even mean to you?

Javvad Malik (01:20.044)
Well, yeah. I think that's a great place to start from because so many people have so many different interpretations of what it means and what it is. And I think what I don't think it is is training in the sense of what a lot of people think of it. I think a lot of people think of it as you enter a dojo and there's a grand high master there and he's gonna put you through the wringer and you're gonna end up

getting a next belt up or something like that. And I think of it more as marketing in the sense that when you're out and about, so in London we have see it, say it, sorted. If you're on the underground, you hear that. I think in the US you have like, if you see something, say something. And I'm always like, you never hear them say, well, if you see something suspicious,

Jeremy Snyder (02:12.994)
Yep. Yep.

Javvad Malik (02:19.308)
go over and see how many wires are sticking out and what colors they are, then follow them and are they connected to a clock-like device. And if it's a red one, please try cutting that one. Yeah, because that would be ridiculous because we can't expect the average person to be a bomb disposal expert. All we want them to do is say like, hey, something doesn't look right. Let's phone someone who is qualified to come in and sort this out. And security awareness to me is just about that see something, say something.

You don't want to make them experts. You don't want them to reverse malware. You don't want them to start investigating links or payloads or anything. You just want them to say hey, there's criminals out there. There's scammers out there. They're gonna try and get you to do something that's not in your best interest. So if you do get contacted, report it to someone and they will investigate it for you. And for me that is the essence of security awareness. It's about changing that behavior to from

falling victim to something, to doing the right thing.

Jeremy Snyder (03:21.793)
That's really interesting because that is so opposite of what we see a lot of organizations actually doing. And what we see a lot of organizations doing is the thing you kind of started by hinting at, which is, you know, when I talk to people who don't work in cybersecurity and I ask them what they experience in their jobs, it's, well, we have the annual security training and we take this online course and we watch, I don't know, three or four hours of video. And then we get some quizzes about, you know,

Why should I not have clicked this link and this email or that type of thing? And I'm curious, what is your perspective on those training courses if you think those are not security awareness? Are they helpful or are they actually harmful to organizations?

Javvad Malik (04:05.673)
I think they're helpful, but a lot of them have their roots in compliance. And we know that anything that grows from compliance is no good, really. It's just to satisfy an auditor somewhere. The auditor is normally some kid out of college, hired by one of the big four, being billed out at two grand a day, who doesn't even know what they're talking about in most cases.

I'm being a bit unfair there, but that's kind of like, I think a lot of people will be able to resonate with that sentiment. And the problem is when you go down that, I think when you go down that compliance route, you abide by the letter of the law, but you forget the spirit of the law, the intent behind those controls and everything. And yeah, I think, does it really matter whether someone understands the difference between phishing, smishing, quishing,

Jeremy Snyder (04:40.223)
Yeah, yeah, for sure.

Javvad Malik (05:02.824)
or whether they understand whether they're being targeted by a criminal or a nation state adversary, or they understand what an APT is. And not really. I think it's kind of like, takes people's attention away from their day job, which everyone really struggles to make time to complete their day job anyway. So you're taking valuable time away to give them knowledge that doesn't almost add to their, add to them.

in any way, shape or form. It's kind of like interesting to know, but it's not really like useful. And so you end up in this situation where people begin to resent it. So even if it's really good information, even if it's very valuable, they just resent it because they don't see the connection between it. And the thing is, as long as people do the right thing, it doesn't really matter whether they fully understand all the underlying reasons behind why they're doing that thing.

Jeremy Snyder (05:34.909)
Yeah.

Jeremy Snyder (05:50.14)
Yeah.

Javvad Malik (06:01.767)
So they might not agree with it, but if they understand the overall arching thing is we're here to reduce risk, we're here to protect the organization, and by not clicking on this or by not doing this, we're helping be secure, then they don't really need to understand, this is how an account takeover will happen, and this is how ransomware will get deployed, and this is how RAT will operate. I think that all becomes excessive information that no one really asks for.

Jeremy Snyder (06:29.819)
It's a really interesting point you raise and the analogy towards kind of a compliance exercise really resonates with me. A while ago, I had a conversation with somebody about cybersecurity not being a tax. And his view, and this is a somewhat prominent podcaster, and I actually made an appearance on his show to argue this point. His view was that cybersecurity had become a tax on organizations because organizations that historically never really invested in

in cybersecurity to the levels that they're having to now, they're facing this as part of, you know, operating costs, and it's kind of a requirement. But they didn't feel like they get value out of it. But when you take the psychological aspect of how people treat taxes, I think that's absolutely the wrong framing around it. Especially here, it might not be the case in the UK, but especially here in the US, people are almost incentivized to kind of cheat on their taxes and to really do

and pay the absolute minimum that they can get away with. And you even see politicians boasting about how they're gaming the tax system, right? And so I just think that that mindset that it creates, if you frame it as a tax, it's okay, well, I'm gonna have to do it, but I'm gonna hate it. And I'm gonna try to kind of wiggle my way out of it as best I can. And that sets out the wrong kind of mentality going into it. Is that kind of how you see the compliance angle playing out in security as well?

Javvad Malik (07:55.203)
Yeah, I think that's such a great analogy. I love it. The tax taxation and how people will try to avoid it because you're right. It's just that negative connotation. It's that compliance. I have to do this. And as soon as you have to do it, as soon as there's a force and like the reasoning behind it is because so and so regulator says so begrudgingly people go through, they'll try to game the system as well. We, you know, we

We've all seen, or we probably all tried to do it. We skipped through the training, go to the quiz, try to guess it as best as possible and go back. And the same thing happens with general, I suppose, usage. You send out a simulated phishing attack and if someone falls victim to it, and they then have to do like 40 minutes of training on the back of it, it's kind of like, at first they tricked me and now they're punishing me. It's kind of like a double whammy. And that doesn't build good relations. That doesn't build good.

Jeremy Snyder (08:48.694)
Yeah.

Javvad Malik (08:50.819)
And I think one of the key things is we need security departments to have good relations with the rest of the organization. If they're being perceived as a department of no, or if they're the ones that are always there to slap someone on the back of the wrist and say, you did this wrong, then they're never going to approach them. And this is why we end up with things like shadow IT. This is why we end up with people emailing stuff to their home because they're trying to get their job done. And they have this feeling that if I ask the security team, they're just going to say no.

Jeremy Snyder (08:51.542)
Yep.

Javvad Malik (09:20.227)
or they're going to like report me or something. I can't deal with this hassle. I've got to get the accounts done by the end of the day. So I'm just going to go ahead and do that.

Jeremy Snyder (09:31.19)
Yeah, it's such a great point. I'm curious about something. You've worked with organizations of probably many different sizes from the smallest to the largest. And how do you think organizations are doing with security awareness right now? Are they doing well? Are they doing poorly? Are they following this kind of compliance-driven path on training? Is that kind of the leading activity that most organizations are embracing right now?

Javvad Malik (09:55.395)
Yeah, I think there's a wide variety of maturity across organizations. So some of them are still quite in the early stages. And so they're just doing the bare minimum. So maybe they want cyber insurance and cyber insurance insurer will say, well, you need to do some form of training. And so they'll do whatever the basic minimum is to tick that box. Others are getting far more mature about it and they're moving

They plan from an awareness plan to a behavior change plan and they're looking at, well, how can we influence the overall culture of the organization? And that then involves a lot of different aspects to it. So you're not just targeting the user, but you're targeting like your senior management, you're targeting your developers and your technicians and everyone and you're trying to...

build this sort of like two-way 360 degree feedback loop so that everyone sort of comes to a general understanding as to what's acceptable or what's not and why, you know, at that high level, not going into the weeds, but just at the high level, why we're doing this. And, you know, building solutions that actually help people solve the problem. Because I think far too often security people are very concerned with being right.

at the expense of being helpful. And so they will say, this is why you need to do this and I'm right because, and then they'll start pulling out papers or referencing people to DEF CON talks or what have you, which is like completely irrelevant. And so, okay, you're right, you win. You're not going to win hearts and minds like that. And I think that's where fundamentally beyond the tool set that people are using and beyond the sort of techniques that they're deploying.

It's more about their approach because at the end of the day we're dealing with people and people deal with people they don't really interact with the software.

Jeremy Snyder (11:59.51)
Yeah.

Jeremy Snyder (12:03.254)
Yeah, yeah, this kind of this soft skills aspect gets left out of so many security conversations again and again, I see it and your point about people being technically correct is another one that I see again and again. There was an example I spotted recently around typosquatting on a domain name using a Cyrillic character that resembles the Roman alphabet A and you know, blaming a user who clicked on a link.

and that's not really relevant or valid in my opinion, or it's not a great way, it's certainly not a great way to foster relationships to your point between the security organization and the rest of the company. So if this kind of blame game doesn't really work well and this kind of being technically right doesn't really work well, what are some good tools? I mean, are things like storytelling a good way to approach building relationships or building bridges across the organization?

Javvad Malik (13:01.311)
Yeah, I mean, storytelling is so powerful and it's so, so, so useful. And it doesn't even need to be a long and elaborate story. It can just be a really short, like 30 second, one minute snippet of something that happened or something that could happen. And what we found is, especially where execs in an organization, they can share a story. Say like, hey, I got a call from someone claiming it was from IT. They wanted me to give them my one-time password code. So I gave it to them.

and then I realized, hold on, that wasn't IT, so I reported it, and then they locked down my account. That makes a really powerful story because you've got elements of like someone falling for it, and it's an exec. It removes the stigma associated with, my God, I got targeted with, hey, anyone can get targeted. And then these are the steps you're meant to follow, so that's embedded into the story. And also there's a no blame at the end of it. And something like that.

can be far, far more powerful than giving hours of training through a platform by just getting what your CEO or CTO or someone at a senior level just basically, hey, this happened to me and this is how it was resolved. And if anything happens to you, or either you can share amongst yourselves or what have you, I think it's just so much more beneficial to everyone. Because, I mean, who hasn't ever?

clicked on a link or downloaded some malware or done something by accident. We all have, if you work with computers, you're gonna do that at some point or another. And that's not the issue. The issue is how do you recover from it? And if you create this environment of fear, people won't report it. And if they don't report it, that small mistake can turn into a full blown incident. And that's what you wanna try and reduce.

Jeremy Snyder (14:24.822)
Yeah.

Jeremy Snyder (14:48.854)
Yeah, absolutely. I think that's such a good point. And we've seen the NIST cybersecurity framework come out with an update just recently, and they talk about, I think it's respond and recover and kind of governing the process across that entire timeline is now really a key tenet of that whole framework. I'm curious though, in your experience, in the sense of...

all the things that can go wrong. And you're right, like we've all clicked on that link, we've all accidentally done that thing that we shouldn't have done. Is there something that we're doing in system designs that is not really making it easy? You know, because it's one thing when it's external stuff, but I think even stuff internally is not often well designed. What's been your experience? Because I think this is an area you've been exploring a lot recently, right?

Javvad Malik (15:42.303)
Yeah, yeah. So this started like a few years ago. There's a Twitter account or X account called Dark Patterns or Deceptive by Design. And it looked at basically websites that kind of trick you into paying for more than what you actually should. So they'll have like...

a big button that says like, click here for a 50% discount. And then like really small writing underneath is like, this is the ongoing subscription minimum, you know, minimum three month contract. And then there's a very small link under there like, no, take me just through without doing that. So it's like all these things where it's like some websites like Adobe is notorious for like trying to unsubscribe from their software. So they look at the, they call it deceptive designs and you know, dark patterns where, you know, you trick people into

Jeremy Snyder (16:32.022)
Yep, yep.

Javvad Malik (16:38.879)
It's legally okay or in a gray area, but it tricks people. And so I was looking at those and then I was looking at some of the systems we use and especially security systems. And I thought, well, it's not deceptive design at all, but it's not really user friendly. It adds friction to places where you don't necessarily want it to add friction. And I use that term from...

Jeremy Snyder (16:55.67)
Mm-hmm.

Javvad Malik (17:05.919)
like James Clear in his book Atomic Habits, he talks a lot about adding friction to bad habits and reducing friction to where you don't want it. So if you want to get fit, you put your running kit out by your bed so that in the morning the first thing you do, it's there, it's ready, you just put it on, you don't need to think about it, your earpods are charged, you go for your run. And when you come back, there's no soda in your fridge, there's only water or there's healthy snacks.

So you don't, you know, and this is how you architect, you know, your own life to make it easier for you to do the right thing, which is to get fit and avoid, you know, the unhealthiness. And when we look at security, we unfortunately see there's a lot of friction added to where people shouldn't have friction. So simple things. I love multifactor authentication as a control. I think it's one of the best things out there, most effective.

Jeremy Snyder (17:35.446)
Yep, yep.

Javvad Malik (18:02.911)
but it's not very, very convenient in a lot of cases or the way it's implemented. So if I want to log on to something, I have to then like enter my ID, then I have to find my password, which is normally in a password manager, which auto locks after a period of time. So I need to unlock that. And then some websites don't allow auto filling. So then I have to manually copy and paste it or something. And then I go to the next stage where it's like, okay, we're going to text you a code now or go into an app and then find the code from there. And sometimes on the phone,

Jeremy Snyder (18:07.574)
Yeah.

Javvad Malik (18:32.575)
If you go from the website to your authenticator app, it throws you back. So then you have to go back in and log in really quickly and then copy the code and paste it in before the 60 seconds expire. There's loads and loads of hurdles there that even technical people get frustrated who work with this day in day out. Now for me to convince my wife to use something like that, she would just go mad. She would like, you know, just throw the phone against my head after like a...

Jeremy Snyder (18:48.421)
Yeah.

Javvad Malik (19:02.111)
you know, a short period of struggling with that. It's just, we don't make it easy for people to do the right thing. And it's to go back to your point about the Cyrillic letters and what have you, there's no amount of training. There's no amount of training that you can give to people and to teach them how to spot the difference. What you need is some better ways of formatting or some notification or some pop-up to say, hey,

Jeremy Snyder (19:04.612)
Yeah.

Javvad Malik (19:30.495)
we see this and then auto block it or give that information to the user and say like, look, you thought you're going to Microsoft.com, but this is actually not Microsoft. This is whatever, M1, Crosoft and like, you know, and just highlight it in a different color, put it in their face and then let them make the choice that way. But if we just like letting things be as they are and then expect and then wondering why people aren't making the right choice, I think we need to...

Jeremy Snyder (19:42.692)
Right. Yep.

Javvad Malik (19:59.967)
take a good look at how we're designing stuff. There's the marketer Seth Godin, he said about on the top of marketing, he said, if I say something and you don't understand it, that's my problem, not yours, that's not your fault, that's my fault. And I think this is another thing. I would love to live in a world where security awareness isn't really a separate discipline. I mean, I know I'm talking myself out of a job right now, a current job, but...

If we didn't have to exist, I think that would be brilliant because that means that our systems are designed in a way that it's useful, users know it's intuitive. It's just like people know, we make it easy for people to do the right thing.

Jeremy Snyder (20:45.38)
Yeah, it makes a ton of sense. And I mean, this point about multi-factor authentication, just using that example, I will tell you, I recently did a talk to a room full of senior executives from kind of medium-sized companies just in my home state of Virginia here, who are all looking at exporting for the first time in their company's history. And, you know, sending products overseas, it's a big step for them to kind of grow and grow internationally.

Probably a lot easier for us to say from a pure software standpoint because software can be global from day one and that's been the case for our company, thankfully. But for a lot of them making physical products, this is a big step. And they're looking at going overseas and they asked me to come in and talk about the risk of cybersecurity as you expand international operations. And I asked the question to the audience, how do you feel about cybersecurity? Just generally, no kind of.

Prejudice, no thoughts in advance. And the only reactions that I got were these visceral negative reactions. Nobody said, hey, it's great. Nobody said, we really need it. Nobody said, it's super important. The only reactions I got were, we hate it. And I'm with you, if we lived in a world where our jobs weren't necessary, I'd actually be totally fine with this.

I can find many other things to do with my time, and by the way, many of them might be a lot more fun, right? And they won't involve being part of the perceived department of no, and they won't involve this kind of friction and this kind of stress when you respond to an incident and all the negative things that do come along with the jobs, which by the way, we willingly signed up for, so I'm not trying to say anybody coerced me into this or anything like that, but I would be thrilled if there was no need for our jobs.

Javvad Malik (22:10.431)
You

Javvad Malik (22:25.983)
Yep.

Jeremy Snyder (22:31.3)
if information was just secure and if it wasn't valuable in the hands of the bad actors and if there were no bad actors to actually go after it. So I'm with you a thousand percent on this and I really think it's interesting this point about MFA because again, going back to that audience, when I asked for some follow up, that was the number one complaint was having to get MFA codes and getting locked out and not getting the code in in time or, you know, punching one digit off and then after

three attempts at it, it locks in five minutes, all the things that go along with it. So this design aspect of it, I think is really important. And in reality, when we think about MFA in particular, what we're really trying to do is just kind of establish either authentication or authorization, I would say in most cases, authentication. And when you're looking at doing that, wouldn't a system where you just kind of push a request to a device that has biometrics involved and just says, hey, like, hey,

Javvad Malik (23:02.111)
Yep.

Jeremy Snyder (23:29.956)
is that Jeremy? And I can just hold up my phone, look at it, do the facial scan or do the fingerprint or whatever it is. That would be a much lower friction, simpler design, right?

Javvad Malik (23:42.047)
Yeah, exactly. And that's something that the phone manufacturers have made really easy. So people like, how many people do you see? They have the latest iPhone, they just hold up facial recognition, say it's reduced the friction and increases security at the same time. Isn't that a brilliant thing? I often think about vehicle design and how they've improved over the last 20, 30 years the safety of cars so much.

Jeremy Snyder (23:59.3)
Yeah.

Yeah.

Javvad Malik (24:11.243)
yet the user experience or user interface and interaction has remained virtually unchanged. So, you know, in the 80s, ABS probably wasn't a thing in cars, most cars. Then ABS came into cars, yet there wasn't additional training you needed. There wasn't additional like, this is how you use a brake pedal now. It was exactly the same. Drive as you normally would. And if there's an emergency, this technology will assist in that case.

What we do is we're like, here, get used to using a user ID and password. And now we want to make it more secure, but now we're going to have to make you jump through another five hoops to get there.

Jeremy Snyder (24:52.104)
Hmm, yeah. So I want to change gears for a second. I want to talk about InfoSecurity Europe. We were both there. I think it's about four weeks back at this point or something like that. You had a really interesting little write up of your experiences to it, which I think started with a motorcycle ride to the venue, if I'm not wrong. Yep. Is that is that an annual tradition? You kind of take the bike over there every time?

Javvad Malik (25:16.648)
Yeah, pretty much anywhere in London I'll take the bike as long as it's not snowing or I don't need to be in a suit and it's raining a lot, which is a lot of the times unfortunately. But yeah, no. So actually it's like, I don't like ExCeL as a venue. I think it has no soul to it. It's just a large warehouse and normally the acoustics are horrible. It's just a giant place. There's nothing interesting nearby.

Jeremy Snyder (25:28.484)
Yeah, yep.

Javvad Malik (25:46.214)
There's no cool places to go and eat or anything. So unlike when it used to be in Earls Court or Olympia, where, yeah, okay, sometimes it got really hot in Olympia and what have you, it's like a giant greenhouse. It is like soulless, but it is for me personally, it's a far more convenient commute. I just hop on the bike and within like 30 minutes, I'm there, parked up, free parking for motorbikes. So...

I do enjoy that part of the ExCeL experience.

Jeremy Snyder (26:21.188)
Gotcha. How did you find the content? I mean, was there anything, any themes that jumped out at you or anything new or interesting that you learned this year?

Javvad Malik (26:30.374)
Nothing. There wasn't anything new, new. There was, you know, obviously there's a lot of AI. There's a lot of, you know, everyone's got AI in there. There was a, you know, there wasn't like, I didn't feel like there was a lot of, you know, a big theme of new stuff. There was a lot of people obviously talking about reduced budgets and reduced head counts or freezes on head counts and what have you. So.

It was like the age old thing of how do you do more with less kind of thing. But also I found like because of the way they laid it out this year, the booths were, they give everyone a bigger booth. I think they were just like fewer vendors or they had just like spread it out a bit more. So everyone had a bigger booth and there was like a lot more walking space and they had like this big walkway in the middle, which was really good. It was big, it was wide and you could walk through.

So from an attendee perspective who wanted to network with people or just wander around and you know, the acoustics were really good because they had carpet everywhere and it wasn't that echoey. It turned out to be a very pleasant place just to be and have conversations with because normally it's very noisy and echoey. From a vendor perspective, I think that worked against them because there was so much space for people just to wander around.

and not get close to the booths so they didn't really see anything. There was less opportunity for the people at the booths to interact with attendees or ask them what they're looking for or just have a bit of a chat. So I think in that way, it was slightly counterproductive from a vendor side, but from an attendee side, looking to network and catch up and be very selective, I think it was a lot better than it was last year.

Jeremy Snyder (28:28.068)
And do you think in general conferences are becoming more relevant, less relevant in the age of kind of remote work?

Javvad Malik (28:39.489)
It's interesting, I was speaking to a couple of people about this before and I think like most things we go in cycles, like there were like lots of conferences and then people started getting bored of them and then we had lockdown. And then for a couple of years, all we had was virtual conferences, which on paper sound really good. It's efficient, you can attend a whole conference and you can not travel and you save costs and everything.

Jeremy Snyder (29:01.14)
Yep. Yep, yep.

Javvad Malik (29:04.769)
But then people realize, I think, how much that human interaction actually matters and it makes such a big difference. Those hallway conversations, those just random little comments that you hear, I think those are invaluable. And I think just for that, conferences would always have an importance or a place in the industry for sure.

Jeremy Snyder (29:10.708)
Yep. Yeah.

Jeremy Snyder (29:28.627)
Yeah, it's been interesting. I've had kind of a couple of reactions from people when I've asked this question and, you know, I'll tell you my opinion is I think they're actually becoming more relevant. And I'll tell you kind of two reasons why. One is what was the last virtual conference that you actually attended? And I don't mean you had running an A browser tab and a device on a screen on your desktop paying it one third to one half attention. Right. So that's that's

you know, the first point. And the second point is, it's actually almost the only business travel that most people are doing anymore. You don't find a lot of, we're gonna come visit you in your office, because so many, you know, so few people are actually going to an office on a regular basis that, you know, the conference is the only place that you can have those face-to-face interactions and you can have, to your point, those interesting hallway conversations and the possibility of bumping into somebody and having an interesting chat.

So that's been kind of my take on them. We're coming close to time here, but I've got one last thing I really wanted to talk to you about. I loved this detail from your bio about being a Guinness World Record holder for the most views of a cybersecurity lesson in YouTube in 24 hours. So first thing is, how did you get inspired to do this?

Javvad Malik (30:47.423)
So this was a kind of like a joint project. It was like put forward by a PR agency. Said, wouldn't this be fun? And we said, that would be great fun. And then we done it in conjunction with another vendor.

I can't remember their name just escapes me that the certificate's right behind me on the wall. I you could probably see I don't know if if this goes out as a video podcast that but that's the certificate right there. OneLogin that's that they're the ones I think that that were with us. So you know, because there's a lot of resources and time and preparation you need to put into this and you need to market it a lot and get people on board and what have you. So that was kind of like it started off just as a like.

Jeremy Snyder (31:12.688)
Yeah. Yeah, yeah, yeah.

Javvad Malik (31:35.261)
Basically a PR exercise like well, what can we do? That's not being done out there in the industry. That could be a bit of fun. It could be like useful to people and what have you. And then there was like, well, you do security awareness. Yeah, we do security awareness. Why don't you do a webinar on security awareness and see if you can break a world record because that's not being set. You'll set a world record because it's not being set yet. So we were like, well, so, you know, so we can get like 50 people and it'll be a record. And they're like, well, it doesn't quite work like that, but they set some threshold there or what have you, but we.

We met that and now it's forever immortalized as a Guinness World Record holder. So it was a great experience to go through. And I think it's also just, for me, one of the biggest benefits is that, well, A, it's a great conversation starter, or like now I'm never stuck where people say like, tell us an interesting fact about yourself. So I always like pull that one out. But.

Jeremy Snyder (32:23.949)
Yeah, yeah.

Jeremy Snyder (32:27.661)
Yep, yep.

Javvad Malik (32:31.483)
Also, I think it was a really good activity in bringing the message to a far newer and broader audience than what we're usually used to speaking to. So normally it's within the industry, you go to an infosec or something like that. If it's not security professionals, it's technology professionals who have a good idea. But by doing this, it was like, it went to a far broader world and like, you know, people who never interacted with cybersecurity or, you know, have very little, and so they, they were like, this is interesting.

Jeremy Snyder (32:51.693)
Yep, yep.

Javvad Malik (33:00.602)
So I think there's a little bit of good that was done there. So I'm quite proud of that.

Jeremy Snyder (33:07.885)
And what was the actual topic that you delivered?

Javvad Malik (33:11.514)
The topic I delivered on was on ransomware. It was just like a brief history of ransomware, where it started from, how it developed, where it is now, and what things people can do to protect themselves and their organization.

Jeremy Snyder (33:27.723)
Awesome. And how many views in 24 hours?

Javvad Malik (33:30.778)
I can't remember the exact number. It was something like 1500. It wasn't huge. It was a really low number or something. It got more views after that period, but it was 1500, 15,000, something like that. I can't remember. It wasn't a large number, but yeah, we still set the record. So we got the certificate. We got put into the online website, not the actual physical book, but still it was...

It was something there for us.

Jeremy Snyder (34:03.979)
Awesome, awesome. We will try to include a link in the notes for today's episode along with a link to deceptive patterns that we talked about earlier in the episode as well as to KnowBe4 and Javvad Malik, your own channel on YouTube, which I've just found as we've been talking here and I know there's a lot of great content there for people to consume. It's been a real pleasure talking with you today, Javvad. Thank you so much for taking the time to join us on Modern Cyber.

Javvad Malik (34:29.047)
Yeah, thank you so much for having me.

Jeremy Snyder (34:32.843)
All right, and to everybody listening, remember, please do us a favor, rate, review, share all that good stuff. And we will talk to you next time on the next episode. Bye bye for now.
