Episode Highlights
The Phish Whisperer: A New Approach to Cybersecurity
Craig Taylor, co-founder and CEO of CyberHoot, is on a mission to change how the world approaches cybersecurity, particularly the pervasive threat of phishing attacks. He argues that the traditional method of punishing employees for failing fake email tests is ineffective and actively harms company culture. Instead, he advocates for a positive, psychology-based approach, inspired by his own academic background and a core belief that people learn best through positive reinforcement, not fear and shame.
The Flaws of Traditional Cybersecurity Training
Traditional “attack phish” methods, where companies send fake phishing emails to employees and then scold those who click, are fundamentally flawed. According to a study of 20,000 participants from the University of Chicago and San Diego, this method showed a mere 1.7% improvement in outcomes, and in some cases, actually made users more likely to click on malicious links. This is because when employees fail, they are often sent a remedial video, but as Craig points out, “you don’t want to train someone when they’re in a mood.” The average person watches only 10 seconds of these videos, leading to widespread disengagement.
The Power of Positive Reinforcement
Taylor’s company, CyberHoot, offers a different path based on the principles of operant conditioning. Similar to how a dog is trained with treats rather than a shock collar, CyberHoot rewards good behavior. Their “HootFish” approach sends a training email that is clearly marked as a non-trick, inviting employees to an interactive assignment. The goal is to teach users the “puzzle pieces of phishing”—like sender, subject line, and urgency—in a structured, engaging way. By walking employees through what to look for, the program builds muscle memory and teaches them to respond to emails rather than react to them.
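To make the “puzzle pieces” concrete, here is an added example (not CyberHoot’s code, and not from the episode) that walks a constructed email through the same pieces a trainee is taught to examine: the sender (display name versus real address, and Reply-To), the subject line’s urgency cues, and whether a link’s visible text matches where it actually goes. The sample messages, domains and cue words are all invented for the demonstration.

```python
"""Walk an email through the 'puzzle pieces of phishing': sender, subject
line/urgency, and links. Every finding is phrased as the plain-language
explanation a trainee would be shown. Added illustration, not vendor code."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of urgency cues; a real programme would tune this.
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended",
                "action required", "final notice", "verify now")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/.*)?$", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(msg):
    """Piece 1: does the human-readable sender match the machine-readable one?"""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # A domain-looking word in the display name that is not the real domain
    for word in re.findall(r"[a-z0-9-]+\.[a-z]{2,}", display.lower()):
        if word != from_dom and not from_dom.endswith("." + word):
            findings.append(f"Display name claims '{word}' but mail comes from '{from_dom}'")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To goes to '{domain_of(reply)}', not the sender's '{from_dom}'")
    return findings


def check_subject(msg):
    """Pieces 2 and 3: subject line and the urgency it tries to create."""
    subject = msg.get("Subject", "").lower()
    hits = [cue for cue in URGENCY_CUES if cue in subject]
    return [f"Subject pushes urgency: {', '.join(hits)}"] if hits else []


def check_links(body):
    """Piece 4: link text that shows one site while the href opens another."""
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not HOSTLIKE_RE.match(shown):
            continue  # plain words like "click here" cannot be compared
        shown_host = (urlparse(shown if "://" in shown else "https://" + shown).hostname or "").lower()
        if shown_host != href_host:
            findings.append(f"Link shows '{shown_host}' but actually opens '{href_host}'")
    return findings


def walk_through(raw):
    """Return the findings per puzzle piece for one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {"sender": check_sender(msg),
            "subject": check_subject(msg),
            "links": check_links(body)}


# Constructed sample messages (all domains invented).
SAMPLE = """\
From: "Payroll at acme-corp.example" <notify@acme-corp-payroll.example>
Reply-To: billing@free-mail.example
Subject: URGENT: action required, your payslip is suspended
Content-Type: text/html

<p>Verify now:</p>
<a href="https://login.acme-corp-payroll.example/verify">https://hr.acme-corp.example/payslips</a>
"""

CLEAN = """\
From: Jane <jane@acme-corp.example>
Subject: Lunch menu for Friday
Content-Type: text/html

<a href="https://intranet.acme-corp.example/menu">intranet.acme-corp.example</a>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE), ("clean", CLEAN)):
        print(name)
        for piece, notes in walk_through(raw).items():
            for note in notes:
                print(f"  [{piece}] {note}")
```

Running it prints one explanation per finding for the suspicious sample and nothing for the clean one; the point is that each message maps to a specific, teachable piece rather than a blanket “you failed”.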
Gamification: Making Cyber-Safety Fun
A key component of the CyberHoot method is gamification. Employees earn points, receive certificates, and can see their personal avatar grow in ferocity as they complete assignments. This positive feedback loop fosters a sense of accomplishment and encourages active participation. This approach not only improves security but also enhances company culture by promoting psychological safety and trust. Instead of making employees feel “stupid” for falling for a sophisticated scam, it empowers them with the knowledge and skills they need to protect themselves and their company.
A Proactive Approach to Profit
Ultimately, an ounce of prevention is worth a pound of cure. Breaches, which are often underreported due to stigma, are costing businesses billions of dollars annually. By taking a proactive, positive approach to cybersecurity training, companies can improve their overall resilience, boost employee morale, and protect their bottom line. CyberHoot offers a free individual training platform to help everyone get into “cyber shape” and encourages companies to try a free trial to see how a positive, engaging approach can transform their security culture.
Additional Resources:
- CyberHoot’s website: https://cyberhoot.com/
- Mention The Culture Profit for a 20% off discount code

