One Interview, Two Voices: Crafting Different Narratives from Expert Input

Sometimes, the best way to demonstrate versatility in writing is to present the same content in different ways. Here are two versions of a blog post about cybersecurity, both based on an interview with expert Curt Vincent.

The first version presents the information from the interview as a standalone, ghostwritten piece, removing the interview framework. This approach allows for a more casual, direct conversation with the reader while maintaining the core insights and examples. We kept Curt's vivid stories and key statistics but reframed them in our own voice.

The second version maintains the interview format, allowing Vincent's expertise and personality to shine through his direct quotes and stories. It's almost like cheating to write this way — Curt's 40 years of experience and polished speaking style made the content practically organize itself. His well-structured thoughts about the pillars of cybersecurity and carefully chosen analogies translated beautifully to the page.

Both versions accomplish the same goal: explaining why cybersecurity is about people more than technology and outlining the essential actions organizations must take. They simply take different paths to get there.

These pieces showcase how the same expert insights can be packaged differently depending on audience and purpose while maintaining clarity and impact.

Option 1:

[Title:] Your Biggest Security Threat Isn't Your Technology — It's Your People

Looking for the biggest cybersecurity threat to your organization? Check the mirror.

According to a recent Stanford University study, a whopping 88%[1] of all data breaches are caused by human error. Not sophisticated hackers. Not cutting-edge malware. Just people being... well, people.

Here's the thing about cybersecurity: it's barely 20 years old as a field, and we're all still figuring it out. In fact, we can't even agree if it's cyber security or cybersecurity! A scant 55% of organizations are aware enough of the risks to invest in cybersecurity insurance.

While it can encompass many things, the field has evolved to merge three previously separate domains:

  • Governance, Regulatory and Compliance (GRC) — all those geographic and industry-specific legal requirements your lawyers love to talk about

  • IT Security — the technical elements most people think of as "cybersecurity"

  • Information Security (InfoSec) — protecting not just data but all company resources

Want to dramatically improve your security posture in these domains and beyond? Here are five essential actions that will make a difference.


1. Implement a Password Vault

Sure, a passwordless future sounds great. But while we wait for that cybersecurity utopia, we need to deal with password reality. The best passwords are long, complicated, and about as memorable as last year's grocery lists. They're just strings of digits, letters, and symbols designed to be impossible to guess—which, unfortunately, also makes them impossible to remember.

What happens next is predictable: People either use the same password everywhere (hello, domino effect if one site gets breached) or start the sticky note collection under their keyboards. Neither scenario ends well.

Modern password vaults transform this chaos into order by offering capabilities that sound like security magic, like the ability to:

  • Share passwords without revealing them (yes, really — users can share passwords to mutual resources without ever seeing the actual password)

  • Instantly revoke access when employees leave (no more changing every password after Bob in accounting departs)

  • Control who has access to what (and track who's using it)

This is the lowest-hanging fruit in the cybersecurity orchard. Start here.

2. Institute Comprehensive Training with Clear Consequences

Most of us think we're pretty savvy about spotting scams. We all have that internal voice saying, "I'd never fall for that!" But here's the uncomfortable truth: Today's attackers are craftier than ever, and AI is helping them in new and alarming ways.

Consider this real-world example: A security team noticed a company had an upcoming softball game. Using this publicly available information, they sent a phishing email inviting employees to sign up for the event. The response was immediate – people clicked because it seemed relevant and real. That's exactly how modern attackers work. They're not sending emails about Nigerian princes anymore; they're using inside information gleaned from your website, social media, and public events.

The good news? Training works. The key is implementing real consequences, like a "three strikes in a year and you're out" policy. Think that's harsh? Consider how quickly you'd fire someone who repeatedly violated expense policies or safety protocols.

3. Create a Security-First Culture Led From the Top

Here's a puzzler that perfectly illustrates our security disconnect: Every organization has fire insurance, smoke detectors, suppression systems, and regular fire drills that apply to every room in every building. No CEO questions these expenses, and they apply to everyone. Yet these same leaders often delegate cybersecurity entirely to their IT departments, treating it like a purely technical problem.

Often, CEOs are deemed exempt from security training and phishing exercises, when they are just as likely — if not more likely — to fall for attacks than the rank and file.

Creating a security-first culture means making security as natural as locking your door at night, for every person in the organization. The best security cultures have leaders who admit their own mistakes. Imagine a CEO standing up at a company town hall and admitting they failed a phishing test – that's the kind of leadership that transforms security culture.


4. Remember the Physical Security Weak Link

A security team once tested a company's defenses by sending an attractive woman in a UPS uniform (bought on eBay and professionally tailored) to their small satellite office. Not only did employees hold the door open, but they also watched as the "delivery person" walked around photographing passwords under keyboards.

This is a perfect example of why we need to stop thinking of cybersecurity as separate from physical security. It's like border security: while major crossing points have sophisticated technology and trained personnel, terrorists have historically entered through tiny, understaffed crossings. Similarly, attackers will find your weakest point — usually a combination of physical access and human error — and capitalize on your impulse to see the best in people.

5. Don't Let Security Teams Become the "Just Say No" People

There's a common trap security teams fall into: becoming the department everyone avoids. Instead of being the team that only says "no," security needs to be embedded throughout the organization.

Security shouldn't be a separate function. It should be integrated into every department, working alongside development teams and other units to build security in from the start. Returning to the fire prevention analogy, we don't have a separate "fire safety department" that people only interact with during emergencies. Fire safety is part of everyone's job.

Prevention: Better Than Any Cure

Many organizations start by building incident response teams, but that’s like waiting to install smoke detectors until after there’s a catastrophic fire. Instead, start with prevention:

  1. Deploy that password vault (seriously, do it today)

  2. Launch comprehensive training with real consequences

  3. Build security into your culture from the top down

  4. Layer cybersecurity with physical security

  5. Don’t maroon your security teams in an unlikeable no man’s land

Don't wait for a crisis to kickstart your security journey. Start with these fundamentals, build gradually, and remember that security isn't just an IT thing anymore. It's an everyone, everywhere, all-the-time thing.

Share these tips with your teams. Your future self (and your data) will thank you.

 

Option 2:

[Title:] 3 Essential Actions for Modern Cybersecurity (Hint: None Are Technical)

 

The biggest cybersecurity threat facing everyone, from enterprises to small businesses, nonprofits to governments, isn’t sophisticated technology.

 

It’s your people.

 

According to a recent Stanford University study, 88%[2] of all data breaches are caused by human error. That’s why former Morgan Stanley cybersecurity executive and U.S. Army veteran Curt Vincent focuses his cybersecurity consultancy more on psychology than technology.

 

With over 40 years of experience dating back to the Army's early internet days, Curt knows that cybersecurity isn't just about getting the right technology — it's about creating comprehensive protection for all company resources.

 

Today's cybersecurity, barely 20 years old as a field, is still evolving. It combines three previously separate domains:

 

  • Governance, Regulatory and Compliance (GRC) — the legal requirements that vary by geography and industry

  • IT Security — the technical elements most people think of as "cybersecurity"

  • Information Security (InfoSec) — protecting not just data, but all company resources


In this new and evolving field, bad actors and security specialists alike often make their next moves on the fly. Luckily, organizations can do things to protect themselves (and themselves from themselves!).

 

We recently sat down with Curt to talk all things cybersecurity and learned that any organization can improve its security posture dramatically by implementing three essential actions. Here's what they are and why they matter.

 

1. Implement a Password Vault

 

A passwordless world may be coming, but in the meantime, get a password vault like Keeper or 1Password. This fundamental tool transforms how organizations handle credentials.

 

The best passwords are long, complicated, and impersonal. They’re just strings of digits, letters, and symbols that, by definition, are tough to guess. Of course, that means they’re also tough to remember.

 

Many people resort to using the same password for professional and personal security, but that can lead to a disastrous domino effect. If one site is breached, every other touch point is vulnerable.

 

Using multiple passwords is the best option, but that necessitates some sort of system to keep track of them all.

 

Enter the password vault.

 

Modern password vaults offer crucial capabilities like:

 

  • The ability to share passwords without revealing them

  • Instant access revocation when employees leave

  • Centralized control over all credentials

  • Secure access without written passwords

 

Making these vaults mandatory is undoubtedly the lowest-hanging cybersecurity fruit for corporations and families alike — don’t delay!

 

 

2. Institute Comprehensive Training — With Clear Consequences

 

After passwords come people.

 

That 88% statistic is certainly alarming, especially since most of us think we’re pretty savvy about detecting scammers.

 

But we’re not.

 

Curt likes to start cybersecurity consulting engagements with a phishing exercise. It’s simple enough — his team sends a fake email to employees and sees who clicks. Most people, even (especially!) execs, assume they’re smart enough to outwit it. Unfortunately, today’s phishers have a few tricks up their sleeves. Fortunately, so does Curt.

 

He noticed that one company had an upcoming softball game. This wasn’t a secret — these events are easy to discover through flyers, social media, and websites. Curt’s team capitalized on the event, sending phishing emails to employees with subject lines inviting them to sign up for the event.

 

The response was swift. The employees, eager to join the game, quickly clicked on the links in the false email.

 

"People will click on it because it seems relevant," he explains. "That's exactly how attackers work — they use inside information."

 

A shocking 25-30% of email recipients typically fall for tests like these. After the test proves how susceptible everyone is, the team starts cybersecurity training — but it can’t be a mindless, box-checking activity.

 

Training must have teeth.

 

Curt recommends a "three strikes" policy: fail three phishing tests within a year, and you're out. While this may seem harsh, he points out that companies routinely fire employees for repeatedly violating expense policies or safety protocols. Security deserves the same seriousness.

 

 

3. Create a Security-First Culture Led From the Top

 

Everyone needs to attend cybersecurity training — including the C-suite. Their buy-in and endorsement are crucial for compliance, but many don’t give it the same gravitas as other security measures.

 

Think of cybersecurity like fire security. No CEO questions the need for:

  • Fire insurance

  • Smoke detectors

  • Fire suppression systems

  • Regular fire drills

 

Yet these same leaders often delegate cybersecurity entirely to IT departments. This must change. Security, like fire safety, needs to become part of the organizational culture.

 

Curt admires the leadership team that admits mistakes and learns from them. His favorite example is when a CEO who failed a phishing test admitted it openly at the next company town hall. This vulnerability and accountability from the top helped transform the organization's security culture.

 

This cultural shift should also extend to how security teams operate. At one large investment firm, Curt managed a robust security team and realized they were becoming the “just say no” people — feared and avoided by other departments. Cybersecurity teams can’t live on a remote island; they should be embedded throughout the organization, working alongside development teams and other departments to seamlessly build security everywhere.

 

The Reality Check: Physical Security Matters Too

 

Part of this holistic security approach is merging cybersecurity with physical security. Physical breaches are more common than anyone believes, mostly because people are socially wired to be helpful.

 

Curt’s team once tested a company's security by sending someone in a UPS uniform (bought on eBay and professionally tailored) to their satellite office. Not only did employees hold the door open, but they also stood by as the "delivery person" walked around photographing passwords under keyboards. She also took pictures of the names on desks, since a combination of first and last names or initials is generally a system login name. Now, the team had credential sets, login names, and passwords. In other words, they had access to everything.

 

In many ways, the human impulse to see the best in people is wonderful. In others, it’s downright dangerous.

 

In addition, building security is like border security: while major crossing points have sophisticated technology and trained personnel, terrorists have historically entered through tiny, understaffed crossings. Similarly, attackers will find your weakest point – usually a combination of physical access and human error.

 

Moving Forward: Prevention Over Response

 

Many organizations start by building incident response teams — their cybersecurity "fire department." Curt argues that this is backward. Why wait until after a catastrophic event? "You should expect a fire and work on preventing it, not just respond when fires happen," he explains.

 

Don’t wait until there’s a crisis. Install your cybersecurity smoke alarms and prevent the problems before they start. Most importantly, recognize that cybersecurity is evolving beyond just digital protection. We need to move to the point where it's just called “security,” encompassing physical, cultural, and digital protection of all company resources.

 

The path forward is clear: start with these fundamentals, build gradually, and remember that security, like any crucial business function, must become part of your organizational DNA.

 

As these two versions demonstrate, there's real craft in adapting expert interviews into different content styles. While the interview format leverages the natural authority and structured thinking of an experienced speaker, the standalone piece brings those same insights to life through a more conversational lens. Both achieve their goals while showcasing different writing approaches — and both remind us that great content often starts with a great conversation.






[1] https://blog.knowbe4.com/88-percent-of-data-breaches-are-caused-by-human-error

[2] https://blog.knowbe4.com/88-percent-of-data-breaches-are-caused-by-human-error
