Security Market Watch

SMW #5 - Exploring Innovative Security Awareness Training Ft. NINJIO's CEO, Shaun McAlmont

July 25, 2023 Josh Bruyning Season 1 Episode 5

What could be more gripping than exploring the fascinating realm of security awareness training with an industry leader? Shaun McAlmont, the president and CEO of NINJIO, lets us in on a novel approach of using animated episodes to break down the complex world of security training. He discusses how NINJIO is creating a human firewall equivalent in importance to a company's technical firewall, thereby reducing risk in a fun, engaging way. Believing in making the training process not just informative, but also enjoyable, these animated episodes feature Hollywood-level writing and voice acting, ensuring the message sticks with an unforgettable charm.

Technology, a double-edged sword, brings with it an array of challenges. We get to explore these hurdles, ranging from data breaches to the dark web exploiting information. Shaun elaborates on how NINJIO faces these head-on with its captivating animated shorts. 

As the conversation unwraps, we dip our toes in the waters of NINJIO's expansion. Shaun enlightens us on how the company has branched into the phishing platform and SaaS for profile building and risk reduction reporting. This extended offering has led to the sales team adapting to new challenges, and Shaun provides insight into the product's global reception. By the end, the message is clear: security awareness training is a critical component of risk management in the modern world. So join us for this enlightening discourse on how NINJIO is changing the game in security awareness training.


Speaker 1:

Welcome to this episode of Security Market Watch, the show that goes straight to the source for security market insights. My guest today is the president and CEO of NINJIO. He said just to call him Shaun, so I'm going to say Shaun McAlmont, but I still want to say Dr. McAlmont. My guest today is Shaun McAlmont, president and CEO of NINJIO. Shaun, thank you for joining us today on this episode of Security Market Watch.

Speaker 2:

Hey, thank you for having me, Josh. Very excited for this conversation.

Speaker 1:

Well, your neck of the woods entails everything about security awareness training. That is the slice of the industry that NINJIO specializes in. So could you tell us a little bit about NINJIO, what kind of product it is, and let's start there, and then we can dive into talking more about security awareness training.

Speaker 2:

Yeah, you've got it, Josh. It's interesting. With 80 to 85% of breaches today being caused by some sort of human action, NINJIO is formed with the basis that we actually have to get our workforce populations aware and trained to reduce risk in that human element. And if we can do that on an individualized and personalized way, ultimately the risk for a company goes down as well. So our founder, Zach Shuler, a number of years ago found that typical corporate training was kind of despised.

Speaker 2:

I mean, I hate to say it that way, but for a lot of corporations when you've got that one or two hour session that you know is coming, you keep getting reminders. It's kind of static. You've done it time and time again. You don't look forward to it Much less. Some people try to game the system so they'll have a screen open with their training and a screen open with their work and they try to get the minimum passing to get through that annual training. The problem with that is you don't learn. If you go about the process that way, you won't retain that information and you certainly won't change behavior to reduce your personal risk or the company's risk.

Speaker 2:

So we decided to take an approach that was very focused on engaging the human element, making sure that we build almost a human firewall to go alongside a company's technical firewall, and the stronger we can make each human and the more aware of the tactics that bad actors are using, the better for the company.

Speaker 2:

So that's how the company started and for anybody that goes to our website and looks at one of the episodes we have available to anybody that goes to the site you'll see that it's a four minute animated episode that's focused on a real breach.

Speaker 2:

So as adults, we learn very differently than when we were younger. The whole science of pedagogy for younger people transforms when we get older because we don't have as much time. We really want to be motivated to do the learning. It's got to be something really relevant that I can use tomorrow, or be rewarded for it, or my career is going to be better. So the motivation behind that learning makes us develop items and types of learning. That's actually shorter and more easily consumable, but it's got to engage the learner. So that's what NINJIO does: animated episodes that are delivered once a month to a company or client and ultimately that employee becomes aware of all of the different types of breaches that are happening in real time around us through that episodic approach, and a little later in the conversation I'll talk about exactly how we do it.

Speaker 1:

I must admit, and I'm kind of ashamed of this, but even being in security I've been in security for like five years and I hate those trainings. I do not like the security awareness training. I was one of those people who just kind of like clicked through it as much as I can and as quickly as I could. One of the things that struck me when I first saw an ad for NINJIO was that it was animated and I thought it wasn't just animated in that you know, boom, to tune, to tune, to tune. It was like a fully produced clip, like a short, you know some, almost like a Disney short and I thought, well, this is really clever. Is everything like this, like, is this just a gimmick?

Speaker 1:

But what you're saying is that it's not just for advertising. What is the approach that you've taken to awareness training? Sort of another option to gamifying, which is one other way to do it. But you've done the. You've gone the entertainment route to make it highly engaging for those to do those. I'm telling you, if we had NINJIO, I would have been a lot more interested in my security awareness training, because I love cartoons.

Speaker 2:

That's the feedback we typically get and I want to mention, if you think about it, Josh, the workforce is getting younger and younger over time. We find that when a customer talks to us about the animated approach, they ask us why? And we say, look, it's flexibility. We can produce it in a way that builds dramatic effect around a real breach. And so you know, we really enjoy it, even within the company. I mean, we all consume our own awareness training and we love it. We can't wait to see what the design team brings up next.

Speaker 2:

We use Hollywood voices and you're right, it's writing that comes right out of Hollywood as well for that dramatic effect, because it does engage learning in a different way. Like you said, it keeps you interested in the topic long enough for you to gain insights on that one particular breach, and then you know you're going to get another one next month. And, by the way, throughout the month there are other anchoring elements that remind the employee or the end user about that particular breach. But, with that said, the flexibility and our ability to create new content is limitless. We don't need live actors, we have a full animation team on staff and, again, we take the experts in our field, the real breaches that are out there, and we build the episode around those breaches. So you're learning in a dramatic way, in a short way. It's not punitive, it's not boring and you know it's only going to take five minutes out of your month to watch that episode.

Speaker 1:

I'm sure you collect all kinds of data on the effectiveness of this approach. What is the impact on retention? Are you able to track retention over time and can you give us a little bit of insight into? You know, maybe it's the length of the clip or the type of animation what are some of those elements that contribute to the retention of those security awareness training videos?

Speaker 2:

Yeah, it's a great question. You know, I'm not an engineer. I didn't come out of the tech environment, et cetera. I come out of learning and training and workforce development and kind of finding the fastest path between skill development and that type of focus training to changing behavior or changing someone's life circumstances. And so what attracted me to NINJIO was that that's what we're doing in a very micro way, every single month. We're trying to make somebody aware of issues that are real, issues that are happening out in the world, and how they can be aware of it and protect themselves and their companies from it.

Speaker 2:

And, with that said, I would say, based on all the types of learning I've seen over a 30-year career, this is extremely effective in retaining the level of knowledge, and a lot of that retention comes from the fact that as adults, we really like case studies, like give me something that happened, tell me how good or bad it was, so I can learn from it and not do the same thing myself. And so every one of our episodes starts with the intro that talks about the breach. And you know, sometimes you have to protect the name of the company and such, but we talk about the nature of a breach that happened recently to a major company and we use 30 seconds to introduce it as a case study. As adults, that is so meaningful to us. When you've got a busy day, you've got to get this thing done. You want to learn from it very quickly that that third and a 40 second intro engages you in the real thing that happened. From that point the rest is is is a dramatic effect around that topic. So then we essentially strengthen the training around the real breach. So again, two very important components of adult learning. We want to make sure that it's something that's easy to consume, it's relevant and it's experiential and it's like a case study. So it kind of hits a certain side of your brain as an adult learner and somebody in the workforce, and then the drama around it, just you know, engages you even more so in the next like four minutes. So, with that said, like all those components really strengthen that, that, that engagement and the ability to, the ability to retain the information over long periods of time.

Speaker 2:

And we found that there are there are many of our clients that that use the content on a monthly, mandatory basis. They can track the bad click rate if you will, you know, into phishing campaigns and they can see that going down dramatically. Like we have one client, very large client that has about 60,000 employees in multiple countries. At first, when they implemented NINJIO, they had it as a as a involuntary way of engaging employees to introduce the concept. Very quickly they realized that, okay, look, we can track our risk scoring, if you will, or our bad click rates, against how we use NINJIO content. When they moved to mandatory, which is about three months afterward, they saw their click rates go down dramatically. So they saw decreasing risk happen almost immediately.

Speaker 2:

Because what we talk about in our episodes are business email compromise. You know, smishing using text. You know the most common elements keep happening for different companies in different ways and so we're not talking about anything that's extravagant or out of the ordinary. These are things that it's a knowledge level that people should have on a daily basis. They start seeing the elements showing up in phishing campaigns. They can recognize something that's risky and that whole circular effort continues to work and bring down that risk score over time. So, to answer your question, engagement becomes very high based on this approach. Retention of the information they remember it because it's a story. We tell a story around the breach and they'll remember that story and they'll remember the attack vector. So it's, it's, it's. It sort of keeps building on itself over time and becomes very effective.

Speaker 1:

Some would argue that what you're doing is probably the best way to do security. I've talked to so many security leaders over the years and the human element how to get our arms around the human element has always been a challenge, and so we've. From the engineering perspective and the technical perspective, we think, okay, they're going to stick a USB in there, we're going to make it so that they don't do that we're going to. I mean, those controls are important, but it doesn't get to the heart of the issue, which is that human beings are human beings and so you have to come at them in a way that that they're used to, or in a way that complements just the way they think right. So if you try to put technical controls on a human being, oh, come on, we're smart enough to. We don't like to be in cages, we don't like to be chained up. So I love this approach of, I love the gamifying approach, but I love even more or just as much, maybe, maybe I think a little more than the gamifying approach. I love the entertainment approach and I love starting with the breach, because the first thing that people, I think, ask themselves, or when they, when they're faced with a security demand or mandates is what does this have to do with me? I am so disconnected from the whole security world but when you hear that you know Verizon got breached or Samsung got breached or whatever they go, oh, I know who that is, and that could be me. I could be next.

Speaker 1:

Hey, Maggie, Maggie Dylan is in the house. Okay, Maggie is our hurricane. I call her Maggie the Hurricane Dylan. So, Maggie, this is Shaun McAlmont. This is a really good time to pause and say this is Security Market Watch. You're listening to Security Market Watch and my guest today is Shaun McAlmont, and our wonderful co-host, Maggie Dylan, has just entered the room. Maggie, welcome.

Speaker 3:

Hello, thank you for your time, Shaun. We're excited to talk to you.

Speaker 2:

Yeah, thanks, maggie.

Speaker 1:

So this is a good time for me to summarize everything that we've talked about so far and you can tell me if I'm on the mark or not, right, okay, okay. So NINJIO is a different approach to security awareness training. So, instead of telling people, you know you have to read all this stuff and you know, click on this and click on that, and most of the time what happens is they kind of scroll through it and they, you know, you just do this thing and hopefully you get a good score and there's no retention, right? So we've all been part of those awareness training programs.

Speaker 1:

NINJIO takes a different approach, where they use little animated shorts to espouse the virtues of security awareness training or of security awareness of security. So, in a nutshell, what they do is they take these short clips, they start with a breach or talking about a breach, and then they talk about some element of security that impacts the company, that impacts that employee, using the breach sort of as an anchor or jumping off points in order to make the point. So they talk about phishing. Here was a breach, and the breach occurred because somebody opened an email and they clicked on a link. That and without inspecting it, and this led to this breach that cost the company lots of, you know, millions of dollars or whatever. This is brilliant, by the way, because it goes right to the pain point, which is it can happen to me, it can happen to my organization, and here's the risk, you know, mainly in the form of financial loss. So how have I done catching us up?

Speaker 2:

Excellent, excellent. I mean, you could have done my part.

Speaker 1:

No, I could not, I could not, I you know, and so we were talking about engagement and I had never really thought about this before, and Shaun comes from more of a, an educational training, human enlightenment development standpoint.

Speaker 1:

So that's his background, mike. So now that we're all caught up and and we're here, I have a question about sort of the happy approach. Right, it makes you feel good when you're looking at one of those videos and doing your training that way. What impact does that have on you know? I don't want to say scare tactics, but does it sufficiently get people to react to the dangers of a breach? You know, do they kind of go oh this is a cute video, this is great, I remember all that stuff, but do they? Do they still have? That response of this is really bad. If this happens, you know, this could spell disaster for me, my co-workers and my company. Have you seen what is the approach to NINJIO? That NINJIO takes to? A sort of the fear tactics that we've seen in other tools?

Speaker 2:

Yeah, it's an excellent question. You know, even though our approach is not necessarily punitive, because there's no punishment. I mean, what we're trying to do is expose a breach or like a case study, very quickly in the early intro to the episode, but then the dramatic effect is built around that in that there are characters who go through the, the, the process of what happened in the breach. So one of the things that engages people is they, they, they love a character or the character brings them some level of pain as they go through this real-life situation. You know, we we just did a, I did a webinar with a real estate and a title association that covers that industry.

Speaker 2:

We happen to have about four or five episodes around wire fraud From a personal perspective, title company, real estate in general and impersonation.

Speaker 2:

And if you look at the episode around wire fraud, there's one that happens to a family where you know bad actors get in and they change the wiring instructions through malware and it changes the routing number and you don't even know because you're still following the instructions you had, but that critical information and where you wire the funds was changed and so a family in one of the episodes ends up losing their life savings and it was based on a real circumstance.

Speaker 2:

So I think the feedback we got is people felt that emotional connection. Everybody remembers or is fearful about the house buying process and you're wiring a lot of money right out of your bank into some other bank and when you get the word that the money didn't show up into the bank a day later, the panic that sets in is tremendous. And so we try to recreate what happened to somebody in real life through these episodes, even though it's animated. You know, through animation you can still bring the dramatic effort through music, the character development and the actual drama in the scene. So we end up bringing in the fear and all of those emotions into the episode.

Speaker 2:

Now, I'll say this you know that the next phase of NINJIO that we've just recently launched is more about a SaaS platform approach. So, on the front end, a company that we contract with will see those awareness episodes to start building that knowledge base of real breaches. Then, in the background, we do the simulated phishing and we do it in a way that there's a lot of it going on for the company. Employees don't know until they start seeing those emails or not, recognizing them as fraudulent or not, and we build a profile based on the data we collect, and that profile is based on vulnerabilities. We have seven vulnerabilities that cause people to click bad links. Sometimes it's fear, it's urgency. You know you get a note from your boss at 4.30 pm on a Friday that says open this link immediately. I need you to do something for me. Most people are going to click it and once you click that, a bad actor is in your system. So if somebody responds to urgency or fear, they have a propensity to click that particular link.

Speaker 2:

What we try to do, then, is build that profile based on the vulnerabilities of your employee base, and we have a new episode now in development that's 60 seconds and it's tied specifically to fear, to urgency and to those seven vulnerabilities or greed and you're going to get that served up after we build your profile. And we find that that's how we build awareness on the front, test that awareness through simulated phishing, build a profile and then frame to change the behavior. We find that it's we had something very novel on the front end, but it's not enough to now just make you aware. Now we have to help change your behavior and if we can do that on an individual and personalized basis, it will change the risk profile of the employees and the company. And so we find that this whole human firewall development concept takes multiple steps now, not just one or two.

Speaker 1:

Why the switch to SaaS?

Speaker 2:

You know, really because of the phishing platform. So initially we were content first so we could send content out. You could see that content on our platform or we could send you the files so you could put it on your LMS or your platform and show that content. The platform that we built and it was through an acquisition of a company that did just platform phishing was to tie the awareness training, the phishing and the behavior training together in a technical solution that a company could run for all of their employees and show that process of learning and behavior change. That's it. That's it. It's a more technical approach to running the training than just sending out content.

Speaker 1:

Great Maggie, I have a question. Yeah, I know, I can see it in your eyes. I can see it.

Speaker 2:

Oh it's looking away, Shaun, because I'm a note.

Speaker 3:

I'm so old school, but as I'm hearing you talk about this and I'm thinking of a case study that recently I heard about that and this is a real life situation, probably not that common, at least how it started. So the situation was with a hospital and an employee of the hospital had befriended somebody from another country who was in love with her and unfortunately this is a hacker and he was able to he they whoever was able to hack into her account within the hospital's employee payroll system and then get into the whole account and to plead it. Especially with hospitals obviously very hot topic We've got hospitals literally closing doors because of hacks. This is a critical issue. Is there anything that NINJIO has done specifically for the healthcare industry or anything that you've seen that's maybe like an outlier versus other industries?

Speaker 2:

Great question, Maggie, it's so timely. So we have we have a couple of major hospital organizations as clients, but what you're describing is something that the FBI actually came to us to develop a very specific custom episode for and it's got a name, and the name is not very appealing, but the name is is pig butchering. And and then the reason it's called pig butchering is because a bad actor will strike up a relationship with somebody and they do it. Sometimes they do it in those wrong, wrong texts, wrong text address, right, you get this text and you're like, oh, I'm sorry, wrong person, and they'll say they'll strike up a conversation and they'll find out your single soul, my, and they have all of these methods to build a relationship of trust and what they start doing is they start encouraging you through that relationship to either invest in something that is fraudulent or give access because the relationship is stronger to to your personal information or your work information. So, whatever direction it goes, the bad actor is conceptually fattening the pig for butchering they're, they're loading the person up with with, with love and care, so so called, they're also gaining access to critical pieces of information and personal finances.

Speaker 2:

The one that the FBI was focused on with with us was they wanted us to train, not in in healthcare per se, but it was in personal investing, and one of those bad actors through that process essentially got an individual to change one of their investment strategies to invest in some sort of cryptocurrency, and that that crypto was was just sort of a bad actor environment In the first place. So they shifted their investment from you know one of the broker brokerage companies to this shady crypto company and eventually, when, when all of the person's personal investment and it was couple of $100,000 was was there, the money was gone and so was the relationship. And that can be done in a number of ways and it is a. It is a horrible approach because it again, when you look at vulnerabilities, it preys on the vulnerability of a person and these bad actors are figuring out what all those vulnerabilities are. That's exactly what led us to to look at. How do we identify vulnerabilities through just simulated phishing in a company sending out hundreds and thousands of those emails with different campaigns? Who clicks on what link like? What is it that's attracting somebody in their own DNA to click something based on where they are in their life at that moment and when we, when we can build that profile again. It's not to embarrass anybody, but we will serve up content that's again very digestible, based on their vulnerability, and then we watch it over time and hopefully it goes down.

Speaker 2:

This is such a sensitive topic that you don't want to expose it. You don't want to again be punitive with somebody in the workplace because they have the vulnerability, but let's at least identify it and train to it. But I think it's an area, Maggie, that is ripe for all kinds of issues down the road. I mean, I think even if you look at the old school Nigerian Prince or you know, I've got this money and I need somebody to help me manage it those schemes continue to work. Yeah, preying on the elderly, I mean there are so many elements that that a bad actor will will take advantage of, and it's all based on human vulnerability.

Speaker 3:

Absolutely Well and I. That was a great answer and it's something that there's so many different ways to attack the issue. It's hard to overcome because everyone acts so differently. We're all individuals. We all have different things going on in our lives at different times. How do you pinpoint? Okay, we can build a profile, but I think one of the biggest things and this is a follow up question to that more of a psychological basis how do we get the message across to people that what you're doing is truly helping protect them? Just as if a single woman by herself were to go hiking in a park, Is she going to go do it at midnight or is she going to do it at 12pm when the sun's out? Can you walk us through that from a psychological perspective? Maybe some successes you've had.

Speaker 2:

Yeah, it's. It's very similar to physical, physical security or any other type of security. I mean, we, we spend, you know, millions and lots of time and energy to make sure we we do things the safe way and we take precautions, and we, you know, get systems that alert us to other types of security issues. But why is it that in this area there's such a gap? And I think the gap is because technology is taking over all of our communications. We're sitting on it daily. You know, the whole concept of social engineering is an interesting one. The reason a bad actor can target you or spear-phish you in your own company is because all your stuff's not LinkedIn on Facebook. We've made it very easy. In this real estate organization, this real estate association, they were basically saying that there's so much of their information in the real estate process that's public that you can build your own bad actor profile just on the information that's out there to give somebody comfort. And now, with AI, you can change a voice. You can, because things are fluid. You can have AI recognize where you are at any given time to attack your vulnerability. So the the increase in technological awareness and access and the fact that we all rely on it now on a minute-by-minute basis in some cases has opened up a slew of issues.

Speaker 2:

I almost related Maggie to AI and how everybody now is talking about. Are there going to be government regulations because it's out of control? Or Boston Dynamics robots look like they can create an army that can overtake humans tomorrow. Are there going to be regulations? There's a similar feel here because we as humans are accessing technology at unbelievable rates now, at the youngest of ages.

Speaker 2:

You know something that happened the other day out here in Los Angeles. The LA Unified School District had a breach and the district said look, we're not, we're not going to pay ransom. And so the bad actors put all that information out into the dark web, as they typically do. But the fact that they're putting young people who haven't even started high school or their careers in many cases they're putting that information out there is heartbreaking.

Speaker 2:

So it again our access to technical and technology related sources, our reliance on it, has opened this up dramatically. All we can do is say, when you're in the workplace or you're at home, there are a number of things you can do to protect yourself and your family, and we try to expose people to those things that are most common and try to build good behavior, good technical and data hygiene, and build the habits that make you more aware as a consumer and user of technology. Outside of that, it's very difficult. I think that's why we keep talking about the fact that the majority of breaches like 80% plus happen because one person in a company clicks a bad link and lets a bad actor in. It's incredible and it keeps happening.

Speaker 3:

Yeah well, and I was just gonna side comment, with you being in Los Angeles, near Hollywood, we need good actors, so how about you create a movie about this entire topic or Netflix series? And we can kill a bunch of birds with one stone.

Speaker 1:

No, that's a really good idea. Feature length, NINJIO. I mean you're already making them like five minutes long. All you got to do is tack on another hour and 25 minutes.

Speaker 2:

We have a couple of great writers I mean, one of them wrote on the Hawaii 5-0 series and you know a number of series but they have a way of taking the issue, understanding the security related angle to it and writing, and writing a dramatic episode around it, and we just found that, look it's. It's a little more costly, but it's what draws somebody in, versus having them say I don't want to do this thing.

Speaker 1:

So I love the idea that we'll feature length. Yeah, I love it. I would watch it. Maybe we'll put you in the credits.

Speaker 3:

All right, that's fine, as long as it's more people being safe all around and being educated and us all just kind of joining hands and singing safety kumbaya, as I'm all about it.

Speaker 1:

Absolutely, yeah. Yeah, so are your writers on strike as well?

Speaker 2:

With the, the strike that's going on in Hollywood, I probably shouldn't mention anything, but I think how we're not a part of Hollywood per se, I mean we're more of a corporation. So as they write for us, it's outside of their Hollywood writing.

Speaker 1:

The productions. From what I understood, you know it's that's a thing between the actors, the writers and the production studios.

Speaker 2:

Exactly.

Speaker 1:

It's like a problem for the production studios, not so much for a company like yours. I just had to ask because it's yeah, yeah, of course, trust me. The first thing I asked yeah, yeah, yeah, are you guys gonna go on strike too? Okay good, good, glad to hear. So let's pivot to more of the business of security awareness training. What was the go-to-market strategy in the early days of NINJIO?

Speaker 2:

Yeah, great question, and it was very straightforward. It was really approaching companies that we knew were in their infancy, if you will, about seven years ago in this area, or companies that were typically struggling with that standard annual one or two-hour training, as we mentioned before. We thought let's give them an alternative, and so the go-to-market strategy was how do we promote these episodes, promote the fact that, again, they're structured in a way that they cover a real breach. It's micro-learning and it's the exact opposite of what you're training someone on today. And we had a lot of takers.

Speaker 2:

A lot of takers, I mean large companies, small and medium businesses, major league sports, you know, organizations, banks, hospitals. We probably cover every sector in the economy and it's because humans are humans. You know, we have government contracts. Sometimes those government agencies want something a little different or something tied to their particular regulation, and we're fine to do those customizations as well. But the go-to-market strategy ended up being successful just as a test of the concept. It flew and a company was created. What we've done recently again is we've added the phishing platform to build the profile, to then train one more time based on those vulnerabilities, and that's how it's evolved. So that evolution was yet another go-to-market for us to introduce the new platform, new process and risk reduction reporting over time.

Speaker 1:

And then SaaS will be sort of the next iteration and continuation of that process.

Speaker 2:

If you think about it, it takes time to build those profiles. So you know, multi-year contracts make sense to us and then we hope people renew. We hope that they continue to go because, as Maggie said, your life circumstances change. Your vulnerability today might be greed because of how your mindset works and tomorrow it might be fear because of some other circumstance at work. So the constant profile building and adjustment is algorithm-based and it will serve up the right type of adjacent content in the 60-second version as well.

Speaker 1:

And maybe this is a moot point, but I'm going to ask about product market fit. And it seems like your product fits every market. You know it fits right in. But let's go over, let's go international. So I know that in America, in North America, maybe even Europe, this would be very well received because it's a Western Hollywood type of production. How is the product received in other markets, or have you entered other markets or are you looking to enter other markets?

Speaker 2:

Yeah, it's a great question. We have, I would say about 25% of our business is international, and so our episodes are used around the world and they're subtitled, at a minimum, and fully translated at best. You know, we acquired a company based in Israel and so you know we quickly created episodes that were done in Hebrew to test that market. There are probably 15 languages that we get requests for and they're the major languages used around the world. So we haven't seen an issue in terms of the international market and how we promote our products. But we know we can do a better job.

Speaker 2:

If we decide to say, look, there's going to be a country that we will focus on because of their cyber needs, we might have episodes that start, you know, sort of meeting the cultural needs for those particular countries. As of right now. We write them in a way that they're very general and, because they're based on a breach that anybody anywhere can relate to, they work. You know, I think that if you're looking for something that's a little more sort of culturally tied to a population, we can do work there too. Again, because of the flexibility of animation, we can build character development, change things on the fly or develop adjacent content as well.

Speaker 1:

Storytelling is universal. I mean, if you're a Joseph Campbell type of person, you believe the hero's journey is basically, you know, deep rooted, it's in your brain, it's in the psychology. So, like it's a psychological control for a psychological problem. I love it, I love it. Exactly.

Speaker 3:

I have a question as far as talking about a sales standpoint. Obviously we talked about the go-to-market and your international spread here. What are you doing to bring on a sales team with this type of product that might be different from other organizations? It's very forward thinking. It's got just a lot of bells and whistles which are so cool to hear about, but is there anything additional that you've done to maybe build a sales team and maybe successes that they've had?

Speaker 2:

Yeah, you know we've had a sales team and what we've had to do over time is train them up to sell the fuller service. So you know, initially they were selling content first. The methodology worked. We had great, great content sales. But we thought to be even more competitive, we needed something that was a fuller service, that had content, phishing and some differentiating factor that could help a company really move their culture toward one of security awareness and risk reduction.

Speaker 2:

So our methodology, with the behavior training and the vulnerability assessment and algorithm, et cetera, came out of just trying to have a differentiated approach that really relates on the individual. So our sales team, in selling content first, has shifted now to still selling the fact that, by the way, our content has been rated number one and Gartner voice of the customer. You know it feels like you name it. I mean, people just love the content. We're not moving away from it, but we're tying it to these other elements. And that's what the sales team's had to do. They've had to expand their knowledge base and their ability to talk about a methodology that's fuller versus just the content. And then, secondly, Maggie, we're also moving to partner sales and so selling through sales channels as well. So that's forcing us to figure out how to prepare a partner to sell into their network, and on and on throughout those ecosystems.

Speaker 2:

And so that's how it's shifted, so it's not a wholesale change for us from the sales perspective, but it's an enhancement to the product that the sales team can then learn, enhance their sales messaging and promote it in a little bit of a different way and makes us more competitive with some of the larger competition out there and differentiates us from the smaller.

Speaker 1:

I'm trying to think of who the competition even is.

Speaker 2:

Hey man, you know I'm not going to tell you I'm not going to like you. I know you're not.

Speaker 1:

So I'm trying to think of it, but I will say I can't think of who your competitors would be. I know that you know it would be obviously the companies that are doing security awareness training, but you're so differentiated, your methodology is so different, and you know.

Speaker 2:

I can't imagine. Exactly, Josh, exactly, you know. By the way, that's how we feel about it today. We feel that our approach is pretty differentiated. The only challenge for us is how broadly we and how quickly we can promote what we're doing, because ultimately, our success is, you know, really not shutting down but lessening the risk and the fear and the angst that companies have right now.

Speaker 2:

You know, I think I went through a breach at a former company and it is jarring to the organization. I think what's even tougher is the after effects, like, if you have millions of people's data compromised, you've got to communicate with them, you've got to give them, you know, access to credit bureaus, like there's a lot of work you need to do to shore them up after a breach, and those records can be, yeah, the hundreds of millions, depending on the size of the company. So, with that said, it's painful. And then the thought of a bad actor sitting in your system and watching how things happen to be able to spear phish and, and, you know, set a company up for a breach is just, it's just a, is that, it's a terrible circumstance and if we can help reduce that, based on the human side of things, man, I think we've won.

Speaker 3:

I don't expect you to put any names out there, but in your experience, what was one of the worst breaches you've had with NINJIO?

Speaker 2:

I, NINJIO hasn't had a breach per se.

Speaker 3:

I'm sorry, not NINJIO itself having a breach, but just with some of the clients that you've seen or even heard about in your own network. What would you say is more of the worst-case scenarios you've seen?

Speaker 2:

I think it's, it's the, it's the, it's a type of breach. It's a type of breach that that that locks up critical end user or or patient or customer data that's sensitive for, and and holds, holds ransom. So, you know, man, we, we, we, we've heard about these. So as we go through the sales process, we sometimes get contacted by a company that just went through it and they realize we have to do something different than we're doing, and so that's how we, we get a lot of sales.

Speaker 2:

Um, in some of those stories, there they are, they are literally heart-wrenching stories where very sensitive and personal information has been encrypted and the threat is that it's going to be, you know, shot out into the dark web or other vehicles if, if a ransom isn't paid. Uh, sometimes a company cannot come up with a ransom, and so that information is sent out and it's, it's, it's horrible. You think about your most sensitive information for you and your family just being shot out there and it's a, it's a just a horrible, horrible moment for a person and a company. So it's, it's that type of breach that, I think is that, that we see and hear. That is, uh, staggering and the scale of it and scope at times.

Speaker 3:

Absolutely. Well, and it's, it's a tough situation and, and, Josh, you're gonna agree with me on this, it's, we're interviewing people that have a lot of vital information that truly needs to help educate the public, but you can only do so much with regards to sensitivity with the information you're sharing and whatnot. So it's, it's just an intricate way to talk about it. Uh, and that's part of the reason we, we love having guests like you on this show is because you do a great job of just kind of helping us see on a bigger scale, um, and you did a really good job of describing that.

Speaker 2:

So, thank you. Oh man, thanks, thanks, thanks, Maggie. Your questions have been right on, probably the most insightful questions I've heard over time and in one setting, and I think that they're really, really important. I don't think people think about the types of, of breaches. It, it leaves our mind for a moment and sometimes we're, we're lulled into feeling a sense of security because we've got the right tech stack, um, and, and you know, security profile that way. But once you start thinking about your employee base, you know, like wait a minute, I probably have a lot of risk in my employee base if they're just clicking through the annual training and not learning from it. Uh, so, so you know, when you start thinking about it that way, you're like, okay, wait a minute, I might have to do something a little different.

Speaker 2:

It's a little more personalized, based on where somebody is and, and then on the, on the, on the personal side, we also have risk at home. You know, I mean, I think for everybody that's got, that is involved in gaming, you know that Xbox is a, or PS5 is a portal to, to who knows where, and, and you know a lot of young kids are, are in it. They're sharing information and data. You've got bad actors communicating with them, because now they've got headphones on and who knows what they're, uh, doing or hearing or who they're speaking to, and, and so the risk just keeps getting greater and greater again as technology, uh, continues to impact us in greater ways. But I think awareness is the key, but then it's good behavior, training and, and hygiene, data hygiene, um, you know, past just awareness training now.

Speaker 3:

The word so.

Speaker 1:

Last question, Shaun, and I'm asking everybody about this because to me this is the hot topic of the day. The hot topic du jour is the SEC rulings coming up in October, which you know they keep pushing it back, but the SEC rulings for companies to demonstrate oversight and risk and, uh, basically demonstrating that, you know, they've got everything covered from a board level, not just in the security function or just from the CISO. So how would, uh, security awareness training help these companies to demonstrate, or how does it play into that demonstration of oversight from a risk perspective?

Speaker 2:

Yeah, it's, it's, it's huge. You know, I serve on a public company board and we talk about cybersecurity regularly, not to mention it's an audit committee component that, that, I think, is here for the future, I think. Uh, ESG is starting to cover it, I think. So I think the SEC is realizing that if you're a public company, just imagine, again, somebody somewhere in your organization clicks a link that they thought their boss sent at 4:30 on a Friday.

Speaker 2:

Uh, before you've been thinking about it, because of that vulnerability as a human, a bad actor's in your system. What if that bad actor has access to your earnings before your earnings call?

Speaker 2:

Um, they could start trading your stock in one way, shape or form beforehand and you've got, you've got an issue, and so, and that's just one example. I think that this, this is a risk that, that public companies are going to have to manage. Um, I wouldn't, I wouldn't say, you know, in a, in a different way than anybody else, but they're, they're so public that, um, shareholders and shareholder concerns are, are also prevalent in that regard, in that realm, so they've got to be sensitive to it. So I think that companies are starting to bring on board members that have either the technical or the cybersecurity awareness, um, experience that, that needs to be a part of the conversation constantly. And, and audit committees are making sure that the, the protections are there from a regulatory perspective and just good practice. So I, I think it's the, the future is here, no matter what the rulings say over time. Companies are already on it because the, the risk is so huge for, for an SEC company.

Speaker 1:

Well, security awareness training isn't going anywhere and I love the psychological approach. It is a, it, like I always have said, that, you know, I've got a sweet spot for security awareness training because it is, it is a psychological control to a psychological problem. Security's not a technical problem. We use, try to fit it into, you know, a round square, into a round peg, into a square hole, but it is a psychological problem and it's one that you guys are tackling in one of the smartest ways that I've seen to date. So kudos to NINJIO, and I didn't even know you existed until last week. So you know, whatever we can do to get the message out there, you know we'll do at Security Market Watch, because it's, it's, it's something that is pertinent, relevant, important and actually works.

Speaker 3:

A security thing that actually works.

Speaker 1:

It's refreshing.

Speaker 2:

And you know, Josh, thank you so much. Um, this has been enlightening and I'll tell you that we, we don't publicly promote who our clients are, customer base, etc. But what we've got, we've got a great client base. But, to your point, the, the, our, our challenge is how much, how quickly and how fast we, we, can promote ourselves and what we do. We've just built this, this even, um, more, I would say, contemporary approach to behavior change that we will start promoting. This is an important first step for us and I appreciate you giving us the platform to, to talk about it. So, Josh and Maggie, thank you so much.

Speaker 1:

Shaun, we appreciate you coming on the show. Maggie, any closing remarks?

Speaker 3:

Well, thank you for your time, and I actually already got a name for your Netflix series, which we're gonna try to get, we're gonna make it happen. All right, it's called the Netflix NINJIO ninjas series and we're gonna get this out there and spread the word as much as possible, because the people who don't care about cybersecurity or any of that stuff, they love clicking on Netflix all day.

Speaker 2:

That's true, that is true, thank you, thank you. Thank you for your time.

Speaker 3:

I appreciate it.

Speaker 1:

Maggie the her, her, let me get this right, Maggie "the Hurricane" Dylan. I love it. Maggie, thank you for, for, uh, oh gosh, and I'm starting to.

Speaker 3:

It's the hurricane.

Speaker 1:

It's just getting to your brain. This is the hurricane getting to my brain. Maggie, as always.

Speaker 3:

Go ahead. You forgot one thing. I didn't get a chance to say this. How do we find both of you if we want to get your information, Shaun? How do we find? How does anyone get in touch with you?

Speaker 2:

Uh, just, you know there's a couple of things. You go to ninjio.com and everything you need is there, and if you want to get in touch with me personally, um, again, through the website, you can find me and somebody will get me back to anybody who's looking for me through the website.

Speaker 1:

And you can find me on Twitter, Instagram, just Google Josh Bruyning. I'm everywhere. Uh, don't forget, please, check out our YouTube channel and don't forget to hit like and subscribe, and so it really helps us to get this message and, um, conversations like this really out there. So, um, find us online, you can email me at josh at brooningcom, or again, you can find me on Instagram as well. I'm also active on LinkedIn. Again, Shaun, Maggie, you guys are awesome. Thank you so much and thank you for joining us for this episode of Security Market Watch.

Engaging Security Awareness Training With NINJIO
NINJIO's Security Awareness Training Approach
Technology's Impact on Security and Awareness
Sales Training and Market Expansion Simplified
The Importance of Security Awareness Training