Security awareness is critical to cultivate in your organization. But security awareness training can often miss the mark. Traditional training is slow and reactive. As deepfakes and LLM-enhanced attacks become common, organizations need training solutions that can adapt and provide relevant training.
In this episode, Brian Long, CEO of Adaptive Security, explains how their platform provides engaging training that can be customized in a matter of minutes. Joining him are Janet Heins, CISO at ChenMed, and Gary Chan, CISO at SSM Health.
Huge thanks to our sponsor, Adaptive Security

And now, with Adaptive’s new AI Content Creator, security teams can instantly transform breaking threat intel or updated policy docs into interactive, multilingual training — no instructional design needed. That means faster compliance, better engagement, and less risk.
Trusted by Fortune 500s and backed by Andreessen Horowitz and the OpenAI Startup Fund, Adaptive is helping security teams prepare for the next generation of cyber threats.
Learn more at adaptivesecurity.com.
Full Transcript
[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking with Adaptive Security and what they’re doing in security awareness training. And the problem that they’re addressing, it’s a big one. It’s that traditional security awareness training just isn’t that effective. Trying to make that better is a major problem that a lot of organizations are trying to deal with. Helping us get answers and trying to elucidate here the nature of this problem are Janet Heins, CISO over at ChenMed, and Gary Chan, CISO at SSM Health. So, Janet, let me get started with you. Why are we still struggling to get security awareness right?
[Janet Heins] Well, I think it’s because we have people involved, right? And their day-to-day job is not to wake up every day, I mean, they don’t wake up every day saying, “I just can’t wait to take training and learn more about security.” We’re a behind-the-scenes organization. And so, it’s a challenge to get people engaged.
[Rich Stroffolino] Gary, does that reflect what you’re seeing? I mean, from your perspective, why are we still struggling with this?
[Gary Chan] I would say the same thing as Janet, completely agree. It’s not their job, or at least that’s what they think from their perspective, right? So, really, you got to capture their attention. And it’s really hard to do when they’re worried about their own meetings, their own priorities, the thing that their manager asked them to do. So, it’s a tough one because it’s people, like Janet said.
[Rich Stroffolino] All right, well, today we’re going to be talking with Brian Long, CEO over at Adaptive Security. So, to start out, Brian, we need the preliminaries here. So, help me out here. How do I explain the value of your solution to my CEO? What does your solution do? What does it not do? And then give us just an overview of the pricing model. Can you help us out here?
[Brian Long] Yeah, sure. So, Adaptive Security provides next-generation security awareness training. So, that involves things like simulating phishing attacks using AI technology over SMS, voice, and generative AI email, and then also offering security training that your employees will actually love and pay attention to without wasting their time. And our average training has a 4.8 out of 5-star rating and we cover all sorts of new AI threats. So, things like deepfakes, phishing, smishing, and stuff like that that’s evolving very, very quickly. The product is priced per employee, per user, per month, and it’s priced very similar to other security awareness training products. So, you very likely already have something. Why not choose the best and check out Adaptive, which is growing really fast and recently just raised a large amount of money from OpenAI in OpenAI’s first and only cybersecurity investment. So, again, helping protect from the next generation of AI attacks.
[Rich Stroffolino] All right, so a lot of interesting threads there to pull on. So, CISOs, I know you have some questions based on those preliminaries. Let’s get started with you, Gary. What are the questions you have for Adaptive Security?
[Gary Chan] I’m going to start with a softball. So, help me understand, Brian, why your product is loved by your customers.
[Brian Long] Yeah, look, I mean, at the end of the day, the most important metric to me at the company is our Net Promoter Score. We have a channel in Slack that comes in and looks at every single submission for Net Promoter Score. And today our Net Promoter Score is a 94, which means almost every company is a 10 out of 10. But if we see someone submit something that’s not a 10 out of 10, we’re paying very close attention to what they like, what they don’t like, what they wish was different, and we’re moving very quickly to build features and functionality around that. So, number one is just paying attention to that metric. Number two is after every single one of our trainings, we actually ask the employee for their one through five-star rating. So, in addition to getting feedback from the actual end CISO or customer, we’re also hearing from the employee on what they like or don’t like, and then we’re changing the training accordingly as well.
[Rich Stroffolino] All right, Janet, throwing to you here, what other questions do you have for Adaptive Security?
[Janet Heins] I guess I’m looking for how would you characterize your training? Is it what I call edutainment? Is it like animated? What makes it so engaging and loved by people who take it?
[Brian Long] Yeah, so the number one thing I would characterize about Adaptive Security Training that makes it pretty different is that it’s extremely personalized to the business. One of the biggest pieces of feedback from employees on why they didn’t like their traditional security training was that it wasn’t relevant to me. It’s not up to date, it’s boring, it doesn’t mean anything to me. We make our trainings very, very specific to the individual organization. So, some examples of that, our trainings, if it’s a training on deepfake, it actually includes deepfakes of the executives. And not just their video, it also has real-time voice interactions that you could have with an executive or person at the company to help illustrate the topic. We also pull in open-source intelligence into our trainings and real-life scenarios. So, all that is great and a way to make it more interactive. Finally, all of our global modules can be completely customized by the organization. So, they can change anything they want in the content, in the frames to make it match with their own organization. Finally, we also have a Gen AI content creator that allows you to create content on literally anything. So, you can just put in information about your organization, upload your context materials, hit generate, and it’ll make a net new training with all of your branding, your imagery, your animations, and content just for you.
[Janet Heins] That sounds great.
[Rich Stroffolino] Brian, I just have a question here. I’m one of the producers of Cybersecurity Headlines. We’re always seeing just new ways of getting a new social engineering, seeing these tools being used by threat actors in real time. I’m curious from that news cycle, from that kind of just breaking threat intelligence side, what’s the adaptation look like on your side? Like how quickly can you turn around and create training based on novel new approaches for technology we haven’t seen before?
[Brian Long] Yeah, so with using our AI content creation tools, you can actually make a net new training in about three minutes. And that takes you about a minute to type it in. And then once you click submit, it takes about two minutes for our AI to generate a full-length training with full AI, all the iteration, imagery, animations, everything in that training. And what’s pretty cool in your example, if you saw something that was concerning that happened in the news, maybe it’s an attack that happened at a peer company or some new vulnerability, you can actually just take the link to that article, put it into our content training creator, click submit, and it will make a net new training using the context of that particular article. So, it’s pretty magical technology. And what’s great is that with each release that we’re seeing right now from OpenAI and the other large language models, it just gets better and better with every release, better images, better animations, better content, etc.
[Janet Heins] Can I benefit as a customer from your other customers? So, your other customers create some using the GenAI, can I benefit from that?
[Brian Long] Yeah, you do benefit from it in the sense that if we see someone make a new training module that we think is around a really particularly interesting set of content, we will then create a global version of that module. So, on the one hand, if you’re making content specific to your organization, we’re not going to use that content and give it accessible to other organizations. There may be things that are confidential to your company and therefore you don’t want other companies to access it. But I’ll give you a recent example. We had a customer of ours, Figma, that was creating a training to help people look out for deepfakes within job interviews. And we thought, wow, that’s a really important and great topic. And we ended up making a new training on how to look for deepfakes and other sorts of AI within the interview process specific to the HR team but also hiring managers in general. And it’s quickly turned into one of our most popular training modules.
[Gary Chan] There’s something that you said, Brian, that piqued my interest, but also scares me at the same time, which is that you have deepfakes of the executives. And my question is, is that okay? I mean, do you get permissions from the executive to do deepfakes that will do real-time basically phishing of employees, where employees now are not really ever going to be sure if they should trust that executive again or not? I don’t know. I feel like there would be a real concern, at least for me here.
[Brian Long] [Laughter] Yeah, Gary, we definitely want to make sure that anytime it’s being used, it’s being approved by the person that’s being deepfaked. And also, quick update, it is actually me on this call right now. It’s not a deepfake of me.
[Laughter]
[Brian Long] But if you see the technology now for voice and for video with some processing time, it’s getting quite good. It’s like 98% there. For real-time types of deepfakes like you would see on a video for this, it’s about 85% there, but it’s getting closer and closer. But Gary, we also have a number of different controls behind our deepfakes that offer moderation to make sure that they’re not used inappropriately, that they’re approved by the people that are using them. And you can also make them for people on your team that do approve their usage. I do think it’s extremely important for employees to have awareness of what is possible here. These types of attacks are happening every day. We are talking to so many companies right now experiencing these deepfake persona attacks where they use the voice unlike this, but they also know a tremendous amount of OSINT about the company, and they’re really, really smart. So, I think companies need to get educated on this really quickly, and it’s extremely important.
[Janet Heins] How can I use Adaptive Security and ensure that my information is not shared?
[Brian Long] Yeah, look, so in terms of using Adaptive Security, you can use us in order to send out these simulated attacks, in which case we’re just using OSINT and information that’s out there for anyone to simulate those attacks. And then number two, using our training software in order to train your employees in order to make sure that they’re up to date on these latest types of attacks. So, those are the two biggest things that you can use in order to make sure that your team is up to date and ensuring that your data is secure.
[Janet Heins] And so, a follow-on to that would be if I create my own content within your tool, how do I ensure that content is not viewable or seen by anybody besides our company?
[Brian Long] Yeah, so any content that you edit or create in our tool is kept secure and separate from any other accounts. It’s also not used for training in any of the LLM models. So, it’s all just yours, secure for yours, and not used or leveraged by any other system.
[Gary Chan] I want to talk a little bit about smishing, so SMS phishing, right? Everybody’s sort of used to getting these simulated phishing emails by email, but I think a lot of people treat their cell phones for text messages a little differently than email. And I can imagine a lot of people get really upset if they start getting basically simulated SMS messages. And I’m just curious as to your experience with that, not only about the end user and whether they’re going to be happy about it, but also maybe there are legal repercussions because maybe the employees, it’s their personal phone and not paid for by the organization.
[Brian Long] First off, we have seen a large increase in SMS-based attacks, right? And unfortunately, they’re getting more and more sophisticated using OSINT about those individuals. In terms of what we can offer in order to help protect people from those attacks, we can do simulated SMS attacks. If you want to be more on the side of making it something that’s for users that have their own devices, you can do that as an SMS inbound attack where you send an email with a phone number and say, “Hey, can you text me at this number?” And if the user decides to send a text message to the number, then they have failed the simulation, then we’ll let them know accordingly. We also can do outbound, but in order to do that, we’re going to need the consent from the employee before we send those types of messages. I think in those situations, if you’re particularly concerned about annoying employees, we also offer SMS-specific trainings that offer the simulated types of SMS attacks but happening within a training environment. So, rather than it being something that may annoy them, it’s something that explains the concept, takes them through the scenario, but without it actually being something that they get on their phone.
[Janet Heins] I have a couple logistical questions. One is, how do you connect into LMSs? So, if I wanted to have your learning, your training modules be part of our learning management system.
[Brian Long] If you want, you can export all of our training modules as SCORM files, and that applies to both our global modules as well as any of the modules that you create within our platform or edit within our platform.
[Janet Heins] And my second part of that question is, is there any difference in resources needed to run and manage this, from your competitors?
[Brian Long] Yeah, I mean, look, we’ve worked hard to have this be a modern software platform that automates a lot of workflows. So, we generally hear that the amount of resourcing to manage it on our platform is less than other legacy platforms because we’ve spent a lot of time on those automations and workflows and leveraging AI tools in order to make the creation really easy. As just an example, making custom content on some of the other platforms or editing content is something that usually takes in some cases months. And with our platform, you can do it in about two to three minutes, and you can do it just by typing a few letters and hitting submit. Number two, our trainings are also available in 39 different languages, both with the content on the screen as well as within the audio narration. So, you can get something that’s accessible to everyone instantly. On other platforms, often it’s very hard to have something that’s accessible to everyone.
[Rich Stroffolino] All right, we got time for one last question.
[Gary Chan] Well, I have one. Continuing Janet’s operational type questions, I imagine a lot of your customers would like recommendations on how to use your platform. For example, how frequently they should send out phishing emails, whether if someone fails it two or three times that this other disciplinary action takes place. Do you have any recommendations that you would give to your customers related to your product and how it should be used?
[Brian Long] As part of onboarding, we have an implementation team that uses best practices from setting up hundreds and hundreds of our customers and knows what works and what doesn’t work and can help you set it up. In terms of like the appropriate frequency, the answer is that it really depends on the individual employee. So, we create custom dynamic groups that utilize information from your HR software and other softwares that you can attach so that we can create those custom groups and send the right frequency and the right type of training or simulation to each individual employee. In addition, we also calculate real-time risk scores on employees based on what their role is, what they have access to, which trainings they’ve taken, what sort of simulations they’ve failed, and we incorporate all of that into a broader risk score that we can also use when creating those dynamic groups and ultimately deciding who gets what trainings, who gets what simulations.
[Rich Stroffolino] All right, well, Brian, what’s one thing we didn’t ask about that we need to know?
[Brian Long] I think that we talked a lot about what’s happening now, but I think what’s important to know is what’s coming down the pipe. And if there were two things that I would be thinking about in the future, number one would be the growth in voice-based phishing. The software to create deepfake voice technology, but also to power it with OSINT with real-time flash models is coming down significantly in cost while also increasing quite a bit in quality. And as a result, I think we’re going to see a continued growth in these sort of large-scale, very sophisticated voice-based attacks. So, if I was a CISO, I’d be looking very hard at the controls in my organization for these types of attacks, and that’s beyond just wire transfers, thinking about controls on anything that is particularly important at your organization. So, that would be one of the top things that I’d be thinking about. And then number two is just as the LLMs get better and better, we’ve seen a large increase in the volume of OSINT that’s on those platforms and what can be very easily grabbed from those platforms. So, number two is I would consider doing an LLM audit of kind of what is out there about your company. And if that’s something that you’re interested in as well, you can ping us at Adaptive Security, and we’re happy to guide you on that as well.
[Rich Stroffolino] Well, fantastic. And that’s just about it for this episode of Security You Should Know. To learn more, head on over to adaptivesecurity.com. And if you have any feedback about this show or just any questions, send them over to us at feedback@CISOseries.com. A huge thank you to Janet Heins and Gary Chan for helping us learn more about Adaptive Security, and a giant thank you to you, Brian Long, CEO at Adaptive Security, for your time and your insightful answers and being game to answer all of these questions. And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com. Thank you for listening to Security You Should Know, connecting security solutions with security leaders.






