Nov 14, 2025
Human Risk, Real Talk - Dan Thornton on Keeping Security Simple

Stream on Spotify

Listen on Apple Podcasts

This episode is packed with straight-talking cyber stories, smart thinking about human risk, and a brilliant look at why simple beats clever every single time.

I sat down with Dan Thornton, founder and CEO of Goldphish, for a conversation that cuts right to the heart of what security awareness should be. No jargon, no corporate waffle, no pretending that long training solves everything. Just two people who genuinely care about helping users stay safe, talking about what actually works.

Dan’s path into cyber was shaped by his time in the Royal Marine Commandos and then years spent managing physical security and crisis situations in some of the toughest environments. Everything changed during the NotPetya attack, when he watched a global organisation go dark for five days. That moment showed him just how fragile companies can be when people are unprepared. It also opened the door to the idea that awareness needs to be practical, human and built around behaviour, not box ticking.

We talk about the reality of today’s phishing landscape and how AI is helping attackers personalise scams faster than ever. We dig into the pressure felt by small and mid-sized businesses, many of which want to improve their awareness but do not have the resources or expertise to run it properly. And we get into why so many programmes still rely on long courses and shame-based phishing tests that only push people away.

One of my favourite moments is Dan’s take on incentives. If you want people to care about security, give them reasons to care. Celebrate reports. Highlight good behaviour. Make it visible when teams do the right thing. Culture grows when people feel supported, not when they feel like they are being set up to fail.

There is plenty of fun mixed in too. Pizza-flavoured passwords. The apps we all secretly know are probably spying on us. The danger of what someone could learn if they ever got hold of your chat history. It is honest, light, and surprisingly revealing at points.

Most of all, this conversation is a reminder that awareness is at its best when it feels like something people actually want. Clear messaging. Good storytelling. Simple takeaways that help at work and at home. Training people do not hate. And a culture where reporting is seen as a win, not an admission of failure.

If you care about people, behaviour, and building a culture that actually works, this is one of those episodes that will stay with you for a while.

Give it a listen and let it get you thinking about what your programme could look like when you keep things simple, human and genuinely helpful.

Stay aware, stay secure.
