In a recent episode of Phishing for Answers, Joshua Crumbaugh sat down with Mike Crandall, a cybersecurity expert who went from building networks for the Department of Defense to helping small and mid-sized businesses secure their systems. Mike’s story is full of insights, lessons, and a few humorous surprises that shed light on how modern phishing simulations and a proactive security culture can drastically improve an organization’s defense against cyber threats.
Turning Phishing Tests into Lessons Learned
Mike kicked off the conversation with a memorable story about running a phishing test for a municipality in New York. The test involved sending out a fake email offering a $30 Starbucks gift card—classic phishing bait. The results? Plenty of clicks, as expected. But one city employee stood out by clicking the link three times a day for an entire week, determined to claim the prize! As funny as it is, this story highlights the broader challenge organizations face: people fall for phishing schemes not because they are careless, but because these schemes are designed to exploit basic human tendencies.
From Military Service to Cybersecurity Leadership
Mike’s journey into cybersecurity began in the U.S. military, where he was one of the first to help build secure networks for the Department of Defense. His military experience laid the groundwork for his expertise in defending large-scale systems, and it ultimately led him to his current mission—securing small and mid-sized businesses. Mike pointed out that while much attention is given to large enterprises, small businesses are often the ones that need the most help yet have the least resources to defend themselves.
“The small guy absolutely needs help,” Mike explained. “Often, they have the least budget, access to tools, and people to manage security.”
Changing the Mindset Around Cybersecurity
One of the most critical points Mike touched on is the negative mindset that often permeates cybersecurity—specifically, the idea that users are the problem. He believes that users should be seen as sensors, the frontline defenders of an organization’s security, rather than as weak links. His philosophy centers on education, making users more aware and better equipped to detect threats before they cause damage.
He shared, “Your users are not the problem. They are sensors. Sometimes sensors fail, but it’s our job to help make them sharper and more aware.”
By changing this mindset, organizations can turn their employees into active participants in cybersecurity, helping to detect threats like phishing attacks before they escalate.
Role-Based Training: A Key to Better Phishing Defense
Mike also discussed the importance of role-based phishing simulations, noting that different roles within an organization are targeted in different ways. Senior executives, IT admins, and finance teams are especially vulnerable to spear-phishing attacks that are tailored to their specific functions. Educating these groups with targeted training is critical to reducing their susceptibility.
“We break it down into roles, helping people understand why they are targeted and how they can protect themselves,” Mike explained.
Laughing While Learning: Why Human Security Needs a Light Touch
One of Mike’s core principles is that laughing while learning is key to making security awareness more effective. By making training fun and engaging, people are more likely to retain the information and apply it in real-world situations. This approach not only reduces frustration but also fosters a security culture where employees feel like they are part of the solution.
“If you’re laughing, you’re learning,” Mike said with a smile, emphasizing the need for fun, relatable training experiences that people will actually remember.
Mike Crandall’s unconventional approach to cybersecurity—one that blends humor, practical lessons, and targeted training—offers a refreshing take on how organizations can better protect themselves from phishing attacks and other cyber threats. His philosophy is simple: treat users as assets, not liabilities, and provide them with the right training to turn them into a powerful line of defense.
As Mike’s stories illustrate, security isn’t just about technology—it’s about people. And when people are equipped with the right knowledge, they’re capable of extraordinary things.
PhishFirewall helps organizations like yours stay ahead of these threats with AI-powered, behavioral science-based security awareness training designed to stop phishing attacks before they cause harm.
#CyberSecurity #PhishingAwareness #SecurityCulture #RoleBasedTraining #CISO #InfoSec #RiskManagement #PhishFirewall
PhishFirewall offers two Guarantees:
Sub-1% phish click rate guaranteed in the first 6 months
120-day satisfaction guaranteed!