Season 6 - Episode 5

Robert Siciliano

How to Stop Being an Easy Target in a $12 Trillion Cybercrime Economy

A working framework for protecting your business, your data, and your family — without the fear.

Cybersecurity expert Robert Siciliano explains why most businesses are easy targets and how three basic habits can put you in the top 10% of secure operators. He breaks down the psychology behind why people resist security, the real economics of organized cybercrime, and the practical steps every founder should take before becoming the next victim.

About This Episode

Robert Siciliano has spent more than 30 years walking into rooms full of skeptical employees and changing how they think about risk. In this conversation, he explains why that work still matters and why so little has changed on the consumer side over three decades.

His message is direct: criminals rarely "hack" in the way people imagine. With roughly 300 billion stolen records already circulating on the dark web, they often just log in using passwords people reuse across accounts.

Siciliano traces his path from being hacked in 1995, losing $3,000 to credit card fraud, to becoming a go-to voice for major media outlets. Along the way he reverse-engineered how criminals chose and exploited him, and built a career around making people tougher targets.

He's candid about why most security training fails. Corporate phishing simulations check a compliance box but rarely move the needle. What works, he argues, is connecting security to what people actually care about: their own bank accounts, their families, and their children's digital footprints.

For founders and CEOs, the takeaways are tactical. A password manager, unique credentials, and two-factor authentication alone put you ahead of 90% of the public. From there, updated hardware, a VPN, and a shift away from fatalism do most of the work.

Siciliano also shares the personal experiences that shaped his worldview, and why he believes giving up is the one strategy that guarantees you lose.

Key Insights

  • Adopt three habits to join the top 10% of secure users: a password manager, a unique passcode for every critical account, and two-factor authentication. Roughly 90% of people do none of these.

  • Understand the new attack model. With about 300 billion stolen records (including 20 billion passwords) on the dark web, criminals frequently log in with reused passwords rather than breaking in.

  • Treat phishing simulation training as compliance, not protection. It demonstrates due diligence to regulators but rarely changes behavior or secures the enterprise.

  • Update hardware to update security. Old devices run old chips and old software that enable fraud. Investing in current technology is an investment in the business.

  • Use a VPN on any open Wi-Fi. A few dollars a month encrypts your connection at airports, hotels, and conferences, and stops criminals nearby from intercepting your data.

  • Reframe security as risk management, not paranoia. People resist protection because they associate it with fear. Seeing it as a practical system makes adoption far easier.

  • Reject fatalism. "If they're going to get in, they're going to get in" is the mindset criminals rely on. Doing the basics makes you a far less attractive target.

  • Recognize the scale of the threat. Organized cybercrime is projected to be a $12.2 trillion business by 2031 and has already eclipsed the illicit drug trade.
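Because the episode's central claim is that attackers log in with leaked, reused passwords rather than breaking in, here is an added example (not code from the podcast, Robert Siciliano or Protect Now) of the triage a defender would run over authentication logs: it flags a source address that cycles through many accounts with mostly failed attempts, the signature of replaying a breached credential list, and then separates the successful logins that landed on accounts with no second factor enrolled. The log format, thresholds and MFA roster are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (assumed format): one source cycles through many
# usernames with mostly failures; a second source is a normal user retrying.
SAMPLE_LOG = """\
2025-03-01T08:00:01Z auth: user=alice src=203.0.113.7 result=FAIL
2025-03-01T08:00:02Z auth: user=bob src=203.0.113.7 result=FAIL
2025-03-01T08:00:03Z auth: user=carol src=203.0.113.7 result=SUCCESS
2025-03-01T08:00:04Z auth: user=dave src=203.0.113.7 result=FAIL
2025-03-01T08:00:05Z auth: user=erin src=203.0.113.7 result=FAIL
2025-03-01T08:00:06Z auth: user=frank src=203.0.113.7 result=SUCCESS
2025-03-01T08:00:07Z auth: user=grace src=203.0.113.7 result=FAIL
2025-03-01T08:05:00Z auth: user=alice src=198.51.100.20 result=FAIL
2025-03-01T08:05:09Z auth: user=alice src=198.51.100.20 result=SUCCESS
"""

# Constructed roster of accounts that have two-factor authentication enrolled.
MFA_ENROLLED = {"alice", "carol"}

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>SUCCESS|FAIL)$")


@dataclass
class SourceStats:
    users: set = field(default_factory=set)        # distinct accounts tried
    failures: int = 0
    successes: list = field(default_factory=list)  # accounts logged into


def parse_line(line):
    """Return (user, src, ok) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["user"], m["src"], m["result"] == "SUCCESS"


def aggregate(log_text):
    """Group login attempts by source address, skipping unparsable lines."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, src, ok = parsed
        stats[src].users.add(user)
        if ok:
            stats[src].successes.append(user)
        else:
            stats[src].failures += 1
    return stats


def find_stuffing(log_text, min_users=5, min_fail_ratio=0.6,
                  mfa_enrolled=MFA_ENROLLED):
    """Flag sources that look like replay of a leaked credential list.

    A source is flagged when it touched at least `min_users` distinct accounts
    and at least `min_fail_ratio` of its attempts failed (thresholds are
    assumptions to tune per environment). Successful logins from a flagged
    source are split by whether the account has a second factor: without one,
    a reused password alone was enough to get in.
    """
    findings = {}
    for src, s in aggregate(log_text).items():
        attempts = s.failures + len(s.successes)
        if len(s.users) < min_users or s.failures / attempts < min_fail_ratio:
            continue
        no_mfa = sorted(u for u in s.successes if u not in mfa_enrolled)
        with_mfa = sorted(u for u in s.successes if u in mfa_enrolled)
        findings[src] = {"distinct_users": len(s.users), "failures": s.failures,
                         "logged_in_no_mfa": no_mfa,
                         "password_matched_mfa_enrolled": with_mfa}
    return findings


if __name__ == "__main__":
    for src, finding in find_stuffing(SAMPLE_LOG).items():
        print(src, finding)
```

Accounts in the `logged_in_no_mfa` list are the ones to reset and enrol first; the `password_matched_mfa_enrolled` list shows where the second factor is the only thing still standing between a leaked password and the account.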

Episode Transcript

The following is a cleaned and lightly edited transcript of the conversation. It has been adjusted for readability while preserving the speakers' original meaning and voice.

Henry Harrison: I want to welcome Robert Siciliano to the show, and he helped me pronounce that name as a non-Italian, so thank you for that. This is The Henry Harrison Show: Entrepreneurs, Business, and Finance. Thank you for coming on. Robert is an expert in quite a lot of things, but probably first and foremost cybersecurity. He has a very interesting story and some very practical insights for us, with more to come if you follow him or engage with him later. So let's get right to it. Hello, Robert.

Robert Siciliano: Hey, thank you so much. Happy to be here.

Henry Harrison: Why don't you talk about what you're doing right now to help people? You've got a number of certifications and accreditations, and there's a whole world out there that you're helping. You're a repeat entrepreneur. You've had many employees over the years. What are you up to now?

Robert Siciliano: For 40 years, 30 of them professionally, I've been engaged in what we call security awareness training. Security awareness training is essentially going into businesses and setting up employees so they can effectively recognize and manage risk, which is an ongoing process. Security is 24/7, 365. As they say, security never sleeps. It's a journey, not necessarily a destination, and that's because bad actors always have been, are, and always will be seeking their next mark, their next victim.

So we have to be on alert pretty much all the time, and being on alert isn't something most humans want to do. My job is to get people into a frame of mind where recognizing risk is easy for them, so they see it as something they actually want to do by the time we're done working together. And ultimately, my job is to make the CISO's life easier, because their employees become part of the solution instead of part of the problem.

Henry Harrison: That's terrific. I see on your bio that you do public speaking and consulting, and you still have a couple of companies. You want to elaborate on that, and all these certifications? I see Protect Now, I see Safr.Me, and you've got active shooter preparedness. It's pretty interesting.

Robert Siciliano: I've been speaking professionally for all of my adult life, ever since my early 20s. I'm a Certified Speaking Professional, certified in cyber, social, identity, and personal protection, and I'm a certified identity theft risk management specialist. What I do professionally all started about 30-something years ago. I owned my first computer back in 1995 to manage my small business.

Then and now, I speak to all kinds of businesses, whether it's construction, real estate, manufacturing, finance, or healthcare. I also speak to real estate agents, because in the US they're occasionally accosted, assaulted, and even murdered. It's a high-risk profession, so they need a certain level of understanding and the ability to recognize risk in their work. I still speak to them in that regard today.

Back in the mid-'90s, I bought my first computer to manage that business, which I still have today. After about a month of being connected to the internet in 1995, I was hacked. I'd bought an IBM PS/1 Consultant — that's the make and model of a Windows 3.0 machine with a 150-megabyte hard drive. I had to buy an additional card to install inside it so I could connect to dial-up internet and get onto AOL. After about a month, I lost roughly $3,000 to credit card fraud through my point of sale on that computer.

As awful as it was, and as much money as I lost, I was enamored by how they did what they did. When I talked to my bank and credit card company about it, they said, "Yeah, this is a new thing for us, too." I wanted to understand how they did it, so I reverse-engineered their process — how they chose me, how they got in, and how they did what they did.

Back then and now, my business has always been about personal security as it pertains to violence and theft prevention. Traditionally that's the physical world, but what's more about theft prevention today than information security and your data being hacked? So it all evolved over time. Once I understood how they did it, I started to see this was becoming a real problem.

In the late '90s, municipalities all over the country started posting our personal information online, because it was a very normal thing to do. Most of us had our Social Security numbers on our driver's licenses and on all kinds of applications, and that's still true in a lot of places. When municipalities started posting those Social Security numbers, identity theft became a real problem. I was right there. I saw it all taking place, so I started to speak about it, not just to real estate agents but to the media.

Over the years I've done pretty much everything — all the morning shows, Good Morning America, the Today Show, the CBS Early Show. I did Howard Stern a couple of times, ABC Nightly News.

Henry Harrison: It's amazing, all the shows, all the places. I was going to read the list, but it's too long. Forbes, the New York Times, quoted in those magazines, work with Merrill Lynch, Honeywell, you name it. That's one reason we're glad to have you.

Robert Siciliano: I've lived a colorful life, and over the years I've seen it all when it comes to hackers and criminals. What I've come to learn is that about 97% of all the people you and I will ever come into contact with are good in their heart of hearts. They're good-natured. They mean no harm.

But I've also come to understand that about 3% of women and as much as 6% of men would essentially be diagnosed by the medical community as sociopaths or psychopaths. They're the hardcore narcissists who live among us and experience no empathy, sympathy, guilt, or remorse. These are the people who truly have no shame, and many of them would be considered human predators. They seek out you and me as their natural mark.

I hear it all the time: "If these criminals could just take what they know and use it for good, they could solve cancer." And I say, no. They couldn't care less about that. They are predators by nature. Hitting, hurting, harming, stealing, and taking from others is their version of normal. There always has been, there is, and there always will be a criminal element out there, and our job as the 97% is to become tougher targets.

Most people resist that. When I say resist, I mean they don't truly understand that 3%. They don't understand those people are always looking for their next victim, and they don't want to believe they'd ever be chosen. So we function in a form of denial. We do nothing about it, because we don't want to think these things can happen to us. That's basically why I still have a job. Humans resist security by default, and I'm happy to speak to all of that.

Henry Harrison: Let's talk about some of the practical things you can do, and let's also talk about the severity of what it can mean. You mentioned violence. I think that's relatively self-explanatory — we see it on the news, it's awful, and you don't want to imagine it happening to you or anyone. But just earlier today I ran into a friend of mine, a successful entrepreneur and business owner who owns multiple businesses, and he was just hacked by a major international ransomware operation. I won't say the name. He's had the FBI involved and hired cybersecurity help, but it's essentially too late. They're telling him how to get out of it, but he's going to have to pay a large amount of money and go through an incredibly difficult process. He looked really upset.

Robert Siciliano: It's brutal when this happens, and it happens for a number of reasons, primarily because many of us aren't engaging in basic 101 security measures. When I'm hired by a chief information security officer or a company's C-suite — the CIO, CTO, and so forth — they bring me in because they're already providing some level of training in the form of what we call phishing simulation training.

Phishing simulation training is a compliance and regulatory exercise. It's there to show due diligence in the corporate environment, so that if something does go wrong and regulators come knocking and say, "We're going to sue you or fine you unless you can show you did everything you were supposed to do," the company can demonstrate it. That's ultimately what phishing simulation training is for. It's a check-the-box exercise, and it doesn't necessarily move the needle when it comes to actually securing the enterprise.

So they bring me in because they've reached a threshold. They'll say, "Our phishing simulation metrics are good, but we know we can do better. We just want our people to care about security." I walk into the room, they introduce me, and let's say there are 100 people sitting in front of me with scowls on their faces and their arms crossed, thinking, "Okay, security guy, what are you going to tell me that I don't already know? I've got to get back to work, so let's make this quick."

What I do is start asking them questions. I engage them in a dialogue, and it revolves around things like: "How many of you can honestly say you're using a different passcode for each of your critical accounts? In other words, you're not using the same passcode twice?" When I ask that in front of a live audience of 100 people, if 10 raise their hands, that's a lot. That means 90% are using the same passcode across multiple accounts, which is brutal.

What most people don't understand is that right now there are about 300 billion of our records — names, addresses, Social Security numbers, account numbers, passwords — on the dark web. About 20 billion of those credentials are passwords. So when 90% of the public reuses the same passcode, bad actors don't necessarily hack anymore. They just log in. I don't know exactly what happened to your friend, but it's possible he was reusing a passcode and they simply logged into his critical accounts. Once that happens, it's game over. That's when they extort you.

The next question I ask is, "How many of you are using a password manager?" A password manager is a software program that's been around for more than 20 years, designed to make it easy to use a different passcode across all your accounts. I've used one for 22 years. I don't reuse passcodes, and I don't even know my own passwords. My password manager knows them. I can look them up, but I don't need to remember them. If 10 out of 100 people raise their hands for that, that's a lot.

Then I ask, "How many of you are using two-factor authentication on all your critical accounts, including email, personally and professionally?" If 15% of the room raises their hand, that's a lot, which means 85 to 90% of employees — and probably many people listening to this podcast — are engaged in very poor cyber hygiene. That's exactly what organized criminals want. They want you doing nothing. They know 90% of the population, including many small businesses, aren't doing the basics, and that's extremely lucrative.

What most people don't realize is that cybercrime is projected to be about a $12.2 trillion business by 2031. Right now, organized fraud and cybercrime have eclipsed the illicit drug trade. It's already a half-trillion-dollar-a-year industry, and it's lucrative because we're not doing anything to protect ourselves. My guess is your friend did a bunch of things, but apparently not enough. And it's that "not enough" they're counting on.

People hear about how sophisticated criminal hackers are and say, "There's nothing I can do, I'm just going to throw my hands up and give up." I don't think that's a good strategy. When people adopt that, they're adopting fatalism, and fatalism is not how we approach security.

Henry Harrison: No, we don't want fatalism. The idea of this podcast is to educate people so they can do a better job, and that's helpful. Do you have a way to measure success? It's hard to measure in some cases, but getting people to take adequate steps in the companies you work with — how do you measure that?

Robert Siciliano: Part of this process is about getting people to recognize risk, and that's actually a pretty easy process. I tell everybody, "I can make you the top 10% of secure Americans. Literally, the top 10%." How? Number one, a password manager. Start with that, because it makes it easy to use a different passcode across all your accounts. Between a password manager, changing up your passcodes, and two-factor authentication, you're already in the top 10%, because 90% of the population isn't doing those three basic things.

From there, if you want to go the do-it-yourself route — which isn't a bad thing depending on the size and scope of your organization — update your hardware. Right now I'm on a 2025 Mac with an M4 chip. There's something newer, but this is a relatively new device I got in December. It's the most secure operating system and device I could have in this day and age, with an updated operating system, updated hardware, and updated software, so I become a tougher target.

Many people are using three-, four-, five-, six-, or seven-year-old devices, which means old hardware, old chips, old motherboards, and old software, all of which facilitate fraud. If you're still on Windows 10, I'm not even sure that's supported by Microsoft anymore. Old hardware supports only old software, so updating your hardware means updating your software. Make those investments in your technology, because they're investments in your business. Then update your browser and everything else.

And then there are the basics, like Wi-Fi. When you're out and about, you should be using a VPN, a virtual private network. It's a software program that encrypts your connection when you're on free, open Wi-Fi at the airport, the hotel, the resort, or the conference room. A VPN prevents criminals in the area from sniffing out your data on that free Wi-Fi. You'll never catch me at an airport on free Wi-Fi without my VPN. These programs might cost five dollars a month or 60 dollars a year, and anyone can use them. You just launch it once you connect to, say, Boston Logan Airport Wi-Fi, and you're good.

These basic strategies are all anyone needs to do, but most people don't even think they need them. When I'm in front of an audience, I ask serious questions about their current security practices. One of the basics is, "How many of you have a home security system?" — the fundamentals of personal protection, where you sleep. If 10 or 15% of the room raises their hands, that's a lot. About 85% of the general public doesn't have one.

So I ask, "Why don't you have a home security system?" People start raising their hands, and one of the most common answers is, "We don't have one because we have insurance" — as if insurance is going to protect you and your physical being at 3 a.m. It's a silly answer, but that's what people say. The next answer is, "We don't have one because my husband says, 'If they're going to break in, they're going to break in. What are we going to do?'" He's justifying not making that investment through fatalism — the burglars are too powerful. And I say to that wife, "Listen, divorce that guy. He's no good." I've got two daughters and a wife. I'm doing everything I can to protect my family. I'm not going to throw up my hands and say, "The burglar has the upper hand, good luck, honey, you're on your own."

But the most common answer I get is, "We don't have a home security system because I don't want to live like that. I don't want to worry. I don't want to live in fear." And I say, "Whoa." Then I tell them the truth: I have more than 20 security cameras. Six points on my home, the corners, two to three cameras per point, and a few inside. Maybe a little excessive, but whatever. When you hear that a guy has 20-plus security cameras, what do you think his worldview is? What do you think people say?

Henry Harrison: I don't want to — they're going to say you're paranoid, something like that.

Robert Siciliano: Exactly. Paranoid. That's what they always say. When I ask that in front of 100 people, all 100 say "paranoid" simultaneously, which is funny, because they all look at each other realizing they just called me paranoid. But here's the problem with that. If you look at managing risk and putting systems in place to reduce it as a form of paranoia — "He must worry, he must live in fear, he must always be looking over his shoulder" — then why would you ever want to engage in security practices? That's what most people think, and it's why we resist them.

That's a reality I've concluded after 30 to 40 years of security awareness training, meeting thousands of people, asking them questions, and getting their answers. Most people in America think security is about paranoia. As a result, we do nothing. We say, "It can't happen to me," and we function in denial. We use fatalism to justify that denial, because we don't want to think it'll happen to us, and we tell ourselves the criminal hackers are too powerful anyway. Plus, we don't want to be paranoid, so why bother? We throw up our hands, and that is exactly what criminal hackers want.

They make billions every year off the backs of hardworking Americans who basically don't know what to do, because they don't want to believe it can happen to them and they've never made the effort. That's unfortunate. So when I'm hired and I go in and speak, what happens is I get off the platform and an employee says to me, "You know something? I didn't want to be here today. My boss told me I had to come. But I didn't think it was going to be like this." Because what I talked about was their own personal security — their own passwords, their own bank accounts, their child's digital footprint, their own money, how they protect themselves first. That's what security awareness training should be, but in a corporate environment it usually isn't.

Once you do that, they say, "I want more of this in my life." At the end of the meeting they come up and say, "This was great. I'm so glad I came. I wish my spouse was here, because he or she would have loved it." That's how it should be, but most of the time it isn't.

Henry Harrison: You're a widely recognized expert, as we talked about, quoted and featured on many of the largest news organizations and publications in the country. When you were a kid, did you think you'd be a trainer, speaker, and cyber expert? Did you have an entrepreneurial bent? What was your family life like that led you here? Because you didn't just appear here.

Robert Siciliano: When I was young, I was always industrious. I remember my grandfather saying something to me at a very early age. I might have been 11. As a kid, on the way to and from school, I'd pick through trash. I'd grab stuff off the side of the road — bicycles out of people's trash, whatever I could find — and I'd find ways to sell it. My grandfather said, "Robbie is an entrepreneur." I didn't even know what the word meant. I had to ask around, and once I understood it and he instilled it in me, it started to make sense. I saw opportunities to get paid all around me.

So I've always considered myself somewhat of a hustler, and I don't think of that as a bad word. I've always done anything and everything I could to make a buck. I always had three jobs. I was always buying and selling stuff on the side, always doing something to make money.

In my early teens, when I was 12, something significant happened. I'm 57 years old, and I'm of the generation where our parents opened the door in the morning, let us outside, and said, "Come back when the streetlights come on," or "Come back for dinner." That's what we did. We were gone 8, 10, 12 hours a day, came back filthy, bleeding, and ragged, sat down to dinner, showered, watched some TV, went to bed, and started over the next day. I don't know how we survived, but we did.

My dad would let us go into downtown Boston and get on the train — I'm from Boston, if you haven't figured that out. One day my little brother and I get off the train and come up to the street. He's 8, I'm 12. There are five kids at the top of the street waiting for us, or for anybody. They mugged me, beat me up, and took all my money. I was not prepared for that at all. So I go home all beaten and bloodied, and my dad says, "Okay, so today you were the gazelle and those boys were the lions." He explained that there always has been, there is, and there always will be a predatory element out there, and my job was to become a tougher target. He explained predators and their prey, sociopaths and psychopaths. It started to make sense, but not entirely.

About a year later, when I was 13, I met a girl at summer camp. She was my first crush. On the bus at the end of the day, riding home, we'd sit together and hold hands. One day I got off with her at a bus stop, and we sat on her front stairs. She was looking at me solemnly, and I didn't really understand what was happening. She said, "I think you should know that my mother's boyfriend assaulted me." I didn't know what she was talking about, but I knew it was bad based on how she said it.

So I went home and asked my dad, "What is sex, and what is rape?" Because I didn't know what she meant. I just knew it was bad. Now, I'm 57, so this is 44 or 45 years ago. We didn't know what sex was as kids. We didn't know at 12, 13, 14. It wasn't talked about. We didn't have porn. If you knew anything, it was because you found a Playboy in the trash on the way home from school. That's literally how you learned. So I learned about the birds and the bees and about sexual assault in the same conversation at 13 years old.

That had a profound effect on the way I viewed the world. Being the victim of a multiple-attacker situation a year earlier, I began to gravitate toward professions revolving around personal protection. I started taking karate, then teaching karate. That became a thing in my life. By my early 20s, I was teaching real estate agents personal protection. Then I got hacked.

Really, not much has changed in the past 30 years when it comes to consumers and citizens recognizing risk. We don't do much differently today than we did back then. Most of us aren't locking our doors. Most of us don't have home security systems. Most of us are reusing the same passcode across multiple accounts. Most of us haven't taken self-defense classes. The bad guys, though, have changed. What they do is treat fraud as a business, and they make billions. But I'm here to say it doesn't have to be that easy for them. All you have to do is the basic things, and you're good.

Henry Harrison: That's powerful. Thank you for sharing that. I know you're a bestselling author. Would you like to wrap up with something about that, and also where people can reach you?

Robert Siciliano: Thank you, sir. I've written five books, and all of them revolve around personal protection as it relates to violence and theft prevention in the physical and virtual world. My latest is Identity Theft Privacy: Security Protection and Fraud Prevention. It's a bestseller on Amazon, and you can find it there.

Beyond that, my job is to help you and your organization tighten things up, whether that's bringing in a virtual chief information security officer to run vulnerability testing on your network and determine where you need to improve, or engaging in security awareness training to make sure ransomware doesn't happen in your environment. Just reach out at protectnowllc.com — again, that's protectnowllc.com. Otherwise, search Robert Siciliano and connect with me on LinkedIn. That's S-I-C-I-L-I-A-N-O.

Henry Harrison: Fantastic. We just had thunder here — that wasn't an audiovisual extra. That's a wrap-up thunder. That's what the world thinks of that presentation. Boom. Well done. Thank you, sir. Thanks a lot for coming on. I really appreciate it.

Robert Siciliano: It's my absolute pleasure. I appreciate what you're doing here.
