
Cybersecurity Meets Comedy: How Humor Builds Trust | Stories With Traction Podcast

SHOW NOTES:

In this episode, Matt Zaun sits down with Rob Black, Founder & CEO of Fractional CISO, to demystify cybersecurity for growing companies—without the fear-mongering. Rob explains how his team operates as a virtual CISO (security leader) to strengthen programs, enable enterprise sales, and translate “security-speak” into clear business outcomes.

Rob shares why security shouldn’t be priority #1 (sales and delivery come first), how to size up the risk when incidents are low-probability but high-impact, and why humor can drive far more adoption than dry policy memos.

In this episode, they cover:

✅ Prioritization reality: why cybersecurity should be priority 4–5—not 100

✅ Humor that converts: skits, wigs, and why fun content outperforms stoic lectures

✅ LinkedIn as referral fuel: staying top-of-mind vs. hard selling (and why neighbors all know what Rob does)

…and much more.

 

*Below is an AI-generated transcript, which may contain errors

Matt Zaun 

Rob, welcome to the Stories of Attraction podcast.

 

Rob Black

Great to be here, Matt. Thanks for having me. Yeah, I appreciate your time.

 

Matt Zaun 

I want to start with cybersecurity. So your team helps business leaders manage risk. So can you tell us a little bit about what you and your team do for your clients?

 

Rob Black

Absolutely. So my company is Fractional CISO, and we act as a virtual CISO, which is a cybersecurity leader. And just imagine you're a 100-person company, 200-person company.

You're selling a large enterprise. That large enterprise tells you your security program is not good. And there are many signals that companies give off on how good their security program is.

We help to analyze the environment, look at the company, build a great security program, and then help them tell their story to the large enterprise so that they can make that sale.

So even though I'm in cybersecurity, we are a sales enabler. And it's our job to both fix the problems, but then really paint a good picture so that our clients can make that sale to the big company.

Yeah, so I feel like a lot of companies admit that cybersecurity is important, right?

 

Matt Zaun 

I don't think anyone disputes or debates the importance of cybersecurity.

 

Rob Black

For sure. But why do you think a lot of companies don't take it as a top priority? Yeah, it really shouldn't be a top priority.

So the top priority has got to be sales, right? So if you're not selling, if you're not making money, you're going out of business.

Second thing is you have to worry about your product delivery. Like if your solution, if your product isn't going out, if you're not meeting customer needs, you're going to go out of business also.

So then there's customer service and all those things. So we've got to be priority four, five, somewhere around there.

I think to me, the problem is when cybersecurity is priority number 100, that's a company that is not probably assessing the risk appropriately.

And the challenge is, just like with a lot of topics where the impact can be tremendously high, but the occurrence is very low.

For most companies, you're probably talking sub-3% chance of an incident in a given year. Now, to focus on that is quite difficult.

Now, the problem can be catastrophic. You literally could go out of business. Even if you don't go out of business, you could be facing millions of dollars of costs.

could have irate customers. You could have regulatory fines. The consequences can be quite high. But it's really difficult for folks to mentally balance what kind of effort should they be spending on something that is not that likely to occur.

And then what level of effort should they be putting there? So we totally get that. But it's our job to help prioritize smartly so that we're not disrupting their operations.

So that we're not inhibiting sales, but that we're helping them be successful and going to market and selling appropriately and really bridging that trust with the large enterprise.

So the large enterprise sees the organization, oh, they're taking security seriously. And it's not just some sort of paperwork exercise, but they're actually demonstrable things with the technology and with their processes and the paperwork.

 

Matt Zaun 

So I really appreciate that honest answer. I appreciate the honesty in all that. You're listing it as the fourth or fifth priority.

I think that that speaks to your integrity, right? You're not saying it's the number one thing people should worry about.

Clearly, it's important, right, but not number one. I also appreciate you putting numbers to it. said sub 3%, though it could be catastrophic, right?

Someone might have been a business.

 

Rob Black

It could be catastrophic. Yeah, I mean, that's the problem. You say, oh, it's unlikely to occur. But when it does occur, it could be, you know, I mean, companies have gone under, companies have lost significant market share.

And companies have just been totally hamstrung for days, weeks, months because of cyber attacks sometimes.

It could be devastating, right?

 

Matt Zaun 

I mean, someone could have worked decades to build their business to where it needs to be and then could all be stripped away, basically.

So even though it can be – here's what I find fascinating that I really want to talk with you about.

So even though it can be absolutely catastrophic, you're dealing with someone's baby, right? Especially if they're the founder, they're the owner, they built it up, and then it could be absolutely devastating.

I find it interesting that on your LinkedIn, you say, follow me for humorous, actionable cybersecurity advice.

 

Rob Black

Yes. I've never heard before like that.

 

Matt Zaun 

So even though we're talking about something that, again, could be catastrophic, you put an element of humor to it.

Why? How? Take me with your line of thinking on bringing people in through comedy.

 

Rob Black

Yeah, well, I mean, obviously, cybersecurity is the most interesting topic.

 

Matt Zaun 

So say cybersecurity professionals.

 

Rob Black

But to most of population, it's not that interesting. There's usually a lot of technical details. There's a lot of process stuff, things that are often not that interesting.

We use humor. I use humor. One, I just use humor in general. That's kind of my nature. But either you need to tug at someone's heartstrings when you're telling a story or you need to make them laugh.

So I like to make them laugh. I have a series of skits I do with different wigs. If this were a video podcast, you'd see that I have beautiful zero hair on my head.

So I use wigs to sometimes play different characters and tell a story. Recently, I've used some AI babies in my videos, which some folks like, where the baby is answering cybersecurity questions.

But the idea is we have a valuable message, but telling people, you really should turn on MFA. MFA is not that interesting, but telling a kind of humorous little skit to get them to turn on MFA, that's something that can cause someone to take action.

At least think about it for a second as opposed to, yeah, yeah, yeah, I should also eat my vegetables and brush my teeth.

I get it. I don't want people to miss what you're saying because here's why I find this so fascinating.

 

Matt Zaun 

So you have an MBA from Kellogg School of Management. That's no joke, right? And people might watch some of these skits you put out, and they wouldn't realize that, that behind your organization, clearly you have wisdom as far as how you handle your business and handle other people's business.

There's a lot of people listening to this episode that, for whatever reason, they like to be put in the stoic category, if you will.

They want to be looked at as respectable business leaders, but for whatever reason, they're not breaking through. They're not connecting with their audience.

They're struggling messaging, marketing.

 

Rob Black

Okay, what you should do is you should go back four years or five years and look at some of my videos back then, me talking straight to the camera about important cybersecurity topics in a newscaster-like way, and I got maybe hundreds of views or maybe single-digit thousands of views.

So it was great that the message was serious, and I delivered it in a serious way, but certainly didn't connect to the audience.

I mean, now, if we get less than 10,000 views on a video, it's pretty disappointing. My biggest hitter has been over 800,000 views.

And this is a cybersecurity video, not like the meaning of life or some sports thing, right? So the thing is, I do think...

The video or humor in general, if you have a humorous nature to you, telling a story in a funny way can be really valuable because, you know, I'm sure whatever you're doing, whatever you're selling, I'm sure it's an important thing, but, you know, there are a lot of important things in this world.

So you want to capture people's attention. And even though I don't take myself seriously, I take my topic seriously.

So, you know, I'm not making fun of the topic. I'm making kind of fun of myself or maybe people in my industry or people who just disregard cybersecurity.

But it's not that I'm saying that any of the things I'm doing is unimportant. It's actually quite important. But, you know, the way you get into someone's mind has got to be, you know, you've got to either tug at their heartstring, you got to tell a compelling story, or, you know, you got to make them laugh.

 

Matt Zaun 

Yeah, and we live in an attention economy, right? So, I mean, we need eyeballs on our screen, right? We need people to pay attention to what we're doing.

Take me through the sales funnel, if you will. So let's say you put out a video, you're getting 800,000 views.

How are you capturing?

 

Rob Black

Are you trying to get people to subscribe to something from an email and then book them on a separate call?

What are you doing? So what's interesting is I would say for LinkedIn, our goal is not top of the funnel.

It's to remind my network that I exist and what I do. And here's the interesting measure. I will walk into a cocktail party, neighborhood event, people I haven't seen in long time.

Every single person there that knows me knows what I do. And you know, how many times do you go out with your neighbors and have no idea? The guy across the street, you don't know, I mean, you just know it's Bob across the street and, you know, he takes his garbage out on Wednesday.

I have no idea what he does, but everyone knows what I do. So my goal in LinkedIn and my LinkedIn messaging is really just to remind people what I do on a periodic basis.

Our top of the funnel activities are, I would say, more traditional. Professional SEO, email marketing, advertising, those sorts of things.

But the LinkedIn bit is more a referral activity to remind people, hey, if you do have a cybersecurity need, if your friend has a cybersecurity need, come to us, we can help.

And oh, yeah, I know Rob does that because I saw a video from him last week. But yeah, we probably could do better on the capture and that sort of thing.

We do have a monthly newsletter where I write a humorous article about something that's happening in my life and tie that to an important cybersecurity concept.

But for the most part, I would say, I say this on calls with my prospects, I'm the least salesy salesperson you've ever met.

I will oftentimes try to not sell them on what we're doing and really make them convince me that what they need is our services.

Um, but. But, you know, but the LinkedIn bit, I think, you know, a lot of people are using wrong.

They, you know, they send out a message and then they connect with someone and they say, hey, you know, buy my tool, buy my service, whatever.

And that person clicks, you know, delete right away. So, you know, we're, I'm more of just like, get my message out there and then let people come to us when they have that need.

I think it's also the nature of our business, which is everyone's cybersecurity needs. It's like, you're going to have this occurrence happen one, two, three times in your career.

So if I'm hitting everyone all the time, like, what are the chances? This is the two month period where they're actually looking for our types of services.

You know, so it's, it's more like, I just want to be out there and let folks come to us when, when they're decisional, when they're thinking about us.

Sure.

 

Matt Zaun 

So you said, let people come to us. Take me through your buyer journey. So let's say you have a phone call with someone, how long typically does it take to go from prospect to client?

 

Rob Black

If it's someone who's actively looking, it's probably a 60-day activity. So, you know, they came to us for some reason.

They were searching for us. They got referred to us. They come to us and say, hey, you know, we're trying to land this big deal with the client.

The client said, you need a better cybersecurity program. We decided we wanted, you we weren't going to hire a full-time CISO.

CISO is the Chief Information Security Officer. You know, we're a 200-person company. It doesn't make sense for us to hire a full-time person, but we definitely need, you know, all the things.

We need risk management, vendor management, you know, all the elements of a security program. So they're going to outsource that or, you know, potentially outsource that to us.

They come to us. We have a discovery call. You know, usually a week or two later, we have another call, kind of get really into the weeds.

And then I would say for the most part, they're going to make a decision within a few weeks. You know, sometimes it's not budgeted.

So sometimes, you know, that process starts and then it's delayed to the end of the year and, you we start for the following calendar.

But, you know, it's usually quite short. Oftentimes, folks will come to us with some amorphous requirement. Oh, we need more security.

You know, and those are the ones, as I say, I want to really make them convince us that they want our service because, you we don't want to sign with them and then, you know, nothing happens and they're not happy and, you know, it's a waste of everyone's time.

So, you know, typically the client knows that they're ready to do something. Either something happened, their investor told them they had to make it happen, their client told them, you know, prospect told them that they need a better security program and we show up.

Do you do anything to filter someone out?

 

Matt Zaun 

So you said to make sure they're ready. Do you say or you make, like, how do you filter someone out that might be wasting your time if they're not truly ready to be a client?

 

Rob Black

Yeah. I mean, my first question, so typically my team is doing the first call with them and kind of getting the details.

And when I'm on the call, my first question typically is, tell me about your cybersecurity. Or, you know, maybe tell me a little bit about your company and your needs.

But, you I kind of know that from the notes from the previous call. But, you know, I'll say, tell me about your cyber pain.

And they'll say, we lost a deal. We're about to lose another deal. Right? There's pain. You know, our key competitor got this certification.

We don't have it. Or, you know, it's really scary. You something along those lines. Our investor said, if we don't have this by the end of the year, you know, we're in trouble.

You know, those are all things where there's an actual pain. And, you know, versus, oh, you know, that'd be good if we had some cybersecurity.

Yeah, that's true. But, you know, are you willing to pay for it?

 

Matt Zaun 

Yeah, it's like the aspirin versus vitamin, right? You don't want tell people that want a vitamin. They got hit with a shovel over the head.

They need that aspirin, right? They need the painkiller for sure.

 

Rob Black

For sure.

 

Matt Zaun 

All right. So I want to talk a little bit. I want to backtrack a little bit. I want to talk about you as a teen.

I really like unpacking. How did people get to where they are now? And I feel like there's a lot that we do as teens that mold us into who we are as business leaders.

So if I were to ask teenage Rob what he wanted, what would be some of the responses that I would have gotten back?

 

Rob Black

Yeah. So I'm going to go back to 10 years old, preteen, because I can tell you that I was 10 years old.

And so this was the mid 80s. I'm, you know, I have a few years. And my parents bought an Apple IIc.

We had an actual computer in our house, if you can believe that. So that was that was pretty awesome.

And 10 year old Rob Black was playing on that computer all the time. I was learning to program, you know, do I don't even know what you do with the computer.

I mean, I played games and programmed it and, you know, try to communicate. My parents do word processing. So I loved computers from, you know, from then, I think I can't remember if I'd had school, a school computer, maybe a little bit before then.

So I always really liked computers. I was a math and science kid. My dad, when I was a teenager, said, you know, you'd be a great sales engineer. You know, those guys make a lot of, he worked for a technology company.

Like, those guys make a lot of money. They're very technical. You have the different skills, you have the technical skills, you're good with people, that sort of thing.

And then, I don't know, that kind of took hold. I got a couple of engineering degrees when I went to college.

You know, I don't know that I literally was going to be a sales engineer, but, you know, certainly something in my mind.

And then I had a number of technical roles. And, okay, I don't know if I'm supposed to advance way past the teenage years.

 

Matt Zaun 

You can show whatever you want. Okay.

 

Rob Black

So, so I had a number of technical roles. And, you know, cybersecurity, when I was coming out of college, was not like, I mean, it was a thing, but it wasn't a commercial thing.

It wasn't like tons of people going into cyber. But, you know, by the 2000s, that was definitely the case.

I worked for RSA Security. And then I worked for another company doing cybersecurity for them. And then got acquired.

Our company got acquired, doing cybersecurity for them, and I was like, every company needs this. And then I started my company to help many companies with their cybersecurity needs.

But I will say, it's funny, one of my parents' friends from when I was a kid asked my mom what I did, and she said, well, I know he does something with computers.

That's awesome. That's awesome.

 

Matt Zaun 

So you said something I do want to unpack. So you'd mentioned engineers, and I know that you speak to a lot of business leaders.

So I feel like there's a lot of people out there that when they have a story or they have a message to share, they get really excited about sharing that.

 

Rob Black

But sometimes the person on the other end isn't excited to receive it. For sure. What I'm getting at is it's different to speak to an engineer than it is to speak to someone in C-suite.

 

Matt Zaun 

So how would you change messaging? If you were to share with someone something that you do from a cybersecurity.

Thanks. How do you change your messaging strategy, or how do you tweak your stories from an engineer or, let's say, a manager to a C-suite executive?

 

Rob Black

I would actually probably have a similar message. It just would be more geared toward the executive than it would be toward the engineer, but it should resonate with both.

And the thing I talk about with cyber risk is being able to quantify the answer. So a lot of times, folks in cybersecurity will say, you have a high risk.

Well, what does that mean? I don't know. It means something, right? A high risk in one context and another might be quite different, right?

So if you're a kid walking across a busy street, is it a high risk they're going to get hit by a car?

I don't know, but it's certainly something you want to mitigate. But if you put things in percent and dollars, it can really resonate, I would say, with both audiences.

So if you say there's, instead of high risk, a 10% chance of a $5 million loss. Everyone can be calibrated.

So now you're talking to the CEO of GE or some large company. They're like, oh, I can live with that.

Five million bucks, that's not that big a deal. But you're talking to the CEO of a $5 million revenue company, he's like, hmm, that's existential.

I better mitigate that. And the same thing with the engineer, when you put numbers on things, if I have a list of high issues and then medium and low, it means something on one level, like, okay, these ones are more important than those.

But if I have a 10% chance of a $5 million loss, a 5% chance of a $1 million loss, I can calibrate, okay, how much effort do I need to spend to mitigate that issue?

And that really resonates, I would say, with both audiences, because the engineer likes numbers and the senior manager likes talking in terms of business metrics as opposed to high risk.

Yeah, that's incredible.

 

Matt Zaun 

I think it's really important to think in those terms. So you mentioned percentages. So obviously this isn't a scientific formula, but I'm just interested, your gut reaction, if we were to speed up time, go to the end of this decade, what percentage would you put on your concern regarding AI as it pertains to cybersecurity risks?

What percent would that be? You're 100% concerned that there needs to be stuff in place, or what percentage would you give it on panic mode concern?

 

Rob Black

So five years is a long horizon in a fast-changing area. I rarely get into panic mode about many things.

Yeah, I mean, to me, it's less about the tool. Also, it's about the humans that are using the tool.

So, you know, if your question is, am I concerned Skynet is going to take over the world in the next five years, that's very, you know, 0.01%.

Yeah. Some very small number. If your concern is there's going to be huge displacement of jobs and work and things that were working just fine now kind of break, there's a non-trivial chance that that's true.

But we also get to respond to those challenges. So given human track record to date, I'm going to say we're going to overcome those challenges.

And yes, could there be a very bad hiccup where some AI tool goes amok and creates a lot of havoc?

Yes. But will we be able to recover as a society? Absolutely. So I'm going to say 99.99, we're fine.

And then some small percent chance that it's catastrophic. You know, the Skynet bit is not really, if it does happen, it probably won't be this technology trained for AI.

I could imagine. Imagine powerful people, organizations, governments using AI to create serious damage or harm. But, you know, again, I'm going to assume that we will be able to mitigate those challenges.

 

Matt Zaun 

What about people using AI for strictly cyber, like to hurt other companies, to tie to their networks? Are you concerned that AI is moving at such a quick pace that cybersecurity can't keep up?

 

Rob Black

So, first, as a society, we have technical debt for cyber. So, you know, today, people are using the same password, you know, never mind AI.

Like, you know, I could probably type in password 1234 into, you know, a bunch of different windows, and one of them, that password is going to hit.

So we have a significant technical debt. AI is definitely going to make it easier for the attackers. So now non-native English speakers are going to have perfect English, you know, to be able to perpetrate things, they're going to be able to automate things they couldn't before.

You know, obviously, your more technical attackers could automate things before, but now the less technical ones can have ChatGPT or, you know, one of those other tools write them a script that's going to automate bad behavior and now hit thousands of people at once and, you know, a couple people fall for it.

So, yes, but just like any tool, the good guys get to use those tools, too. So, you know, will we be slow in responding?

Maybe. But will we catch up and stop some of them? Absolutely. You know, if you look at the adoption of any technology, let's say the automobile, it's like, oh, it's amazing.

You can transport people and goods all around, but, you know, thousands of people die every year in automobile accidents, right?

And so that's bad. And AI is going to be the same way. You know, there will be casualties. You know, hopefully we can help mitigate that from being widespread.

 

Matt Zaun 

Yeah, it's definitely going to be one of the biggest. So I'm sure there are individuals listening that they are interested in making sure that they have a separate security plan in place.

 

Rob Black

They don't know where to start.

 

Matt Zaun

What would be some points you would say, you know, A, B, and C, where would someone start if they haven't truly implemented the security plan that they need?

Yeah.

 

Rob Black

So I think if you're really starting from scratch, I would go to your ChatGPT, Grok, Claude, one of those tools, and say, describe your business a little bit, describe some of your controls, and say, what five things would you recommend that I do to my business from a security standpoint?

You know, my guess it's going to spit things out like turn on multi-factor, make sure you have good password management, make sure you're patching your servers, right?

So, you know, basic advice, but, you know, that could be tuned to your business along those lines. I would add that a good incident response plan is extremely valuable. So an incident response plan is a plan that is specific to your organization, thinks about if an incident were to happen, who are you going to contact?

Where's, you know, oh, remember, we got to talk to the legal team, we got to talk to marketing, we got to talk to the insurance company, right?

And so all those things, it has the details from the insurance company, who do I contact there for technical help or just to notify them.

And it has everyone's contact info and has some guidelines on what you should do as an organization if a cyber incident were to happen.

Then take that incident response plan and do a tabletop exercise. Again, I'm going to say go, you know, go to one of your favorite LLMs and say, you know, explain your environment and say, generate a tabletop exercise for my company to do, you know, here are the people that are participating, here's my incident response plan, you know, generate, you know, a couple of scenarios that we should run through to see.

You know, I think those simple things can make a very big difference and it probably will be eye-opening in the, you know, potentially lack of preparedness that your organization has.

If those things seem too complicated, you know, that's why there are companies like mine that, hey, you know, we do this all the time.

We help. You know, you don't need to go to ChatGPT and say, what should I do? We'll tell you what to do.

You know, we'll help you with the incident response plan and, you know, all those other activities. But, you know, there's a lot of things that companies can do on their own.

There's a lot of great content out there, which is why I say go to an LLM to ask. And the more tuned it is to your environment, the better it's going to be.

And, you know, and then, you know, separately, let's even say, let's, you're a non-technical person, you're a business leader.

You want to know how you're doing. Ask your team. Where's my cybersecurity scorecard, dashboard, write-up? When's the last time we did a cybersecurity activity?

Do we have a report? Or, You know, and see what the organization says. Is it totally IT focused? Well, there's nothing on product.

There's nothing on the rest of my organization. Wow, that's interesting. You know, on the IT folks, are the IT folks grading themselves?

You know, maybe they give themselves a very mature grading. You know, maybe they do a mature grading of their activities, but, you know, maybe someone else should look at them and are they really doing the things that they say that they're doing?

If you're using an outsourced IT provider, have someone inside your organization kind of do a rating. You know, you don't have to be an expert.

You can kind of know, well, let's see, they didn't follow up on X. Those servers aren't patched, and we don't have EDR on these three laptops.

So, you know, you kind of know, even without a real formal process. You know, those things will probably just give clues to the business leader that they are, they have a good cybersecurity program, or, you know, maybe it needs some improvement.

 

Matt Zaun 

That's really good advice. I appreciate you sharing that. And I appreciate this conversation. Thank you. Thank you so much for all that you shared.

There's a lot of nuggets that you shared with us today. There's three in particular I'm going to take away.

The very first is I appreciate you mentioning you need to pull on heartstrings or you can make them laugh.

That is so incredibly important. I don't think enough leaders think about humor. Humor was a weakness of mine for quite some time.

I'm still not the funniest person, but one of the things that I personally did was improv comedy. I did a lot of improv, a lot of classes over the years that really helped me.

I really appreciate the videos you put out. A lot of humor really ties back to your points. Really important.

Second point that you made is the quantify the answer. You mentioned high risk. What does that even mean? We need to paint a picture for what high risk means.

You say that percent and dollars, really important. We say a lot of different things in business. We've got to paint that picture.

I think a lot of times we paint the picture with storytelling, paint the pictures with the messages that we're conveying, which you spoke to.

And then the third and final point, that incident response plan. You mentioned lists, steps, right? Do it logically now before these intense emotions take place, right?

List out all the steps so when something happens, you know what you need to do before everyone's all flustered and they have no idea what to do.

It's really good to plan now to fix the roof right before it starts to really leak. So I appreciate that, Rob.

If anyone wants to get more information on what you do, they want to reach out to you for your services, where's the best place they can go to get that info?

 

Rob Black

Yeah, I'll give two places. So if you're not in the buying mode right now, just connect with me on LinkedIn, follow my content.

You'll learn something about cybersecurity. Hopefully you'll laugh on occasion. And, you know, and obviously, and if you're actually interested in getting your cybersecurity needs met in the short term, visit us at FractionalCISO.com.

Really easy to contact us on that from the website. We have a great blog content there. So you can sign up for our newsletter, or you can just, you know, click the contact us and we will.

We'll get back to you, hopefully, really quickly.

 

Matt Zaun 

Perfect. I'll include that in the show notes. People could just click and go from there. Thanks again, Rob. Really appreciate your time today.

 

Rob Black

Great. Thank you very much, Matt.

 
